diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 288fc7b572..6b0407617e 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -19463,7 +19463,7 @@
 {
 "source_path": "windows/security/threat-protection/intelligence/rootkits-malware.md",
 "redirect_url": "/microsoft-365/security/intelligence/rootkits-malware",
- "redirect_document_id": false
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/intelligence/safety-scanner-download.md",
@@ -20114,7 +20114,7 @@
 "source_path": "windows/deployment/update/update-compliance-v2-enable.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-enable",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-help.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-help",
@@ -20124,22 +20124,22 @@
 "source_path": "windows/deployment/update/update-compliance-v2-overview.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-overview",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-prerequisites.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-prerequisites",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-schema-ucclient.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclient",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-schema-ucclientreadinessstatus.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-schema-ucclientupdatestatus.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus",
@@ -20149,17 +20149,17 @@
 "source_path": "windows/deployment/update/update-compliance-v2-schema-ucdevicealert.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucdevicealert",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-schema-ucserviceupdatestatus.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-schema-ucupdatealert.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucupdatealert",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/update/update-compliance-v2-schema.md",
 "redirect_url": "/windows/deployment/update/wufb-reports-schema",
@@ -20194,7 +20194,7 @@
 "source_path": "windows/deployment/planning/features-lifecycle.md",
 "redirect_url": "/windows/whats-new/feature-lifecycle",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/planning/windows-10-deprecated-features.md",
 "redirect_url": "/windows/whats-new/deprecated-features",
@@ -20205,7 +20205,7 @@
 "redirect_url": "/windows/whats-new/removed-features",
 "redirect_document_id": false
 },
- {
+ {
 "source_path": "windows/deployment/usmt/usmt-common-issues.md",
 "redirect_url": "/troubleshoot/windows-client/deployment/usmt-common-issues",
 "redirect_document_id": false
@@ -20295,6 +20295,101 @@
 "redirect_url": "/azure/active-directory/authentication/howto-authentication-passwordless-security-key",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision",
+ "redirect_document_id": true
+ },
 {
 "source_path": "windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md",
 "redirect_url": "/windows/configuration/provisioning-packages/provision-pcs-with-apps",
@@ -20315,6 +20410,11 @@
 "redirect_url": "/windows/resources",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md",
+ "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard-protection-limits",
+ "redirect_document_id": true
+ },
 {
 "source_path": "windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md",
 "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always",
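Review bot: The last added entry in the `@@ -20295` hunk, `"source_path": ".../hello-hybrid-cert-whfb-settings-policy.md"` with `"redirect_url": ".../hello-hybrid-key-trust-provision"` and `"redirect_document_id": true`, sends a certificate-trust settings page to a key-trust target, while every sibling cert page in the same hunk stays within the cert-trust set (the `-pki` sibling goes to `hello-hybrid-cert-trust-validate-pki`). This looks like a copy-and-paste slip from the key-trust block above it; if a cert-trust provisioning topic exists, that is probably the intended target. Because `redirect_document_id` is true here, the retired page's document identity and inbound links would be transferred to the key-trust provisioning page, which is the wrong deployment model for readers arriving from cert-trust guidance, so the target is worth confirming before merge.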
@@ -20334,6 +20434,201 @@ "source_path": "windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md", "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always", "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-faq", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-faq", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-event-300.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-faq", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md", + "redirect_url": 
"/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md", + "redirect_url": 
"/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md", + "redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies", + "redirect_document_id": true + }, + { + "source_path": "windows/client-management/mdm/policy-ddf-file.md", + "redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf", + "redirect_document_id": true + }, + { + "source_path": "windows/client-management/mdm/applocker-xsd.md", + "redirect_url": "/windows/client-management/mdm/applocker-csp#policy-xsd-schema", + "redirect_document_id": true + }, + { + "source_path": "windows/client-management/mdm/vpnv2-profile-xsd.md", + "redirect_url": "/windows/client-management/mdm/vpnv2-csp#profilexml-xsd-schema", + "redirect_document_id": true + }, + { + "source_path": "windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md", + "redirect_url": "/windows/client-management/mdm/enterprisedesktopappmanagement-csp#downloadinstall-xsd-schema", + "redirect_document_id": true + }, + { + "source_path": "windows/client-management/mdm/enterprisemodernappmanagement-xsd.md", + "redirect_url": "/windows/client-management/mdm/enterprisemodernappmanagement-csp#enterprisemodernappmanagement-xsd", + "redirect_document_id": true + }, + { + "source_path": "education/windows/education-scenarios-store-for-business.md", + "redirect_url": "/windows/resources", + "redirect_document_id": false + }, + { + 
"source_path": "education/windows/teacher-get-minecraft.md", + "redirect_url": "/education/windows/get-minecraft-for-education", + "redirect_document_id": false + }, + { + "source_path": "education/windows/school-get-minecraft.md", + "redirect_url": "/education/windows/get-minecraft-for-education", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/dg-readiness-tool.md", + "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard", + "redirect_document_id": true + }, + { + "source_path": "windows/security/information-protection/tpm/change-the-tpm-owner-password.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/get-support-for-security-baselines.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/mbsa-removal-and-guidance.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard-scripts.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/tpm/manage-tpm-commands.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/tpm/manage-tpm-lockout.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md", + "redirect_url": "/windows/security", + 
"redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/whats-new/windows-10-insider-preview.md", + "redirect_url": "/windows/whats-new", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md", + "redirect_url": "/windows/security", + "redirect_document_id": false } ] -} \ No newline at end of file +} diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index d36533a87e..361003c659 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -28,6 +28,9 @@ ], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier3" + ], "breadcrumb_path": "/microsoft-edge/breadcrumbs/toc.json", "ROBOTS": "INDEX, FOLLOW", "ms.technology": "microsoft-edge", diff --git a/browsers/edge/microsoft-edge-faq.yml b/browsers/edge/microsoft-edge-faq.yml index 41ba94ebb6..25f20730ab 100644 --- a/browsers/edge/microsoft-edge-faq.yml +++ b/browsers/edge/microsoft-edge-faq.yml 
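Review bot: The tail of the `@@ -20334` hunk retires a set of security procedure and troubleshooting pages (for example `credential-guard-scripts.md`, `manage-tpm-lockout.md`, `bitlocker-recovery-loop-break.md`, `audit-and-enforce-windows-defender-application-control-policies.md`) by redirecting them to the generic `/windows/security` hub with `"redirect_document_id": false`. A reader following an existing link to one of those topics lands on an index page rather than equivalent guidance, and the old content is no longer reachable from the redirect. Where a replacement topic exists (as the hunk does for `dg-readiness-tool.md` → `credential-guard`), a redirect to it would preserve the guidance; where the content is intentionally retired, stating that in the commit description would make the intent reviewable.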
@@ -2,6 +2,7 @@ metadata: title: Microsoft Edge - Frequently Asked Questions (FAQ) for IT Pros ms.reviewer: + ms.date: 12/14/2020 audience: itpro manager: dansimp description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. diff --git a/browsers/enterprise-mode/enterprise-mode.md b/browsers/enterprise-mode/enterprise-mode.md index 30d32a8d1a..2c433182a9 100644 --- a/browsers/enterprise-mode/enterprise-mode.md +++ b/browsers/enterprise-mode/enterprise-mode.md @@ -11,7 +11,7 @@ ms.reviewer: manager: dansimp title: Enterprise Mode for Microsoft Edge ms.sitesec: library -ms.date: '' +ms.date: 07/17/2018 --- # Enterprise Mode for Microsoft Edge @@ -55,5 +55,3 @@ You can build and manage your Enterprise Mode Site List is by using any generic ### Add multiple sites to the site list - - diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md index 4573423115..2cfad8e8db 100644 --- a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md @@ -1,3 +1,6 @@ +--- +ms.date: 07/17/2018 +--- Before you can use a site list with Enterprise Mode, you must turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser. diff --git a/browsers/enterprise-mode/what-is-enterprise-mode-include.md b/browsers/enterprise-mode/what-is-enterprise-mode-include.md index 34359d6f1b..b10897a3d3 100644 
--- a/browsers/enterprise-mode/what-is-enterprise-mode-include.md +++ b/browsers/enterprise-mode/what-is-enterprise-mode-include.md @@ -1,4 +1,7 @@ +--- +ms.date: 07/17/2018 +--- ## What is Enterprise Mode? Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. -Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability. \ No newline at end of file +Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability. diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index f52e815de7..626d8e7d35 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -24,6 +24,9 @@ ], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier3" + ], "breadcrumb_path": "/internet-explorer/breadcrumb/toc.json", "ROBOTS": "INDEX, FOLLOW", "ms.topic": "article", 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index bbfd85b95e..c8b17e2ff9 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md 
@@ -57,7 +57,7 @@ If you use Automatic Updates in your company, but want to stop your users from a > The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.yml). - **Use an update management solution to control update deployment.** - If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Endpoint Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit. + If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit. > [!NOTE] > If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. 
@@ -66,7 +66,7 @@ Additional information on Internet Explorer 11, including a Readiness Toolkit, t ## Availability of Internet Explorer 11 -Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Endpoint Manager and WSUS. +Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Configuration Manager and WSUS. ## Prevent automatic installation of Internet Explorer 11 with WSUS diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md index b795f7aab3..75027dfd9d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/index.md +++ b/browsers/internet-explorer/ie11-deploy-guide/index.md @@ -9,6 +9,7 @@ title: Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Expl ms.sitesec: library ms.localizationpriority: medium manager: dansimp +ms.date: 02/24/2016 --- @@ -62,4 +63,4 @@ IE11 offers differing experiences in Windows 8.1: ## Related topics - [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml) - [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) -- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/) \ No newline at end of file +- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/) diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md index c0fb369154..1dd3438086 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md 
@@ -50,7 +50,7 @@ Internet Explorer 11 gives you some new Group Policy settings to help you manage | Turn off the ability to launch report site problems using a menu option | Administrative Templates\Windows Components\Internet Explorer\Browser menus | Internet Explorer 11 | This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.

If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.

If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. | | Turn off the flip ahead with page prediction feature | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 on Windows 8 | This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.

If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.

**Note**
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. | | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.

**Important**
When using 64-bit processes, some ActiveX controls and toolbars might not be available. | -| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as Microsoft Endpoint Configuration Manager.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | +| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as Microsoft Configuration Manager.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | | Turn on Site Discovery XML output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | | Use the Enterprise Mode IE website list | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1511 | This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.

If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.

If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. |
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
index 7015595563..2090ed72ef 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
@@ -33,7 +33,7 @@ Before you begin, you should:
 - **Check the operating system requirements.** Check that the requirements for the computer you're building your installation package from, and the computers you're installing IE11 to, all meet the system requirements for IEAK 11 and IE11. For Internet Explorer requirements, see [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). For IEAK 11 requirements, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md).
-- **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, Microsoft Endpoint Configuration Manager, or your network.
+- **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, Microsoft Configuration Manager, or your network.
 - **Gather URLs and branding and custom graphics.** Collect the URLs for your company's own **Home**, **Search**, and **Support** pages, plus any custom branding and graphic files for the browser toolbar button and the **Favorites** list icons.
diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
index f72747f486..08899cb2db 100644
--- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
@@ -6,6 +6,7 @@ author: dansimp
 ms.prod: ie11
 ms.assetid: 9cb8324e-d73b-41ba-ade9-3acc796e21d8
 ms.reviewer:
+ms.date: 03/15/2016
 audience: itpro
 manager: dansimp
 ms.author: dansimp
@@ -60,8 +61,3 @@ You can also click **Select All** to add, or **Clear All** to remove, all of the
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md
index 5b662eeca6..d4dde73e8c 100644
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ b/browsers/internet-explorer/ie11-ieak/index.md
@@ -9,6 +9,7 @@ title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
 ms.sitesec: library
 ms.localizationpriority: medium
 manager: dansimp
+ms.date: 03/15/2016
 ---
@@ -49,4 +50,4 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1
 - [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
 - [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml)
 - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
-- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
\ No newline at end of file
+- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
index 912ce707bd..2ba0956295 100644
--- a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
+++ b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
@@ -1,16 +1,12 @@
 ---
 author: aczechowski
 ms.author: aaroncz
-ms.date: 12/16/2022
+ms.date: 02/14/2023
 ms.reviewer: cathask
 manager: aaroncz
 ms.prod: ie11
 ms.topic: include
 ---
-> [!WARNING]
-> **Update:** The retired, out-of-support Internet Explorer 11 desktop application is scheduled to be permanently disabled through a Microsoft Edge update on certain versions of Windows 10 on February 14, 2023.
->
-> We highly recommend setting up IE mode in Microsoft Edge and disabling IE11 prior to this date to ensure your organization does not experience business disruption.
->
-> For more information, see [Internet Explorer 11 desktop app retirement FAQ](https://aka.ms/iemodefaq).
+> [!CAUTION]
+> **Update:** The retired, out-of-support Internet Explorer 11 desktop application has been permanently disabled through a Microsoft Edge update on certain versions of Windows 10. For more information, see [Internet Explorer 11 desktop app retirement FAQ](https://aka.ms/iemodefaq).
diff --git a/education/docfx.json b/education/docfx.json
index 70b106e401..993809eee6 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -29,7 +29,10 @@
 "globalMetadata": {
 "recommendations": true,
 "ms.topic": "article",
- "ms.collection": "education",
+ "ms.collection": [
+ "education",
+ "tier2"
+ ],
 "ms.prod": "windows-client",
 "ms.technology": "itpro-edu",
 "author": "paolomatarazzo",
@@ -52,14 +55,15 @@
 "rjagiewich",
 "traya1",
 "rmca14",
- "claydetels19",
+ "claydetels19",
 "Kellylorenebaker",
 "jborsecnik",
 "tiburd",
 "AngelaMotherofDragons",
 "dstrome",
 "v-dihans",
- "garycentric"
+ "garycentric",
+ "v-stsavell"
 ]
 },
 "externalReference": [],
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index f3861da706..8de6af0540 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,25 +2,17 @@
-## Week of January 09, 2023
+## Week of February 20, 2023
 | Published On |Topic title | Change |
 |------|------------|--------|
-| 1/12/2023 | [Configure federation between Google Workspace and Azure AD](/education/windows/configure-aad-google-trust) | added |
-
-
-## Week of December 19, 2022
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 12/22/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
-
-
-## Week of December 12, 2022
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 12/13/2022 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified |
+| 2/22/2023 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | modified |
+| 2/22/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
+| 2/22/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified |
+| 2/22/2023 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | modified |
+| 2/22/2023 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | modified |
+| 2/23/2023 | Education scenarios Microsoft Store for Education | removed |
+| 2/23/2023 | [Get and deploy Minecraft Education](/education/windows/get-minecraft-for-education) | modified |
+| 2/23/2023 | For IT administrators get Minecraft Education Edition | removed |
+| 2/23/2023 | For teachers get Minecraft Education Edition | removed |
diff --git a/education/index.yml b/education/index.yml
index ef45124188..29efffa3ae 100644
--- a/education/index.yml
+++ b/education/index.yml
@@ -45,7 +45,7 @@ productDirectory:
 text: Azure information protection deployment acceleration guide
 - url: /defender-cloud-apps/get-started
 text: Microsoft Defender for Cloud Apps
- - url: /microsoft-365/compliance/create-test-tune-dlp-policy
+ - url: /microsoft-365/compliance/information-protection#prevent-data-loss
 text: Data loss prevention
 - url: /microsoft-365/compliance/
 text: Microsoft Purview compliance
diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml
index bc030c32e4..b732e77d6d 100644
--- a/education/windows/TOC.yml
+++ b/education/windows/TOC.yml
@@ -46,6 +46,8 @@ items:
 href: configure-aad-google-trust.md
 - name: Configure Shared PC
 href: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
+ - name: Get and deploy Minecraft Education
+ href: get-minecraft-for-education.md
 - name: Use the Set up School PCs app
 href: use-set-up-school-pcs-app.md
 - name: Change Windows edition
@@ -56,16 +58,6 @@ items:
 href: change-to-pro-education.md
 - name: Upgrade Windows Home to Windows Education on student-owned devices
 href: change-home-to-edu.md
- - name: "Get and deploy Minecraft: Education Edition"
- items:
- - name: "Get Minecraft: Education Edition"
- href: get-minecraft-for-education.md
- - name: "For IT administrators: get Minecraft Education Edition"
- href: school-get-minecraft.md
- - name: "For teachers: get Minecraft Education Edition"
- href: teacher-get-minecraft.md
- - name: Work with Microsoft Store for Education
- href: education-scenarios-store-for-business.md
 - name: Migrate from Chromebook to Windows
 items:
 - name: Chromebook migration guide
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
index 0901d32b40..c6fc526cd0 100644
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@@ -7,6 +7,7 @@ appliesto:
 - ✅ Windows 10
 ms.collection:
 - highpri
+ - tier2
 - education
 ---
diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md
index 1826ecd768..f92de780a3 100644
--- a/education/windows/change-home-to-edu.md
+++ b/education/windows/change-home-to-edu.md
@@ -7,6 +7,9 @@ author: scottbreenmsft
 ms.author: scbree
 ms.reviewer: paoloma
 manager: jeffbu
+ms.collection:
+ - tier3
+ - education
 appliesto:
 - ✅ Windows 10 and later
 ---
@@ -71,7 +74,7 @@ It's critical that MAKs are protected whenever they're used. The following proce
 - Mobile Device Management (like Microsoft Intune) via [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp);
 > [!IMPORTANT]
 > If you are using a Mobile Device Management product other than Microsoft Intune, ensure the key isn't accessible by students.
-- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager.
+- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Configuration Manager.
 For a full list of methods to perform a Windows edition upgrade and more details, see [Windows 10 edition upgrade](/windows/deployment/upgrade/windows-10-edition-upgrades).
@@ -114,7 +117,7 @@ These steps provide instructions on how to use Microsoft Intune to upgrade devic
 These steps configure a filter that will only apply to devices running the *Windows Home edition*. This filter will ensure only devices running *Windows Home edition* are upgraded. For more information about filters, see [Create filters in Microsoft Intune](/mem/intune/fundamentals/filters).
-- Start in the [**Microsoft Endpoint Manager admin console**](https://endpoint.microsoft.com)
+- Start in the [**Microsoft Intune admin center**](https://go.microsoft.com/fwlink/?linkid=2109431)
 - Select **Tenant administration** > **Filters**
 - Select **Create**
 - Specify a name for the filter (for example *Windows Home edition*)
@@ -139,7 +142,7 @@ These steps configure a filter that will only apply to devices running the *Wind
 These steps create and assign a Windows edition upgrade policy. For more information, see [Windows 10/11 device settings to upgrade editions or enable S mode in Intune](/mem/intune/configuration/edition-upgrade-windows-settings).
-- Start in the [**Microsoft Endpoint Manager admin console**](https://endpoint.microsoft.com)
+- Start in the [**Microsoft Intune admin center**](https://go.microsoft.com/fwlink/?linkid=2109431)
 - Select **Devices** > **Configuration profiles**
 - Select **Create profile**
 - Select the **Platform** as **Windows 10 or later**
@@ -174,9 +177,9 @@ The edition upgrade policy will now apply to all existing and new Windows Home e
 ### Step 3: Report on device edition
-You can check the Windows versions of managed devices in the Microsoft Endpoint Manager admin console.
+You can check the Windows versions of managed devices in the Microsoft Intune admin center.
-- Start in the **Microsoft Endpoint Manager admin console**
+- Start in the **Microsoft Intune admin center**
 - Select **Devices** > **Windows**
 - Select the **Columns** button
 - Select **Sku Family**
diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md
index f377a4582c..a134019d38 100644
--- a/education/windows/change-to-pro-education.md
+++ b/education/windows/change-to-pro-education.md
@@ -7,6 +7,7 @@ appliesto:
 - ✅ Windows 10
 ms.collection:
 - highpri
+ - tier2
 - education
 ---
@@ -147,7 +148,7 @@ Existing Azure AD domain joined devices will be changed to Windows 10 Pro Educat
 ### For new devices that are not Azure AD joined
 Now that you've turned on the setting to automatically change to Windows 10 Pro Education, the users are ready to change their devices running Windows 10 Pro, version 1607 or higher, version 1703 to Windows 10 Pro Education edition.
-#### Step 1: Join users’ devices to Azure AD
+#### Step 1: Join users' devices to Azure AD
 Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607 or higher, version 1703.
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 05c7db8963..969f81b3be 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -346,7 +346,7 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid
 |--- |--- |--- |--- |
 |Use Office 365||✔️|✔️|
 |Use Intune for management||✔️|✔️|
-|Use Microsoft Endpoint Manager for management|✔️||✔️|
+|Use Microsoft Configuration Manager for management|✔️||✔️|
 |Use Group Policy for management|✔️||✔️|
 |Have devices that are domain-joined|✔️||✔️|
 |Allow faculty and students to Bring Your Own Device (BYOD) which aren't domain-joined||✔️|✔️|
@@ -359,7 +359,7 @@ You may ask the question, “Why plan for device, user, and app management befor
 Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device.
-Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, Microsoft Endpoint Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan.
+Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, Microsoft Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan.
 Table 6. Device, user, and app management products and technologies
@@ -464,7 +464,7 @@ Use the following Microsoft management systems and the deployment resources to p
 - [Windows Autopilot](/mem/autopilot/windows-autopilot)
-- Microsoft Endpoint Configuration Manager [core infrastructure documentation](/mem/configmgr/core/)
+- Microsoft Configuration Manager [core infrastructure documentation](/mem/configmgr/core/)
 - Provisioning packages:
diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md
index 5d51041ce7..2afa86f4c1 100644
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
@@ -1,7 +1,7 @@
 ---
 title: Configure federation between Google Workspace and Azure AD
 description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
-ms.date: 1/12/2023
+ms.date: 02/24/2023
 ms.topic: how-to
 ---
@@ -24,28 +24,29 @@ To test federation, the following prerequisites must be met:
 1. A Google Workspace environment, with users already created
 > [!IMPORTANT]
- > Users require an email address defined in Google Workspace, which is used to match the users in Azure AD
+ > Users require an email address defined in Google Workspace, which is used to match the users in Azure AD.
+ > For more information about identity matching, see [Identity matching in Azure AD](federated-sign-in.md#identity-matching-in-azure-ad).
 1. Individual Azure AD accounts already created: each Google Workspace user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
 - School Data Sync (SDS)
 - Azure AD Connect sync for environment with on-premises AD DS
 - PowerShell scripts that call the Microsoft Graph API
 - Provisioning tools offered by the IdP - this capability is offered by Google Workspace through [auto-provisioning](https://support.google.com/a/answer/7365072)
-## Configure Google Workspace as and IdP for Azure AD
+## Configure Google Workspace as an IdP for Azure AD
 1. Sign in to the [Google Workspace Admin Console](https://admin.google.com) with an account with *super admin* privileges
 1. Select **Apps > Web and mobile apps**
 1. Select **Add app > Search for apps** and search for *microsoft*
 1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
 :::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
-1. On the *Google Identity Provider details* page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Azure AD later
-1. On the *Service provider details* page
+1. 
On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Azure AD later
+1. On the **Service provider detail*s** page
 - Select the option **Signed response**
 - Verify that the Name ID format is set to **PERSISTENT**
- - Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping. For more information, see (article to write).\
+ - Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping.\
 If using Google auto-provisioning, select **Basic Information > Primary email**
 - Select **Continue**
-1. On the *Attribute mapping* page, map the Google attributes to the Azure AD attributes
+1. On the **Attribute mapping** page, map the Google attributes to the Azure AD attributes
 |Google Directory attributes|Azure AD attributes|
 |-|-|
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 4935d37ed7..25b23567fd 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -1,6 +1,6 @@
 ---
 title: Deploy Windows 10 in a school district (Windows 10)
-description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Endpoint Configuration Manager, Intune, and Group Policy to manage devices.
+description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Configuration Manager, Intune, and Group Policy to manage devices.
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
@@ -9,7 +9,7 @@ appliesto:
 # Deploy Windows 10 in a school district
-This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
+This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
 ## Prepare for district deployment
@@ -125,7 +125,7 @@ Now that you've the plan (blueprint) for your district and individual schools an
 The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI).
-You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
+You can use MDT as a stand-alone tool or integrate it with Microsoft Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
 This guide focuses on LTI deployments to deploy the reference device. You can use ZTI deployments with Configuration Manager or LTI deployments to deploy the reference images to your faculty and student devices. If you want to only use MDT, see [Deploy Windows 10 in a school](./deploy-windows-10-in-a-school.md).
@@ -163,7 +163,7 @@ The high-level process for deploying and configuring devices within individual c
 6. On the reference devices, deploy Windows 10 and the Windows desktop apps on the device, and then capture the reference image from the devices.
-7. Import the captured reference images into MDT or Microsoft Endpoint Configuration Manager.
+7. Import the captured reference images into MDT or Microsoft Configuration Manager.
 8. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
@@ -191,9 +191,9 @@ Before you select the deployment and management methods, you need to review the
 |Scenario feature |Cloud-centric|On-premises and cloud|
 |---|---|---|
 |Identity management | Azure AD (stand-alone or integrated with on-premises AD DS) | AD DS integrated with Azure AD |
-|Windows 10 deployment | MDT only | Microsoft Endpoint Manager with MDT |
+|Windows 10 deployment | MDT only | Microsoft Configuration Manager with MDT |
 |Configuration setting management | Intune | Group Policy

Intune|
-|App and update management | Intune |Microsoft Endpoint Configuration Manager

Intune|
+|App and update management | Intune |Microsoft Configuration Manager

Intune|
 *Table 1. Deployment and management scenarios*
@@ -205,19 +205,19 @@ These scenarios assume the need to support:
 Some constraints exist in these scenarios. As you select the deployment and management methods for your device, keep the following constraints in mind:
 * You can use Group Policy or Intune to manage configuration settings on a device but not both.
-* You can use Microsoft Endpoint Manager or Intune to manage apps and updates on a device but not both.
+* You can use Configuration Manager or Intune to manage apps and updates on a device but not both.
 * You can't manage multiple users on a device with Intune if the device is AD DS domain joined.
 Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district.
 ### Select the deployment methods
-To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
+To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
|Method|Description|
 |--- |--- |
 |MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.
Select this method when you:

  • Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)
  • Don’t have an existing AD DS infrastructure.
  • Need to manage devices regardless of where they are (on or off premises).
    The advantages of this method are that:
  • You can deploy Windows 10 operating systems
  • You can manage device drivers during initial deployment.
  • You can deploy Windows desktop apps (during initial deployment)
  • It doesn’t require an AD DS infrastructure.
  • It doesn’t have extra infrastructure requirements.
  • MDT doesn’t incur extra cost: it’s a free tool.
  • You can deploy Windows 10 operating systems to institution-owned and personal devices.
    The disadvantages of this method are that it:
  • Can’t manage applications throughout entire application life cycle (by itself).
  • Can’t manage software updates for Windows 10 and apps (by itself).
  • Doesn’t provide antivirus and malware protection (by itself).
  • Has limited scaling to large numbers of users and devices.|
-|Microsoft Endpoint Configuration Manager|
  • Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle
  • You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
    Select this method when you:
  • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
  • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
  • Typically deploy Windows 10 to on-premises devices.
    The advantages of this method are that:
  • You can deploy Windows 10 operating systems.
  • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
  • You can manage software updates for Windows 10 and apps.
  • You can manage antivirus and malware protection.
  • It scales to large number of users and devices.
    The disadvantages of this method are that it:
  • Carries an extra cost for Microsoft Endpoint Manager server licenses (if the institution doesn't have Configuration Manager already).
  • Can deploy Windows 10 only to domain-joined (institution-owned devices).
  • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).|
+|Microsoft Configuration Manager|
  • Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle
  • You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
    Select this method when you:
  • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
  • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
  • Typically deploy Windows 10 to on-premises devices.
    The advantages of this method are that:
  • You can deploy Windows 10 operating systems.
  • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
  • You can manage software updates for Windows 10 and apps.
  • You can manage antivirus and malware protection.
  • It scales to large number of users and devices.
    The disadvantages of this method are that it:
  • Carries an extra cost for Microsoft Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
  • Can deploy Windows 10 only to domain-joined (institution-owned devices).
  • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).|
 *Table 2. Deployment methods*
@@ -226,7 +226,7 @@ Record the deployment methods you selected in Table 3.
 |Selection | Deployment method|
 |--------- | -----------------|
 | |MDT by itself |
-| |Microsoft Endpoint Manager and MDT|
+| |Microsoft Configuration Manager and MDT|
 *Table 3. Deployment methods selected*
@@ -260,9 +260,9 @@ Use the information in Table 6 to determine which combination of app and update
 |Selection|Management method|
 |--- |--- |
-|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:
  • Selected Configuration Manager to deploy Windows 10.
  • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
  • Want to manage AD DS domain-joined devices.
  • Have an existing AD DS infrastructure.
  • Typically manage on-premises devices.
  • Want to deploy operating systems.
  • Want to provide application management for the entire application life cycle.
    The advantages of this method are that:
  • You can deploy Windows 10 operating systems.
  • You can manage applications throughout the entire application life cycle.
  • You can manage software updates for Windows 10 and apps.
  • You can manage antivirus and malware protection.
  • It scales to large numbers of users and devices.
    The disadvantages of this method are that it:
  • Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
  • Carries an extra cost for Windows Server licenses and the corresponding server hardware.
  • Can only manage domain-joined (institution-owned devices).
  • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
  • Typically manages on-premises devices (unless devices through VPN or DirectAccess).| +|Microsoft Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:
  • Selected Configuration Manager to deploy Windows 10.
  • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
  • Want to manage AD DS domain-joined devices.
  • Have an existing AD DS infrastructure.
  • Typically manage on-premises devices.
  • Want to deploy operating systems.
  • Want to provide application management for the entire application life cycle.
    The advantages of this method are that:
  • You can deploy Windows 10 operating systems.
  • You can manage applications throughout the entire application life cycle.
  • You can manage software updates for Windows 10 and apps.
  • You can manage antivirus and malware protection.
  • It scales to large numbers of users and devices.
    The disadvantages of this method are that it:
  • Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
  • Carries an extra cost for Windows Server licenses and the corresponding server hardware.
  • Can only manage domain-joined (institution-owned devices).
  • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
  • Typically manages on-premises devices (unless devices through VPN or DirectAccess).| |Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
    Select this method when you:
  • Selected MDT only to deploy Windows 10.
  • Want to manage institution-owned and personal devices that aren't domain joined.
  • Want to manage Azure AD domain-joined devices.
  • Need to manage devices regardless of where they are (on or off premises).
  • Want to provide application management for the entire application life cycle.
    The advantages of this method are that:
  • You can manage institution-owned and personal devices.
  • It doesn’t require that devices be domain joined.
  • It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).
  • You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
    The disadvantages of this method are that it:
  • Carries an extra cost for Intune subscription licenses.
  • can't deploy Windows 10 operating systems.| -|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
    Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
    Select this method when you:
  • Selected Microsoft Endpoint Manager to deploy Windows 10.
  • Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
  • Want to manage domain-joined devices.
  • Want to manage Azure AD domain-joined devices.
  • Have an existing AD DS infrastructure.
  • Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
  • Want to provide application management for the entire application life cycle.
    The advantages of this method are that:
  • You can deploy operating systems.
  • You can manage applications throughout the entire application life cycle.
  • You can scale to large numbers of users and devices.
  • You can support institution-owned and personal devices.
  • It doesn’t require that devices be domain joined.
  • It can manage devices regardless of their location (on or off premises).
    The disadvantages of this method are that it:
  • Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
  • Carries an extra cost for Windows Server licenses and the corresponding server hardware.
  • Carries an extra cost for Intune subscription licenses.
  • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).| +|Microsoft Configuration Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.

    Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.

    Select this method when you:
  • Selected Microsoft Configuration Manager to deploy Windows 10.
  • Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
  • Want to manage domain-joined devices.
  • Want to manage Azure AD domain-joined devices.
  • Have an existing AD DS infrastructure.
  • Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
  • Want to provide application management for the entire application life cycle.

    The advantages of this method are that:
  • You can deploy operating systems.
  • You can manage applications throughout the entire application life cycle.
  • You can scale to large numbers of users and devices.
  • You can support institution-owned and personal devices.
  • It doesn’t require that devices be domain joined.
  • It can manage devices regardless of their location (on or off premises).

    The disadvantages of this method are that it:
  • Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
  • Carries an extra cost for Windows Server licenses and the corresponding server hardware.
  • Carries an extra cost for Intune subscription licenses.
  • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).| *Table 6. App and update management products* @@ -270,9 +270,9 @@ Record the app and update management methods that you selected in Table 7. |Selection | Management method| |----------|------------------| -| |Microsoft Endpoint Manager by itself| +| |Microsoft Configuration Manager by itself| | |Intune by itself| -| |Microsoft Endpoint Manager and Intune (hybrid mode)| +| |Microsoft Configuration Manager and Intune (hybrid mode)| *Table 7. App and update management methods selected* 
@@ -315,16 +315,16 @@ For more information about how to create a deployment share, see [Step 3-1: Crea ### Install the Configuration Manager console > [!NOTE] -> If you selected Microsoft Endpoint Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next. +> If you selected Microsoft Configuration Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next. You can use Configuration Manager to manage Windows 10 deployments, Windows desktop apps, Microsoft Store apps, and software updates. To manage Configuration Manager, you use the Configuration Manager console. You must install the Configuration Manager console on every device you use to manage Configuration Manager (specifically, the admin device). The Configuration Manager console is automatically installed when you install Configuration Manager primary site servers. -For more information about how to install the Configuration Manager console, see [Install Microsoft Endpoint Manager consoles](/mem/configmgr/core/servers/deploy/install/installing-sites#bkmk_InstallConsole). +For more information about how to install the Configuration Manager console, see [Install Microsoft Configuration Manager consoles](/mem/configmgr/core/servers/deploy/install/installing-sites#bkmk_InstallConsole). 
### Configure MDT integration with the Configuration Manager console > [!NOTE] -> If you selected MDT only to deploy Windows 10 and your apps (and not Microsoft Endpoint Configuration Manager) in [Select the deployment methods](#select-the-deployment-methods), earlier in this article, then skip this section and continue to the next. +> If you selected MDT only to deploy Windows 10 and your apps (and not Microsoft Configuration Manager) in [Select the deployment methods](#select-the-deployment-methods), earlier in this article, then skip this section and continue to the next. You can use MDT with Configuration Manager to make ZTI operating system deployment easier. To configure MDT integration with Configuration Manager, run the Configure ConfigMgr Integration Wizard. This wizard is installed when you install MDT. 
@@ -841,7 +841,7 @@ At the end of this section, you should know the Windows 10 editions and processo ## Prepare for deployment -Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Endpoint Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers. +Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Configuration Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers. ### Configure the MDT deployment share 
@@ -851,17 +851,17 @@ The first step in preparing for Windows 10 deployment is to configure—that is, |--- |--- | |1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| |2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device can't play sounds; without the proper camera driver, the device can't take photos or use video chat.
    Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| -|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
    Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files by performing one of the following tasks:
  • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
  • For apps that aren't offline licensed, obtain the .appx files from the app software vendor directly.

    If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
    If you've Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
    In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
  • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
  • Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).| +|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
    Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files by performing one of the following tasks:
  • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
  • For apps that aren't offline licensed, obtain the .appx files from the app software vendor directly.

    If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
    If you've Intune or Microsoft Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
    In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
  • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
  • Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).| |4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you've sufficient licenses for them.
    To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).
    If you've Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.
    This is the preferred method for deploying and managing Windows desktop apps.
    **Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
    For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).| |5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:
  • Deploy 64-bit Windows 10 Education to devices.
  • Deploy 32-bit Windows 10 Education to devices.
  • Upgrade existing devices to 64-bit Windows 10 Education.
  • Upgrade existing devices to 32-bit Windows 10 Education.

    Again, you'll create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).| |6. Update the deployment share|Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
    For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).| *Table 16. Tasks to configure the MDT deployment share* -### Configure Microsoft Endpoint Configuration Manager +### Configure Microsoft Configuration Manager > [!NOTE] -> If you've already configured your Microsoft Endpoint Manager infrastructure to support the operating system deployment feature or if you selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next section. +> If you've already configured your Microsoft Configuration Manager infrastructure to support the operating system deployment feature or if you selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next section. Before you can use Configuration Manager to deploy Windows 10 and manage your apps and devices, you must configure Configuration Manager to support the operating system deployment feature. If you don’t have an existing Configuration Manager infrastructure, you'll need to deploy a new infrastructure. 
@@ -871,21 +871,21 @@ Deploying a new Configuration Manager infrastructure is beyond the scope of this * [Start using Configuration Manager](/mem/configmgr/core/servers/deploy/start-using) -#### To configure an existing Microsoft Endpoint Manager infrastructure for operating system deployment +#### To configure an existing Microsoft Configuration Manager infrastructure for operating system deployment 1. Perform any necessary infrastructure remediation. - Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/plan-design/infrastructure-requirements-for-operating-system-deployment). + Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in Microsoft Configuration Manager](/mem/configmgr/osd/plan-design/infrastructure-requirements-for-operating-system-deployment). 2. Add the Windows PE boot images, Windows 10 operating systems, and other content. You need to add the Windows PE boot images, Windows 10 operating system images, and other deployment content that you'll use to deploy Windows 10 with ZTI. To add this content, use the Create MDT Task Sequence Wizard. - You can add this content by using Microsoft Endpoint Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](/mem/configmgr/mdt/use-the-mdt#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager). 
+ You can add this content by using Microsoft Configuration Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](/mem/configmgr/mdt/use-the-mdt#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager). 3. Add device drivers. You must add device drivers for the different device types in your district. For example, if you've a mixture of Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you must have the device drivers for each device. - Create a Microsoft Endpoint Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](/mem/configmgr/osd/get-started/manage-drivers). + Create a Microsoft Configuration Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](/mem/configmgr/osd/get-started/manage-drivers). 4. Add Windows apps. Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that includes Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you can't capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices. 
@@ -914,14 +914,14 @@ You can use Windows Deployment Services in conjunction with MDT to automatically For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). -### Configure Windows Deployment Services for Microsoft Endpoint Configuration Manager +### Configure Windows Deployment Services for Microsoft Configuration Manager > [!NOTE] -> If you've already configured your Microsoft Endpoint Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next. +> If you've already configured your Microsoft Configuration Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next. You can use Windows Deployment Services in conjunction with Configuration Manager to automatically initiate boot images on target devices. These boot images are Windows PE images that you use to boot the target devices, and then initiate Windows 10, app, and device driver deployment. -#### To configure Windows Deployment Services for Microsoft Endpoint Configuration Manager +#### To configure Windows Deployment Services for Microsoft Configuration Manager 1. Set up and configure Windows Deployment Services. 
@@ -944,7 +944,7 @@ You can use Windows Deployment Services in conjunction with Configuration Manage #### Summary -Your MDT deployment share and Microsoft Endpoint Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You've set up and configured Windows Deployment Services for MDT and for Configuration Manager. You've also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you've in your district. +Your MDT deployment share and Microsoft Configuration Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You've set up and configured Windows Deployment Services for MDT and for Configuration Manager. You've also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you've in your district. ## Capture the reference image 
@@ -1015,7 +1015,7 @@ Both the Deployment Workbench and the Configuration Manager console have wizards For more information about how to import the reference image into: * An MDT deployment share, see [Import a Previously Captured Image of a Reference Computer](/mem/configmgr/mdt/use-the-mdt#ImportaPreviouslyCapturedImageofaReferenceComputer). -* Microsoft Endpoint Configuration Manager, see [Manage operating system images with Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/get-started/manage-operating-system-images) and [Customize operating system images with Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/get-started/customize-operating-system-images). +* Microsoft Configuration Manager, see [Manage operating system images with Microsoft Configuration Manager](/mem/configmgr/osd/get-started/manage-operating-system-images) and [Customize operating system images with Microsoft Configuration Manager](/mem/configmgr/osd/get-started/customize-operating-system-images). ### Create a task sequence to deploy the reference image 
@@ -1026,10 +1026,10 @@ As you might expect, both the Deployment Workbench and the Configuration Manager For more information about how to create a task sequence in the: * Deployment Workbench for a deployment share, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench). -* Configuration Manager console, see [Create a task sequence to install an operating system in Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/create-a-task-sequence-to-install-an-operating-system). +* Configuration Manager console, see [Create a task sequence to install an operating system in Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/create-a-task-sequence-to-install-an-operating-system). #### Summary -In this section, you customized the MDT deployment share to deploy Windows 10 and desktop apps to one or more reference devices by creating and customizing MDT applications, device drivers, and applications. Next, you ran the task sequence, which deploys Windows 10, deploys your apps, deploys the appropriate device drivers, and captures an image of the reference device. Then, you imported the captured reference image into a deployment share or Microsoft Endpoint Configuration Manager. Finally, you created a task sequence to deploy your captured reference image to faculty and student devices. At this point in the process, you’re ready to deploy Windows 10 and your apps to your devices. +In this section, you customized the MDT deployment share to deploy Windows 10 and desktop apps to one or more reference devices by creating and customizing MDT applications, device drivers, and applications. Next, you ran the task sequence, which deploys Windows 10, deploys your apps, deploys the appropriate device drivers, and captures an image of the reference device. Then, you imported the captured reference image into a deployment share or Microsoft Configuration Manager. 
Finally, you created a task sequence to deploy your captured reference image to faculty and student devices. At this point in the process, you’re ready to deploy Windows 10 and your apps to your devices. ## Prepare for device management @@ -1095,7 +1095,7 @@ For more information about Intune, see [Microsoft Intune Documentation](/intune/ ### Deploy and manage apps by using Intune -If you selected to deploy and manage apps by using Microsoft Endpoint Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager) section. +If you selected to deploy and manage apps by using Microsoft Configuration Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager) section. You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that aren't enrolled in Intune or that another solution manages. 
@@ -1106,9 +1106,9 @@ For more information about how to configure Intune to manage your apps, see the
 - [Protect apps and data with Microsoft Intune](/mem/intune/apps/app-protection-policy)
 - [Help protect your data with full or selective wipe using Microsoft Intune](/mem/intune/remote-actions/devices-wipe)
-### Deploy and manage apps by using Microsoft Endpoint Configuration Manager
+### Deploy and manage apps by using Microsoft Configuration Manager
-You can use Microsoft Endpoint Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
+You can use Microsoft Configuration Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
 For example, you could create a Skype application that contains a deployment type for Windows 10 desktop, iOS, and Android. You can deploy the one application to multiple device types. 
@@ -1121,7 +1121,7 @@ For more information about how to configure Configuration Manager to deploy and
 ### Manage updates by using Intune
-If you selected to manage updates by using Configuration Manager and Intune in a hybrid configuration, then skip this section and continue to the [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager) section.
+If you selected to manage updates by using Configuration Manager and Intune in a hybrid configuration, then skip this section and continue to the [Manage updates by using Microsoft Configuration Manager](#manage-updates-by-using-microsoft-configuration-manager) section.
 To help ensure that your users have the most current features and security protection, keep Windows 10 and your apps current with updates. To configure Windows 10 and app updates, use the **Updates** workspace in Intune.
@@ -1133,7 +1133,7 @@ For more information about how to configure Intune to manage updates and malware
 - [Keep Windows PCs up to date with software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure)
 - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](/mem/intune/protect/endpoint-protection-configure)
-### Manage updates by using Microsoft Endpoint Configuration Manager
+### Manage updates by using Microsoft Configuration Manager
 To ensure that your users have the most current features and security protection, use the software updates feature in Configuration Manager to manage updates. The software updates feature works in conjunction with WSUS to manage updates for Windows 10 devices. 
@@ -1146,7 +1146,7 @@ For more information about how to configure Configuration Manager to manage Wind
 #### Summary
-In this section, you prepared your institution for device management. You identified the configuration settings that you want to use to manage your users and devices. You configured Group Policy or Intune to manage these configuration settings. You configured Intune or Microsoft Endpoint Manager to manage your apps. Finally, you configured Intune or Microsoft Endpoint Manager to manage software updates for Windows 10 and your apps.
+In this section, you prepared your institution for device management. You identified the configuration settings that you want to use to manage your users and devices. You configured Group Policy or Intune to manage these configuration settings. You configured Intune or Microsoft Configuration Manager to manage your apps. Finally, you configured Intune or Microsoft Configuration Manager to manage software updates for Windows 10 and your apps.
 ## Deploy Windows 10 to devices
@@ -1159,7 +1159,7 @@ Prior to deployment of Windows 10, complete the tasks in Table 18. Most of these
 | | Task |
 |:---|:---|
 |**1.** |Ensure that the target devices have sufficient system resources to run Windows 10.|
-|**2.** |Identify the necessary devices drivers, and then import them into the MDT deployment share or Microsoft Endpoint Configuration Manager.|
+|**2.** |Identify the necessary devices drivers, and then import them into the MDT deployment share or Microsoft Configuration Manager.|
 |**3.** |For each Microsoft Store and Windows desktop app, create an MDT application or Configuration Manager application.|
 |**4.** |Notify the students and faculty about the deployment.|
@@ -1243,11 +1243,11 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour
 |Verify that Windows Update is active and current with operating system and software updates.
    For more information about completing this task when you have:
  • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure)
  • Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
  • WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
    Neither Intune, Group Policy, nor WSUS, see "Install, upgrade, & activate" in Windows 10 help.|✔️|✔️|✔️| |Verify that Windows Defender is active and current with malware Security intelligence.
    For more information about completing this task, see [Turn Windows Defender on or off](/mem/intune/user-help/turn-on-defender-windows) and [Updating Windows Defender](/mem/intune/user-help/turn-on-defender-windows).|✔️|✔️|✔️| |Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
    For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|✔️|✔️|✔️| -|Download and approve updates for Windows 10, apps, device driver, and other software.
    For more information, see:
  • [Manage updates by using Intune](#manage-updates-by-using-intune)
  • [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|✔️|✔️|✔️| +|Download and approve updates for Windows 10, apps, device driver, and other software.
    For more information, see:
  • [Manage updates by using Intune](#manage-updates-by-using-intune)
  • [Manage updates by using Microsoft Configuration Manager](#manage-updates-by-using-microsoft-configuration-manager)|✔️|✔️|✔️| |Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
    For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||✔️|✔️| |Refresh the operating system and apps on devices.
    For more information about completing this task, see the following resources:
  • [Prepare for deployment](#prepare-for-deployment)
  • [Capture the reference image](#capture-the-reference-image)
  • [Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||✔️|✔️| -|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
    For more information, see:
  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
  • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️| -|Install new or update existing Microsoft Store apps used in the curriculum.
    Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
    You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration.
    For more information, see:
  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
  • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️| +|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
    For more information, see:
  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
  • [Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager)||✔️|✔️| +|Install new or update existing Microsoft Store apps used in the curriculum.
    Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
    You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Configuration Manager, or both in a hybrid configuration.
    For more information, see:
  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
  • [Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager)||✔️|✔️| |Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you've an on-premises AD DS infrastructure).
    For more information about how to:
  • Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)
  • Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| |Add new accounts (and corresponding licenses) to AD DS (if you've an on-premises AD DS infrastructure).
    For more information about how to:
  • Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
  • Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| |Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you don't have an on-premises AD DS infrastructure).
    For more information about how to:
  • Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)
  • Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️|
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 1655458c44..34726cf380 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -79,13 +79,13 @@ Now that you've the plan (blueprint) for your classroom, you’re ready to learn
 The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI).
-You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
+You can use MDT as a stand-alone tool or integrate it with Microsoft Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
 MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices.
 LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. 
You'll learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section.
-The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with [Microsoft Endpoint Manager](/mem/), the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements.
+The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), [Configuration Manager](/mem/configmgr/core/understand/introduction), the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements.
 The configuration process requires the following devices:
diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md
index 023393a04f..56094c8023 100644
--- a/education/windows/edu-stickers.md
+++ b/education/windows/edu-stickers.md
@@ -8,6 +8,7 @@ appliesto:
 ms.collection:
 - highpri
 - education
+ - tier2
 ---
 # Configure Stickers for Windows 11 SE
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
deleted file mode 100644
index 1a86e4e1c4..0000000000
--- a/education/windows/education-scenarios-store-for-business.md
+++ /dev/null
@@ -1,144 +0,0 @@ ---- -title: Education scenarios Microsoft Store for Education -description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools. -ms.topic: article -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 and later ---- - -# Working with Microsoft Store for Education - -Learn about education scenarios for Microsoft Store for Education. IT admins and teachers can use Microsoft Store to find, acquire, distribute, and manage apps. - -Many of the [settings in Microsoft Store for Business](/microsoft-store/settings-reference-microsoft-store-for-business) also apply in Microsoft Store for Education. Several of the items in this topic are unique to Microsoft Store for Education. - -## Basic Purchaser role -Applies to: IT admins - -By default, when a teacher with a work or school account signs up for Microsoft Store for Education, the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to: -- View the Minecraft: Education Edition product description page -- Acquire and manage Minecraft: Education Edition, and other apps from Store for Education -- Use info on **Support** (including links to documentation and access to support through customer service) - -> [!NOTE] -> People with the **Basic Purchaser** role can only manage (assign and reclaim licenses) for apps that they purchased. They can't manage apps purchased by people with **Purchaser** or **Admin** roles. - -Admins can control whether or not teachers are automatically assigned the **Basic Purchaser** role. You can configure this with **Make everyone a Basic Purchaser**. You'll find this on **Settings**, with **Shop** settings. - -**To manage Make everyone a Basic Purchaser** -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) -2. Click **Manage**, and then click **Settings**. -3. On **Shop**, select or clear **Make everyone a Basic Purchaser**. 
- -> [!NOTE] -> **Make everyone a Basic Purchaser** is on by default. - -When **Make everyone a Basic Purchaser** is turned off, admins can manually assign the role to teachers. - -**To assign Basic Purchaser role** - -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) -2. Click **Manage**, and then choose **Permissions**. -3. On **Roles**, click **Assign roles**, type and select a name, choose the role you want to assign, and then click **Save**. - - -**Blocked Basic Purchasers** - -When **Make everyone a Basic Purchaser** is on, admins can still manage which users have the **Basic Purchaser** role. An admin can unassign the **Basic Purchaser** role from a user, and the user is added to a list of **Blocked Basic Purchasers**. Admins can review who are **Basic Purchasers** and **Blocked Basic Purchasers** on **Permissions**. - -## Private store - -Applies to: IT admins - -When you create your Microsoft Store for Education account, you'll have a set of apps included for free in your private store. Apps in your private store are available for all people in your organization to install and use. - -These apps will automatically be in your private store: -- Word mobile -- Excel mobile -- PowerPoint mobile -- OneNote -- Sway -- Fresh Paint -- Minecraft: Education Edition - -As an admin, you can remove any of these apps from the private store if you'd prefer to control how apps are distributed. - -## Manage domain settings - -Applies to: IT admins - -### Self-service sign up -Self-service sign-up makes it easier for users in your organization to sign up for online services from Microsoft. We call this sign up process "self-service sign-up" because your users can sign up to use services paid by your subscription, or use free services, without asking you to take action on their behalf. 
For more information on self-service sign up, see [Using self-service sign up in your organization](https://support.office.com/article/Using-self-service-sign-up-in-your-organization-4f8712ff-9346-4c6c-bb63-a21ad7a62cbd?ui=en-US&rs=en-US&ad=US). - -### Domain verification -For education organizations, domain verification ensures you are on the academic verification list. As an admin, you might need to verify your domain using the Microsoft 365 admin center. For more information, see [Verify your Office 365 domain to prove ownership, nonprofit or education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590?ui=en-US&rs=en-US&ad=US). - -## Acquire apps -Applies to: IT admins and teachers - -Find apps for your school using Microsoft Store for Business. Admins in an education setting can use the same processes as Admins in an enterprise setting to find and acquire apps. - -**To acquire apps** -- For info on how to acquire apps, see [Acquire apps in Microsoft Store for Business](/microsoft-store/acquire-apps-windows-store-for-business#acquire-apps) - -**To add a payment method - debit or credit card** - -If the app you purchase has a price, you’ll need to provide a payment method. -- During your purchase, click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card. - -For more information on payment options, see [payment options](/microsoft-store/acquire-apps-windows-store-for-business#payment-options). - -For more information on tax rates, see [tax information](/microsoft-store/update-windows-store-for-business-account-settings#organization-tax-information). - -## Manage apps and software -Applies to: IT admins and teachers - -## Manage purchases -IT admins and teachers in educational settings can purchase apps from Microsoft Store for Education. 
Teachers need to have the Basic purchaser role, but if they've acquired Minecraft: Education Edition, they have the role by default. - -While both groups can purchase apps, they can't manage purchases made by the other group. - -Admins can: -- Manage and distribute apps they purchased and apps purchased by other admins in the organization. -- View apps purchased by teachers. -- View and manage apps on **Manage**, under **Apps & software**. - -Teachers can: -- Manage and distribute apps they purchased. -- View and manage apps on **Manage**, under **Apps & software**. - -> [!NOTE] -> Teachers with the Basic purchaser role can't manage or view apps purchased by other teachers, or purchased by admins. Teachers can only work with the apps they purchased. - -## Distribute apps - -**To manage and distribute apps** -- For info on how to manage and distribute apps, see [App inventory management - Microsoft Store for Business](/microsoft-store/app-inventory-management-windows-store-for-business) - -**To assign an app to a student** - -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then choose **Apps & software**. -3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**. -4. Type the email address, or name for the student that you're assigning the app to, and click **Assign**. - -Employees will receive an email with a link that will install the app on their device. Click the link to start the Microsoft Store app, and then click **Install**. Also, in the Microsoft Store app, they can find the app under **My Library**. - -### Purchase more licenses -Applies to: IT admins and teachers - -You can manage current app licenses, or purchase more licenses for apps in **Apps & software**. - -**To purchase additional app licenses** -1. Click **Manage**, click **Apps & software**, and then click an app. -2. Click **Buy more** to purchase more licenses
    -
-You'll have a summary of current license availability.
-
-## Manage order history
-Applies to: IT admins and teachers
-
-You can manage your orders through Microsoft Store for Business. For info on order history and how to refund an order, see [Manage app orders in Microsoft Store for Business](/microsoft-store/manage-orders-microsoft-store-for-business).
-
-It can take up to 24 hours after a purchase, before a receipt is available on your **Order history page**.
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
index 09ceb1908c..eefe5ce3e3 100644
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@@ -1,16 +1,21 @@
 ---
 title: Configure federated sign-in for Windows devices
-description: Description of federated sign-in feature for Windows 11 SE and how to configure it via Intune
-ms.date: 01/12/2023
+description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
+ms.date: 02/24/2023
 ms.topic: how-to
 appliesto:
- - ✅ Windows 11 SE
+ - ✅ Windows 11
+ms.collection:
+ - highpri
+ - tier1
+ - education
 ---
-
-# Configure federated sign-in for Windows 11 SE
+# Configure federated sign-in for Windows devices
-Starting in Windows 11 SE, version 22H2, you can enable your users to sign-in using a SAML 2.0 identity provider (IdP). This feature is called *federated sign-in*. Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
+Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via web sign-in.\
+This feature is called *federated sign-in*.\
+Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
 ## Benefits of federated sign-in 
@@ -23,33 +28,44 @@ With fewer credentials to remember and a simplified sign-in process, students ar
 To implement federated sign-in, the following prerequisites must be met:
-1. An Azure AD tenant, with one or multiple domains federated to a third-party SAML 2.0 IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1]
+1. An Azure AD tenant, with one or multiple domains federated to a third-party IdP. For more information, see [What is federation with Azure AD?][AZ-1] and [Use a SAML 2.0 IdP for Single Sign On][AZ-4]
 >[!NOTE]
 >If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, refer to these [guidelines][MSFT-1].
- >
- >For a step-by-step guide on how to configure Google Workspace as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md).
+
+ - For a step-by-step guide on how to configure **Google Workspace** as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md)
+ - For a step-by-step guide on how to configure **Clever** as an identity provider for Azure AD, see [Setup guide for Badges into Windows and Azure AD][EXT-1]
 1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform
 1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. 
These accounts are commonly created through automated solutions, for example:
 - [School Data Sync (SDS)][SDS-1]
 - [Azure AD Connect sync][AZ-3] for environment with on-premises AD DS
 - PowerShell scripts that call the [Microsoft Graph API][GRAPH-1]
 - provisioning tools offered by the IdP
+
+ For more information about identity matching, see [Identity matching in Azure AD](#identity-matching-in-azure-ad).
 1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2]
-1. Enable federated sign-in on the Windows devices that the users will be using
- > [!IMPORTANT]
- > This feature is exclusively available for Windows 11 SE, version 22H2.
+1. Enable federated sign-in on the Windows devices
 To use federated sign-in, the devices must have Internet access. This feature won't work without it, as the authentication is done over the Internet.
-## Enable federated sign-in on devices
-
-
-To sign-in with a SAML 2.0 identity provider, your devices must be configured with different policies, which can be configured using Microsoft Intune.
+To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
 [!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
@@ -65,25 +81,25 @@ To sign-in with a SAML 2.0 identity provider, your devices must be configured wi
 [!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
 [!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
-
 ## How to use federated sign-in 
@@ -102,24 +118,62 @@ Federated sign-in doesn't work on devices that have the following settings enabl
 - **EnableSharedPCMode**, which is part of the [SharedPC CSP][WIN-1]
 - **Interactive logon: do not display last signed in**, which is a security policy part of the [Policy CSP][WIN-2]
-- **Take a Test**, since it leverages the security policy above
+- **Take a Test**, since it uses the security policy above
+
+### Identity matching in Azure AD
+
+When an Azure AD user is federated, the user's identity from the IdP must match an existing user object in Azure AD.
+After the token sent by the IdP is validated, Azure AD searches for a matching user object in the tenant by using an attribute called *ImmutableId*.
+
+> [!NOTE]
+> The ImmutableId is a string value that **must be unique** for each user in the tenant, and it shouldn't change over time. For example, the ImmutableId could be the student ID or SIS ID. The ImmutableId value should be based on the federation setup and configuration with your IdP, so confirm with your IdP before setting it.
+
+If the matching object is found, the user is signed-in. If not, the user is presented with an error message. The following picture shows that a user with the ImmutableId *260051* can't be found:
+
+:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Azure AD sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png":::
+
+> [!IMPORTANT]
+> The ImmutableId matching is case-sensitive.
+
+The ImmutableId is typically configured when the user is created in Azure AD, but it can also be updated later.\
+In a scenario where a user is federated and you want to change the ImmutableId, you must:
+
+1. Convert the federated user to a cloud-only user (update the UPN to a non-federated domain)
+1. Update the ImmutableId
+1. 
Convert the user back to a federated user
+
+Here's a PowerShell example to update the ImmutableId for a federated user:
+
+```powershell
+#1. Convert the user from federated to cloud-only
+Get-AzureADUser -SearchString alton@example.com | Set-AzureADUser -UserPrincipalName alton@example.onmicrosoft.com
+
+#2. Convert the user back to federated, while setting the immutableId
+Get-AzureADUser -SearchString alton@example.onmicrosoft.com | Set-AzureADUser -UserPrincipalName alton@example.com -ImmutableId '260051'
+```
 ## Troubleshooting
 - The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen
 - Select the *Other User* button, and the standard username/password credentials are available to log into the device
-[AZ-1]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp
+
+
+[AZ-1]: /azure/active-directory/hybrid/whatis-fed
 [AZ-2]: /azure/active-directory/enterprise-users/licensing-groups-assign
 [AZ-3]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
+[AZ-4]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp
 [GRAPH-1]: /graph/api/user-post-users?tabs=powershell
+[EXT-1]: https://support.clever.com/hc/s/articles/000001546
 [MEM-1]: /mem/intune/configuration/custom-settings-windows-10
 [MSFT-1]: https://www.microsoft.com/download/details.aspx?id=56843
 [SDS-1]: /schooldatasync
+[KB-1]: https://support.microsoft.com/kb/5022913
+
 [WIN-1]: /windows/client-management/mdm/sharedpc-csp
 [WIN-2]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin
\ No newline at end of file
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 903d8182e3..0c1e50cd52 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
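Review bot: Both commands in the new PowerShell example select the account with `-SearchString`, which is a starts-with match on display name and UPN and can return more than one user, so the pipeline would rewrite the UPN (and in step 2 the ImmutableId) of every match; `Get-AzureADUser -ObjectId alton@example.com` resolves exactly one account and is the safer form for a change that re-points a user's sign-in identity. The procedure also has no verification step: if step 2 fails (for example because the new ImmutableId is already in use, which the NOTE above says must not happen), the user stays on the non-federated `.onmicrosoft.com` UPN and presumably can't use federated sign-in until someone notices, so the text should advise running both steps together and checking the result with `Get-AzureADUser -ObjectId alton@example.com | Select-Object UserPrincipalName, ImmutableId`. Finally, the sample depends on the AzureAD PowerShell module, whose deprecation has been announced; a sentence pointing readers to the Microsoft Graph PowerShell equivalent would keep the page current (confirm the exact cmdlet and parameter names before publishing).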
@@ -1,29 +1,149 @@ --- -title: Get Minecraft Education Edition -description: Learn how to get and distribute Minecraft Education Edition. +title: Get and deploy Minecraft Education +description: Learn how to obtain and distribute Minecraft Education to Windows devices. ms.topic: how-to -ms.date: 08/10/2022 +ms.date: 02/23/2023 appliesto: - ✅ Windows 10 and later ms.collection: - highpri - education + - tier2 --- -# Get Minecraft: Education Edition +# Get and deploy Minecraft Education -[Minecraft: Education Edition](https://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. +Minecraft Education is a game-based platform that inspires creative and inclusive learning through play. Explore blocky worlds that unlock new ways to tackle any subject or challenge. Dive into subjects like reading, math, history, and coding with lessons and standardized curriculum designed for all types of learners. Or explore and build together in creative open worlds. - +**Use it your way**: with hundreds of ready-to-teach lessons, creative challenges, and blank canvas worlds, there are lots of ways to make Minecraft Education work for your students. It's easy to get started, no gaming experience necessary. -Teachers and IT administrators can now get access to **Minecraft: Education Edition** and add it their Microsoft Admin Center for distribution. +**Prepare students for the future**: learners develop key skills like problem solving, collaboration, digital citizenship, and critical thinking to help them thrive now and in the future workplace. Spark a passion for STEM. -## Prerequisites - -- For a complete list of Operating Systems supported by **Minecraft: Education Edition**, see [here](https://educommunity.minecraft.net/hc/articles/360047556591-System-Requirements). -- Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD). 
- - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**. - - Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://www.microsoft.com/education/products/office) - - If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription) +**Game based learning**: unlock creativity and deep learning with immersive content created with partners including BBC Earth, NASA, and the Nobel Peace Center. Inspire students to engage in real-world topics, with culturally relevant lessons and build challenges.  -[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft. +## Minecraft Education key features + +- Multiplayer mode enables collaboration in-game across platforms, devices, and hybrid environments  +- Code Builder supports block-based coding, JavaScript, and Python with intuitive interface and in-game execution  +- Immersive Reader helps players read and translate text  +- Camera and Book & Quill items allow documentation and export of in-game creations  +- Integration with Microsoft Teams and Flipgrid supports assessment and teacher controls  + +## Try or purchase Minecraft Education + +Users in a Microsoft-verified academic organization with Microsoft 365 accounts have [access to a free trial][EDU-1] for Minecraft Education. This grants faculty accounts 25 free logins, and student accounts 10 free logins before a paid license is required to continue playing. Users in non-Microsoft-verified academic organizations have 10 free logins. 
+ +Organizations can [purchase subscriptions][EDU-2] directly in the *Microsoft 365 admin center*, via volume licensing agreements, or through partner resellers. + +When you sign up for a Minecraft Education trial, or purchase a subscription, Minecraft Education licenses are linked to your Azure Active Directory (Azure AD) tenant. If you don't have an Azure AD tenant: + +- Microsoft-verified academic organizations can set up a free [Office 365 Education subscription][EDU-3], which includes an Azure AD tenant +- Non-Microsoft-verified academic organizations can set up a free Azure AD tenant when they [purchase Minecraft Education commercial licenses][EDU-4] + +### Direct purchase + +To purchase direct licenses: + +1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **How to Buy** in the top navigation bar +1. Scroll down and select **Buy Now** under **Direct Purchase** +1. In the *purchase* page, sign in with an account that has *Billing Admin* privileges in your organization +1. If necessary, fill in any requested organization or payment information +1. Select the quantity of licenses you'd like to purchase and select **Place Order** +1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses) + +If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses). + +### Volume licensing + +Qualified education institutions can purchase Minecraft Education licenses through their Microsoft channel partner. Schools need to be part of the *Enrollment for Education Solutions* (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft Education licensing offer is best for their institution. The process looks like this: + +1. Your channel partner will submit and process your volume license order +1. 
Your licenses will show on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx) +1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses) + +### Payment options + +You can pay for Minecraft Education with a debit or credit card, or with an invoice. + +#### Debit or credit cards + +During the purchase, select **Add a new payment method**. Provide the information needed for your debit or credit card. + +#### Invoices + +Invoices are a supported payment method for Minecraft Education. There are a few requirements: + +- $500 invoice minimum for your initial purchase +- $15,000 invoice maximum (for all invoices within your organization) + +To pay with an invoice: + +1. During the purchase, select **Add a new payment method.** +2. Select the **Invoice** option, and provide the information needed for an invoice. The **PO number** item allows you to add a tracking number or info that is meaningful to your organization. + +For more information about invoices and how to pay by invoice, see [Payment options for your Microsoft subscription][M365-1]. + +## Assign Minecraft Education licenses + +You can assign and manage Minecraft Education licenses from the Microsoft 365 admin center.\ +You must be a *Global*, *License*, or *User admin* to assign licenses. For more information, see [About Microsoft 365 admin roles][M365-2]. + +1. Go to [https://admin.microsoft.com](https://admin.microsoft.com) and sign in with an account that can assign licenses in your organization +1. From the left-hand menu in Microsoft Admin Center, select *Users* +1. From the Users list, select the users you want to add or remove for Minecraft Education access +1. 
Add the relevant Minecraft Education, A1 for device or A3/A5 license if it not assigned already + > [!Note] + > If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions. +1. If you've assigned a Microsoft 365 A3 or A5 license, after selecting the product license, ensure to toggle *Minecraft Education* on + > [!Note] + > If you turn off this setting after students have been using Minecraft Education, they will have up to 30 more days to use Minecraft Education before they don't have access + +:::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png"::: + +For more information about license assignment, see [Manage Licenses in the Admin Center][EDU-5]. + +## Distribute Minecraft Education + +There are different ways to install Minecraft Education on Windows devices. You can manually install the app on each device, or you can use a deployment tool to distribute the app to multiple devices. +If you're using Microsoft Intune to manage your devices, follow these steps to deploy Minecraft Education: + +1. Go to the Microsoft Intune admin center +1. Select **Apps > Windows > Add** +1. Under *App type*, select **Microsoft Store app (new)** and choose **Select** +1. Select **Search the Microsoft Store app (new)** and search for **Minecraft Education** +1. Select the app and choose **Select** +1. On the *App information* screen, select **Next** +1. On the *Assignments* screen, choose how you want to target the installation of Minecraft Education + - *Required* means that Intune installs the app without user interaction + - *Available* enables Minecraft Education in the Company Portal, where users can install the app on-demand +1. Select **Next** +1. 
On the *Review + Create* screen, select **Create** + +Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs. + +:::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device."::: + +For more information how to deploy Minecraft Education, see: + +- [Windows installation guide][EDU-6] +- [Chromebook installation guide][EDU-7] +- [iOS installation guide][EDU-8] +- [macOS installation guide][EDU-9] + +If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1]. + + +[EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432 +[EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532 +[EDU-3]: https://www.microsoft.com/education/products/office +[EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812 +[EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956 +[EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672 +[EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516 +[EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351 +[EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792 + +[M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription +[M365-2]: /microsoft-365/admin/add-users/about-admin-roles + +[AKA-1]: https://aka.ms/minecraftedusupport diff --git a/education/windows/images/federated-sign-in-settings-ppkg.png b/education/windows/images/federated-sign-in-settings-ppkg.png new file mode 100644 index 0000000000..553c40b0dd Binary files /dev/null and b/education/windows/images/federated-sign-in-settings-ppkg.png differ 
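Review bot: In the *Assign Minecraft Education licenses* steps, `Add the relevant Minecraft Education, A1 for device or A3/A5 license if it not assigned already` is missing a verb; `if it isn't assigned already` reads correctly. The same section says a *Global*, *License*, or *User admin* can assign licenses; leading with the least-privileged option, e.g. `You must be a *License admin* (or a *User admin* or *Global admin*) to assign licenses`, steers readers away from doing routine license work with a global administrator account and matches the *Billing Admin* guidance already given for purchases. In the reference block at the end of the file, `[EDU-6]` is listed before `[EDU-5]` while the rest of the list is in order.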
diff --git a/education/windows/images/federation/user-match-lookup-failure.png b/education/windows/images/federation/user-match-lookup-failure.png new file mode 100644 index 0000000000..93fc3a4aa2 Binary files /dev/null and b/education/windows/images/federation/user-match-lookup-failure.png differ diff --git a/education/windows/images/minecraft/admin-center-minecraft-license.png b/education/windows/images/minecraft/admin-center-minecraft-license.png new file mode 100644 index 0000000000..ef96f3ef69 Binary files /dev/null and b/education/windows/images/minecraft/admin-center-minecraft-license.png differ diff --git a/education/windows/images/minecraft/mcee-invoice-info.png b/education/windows/images/minecraft/mcee-invoice-info.png deleted file mode 100644 index f4bf29f8b2..0000000000 Binary files a/education/windows/images/minecraft/mcee-invoice-info.png and /dev/null differ diff --git a/education/windows/images/minecraft/win11-minecraft-education.png b/education/windows/images/minecraft/win11-minecraft-education.png new file mode 100644 index 0000000000..84a8d86b96 Binary files /dev/null and b/education/windows/images/minecraft/win11-minecraft-education.png differ diff --git a/education/windows/images/suspcs/2023-02-16_13-02-37.png b/education/windows/images/suspcs/2023-02-16_13-02-37.png new file mode 100644 index 0000000000..dc396099bf Binary files /dev/null and b/education/windows/images/suspcs/2023-02-16_13-02-37.png differ diff --git a/education/windows/includes/intune-custom-settings-1.md b/education/windows/includes/intune-custom-settings-1.md index a8d82dfea6..c5eee0e2a8 100644 --- a/education/windows/includes/intune-custom-settings-1.md +++ b/education/windows/includes/intune-custom-settings-1.md 
@@ -1,13 +1,13 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 11/08/2022 +ms.date: 02/22/2022 ms.topic: include --- To configure devices with Microsoft Intune, use a custom policy: -1. Go to the Microsoft Endpoint Manager admin center +1. Go to the Microsoft Intune admin center 2. Select **Devices > Configuration profiles > Create profile** 3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom** 4. Select **Create** diff --git a/education/windows/index.yml b/education/windows/index.yml index a84e4b3961..49ca3b7f40 100644 --- a/education/windows/index.yml +++ b/education/windows/index.yml @@ -12,6 +12,7 @@ metadata: ms.collection: - education - highpri + - tier1 author: paolomatarazzo ms.author: paoloma ms.date: 08/10/2022 @@ -100,5 +101,5 @@ landingContent: url: edu-take-a-test-kiosk-mode.md - text: Configure Shared PC url: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context - - text: "Deploy Minecraft: Education Edition" + - text: Get and deploy Minecraft Education url: get-minecraft-for-education.md \ No newline at end of file diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md deleted file mode 100644 index fca31b0f6b..0000000000 --- a/education/windows/school-get-minecraft.md +++ /dev/null 
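Review bot: In `includes/intune-custom-settings-1.md` the front matter moves `ms.date` backwards, from `11/08/2022` to `02/22/2022`, while the other file dated in this commit uses `02/23/2023`; the intended line is presumably `ms.date: 02/22/2023`. A date earlier than the previous one makes the shared include look stale even though the admin-center name in its steps was just updated, and it is reused by every page that embeds the include.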
@@ -1,99 +0,0 @@ ---- -title: For IT administrators get Minecraft Education Edition -description: Learn how IT admins can get and distribute Minecraft in their schools. -ms.topic: how-to -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 -ms.collection: - - highpri - - education ---- - -# For IT administrators - get Minecraft: Education Edition - -When you sign up for a [Minecraft: Education Edition](https://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](https://education.minecraft.net) subscription, Minecraft: Education Edition will be added to the inventory in your Microsoft Admin Center which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Admin Center is only displayed to members of your organization with administrative roles. - ->[!Note] ->If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you purchase Minecraft: Education Edition. For more information, see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans). - -## Settings for Microsoft 365 A3 or Microsoft 365 A5 customers - -Schools that purchased Microsoft 365 A3 or Microsoft 365 A5 have an extra option for making Minecraft: Education Edition available to their students: - -If your school has these products in your tenant, admins can choose to enable Minecraft: Education Edition for students using Microsoft 365 A3 or Microsoft 365 A5. From the left-hand menu in Microsoft Admin Center, select Users. From the Users list, select the users you want to add or remove for Minecraft: Education Edition access. Add the relevant A3 or A5 license if it hasn't been assigned already. - -> [!Note] -> If you add a faculty license, the user will be assigned an instructor role in the application and will have elevated permissions. 
- -After selecting the appropriate product license, ensure Minecraft: Education Edition is toggled on or off, depending on if you want to add or remove Minecraft: Education Edition from the user (it will be on by default). - -If you turn off this setting after students have been using Minecraft: Education Edition, they will have up to 30 more days to use Minecraft: Education Edition before they don't have access. - -## How to get Minecraft: Education Edition - -Users in a Microsoft verified academic institution account will have access to the free trial limited logins for Minecraft: Education Edition. This grants faculty accounts 25 free logins and student accounts 10 free logins. To purchase direct licenses, see [Minecraft: Education Edition - direct purchase](#individual-copies). - -If you’ve been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license). - -### Minecraft: Education Edition - direct purchase - -1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **How to Buy** in the top navigation bar. - -2. Scroll down and select **Buy Now** under Direct Purchase. - -3. This will route you to the purchase page in the Microsoft Admin center. You will need to log in to your Administrator account. - -4. If necessary, fill in any requested organization or payment information. - -5. Select the quantity of licenses you would like to purchase and select **Place Order**. - -6. After you’ve purchased licenses, you’ll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users). - -If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses). 
- -### Minecraft: Education Edition - volume licensing - -Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this: - -- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Microsoft Store for Education](https://www.microsoft.com/business-store) inventory. -- You’ll receive an email with a link to Microsoft Store for Education. -- Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft) - -## Minecraft: Education Edition payment options - -You can pay for Minecraft: Education Edition with a debit or credit card, or with an invoice. - -### Debit or credit cards - -During the purchase, click **Add a new payment method**. Provide the info needed for your debit or credit card. - -### Invoices - -Invoices are now a supported payment method for Minecraft: Education Edition. There are a few requirements: - -- Admins only (not supported for Teachers) -- $500 invoice minimum for your initial purchase -- $15,000 invoice maximum (for all invoices within your organization) - -**To pay with an invoice** - -1. During the purchase, click **Add a new payment method.** - -2. Select the Invoice option, and provide the info needed for an invoice. The **PO number** item allows you to add a tracking number or info that is meaningful to your organization. 
- - ![Invoice Details page showing items that need to be completed for an invoice. PO number is highlighted.](images/minecraft/mcee-invoice-info.png) - -For more info on invoices and how to pay by invoice, see [How to pay for your subscription](/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?). - -## Distribute Minecraft - -After Minecraft: Education Edition is added to your Microsoft Admin Center inventory, you can [assign these licenses to your users](/microsoft-365/admin/manage/assign-licenses-to-users) or [download the app](https://aka.ms/downloadmee). - -## Learn more - -[About Intune Admin roles in the Microsoft 365 admin center](/microsoft-365/business-premium/m365bp-intune-admin-roles-in-the-mac) - -## Related topics - -[Get Minecraft: Education Edition](get-minecraft-for-education.md) diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md deleted file mode 100644 index df19ac8729..0000000000 --- a/education/windows/teacher-get-minecraft.md +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -title: For teachers get Minecraft Education Edition -description: Learn how teachers can obtain and distribute Minecraft. -ms.topic: how-to -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 and later -ms.collection: - - highpri - - education ---- - -# For teachers - get Minecraft: Education Edition - -The following article describes how teachers can get and distribute Minecraft: Education Edition at their school. Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the [Microsoft Admin Center by IT Admins](/education/windows/school-get-minecraft), via volume licensing agreements and through partner resellers. - - -## Try Minecraft: Education Edition for Free - -Minecraft: Education Edition is available for anyone to try for free! The free trial is fully functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing. - -To learn more and get started, [download the Minecraft: Education Edition app here.](https://aka.ms/download) - -## Purchase Minecraft: Education Edition for Teachers and Students - -As a teacher, you will need to have your IT Admin purchase licenses for you and your students directly through the Microsoft Admin Center, or you may already have access to licenses at your school (through a volume license agreement) if you have an Office 365 subscription. - -M:EE is included in many volume license agreements, however, only the administrators at your school will be able to assign and manage those licenses. If you have an Office 365 account, check with your school administration or IT administrator prior to purchasing M:EE directly. - - -#### Troubleshoot - -If you're having trouble installing the app, you can get more help on our [Support page](https://aka.ms/minecraftedusupport). 
- -## Related topics - -[Get Minecraft: Education Edition](get-minecraft-for-education.md) -[For IT admins: get Minecraft: Education Edition](school-get-minecraft.md) - - diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index 06e17f21da..eaeda25979 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md @@ -8,6 +8,7 @@ appliesto: ms.collection: - highpri - education + - tier2 --- # Test Windows 10 in S mode on existing Windows 10 education devices diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md index f70081a995..5b63ea0b0b 100644 --- a/education/windows/tutorial-school-deployment/configure-device-settings.md +++ b/education/windows/tutorial-school-deployment/configure-device-settings.md @@ -70,7 +70,7 @@ To create a Windows Update policy: For more information, see [Updates and upgrade][INT-6]. > [!NOTE] -> If you require a more complex Windows Update policy, you can create it in Microsoft Endpoint Manager. For more information: +> If you require a more complex Windows Update policy, you can create it in Microsoft Intune. For more information: > - [What is Windows Update for Business?][WIN-1] > - [Manage Windows software updates in Intune][MEM-1] @@ -92,7 +92,7 @@ To create a security policy: For more information, see [Security][INT-4]. > [!NOTE] -> If you require more sophisticated security policies, you can create them in Microsoft Endpoint Manager. For more information: +> If you require more sophisticated security policies, you can create them in Microsoft Intune. For more information: > - [Antivirus][MEM-2] > - [Disk encryption][MEM-3] > - [Firewall][MEM-4] diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md index 01394b420a..32ff8c37ed 100644 
--- a/education/windows/tutorial-school-deployment/enroll-autopilot.md +++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md @@ -54,7 +54,7 @@ Here are the steps for creating a dynamic group for the devices that have an ass 1. Select **Create group** :::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="true"::: -More advanced dynamic membership rules can be created from Microsoft Endpoint Manager admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3]. +More advanced dynamic membership rules can be created from Microsoft Intune admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3]. > [!TIP] > You can use these dynamic groups not only to assign Autopilot profiles, but also to target applications and settings. @@ -76,7 +76,7 @@ To create an Autopilot deployment profile: 1. Ensure that **User account type** is configured as **Standard** 1. Select **Save** -While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Endpoint Manager admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4]. +While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Intune admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4]. ### Configure an Enrollment Status Page 
@@ -87,7 +87,7 @@ An Enrollment Status Page (ESP) is a greeting page displayed to users while enro > [!NOTE] > Some Windows Autopilot deployment profiles **require** the ESP to be configured. -To deploy the ESP to devices, you need to create an ESP profile in Microsoft Endpoint Manager. +To deploy the ESP to devices, you need to create an ESP profile in Microsoft Intune. > [!TIP] > While testing the deployment process, you can configure the ESP to: diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md index 98574366e1..a23afe72b0 100644 --- a/education/windows/tutorial-school-deployment/index.md +++ b/education/windows/tutorial-school-deployment/index.md @@ -29,8 +29,8 @@ This content provides a comprehensive path for schools to deploy and manage new Historically, school IT administrators and educators have struggled to find an easy-to-use, flexible, and secure way to manage the lifecycle of the devices in their schools. In response, Microsoft has developed integrated suites of products for streamlined, cost-effective device lifecycle management. -Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Endpoint Manager (MEM). With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices. -Microsoft Endpoint Manager services include: +Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Intune services. With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices. +Microsoft Intune services include: - [Microsoft Intune][MEM-1] - [Microsoft Intune for Education][INT-1] 
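Review bot: In `tutorial-school-deployment/index.md` the rewritten line `Microsoft Intune services include:` is immediately followed by the bullet `- [Microsoft Intune][MEM-1]`, so the product is now listed as one of its own services; the old text avoided this because the parent was Endpoint Manager. A wording such as `Microsoft Intune includes the following services and portals:` would read cleanly without changing the bullets. The enroll-autopilot.md hunks on the same lines are plain renames and need no change.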
diff --git a/education/windows/tutorial-school-deployment/manage-surface-devices.md b/education/windows/tutorial-school-deployment/manage-surface-devices.md index e374fd8f7d..94efd0d46b 100644 --- a/education/windows/tutorial-school-deployment/manage-surface-devices.md +++ b/education/windows/tutorial-school-deployment/manage-surface-devices.md 
@@ -17,25 +17,25 @@ Surface devices use a Unified Extensible Firmware Interface (UEFI) setting that DFCI supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI on Surface devices][SURF-1] and [Manage DFCI with Windows Autopilot][MEM-1], which includes a list of requirements to use DFCI. -:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Endpoint Manager" lightbox="./images/dfci-profile-expanded.png" border="true"::: +:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Intune" lightbox="./images/dfci-profile-expanded.png" border="true"::: ## Microsoft Surface Management Portal -Located in the Microsoft Endpoint Manager admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more. +Located in the Microsoft Intune admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more. When Surface devices are enrolled in cloud management and users sign in for the first time, information automatically flows into the Surface Management Portal, giving you a single pane of glass for Surface-specific administration activities. To access and use the Surface Management Portal: -1. Sign in to Microsoft Endpoint Manager admin center -1. 
Select **All services** > **Surface Management Portal** - :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Endpoint Manager" lightbox="./images/surface-management-portal-expanded.png" border="true"::: -1. To obtain insights for all your Surface devices, select **Monitor** +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Select **All services** > **Surface Management Portal** + :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Intune" lightbox="./images/surface-management-portal-expanded.png" border="true"::: +3. To obtain insights for all your Surface devices, select **Monitor** - Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here -1. To obtain details on each insights category, select **View report** +4. To obtain details on each insights category, select **View report** - This dashboard displays diagnostic information that you can customize and export -1. To obtain the device's warranty information, select **Device warranty and coverage** -1. To review a list of support requests and their status, select **Support requests** +5. To obtain the device's warranty information, select **Device warranty and coverage** +6. To review a list of support requests and their status, select **Support requests** diff --git a/education/windows/tutorial-school-deployment/set-up-azure-ad.md b/education/windows/tutorial-school-deployment/set-up-azure-ad.md index d27616f71e..899b8298dd 100644 --- a/education/windows/tutorial-school-deployment/set-up-azure-ad.md +++ b/education/windows/tutorial-school-deployment/set-up-azure-ad.md 
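Review bot: The rewritten *To access and use the Surface Management Portal* list switches to explicit `2.`–`6.` numbering and adds a trailing period to step 1 only, while the other procedures in this commit (for example the Intune steps in get-minecraft-for-education.md) keep `1.` on every item and no terminal punctuation; keeping `1.` throughout, e.g. `1. Select **All services** > **Surface Management Portal**`, matches the surrounding docs. The new sign-in step also embeds the `go.microsoft.com/fwlink` URL inline, whereas the file otherwise uses reference-style links like `[MEM-1]`; adding a reference-style definition to the file's link list would be consistent.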
@@ -30,7 +30,7 @@ For more information, see [Create your Office 365 tenant account][M365-1] The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the Microsoft Entra admin center, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant). -From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Endpoint Manager, Intune for Education, and others: +From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Intune, Intune for Education, and others: :::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true"::: diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md index f4d3b44e2e..8d1b84254e 100644 --- a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md +++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md 
@@ -7,9 +7,9 @@ ms.topic: tutorial # Set up Microsoft Intune -Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Endpoint Manager provides a collection of services that simplifies the management of devices at scale. +Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Intune is a collection of services that simplifies the management of devices at scale. -Microsoft Intune is one of the services provided by Microsoft Endpoint Manager. The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments. +The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments. :::image type="content" source="./images/intune-education-portal.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-education-portal.png" border="true"::: 
@@ -44,13 +44,13 @@ With enrollment restrictions, you can prevent certain types of devices from bein To block personally owned Windows devices from enrolling: -1. Sign in to the Microsoft Endpoint Manager admin center +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** > **Enroll devices** > **Enrollment device platform restrictions** 1. Select the **Windows restrictions** tab 1. Select **Create restriction** 1. On the **Basics** page, provide a name for the restriction and, optionally, a description > **Next** 1. On the **Platform settings** page, in the **Personally owned devices** field, select **Block** > **Next** - :::image type="content" source="./images/enrollment-restrictions.png" alt-text="Device enrollment restriction page in Microsoft Endpoint Manager admin center" lightbox="./images/enrollment-restrictions.png" border="true"::: + :::image type="content" source="./images/enrollment-restrictions.png" alt-text="This screenshot is of the device enrollment restriction page in Microsoft Intune admin center." lightbox="./images/enrollment-restrictions.png"::: 1. Optionally, on the **Scope tags** page, add scope tags > **Next** 1. On the **Assignments** page, select **Add groups**, and then use the search box to find and choose groups to which you want to apply the restriction > **Next** 1. On the **Review + create** page, select **Create** to save the restriction 
@@ -63,13 +63,13 @@ Windows Hello for Business is a biometric authentication feature that allows use It's suggested to disable Windows Hello for Business on Windows devices at the tenant level, and enabling it only for devices that need it, for example for teachers and staff devices. To disable Windows Hello for Business at the tenant level: -1. Sign in to the Microsoft Endpoint Manager admin center +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** > **Windows** > **Windows Enrollment** 1. Select **Windows Hello for Business** 1. Ensure that **Configure Windows Hello for Business** is set to **disabled** 1. Select **Save** -:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="./images/whfb-disable.png"::: +:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="./images/whfb-disable.png"::: For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4]. diff --git a/education/windows/tutorial-school-deployment/troubleshoot-overview.md b/education/windows/tutorial-school-deployment/troubleshoot-overview.md index dd9817a5b9..a58a7f2d9a 100644 --- a/education/windows/tutorial-school-deployment/troubleshoot-overview.md +++ b/education/windows/tutorial-school-deployment/troubleshoot-overview.md 
@@ -1,6 +1,6 @@ --- title: Troubleshoot Windows devices -description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other Endpoint Manager services. +description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services. ms.date: 08/31/2022 ms.topic: tutorial appliesto: @@ -9,7 +9,7 @@ appliesto: # Troubleshoot Windows devices -Microsoft Endpoint Manager provides many tools that can help you troubleshoot Windows devices. +Microsoft Intune provides many tools that can help you troubleshoot Windows devices. Here's a collection of resources to help you troubleshoot Windows devices managed by Intune: - [Troubleshooting device enrollment in Intune][MEM-2] 
@@ -27,11 +27,12 @@ Here's a collection of resources to help you troubleshoot Windows devices manage Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop. -Follow these steps to obtain support in Microsoft Endpoint Manager: +Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices. +: -- Sign in to the Microsoft Endpoint Manager admin center +- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - Select **Troubleshooting + support** > **Help and support** - :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Endpoint Manager." lightbox="images/advanced-support.png"::: + :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Intune." lightbox="images/advanced-support.png"::: - Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365 - Above **How can we help?**, select one of three icons to open different panes: *Find solutions*, *Contact support*, or *Service requests* - In the **Find solutions** pane, use the text box to specify a few details about your issue. The console may offer suggestions based on what you've entered. Depending on the presence of specific keywords, the console provides help like: 
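Review bot: The added line `Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices.` followed by a stray `:` line is a botched rename; the product name was replaced with the sentence used earlier in the same file, and the resulting text is ungrammatical in the rendered page. The intended replacement is the single line `Follow these steps to obtain support in Microsoft Intune:` with the lone `:` line removed. The other renames in this hunk (the admin-center link and the alt text) look correct.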
@@ -43,7 +44,7 @@ Follow these steps to obtain support in Microsoft Endpoint Manager: > When opening a case, be sure to include as many details as possible in the *Description* field. Such information includes: timestamp and date, device ID, device model, serial number, OS version, and any other details relevant to the issue. - To review your case history, select the **Service requests** pane. Active cases are at the top of the list, with closed issues also available for review -For more information, see [Microsoft Endpoint Manager support page][MEM-1] +For more information, see [Microsoft Intune support page][MEM-1] [MEM-1]: /mem/get-support diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 05dbf61f4b..301a6d1da2 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -13,7 +13,7 @@ IT administrators and technical teachers can use the **Set up School PCs** app t Set up School PCs also: * Joins each student PC to your organization's Office 365 and Azure Active Directory tenant. * Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state. -* Utilizes Windows Update and maintenance hours to keeps student PCs up-to-date, without interfering with class time. +* Utilizes Windows Update and maintenance hours to keep student PCs up-to-date, without interfering with class time. * Locks down the student PC to prevent activity that isn't beneficial to their education. This article describes how to fill out your school's information in the Set up School PCs app. To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). 
@@ -23,8 +23,6 @@ Before you begin, make sure that you, your computer, and your school's network a * Office 365 and Azure Active Directory * [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40) -* Permission to buy apps in Microsoft Store for Education -* Set up School PCs app has permission to access the Microsoft Store for Education * A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office * Student PCs must either: * Be within range of the Wi-Fi network that you configured in the app. 
@@ -170,9 +168,9 @@ The following table describes each setting and lists the applicable Windows 10 v |---------|---------|---------|---------|---------|---------|---------| |Remove apps pre-installed by the device manufacturer |X|X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.| |Allow local storage (not recommended for shared devices) |X|X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be shared between different students.| -|Optimize device for a single student, instead of a shared cart or lab |X|X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. | +|Optimize device for a single student, instead of a shared cart or lab |X|X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. | |Let guests sign in to these PCs |X|X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. 
Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.| -|Enable Autopilot Reset |Not available|X|X|X|Lets you remotely reset a student’s PC from the lock screen, apply the device’s original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.| +|Enable Autopilot Reset |Not available|X|X|X|Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.| |Lock screen background|X|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.| After you've made your selections, click **Next**. diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 8a63a27c99..1508376333 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -8,6 +8,7 @@ appliesto: ms.collection: - highpri - education + - tier1 --- # Windows 11 SE Overview @@ -93,6 +94,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Class Policy` | 114.0.0 | Win32 | `Class Policy` | | `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` | | `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` | +| `ColorVeil` | 4.0.0.175 | Win32 | `East-Tec` | +| `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` | | `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` | | `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` | | `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` | 
@@ -104,7 +107,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` | | `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` | | `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` | -| `Google Chrome` | 102.0.5005.115 | Win32 | `Google` | +| `Google Chrome` | 110.0.5481.178 | Win32 | `Google` | +| `GuideConnect` | 1.23 | Win32 | `Dolphin Computer Access` | | `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` | | `Immunet` | 7.5.8.21178 | Win32 | `Immunet` | | `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` | @@ -137,10 +141,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` | | `Safe Exam Browser` | 3.4.1.505 | Win32 | `Safe Exam Browser` | | `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` | -| `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` | +| `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` | | `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` | | `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` | -|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` +|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` | | `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` | | `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` | | `WordQ` | 5.4.23 | Win32 | `Mathetmots` | diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md index 774fca45dd..b338b51a2f 100644 --- a/education/windows/windows-11-se-settings-list.md +++ b/education/windows/windows-11-se-settings-list.md @@ -5,6 +5,9 @@ ms.topic: article ms.date: 09/12/2022 appliesto: - ✅ Windows 11 SE +ms.collection: + - education + - tier1 --- # Windows 11 SE for Education settings list 
@@ -50,7 +53,7 @@ The following settings can't be changed. | Allowed Account Types | Microsoft accounts and Azure AD accounts are allowed. | | Virtual Desktops | Virtual Desktops are blocked. | | Microsoft Store | The Microsoft Store is blocked. | -| Administrative tools | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Endpoint Manager can run. | +| Administrative tools | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Intune can run. | | Apps | Only certain apps are allowed to run on Windows 11 SE. For more info on what apps can run on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). | ## Next steps diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md index d6bbee15ca..e4d5e9ef2e 100644 --- a/store-for-business/acquire-apps-microsoft-store-for-business.md +++ b/store-for-business/acquire-apps-microsoft-store-for-business.md 
@@ -16,7 +16,7 @@ ms.date: 07/21/2021 # Acquire apps in Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md index 4ea7713429..d2cf5a3906 100644 --- a/store-for-business/add-profile-to-devices.md +++ b/store-for-business/add-profile-to-devices.md 
@@ -19,7 +19,7 @@ ms.localizationpriority: medium - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Windows Autopilot simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot). diff --git a/store-for-business/app-inventory-management-microsoft-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md index 3555366945..926aa750f9 100644 --- a/store-for-business/app-inventory-management-microsoft-store-for-business.md +++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md 
@@ -20,7 +20,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). You can manage all apps that you've acquired on your **Apps & software** page. This page shows all of the content you've acquired, including apps that from Microsoft Store, and line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Apps & software** page. On the **New LOB apps** tab, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). 
The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role. diff --git a/store-for-business/apps-in-microsoft-store-for-business.md b/store-for-business/apps-in-microsoft-store-for-business.md index f59d3fa018..661d98861a 100644 --- a/store-for-business/apps-in-microsoft-store-for-business.md +++ b/store-for-business/apps-in-microsoft-store-for-business.md @@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Education has thousands of apps from many different categories. 
diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md index 7225de9903..c296c8f37d 100644 --- a/store-for-business/assign-apps-to-employees.md +++ b/store-for-business/assign-apps-to-employees.md @@ -22,7 +22,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Admins, Purchasers, and Basic Purchasers can assign online-licensed apps to employees or students in their organization. diff --git a/store-for-business/billing-payments-overview.md b/store-for-business/billing-payments-overview.md index a258d9af7e..5205cbadba 100644 --- a/store-for-business/billing-payments-overview.md +++ b/store-for-business/billing-payments-overview.md 
@@ -17,7 +17,7 @@ manager: dansimp # Billing and payments > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Access invoices and managed your payment methods. diff --git a/store-for-business/billing-profile.md b/store-for-business/billing-profile.md index 77f5fa0713..82581997ea 100644 --- a/store-for-business/billing-profile.md +++ b/store-for-business/billing-profile.md 
@@ -17,7 +17,7 @@ manager: dansimp # Understand billing profiles > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). For commercial customers purchasing software or hardware products from Microsoft using a Microsoft customer agreement, billing profiles let you customize what products are included on your invoice, and how you pay your invoices. diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md index d3b06dbe77..e500732cc9 100644 --- a/store-for-business/billing-understand-your-invoice-msfb.md +++ b/store-for-business/billing-understand-your-invoice-msfb.md 
@@ -16,7 +16,7 @@ manager: dansimp
 # Understand your Microsoft Customer Agreement invoice
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 The invoice provides a summary of your charges and provides instructions for payment. It's available for download in the Portable Document Format (.pdf) for commercial customers from Microsoft Store for Business [Microsoft Store for Business - Invoice](https://businessstore.microsoft.com/manage/payments-billing/invoices) or can be sent via email. This article applies to invoices generated for a Microsoft Customer Agreement billing account. Check if you have a [Microsoft Customer Agreement](https://businessstore.microsoft.com/manage/organization/agreements).
diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
index 70adfcef94..190b9be3e6 100644
--- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.
@@ -45,6 +45,6 @@ After your management tool is added to your Azure AD directory, you can configur
 Your MDM tool is ready to use with Microsoft Store. To learn how to configure synchronization and deploy apps, see these topics:
 - [Manage apps you purchased from Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business)
-- [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+- [Manage apps from Microsoft Store for Business with Microsoft Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
 For third-party MDM providers or management servers, check your product documentation.
\ No newline at end of file
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index 2cc25547e0..b443e48e71 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
diff --git a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
index 39518d2c87..7f88c7212e 100644
--- a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
+++ b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Distribute apps to your employees from Microsoft Store for Business and Microsoft Store for Education. You can assign apps to employees, or let employees install them from your private store.
diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md
index 8bde8ed28d..90e4939804 100644
--- a/store-for-business/distribute-apps-with-management-tool.md
+++ b/store-for-business/distribute-apps-with-management-tool.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content.
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index b1b43828f9..765f0b39ce 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 > Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education.
This model allows organizations to deploy apps when users or devices do not have connectivity to the Store.
@@ -45,7 +45,7 @@ You can't distribute offline-licensed apps directly from Microsoft Store. Once y
 - **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](/windows/configuration/provisioning-packages/provisioning-packages).
 - **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics:
- - [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+ - [Manage apps from Microsoft Store for Business with Microsoft Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
 - [Manage apps from Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business)
    For third-party MDM providers or management servers, check your product documentation.
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index 9388758a6c..4be7b72365 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -32,6 +32,9 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "ms.collection": [
+ "tier2"
+ ],
 "breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
 "ms.author": "trudyha",
 "audience": "ITPro",
diff --git a/store-for-business/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md
index 0a239cee50..ad4b5f621a 100644
--- a/store-for-business/find-and-acquire-apps-overview.md
+++ b/store-for-business/find-and-acquire-apps-overview.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.
diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md
index 5555b333e4..99a065dd84 100644
--- a/store-for-business/includes/store-for-business-content-updates.md
+++ b/store-for-business/includes/store-for-business-content-updates.md
@@ -1,3 +1,6 @@
+---
+ms.date: 10/31/2020
+---
diff --git a/store-for-business/index.md b/store-for-business/index.md
index 82901c7ebe..369336371c 100644
--- a/store-for-business/index.md
+++ b/store-for-business/index.md
@@ -20,7 +20,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Welcome to the Microsoft Store for Business and Education! You can use Microsoft Store to find, acquire, distribute, and manage apps for your organization or school.
diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md
index 84c39959bb..2b8c3e26f4 100644
--- a/store-for-business/manage-access-to-private-store.md
+++ b/store-for-business/manage-access-to-private-store.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education.
diff --git a/store-for-business/manage-apps-microsoft-store-for-business-overview.md b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
index 855e3839ed..706e1bc726 100644
--- a/store-for-business/manage-apps-microsoft-store-for-business-overview.md
+++ b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Manage products and services in Microsoft Store for Business and Microsoft Store for Education. This includes apps, software, products, devices, and services available under **Products & services**.
diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md
index 4b6f8bd99e..dfc9b3d00d 100644
--- a/store-for-business/manage-orders-microsoft-store-for-business.md
+++ b/store-for-business/manage-orders-microsoft-store-for-business.md
@@ -16,7 +16,7 @@ manager: dansimp
 # Manage app orders in Microsoft Store for Business and Education
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 After you've acquired apps, you can review order information and invoices on **Order history**. On this page, you can view invoices, and request refunds.
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index b7765c7ea3..218f2b5aac 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -21,7 +21,7 @@ ms.localizationpriority: medium
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all people in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
diff --git a/store-for-business/manage-settings-microsoft-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md
index 37505459c3..e3d9147262 100644
--- a/store-for-business/manage-settings-microsoft-store-for-business.md
+++ b/store-for-business/manage-settings-microsoft-store-for-business.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
diff --git a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
index de70959d59..36ec4938f9 100644
--- a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
+++ b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups.
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index a5149c0b1e..3318a1ca0c 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -19,7 +19,7 @@ manager: dansimp
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459).
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index 6516ad323c..a7009160fa 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md
index 548f8ecce0..264f2228e9 100644
--- a/store-for-business/notifications-microsoft-store-business.md
+++ b/store-for-business/notifications-microsoft-store-business.md 
@@ -23,7 +23,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store.
diff --git a/store-for-business/payment-methods.md b/store-for-business/payment-methods.md
index b0d445d780..b56a2ebe5e 100644
--- a/store-for-business/payment-methods.md
+++ b/store-for-business/payment-methods.md 
@@ -17,7 +17,7 @@ manager: dansimp
 # Payment methods
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 You can purchase products and services from Microsoft Store for Business using your credit card. You can enter your credit card information on **Payment methods**, or when you purchase an app. We currently accept these credit cards:
 - VISA
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
index 59d4c2b19b..0dd6457beb 100644
--- a/store-for-business/prerequisites-microsoft-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md 
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index 5d9ea05e6c..e1fd90b393 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md 
@@ -15,7 +15,7 @@ manager: dansimp
 # Microsoft Store for Business and Education release history
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases.
diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
index 6b9ac86995..1ca0ec4692 100644
--- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md
+++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md 
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md
index 4a44723dd6..f29dace9ef 100644
--- a/store-for-business/settings-reference-microsoft-store-for-business.md
+++ b/store-for-business/settings-reference-microsoft-store-for-business.md 
@@ -17,7 +17,7 @@ ms.date: 07/21/2021
 # Settings reference: Microsoft Store for Business and Education
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 The Microsoft Store for Business and Education has a group of settings that admins use to manage the store.
diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md
index 32cdba4b8f..4c4e855373 100644
--- a/store-for-business/sign-up-microsoft-store-for-business-overview.md
+++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md 
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 IT admins can sign up for Microsoft Store for Business and Education, and get started working with apps.
diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md
index 074a34eb0f..f9154689ca 100644
--- a/store-for-business/troubleshoot-microsoft-store-for-business.md
+++ b/store-for-business/troubleshoot-microsoft-store-for-business.md 
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Troubleshooting topics for Microsoft Store for Business. 
@@ -53,7 +53,7 @@ The private store for your organization is a page in Microsoft Store app that co
 ![Private store for Contoso publishing.](images/wsfb-privatestoreapps.png)
-## Troubleshooting Microsoft Store for Business integration with Microsoft Endpoint Configuration Manager
+## Troubleshooting Microsoft Store for Business integration with Microsoft Configuration Manager
 If you encounter any problems when integrating Microsoft Store for Business with Configuration Manager, use the [troubleshooting guide](/troubleshoot/mem/configmgr/troubleshoot-microsoft-store-for-business-integration).
diff --git a/store-for-business/update-microsoft-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md
index b277705e60..78cd7532b8 100644
--- a/store-for-business/update-microsoft-store-for-business-account-settings.md
+++ b/store-for-business/update-microsoft-store-for-business-account-settings.md 
@@ -17,7 +17,7 @@ manager: dansimp
 # Update Billing account settings
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 A billing account contains defining information about your organization.
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index ee29b9c93f..bc329afe4d 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md 
@@ -15,7 +15,7 @@ manager: dansimp
 # What's new in Microsoft Store for Business and Education
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Microsoft Store for Business and Education regularly releases new and improved features.
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md
index 92b489f6ab..0a71365353 100644
--- a/store-for-business/working-with-line-of-business-apps.md
+++ b/store-for-business/working-with-line-of-business-apps.md 
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Your company or school can make line-of-business (LOB) applications available through Microsoft Store for Business or Microsoft Store for Education. These apps are custom to your school or organization – they might be internal apps, or apps specific to your school, business, or industry.
diff --git a/template.md b/template.md
index 6049d2ff6d..c9529e25a3 100644
--- a/template.md
+++ b/template.md 
@@ -290,4 +290,4 @@ Always include alt text for accessibility, and always end it with a period.
 ## docs.ms extensions
 > [!div class="nextstepaction"]
-> [Microsoft Endpoint Configuration Manager documentation](https://learn.microsoft.com/mem/configmgr)
+> [Microsoft Configuration Manager documentation](https://learn.microsoft.com/mem/configmgr)
diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md
index 96f2e3ec05..2ae9fdd4fd 100644
--- a/windows/application-management/add-apps-and-features.md
+++ b/windows/application-management/add-apps-and-features.md
@@ -1,15 +1,16 @@
 ---
 title: Add or hide optional apps and features on Windows devices | Microsoft Docs
 description: Learn how to add Windows 10 and Windows 11 optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features.
-ms.prod: windows-client
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
-ms.localizationpriority: medium
 ms.date: 08/30/2021
-ms.reviewer:
 ms.topic: article
+ms.prod: windows-client
 ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier2
+ms.reviewer:
 ---
 # Add or hide features on the Windows client OS
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 506b43cbea..523ee3c2d8 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md 
@@ -1,15 +1,16 @@
 ---
 title: Learn about the different app types in Windows 10/11 | Microsoft Docs
 description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps.
-ms.prod: windows-client
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
-ms.date: 12/07/2017
-ms.reviewer:
-ms.localizationpriority: medium
+ms.date: 02/09/2023
 ms.topic: article
+ms.prod: windows-client
 ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier2
+ms.reviewer:
 ---
 # Overview of apps on Windows client devices
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index 4cd7b0588c..1c1b014b8d 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -35,6 +35,9 @@
 "globalMetadata": {
 "recommendations": true,
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
+ "ms.collection": [
+ "tier2"
+ ],
 "uhfHeaderId": "MSDocsHeader-M365-IT",
 "ms.technology": "itpro-apps",
 "ms.topic": "article",
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index f55199f3a5..19c8ec6649 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -1,14 +1,16 @@
 ---
 title: Remove background task resource restrictions
 description: Allow enterprise background tasks unrestricted access to computer resources.
-ms.prod: windows-client
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 ms.date: 10/03/2017
-ms.reviewer:
 ms.topic: article
+ms.prod: windows-client
 ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier2
+ms.reviewer:
 ---
 # Remove background task resource restrictions 
diff --git a/windows/application-management/includes/app-v-end-life-statement.md b/windows/application-management/includes/app-v-end-life-statement.md
index 87c9ec2b04..14de444ad4 100644
--- a/windows/application-management/includes/app-v-end-life-statement.md
+++ b/windows/application-management/includes/app-v-end-life-statement.md
@@ -3,9 +3,10 @@ author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 ms.date: 09/20/2021
-ms.reviewer:
-ms.prod: w10
 ms.topic: include
+ms.prod: w10
+ms.collection: tier1
+ms.reviewer:
 ---
 Application Virtualization will be [end of life in April 2026](/lifecycle/announcements/mdop-extended). We recommend looking at Azure Virtual Desktop with MSIX app attach. For more information, see [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) and [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal).
diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md
index b26f9904a6..13ec789f1d 100644
--- a/windows/application-management/includes/applies-to-windows-client-versions.md
+++ b/windows/application-management/includes/applies-to-windows-client-versions.md
@@ -3,9 +3,12 @@ author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 ms.date: 09/28/2021
-ms.reviewer:
-ms.prod: w10
 ms.topic: include
+ms.prod: windows-client
+ms.technology: itpro-apps
+ms.localizationpriortiy: medium
+ms.collection: tier1
+ms.reviewer:
 ---
 **Applies to**:
diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml
index 73c14c4195..da969d420b 100644
--- a/windows/application-management/index.yml
+++ b/windows/application-management/index.yml 
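Review bot: The metadata key added to applies-to-windows-client-versions.md is misspelled: `+ms.localizationpriortiy: medium` should be `+ms.localizationpriority: medium`, the spelling every other front-matter hunk in this commit uses. As written the key does not match the documented field, so the build will presumably ignore it and the include keeps no localization priority at all, which defeats the purpose of adding it. A quick `grep -rn "localizationpriortiy"` over the repo before merging would catch any other copies. Separately, the sibling include app-v-end-life-statement.md in the same line keeps `ms.prod: w10` and gets no `ms.technology`, while the other files in this commit move to `ms.prod: windows-client` plus `ms.technology: itpro-apps`; if that is intentional (the file is an App-V-specific include), a one-line comment saying so would stop the next reviewer from flagging it as an oversight.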
@@ -6,14 +6,15 @@ summary: Learn about managing applications in Windows client, including how to r
 metadata:
 title: Windows application management
 description: Learn about managing applications in Windows 10 and Windows 11.
- ms.topic: landing-page
- ms.prod: windows-client
- ms.collection:
- - highpri
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 ms.date: 08/24/2021
+ ms.topic: landing-page
+ ms.prod: windows-client
+ ms.collection:
+ - tier1
+ - highpri
 landingContent:
 # Cards and links should be based on top customer tasks or top subjects
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 56381683e9..d094fba726 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -1,18 +1,24 @@
 ---
 title: Per-user services in Windows 10 and Windows Server
 description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates.
-ms.prod: windows-client
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 ms.date: 09/14/2017
-ms.reviewer:
+ms.topic: article
+ms.prod: windows-client
 ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier2
+ms.reviewer:
 ---
 # Per-user services in Windows 10 and Windows Server
-> Applies to: Windows 10, Windows Server
+**Applies to**:
+
+- Windows 10
+- Windows Server
 Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account - this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks. 
diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
index e9d56cf86b..5b0372ddb2 100644
--- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
@@ -4,11 +4,13 @@ description: Use the Company Portal app in Windows 11 devices to access the priv
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
-ms.reviewer: amanh
-ms.prod: windows-client
 ms.date: 09/15/2021
-ms.localizationpriority: medium
+ms.topic: article
+ms.prod: windows-client
 ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier2
+ms.reviewer: amanh
 ---
 # Private app repository in Windows 11 
@@ -63,7 +65,7 @@ To install the Company Portal app, you have some options:
 - **Use Windows Autopilot**: Windows Autopilot automatically provisions devices, registers them in your Azure AD organization (tenant), and gets them ready for production. If you're purchasing new devices, then we recommend using Windows Autopilot to preconfigure the devices, and get them ready for use.
- - In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you add the Company Portal app from the Microsoft Store. Once it's added, the app can be included in your Windows Autopilot deployment. When the device turns on and is getting ready, the Company Portal app is also installed, before users sign in.
+ - In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you add the Company Portal app from the Microsoft Store. Once it's added, the app can be included in your Windows Autopilot deployment. When the device turns on and is getting ready, the Company Portal app is also installed, before users sign in.
 - When the Company Portal app is installed from the Microsoft Store app, by default, it's automatically updated. Users can also open the Microsoft Store app, go to the **Library**, and check for updates. 
@@ -80,17 +82,17 @@ To install the Company Portal app, you have some options:
 ## Customize the Company Portal app
-Many organizations customize the Company Portal app to include their specific information. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you can customize the Company Portal app. For example, you can add a brand logo, include support information, add self-service device actions, and more.
+Many organizations customize the Company Portal app to include their specific information. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you can customize the Company Portal app. For example, you can add a brand logo, include support information, add self-service device actions, and more.
 For more information, see [Configure the Intune Company Portal app](/mem/intune/apps/company-portal-app).
 ## Add your organization apps to the Company Portal app
-When you add an app in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), there's a **Show this as a featured app in the Company Portal** setting. Be sure you use this setting.
+When you add an app in the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), there's a **Show this as a featured app in the Company Portal** setting. Be sure you use this setting.
 On co-managed devices (Microsoft Intune + Configuration Manager together), your Configuration Manager apps can also be shown in the Company Portal app. For more information, see [Use the Company Portal app on co-managed devices](/mem/configmgr/comanage/company-portal).
-When the apps are shown, users can select and download the apps on their devices. You can add Microsoft Store apps, web apps, Microsoft 365 apps, LOB apps, Win32 apps, and sideload apps. For more information on adding apps to the Endpoint Manager admin center, see:
+When the apps are shown, users can select and download the apps on their devices.
You can add Microsoft Store apps, web apps, Microsoft 365 apps, LOB apps, Win32 apps, and sideload apps. For more information on adding apps to the Intune admin center, see:
 - [Add Microsoft 365 apps using Intune](/mem/intune/apps/apps-add-office365)
 - [Add web apps using Intune](/mem/intune/apps/web-app)
diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md
index fb6660fbcf..80dcf53c89 100644
--- a/windows/application-management/provisioned-apps-windows-client-os.md
+++ b/windows/application-management/provisioned-apps-windows-client-os.md
@@ -1,15 +1,16 @@
 ---
 title: Get the provisioned apps on Windows client operating system | Microsoft Docs
-ms.reviewer:
+description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11.
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
-ms.date: 12/07/2017
-description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11.
-ms.prod: windows-client
-ms.localizationpriority: medium
+ms.date: 01/12/2023
 ms.topic: article
+ms.prod: windows-client
 ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier1
+ms.reviewer:
 ---
 # Provisioned apps installed with the Windows client OS
diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md
index 57b52fce28..195ee09977 100644
--- a/windows/application-management/remove-provisioned-apps-during-update.md
+++ b/windows/application-management/remove-provisioned-apps-during-update.md
@@ -1,17 +1,22 @@
 ---
 title: How to keep apps removed from Windows 10 from returning during an update
 description: How to keep provisioned apps that were removed from your machine from returning during an update.
-ms.prod: windows-client
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 ms.date: 05/25/2018
-ms.reviewer:
+ms.topic: article
+ms.prod: windows-client
 ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier1
+ms.reviewer:
 ---
 # How to keep apps removed from Windows 10 from returning during an update
-> Applies to: Windows 10 (General Availability Channel)
+**Applies to**:
+
+- Windows 10
 When you update a computer running Windows 10, version 1703 or 1709, you might see provisioned apps that you previously removed post-update. This can happen if the computer was offline when you removed the apps. Windows 10, version 1803 has fixed this issue.
diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md
index f4ab632036..30203efdaf 100644
--- a/windows/application-management/sideload-apps-in-windows-10.md
+++ b/windows/application-management/sideload-apps-in-windows-10.md
@@ -1,15 +1,16 @@
 ---
 title: Sideload LOB apps in Windows client OS | Microsoft Docs
 description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10/11. When you sideload an app, you deploy a signed app package to a device.
-ms.reviewer:
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 ms.date: 12/07/2017
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.technology: itpro-apps
 ms.topic: article
+ms.prod: windows-client
+ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier2
+ms.reviewer:
 ---
 # Sideload line of business (LOB) apps in Windows client devices
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
index 692bae2fe3..f5c9589209 100644
--- a/windows/application-management/svchost-service-refactoring.md
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -1,18 +1,23 @@
 ---
 title: Service Host service refactoring in Windows 10 version 1703
 description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703.
-ms.prod: windows-client
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 ms.date: 07/20/2017
-ms.reviewer:
+ms.topic: article
+ms.prod: windows-client
 ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.colletion: tier1
+ms.reviewer:
 ---
 # Changes to Service Host grouping in Windows 10
-> Applies to: Windows 10
+**Applies to**:
+
+- Windows 10
 The **Service Host (svchost.exe)** is a shared-service process that serves as a shell for loading services from DLL files. Services are organized into related host groups, and each group runs inside a different instance of the Service Host process. In this way, a problem in one instance doesn't affect other instances. Service Host groups are determined by combining the services with matching security requirements. For example:
diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md
index 1e692a53a0..efc4c311ec 100644
--- a/windows/application-management/system-apps-windows-client-os.md
+++ b/windows/application-management/system-apps-windows-client-os.md
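Review bot: The added front-matter line `ms.colletion: tier1` misspells the key; every other file touched in this commit adds `ms.collection`, so this page would presumably not pick up the tier1 collection tag and the value would be ignored by the build. Change it to `ms.collection: tier1` so the svchost page is grouped like the rest of the series.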
@@ -1,15 +1,16 @@
 ---
 title: Get the system apps on Windows client operating system | Microsoft Docs
-ms.reviewer:
+description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11.
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
-ms.date: 12/07/2017
-description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11.
-ms.prod: windows-client
-ms.localizationpriority: medium
+ms.date: 2/14/2023
 ms.topic: article
+ms.prod: windows-client
 ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier1
+ms.reviewer:
 ---
 # System apps installed with the Windows client OS
@@ -43,314 +44,314 @@ The following information lists the system apps on some Windows Enterprise OS ve - File Picker | Package name: 1527c705-839a-4832-9118-54d4Bd6a0c89 --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - File Explorer | Package name: c5e2524a-ea46-4f67-841f-6a9465d9d515 --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - App Resolver UX | Package name: E2A4F912-2574-4A75-9BB0-0D023378592B --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Add Suggested Folders To Library | Package name: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - InputApp --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | | | ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | | | ✔️ | --- - Microsoft.AAD.Broker.Plugin | Package name: Microsoft.AAD.Broker.Plugin --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.AccountsControl | Package name: Microsoft.AccountsControl --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.AsyncTextService | Package name: Microsoft.AsyncTextService --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Hello setup UI | Package name: Microsoft.BioEnrollment --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.CredDialogHost --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.ECApp --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.LockApp --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft Edge | Package name: Microsoft.MicrosoftEdge --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.MicrosoftEdgeDevToolsClient --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.PPIProjection --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | | | ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | | | ✔️ | --- - Microsoft.Win32WebViewHost --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.Apprep.ChxApp --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.AssignedAccessLockApp --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.CapturePicker --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.CloudExperienceHost --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.ContentDeliveryManager --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Cortana | Package name: Microsoft.Windows.Cortana --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | | | ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | | | ✔️ | --- - Microsoft.Windows.OOBENetworkCaptivePort --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.OOBENetworkConnectionFlow --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.ParentalControls --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - People Hub | Package name: Microsoft.Windows.PeopleExperienceHost --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.PinningConfirmationDialog --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.SecHealthUI --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.SecureAssessmentBrowser --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Start | Package name: Microsoft.Windows.ShellExperienceHost --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.XboxGameCallableUI --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Windows.CBSPreview --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Settings | Package name: Windows.immersivecontrolpanel --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Print 3D | Package name: Windows.Print3D --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ✔️ | | | ✔️ | + | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ✔️ | ✔️ | | | ✔️ | --- - Print UI | Package name: Windows.PrintDialog --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | ---
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md
index d5697e455b..095188a9ba 100644
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/administrative-tools-in-windows-10.md
@@ -8,7 +8,9 @@ manager: aaroncz
 ms.localizationpriority: medium
 ms.date: 03/28/2022
 ms.topic: article
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.technology: itpro-manage
 ---
diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md
index f2c906993c..5cd9b9cbb6 100644
--- a/windows/client-management/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/azure-active-directory-integration-with-mdm.md
@@ -1,14 +1,16 @@
 ---
 title: Azure Active Directory integration with MDM
 description: Azure Active Directory is the world's largest enterprise cloud identity management service.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.date: 12/31/2017
 ---
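Review bot: The rewritten data rows in the system-apps tables look shifted one cell to the right relative to their header: the header still starts with `Uninstall through UI?` followed by five version columns, but each new row starts with an empty cell and places the old uninstall marker under 22H2 and again under 22H1, so `| | ❌ | ❌ | ✔️ | ✔️| ✔️ |` for File Explorer now reads as "not present on 22H2 or 22H1" (and Print 3D gets ✔️ under both), which is presumably not the intent. Either keep the ❌/✔️ uninstall answer in the first cell and fill the 22H2 and 22H1 cells with the actual availability, or drop the `Uninstall through UI?` column from the header so the columns line up. The same shift appears in every entry of the hunk, from File Picker through Print UI. I am also not aware of a Windows 10/11 release named 22H1; please confirm that column header is correct.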
@@ -46,7 +48,7 @@ Azure AD Join also enables company owned devices to be automatically enrolled in > [!IMPORTANT] > Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license. - + ### BYOD scenario Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If that’s the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. In the BYOD case, users can reject the MDM Terms of Use. The device isn't enrolled in MDM and access to organization resources is typically restricted. @@ -70,7 +72,7 @@ Once a user has an Azure AD account added to Windows and enrolled in MDM, the en > [!NOTE] > Users can't remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. - + ### MDM endpoints involved in Azure AD–integrated enrollment Azure AD MDM enrollment is a two-step process: @@ -187,7 +189,7 @@ The following image show how MDM applications show up in the Azure app gallery. ### Add cloud-based MDM to the app gallery > [!NOTE] -> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application +> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application The following table shows the required information to create an entry in the Azure AD app gallery. 
@@ -200,7 +202,7 @@ The following table shows the required information to create an entry in the Azu |**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215| - + ### Add on-premises MDM to the app gallery There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant. @@ -232,7 +234,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is |--- |--- |--- |--- |--- | |FRX|OOBE|Dark theme + blue background color|Filename: Ui-dark.css|Filename: oobe-dekstop.css| |MOSET|Settings/Post OOBE|Light theme|Filename: Ui-light.css|Filename: settings-desktop.css| - + ## Terms of Use protocol semantics The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue. @@ -332,7 +334,7 @@ The following table shows the error codes. |Azure AD token validation failed|302|unauthorized_client|unauthorized_client| |internal service error|302|server_error|internal service error| - + ## Enrollment protocol with Azure AD With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments. diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index af610cec3c..cc058826be 100644 --- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md 
+++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -11,12 +11,12 @@ ms.reviewer:
 manager: aaroncz
 ---
-# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Endpoint Manager admin center
+# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Intune admin center
 Microsoft Intune can be accessed directly using its own admin center. For more information, go to:
-- [Tutorial: Walkthrough Intune in Microsoft Endpoint Manager admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
-- Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+- [Tutorial: Walkthrough Intune in Microsoft Intune admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
+- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 If you use the Azure portal, then you can access Intune using the following steps:
diff --git a/windows/client-management/change-history-for-mdm-documentation.md b/windows/client-management/change-history-for-mdm-documentation.md
index 80c06690e1..36449cf15b 100644
--- a/windows/client-management/change-history-for-mdm-documentation.md
+++ b/windows/client-management/change-history-for-mdm-documentation.md
@@ -20,14 +20,14 @@ As of November 2020 This page will no longer be updated. This article lists new
 |New or updated article | Description|
 |--- | ---|
-| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policy:
    - [Multitasking/BrowserAltTabBlowout](mdm/policy-csp-multitasking.md#multitasking-browseralttabblowout) |
+| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policy:
    - [Multitasking/BrowserAltTabBlowout](mdm/policy-csp-multitasking.md#browseralttabblowout) |
 | [SurfaceHub CSP](mdm/surfacehub-csp.md) | Added the following new node:
    -Properties/SleepMode |
 ## October 2020
 |New or updated article | Description|
 |--- | ---|
-| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policies
    - [Experience/DisableCloudOptimizedContent](mdm/policy-csp-experience.md#experience-disablecloudoptimizedcontent)
    - [LocalUsersAndGroups/Configure](mdm/policy-csp-localusersandgroups.md#localusersandgroups-configure)
    - [MixedReality/AADGroupMembershipCacheValidityInDays](mdm/policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
    - [MixedReality/BrightnessButtonDisabled](mdm/policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
    - [MixedReality/FallbackDiagnostics](mdm/policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
    - [MixedReality/MicrophoneDisabled](mdm/policy-csp-mixedreality.md#mixedreality-microphonedisabled)
    - [MixedReality/VolumeButtonDisabled](mdm/policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
    - [Update/DisableWUfBSafeguards](mdm/policy-csp-update.md#update-disablewufbsafeguards)
    - [WindowsSandbox/AllowAudioInput](mdm/policy-csp-windowssandbox.md#windowssandbox-allowaudioinput)
    - [WindowsSandbox/AllowClipboardRedirection](mdm/policy-csp-windowssandbox.md#windowssandbox-allowclipboardredirection)
    - [WindowsSandbox/AllowNetworking](mdm/policy-csp-windowssandbox.md#windowssandbox-allownetworking)
    - [WindowsSandbox/AllowPrinterRedirection](mdm/policy-csp-windowssandbox.md#windowssandbox-allowprinterredirection)
    - [WindowsSandbox/AllowVGPU](mdm/policy-csp-windowssandbox.md#windowssandbox-allowvgpu)
    - [WindowsSandbox/AllowVideoInput](mdm/policy-csp-windowssandbox.md#windowssandbox-allowvideoinput) |
+| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policies
    - [Experience/DisableCloudOptimizedContent](mdm/policy-csp-experience.md#disablecloudoptimizedcontent)
    - [LocalUsersAndGroups/Configure](mdm/policy-csp-localusersandgroups.md#configure)
    - [MixedReality/AADGroupMembershipCacheValidityInDays](mdm/policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays)
    - [MixedReality/BrightnessButtonDisabled](mdm/policy-csp-mixedreality.md#brightnessbuttondisabled)
    - [MixedReality/FallbackDiagnostics](mdm/policy-csp-mixedreality.md#fallbackdiagnostics)
    - [MixedReality/MicrophoneDisabled](mdm/policy-csp-mixedreality.md#microphonedisabled)
    - [MixedReality/VolumeButtonDisabled](mdm/policy-csp-mixedreality.md#volumebuttondisabled)
    - [Update/DisableWUfBSafeguards](mdm/policy-csp-update.md#disablewufbsafeguards)
    - [WindowsSandbox/AllowAudioInput](mdm/policy-csp-windowssandbox.md#allowaudioinput)
    - [WindowsSandbox/AllowClipboardRedirection](mdm/policy-csp-windowssandbox.md#allowclipboardredirection)
    - [WindowsSandbox/AllowNetworking](mdm/policy-csp-windowssandbox.md#allownetworking)
    - [WindowsSandbox/AllowPrinterRedirection](mdm/policy-csp-windowssandbox.md#allowprinterredirection)
    - [WindowsSandbox/AllowVGPU](mdm/policy-csp-windowssandbox.md#allowvgpu)
    - [WindowsSandbox/AllowVideoInput](mdm/policy-csp-windowssandbox.md#allowvideoinput) |
 ## September 2020
@@ -185,7 +185,7 @@ As of November 2020 This page will no longer be updated. This article lists new
 |[RemoteWipe CSP](mdm/remotewipe-csp.md)|Added new settings in Windows 10, version 1809.|
 |[TenantLockdown CSP](mdm/tenantlockdown-csp.md)|Added new CSP in Windows 10, version 1809.|
 |[WindowsDefenderApplicationGuard CSP](mdm/windowsdefenderapplicationguard-csp.md)|Added new settings in Windows 10, version 1809.|
-|[Policy DDF file](mdm/policy-ddf-file.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.|
+|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.|
 |[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:
  • Browser/AllowFullScreenMode
  • Browser/AllowPrelaunch
  • Browser/AllowPrinting
  • Browser/AllowSavingHistory
  • Browser/AllowSideloadingOfExtensions
  • Browser/AllowTabPreloading
  • Browser/AllowWebContentOnNewTabPage
  • Browser/ConfigureFavoritesBar
  • Browser/ConfigureHomeButton
  • Browser/ConfigureKioskMode
  • Browser/ConfigureKioskResetAfterIdleTimeout
  • Browser/ConfigureOpenMicrosoftEdgeWith
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
  • Browser/PreventCertErrorOverrides
  • Browser/SetHomeButtonURL
  • Browser/SetNewTabPageURL
  • Browser/UnlockHomeButton
  • Experience/DoNotSyncBrowserSettings
  • Experience/PreventUsersFromTurningOnBrowserSyncing
  • Kerberos/UPNNameHints
  • Privacy/AllowCrossDeviceClipboard
  • Privacy
  • DisablePrivacyExperience
  • Privacy/UploadUserActivities
  • System/AllowDeviceNameInDiagnosticData
  • System/ConfigureMicrosoft365UploadEndpoint
  • System/DisableDeviceDelete
  • System/DisableDiagnosticDataViewer
  • Storage/RemovableDiskDenyWriteAccess
  • Update/UpdateNotificationLevel

    Start/DisableContextMenus - added in Windows 10, version 1803.

    RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.|
 ## July 2018
@@ -217,7 +217,7 @@ As of November 2020 This page will no longer be updated. This article lists new
 |New or updated article|Description|
 |--- |--- |
-|[Policy DDF file](mdm/policy-ddf-file.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.
  • [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
  • [Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)| +|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.
  • [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
    • [Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)|
 ## April 2018
@@ -281,7 +281,7 @@ As of November 2020 This page will no longer be updated. This article lists new
 | New or updated article | Description |
 | --- | --- |
-| [Policy DDF file](mdm/policy-ddf-file.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. |
+| [Policy DDF file](mdm/configuration-service-provider-ddf.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. |
 | [Policy CSP](mdm/policy-configuration-service-provider.md) | Updated the following policies:

    - Defender/ControlledFolderAccessAllowedApplications - string separator is `|`
    - Defender/ControlledFolderAccessProtectedFolders - string separator is `|` | | [eUICCs CSP](mdm/euiccs-csp.md) | Added new CSP in Windows 10, version 1709. | | [AssignedAccess CSP](mdm/assignedaccess-csp.md) | Added SyncML examples for the new Configuration node. | @@ -308,10 +308,10 @@ As of November 2020 This page will no longer be updated. This article lists new |[Mobile device enrollment](mobile-device-enrollment.md)|Added the following statement:

    Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.| |[CM_CellularEntries CSP](mdm/cm-cellularentries-csp.md)|Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.| |[EnterpriseDataProtection CSP](mdm/enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following values:
  • 0 (default) – Off / No protection (decrypts previously protected data).
  • 1 – Silent mode (encrypt and audit only).
  • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
  • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).| -|[AppLocker CSP](mdm/applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allowlist examples](mdm/applocker-csp.md#allow-list-examples).| +|[AppLocker CSP](mdm/applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allowlist examples](mdm/applocker-csp.md#allowlist-examples).| |[DeviceManageability CSP](mdm/devicemanageability-csp.md)|Added the following settings in Windows 10, version 1709:
  • Provider/ProviderID/ConfigInfo
  • Provider/ProviderID/EnrollmentInfo| |[Office CSP](mdm/office-csp.md)|Added the following setting in Windows 10, version 1709:
  • Installation/CurrentStatus| |[BitLocker CSP](mdm/bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.| |[Firewall CSP](mdm/firewall-csp.md)|Updated the CSP and DDF topics. Here are the changes:
  • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
  • Changed some data types from integer to bool.
  • Updated the list of supported operations for some settings.
  • Added default values.| -|[Policy DDF file](mdm/policy-ddf-file.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
  • Browser/AllowMicrosoftCompatibilityList
  • Update/DisableDualScan
  • Update/FillEmptyContentUrls| +|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
  • Browser/AllowMicrosoftCompatibilityList
  • Update/DisableDualScan
  • Update/FillEmptyContentUrls| |[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:
  • Browser/ProvisionFavorites
  • Browser/LockdownFavorites
  • ExploitGuard/ExploitProtectionSettings
  • Games/AllowAdvancedGamingServices
  • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
  • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
  • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
  • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
  • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
  • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
  • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
  • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
  • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
  • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
  • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
  • Privacy/EnableActivityFeed
  • Privacy/PublishUserActivities
  • Update/DisableDualScan
  • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork

    Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.

    Changed the names of the following policies:
  • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
  • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
  • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess

    Added links to the extra [ADMX-backed BitLocker policies](mdm/policy-csp-bitlocker.md).

    There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:
  • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
  • Start/HideAppList| diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md index 04d9be81f2..56b72cdf0a 100644 --- a/windows/client-management/config-lock.md +++ b/windows/client-management/config-lock.md @@ -41,7 +41,7 @@ Config lock isn't enabled by default, or turned on by the OS during boot. Rather The steps to turn on config lock using Microsoft Intune are as follows: 1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune. -1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Configuration Profiles** > **Create a profile**. +1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Configuration Profiles** > **Create a profile**. 1. Select the following and press **Create**: - **Platform**: Windows 10 and later - **Profile type**: Templates diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 18fb8a5311..88a544e7d9 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -6,10 +6,12 @@ author: vinaypamnani-msft ms.localizationpriority: medium ms.author: vinpa ms.date: 01/18/2022 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-manage --- 
@@ -29,23 +31,23 @@ From its release, Windows 10 has supported remote connections to PCs joined to A ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 aren't supported. -- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported. -- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. +- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported. +- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you're using to connect to the remote PC. - On the PC you want to connect to: 1. Open system properties for the remote PC. - + 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. ![Allow remote connections to this computer.](images/allow-rdp.png) 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no other configuration is needed. 
To allow more users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: - + - Adding users manually - + You can specify individual Azure AD accounts for remote connections by running the following PowerShell cmdlet: ```powershell net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" @@ -62,7 +64,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there's a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. - Adding users using policy - + Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). > [!TIP] diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md index 4964a3969d..4c730c626d 100644 --- a/windows/client-management/device-update-management.md +++ b/windows/client-management/device-update-management.md @@ -1,7 +1,7 @@ --- title: Mobile device management MDM for device updates description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article 
@@ -9,7 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 11/15/2017 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Mobile device management (MDM) for device updates diff --git a/windows/client-management/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/diagnose-mdm-failures-in-windows-10.md index 088c0df06a..f9829a3514 100644 --- a/windows/client-management/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/diagnose-mdm-failures-in-windows-10.md @@ -1,7 +1,7 @@ --- title: Diagnose MDM failures in Windows 10 description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,7 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/25/2018 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Diagnose MDM failures in Windows 10 diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index 8c038b6c43..ae506a8cb0 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier2" + ], "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "itpro-manage", diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md index ce77a2e025..67353c881b 100644 --- a/windows/client-management/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md 
@@ -105,7 +105,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ 2. Find the variable names of the parameters in the ADMX file. - You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2). + You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-csp-appvirtualization.md#publishingallowserver2). ![Publishing server 2 policy description.](images/admx-appv-policy-description.png) diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index ec40469278..8bffb182d7 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -7,15 +7,18 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 04/30/2022 -ms.reviewer: +ms.reviewer: manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Enroll a Windows 10 device automatically using Group Policy **Applies to:** +- Windows 11 - Windows 10 Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices. 
@@ -187,16 +190,19 @@ Requirements: - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591) - + - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) - + - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124) - 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) - - + + - 22H2 --> [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677) + + - 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593) + 2. Install the package on the Domain Controller. 3. Navigate, depending on the version to the folder: 
@@ -210,13 +216,17 @@ Requirements: - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)** - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** - + - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)** - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)** - 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)** + - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2022 Update (22H2)** + + - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)** + 4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`. 5. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`. diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md index 88f302cdce..91645ea1af 100644 --- a/windows/client-management/implement-server-side-mobile-application-management.md +++ b/windows/client-management/implement-server-side-mobile-application-management.md @@ -7,7 +7,7 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 08/03/2022 -ms.reviewer: +ms.reviewer: manager: aaroncz --- 
@@ -18,44 +18,45 @@ The Windows version of mobile application management (MAM) is a lightweight solu ## Integration with Azure AD -MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).  +MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md). -MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. +MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices will be enrolled to MAM or MDM, depending on the user's actions. 
If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**. -Regular non-admin users can enroll to MAM.  +Regular non-admin users can enroll to MAM. ## Integration with Windows Information Protection -MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.  +MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. 
To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf. To make applications WIP-aware, app developers need to include the following data in the app resource file. ``` syntax -// Mark this binary as Allowed for WIP (EDP) purpose  +// Mark this binary as Allowed for WIP (EDP) purpose MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID BEGIN 0x0001 - END  + END ``` ## Configuring an Azure AD tenant for MAM enrollment -MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. With Azure AD in Windows 10, version 1703, onward, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  +MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. With Azure AD in Windows 10, version 1703, onward, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration. :::image type="content" alt-text="Mobile application management app." 
source="images/implement-server-side-mobile-application-management.png"::: MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. > [!NOTE] -> If the MDM service in an organization isn't integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  +> If the MDM service in an organization isn't integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured. ## MAM enrollment -MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.  +MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method. + +Below are protocol changes for MAM enrollment: -Below are protocol changes for MAM enrollment:  - MDM discovery isn't supported. - APPAUTH node in [DMAcc CSP](mdm/dmacc-csp.md) is optional. - MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. 
Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. @@ -74,7 +75,7 @@ Here's an example provisioning XML for MAM enrollment. ``` -Since the [Poll](mdm/dmclient-csp.md#provider-providerid-poll) node isn’t provided above, the device would default to once every 24 hours. +Since the [Poll](mdm/dmclient-csp.md#deviceproviderprovideridpoll) node isn't provided above, the device would default to once every 24 hours. ## Supported CSPs @@ -95,7 +96,6 @@ MAM on Windows supports the following configuration service providers (CSPs). Al - [VPNv2 CSP](mdm/vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. - [WiFi CSP](mdm/wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. - ## Device lock policies and EAS MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP. 
@@ -120,7 +120,7 @@ Windows doesn't support applying both MAM and MDM policies to the same devices. To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment. -In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when Windows Information Protection policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that: +In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when Windows Information Protection policies are removed from the device, the user's access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that: - Both MAM and MDM policies for the organization support Windows Information Protection. - EDP CSP Enterprise ID is the same for both MAM and MDM. diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index ff469792d0..d782edc5b3 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -11,6 +11,7 @@ metadata: ms.technology: itpro-manage ms.collection: - highpri + - tier1 author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 466a326260..37aae00014 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md 
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -6,7 +6,7 @@ ms.localizationpriority: medium ms.date: 06/03/2022 author: vinaypamnani-msft ms.author: vinpa -ms.reviewer: +ms.reviewer: manager: aaroncz ms.topic: overview ms.technology: itpro-manage @@ -30,11 +30,8 @@ This six-minute video demonstrates how users can bring in a new retail device an This article offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. It covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle: - [Deployment and Provisioning](#deployment-and-provisioning) - - [Identity and Authentication](#identity-and-authentication) - - [Configuration](#settings-and-configuration) - - [Updating and Servicing](#updating-and-servicing) ## Reviewing the management options with Windows 10 
@@ -121,7 +118,7 @@ There are various steps you can take to begin the process of modernizing device **Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. -**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md). +**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. 
For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md). **Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. For more information, see the following articles: diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 7cf55e0587..0771fcc433 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -5,10 +5,12 @@ ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa ms.date: 09/14/2021 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-manage --- 
@@ -51,7 +53,7 @@ First, you create a default user profile with the customizations that you want, 1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account. > [!NOTE] - > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. + > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. 1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index f5d5c1dc39..7023a7b517 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm-enrollment-of-windows-devices.md @@ -1,17 +1,19 @@ --- title: MDM enrollment of Windows 10-based devices description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources. -MS-HAID: +MS-HAID: - 'p\_phdevicemgmt.enrollment\_ui' - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.date: 12/31/2017 --- 
@@ -35,7 +37,7 @@ Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Educatio > [!NOTE] > Mobile devices can't be connected to an Active Directory domain. -### Out-of-box-experience +### Out-of-box-experience Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) isn't supported. To join a domain: @@ -90,7 +92,7 @@ There are a few instances where your device can't be connected to an Active Dire | You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | | Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | - + ### Connect your device to an Azure AD domain (join Azure AD) @@ -167,9 +169,9 @@ There are a few instances where your device can't be connected to an Azure AD do | Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | | Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | - -## Connect personally owned devices + +## Connect personally owned devices Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school. 
@@ -247,7 +249,7 @@ To create a local account and connect the device: ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) After you complete the flow, your device will be connected to your organization’s MDM. - + ### Help with connecting personally owned devices There are a few instances where your device may not be able to connect to work. @@ -260,7 +262,7 @@ There are a few instances where your device may not be able to connect to work. | You don’t have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | | We couldn’t auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | - + ## Connect your Windows 10-based device to work using a deep link 
@@ -283,13 +285,13 @@ The deep link used for connecting your device to work will always use the follow | ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | > [!NOTE] -> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later. +> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later. ### Connect to MDM using a deep link > [!NOTE] > Deep links only work with Internet Explorer or Microsoft Edge browsers. Examples of URI's that may be used to connect to MDM using a deep link: -> +> > - **ms-device-enrollment:?mode=mdm** > - **ms-device-enrollment:?mode=mdm&username=`someone@example.com`&servername=`https://example.server.com`** @@ -342,7 +344,7 @@ Starting in Windows 10, version 1709, selecting the **Info** button will show a ![work or school info.](images/unifiedenrollment-rs1-35-b.png) > [!NOTE] -> Starting in Windows 10, version 1709, the **Manage** button is no longer available. +> Starting in Windows 10, version 1709, the **Manage** button is no longer available. ### Disconnect @@ -363,7 +365,7 @@ Starting in Windows 10, version 1709, you can get the advanced diagnostic report ![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png) - + diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md index 8c630a325a..fd9f4c2321 100644 --- a/windows/client-management/mdm-overview.md +++ b/windows/client-management/mdm-overview.md 
@@ -9,7 +9,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Mobile Device Management overview diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index f50369aa36..5c3c9714b8 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md 
@@ -1,30 +1,580 @@ --- -title: Language Pack Management CSP -description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. -ms.reviewer: +title: LanguagePackManagement CSP +description: Learn more about the LanguagePackManagement CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/22/2021 +ms.topic: reference --- -# Language Pack Management CSP + -The table below shows the applicability of Windows: + +# LanguagePackManagement CSP -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + + The Language Pack Management CSP allows a way to easily add languages and related language features and manage settings like System Preferred UI Language, System Locale, Input method (Keyboard), Locale, Speech Recognizer, User Preferred Language List. This CSP can be accessed using the new [LanguagePackManagement](/powershell/module/languagepackmanagement) PowerShell module. 
+ + + +The following list shows the LanguagePackManagement configuration service provider nodes: + +- ./Device/Vendor/MSFT/LanguagePackManagement + - [Install](#install) + - [{Language ID}](#installlanguage-id) + - [CopyToDeviceInternationalSettings](#installlanguage-idcopytodeviceinternationalsettings) + - [EnableLanguageFeatureInstallations](#installlanguage-idenablelanguagefeatureinstallations) + - [ErrorCode](#installlanguage-iderrorcode) + - [StartInstallation](#installlanguage-idstartinstallation) + - [Status](#installlanguage-idstatus) + - [InstalledLanguages](#installedlanguages) + - [{Language ID}](#installedlanguageslanguage-id) + - [LanguageFeatures](#installedlanguageslanguage-idlanguagefeatures) + - [Providers](#installedlanguageslanguage-idproviders) + - [LanguageSettings](#languagesettings) + - [SystemPreferredUILanguages](#languagesettingssystempreferreduilanguages) + + + +## Install + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/Install +``` + + + + +Language to be installed or being installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Install/{Language ID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/Install/{Language ID} +``` + + + + +Language tag of the language to be installed or being installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: Language tag of the language to be installed or being installed. | + + + + + + + + + +#### Install/{Language ID}/CopyToDeviceInternationalSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/Install/{Language ID}/CopyToDeviceInternationalSettings +``` + + + + +Copies the language to the international settings (i.e., locale, input layout, speech recognizer, preferred UI language) of the device immediately after installation if the value is true. Default value is false. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Don't copy the language to the international settings immediately after installation. | +| true | Copy the language to the international settings immediately after installation. | + + + + + + + + + +#### Install/{Language ID}/EnableLanguageFeatureInstallations + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/Install/{Language ID}/EnableLanguageFeatureInstallations +``` + + + + +Enables installations of all available language features when the value is true. Default value is true. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true (Default) | Install all available language features. | +| false | Install only the required language features. | + + + + + + + + + +#### Install/{Language ID}/ErrorCode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/Install/{Language ID}/ErrorCode +``` + + + + +Error code of queued language installation. 0 if there is no error. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Install/{Language ID}/StartInstallation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/Install/{Language ID}/StartInstallation +``` + + + + +Execution node to queue a language for installation on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +#### Install/{Language ID}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/Install/{Language ID}/Status +``` + + + + +Status of the language queued for install. 0 - not started; 1 - in progress; 2 - succeeded; 3 - failed; 4 - partially succeeded. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## InstalledLanguages + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages +``` + + + + +Languages currently installed on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### InstalledLanguages/{Language ID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/{Language ID} +``` + + + + +Language tag of an installed language on the device. Delete to uninstall. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### InstalledLanguages/{Language ID}/LanguageFeatures + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/{Language ID}/LanguageFeatures +``` + + + + +Numeric representation of the language features installed. Basic Typing - 1 (0x1), Fonts - 2 (0x2), Handwriting - 4 (0x4), Speech - 8 (0x8), TextToSpeech - 16 (0x10), OCR - 32 (0x20), LocaleData - 64 (0x40), SupplementFonts - 128 (0x80). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### InstalledLanguages/{Language ID}/Providers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/{Language ID}/Providers +``` + + + + +Numeric representation of how a language is installed. 1 - The system language pack is installed; 2 - The Local Experience Pack is installed; 3 - Both are installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## LanguageSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings +``` + + + + +Language settings of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### LanguageSettings/SystemPreferredUILanguages + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview [99.9.9999] | + + + +```Device +./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages +``` + + + + +System Preferred UI Language of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + + +## Examples 1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples: @@ -60,10 +610,10 @@ The Language Pack Management CSP allows a way to easily add languages and relate - System Preferred UI Language - System Locale - Default settings for new users - - Input Method (keyboard) - - Locale - - Speech Recognizer - - User Preferred Language List + - Input Method (keyboard) + - Locale + - Speech Recognizer + - User Preferred Language List - Admins can optionally configure whether they want to install all available language features during installation using the REPLACE command on the "EnableLanguageFeatureInstallations" node of the language. false- will install only required features; true (default)- will install all available features. Here are the sample commands to install French language with required features and copy to the device's international settings: 
@@ -79,7 +629,6 @@ The Language Pack Management CSP allows a way to easily add languages and relate **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** Status: 0 – not started; 1 – in progress; 2 – succeeded; 3 – failed; 4 - partial success (A partial success indicates not all the provisioning operations succeeded, for example, there was an error installing the language pack or features). - ErrorCode: An HRESULT that could help diagnosis if the installation failed or partially failed. 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. Below is a sample command to delete the zh-CN language. @@ -92,7 +641,10 @@ The Language Pack Management CSP allows a way to easily add languages and relate 4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** + -## Related topics + -[Configuration service provider reference](index.yml) +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index 5fe3530eca..beefa0c052 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md 
@@ -1,99 +1,143 @@ --- title: ActiveSync CSP -description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. -ms.reviewer: +description: Learn more about the ActiveSync CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.topic: reference --- + + + # ActiveSync CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status. Configuring Windows Live ActiveSync accounts through this configuration service provider isn't supported. > [!NOTE] -> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path. +> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path. The `./Vendor/MSFT/ActiveSync` path is deprecated. + -On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the `./Vendor/MSFT/ActiveSync` path will work if the user is logged in. The CSP fails when no user is logged in. + +The following list shows the ActiveSync configuration service provider nodes: -The `./Vendor/MSFT/ActiveSync path` is deprecated, but will continue to work in the short term. 
+- ./User/Vendor/MSFT/ActiveSync + - [Accounts](#accounts) + - [{Account GUID}](#accountsaccount-guid) + - [AccountIcon](#accountsaccount-guidaccounticon) + - [AccountName](#accountsaccount-guidaccountname) + - [AccountType](#accountsaccount-guidaccounttype) + - [Domain](#accountsaccount-guiddomain) + - [EmailAddress](#accountsaccount-guidemailaddress) + - [Options](#accountsaccount-guidoptions) + - [CalendarAgeFilter](#accountsaccount-guidoptionscalendaragefilter) + - [ContentTypes](#accountsaccount-guidoptionscontenttypes) + - [{Content Type GUID}](#accountsaccount-guidoptionscontenttypescontent-type-guid) + - [Enabled](#accountsaccount-guidoptionscontenttypescontent-type-guidenabled) + - [Name](#accountsaccount-guidoptionscontenttypescontent-type-guidname) + - [Logging](#accountsaccount-guidoptionslogging) + - [MailAgeFilter](#accountsaccount-guidoptionsmailagefilter) + - [MailBodyType](#accountsaccount-guidoptionsmailbodytype) + - [MailHTMLTruncation](#accountsaccount-guidoptionsmailhtmltruncation) + - [MailPlainTextTruncation](#accountsaccount-guidoptionsmailplaintexttruncation) + - [Schedule](#accountsaccount-guidoptionsschedule) + - [UseSSL](#accountsaccount-guidoptionsusessl) + - [Password](#accountsaccount-guidpassword) + - [Policies](#accountsaccount-guidpolicies) + - [MailBodyType](#accountsaccount-guidpoliciesmailbodytype) + - [MaxMailAgeFilter](#accountsaccount-guidpoliciesmaxmailagefilter) + - [ServerName](#accountsaccount-guidservername) + - [UserName](#accountsaccount-guidusername) + -The following example shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. 
+ +## Accounts -```console -./Vendor/MSFT -ActiveSync -----Accounts ---------Account GUID -------------EmailAddress -------------Domain -------------AccountIcon -------------AccountType -------------AccountName -------------Password -------------ServerName -------------UserName -------------Options -----------------CalendarAgeFilter -----------------Logging -----------------MailBodyType -----------------MailHTMLTruncation -----------------MailPlainTextTruncation -----------------Schedule -----------------UseSSL -----------------MailAgeFilter -----------------ContentTypes ---------------------Content Type GUID -------------------------Enabled -------------------------Name -------------Policies -----------------MailBodyType -----------------MaxMailAgeFilter + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts ``` + -**./User/Vendor/MSFT/ActiveSync** -The root node for the ActiveSync configuration service provider. + + +The parent node group all active sync accounts. + -> [!NOTE] -> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path. + + + -On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in. + +**Description framework properties**: -The `./Vendor/MSFT/ActiveSync` path is deprecated, but will continue to work in the short term. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -The supported operation is Get. + + + -**Accounts** -The root node for all ActiveSync accounts. + -The supported operation is Get. + +### Accounts/{Account GUID} -***Account GUID*** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID} +``` + + + + Defines a specific ActiveSync account. A globally unique identifier (GUID) must be generated for each ActiveSync account on the device. + -Supported operations are Get, Add, and Delete. - + + When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and doesn't create the new account. + -Braces { } are required around the GUID. In OMA Client Provisioning, you can type the braces. For example: + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | +| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | + + + + +**Example**: + +Braces `{}` are required around the GUID. In OMA Client Provisioning, you can type the braces. For example: ```xml @@ -108,196 +152,1024 @@ For OMA DM, you must use the ASCII values of %7B and %7D for the opening and clo ``` + + + + + +#### Accounts/{Account GUID}/AccountIcon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/AccountIcon +``` + + + + +Specify the location of the icon associated with the account. + + + + +The account icon can be used as a tile in the Start list or an icon in the applications list under **Settings** > **Email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at `res://AccountSettingsSharedRes{ScreenResolution}!%s.genericmail.png`. The suggested icon for Exchange Accounts is at `res://AccountSettingsSharedRes{ScreenResolution}!%s.office.outlook.png`. Custom icons can be added if desired. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Accounts/{Account GUID}/AccountName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/AccountName +``` + + + + +The name that refers to the account on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Accounts/{Account GUID}/AccountType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/AccountType +``` + + + + +Specify the account type. This value is entered during setup and cannot be modified once entered. An Exchange account is indicated by the string value "Exchange". + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Accounts/{Account GUID}/Domain + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Domain +``` + + + + +Domain name of the Exchange server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Accounts/{Account GUID}/EmailAddress + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/EmailAddress +``` + + + + +The email address the user entered during setup. This is the email address that is associated with the Exchange ActiveSync account and it is required. + + + + +This email address is entered by the user during setup and must be in the fully qualified email address format, for example, `someone@example.com`. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Accounts/{Account GUID}/Options + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options +``` + + + + +Specifies whether email, contacts, and calendar need to synchronize by default, and sets preference such as sync schedule, truncation sizes, and logging. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Accounts/{Account GUID}/Options/CalendarAgeFilter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/CalendarAgeFilter +``` + + + + +Specifies the time window used for syncing calendar items to the phone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Accounts/{Account GUID}/Options/ContentTypes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/ContentTypes +``` + + + + +Interior node for Content Types. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Accounts/{Account GUID}/Options/ContentTypes/{Content Type GUID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/ContentTypes/{Content Type GUID} +``` + + + + +Enables or disables syncing email, contacts, task, and calendar. Each is represented by a GUID. Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}. Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1} + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: The GUID values allowed are one of the following: Email: "{c6d47067-6e92-480e-b0fc-4ba82182fac7}". Contacts: "{0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}". Calendar: "{4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}". Tasks: "{783ae4f6-4c12-4423-8270-66361260d4f1}". | + + + + + + + + + +###### Accounts/{Account GUID}/Options/ContentTypes/{Content Type GUID}/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/ContentTypes/{Content Type GUID}/Enabled +``` + + + + +Enables or disables Sync for Email, contacts, calendar, and Tasks. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Sync for email, contacts, calendar, or tasks is disabled. | +| 1 (Default) | Sync is enabled. | + + + + + + + + + +###### Accounts/{Account GUID}/Options/ContentTypes/{Content Type GUID}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/ContentTypes/{Content Type GUID}/Name +``` + + + + +The name of the content type. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Accounts/{Account GUID}/Options/Logging + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/Logging +``` + + + + +Specifies whether diagnostic logging is enabled and at what level. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Logging is off. | +| 1 | Basic logging is enabled. | +| 2 | Advanced logging is enabled. | + + + + + + + + + +##### Accounts/{Account GUID}/Options/MailAgeFilter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/MailAgeFilter +``` + + + + +Specifies the time window used for syncing email items to the phone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | No age filter is used, and all email items are synced to the device. | +| 1 | Only email up to one day old is synced to the device. | +| 2 | Only email up to three days old is synced to the device. | +| 3 (Default) | Email up to a week old is synced to the device. | +| 4 | Email up to two weeks old is synced to the device. | +| 5 | Email up to a month old is synced to the device. | +| 6 | Email up to three months old is synced to the device. | + + + + + + + + + +##### Accounts/{Account GUID}/Options/MailBodyType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/MailBodyType +``` + + + + +Indicates format type of the Email. Supported values are 0 (none), 1 (text), 2 (HTML), 3 (RTF), and 4 (MIME). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | None. | +| 1 | Text. | +| 2 | HTML. | +| 3 | RTF. | +| 4 | MIME. | + + + + + + + + + +##### Accounts/{Account GUID}/Options/MailHTMLTruncation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/MailHTMLTruncation +``` + + + + +This setting specifies the size beyond which HTML-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Accounts/{Account GUID}/Options/MailPlainTextTruncation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/MailPlainTextTruncation +``` + + + + +This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Accounts/{Account GUID}/Options/Schedule + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/Schedule +``` + + + + +Specifies the time until the next sync is performed in minutes. If -1 is chosen, a sync will occur as items are received. If a 0 is chosen, all syncs must be performed manually. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[(-1)-4294967295]` | +| Default Value | -1 | + + + + + + + + + +##### Accounts/{Account GUID}/Options/UseSSL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Options/UseSSL +``` + + + + +Specifies whether SSL is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | SSL is not used. | +| 1 (Default) | SSL is used. | + + + + + + + + + +#### Accounts/{Account GUID}/Password + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Password +``` + + + + +A character string that specifies the password for the account. For the Get command, only asterisks are returned. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Accounts/{Account GUID}/Policies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Policies +``` + + + + +Specifies the mail body type and email age filter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Accounts/{Account GUID}/Policies/MailBodyType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Policies/MailBodyType +``` + + + + +Specifies the email body type. HTML or plain. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| HTML | HTML. | +| plain | Plain. | + + + + + + + + + +##### Accounts/{Account GUID}/Policies/MaxMailAgeFilter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/Policies/MaxMailAgeFilter +``` + + + + +Specifies the time window used for syncing mail items to the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Accounts/{Account GUID}/ServerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/ServerName +``` + + + + +Specifies the server name used by the account. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -***Account GUID*/EmailAddress** -Required. A character string that specifies the email address associated with the Exchange ActiveSync account. - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -This email address is entered by the user during setup and must be in the fully qualified email address format, for example, "someone@example.com". - -***Account GUID*/Domain** -Optional for Exchange. Specifies the domain name of the Exchange server. - -Supported operations are Get, Replace, Add, and Delete. - -***Account GUID*/AccountIcon** -Required. A character string that specifies the location of the icon associated with the account. - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings > email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired. - -***Account GUID*/AccountType** -Required. A character string that specifies the account type. - -Supported operations are Get and Add (can't Add after the account is created). - -This value is entered during setup and can't be modified once entered. 
An Exchange account is indicated by the string value "Exchange". - -***Account GUID*/AccountName** -Required. A character string that specifies the name that refers to the account on the device. - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -***Account GUID*/Password** -Required. A character string that specifies the password for the account. - -Supported operations are Get, Replace, Add, and Delete. - -For the Get command, only asterisks are returned. - -***Account GUID*/ServerName** -Required. A character string that specifies the server name used by the account. - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -***Account GUID*/UserName** -Required. A character string that specifies the user name for the account. - -Supported operations are Get, and Add (can't Add after the account is created). - -The user name can't be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com". - -**Options** -Node for other parameters. - -**Options/CalendarAgeFilter** -Specifies the time window used for syncing calendar items to the device. Value type is chr. - -**Options/Logging** -Required. A character string that specifies whether diagnostic logging is enabled and at what level. The default is 0 (disabled). - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -Valid values are any of the following values: - -- 0 (default) - Logging is off. - -- 1 - Basic logging is enabled. - -- 2 - Advanced logging is enabled. - -Logging is set to off by default. 
The user might be asked to set this logging to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic. - -**Options/MailBodyType** -Indicates the email format. Valid values: - -- 0 - none -- 1 - text -- 2 - HTML -- 3 - RTF -- 4 - MIME - -**Options/MailHTMLTruncation** -Specifies the size beyond which HTML-formatted email messages are truncated when they're synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation. - -**Options/MailPlainTextTruncation** -This setting specifies the size beyond which text-formatted e-mail messages are truncated when they're synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. - -**Options/UseSSL** -Optional. A character string that specifies whether SSL is used. - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -Valid values are: - -- 0 - SSL isn't used. - -- 1 (default) - SSL is used. - -**Options/Schedule** -Required. A character string that specifies the time until the next sync is performed, in minutes. The default value is -1. - -Supported operations are Get and Replace. - -Valid values are any of the following values: - -- -1 (default) - A sync will occur as items are received - -- 0 - All syncs must be performed manually - -- 15 - Sync every 15 minutes - -- 30 - Sync every 30 minutes - -- 60 - Sync every 60 minutes - -**Options/MailAgeFilter** -Required. A character string that specifies the time window used for syncing email items to the device. The default value is 3. - -Supported operations are Get and Replace. - -Valid values are any of the following values: - -- 0 – No age filter is used, and all email items are synced to the device. - -- 2 – Only email up to three days old is synced to the device. - -- 3 (default) – Email up to a week old is synced to the device. 
- -- 4 – Email up to two weeks old is synced to the device. - -- 5 – Email up to a month old is synced to the device. - -**Options/ContentTypes/***Content Type GUID* -Defines the type of content to be individually enabled/disabled for sync. - -The *GUID* values allowed are any of the following values: - -- Email: "{c6d47067-6e92-480e-b0fc-4ba82182fac7}" - -- Contacts: "{0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}" - -- Calendar: "{4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}" - -- Tasks: "{783ae4f6-4c12-4423-8270-66361260d4f1}" - -**Options/ContentTypes/*Content Type GUID*/Enabled** -Required. A character string that specifies whether sync is enabled or disabled for the selected content type. The default is "1" (enabled). - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -Valid values are any of the following values: - -- 0 - Sync for email, contacts, calendar, or tasks are disabled. -- 1 (default) - Sync is enabled. - -**Options/ContentTypes/*Content Type GUID*/Name** -Required. A character string that specifies the name of the content type. - -> [!NOTE] -> In Windows 10, this node is currently not working. - -Supported operations are Get, Replace, and Add (can't Add after the account is created). - -When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected. - -**Policies** -Node for mail body type and email age filter. - -**Policies/MailBodyType** -Required. Specifies the email body type: HTML or plain. - -Value type is string. - -Supported operations are Add, Get, Replace, and Delete. - -**Policies/MaxMailAgeFilter** -Required. Specifies the time window used for syncing mail items to the device. - -Value type is string. Supported operations are Add, Get, Replace, and Delete. 
- -## Related topics - -[Configuration service provider reference](index.yml) - - + + + + + + +#### Accounts/{Account GUID}/UserName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/ActiveSync/Accounts/{Account GUID}/UserName +``` + + + +Specifies the user name for the account. The user name cannot be changed after a sync has been successfully performed. The user name can be in the fully qualified format "`someone@example.com`", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "`someone@example.com`". + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + +## Related articles +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md index 0bf7e5329b..5128680488 100644 --- a/windows/client-management/mdm/activesync-ddf-file.md +++ b/windows/client-management/mdm/activesync-ddf-file.md 
@@ -1,36 +1,32 @@ --- title: ActiveSync DDF file -description: Learn about the OMA DM device description framework (DDF) for the ActiveSync configuration service provider. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the ActiveSync configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/16/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # ActiveSync DDF file -This topic shows the OMA DM device description framework (DDF) for the **ActiveSync** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the ActiveSync configuration service provider. ```xml - -]> +]> 1.2 + + ActiveSync - ./Vendor/MSFT + ./User/Vendor/MSFT @@ -46,8 +42,13 @@ The XML below is the current version for this CSP. - com.microsoft/1.0/MDM/ActiveSync + + + 10.0.10240 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + Accounts @@ -66,17 +67,18 @@ The XML below is the current version for this CSP. - + - + + - - + + Defines a specific ActiveSync account. A globally unique identifier (GUID) must be generated for each ActiveSync account on the device. 
@@ -90,17 +92,23 @@ The XML below is the current version for this CSP. Account GUID - + + + + + + \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + EmailAddress - - + + The email address the user entered during setup. This is the email address that is associated with the Exchange ActiveSync account and it is required. @@ -113,18 +121,20 @@ The XML below is the current version for this CSP. - text/plain + + + Domain - - + + Domain name of the Exchange server @@ -137,18 +147,20 @@ The XML below is the current version for this CSP. - text/plain + + + AccountIcon - - + + Specify the location of the icon associated with the account. @@ -161,20 +173,22 @@ The XML below is the current version for this CSP. - text/plain + + + AccountType - - + + - Specify the account type. + Specify the account type. This value is entered during setup and cannot be modified once entered. An Exchange account is indicated by the string value "Exchange". @@ -185,20 +199,22 @@ The XML below is the current version for this CSP. - text/plain + + + AccountName - - + + - The name that refers to the account on the phone. + The name that refers to the account on the device. @@ -209,20 +225,22 @@ The XML below is the current version for this CSP. - text/plain + + + Password - - + + - A character string that specifies the password for the account. + A character string that specifies the password for the account. For the Get command, only asterisks are returned. @@ -233,18 +251,20 @@ The XML below is the current version for this CSP. - text/plain + + + ServerName - - + + Specifies the server name used by the account. 
@@ -257,20 +277,22 @@ The XML below is the current version for this CSP. - text/plain + + + UserName - - + + - Specifies the user name for the account. + Specifies the user name for the account. The user name cannot be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com". @@ -281,18 +303,20 @@ The XML below is the current version for this CSP. - text/plain + + + Options - - + + Specifies whether email, contacts, and calendar need to synchronize by default, and sets preference such as sync schedule, truncation sizes, and logging. @@ -305,17 +329,17 @@ The XML below is the current version for this CSP. - + CalendarAgeFilter - - + + Specifies the time window used for syncing calendar items to the phone. @@ -328,19 +352,22 @@ The XML below is the current version for this CSP. - text/plain + + + Logging - - + + + 0 Specifies whether diagnostic logging is enabled and at what level. @@ -352,18 +379,32 @@ The XML below is the current version for this CSP. - text/plain + + + + 0 + Logging is off. + + + 1 + Basic logging is enabled. + + + 2 + Advanced logging is enabled. + + MailBodyType - - + + Indicates format type of the Email. Supported values are 0 (none), 1 (text), 2 (HTML), 3 (RTF), and 4 (MIME). @@ -376,18 +417,40 @@ The XML below is the current version for this CSP. - text/plain + + + + 0 + none + + + 1 + text + + + 2 + HTML + + + 3 + RTF + + + 4 + MIME + + MailHTMLTruncation - - + + This setting specifies the size beyond which HTML-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. 
@@ -400,18 +463,20 @@ The XML below is the current version for this CSP. - text/plain + + + MailPlainTextTruncation - - + + This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. @@ -424,20 +489,23 @@ The XML below is the current version for this CSP. - text/plain + + + Schedule - - + + - Specifies the time until the next sync is performed in minutes. + -1 + Specifies the time until the next sync is performed in minutes. If -1 is chosen, a sync will occur as items are received. If a 0 is chosen, all syncs must be performed manually. @@ -448,19 +516,23 @@ The XML below is the current version for this CSP. - text/plain + + + [(-1)-4294967295] + UseSSL - - + + + 1 Specifies whether SSL is used. @@ -472,19 +544,30 @@ The XML below is the current version for this CSP. - text/plain + + + + 0 + SSL is not used. + + + 1 + SSL is used. + + MailAgeFilter - - + + + 3 Specifies the time window used for syncing email items to the phone. @@ -496,19 +579,50 @@ The XML below is the current version for this CSP. - text/plain + + + + 0 + No age filter is used, and all email items are synced to the device. + + + 1 + Only email up to one day old is synced to the device + + + 2 + Only email up to three days old is synced to the device. + + + 3 + Email up to a week old is synced to the device. + + + 4 + Email up to two weeks old is synced to the device. + + + 5 + Email up to a month old is synced to the device. + + + 6 + Email up to three months old is synced to the device. + + ContentTypes - - + + + Interior node for Content Types 
@@ -519,42 +633,47 @@ The XML below is the current version for this CSP. - + - + + - - + + - Enables or disables syncing email, contacts, task, and calendar. Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1} + Enables or disables syncing email, contacts, task, and calendar.Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1} - 1 + Content Type GUID - + + + The GUID values allowed are one of the following: Email: "{c6d47067-6e92-480e-b0fc-4ba82182fac7}". Contacts: "{0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}". Calendar: "{4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}". Tasks: "{783ae4f6-4c12-4423-8270-66361260d4f1}". + Enabled - - + + + 1 Enables or disables Sync for Email, contacts, calendar, and Tasks. @@ -566,18 +685,28 @@ The XML below is the current version for this CSP. - text/plain + + + + 0 + Sync for email, contacts, calendar, or tasks is disabled. + + + 1 + Sync is enabled. + + Name - - + + The name of the content type. @@ -590,25 +719,50 @@ The XML below is the current version for this CSP. - text/plain + + + - + - Policies + Policies + + + + + + + + Specifies the mail body type and email age filter. + + + + + + + + + + + + + + + MailBodyType - - + + - Specifies the mail body type and email age filter. + Specifies the email body type. HTML or plain - + 
@@ -617,57 +771,46 @@ The XML below is the current version for this CSP. - + + + + HTML + HTML + + + plain + plain + + - - MailBodyType - - - - - - - - Specifies the email body type. HTML or plain - - - - - - - - - - - text/plain - - - - - MaxMailAgeFilter - - - - - - - - Specifies the time window used for syncing mail items to the device. - - - - - - - - - - - text/plain - - - + + + MaxMailAgeFilter + + + + + + + + Specifies the time window used for syncing mail items to the device. + + + + + + + + + + + + + + + + @@ -675,6 +818,6 @@ The XML below is the current version for this CSP. ``` -## Related topics +## Related articles -[ActiveSync configuration service provider](activesync-csp.md) +[ActiveSync configuration service provider reference](activesync-csp.md) diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md index 749f34bf9b..27821afa03 100644 --- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md +++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md 
@@ -1,55 +1,135 @@ --- -title: ApplicationControl CSP DDF -description: View the OMA DM device description framework (DDF) for the ApplicationControl configuration service provider. DDF files are used only with OMA DM provisioning XML. +title: ApplicationControl DDF file +description: View the XML file containing the device description framework (DDF) for the ApplicationControl configuration service provider. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/16/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/10/2019 +ms.topic: reference --- -# ApplicationControl CSP DDF + -This topic shows the OMA DM device description framework (DDF) for the **ApplicationControl** configuration service provider. DDF files are used only with OMA DM provisioning XML. +# ApplicationControl DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). +The following XML file contains the device description framework (DDF) for the ApplicationControl configuration service provider. ```xml -]> +]> 1.2 + + + + ApplicationControl + ./Vendor/MSFT + + + + + Root Node of the ApplicationControl CSP + + + + + + + + + + + + + + 10.0.18362 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Policies + + + + + Beginning of a Subtree that contains all policies. + + + + + + + + + + Policies + + + + - ApplicationControl - ./Vendor/MSFT + + - Root Node of the ApplicationControl CSP. + The GUID of the Policy - + - + + Policy GUID - + + + The ApplicationControl CSP enforces that the "ID" segment of a given policy URI is the same GUID as the policy ID in the policy blob. + - Policies + Policy + + + + + + + + The policy binary encoded as base64. 
Supported value is a binary file, converted from the policy XML file by the ConvertFrom-CIPolicy cmdlet. + + + + + + + + + + Policy + + + + + + + + + PolicyInfo - Beginning of a Subtree that contains all policies. + Information Describing the Policy indicated by the GUID 
@@ -57,219 +137,337 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - + - Policies + PolicyInfo - + - + Version - The GUID of the Policy. + Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type - + - + - Policy GUID + Version - + + + + + + IsBasePolicy + + + + + TRUE/FALSE if the Policy is a Base Policy versus a Supplemental Policy + + + + + + + + + + IsBasePolicy + + + + + + + IsSystemPolicy + + + + + TRUE/FALSE if the Policy is a System Policy, that is a policy managed by Microsoft as part of the OS + + + + + + + + + + IsSystemPolicy + + + + + + + IsEffective + + + + + Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect) + + + + + + + + + + IsEffective + + + + + + + IsDeployed + + + + + Whether the Policy indicated by the GUID is deployed on the system (on the physical machine) + + + + + + + + + + IsDeployed + + + + + + + IsAuthorized + + + + + Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system + + + + + + + + + + IsAuthorized + + + + + + + Status + + + + + The Current Status of the Policy Indicated by the Policy GUID + + + + + + + + + + Status + + + + + + + FriendlyName + + + + + The FriendlyName of the Policy Indicated by the Policy GUID + + + + + + + + + + FriendlyName + + - - Policy - - - - - - - - The policy binary encoded as base64. - - - - - - - - - - Policy - - - - - - - PolicyInfo - - - - - Information Describing the Policy indicated by the GUID. - - - - - - - - - - PolicyInfo - - - - - - Version - - - - - Version of the Policy indicated by the GUID, as a string. When parsing, use a uint64 as the containing data type. - - - - - - - - - - Version - - text/plain - - - - - IsEffective - - - - - Whether the Policy indicated by the GUID is effective on the system (loaded by the enforcement engine and in effect). 
- - - - - - - - - - IsEffective - - text/plain - - - - - IsDeployed - - - - - Whether the Policy indicated by the GUID is deployed on the system (on the physical machine). - - - - - - - - - - IsDeployed - - text/plain - - - - - IsAuthorized - - - - - Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system. - - - - - - - - - - IsAuthorized - - text/plain - - - - - Status - - - - - The Current Status of the Policy Indicated by the Policy GUID. - - - - - - - - - - Status - - text/plain - - - - - FriendlyName - - - - - The FriendlyName of the Policy Indicated by the Policy GUID. - - - - - - - - - - FriendlyName - - text/plain - - - - + + + Tokens + + + + + Beginning of a Subtree that contains all tokens. + + + + + + + + + + Tokens + + + + + + + + + + + + Arbitrary ID used to differentiate tokens + + + + + + + + + + ID + + + + + The ApplicationControl CSP enforces that the "ID" segment of a given token URI is unique. + + + + Token + + + + + + + + The token binary encoded as base64. Supported value is a binary file, obtained from the OneCoreDeviceUnlockService. + + + + + + + + + + Token + + + + + + + + + TokenInfo + + + + + Information Describing the Token indicated by the corresponding ID. + + + + + + + + + + TokenInfo + + + + + + Status + + + + + The Current Status of the Token Indicated by the Token ID + + + + + + + + + + Status + + + + + + + Type + + + + + The Type of Token Indicated by the Token ID + + + + + + + + + + Type + + + + + + + + + ``` -## Related topics +## Related articles -[ApplicationControl configuration service provider](applicationcontrol-csp.md) \ No newline at end of file +[ApplicationControl configuration service provider reference](applicationcontrol-csp.md) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 58e6ece757..8e4b0ab2da 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md 
+++ b/windows/client-management/mdm/applicationcontrol-csp.md 
@@ -1,155 +1,791 @@ --- title: ApplicationControl CSP -description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from an MDM server. +description: Learn more about the ApplicationControl CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.reviewer: jsuther1974 -ms.date: 09/10/2020 +ms.topic: reference --- + + + # ApplicationControl CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot. + + +Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. 
This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot. Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. + -The following example shows the ApplicationControl CSP in tree format. + +The following list shows the ApplicationControl configuration service provider nodes: -```console -./Vendor/MSFT -ApplicationControl -----Policies ---------Policy GUID -------------Policy -------------PolicyInfo -----------------Version -----------------IsEffective -----------------IsDeployed -----------------IsAuthorized -----------------Status -----------------FriendlyName -------------Token -----------------TokenID -----Tokens ---------ID -------------Token -------------TokenInfo -----------------Status -------------PolicyIDs -----------------Policy GUID -----TenantID -----DeviceID +- ./Vendor/MSFT/ApplicationControl + - [Policies](#policies) + - [{Policy GUID}](#policiespolicy-guid) + - [Policy](#policiespolicy-guidpolicy) + - [PolicyInfo](#policiespolicy-guidpolicyinfo) + - [FriendlyName](#policiespolicy-guidpolicyinfofriendlyname) + - [IsAuthorized](#policiespolicy-guidpolicyinfoisauthorized) + - [IsBasePolicy](#policiespolicy-guidpolicyinfoisbasepolicy) + - [IsDeployed](#policiespolicy-guidpolicyinfoisdeployed) + - 
[IsEffective](#policiespolicy-guidpolicyinfoiseffective) + - [IsSystemPolicy](#policiespolicy-guidpolicyinfoissystempolicy) + - [Status](#policiespolicy-guidpolicyinfostatus) + - [Version](#policiespolicy-guidpolicyinfoversion) + - [Tokens](#tokens) + - [{ID}](#tokensid) + - [Token](#tokensidtoken) + - [TokenInfo](#tokensidtokeninfo) + - [Status](#tokensidtokeninfostatus) + - [Type](#tokensidtokeninfotype) + + + +## Policies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies ``` + -**./Vendor/MSFT/ApplicationControl** -Defines the root node for the ApplicationControl CSP. + + +Beginning of a Subtree that contains all policies. + -Scope is permanent. Supported operation is Get. + + +Each policy is identified by their globally unique identifier (GUID). + -**ApplicationControl/Policies** -An interior node that contains all the policies, each identified by their globally unique identifier (GUID). + +**Description framework properties**: -Scope is permanent. Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**ApplicationControl/Policies/_Policy GUID_** -The ApplicationControl CSP enforces that the "ID" segment of a given policy URI is the same GUID as the policy ID in the policy blob. Each *Policy GUID* node contains a Policy node and a corresponding PolicyInfo node. + + + -Scope is dynamic. Supported operation is Get. + -**ApplicationControl/Policies/_Policy GUID_/Policy** -This node is the policy binary itself, which is encoded as base64. + +### Policies/{Policy GUID} -Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -Value type is b64. Supported value is a binary file, converted from the policy XML file by the ConvertFrom-CIPolicy cmdlet. + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID} +``` + + + +The GUID of the Policy. + + + + +Each Policy GUID node contains a Policy node and a corresponding PolicyInfo node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | UniqueName: The ApplicationControl CSP enforces that the "ID" segment of a given policy URI is the same GUID as the policy ID in the policy blob. | + + + + + + + + + +#### Policies/{Policy GUID}/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/Policy +``` + + + + +The policy binary encoded as base64. Supported value is a binary file, converted from the policy XML file by the ConvertFrom-CIPolicy cmdlet. + + + + Default value is empty. + -**ApplicationControl/Policies/_Policy GUID_/PolicyInfo** -An interior node that contains the nodes that describe the policy indicated by the GUID. + +**Description framework properties**: -Scope is dynamic. Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Delete, Get, Replace | + -**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version** -This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing uses a uint64 as the containing data type. + + + -Scope is dynamic. Supported operation is Get. + -Value type is char. + +#### Policies/{Policy GUID}/PolicyInfo -**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective** -This node specifies whether a policy is loaded by the enforcement engine and is in effect on a system. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -Scope is dynamic. Supported operation is Get. + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo +``` + -Value type is bool. Supported values are as follows: + + +Information Describing the Policy indicated by the GUID. + -- True—Indicates that the policy is loaded by the enforcement engine and is in effect on a system. -- False—Indicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This value is the default value. + + + -**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed** -This node specifies whether a policy is deployed on the system and is present on the physical machine. + +**Description framework properties**: -Scope is dynamic. Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Value type is bool. Supported values are as follows: + + + -- True—Indicates that the policy is deployed on the system and is present on the physical machine. -- False—Indicates that the policy isn't deployed on the system and isn't present on the physical machine. This value is the default value. + -**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized** -This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy can't take effect on the system. + +##### Policies/{Policy GUID}/PolicyInfo/FriendlyName -Scope is dynamic. Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -Value type is bool. Supported values are as follows: + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/FriendlyName +``` + -- True—Indicates that the policy is authorized to be loaded by the enforcement engine on the system. -- False—Indicates that the policy isn't authorized to be loaded by the enforcement engine on the system. This value is the default value. + + +The FriendlyName of the Policy Indicated by the Policy GUID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Policies/{Policy GUID}/PolicyInfo/IsAuthorized + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsAuthorized +``` + + + + +Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system. + + + + +Supported values are as follows: + +- True: Indicates that the policy is authorized to be loaded by the enforcement engine on the system. +- False: Indicates that the policy isn't authorized to be loaded by the enforcement engine on the system. This value is the default value. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### Policies/{Policy GUID}/PolicyInfo/IsBasePolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsBasePolicy +``` + + + + +TRUE/FALSE if the Policy is a Base Policy versus a Supplemental Policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### Policies/{Policy GUID}/PolicyInfo/IsDeployed + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsDeployed +``` + + + + +Whether the Policy indicated by the GUID is deployed on the system (on the physical machine) + + + + +Supported values are as follows: + +- True: Indicates that the policy is deployed on the system and is present on the physical machine. +- False: Indicates that the policy isn't deployed on the system and isn't present on the physical machine. This value is the default value. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### Policies/{Policy GUID}/PolicyInfo/IsEffective + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsEffective +``` + + + + +Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect) + + + + +Supported values are as follows: + +- True: Indicates that the policy is loaded by the enforcement engine and is in effect on a system. +- False: Indicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This value is the default value. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### Policies/{Policy GUID}/PolicyInfo/IsSystemPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/IsSystemPolicy +``` + + + + +TRUE/FALSE if the Policy is a System Policy, that is a policy managed by Microsoft as part of the OS. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### Policies/{Policy GUID}/PolicyInfo/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/Status +``` + + + + +The Current Status of the Policy Indicated by the Policy GUID. + + + + +Default value is 0, which indicates that the policy status is `OK`. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +##### Policies/{Policy GUID}/PolicyInfo/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/Version +``` + + + + +Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Tokens + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Tokens +``` + + + + +Beginning of a Subtree that contains all tokens. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Tokens/{ID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Tokens/{ID} +``` + + + + +Arbitrary ID used to differentiate tokens. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | UniqueName: The ApplicationControl CSP enforces that the "ID" segment of a given token URI is unique. | + + + + + + + + + +#### Tokens/{ID}/Token + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Tokens/{ID}/Token +``` + + + + +The token binary encoded as base64. Supported value is a binary file, obtained from the OneCoreDeviceUnlockService. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Tokens/{ID}/TokenInfo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Tokens/{ID}/TokenInfo +``` + + + + +Information Describing the Token indicated by the corresponding ID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Tokens/{ID}/TokenInfo/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Tokens/{ID}/TokenInfo/Status +``` + + + + +The Current Status of the Token Indicated by the Token ID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +##### Tokens/{ID}/TokenInfo/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/ApplicationControl/Tokens/{ID}/TokenInfo/Type +``` + + + + +The Type of Token Indicated by the Token ID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + + +## IsAuthorized, IsDeployed, and IsEffective values The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes: -|IsAuthorized | IsDeployed | IsEffective | Resultant | -|------------ | ---------- | ----------- | --------- | -|True|True|True|Policy is currently running and is in effect.| -|True|True|False|Policy requires a reboot to take effect.| -|True|False|True|Policy requires a reboot to unload from CI.| -|False|True|True|Not Reachable.| -|True|False|False|*Not Reachable.| -|False|True|False|*Not Reachable.| -|False|False|True|Not Reachable.| -|False|False|False|*Not Reachable.| +| IsAuthorized | IsDeployed | IsEffective | Resultant | +|--------------|------------|-------------|-----------------------------------------------| +| True | True | True | Policy is currently running and is in effect. | +| True | True | False | Policy requires a reboot to take effect. | +| True | False | True | Policy requires a reboot to unload from CI. | +| False | True | True | Not Reachable. | +| True | False | False | *Not Reachable. | +| False | True | False | *Not Reachable. | +| False | False | True | Not Reachable. | +| False | False | False | *Not Reachable. | \* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the `END_COMMAND_PROCESSING` will result in a fail. -**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status** -This node specifies whether the deployment of the policy indicated by the GUID was successful. - -Scope is dynamic. 
Supported operation is Get. - -Value type is integer. Default value is 0 = OK. - -**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName** -This node provides the friendly name of the policy indicated by the policy GUID. - -Scope is dynamic. Supported operation is Get. - -Value type is char. - ## Microsoft Intune Usage Guidance For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune). @@ -164,7 +800,7 @@ In order to use the ApplicationControl CSP without using Intune, you must: Below is a sample certutil invocation: -```console +```cmd certutil -encode WinSiPolicy.p7b WinSiPolicy.cer ``` 
@@ -242,15 +878,15 @@ Perform a GET using a deployed policy's GUID to interrogate/inspect the policy i The following table displays the result of Get operation on different nodes: -|Nodes | Get Results| -|------------- | ------| -|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy|raw p7b| -|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version|Policy version| -|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective|Is the policy in effect| -|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed|Is the policy on the system| -|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized|Is the policy authorized on the system| -|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status|Was the deployment successful| -|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy| +| Nodes | Get Results | +|---------------------------------------------------------------------------------|----------------------------------------| +| ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy | raw p7b | +| ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version | Policy version | +| ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective | Is the policy in effect | +| ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed | Is the policy on the system | +| ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized | Is the policy authorized on the system | +| ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status | Was the deployment successful | +| ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName | Friendly name per the policy | An example of Get command is: 
@@ -328,7 +964,10 @@ New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{Pa ```powershell Get-CimInstance -Namespace $namespace -ClassName $policyClassName ``` + + + ## Related articles -[Configuration service provider reference](index.yml) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index a21b6f8223..bfc85fbfa9 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md 
@@ -1,223 +1,934 @@ --- title: AppLocker CSP -description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed. -ms.reviewer: +description: Learn more about the AppLocker CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/19/2019 +ms.topic: reference --- + + + # AppLocker CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked. + -The following example shows the AppLocker configuration service provider in tree format. 
+ +The following list shows the AppLocker configuration service provider nodes: -```console -./Vendor/MSFT -AppLocker -----ApplicationLaunchRestrictions ---------Grouping -------------EXE -----------------Policy -----------------EnforcementMode -----------------NonInteractiveProcessEnforcement -------------MSI -----------------Policy -----------------EnforcementMode -------------Script -----------------Policy -----------------EnforcementMode -------------StoreApps -----------------Policy -----------------EnforcementMode -------------DLL -----------------Policy -----------------EnforcementMode -----------------NonInteractiveProcessEnforcement -------------CodeIntegrity -----------------Policy -----EnterpriseDataProtection ---------Grouping -------------EXE -----------------Policy -------------StoreApps -----------------Policy -----LaunchControl ---------Grouping -------------EXE -----------------Policy -----------------EnforcementMode -------------StoreApps -----------------Policy -----------------EnforcementMode -----FamilySafety ---------Grouping -------------EXE -----------------Policy -----------------EnforcementMode -------------StoreApps -----------------Policy -----------------EnforcementMode +- ./Vendor/MSFT/AppLocker + - [ApplicationLaunchRestrictions](#applicationlaunchrestrictions) + - [{Grouping}](#applicationlaunchrestrictionsgrouping) + - [CodeIntegrity](#applicationlaunchrestrictionsgroupingcodeintegrity) + - [Policy](#applicationlaunchrestrictionsgroupingcodeintegritypolicy) + - [DLL](#applicationlaunchrestrictionsgroupingdll) + - [EnforcementMode](#applicationlaunchrestrictionsgroupingdllenforcementmode) + - [NonInteractiveProcessEnforcement](#applicationlaunchrestrictionsgroupingdllnoninteractiveprocessenforcement) + - [Policy](#applicationlaunchrestrictionsgroupingdllpolicy) + - [EXE](#applicationlaunchrestrictionsgroupingexe) + - [EnforcementMode](#applicationlaunchrestrictionsgroupingexeenforcementmode) + - 
[NonInteractiveProcessEnforcement](#applicationlaunchrestrictionsgroupingexenoninteractiveprocessenforcement) + - [Policy](#applicationlaunchrestrictionsgroupingexepolicy) + - [MSI](#applicationlaunchrestrictionsgroupingmsi) + - [EnforcementMode](#applicationlaunchrestrictionsgroupingmsienforcementmode) + - [Policy](#applicationlaunchrestrictionsgroupingmsipolicy) + - [Script](#applicationlaunchrestrictionsgroupingscript) + - [EnforcementMode](#applicationlaunchrestrictionsgroupingscriptenforcementmode) + - [Policy](#applicationlaunchrestrictionsgroupingscriptpolicy) + - [StoreApps](#applicationlaunchrestrictionsgroupingstoreapps) + - [EnforcementMode](#applicationlaunchrestrictionsgroupingstoreappsenforcementmode) + - [Policy](#applicationlaunchrestrictionsgroupingstoreappspolicy) + - [EnterpriseDataProtection](#enterprisedataprotection) + - [{Grouping}](#enterprisedataprotectiongrouping) + - [EXE](#enterprisedataprotectiongroupingexe) + - [Policy](#enterprisedataprotectiongroupingexepolicy) + - [StoreApps](#enterprisedataprotectiongroupingstoreapps) + - [Policy](#enterprisedataprotectiongroupingstoreappspolicy) + - [FamilySafety](#familysafety) + - [{Grouping}](#familysafetygrouping) + - [EXE](#familysafetygroupingexe) + - [EnforcementMode](#familysafetygroupingexeenforcementmode) + - [Policy](#familysafetygroupingexepolicy) + - [StoreApps](#familysafetygroupingstoreapps) + - [EnforcementMode](#familysafetygroupingstoreappsenforcementmode) + - [Policy](#familysafetygroupingstoreappspolicy) + - [LaunchControl](#launchcontrol) + - [{Grouping}](#launchcontrolgrouping) + - [EXE](#launchcontrolgroupingexe) + - [EnforcementMode](#launchcontrolgroupingexeenforcementmode) + - [Policy](#launchcontrolgroupingexepolicy) + - [StoreApps](#launchcontrolgroupingstoreapps) + - [EnforcementMode](#launchcontrolgroupingstoreappsenforcementmode) + - [Policy](#launchcontrolgroupingstoreappspolicy) + + + +## ApplicationLaunchRestrictions + + +| Scope | Editions | Applicable OS | 
+|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions ``` -**./Vendor/MSFT/AppLocker** -Defines the root node for the AppLocker configuration service provider. + -**AppLocker/ApplicationLaunchRestrictions** + + Defines restrictions for applications. + + + > [!NOTE] -> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. +> When you create a list of allowed apps, all [inbox apps](#inbox-apps-and-components) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. > > Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node. > [!NOTE] -> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI. +> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the `AppLocker/ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy` URI. 
+ -**AppLocker/ApplicationLaunchRestrictions/_Grouping_** -Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define. -Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + +**Description framework properties**: -Supported operations are Get, Add, Delete, and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE** -Defines restrictions for launching executable applications. + + + -Supported operations are Get, Add, Delete, and Replace. + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + +### ApplicationLaunchRestrictions/{Grouping} -Data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Delete, and Replace. + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping} +``` + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + +Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + -The data type is a string. + + + -Supported operations are Get, Add, Delete, and Replace. + +**Description framework properties**: -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/NonInteractiveProcessEnforcement** -The data type is a string. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + -Supported operations are Add, Delete, Get, and Replace. + + + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI** -Defines restrictions for executing Windows Installer files. + -Supported operations are Get, Add, Delete, and Replace. + +#### ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. 
The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Data type is string. + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity +``` + -Supported operations are Get, Add, Delete, and Replace. + + + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + -The data type is a string. + +**Description framework properties**: -Supported operations are Get, Add, Delete, and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script** -Defines restrictions for running scripts. + + + -Supported operations are Get, Add, Delete, and Replace. + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + +##### ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy -Data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Delete, and Replace. + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy +``` + -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). - -The data type is a string. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps** -Defines restrictions for running apps from the Microsoft Store. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. - -Data type is string. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). - -The data type is a string. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL** -Defines restrictions for processing DLL files. 
- -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. - -Data type is string. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). - -The data type is a string. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/NonInteractiveProcessEnforcement** -The data type is a string. - -Supported operations are Add, Delete, Get, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity** -This node is only supported on the desktop. - -Supported operations are Get, Add, Delete, and Replace. - -**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy** -Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. - -Data type is Base64. - -Supported operations are Get, Add, Delete, and Replace. + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. 
This will need to be Base64 encoded. + + + > [!NOTE] -> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP. +> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker CSP. + -**AppLocker/EnterpriseDataProtection** -Captures the list of apps that are allowed to handle enterprise data. Should be used with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | + + + + + + + + + +#### ApplicationLaunchRestrictions/{Grouping}/DLL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL +``` + + + + +Defines restrictions for processing DLL files. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/DLL/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/DLL/NonInteractiveProcessEnforcement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL/NonInteractiveProcessEnforcement +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/DLL/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### ApplicationLaunchRestrictions/{Grouping}/EXE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE +``` + + + + +Defines restrictions for launching executable applications. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/EXE/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/EXE/NonInteractiveProcessEnforcement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE/NonInteractiveProcessEnforcement +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/EXE/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### ApplicationLaunchRestrictions/{Grouping}/MSI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/MSI +``` + + + + +Defines restrictions for executing Windows Installer files. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/MSI/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/MSI/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/MSI/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/MSI/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### ApplicationLaunchRestrictions/{Grouping}/Script + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/Script +``` + + + + +Defines restrictions for running scripts. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/Script/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/Script/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/Script/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/Script/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### ApplicationLaunchRestrictions/{Grouping}/StoreApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps +``` + + + + +Defines restrictions for running apps from the Microsoft Store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/StoreApps/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### ApplicationLaunchRestrictions/{Grouping}/StoreApps/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +## EnterpriseDataProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection +``` + + + + +Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in ./Device/Vendor/MSFT/EnterpriseDataProtection in EnterpriseDataProtection CSP. + + + + In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. You can set the allowed list using the following URI: 
@@ -238,52 +949,1316 @@ Exempt examples: Additional information: - [Recommended blocklist for Windows Information Protection](#recommended-blocklist-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. + -**AppLocker/EnterpriseDataProtection/_Grouping_** -Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define. -Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + +**Description framework properties**: -Supported operations are Get, Add, Delete, and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**AppLocker/EnterpriseDataProtection/_Grouping_/EXE** + + + + + + + +### EnterpriseDataProtection/{Grouping} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping} +``` + + + + +Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### EnterpriseDataProtection/{Grouping}/EXE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/EXE +``` + + + + Defines restrictions for launching executable applications. + -Supported operations are Get, Add, Delete, and Replace. + + + -**AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy** + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### EnterpriseDataProtection/{Grouping}/EXE/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/EXE/Policy +``` + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + -Data type is string. + + + -Supported operations are Get, Add, Delete, and Replace. + +**Description framework properties**: -**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### EnterpriseDataProtection/{Grouping}/StoreApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/StoreApps +``` + + + + Defines restrictions for running apps from the Microsoft Store. + -Supported operations are Get, Add, Delete, and Replace. + + + -**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy** + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### EnterpriseDataProtection/{Grouping}/StoreApps/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/StoreApps/Policy +``` + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + -Data type is string. + + + -Supported operations are Get, Add, Delete, and Replace. + +**Description framework properties**: -1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive). -2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + - The **Device Portal** page opens on your browser. + + + - ![device portal screenshot.](images/applocker-screenshot1.png) + -3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. -4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps. + +## FamilySafety - ![device portal app manager.](images/applocker-screenshot3.png) + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -5. If you don't see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. + +```Device +./Vendor/MSFT/AppLocker/FamilySafety +``` + - ![app manager.](images/applocker-screenshot2.png) + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### FamilySafety/{Grouping} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping} +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### FamilySafety/{Grouping}/EXE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/EXE +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### FamilySafety/{Grouping}/EXE/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/EXE/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### FamilySafety/{Grouping}/EXE/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/EXE/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### FamilySafety/{Grouping}/StoreApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/StoreApps +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### FamilySafety/{Grouping}/StoreApps/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/StoreApps/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### FamilySafety/{Grouping}/StoreApps/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/StoreApps/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +## LaunchControl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### LaunchControl/{Grouping} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping} +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### LaunchControl/{Grouping}/EXE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/EXE +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### LaunchControl/{Grouping}/EXE/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/EXE/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### LaunchControl/{Grouping}/EXE/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/EXE/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + +#### LaunchControl/{Grouping}/StoreApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/StoreApps +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### LaunchControl/{Grouping}/StoreApps/EnforcementMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/StoreApps/EnforcementMode +``` + + + + +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### LaunchControl/{Grouping}/StoreApps/Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/StoreApps/Policy +``` + + + + +Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Reboot Behavior | Automatic | +| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | + + + + + + + + + + +## Policy XSD Schema + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## File Publisher Rules The following table shows the mapping of information to the AppLocker publisher rule field. 
@@ -301,50 +2276,9 @@ Here's an example AppLocker publisher rule: ``` -You can get the publisher name and product name of apps using a web API. - -**To find publisher and product name for Microsoft apps in Microsoft Store for Business:** - -1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote. - -2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is [https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl](https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl), and you'd copy the ID value: **9wzdncrfhvjl**. - -3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. - -Request URI: - -```http -https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata -``` - -Here's the example for Microsoft OneNote: - -Request - -```http -https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata -``` - -Result - -```json -{ - "packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe", - "packageIdentityName": "Microsoft.Office.OneNote", - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" -} -``` - -|Result data|AppLocker publisher rule field| -|--- |--- | -|packageIdentityName|ProductName| -|publisherCertificateName|Publisher| -|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.

    This value will only be present if there's a XAP package associated with the app in the Store.

    If this value is populated, then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.| - - -## Settings apps that rely on splash apps +You can get the publisher name and product name of apps using either `Get-AppxPackage` PowerShell cmdlet or [Windows Device Portal](/windows/uwp/debug-test-perf/device-portal-desktop). +## Settings apps that rely on splash apps These apps are blocked unless they're explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. @@ -368,8 +2302,7 @@ The product name is first part of the PackageFullName followed by the version nu | SettingsPageAppsCorner | 5b04b775-356b-4aa0-aaf8-6491ffea580a\_1.0.0.0\_neutral\_\_4vefaa8deck74 | 5b04b775-356b-4aa0-aaf8-6491ffea580a | | SettingsPagePhoneNfc | b0894dfd-4671-4bb9-bc17-a8b39947ffb6\_1.0.0.0\_neutral\_\_1prqnbg33c1tj | b0894dfd-4671-4bb9-bc17-a8b39947ffb6 | - -## Inbox apps and components +## Inbox apps and components The following list shows the apps that may be included in the inbox. @@ -467,7 +2400,7 @@ The following list shows the apps that may be included in the inbox. |Xbox|b806836f-eebe-41c9-8669-19e243b81b83|Microsoft.XboxApp| |Xbox identity provider|ba88225b-059a-45a2-a8eb-d3580283e49d|Microsoft.XboxIdentityProvider| -## Allowlist examples +## Allowlist examples The following example disables the calendar application. 
@@ -1028,7 +2961,8 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo ``` ## Example for Windows 10 Holographic for Business -The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, and Settings. + +The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inbox-apps-and-components) to enable a working device, and Settings. ```xml @@ -1464,7 +3398,10 @@ In this example, Contoso is the node name. We recommend using a GUID for this no ``` + -## Related topics + -[Configuration service provider reference](index.yml) +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index d0e4446e1c..af3f58ccbe 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md 
@@ -1,673 +1,1149 @@ --- title: AppLocker DDF file -description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the AppLocker configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/23/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # AppLocker DDF file -This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). +The following XML file contains the device description framework (DDF) for the AppLocker configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + AppLocker + ./Vendor/MSFT + + + + + Root node for the AppLocker configuration service provider + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - AppLocker - ./Vendor/MSFT + ApplicationLaunchRestrictions + + + + + Defines restrictions for applications. + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. 
+ + + + + + + + + + Grouping + + + + + + + + - ApplicationLaunchRestrictions + EXE + + + + + + + + Defines restrictions for launching executable applications. + + + + + + + + + + + + + + + Policy - - - - - - - - - - - - - - - - - - + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic - - - - - - - - - - - - - - - - - - - Grouping - - - - - - EXE - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforcementMode - - - - - - - - - - - - - - - - - - text/plain - - - - - NonInteractiveProcessEnforcement - - - - - - - - - - - - - - - - - - text/plain - - - - - - MSI - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforcementMode - - - - - - - - - - - - - - - - - - text/plain - - - - - - Script - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforcementMode - - - - - - - - - - - - - - - - - - text/plain - - - - - - StoreApps - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforcementMode - - - - - - - - - - - - - - - - - - text/plain - - - - - - DLL - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforcementMode - - - - - - - - - - - - - - - - - - text/plain - - - - - NonInteractiveProcessEnforcement - - - - - - - - - - - - - - - - - - text/plain - - - - - - CodeIntegrity - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does 
not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + NonInteractiveProcessEnforcement + + + + + + + + Insert Description Here + + + + + + + + + + + + + + - EnterpriseDataProtection + MSI + + + + + + + + Defines restrictions for executing Windows Installer files. + + + + + + + + + + + + + + + Policy - - - - - - - - - - - - - - - + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic - - - - - - - - - - - - - - - - - - - Grouping - - - - - - EXE - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - - StoreApps - - - - - - - - - - - - - - - - - - - - - - Policy - - - - - - - - - - - - - - - - - - text/plain - - - - - + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + Script + + + + + + + + Defines restrictions for running scripts. + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. 
+ + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + StoreApps + + + + + + + + Defines restrictions for running apps from the Microsoft Store. + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + DLL + + + + + + + + Defines restrictions for processing DLL files. + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. 
The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + NonInteractiveProcessEnforcement + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + + + CodeIntegrity + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. This will need to be Base64 encoded. + + + + + + + + + + + + + + + Automatic + + + + + + EnterpriseDataProtection + + + + + Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in ./Device/Vendor/MSFT/EnterpriseDataProtection in EnterpriseDataProtection CSP. + + + + + + + + + + + + + + + + + + + + + + + + Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. + + + + + + + + + + Grouping + + + + + + + + + + + EXE + + + + + + + + Defines restrictions for launching executable applications. + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. 
+ + + + + + + + + + + + + + ]]> + + Automatic + + + + + StoreApps + + + + + + + + Defines restrictions for running apps from the Microsoft Store. + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + + + + LaunchControl + + + + + Insert Description Here + + + + + + + + + + + + + + + + + + + + + + + + Insert Description Here + + + + + + + + + + Grouping + + + + + + + + + + + EXE + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + Policy + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + StoreApps + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + Policy + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. 
+ + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + + + FamilySafety + + + + + Insert Description Here + + + + + + + + + + + + + + + + + + + + + + + + Insert Description Here + + + + + + + + + + Grouping + + + + + + + + + + + EXE + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. + + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + StoreApps + + + + + + + + Insert Description Here + + + + + + + + + + + + + + + Policy + + + + + + + + Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. 
+ + + + + + + + + + + + + + ]]> + + Automatic + + + + EnforcementMode + + + + + + + + The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). + + + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles -[AppLocker configuration service provider](applocker-csp.md) \ No newline at end of file +[AppLocker configuration service provider reference](applocker-csp.md) diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md deleted file mode 100644 index 9daa087800..0000000000 --- a/windows/client-management/mdm/applocker-xsd.md +++ /dev/null 
@@ -1,1292 +0,0 @@ ---- -title: AppLocker XSD -description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 ---- - -# AppLocker XSD - -Here's the XSD for the AppLocker CSP. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -  - -  - - - - - - diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index cc8530ec85..5042ee9974 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md 
@@ -1,230 +1,103 @@ --- title: AssignedAccess CSP -description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. -ms.reviewer: +description: Learn more about the AssignedAccess CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 05/03/2022 +ms.topic: reference --- + + + # AssignedAccess CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. -For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app) +- For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a single-app kiosk on Windows 10/11](/windows/configuration/kiosk-single-app). +- For a step-by-step guide for configuring multi-app kiosks, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). -In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). 
+> [!IMPORTANT] +> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. -> [!Warning] +> [!WARNING] > You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups. -> [!Note] +> [!NOTE] > If the application calls `KeyCredentialManager.IsSupportedAsync` when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again. + -> [!Note] -> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. 
+ +The following list shows the AssignedAccess configuration service provider nodes: -The following example shows the AssignedAccess configuration service provider in tree format +- ./Vendor/MSFT/AssignedAccess + - [Configuration](#configuration) + - [KioskModeApp](#kioskmodeapp) + - [ShellLauncher](#shelllauncher) + - [Status](#status) + - [StatusConfiguration](#statusconfiguration) + -```console -./Vendor/MSFT -AssignedAccess -----KioskModeApp -----Configuration (Added in Windows 10, version 1709) -----Status (Added in Windows 10, version 1803) -----ShellLauncher (Added in Windows 10, version 1803) -----StatusConfiguration (Added in Windows 10, version 1803) + +## Configuration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/AssignedAccess/Configuration ``` + -**./Device/Vendor/MSFT/AssignedAccess** -Root node for the CSP. + + +This node accepts an AssignedAccessConfiguration xml as input. + -**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp** -A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app). + + +The input XML specifies the settings that you can configure in the kiosk or device. -For more information, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app) +In **Windows 10, version 1803** the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. -> [!Note] -> In Windows 10, version 1803, the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. -> -> Starting in Windows 10, version 1803, the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. +In **Windows 10, version 1909**, Microsoft Edge kiosk mode support was added. 
This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. An example breakout sequence would look something like `shift+alt+a`, where `shift` and `alt` are the modifiers and `a` is the key. -> [!Note] -> You can't set both KioskModeApp and ShellLauncher at the same time on the device. - -Starting in Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](../enterprise-app-management.md). - -Here's an example: - -```json -{"Account":"contoso\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"} -``` - -> [!Tip] -> In this example the double \\\ is required because it's in JSON and JSON escapes \ into \\\\. If an MDM server uses JSON parser\composer, they should ask customers to type only one \\, which will be \\\ in the JSON. If user types \\\\, it'll become \\\\\\\ in JSON, which will cause erroneous results. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (need to) escape \\. -> -> This applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in JSON string. - -When the kiosk mode app is being configured, the account name will be used to find the target user. The account name includes domain name and user name. - -> [!Note] -> The domain name can be optional, if the user name is unique across the system. - -For a local account, the domain name should be the device name. 
When Get is executed on this node, the domain name is always returned in the output. - -The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. - -**./Device/Vendor/MSFT/AssignedAccess/Configuration** -Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For more information about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). For more information on the schema, see [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). - -Updated in Windows 10, version 1909. Added Microsoft Edge kiosk mode support. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. An example breakout sequence would look something like "shift+alt+a", where "shift" and "alt" are the modifiers and "a" is the key. - -> [!Note] -> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. 
-> -> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. - -Enterprises can use this to easily configure and manage the curated lockdown experience. - -Supported operations are Add, Get, Delete, and Replace. - -Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies back (for example, Start Layout). - -**./Device/Vendor/MSFT/AssignedAccess/Status** -Added in Windows 10, version 1803. This read only polling node allows MDM server to query the current KioskModeAppRuntimeStatus as long as the StatusConfiguration node is set to “On” or “OnWithAlerts”. If the StatusConfiguration is “Off”, a node not found error will be reported to the MDM server. Click [link](#status-example) to see an example SyncML. [Here](#assignedaccessalert-xsd) is the schema for the Status payload. - -In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible statuses available for single app kiosk mode. - -|Status |Description | -|---------|---------|---------| -| KioskModeAppRunning | This status means the kiosk app is running normally. | -| KioskModeAppNotFound | This state occurs when the kiosk app isn't deployed to the machine. | -| KioskModeAppActivationFailure | This state occurs when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. | +- For more information about setting up a multi-app kiosk, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). 
+- For more information on the schema, see [AssignedAccessConfiguration XSD](#assignedaccessconfiguration-xsd). +- For examples, see [AssignedAccessConfiguration examples](#assignedaccessconfiguration-examples). > [!NOTE] -> Status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus. +> Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies (for example, Start Layout). + -|Status code | KioskModeAppRuntimeStatus | -|---------|---------| -| 1 | KioskModeAppRunning | -| 2 | KioskModeAppNotFound | -| 3 | KioskModeAppActivationFailure | + +**Description framework properties**: -Additionally, the status payload includes a profileId that can be used by the MDM server to correlate as to which kiosk app caused the error. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -In Windows 10, version 1809, Assigned Access runtime status supports monitoring single-app kiosk and multi-app modes. Here are the possible status codes. + + +**Examples**: -|Status|Description| -|---|---| -|Running|The AssignedAccess account (kiosk or multi-app) is running normally.| -|AppNotFound|The kiosk app isn't deployed to the machine.| -|ActivationFailed|The AssignedAccess account (kiosk or multi-app) failed to sign in.| -|AppNoResponse|The kiosk app launched successfully but is now unresponsive.| +For more examples, see [AssignedAccessConfiguration examples](#assignedaccessconfiguration-examples). -> [!NOTE] -> Status codes available in the Status payload correspond to a specific AssignedAccessRuntimeStatus. 
- -|Status code|AssignedAccessRuntimeStatus| -|---|---| -|1|Running| -|2|AppNotFound| -|3|ActivationFailed| -|4|AppNoResponse| - -Additionally, the Status payload includes the following fields: - -- profileId: It can be used by the MDM server to correlate which account caused the error. -- OperationList: It gives the list of failed operations that occurred while applying the assigned access CSP, if any exist. - -Supported operation is Get. - -**./Device/Vendor/MSFT/AssignedAccess/ShellLauncher** -Added in Windows 10, version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. Shell Launcher V2 is introduced in Windows 10, version 1903 to support both UWP and Win32 apps as the custom shell. For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher). - -> [!Note] -> You can't set both ShellLauncher and KioskModeApp at the same time on the device. -> -> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature, if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function. -> ->The ShellLauncher node is not supported in Windows 10 Pro. - -**./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration** -Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml as input to configure the Kiosk App Health monitoring. There are three possible values for StatusEnabled node inside StatusConfiguration xml: On, OnWithAlerts, and Off. Click [link](#statusconfiguration-xsd) to see the StatusConfiguration schema. - -By default, the StatusConfiguration node doesn't exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node. 
- -Optionally, the MDM server can opt in to the MDM alert so that an MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node. - -This MDM alert header is defined as follows: - -- MDMAlertMark: Critical -- MDMAlertType: "com.microsoft.mdm.assignedaccess.status" -- MDMAlertDataType: String -- Source: "./Vendor/MSFT/AssignedAccess" -- Target: N/A - -> [!Note] -> MDM alert will only be sent for errors. - - -## KioskModeApp examples - -KioskModeApp Add - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - chr - - {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} - - - - - -``` - -KioskModeApp Delete - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - - - - -``` - -KioskModeApp Get +
    +
    + Get Configuration ```xml @@ -233,7 +106,7 @@ KioskModeApp Get 2 - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + ./Device/Vendor/MSFT/AssignedAccess/Configuration @@ -242,31 +115,1002 @@ KioskModeApp Get ``` -KioskModeApp Replace +
    + +
    +
    + Delete Configuration ```xml - + 2 - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + ./Device/Vendor/MSFT/AssignedAccess/Configuration - - chr - - {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"} - + ``` +
    + + + + + +## KioskModeApp + +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT/AssignedAccess/KioskModeApp +``` + + + + +This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. + +Example: `{"User":"domain\\user", "AUMID":"Microsoft. WindowsCalculator_8wekyb3d8bbwe!App"}`. + +When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. + +This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. + + + + +> [!TIP] +> In the above example the double `\\` is required because it's in JSON and JSON escapes `\\` into `\`. If an MDM server uses JSON parser\composer, they should ask customers to type only one `\`, which will be `\\` in the JSON. If user types `\\`, it'll become `\\\\` in JSON, which will cause erroneous results. For the same reason, `domain\user` used in Configuration xml does not need `\\` but only one `\`, because xml does not (need to) escape `\`. +> +> This applies to both `domain\user`, `AzureAD\someone@contoso.onmicrosoft.com`, as long as a `\` is used in JSON string. + +- For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app). 
+- For more information about single-app kiosk, see [Set up a single-app kiosk on Windows 10/11.](/windows/configuration/kiosk-single-app) + +> [!IMPORTANT] +> +> - In Windows 10, version 1803, the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. +> - Additionally, starting in Windows 10, version 1803, the KioskModeApp node becomes No-Op if Configuration node is configured on the device. Add/Replace/Delete commands on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it's not effective. +> - You can't set both KioskModeApp and ShellLauncher at the same time on the device. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +**Examples**: + +
    +
    + Add KioskModeApp + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + chr + + {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} + + + + + +``` + +
    + +
    +
    + Delete KioskModeApp + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + + + + +``` + +
    + +
    +
    + Get KioskModeApp + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + + + + +``` + +
    + +
    +
    + Replace KioskModeApp + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + chr + + {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"} + + + + + +``` + +
    + + + + + +## ShellLauncher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/AssignedAccess/ShellLauncher +``` + + + + +This node accepts a ShellLauncherConfiguration xml as input. + + + + +In **Windows 10, version 1903**, Shell Launcher V2 was introduced to support both UWP and Win32 apps as the custom shell. + +For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher). + +> [!IMPORTANT] +> You can't set both ShellLauncher and KioskModeApp at the same time on the device. + +> [!NOTE] +> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature, if it is available within the SKU. +> +> Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function. The ShellLauncher node is not supported in Windows 10 Pro. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +**ShellLauncherConfiguration XSD**: + +> [!NOTE] +> Shell Launcher V2 uses a separate XSD and namespace for backward compatibility. The original V1 XSD has a reference to the V2 XSD. + +
    +
    + Shell Launcher V1 XSD + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +
    + +
    +
    + Shell Launcher V2 XSD + +```xml + + + + + + + + + + + + + + + +``` + +

    + +**Examples**: + +
    +
    + Add + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + +``` + +
    + +
    +
    + Add AutoLogon + +This function creates an auto-logon account on your behalf. It's a standard user with no password. The auto-logon account is managed by AssignedAccessCSP, so the account name isn't exposed. + +> [!NOTE] +> The auto-logon function is designed to be used after OOBE with provisioning packages. + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + +``` + +
    + +
    +
    + V2 Add + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + +``` + +
    + +
    +
    + Get + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + + + + +``` + +
    + + + + + +## Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/AssignedAccess/Status +``` + + + + +This read only node contains kiosk health event xml. + + + + +This allows MDM server to query the current KioskModeAppRuntimeStatus as long as the StatusConfiguration node is set to "On" or "OnWithAlerts". If the StatusConfiguration is "Off", a "node not found" error will be reported to the MDM server. + +Starting in **Windows 10, version 1809**, Assigned Access runtime status supports monitoring single-app kiosk and multi-app modes. Here are the possible status codes: + +| Status Code | Status | Description | +|--|--|--| +| 0 | Unknown | Unknown status. | +| 1 | Running | The AssignedAccess account (kiosk or multi-app) is running normally. | +| 2 | AppNotFound | The kiosk app isn't deployed to the machine. | +| 3 | ActivationFailed | The AssignedAccess account (kiosk or multi-app) failed to sign in. | +| 4 | AppNoResponse | The kiosk app launched successfully but is now unresponsive. | + +Additionally, the Status payload includes the following fields: + +- profileId: It can be used by the MDM server to correlate which account caused the error. +- OperationList: It gives the list of failed operations that occurred while applying the assigned access CSP, if any exist. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + +**AssignedAccessAlert XSD**: + +
    +
    + Expand this section to see the schema XML + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +

    + +**Example**: + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/Status + + + + + + +``` + + + + + +## StatusConfiguration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/AssignedAccess/StatusConfiguration +``` + + + + +This node accepts a StatusConfiguration xml as input. + + + + +There are three possible values for StatusEnabled node inside StatusConfiguration xml: + +- On +- OnWithAlerts +- Off + +By default, the StatusConfiguration node doesn't exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node. Optionally, the MDM server can opt in to the MDM alert so that an MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node. This MDM alert header is defined as follows: + +- MDMAlertMark: `Critical` +- MDMAlertType: `com.microsoft.mdm.assignedaccess.status` +- MDMAlertDataType: `string` +- Source: `./Vendor/MSFT/AssignedAccess` +- Target: `N/A` + +> [!NOTE] +> MDM alert are only sent for errors. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +**StatusConfiguration XSD**: + +
    +
    + Expand this section to see the schema XML + +```xml + + + + + + + + + + + + + + + + + + + + +``` + +

    + +**Examples**: + +
    +
    + Add StatusConfiguration with StatusEnabled set to OnWithAlerts + + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + OnWithAlerts + + ]]> + + + + + + + ``` + +
    + +
    +
    + Delete StatusConfiguration + + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + + ``` + +
    + +
    +
    + Get StatusConfiguration + + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + + ``` + +
    + +
    +
    + Replace StatusEnabled value with On + + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + On + + ]]> + + + + + + + ``` + +
    + + + + + + ## AssignedAccessConfiguration XSD -The schema below is for AssignedAccess Configuration up to Windows 10 20H2 release. +
    +
    + Schema for AssignedAccessConfiguration. ```xml @@ -306,7 +1150,7 @@ The schema below is for AssignedAccess Configuration up to Windows 10 20H2 relea - + @@ -464,7 +1308,41 @@ The schema below is for AssignedAccess Configuration up to Windows 10 20H2 relea ); ``` -Here's the schema for new features introduced in Windows 10 1809 release: +
    + +
    +
    + Schema for features introduced in Windows 10, version 1909 which added support for Microsoft Edge kiosk mode and breakout key sequence customization. + +```xml + + + + + + + + + + + + + +``` + +
    + +
    +
    + Schema for new features introduced in Windows 10 1809 release. ```xml @@ -510,7 +1388,11 @@ Here's the schema for new features introduced in Windows 10 1809 release: ``` -Schema for Windows 10 prerelease +
    + +
    +
    + Schema for Windows 10 prerelease. ```xml @@ -541,48 +1423,31 @@ Schema for Windows 10 prerelease ``` -The schema below is for features introduced in Windows 10, version 1909 which has added support for Microsoft Edge kiosk mode and breakout key sequence customization. -```xml - - +
    - - +## AssignedAccessConfiguration examples - - - - - - - -``` - -To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that's added in the 1809 release, use the below sample. Notice an alias r1809 is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. - -```xml - [!NOTE] +> To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that was added in the 1809 release, use the below sample. Notice an alias `r1809` is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. > - - - - - -``` +> ```xml +> xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" +> xmlns:r1809="http://schemas.microsoft.com/AssignedAccess/201810/config" +> > +> +> +> +> +> +> ... +> +> ``` -## Example AssignedAccessConfiguration XML +
    +
    + Example XML configuration for a multi-app kiosk for Windows 10. -Example XML configuration for a multi-app kiosk: ```xml @@ -634,7 +1499,12 @@ Example XML configuration for a multi-app kiosk: ``` -Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode. +
    + +
    +
    + Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode. + ```xml ``` -Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk. +
    + +
    +
    + Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk. + > [!NOTE] > **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. + ```xml ``` -## Configuration examples +
    + +## Windows Holographic for Business edition example + +This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](/hololens/hololens-provisioning). + +
    +
    + Expand this section to see the example. + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + AzureAD\multiusertest@analogfre.onmicrosoft.com + + + + +``` + +
    + +## Handling XML in Configuration XML encoding (escaped) and CDATA of the XML in the Data node will both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle. -Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, you’ll have nested CDATA, so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA. +Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, you'll have nested CDATA, so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA. -Escape and CDATA are mechanisms used when handling xml in xml. Consider that it’s a transportation channel to send the configuration xml as payload from server to client. It’s transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML. +Escape and CDATA are mechanisms used when handling xml in xml. 
Consider that it's a transportation channel to send the configuration xml as payload from server to client. It's transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML. -This example shows escaped XML of the Data node. +
    +
    + This example shows escaped XML of the Data node. ```xml @@ -761,79 +1707,11 @@ This example shows escaped XML of the Data node. ``` -This example shows escaped XML of the Data node. +
    -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/Configuration - - - chr - - - <?xml version="1.0" encoding="utf-8" ?> -<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"> - <Profiles> - <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"> - <AllAppsList> - <AllowedApps> - <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - <App DesktopAppPath="%windir%\system32\mspaint.exe" /> - <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> - </AllowedApps> - </AllAppsList> - <StartLayout> - <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> - <LayoutOptions StartTileGroupCellWidth="6" /> - <DefaultLayoutOverride> - <StartLayoutCollection> - <defaultlayout:StartLayout GroupCellWidth="6"> - <start:Group Name="Group1"> - <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - </start:Group> - <start:Group Name="Group2"> - <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" 
DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" /> - <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" /> - </start:Group> - </defaultlayout:StartLayout> - </StartLayoutCollection> - </DefaultLayoutOverride> - </LayoutModificationTemplate> - ]]> - </StartLayout> - <Taskbar ShowTaskbar="true"/> - </Profile> - </Profiles> - <Configs> - <Config> - <Account>MultiAppKioskUser</Account> - <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> - </Config> - </Configs> -</AssignedAccessConfiguration> - - - - - - - -``` - -This example uses CData for the XML. +
    +
    + This example shows CData for the XML. ```xml @@ -905,696 +1783,11 @@ This example uses CData for the XML. ``` -Example of Get command that returns the configuration in the device. +
    + -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/Configuration - - - - - - -``` + -Example of the Delete command. +## Related articles -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/Configuration - - - - - - -``` - -## StatusConfiguration XSD - -```xml - - - - - - - - - - - - - - - - - - - - -``` - -## StatusConfiguration example - -StatusConfiguration Add OnWithAlerts - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - chr - - - - - OnWithAlerts - - ]]> - - - - - - -``` - -StatusConfiguration Delete - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - - - - -``` - -StatusConfiguration Get - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - - - - -``` - -StatusConfiguration Replace On - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - chr - - - - - On - - ]]> - - - - - - -``` - -## Status example - -Status Get - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/Status - - - - - - -``` - -## ShellLauncherConfiguration XSD - -Shell Launcher V2 uses a separate XSD and namespace for backward compatibility. The original V1 XSD has a reference to the V2 XSD. 
- -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -### Shell Launcher V2 XSD - -```xml - - - - - - - - - - - - - - - -``` - -## ShellLauncherConfiguration examples - -ShellLauncherConfiguration Add - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - -``` - -ShellLauncherConfiguration Add AutoLogon - -This function creates an autologon account on your behalf. It's a standard user with no password. The autologon account is managed by AssignedAccessCSP, so the account name isn't exposed. - -> [!Note] -> The autologon function is designed to be used after OOBE with provisioning packages. - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - -``` - -ShellLauncher V2 Add - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - -``` - -ShellLauncherConfiguration Get - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - - - - -``` - -## AssignedAccessAlert XSD - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Windows Holographic for Business edition example - -This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](/hololens/hololens-provisioning). 
- -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - - AzureAD\multiusertest@analogfre.onmicrosoft.com - - - - -``` - -## Related topics - -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index 4e49481095..f91d0c0381 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md 
@@ -1,198 +1,223 @@ --- -title: AssignedAccess DDF -description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider. -ms.reviewer: +title: AssignedAccess DDF file +description: View the XML file containing the device description framework (DDF) for the AssignedAccess configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/27/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 02/22/2018 +ms.topic: reference --- -# AssignedAccess DDF + -This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML. +# AssignedAccess DDF file -You can download the DDF files from the links below: - -- [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) -- [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) - -The XML below is for Windows 10, version 1803 and later. +The following XML file contains the device description framework (DDF) for the AssignedAccess configuration service provider. ```xml - -]> +]> - 1.2 + 1.2 + + + + AssignedAccess + ./Vendor/MSFT + + + + + Root node for the CSP + + + + + + + + + + + + + + 10.0.10240 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - AssignedAccess - ./Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/4.0/MDM/AssignedAccess - - - - KioskModeApp - - - - - - - - This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. 
+ KioskModeApp + + + + + + + + This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. -Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. +Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. -When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional, if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. +When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. - - - - - - - - - - - - - - text/plain - - - - - Configuration - - - - - - - - This node accepts an AssignedAccessConfiguration xml as input. Please check out samples and required xsd on MSDN. - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - This read only node contains kiosk health event in xml. - - - - - - - - - - - - - - text/plain - - - - - ShellLauncher - - - - - - - - This node accepts a ShellLauncherConfiguration xml as input. Please check out samples and required xsd on MSDN. - - - - - - - - - - - - - - text/plain - - - - - StatusConfiguration - - - - - - - - This node accepts a StatusConfiguration xml as input. Please check out samples and required xsd on MSDN. 
- - - - - - - - - - - - - - text/plain - - - + + + + + + + + + + + + + + + + + + + + + Configuration + + + + + + + + This node accepts an AssignedAccessConfiguration xml as input. Please check out samples and required xsd on MSDN. + + + + + + + + + + + + + + + + + 10.0.16299 + 1.1 + + + + + + + Status + + + + + This read only node contains kiosk health event xml + + + + + + + + + + + + + + + + + 10.0.17134 + 2.0 + + + + + ShellLauncher + + + + + + + + This node accepts a ShellLauncherConfiguration xml as input. Please check out samples and required xsd on MSDN. + + + + + + + + + + + + + + + + + 10.0.17134 + 2.0 + 0x4;0x1B;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0xAB;0xAC;0xAF;0xBC;0xBF + + + + + + + StatusConfiguration + + + + + + + + This node accepts a StatusConfiguration xml as input. Please check out samples and required xsd on MSDN. + + + + + + + + + + + + + + + + + 10.0.17134 + 2.0 + + + + + + ``` -## Related topics +## Related articles -[AssignedAccess configuration service provider](assignedaccess-csp.md) +[AssignedAccess configuration service provider reference](assignedaccess-csp.md) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 7974e3a245..b3bbbac0bc 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
@@ -1,89 +1,1083 @@ --- title: BitLocker CSP -description: Learn how the BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. +description: Learn more about the BitLocker CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 02/04/2022 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # BitLocker CSP +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro. > [!NOTE] -> Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes. > -> You must send all the settings together in a single SyncML to be effective. +> - Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes. +> - You must send all the settings together in a single SyncML to be effective. A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns the setting configured by the admin. 
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption doesn't verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength). + -The following example shows the BitLocker configuration service provider in tree format. + +The following list shows the BitLocker configuration service provider nodes: -```console -./Device/Vendor/MSFT -BitLocker -----RequireStorageCardEncryption -----RequireDeviceEncryption -----EncryptionMethodByDriveType -----IdentificationField -----SystemDrivesEnablePreBootPinExceptionOnDECapableDevice -----SystemDrivesEnhancedPIN -----SystemDrivesDisallowStandardUsersCanChangePIN -----SystemDrivesEnablePrebootInputProtectorsOnSlates -----SystemDrivesEncryptionType -----SystemDrivesRequireStartupAuthentication -----SystemDrivesMinimumPINLength -----SystemDrivesRecoveryMessage -----SystemDrivesRecoveryOptions -----FixedDrivesRecoveryOptions -----FixedDrivesRequireEncryption -----FixedDrivesEncryptionType -----RemovableDrivesRequireEncryption -----RemovableDrivesEncryptionType -----RemovableDrivesConfigureBDE -----AllowWarningForOtherDiskEncryption -----AllowStandardUserEncryption -----ConfigureRecoveryPasswordRotation -----RotateRecoveryPasswords -----Status ---------DeviceEncryptionStatus ---------RotateRecoveryPasswordsStatus ---------RotateRecoveryPasswordsRequestID +- ./Device/Vendor/MSFT/BitLocker + - [AllowStandardUserEncryption](#allowstandarduserencryption) + - [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) + - [ConfigureRecoveryPasswordRotation](#configurerecoverypasswordrotation) + - [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) + - 
[FixedDrivesEncryptionType](#fixeddrivesencryptiontype) + - [FixedDrivesRecoveryOptions](#fixeddrivesrecoveryoptions) + - [FixedDrivesRequireEncryption](#fixeddrivesrequireencryption) + - [IdentificationField](#identificationfield) + - [RemovableDrivesConfigureBDE](#removabledrivesconfigurebde) + - [RemovableDrivesEncryptionType](#removabledrivesencryptiontype) + - [RemovableDrivesExcludedFromEncryption](#removabledrivesexcludedfromencryption) + - [RemovableDrivesRequireEncryption](#removabledrivesrequireencryption) + - [RequireDeviceEncryption](#requiredeviceencryption) + - [RequireStorageCardEncryption](#requirestoragecardencryption) + - [RotateRecoveryPasswords](#rotaterecoverypasswords) + - [Status](#status) + - [DeviceEncryptionStatus](#statusdeviceencryptionstatus) + - [RemovableDrivesEncryptionStatus](#statusremovabledrivesencryptionstatus) + - [RotateRecoveryPasswordsRequestID](#statusrotaterecoverypasswordsrequestid) + - [RotateRecoveryPasswordsStatus](#statusrotaterecoverypasswordsstatus) + - [SystemDrivesDisallowStandardUsersCanChangePIN](#systemdrivesdisallowstandarduserscanchangepin) + - [SystemDrivesEnablePrebootInputProtectorsOnSlates](#systemdrivesenableprebootinputprotectorsonslates) + - [SystemDrivesEnablePreBootPinExceptionOnDECapableDevice](#systemdrivesenableprebootpinexceptionondecapabledevice) + - [SystemDrivesEncryptionType](#systemdrivesencryptiontype) + - [SystemDrivesEnhancedPIN](#systemdrivesenhancedpin) + - [SystemDrivesMinimumPINLength](#systemdrivesminimumpinlength) + - [SystemDrivesRecoveryMessage](#systemdrivesrecoverymessage) + - [SystemDrivesRecoveryOptions](#systemdrivesrecoveryoptions) + - [SystemDrivesRequireStartupAuthentication](#systemdrivesrequirestartupauthentication) + + + +## AllowStandardUserEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption +``` + + + + +Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user. +"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, Silent encryption is enforced. +If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user +is the current logged on user in the system. + +The expected values for this policy are: + +1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. +0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy +will not try to enable encryption on any drive. + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | +| Dependency [AllowWarningForOtherDiskEncryptionDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Bitlocker/AllowWarningForOtherDiskEncryption`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive. | +| 1 | "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + 111 + + + ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption + + + int + + 0 + + +``` + + + + + +## AllowWarningForOtherDiskEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption +``` + + + + +Allows Admin to disable all UI (notification for encryption and warning prompt for other disk encryption) +and turn on encryption on the user machines silently. + +> [!WARNING] +> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will +require reinstallation of Windows. + +> [!NOTE] +> This policy takes effect only if "RequireDeviceEncryption" policy is set to 1. + +The expected values for this policy are + +1 = This is the default, when the policy is not set. **Warning** prompt and encryption notification is allowed. +0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, +the value 0 only takes affect on Azure Active Directory joined devices. +Windows will attempt to silently enable BitLocker for value 0. + + + + + + +> [!NOTE] +> When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key. +> +> The endpoint for a fixed data drive's backup is chosen in the following order: +> +> 1. The user's Windows Server Active Directory Domain Services account. +> 2. The user's Azure Active Directory account. +> 3. The user's personal OneDrive (MDM/MAM only). +> +> Encryption will wait until one of these three locations backs up successfully. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disables the warning prompt. 
Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. | +| 1 (Default) | Warning prompt allowed. | + + + + +**Example**: + +```xml + + 110 + + + ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption + + + int + 0 + + +``` + + + + + +## ConfigureRecoveryPasswordRotation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation +``` + + + + +Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices. +When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when +Active Directory back up for recovery password is configured to required. +For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives" +For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives" + +Supported Values: 0 - Numeric Recovery Passwords rotation OFF. +1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value +2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Refresh off (default). | +| 1 | Refresh on for Azure AD-joined devices. | +| 2 | Refresh on for both Azure AD-joined and hybrid-joined devices. | + + + + + + + + + +## EncryptionMethodByDriveType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType +``` + + + + +This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. + +- If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511). + +- If you disable or do not configure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)" and "Choose drive encryption method and cipher strength" policy settings (in that order), if they are set. If none of the policies are set, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by the setup script." + + + + +> [!NOTE] +> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encryption method for the OS and removable drives, you will get a 500 return status. + +Data ID elements: + +- EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives. +- EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. 
+- EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. + +Sample value for this node to enable this policy and set the encryption methods is: + +```xml + + + + ``` + The possible values for 'xx' are: + +- 3 = AES-CBC 128 +- 4 = AES-CBC 256 +- 6 = XTS-AES 128 +- 7 = XTS-AES 256 + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> Some of the policies here are ADMX-backed policies. For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](../enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -**./Device/Vendor/MSFT/BitLocker** -Defines the root node for the BitLocker configuration service provider. - +**ADMX mapping**: -**RequireDeviceEncryption** - -Allows the administrator to require encryption that needs to be turned on by using BitLocker\Device Encryption. - - +| Name | Value | +|:--|:--| +| Name | EncryptionMethodWithXts_Name | +| Friendly Name | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| ADMX File Name | VolumeEncryption.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +**Example**: - -Data type is integer. Sample value for this node to enable this policy: 1. -Supported operations are Add, Get, Replace, and Delete. 
+To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType + + + chr + + + + +``` + + + + + +## FixedDrivesEncryptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/FixedDrivesEncryptionType +``` + + + + +This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + +- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. + +- If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker. + + + + +Sample value for this node to enable this policy is: + +```xml + +``` + +Possible values: + +- 0: Allow user to choose. +- 1: Full encryption. +- 2: Used space only encryption. + +> [!NOTE] +> This policy is ignored when you're shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that's using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. +> +> For more information about the tool to manage BitLocker, see [manage-bde](/windows-server/administration/windows-commands/manage-bde). 
+ + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FDVEncryptionType_Name | +| Friendly Name | Enforce drive encryption type on fixed data drives | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Fixed Data Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | FDVEncryptionType | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## FixedDrivesRecoveryOptions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions +``` + + + + +This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. + +The "Allow data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. + +In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. + +Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. + +In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS. 
+ +Select the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. + +> [!NOTE] +> If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box is selected, a recovery password is automatically generated. + +- If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. + +- If this policy setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. + + + + +Data ID elements: + +- FDVAllowDRA_Name: Allow data recovery agent +- FDVRecoveryPasswordUsageDropDown_Name and FDVRecoveryKeyUsageDropDown_Name: Configure user storage of BitLocker recovery information +- FDVHideRecoveryPage_Name: Omit recovery options from the BitLocker setup wizard +- FDVActiveDirectoryBackup_Name: Save BitLocker recovery information to Active Directory Domain Services +- FDVActiveDirectoryBackupDropDown_Name: Configure storage of BitLocker recovery information to AD DS +- FDVRequireActiveDirectoryBackup_Name: Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives + +Sample value for this node to enable this policy is: + +```xml + + + + + + + + +``` + +The possible values for 'xx' are: + +- true = Explicitly allow +- false = Policy not set + +The possible values for 'yy' are: + +- 0 = Disallowed +- 1 = Required +- 2 = Allowed + +The possible values for 'zz' are: + +- 1 = Store recovery passwords and key packages +- 2 = Store recovery passwords only + + + +**Description framework 
properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FDVRecoveryUsage_Name | +| Friendly Name | Choose how BitLocker-protected fixed drives can be recovered | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Fixed Data Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | FDVRecovery | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions + + + chr + + + + +``` + + + + + +## FixedDrivesRequireEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption +``` + + + + +This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. + +- If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. + +- If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access. + + + + +Sample value for this node to enable this policy is: `` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FDVDenyWriteAccess_Name | +| Friendly Name | Deny write access to fixed drives not protected by BitLocker | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Fixed Data Drives | +| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\FVE | +| Registry Value Name | FDVDenyWriteAccess | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use hte following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption + + + chr + + + + +``` + + + + + +## IdentificationField + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/IdentificationField +``` + + + + +This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the [manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field. + +The allowed identification field is used in combination with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations. + +You can configure the identification fields on existing drives by using [manage-bde](/windows-server/administration/windows-commands/manage-bde).exe. + +- If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization. 
+ +When a BitLocker-protected drive is mounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether the drive is from an outside organization. + +- If you disable or do not configure this policy setting, the identification field is not required. + +> [!NOTE] +> Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer. + + + + +Data ID elements: + +- IdentificationField: This is a BitLocker identification field. +- SecIdentificationField: This is an allowed BitLocker identification field. + +Sample value for this node to enable this policy is: + +```xml + + + +``` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IdentificationField_Name | +| Friendly Name | Provide the unique identifiers for your organization | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| Registry Value Name | IdentificationField | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## RemovableDrivesConfigureBDE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RemovableDrivesConfigureBDE +``` + + + + +This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker. + +When this policy setting is enabled you can select property settings that control how users can configure BitLocker. Choose "Allow users to apply BitLocker protection on removable data drives" to permit the user to run the BitLocker setup wizard on a removable data drive. Choose "Allow users to suspend and decrypt BitLocker on removable data drives" to permit the user to remove BitLocker Drive encryption from the drive or suspend the encryption while maintenance is performed. For information about suspending BitLocker protection, see [BitLocker Basic Deployment](/windows/security/information-protection/bitlocker/bitlocker-basic-deployment). + +- If you do not configure this policy setting, users can use BitLocker on removable disk drives. + +- If you disable this policy setting, users cannot use BitLocker on removable disk drives. + + + + +Data ID elements: + +- RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives. +- RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives. + +Sample value for this node to enable this policy is: + +```xml + + + +``` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RDVConfigureBDE | +| Friendly Name | Control use of BitLocker on removable drives | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Removable Data Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| Registry Value Name | RDVConfigureBDE | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## RemovableDrivesEncryptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RemovableDrivesEncryptionType +``` + + + + +This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + +- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. + +- If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker. + + + + +Sample value for this node to enable this policy is: + +```xml + +``` + +Possible values: + +- 0: Allow user to choose. +- 1: Full encryption. +- 2: Used space only encryption. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dependency [BDEAllowed] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Bitlocker/RemovableDrivesConfigureBDE`
    Dependency Allowed Value Type: `ADMX`
    | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RDVEncryptionType_Name | +| Friendly Name | Enforce drive encryption type on removable data drives | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Removable Data Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | RDVEncryptionType | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## RemovableDrivesExcludedFromEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RemovableDrivesExcludedFromEncryption +``` + + + + +When enabled, allows you to exclude removable drives and devices connected over USB interface from [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption). Excluded devices cannot be encrypted, even manually. Additionally, if "Deny write access to removable drives not protected by BitLocker" is configured, user will not be prompted for encryption and drive will be mounted in read/write mode. Provide a comma separated list of excluded removable drives\devices, using the Hardware ID of the disk device. Example USBSTOR\SEAGATE_ST39102LW_______0004. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + + + + + + + +## RemovableDrivesRequireEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption +``` + + + + +This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. + +- If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. + +If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. + +- If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. + +> [!NOTE] +> This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled this policy setting will be ignored. + + + + +Data ID elements: + +- RDVCrossOrg: Deny write access to devices configured in another organization + +Sample value for this node to enable this policy is: + +```xml + +``` + +The possible values for 'xx' are: + +- true = Explicitly allow +- false = Policy not set + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RDVDenyWriteAccess_Name | +| Friendly Name | Deny write access to removable drives not protected by BitLocker | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Removable Data Drives | +| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\FVE | +| Registry Value Name | RDVDenyWriteAccess | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption + + + chr + + + + +``` + + + + + +## RequireDeviceEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption +``` + + + + +Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption. + +Sample value for this node to enable this policy: +1 + +Disabling the policy will not turn off the encryption on the system drive. But will stop prompting the user to turn it on. + + + + + +> [!NOTE] +> Currently only full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` configured on the device. The status of OS volumes and encryptable fixed data volumes is checked with a Get operation. Typically, BitLocker/Device Encryption will follow whichever value [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) policy is set to. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives. 
@@ -95,13 +1089,32 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix - It must not be a system partition. - It must not be backed by virtual storage. - It must not have a reference in the BCD store. - -The following list shows the supported values: + -- 0 (default): Disable. If the policy setting isn't set or is set to 0, the device's enforcement status isn't checked. The policy doesn't enforce encryption and it doesn't decrypt encrypted volumes. -- 1: Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy). - -If you want to disable this policy, use the following SyncML: + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes. | +| 1 | Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on AllowWarningForOtherDiskEncryption policy). | + + + + +**Example**: + +To disable RequireDeviceEncryption: ```xml 
@@ -121,1283 +1134,201 @@ If you want to disable this policy, use the following SyncML: ``` + + + + + +## RequireStorageCardEncryption > [!NOTE] -> Currently only full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` configured on the device. +> This policy is deprecated and may be removed in a future release. - - -**EncryptionMethodByDriveType** - -Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the BitLocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)* -- GP name: *EncryptionMethodWithXts_Name* -- GP path: *Windows Components/BitLocker Drive Encryption* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. - -If you enable this setting, you'll be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that aren't running Windows 10, version 1511. - -If you disable or don't configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script. - - Sample value for this node to enable this policy and set the encryption methods is: - -```xml - + +```Device +./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption ``` + -- EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives. -- EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. -- EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. 
- - The possible values for 'xx' are: + + +Allows the Admin to require storage card encryption on the device. -- 3 = AES-CBC 128 -- 4 = AES-CBC 256 -- 6 = XTS-AES 128 -- 7 = XTS-AES 256 - -> [!NOTE] -> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status. +This policy is only valid for mobile SKU. +Sample value for this node to enable this policy: +1 - If you want to disable this policy, use the following SyncML: +Disabling the policy will not turn off the encryption on the storage card. But will stop prompting the user to turn it on. -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType - - - chr - - - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Storage cards do not need to be encrypted. | +| 1 | Require storage cards to be encrypted. | + + + + + + + + + +## RotateRecoveryPasswords + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RotateRecoveryPasswords ``` + -Data type is string. + + +Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device. +This policy is Execute type and rotates all numeric passwords when issued from MDM tools. -Supported operations are Add, Get, Replace, and Delete. - - -**IdentificationField** - -Allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. - - +The policy only comes into effect when Active Directory backup for a recovery password is configured to "required." +- For OS drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for operating system drives." +- For fixed drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for fixed data drives." -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Client returns status DM_S_ACCEPTED_FOR_PROCESSING to indicate the rotation has started. Server can query status with the following status nodes: - - -ADMX Info: +- status\RotateRecoveryPasswordsStatus +- status\RotateRecoveryPasswordsRequestID -- GP Friendly name: *Provide the unique identifiers for your organization* -- GP name: *IdentificationField_Name* -- GP path: *Windows Components/BitLocker Drive Encryption* -- GP ADMX file name: *VolumeEncryption.admx* +Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\ - - -This setting is used to establish an identifier that is applied to all encrypted drives in your organization. 
- -Identifiers are stored as the identification field and the allowed identification field. You can configure the following identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde): - -- **BitLocker identification field**: It allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the Manage-bde command-line tool. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field. - -- **Allowed BitLocker identification field**: The allowed identification field is used in combination with the 'Deny write access to removable drives not protected by BitLocker' policy setting to help control the use of removable drives in your organization. It's a comma-separated list of identification fields from your organization or external organizations. - ->[!Note] ->When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization. 
- -If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization. - -Sample value for this node to enable this policy is: - -```xml - -``` - -Data ID: - -- IdentificationField: This is a BitLocker identification field. -- SecIdentificationField: This is an allowed BitLocker identification field. - -If you disable or don't configure this setting, the identification field isn't required. - ->[!Note] ->Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to 260 characters. - - - - -**SystemDrivesEnablePreBootPinExceptionOnDECapableDevice** - -Allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN* -- GP name: *EnablePreBootPinExceptionOnDECapableDevice_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This setting overrides the "Require startup PIN with TPM" option of the "Require additional authentication at startup" policy on compliant hardware. - -If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication. 
- -Sample value for this node to enable this policy is: - -```xml - -``` - -If this policy is disabled, the options of "Require additional authentication at startup" policy apply. - - - -**SystemDrivesEnhancedPIN** - -Allows users to configure whether or not enhanced startup PINs are used with BitLocker. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Allow enhanced PINs for startup* -- GP name: *EnhancedPIN_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. Enhanced startup PINs permit the usage of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. - ->[!Note] ->Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. - -If you enable this policy setting, all new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs aren't affected. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If you disable or don't configure this policy setting, enhanced PINs won't be used. - - - -**SystemDrivesDisallowStandardUsersCanChangePIN** - -Allows you to configure whether standard users are allowed to change BitLocker PIN or password that is used to protect the operating system drive. 
- - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Disallow standard users from changing the PIN or password* -- GP name: *DisallowStandardUsersCanChangePIN_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This policy setting allows you to configure whether or not standard users are allowed to change the PIN or password, that is used to protect the operating system drive. - ->[!Note] ->To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker. - -If you enable this policy setting, standard users won't be allowed to change BitLocker PINs or passwords. - -If you disable or don't configure this policy setting, standard users will be permitted to change BitLocker PINs or passwords. - -Sample value for this node to disable this policy is: - -```xml - -``` - - - -**SystemDrivesEnablePrebootInputProtectorsOnSlates** - -Allows users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Enable use of BitLocker authentication requiring preboot keyboard input on slates* -- GP name: *EnablePrebootInputProtectorsOnSlates_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -The Windows touch keyboard (such as used by tablets) isn't available in the preboot environment where BitLocker requires additional information, such as a PIN or password. 
- -It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If this policy is disabled, the Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password. - -When the Windows Recovery Environment isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard. - ->[!Note] ->If you don't enable this policy setting, the following options in the **Require additional authentication at startup policy** might not be available: -> ->- Configure TPM startup PIN: Required and Allowed ->- Configure TPM startup key and PIN: Required and Allowed ->- Configure use of passwords for operating system drives - - - - -**SystemDrivesEncryptionType** - -Allows you to configure the encryption type that is used by BitLocker. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Enforce drive encryption type on operating system drives* -- GP name: *OSEncryptionType_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This policy setting is applied when you turn on BitLocker. Changing the encryption type will have no effect if the drive is already encrypted or if encryption is in progress. - -Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. 
- -If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. - ->[!Note] ->This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. ->For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. - -For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). - - - -**SystemDrivesRequireStartupAuthentication** - -This setting is a direct mapping to the BitLocker Group Policy "Require additional authentication at startup". - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Require additional authentication at startup* -- GP name: *ConfigureAdvancedStartup_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows you to configure whether BitLocker requires more authentication each time the computer starts and whether you're using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker. - -> [!NOTE] -> Only one of the additional authentication options is required at startup, otherwise an error occurs. 
- -If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted, the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, or if you have forgotten the password, then you'll need to use one of the BitLocker recovery options to access the drive. - -On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. - -> [!NOTE] -> In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits. - -If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. - -If you disable or don't configure this setting, users can configure only basic options on computers with a TPM. - -> [!NOTE] -> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. - -> [!NOTE] -> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern Standby devices won't be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. 
- -Sample value for this node to enable this policy is: - -```xml - -``` - -Data ID: - -- ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive). -- ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key. -- ConfigurePINUsageDropDown_Name = (for computer with TPM) Configure TPM startup PIN. -- ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN. -- ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup. - - -The possible values for 'xx' are: - -- true = Explicitly allow -- false = Policy not set - -The possible values for 'yy' are: - -- 2 = Optional -- 1 = Required -- 0 = Disallowed - - -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication - - - chr - - - - -``` - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - - -**SystemDrivesMinimumPINLength** - -This setting is a direct mapping to the BitLocker Group Policy "Configure minimum PIN length for startup". - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Configure minimum PIN length for startup* -- GP name: *MinimumPINLength_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of six digits and can have a maximum length of 20 digits. 
- -> [!NOTE] -> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits. -> ->In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This doesn't apply to TPM 1.2. - -If you enable this setting, you will require a minimum number of digits to set the startup PIN. - -If you disable or don't configure this setting, users can configure a startup PIN of any length between 6 and 20 digits. - -Sample value for this node to enable this policy is: - -```xml - -``` - -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength - - - chr - - - - -``` - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - - -**SystemDrivesRecoveryMessage** - -This setting is a direct mapping to the BitLocker Group Policy "Configure pre-boot recovery message and URL" -(PrebootRecoveryInfo_Name). - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Configure pre-boot recovery message and URL* -- GP name: *PrebootRecoveryInfo_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting lets you configure the entire recovery message or replace the existing URL that is displayed on the pre-boot key recovery screen when the OS drive is locked. - -If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. 
If you've previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). - -If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. - -If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. - -Sample value for this node to enable this policy is: - -```xml - -``` - -The possible values for 'xx' are: - -- 0 = Empty -- 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input"). -- 2 = Custom recovery message is set. -- 3 = Custom recovery URL is set. -- 'yy' = string of max length 900. -- 'zz' = string of max length 500. - -> [!NOTE] -> When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status. - -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage - - - chr - - - - -``` - -> [!NOTE] -> Not all characters and languages are supported in pre-boot. It's strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. 
- - -**SystemDrivesRecoveryOptions** - -This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name). - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Choose how BitLocker-protected operating system drives can be recovered* -- GP name: *OSRecoveryUsage_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of required startup key information. This setting is applied when you turn on BitLocker. - -The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan). - -In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. - -Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. 
This setting means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. - -Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS. - -Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. - -> [!NOTE] -> If the "OSRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. - -If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. - -If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS. 
- -Sample value for this node to enable this policy is: - -```xml - -``` - -The possible values for 'xx' are: - -- true = Explicitly allow -- false = Policy not set - -The possible values for 'yy' are: - -- 2 = Allowed -- 1 = Required -- 0 = Disallowed - -The possible values for 'zz' are: - -- 2 = Store recovery passwords only. -- 1 = Store recovery passwords and key packages. - -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions - - - chr - - - - -``` - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - -**FixedDrivesRecoveryOptions** - -This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (). - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Choose how BitLocker-protected fixed drives can be recovered* -- GP name: *FDVRecoveryUsage_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Fixed Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker. - -The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. 
For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan). - -In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. - -Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This setting means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. - -Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD. - -Set the "FDVRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. - -Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS. 
- -> [!NOTE] -> If the "FDVRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated. - -If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. - -If this setting isn't configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS. - -Sample value for this node to enable this policy is: - -```xml - -``` - -The possible values for 'xx' are: - -- true = Explicitly allow -- false = Policy not set - -The possible values for 'yy' are: - -- 2 = Allowed -- 1 = Required -- 0 = Disallowed - -The possible values for 'zz' are: - -- 2 = Store recovery passwords only -- 1 = Store recovery passwords and key packages - - -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions - - - chr - - - - -``` - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - -**FixedDrivesRequireEncryption** - -This setting is a direct mapping to the BitLocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name). 
- - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Deny write access to fixed drives not protected by BitLocker* -- GP name: *FDVDenyWriteAccess_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Fixed Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. - -If you enable this setting, all fixed data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If you disable or don't configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption - - - chr - - - - -``` - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - -**FixedDrivesEncryptionType** - -Allows you to configure the encryption type on fixed data drives that is used by BitLocker. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Enforce drive encryption type on fixed data drives* -- GP name: *FDVEncryptionType_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Fixed Data Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This policy setting is applied when you turn on BitLocker and controls whether fixed data drives utilize Used Space Only encryption or Full encryption. 
Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection is displayed to the user. - -Changing the encryption type will have no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require only a portion of the drive that is used to store data is encrypted when BitLocker is turned on. - -If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives, and the encryption type option isn't presented in the BitLocker Setup Wizard. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. - ->[!Note] ->This policy is ignored when you're shrinking or expanding a volume and the BitLocker driver uses the current encryption method. ->For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that's using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. - -For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). - - - -**RemovableDrivesRequireEncryption** - -This setting is a direct mapping to the BitLocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name). 
- - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Deny write access to removable drives not protected by BitLocker* -- GP name: *RDVDenyWriteAccess_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Removeable Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. - -If you enable this setting, all removable data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. - -If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. - -If you disable or don't configure this policy setting, all removable data drives on the computer will be mounted with read and write access. - -> [!NOTE] -> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. - -Sample value for this node to enable this policy is: - -```xml - -``` - -The possible values for 'xx' are: - -- true = Explicitly allow -- false = Policy not set - - -Disabling the policy will let the system choose the default behaviors. 
If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption - - - chr - - - - -``` - - -**RemovableDrivesEncryptionType** - -Allows you to configure the encryption type that is used by BitLocker. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Enforce drive encryption type on removable data drives* -- GP name: *RDVEncryptionType_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Removable Data Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This policy controls whether removed data drives utilize Full encryption or Used Space Only encryption, and is applied when you turn on BitLocker. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. - -Changing the encryption type will no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. - -If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If this policy is disabled or not configured, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. - - - -**RemovableDrivesConfigureBDE** - -Allows you to control the use of BitLocker on removable data drives. 
- - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Control use of BitLocker on removable drives* -- GP name: *RDVConfigureBDE_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Removable Data Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - -This policy setting is used to prevent users from turning BitLocker on or off on removable data drives, and is applied when you turn on BitLocker. - -For information about suspending BitLocker protection, see [BitLocker Basic Deployment](/windows/security/information-protection/bitlocker/bitlocker-basic-deployment) . - -The options for choosing property settings that control how users can configure BitLocker are: - -- **Allow users to apply BitLocker protection on removable data drives**: Enables the user to enable BitLocker on removable data drives. -- **Allow users to suspend and decrypt BitLocker on removable data drives**: Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance. - -If you enable this policy setting, you can select property settings that control how users can configure BitLocker. - -Sample value for this node to enable this policy is: - -```xml - -``` -Data ID: - -- RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives -- RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives - -If this policy is disabled, users can't use BitLocker on removable disk drives. - -If you don't configure this policy setting, users can use BitLocker on removable disk drives. - - - -**AllowWarningForOtherDiskEncryption** - -Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is set to 1. 
- -> [!IMPORTANT] -> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory-joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](/windows/device-security/bitlocker/bitlocker-overview). - -> [!Warning] -> When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -The following list shows the supported values: - -- 0 – Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory-joined devices. Windows will attempt to silently enable BitLocker for value 0. -- 1 (default) – Warning prompt allowed. - -```xml - - 110 - - - ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption - - - int - 0 - - -``` - -> [!NOTE] ->When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key. -> ->The endpoint for a fixed data drive's backup is chosen in the following order: -> - >1. The user's Windows Server Active Directory Domain Services account. - >2. The user's Azure Active Directory account. - >3. The user's personal OneDrive (MDM/MAM only). -> ->Encryption will wait until one of these three locations backs up successfully. - - -**AllowStandardUserEncryption** - -Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user of Azure AD account. - - -> [!NOTE] -> This policy is only supported in Azure AD accounts. 
- -"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced. - -If "AllowWarningForOtherDiskEncryption" isn't set, or is set to "1", "RequireDeviceEncryption" policy won't try to encrypt drive(s) if a standard user is the current logged on user in the system. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -The expected values for this policy are: - -- 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. -- 0 = This value is the default value, when the policy isn't set. If the current logged on user is a standard user, "RequireDeviceEncryption" policy won't try to enable encryption on any drive. - -If you want to disable this policy, use the following SyncML: - -```xml - - 111 - - - ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption - - - int - - 0 - - -``` - - - - -**ConfigureRecoveryPasswordRotation** - - -This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and recovery password unlock on a Fixed data drive. This setting will refresh the specific recovery password that was used, and other unused passwords on the volume will remain unchanged. If the initialization of the refresh fails, the device will retry the refresh during the next reboot. When password refresh is initiated, the client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed. This setting refreshes only the used key and retains other unused keys. 
- - - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -Value type is int. - -Supported operations are Add, Delete, Get, and Replace. - - - -Supported values are: - -- 0 – Refresh off (default). -- 1 – Refresh on for Azure AD-joined devices. -- 2 – Refresh on for both Azure AD-joined and hybrid-joined devices. - - - - - - -**RotateRecoveryPasswords** - - - -This setting refreshes all recovery passwords for OS and fixed drives (removable drives aren't included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. If errors occur, an error code will be returned so that server can take appropriate action to remediate. - - -The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. - -Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client won't retry, but if needed, the server can reissue the execute request. - -Server can call Get on the RotateRecoveryPasswordsRotationStatus node to query the status of the refresh. - -Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices can't refresh recovery passwords if they're only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account. - -Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request. 
-- RotateRecoveryPasswordsRequestID: Returns request ID of last request processed. -- RotateRecoveryPasswordsRotationStatus: Returns status of last request processed. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -Value type is string. - -Supported operation is Execute. Request ID is expected as a parameter. + + + > [!NOTE] > Key rotation is supported only on these enrollment types. For more information, see [deviceEnrollmentType enum](/graph/api/resources/intune-devices-deviceenrollmenttype). -> - windowsAzureADJoin. -> - windowsBulkAzureDomainJoin. -> - windowsAzureADJoinUsingDeviceAuth. -> - windowsCoManagement. +> +> - windowsAzureADJoin. +> - windowsBulkAzureDomainJoin. +> - windowsAzureADJoinUsingDeviceAuth. +> - windowsCoManagement. > [!TIP] > Key rotation feature will only work when: > > - For Operating system drives: -> - OSRequireActiveDirectoryBackup_Name is set to 1 ("Required"). -> - OSActiveDirectoryBackup_Name is set to true. +> - OSRequireActiveDirectoryBackup_Name is set to 1 ("Required"). +> - OSActiveDirectoryBackup_Name is set to true. +> > - For Fixed data drives: -> - FDVRequireActiveDirectoryBackup_Name is set to 1 = ("Required"). -> - FDVActiveDirectoryBackup_Name is set to true. +> - FDVRequireActiveDirectoryBackup_Name is set to 1 = ("Required"). +> - FDVActiveDirectoryBackup_Name is set to true. + -**Status** -Interior node. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + - + + + - -**Status/DeviceEncryptionStatus** - + + + +## Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/BitLocker/Status
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Status/DeviceEncryptionStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/Status/DeviceEncryptionStatus +``` + + + + This node reports compliance state of device encryption on the system. - - +Value '0' means the device is compliant. Any other value represents a non-compliant device. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - - -Value type is int. - -Supported operation is Get. - -Supported values: - -- 0 - Indicates that the device is compliant. -- Any non-zero value - Indicates that the device isn't compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table: + + +This value represents a bitmask with each bit and the corresponding error code described in the following table: | Bit | Error Code | |-----|------------| @@ -1418,70 +1349,931 @@ Supported values: | 14 |The TPM isn't ready for BitLocker.| | 15 |The network isn't available, which is required for recovery key backup. | | 16-31 |For future use.| + - + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + - + + + -**Status/RotateRecoveryPasswordsStatus** - + -This node reports the status of RotateRecoveryPasswords request. - + +### Status/RemovableDrivesEncryptionStatus -Status code can be one of the following values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-- 2 – Not started
-- 1 - Pending
-- 0 - Pass
-- Any other code - Failure HRESULT
-
+
+```Device
+./Device/Vendor/MSFT/BitLocker/Status/RemovableDrivesEncryptionStatus
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+This node reports compliance state of removal drive encryption. "0" Value means the removal drive is encrypted following all set removal drive settings.
+
-
+
+
+
-Value type is int.
+
+**Description framework properties**:
-Supported operation is Get.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
-
+
+
+
-
+
-**Status/RotateRecoveryPasswordsRequestID**
+
+### Status/RotateRecoveryPasswordsRequestID
-
-This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
-This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID.
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+```Device
+./Device/Vendor/MSFT/BitLocker/Status/RotateRecoveryPasswordsRequestID
+```
+
-
+
+
+This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
+This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus
+To ensure the status is correctly matched to the request ID.
+
-Value type is string.
+
+
+
-Supported operation is Get.
+
+**Description framework properties**:
-### SyncML example
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Status/RotateRecoveryPasswordsStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/BitLocker/Status/RotateRecoveryPasswordsStatus
+```
+
+
+
+
+This Node reports the status of RotateRecoveryPasswords request.
+Status code can be one of the following:
+NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## SystemDrivesDisallowStandardUsersCanChangePIN
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/BitLocker/SystemDrivesDisallowStandardUsersCanChangePIN
+```
+
+
+
+
+This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first.
+
+This policy setting is applied when you turn on BitLocker.
+
+- If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords.
+
+- If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords.
+
+
+
+
+> [!NOTE]
+> To change the PIN or password, the user must be able to provide the current PIN or password.
+
+Sample value for this node to disable this policy is: ``
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisallowStandardUsersCanChangePIN_Name |
+| Friendly Name | Disallow standard users from changing the PIN or password |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives |
+| Registry Key Name | Software\Policies\Microsoft\FVE |
+| Registry Value Name | DisallowStandardUserPINReset |
+| ADMX File Name | VolumeEncryption.admx |
+
+
+
+
+
+
+
+
+
+## SystemDrivesEnablePrebootInputProtectorsOnSlates
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/BitLocker/SystemDrivesEnablePrebootInputProtectorsOnSlates
+```
+
+
+
+
+This policy setting allows users to turn on authentication options that require user input from the pre-boot environment, even if the platform lacks pre-boot input capability.
+
+The Windows touch keyboard (such as that used by tablets) isn't available in the pre-boot environment where BitLocker requires additional information such as a PIN or Password.
+
+- If you enable this policy setting, devices must have an alternative means of pre-boot input (such as an attached USB keyboard).
+
+- If this policy is not enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard.
+
+**Note** that if you do not enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include
+- Configure TPM startup PIN Required/Allowed
+- Configure TPM startup key and PIN Required/Allowed
+- Configure use of passwords for operating system drives.
+
+
+
+
+Sample value for this node to enable this policy is: ``
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnablePrebootInputProtectorsOnSlates_Name |
+| Friendly Name | Enable use of BitLocker authentication requiring preboot keyboard input on slates |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives |
+| Registry Key Name | Software\Policies\Microsoft\FVE |
+| Registry Value Name | OSEnablePrebootInputProtectorsOnSlates |
+| ADMX File Name | VolumeEncryption.admx |
+
+
+
+
+
+
+
+
+
+## SystemDrivesEnablePreBootPinExceptionOnDECapableDevice
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/BitLocker/SystemDrivesEnablePreBootPinExceptionOnDECapableDevice
+```
+
+
+
+
+This policy setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" and "Require startup key and PIN with TPM" options of the "Require additional authentication at startup" policy on compliant hardware.
+
+- If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication.
+
+- If this policy is not enabled, the options of "Require additional authentication at startup" policy apply.
+
+
+
+
+Sample value for this node to enable this policy is: ``
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnablePreBootPinExceptionOnDECapableDevice_Name |
+| Friendly Name | Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives |
+| Registry Key Name | Software\Policies\Microsoft\FVE |
+| Registry Value Name | OSEnablePreBootPinExceptionOnDECapableDevice |
+| ADMX File Name | VolumeEncryption.admx |
+
+
+
+
+
+
+
+
+
+## SystemDrivesEncryptionType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesEncryptionType +``` + + + + +This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + +- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. + +- If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker. + + + + +Sample value for this node to enable this policy is: + +```xml + +``` + +Possible values: + +- 0: Allow user to choose. +- 1: Full encryption. +- 2: Used space only encryption. + +>[!NOTE] +> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. +> For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. +> +> For more information about the tool to manage BitLocker, see [manage-bde](/windows-server/administration/windows-commands/manage-bde). 
+ + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | OSEncryptionType_Name | +| Friendly Name | Enforce drive encryption type on operating system drives | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | OSEncryptionType | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## SystemDrivesEnhancedPIN + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesEnhancedPIN +``` + + + + +This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. + +Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker. + +- If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs. + +> [!NOTE] +> Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup. + +- If you disable or do not configure this policy setting, enhanced PINs will not be used. + + + + +Sample value for this node to enable this policy is: `` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnhancedPIN_Name | +| Friendly Name | Allow enhanced PINs for startup | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| Registry Value Name | UseEnhancedPin | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## SystemDrivesMinimumPINLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength +``` + + + + +This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. + +- If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. + +- If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits. + +> [!NOTE] +> If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. + + + + +> [!NOTE] +> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits. + +Sample value for this node to enable this policy is: + +```xml + +``` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MinimumPINLength_Name | +| Friendly Name | Configure minimum PIN length for startup | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength + + + chr + + + + +``` + + + + + +## SystemDrivesRecoveryMessage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage +``` + + + + +This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. + +If you select the "Use default recovery message and URL" option, the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and select the "Use default recovery message and URL" option. + +If you select the "Use custom recovery message" option, the message you type in the "Custom recovery message option" text box will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. + +If you select the "Use custom recovery URL" option, the URL you type in the "Custom recovery URL option" text box will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. + +> [!NOTE] +> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. + + + + +Data ID elements: + +- PrebootRecoveryInfoDropDown_Name: Select an option for the pre-boot recovery message. +- RecoveryMessage_Input: Custom recovery message +- RecoveryUrl_Input: Custom recovery URL + +Sample value for this node to enable this policy is: + +```xml + + + + +``` + +The possible values for 'xx' are: + +- 0 = Empty +- 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input"). +- 2 = Custom recovery message is set. 
+- 3 = Custom recovery URL is set. + +The possible value for 'yy' and 'zz' is a string of max length 900 and 500 respectively. + +> [!NOTE] +> +> - When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status. +> - Not all characters and languages are supported in pre-boot. It's strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PrebootRecoveryInfo_Name | +| Friendly Name | Configure pre-boot recovery message and URL | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage + + + chr + + + + +``` + + + + + +## SystemDrivesRecoveryOptions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions +``` + + + + +This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. + +The "Allow certificate-based data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. + +In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. + +Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. + +In "Save BitLocker recovery information to Active Directory Domain Services", choose which BitLocker recovery information to store in AD DS for operating system drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS. 
+ +Select the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. + +> [!NOTE] +> If the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box is selected, a recovery password is automatically generated. + +- If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. + +- If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. + + + + +Data ID elements: + +- OSAllowDRA_Name: Allow certificate-based data recovery agent +- OSRecoveryPasswordUsageDropDown_Name and OSRecoveryKeyUsageDropDown_Name: Configure user storage of BitLocker recovery information +- OSHideRecoveryPage_Name: Omit recovery options from the BitLocker setup wizard +- OSActiveDirectoryBackup_Name and OSActiveDirectoryBackupDropDown_Name: Save BitLocker recovery information to Active Directory Domain Services +- OSRequireActiveDirectoryBackup_Name: Do not enable BitLocker until recovery information is stored in AD DS for operating system drives + +Sample value for this node to enable this policy is: + +```xml + + + + + + + + +``` + +The possible values for 'xx' are: + +- true = Explicitly allow +- false = Policy not set + +The possible values for 'yy' are: + +- 0 = Disallowed +- 1 = Required +- 2 = Allowed + +The possible values for 'zz' are: + +- 1 = Store recovery passwords and key packages. +- 2 = Store recovery passwords only. 
+ + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | OSRecoveryUsage_Name | +| Friendly Name | Choose how BitLocker-protected operating system drives can be recovered | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | OSRecovery | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions + + + chr + + + + +``` + + + + + +## SystemDrivesRequireStartupAuthentication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication +``` + + + + +This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. + +> [!NOTE] +> Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. + +If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. + +On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. + +- If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. + +- If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM. 
+ +> [!NOTE] +> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool [manage-bde](/windows-server/administration/windows-commands/manage-bde) instead of the BitLocker Drive Encryption setup wizard. + + + + +> [!NOTE] +> +> - In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits. +> - Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern Standby devices won't be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. +Data ID elements: + +- ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive). +- ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key. +- ConfigurePINUsageDropDown_Name = (for computer with TPM) Configure TPM startup PIN. +- ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN. +- ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup. + +Sample value for this node to enable this policy is: + +```xml + + + + + + +``` + +The possible values for 'xx' are: + +- true = Explicitly allow +- false = Policy not set + +The possible values for 'yy' are: + +- 2 = Optional +- 1 = Required +- 0 = Disallowed + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureAdvancedStartup_Name | +| Friendly Name | Require additional authentication at startup | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | UseAdvancedStartup | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication + + + chr + + + + +``` + + + + + + +## SyncML example The following example is provided to show proper format and shouldn't be taken as a recommendation. @@ -1644,9 +2436,10 @@ The following example is provided to show proper format and shouldn't be taken a ``` + - + -## Related topics +## Related articles -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index 5c397b3bce..081ef8b6f2 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md 
@@ -1,63 +1,65 @@ --- title: BitLocker DDF file -description: Learn about the OMA DM device description framework (DDF) for the BitLocker configuration service provider. +description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/22/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/30/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + # BitLocker DDF file -This topic shows the OMA DM device description framework (DDF) for the **BitLocker** configuration service provider. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the BitLocker configuration service provider. ```xml -]> +]> 1.2 - - BitLocker - ./Device/Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/5.0/MDM/BitLocker - - - - - RequireStorageCardEncryption - - - - - - - - Allows the Admin to require storage card encryption on the device. + + + + BitLocker + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.15063 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + RequireStorageCardEncryption + + + + + + + + 0 + Allows the Admin to require storage card encryption on the device. The format is integer. This policy is only valid for mobile SKU. Sample value for this node to enable this policy: 
@@ -65,99 +67,89 @@ The XML below is the current version for this CSP. Disabling the policy will not turn off the encryption on the storage card. But will stop prompting the user to turn it on. If you want to disable this policy use the following SyncML: - - 100 - - - ./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption - - - int - - 0 - - - - - - - - - - - - - - text/plain - - - - - - - - - RequireDeviceEncryption - - - - - - - - Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption. + 100./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryptionint0 + + + + + + + + + + + + + + + 0 + Storage cards do not need to be encrypted. + + + 1 + Require storage cards to be encrypted. + + + + + + + RequireDeviceEncryption + + + + + + + + 0 + Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption. The format is integer. Sample value for this node to enable this policy: 1 Disabling the policy will not turn off the encryption on the system drive. But will stop prompting the user to turn it on. If you want to disable this policy use the following SyncML: - - 101 - - - ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption - - - int - - 0 - - - - - - - - - - - - - - text/plain - - - - - - - - - EncryptionMethodByDriveType - - - - - - - - This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. + 101./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryptionint0 + + + + + + + + + + + + + + + 0 + Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes. + + + 1 + Enable. The device's enforcement status is checked. 
Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on AllowWarningForOtherDiskEncryption policy). + + + + + + EncryptionMethodByDriveType + + + + + + + + This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511). If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.” The format is string. Sample value for this node to enable this policy and set the encryption methods is: - <enabled/><data id="EncryptionMethodWithXtsOsDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsFdvDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsRdvDropDown_Name" value="xx"/> + EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives. EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. 
@@ -170,48 +162,37 @@ The XML below is the current version for this CSP. 7 = XTS-AES 256 If you want to disable this policy use the following SyncML: - - 102 - - - ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType - - - chr - - <disabled/> - - + 102./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveTypechr Note: Maps to GP EncryptionMethodWithXts_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory - EncryptionMethodWithXts_Name - - - - SystemDrivesRequireStartupAuthentication - - - - - - - - This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. + + + + + + + + + + + + + + + + + + + SystemDrivesRequireStartupAuthentication + + + + + + + + This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. 
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both. @@ -220,7 +201,7 @@ The XML below is the current version for this CSP. Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. The format is string. Sample value for this node to enable this policy is: - <enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="xx"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="yy"/><data id="ConfigurePINUsageDropDown_Name" value="yy"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="yy"/><data id="ConfigureTPMUsageDropDown_Name" value="yy"/> + ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) All of the below settings are for computers with a TPM. 
@@ -240,106 +221,84 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 103 - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication - - - chr - - <disabled/> - - + 103./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthenticationchr Note: Maps to GP ConfigureAdvancedStartup_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory - ConfigureAdvancedStartup_Name - - - - SystemDrivesMinimumPINLength - - - - - - - - This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. + + + + + + + + + + + + + + + + + + + SystemDrivesMinimumPINLength + + + + + + + + This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits. NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. The format is string. Sample value for this node to enable this policy is: - <enabled/><data id="MinPINLength" value="xx"/> + Disabling the policy will let the system choose the default behaviors. 
If you want to disable this policy use the following SyncML: - - 104 - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength - - - chr - - <disabled/> - - + 104./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLengthchr Note: Maps to GP MinimumPINLength_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory - MinimumPINLength_Name - - - - SystemDrivesRecoveryMessage - - - - - - - - This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. + + + + + + + + + + + + + + + + + + + SystemDrivesRecoveryMessage + + + + + + + + This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. If you set the "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). If you set the "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. If you set the "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. Note: Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. The format is string. 
Sample value for this node to enable this policy is: - <enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/> + The possible values for 'xx' are: 0 = Empty 
@@ -351,48 +310,37 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 105 - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage - - - chr - - <disabled/> - - + 105./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessagechr Note: Maps to GP PrebootRecoveryInfo_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory - PrebootRecoveryInfo_Name - - - - SystemDrivesRecoveryOptions - - - - - - - - This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. + + + + + + + + + + + + + + + + + + + SystemDrivesRecoveryOptions + + + + + + + + This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. 
Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. @@ -403,7 +351,7 @@ The XML below is the current version for this CSP. If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. The format is string. Sample value for this node to enable this policy is: - <enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/> + The possible values for 'xx' are: true = Explicitly allow 
@@ -420,48 +368,37 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 106 - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions - - - chr - - <disabled/> - - + 106./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptionschr Note: Maps to GP OSRecoveryUsage_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory - OSRecoveryUsage_Name - - - - FixedDrivesRecoveryOptions - - - - - - - - This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. + + + + + + + + + + + + + + + + + + + FixedDrivesRecoveryOptions + + + + + + + + This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. 
This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. @@ -472,7 +409,7 @@ The XML below is the current version for this CSP. If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. The format is string. Sample value for this node to enable this policy is: - <enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/> + The possible values for 'xx' are: true = Explicitly allow 
@@ -489,105 +426,83 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 107 - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions - - - chr - - <disabled/> - - + 107./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptionschr Note: Maps to GP FDVRecoveryUsage_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEFDVCategory - FDVRecoveryUsage_Name - - - - FixedDrivesRequireEncryption - - - - - - - - This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. + + + + + + + + + + + + + + + + + + + FixedDrivesRequireEncryption + + + + + + + + This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access. The format is string. Sample value for this node to enable this policy is: - <enabled/> + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 108 - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption - - - chr - - <disabled/> - - + 108./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryptionchr Note: Maps to GP FDVDenyWriteAccess_Name policy. 
- - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEFDVCategory - FDVDenyWriteAccess_Name - - - - RemovableDrivesRequireEncryption - - - - - - - - This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. + + + + + + + + + + + + + + + + + + + RemovableDrivesRequireEncryption + + + + + + + + This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. Note: This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. The format is string. Sample value for this node to enable this policy is: - <enabled/><data id="RDVCrossOrg" value="xx"/> + The possible values for 'xx' are: true = Explicitly allow 
@@ -595,48 +510,73 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 109 - - - ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption - - - chr - - <disabled/> - - + 109./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryptionchr Note: Maps to GP RDVDenyWriteAccess_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory - RDVDenyWriteAccess_Name - - - - AllowWarningForOtherDiskEncryption - - - - - - - - Allows Admin to disable all UI (notification for encryption and warning prompt for other disk encryption) + + + + + + + + + + + + + + + + + + + RemovableDrivesExcludedFromEncryption + + + + + + + + When enabled, allows you to exclude removable drives and devices connected over USB interface from BitLocker Device Encryption. Excluded devices cannot be encrypted, even manually. Additionally, if "Deny write access to removable drives not protected by BitLocker" is configured, user will not be prompted for encryption and drive will be mounted in read/write mode. Provide a comma separated list of excluded removable drives\devices, using the Hardware ID of the disk device. Example USBSTOR\SEAGATE_ST39102LW_______0004. + + + + + + + + + + + + + + + + + 10.0.22000 + 5.0 + + + + + LastWrite + + + + AllowWarningForOtherDiskEncryption + + + + + + + + 1 + Allows Admin to disable all UI (notification for encryption and warning prompt for other disk encryption) and turn on encryption on the user machines silently. Warning: When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows. 
@@ -646,51 +586,46 @@ The XML below is the current version for this CSP. 1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed. 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, - the value 0 only takes affect on Azure Active Directory-joined devices. + the value 0 only takes affect on Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. If you want to disable this policy use the following SyncML: - - 110 - - - ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption - - - int - - 0 - - - - - - - - - - - - - - text/plain - - - - - - - - - AllowStandardUserEncryption - - - - - - - - Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user. + 110./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryptionint0 + + + + + + + + + + + + + + + 0 + Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. + + + 1 + Warning prompt allowed. + + + + + + AllowStandardUserEncryption + + + + + + + + 0 + Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user. "AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, Silent encryption is enforced. If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system. 
@@ -702,100 +637,107 @@ The XML below is the current version for this CSP. will not try to enable encryption on any drive. If you want to disable this policy use the following SyncML: - - 111 - - - ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption - - - int - - 0 - - - - - - - - - - - - - - text/plain - - - - - - - - - - ConfigureRecoveryPasswordRotation - - - - - - - - Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Azure Active Directory and Hybrid domain joined devices. - When not configured, Rotation is turned on by default for Azure AD only and off on Hybrid. The Policy will be effective only when + 111./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryptionint0 + + + + + + + + + + + + + + 10.0.17763 + 3.0 + + + + 0 + This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive. + + + 1 + "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. + + + + + + Device/Vendor/MSFT/Bitlocker/AllowWarningForOtherDiskEncryption + + [0] + + + + + + + + ConfigureRecoveryPasswordRotation + + + + + + + + 0 + Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices. + When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required. For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives" For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives" Supported Values: 0 - Numeric Recovery Passwords rotation OFF. 
- 1 - Numeric Recovery Passwords Rotation upon use ON for Azure Active Directory-joined devices. Default value - 2 - Numeric Recovery Passwords Rotation upon use ON for both Azure AD and Hybrid devices + 1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value + 2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices If you want to disable this policy use the following SyncML: - - 112 - - - ./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation - - - int - - 0 - - - - - - - - - - - - - - text/plain - - - - - - - - - - - RotateRecoveryPasswords - - - - - Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device. + 112./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotationint0 + + + + + + + + + + + + + + 10.0.18363 + 5.0 + + + + 0 + Refresh off (default) + + + 1 + Refresh on for Azure AD-joined devices + + + 2 + Refresh on for both Azure AD-joined and hybrid-joined devices + + + + + + RotateRecoveryPasswords + + + + + Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device. This policy is Execute type and rotates all numeric passwords when issued from MDM tools. The policy only comes into effect when Active Directory backup for a recovery password is configured to "required." 
@@ -811,133 +753,522 @@ The policy only comes into effect when Active Directory backup for a recovery pa Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\ - - 113 - - - ./Device/Vendor/MSFT/BitLocker/RotateRecoveryPasswords - - - chr - - <RequestID/> - - - - - - - - - - - - - - text/plain - + 113./Device/Vendor/MSFT/BitLocker/RotateRecoveryPasswordschr + + + + + + + + + + + + + + 10.0.18363 + 5.0 + + + + + Status + + + + + + + + + + + + + + + + + + 10.0.18362 + 4.0 + + + + DeviceEncryptionStatus + + + + + This node reports compliance state of device encryption on the system. + Value '0' means the device is compliant. Any other value represents a non-compliant device. + + + + + + + + + + + + + - - - - Status - - - - - - - - - - - - - - - - - - - DeviceEncryptionStatus - - - - - This node reports compliance state of device encryption on the system. - Value '0' means the device is compliant. Any other value represents a non-compliant device. - - - - - - - - - - - - text/plain - - - - - - RotateRecoveryPasswordsStatus - - - - - This Node reports the status of RotateRecoveryPasswords request. - Status code can be one of the following: - NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure - - - - - - - - - - - - - text/plain - - - - - - RotateRecoveryPasswordsRequestID - - - - - This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. - This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus - To ensure the status is correctly matched to the request ID. - - - - - - - - - - - - - text/plain - - - - + + RotateRecoveryPasswordsStatus + + + + + This Node reports the status of RotateRecoveryPasswords request. 
+ Status code can be one of the following: + NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure + + + + + + + + + + + + + + + + 10.0.18363 + 5.0 + + + + + RotateRecoveryPasswordsRequestID + + + + + This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. + This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus + To ensure the status is correctly matched to the request ID. + + + + + + + + + + + + + + + + 10.0.18363 + 5.0 + + + + + RemovableDrivesEncryptionStatus + + + + + This node reports compliance state of removal drive encryption. "0" Value means the removal drive is encrypted following all set removal drive settings. + + + + + + + + + + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + IdentificationField + + + + + + + + + This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the manage-bde command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field. 
+ The allowed identification field is used in combination with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations. + You can configure the identification fields on existing drives by using manage-bde.exe. + If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization. + When a BitLocker-protected drive is mounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether the drive is from an outside organization. + If you disable or do not configure this policy setting, the identification field is not required. + + Note: Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer. + + + + + + + + + + + + IdentificationField + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + FixedDrivesEncryptionType + + + + + + + + + This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. 
Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. + If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker. + + + + + + + + + + + FixedDrivesEncryptionType + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + SystemDrivesEnhancedPIN + + + + + + + + + This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. + Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker. + If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs. + Note: Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup. + If you disable or do not configure this policy setting, enhanced PINs will not be used. + + + + + + + + + + + SystemDrivesEnhancedPIN + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + SystemDrivesDisallowStandardUsersCanChangePIN + + + + + + + + + This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. + This policy setting is applied when you turn on BitLocker. + If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords. 
+ If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords. + + + + + + + + + + + SystemDrivesDisallowStandardUsersCanChangePIN + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + SystemDrivesEnablePrebootInputProtectorsOnSlates + + + + + + + + + This policy setting allows users to turn on authentication options that require user input from the pre-boot environment, even if the platform lacks pre-boot input capability. + + The Windows touch keyboard (such as that used by tablets) isn't available in the pre-boot environment where BitLocker requires additional information such as a PIN or Password. + If you enable this policy setting, devices must have an alternative means of pre-boot input (such as an attached USB keyboard). + If this policy is not enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard. + + Note that if you do not enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include: + - Configure TPM startup PIN: Required/Allowed + - Configure TPM startup key and PIN: Required/Allowed + - Configure use of passwords for operating system drives. + + + + + + + + + + + SystemDrivesEnablePrebootInputProtectorsOnSlates + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + SystemDrivesEncryptionType + + + + + + + + + This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. 
Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. + If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker. + + + + + + + + + + + SystemDrivesEncryptionType + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + SystemDrivesEnablePreBootPinExceptionOnDECapableDevice + + + + + + + + + This policy setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" and "Require startup key and PIN with TPM" options of the "Require additional authentication at startup" policy on compliant hardware. + If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication. + If this policy is not enabled, the options of "Require additional authentication at startup" policy apply. + + + + + + + + + + + SystemDrivesEnablePreBootPinExceptionOnDECapableDevice + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + RemovableDrivesConfigureBDE + + + + + + + + This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker. 
+ + + + + + + + + + RemovableDrivesConfigureBDE + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + RemovableDrivesEncryptionType + + + + + + + + This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + + + + + + + + + + RemovableDrivesEncryptionType + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + + + + + + + Device/Vendor/MSFT/Bitlocker/RemovableDrivesConfigureBDE + + + + + + + LastWrite + + + ``` -## Related topics +## Related articles -[BitLocker configuration service provider](bitlocker-csp.md) +[BitLocker configuration service provider reference](bitlocker-csp.md) diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 7f9a4ba349..2ea3f57533 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md 
@@ -1,441 +1,3114 @@
 ---
 title: CertificateStore CSP
-description: Use the CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates.
-ms.reviewer:
+description: Learn more about the CertificateStore CSP.
+author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 02/28/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 02/28/2020
+ms.topic: reference
 ---
+
+
+
 # CertificateStore CSP
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
+
+
 The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates.
-> [!Note]
-> The CertificateStore configuration service provider does not support installing client certificates.
-> The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive.
+> [!NOTE]
+> The CertificateStore configuration service provider does not support installing client certificates. The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive. For the CertificateStore CSP, you can't use the Replace command unless the node already exists.
+
-The following example shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
+ +The following list shows the CertificateStore configuration service provider nodes: -```console -./Vendor/MSFT -CertificateStore -----ROOT ---------* -------------EncodedCertificate -------------IssuedBy -------------IssuedTo -------------ValidFrom -------------ValidTo -------------TemplateName ---------System -------------* -----------------EncodedCertificate -----------------IssuedBy -----------------IssuedTo -----------------ValidFrom -----------------ValidTo -----------------TemplateName -----MY ---------User -------------* -----------------EncodedCertificate -----------------IssuedBy -----------------IssuedTo -----------------ValidFrom -----------------ValidTo -----------------TemplateName ---------SCEP -------------* -----------------Install ---------------------ServerURL ---------------------Challenge ---------------------EKUMapping ---------------------KeyUsage ---------------------SubjectName ---------------------KeyProtection ---------------------RetryDelay ---------------------RetryCount ---------------------TemplateName ---------------------KeyLength ---------------------HashAlgrithm ---------------------CAThumbPrint ---------------------SubjectAlternativeNames ---------------------ValidPeriod ---------------------ValidPeriodUnit ---------------------Enroll -----------------CertThumbPrint -----------------Status -----------------ErrorCode ---------WSTEP -------------CertThumprint -------------Renew -----------------RenewPeriod -----------------ServerURL -----------------RetryInterval -----------------ROBOSupport -----------------Status -----------------ErrorCode -----------------LastRenewalAttemptTime (Added in Windows 10, version 1607) -----------------RenewNow (Added in Windows 10, version 1607) -----------------RetryAfterExpiryInterval (Added in Windows 10, version 1703) -----CA ---------* -------------EncodedCertificate -------------IssuedBy -------------IssuedTo -------------ValidFrom -------------ValidTo -------------TemplateName 
---------System -------------* -----------------EncodedCertificate -----------------IssuedBy -----------------IssuedTo -----------------ValidFrom -----------------ValidTo -----------------TemplateName +- ./Device/Vendor/MSFT/CertificateStore + - [CA](#ca) + - [{CertHash}](#cacerthash) + - [EncodedCertificate](#cacerthashencodedcertificate) + - [IssuedBy](#cacerthashissuedby) + - [IssuedTo](#cacerthashissuedto) + - [TemplateName](#cacerthashtemplatename) + - [ValidFrom](#cacerthashvalidfrom) + - [ValidTo](#cacerthashvalidto) + - [System](#casystem) + - [{CertHash}](#casystemcerthash) + - [EncodedCertificate](#casystemcerthashencodedcertificate) + - [IssuedBy](#casystemcerthashissuedby) + - [IssuedTo](#casystemcerthashissuedto) + - [TemplateName](#casystemcerthashtemplatename) + - [ValidFrom](#casystemcerthashvalidfrom) + - [ValidTo](#casystemcerthashvalidto) + - [MY](#my) + - [SCEP](#myscep) + - [{UniqueID}](#myscepuniqueid) + - [CertThumbPrint](#myscepuniqueidcertthumbprint) + - [ErrorCode](#myscepuniqueiderrorcode) + - [Install](#myscepuniqueidinstall) + - [CAThumbPrint](#myscepuniqueidinstallcathumbprint) + - [Challenge](#myscepuniqueidinstallchallenge) + - [EKUMapping](#myscepuniqueidinstallekumapping) + - [Enroll](#myscepuniqueidinstallenroll) + - [HashAlgrithm](#myscepuniqueidinstallhashalgrithm) + - [KeyLength](#myscepuniqueidinstallkeylength) + - [KeyProtection](#myscepuniqueidinstallkeyprotection) + - [KeyUsage](#myscepuniqueidinstallkeyusage) + - [RetryCount](#myscepuniqueidinstallretrycount) + - [RetryDelay](#myscepuniqueidinstallretrydelay) + - [ServerURL](#myscepuniqueidinstallserverurl) + - [SubjectAlternativeNames](#myscepuniqueidinstallsubjectalternativenames) + - [SubjectName](#myscepuniqueidinstallsubjectname) + - [TemplateName](#myscepuniqueidinstalltemplatename) + - [ValidPeriod](#myscepuniqueidinstallvalidperiod) + - [ValidPeriodUnit](#myscepuniqueidinstallvalidperiodunit) + - [Status](#myscepuniqueidstatus) + - [User](#myuser) + - 
[{CertHash}](#myusercerthash) + - [EncodedCertificate](#myusercerthashencodedcertificate) + - [IssuedBy](#myusercerthashissuedby) + - [IssuedTo](#myusercerthashissuedto) + - [TemplateName](#myusercerthashtemplatename) + - [ValidFrom](#myusercerthashvalidfrom) + - [ValidTo](#myusercerthashvalidto) + - [WSTEP](#mywstep) + - [CertThumprint](#mywstepcertthumprint) + - [Renew](#mywsteprenew) + - [ErrorCode](#mywsteprenewerrorcode) + - [LastRenewalAttemptTime](#mywsteprenewlastrenewalattempttime) + - [RenewNow](#mywsteprenewrenewnow) + - [RenewPeriod](#mywsteprenewrenewperiod) + - [RetryAfterExpiryInterval](#mywsteprenewretryafterexpiryinterval) + - [RetryInterval](#mywsteprenewretryinterval) + - [ROBOSupport](#mywsteprenewrobosupport) + - [ServerURL](#mywsteprenewserverurl) + - [Status](#mywsteprenewstatus) + - [ROOT](#root) + - [{CertHash}](#rootcerthash) + - [EncodedCertificate](#rootcerthashencodedcertificate) + - [IssuedBy](#rootcerthashissuedby) + - [IssuedTo](#rootcerthashissuedto) + - [TemplateName](#rootcerthashtemplatename) + - [ValidFrom](#rootcerthashvalidfrom) + - [ValidTo](#rootcerthashvalidto) + - [System](#rootsystem) + - [{CertHash}](#rootsystemcerthash) + - [EncodedCertificate](#rootsystemcerthashencodedcertificate) + - [IssuedBy](#rootsystemcerthashissuedby) + - [IssuedTo](#rootsystemcerthashissuedto) + - [TemplateName](#rootsystemcerthashtemplatename) + - [ValidFrom](#rootsystemcerthashvalidfrom) + - [ValidTo](#rootsystemcerthashvalidto) + + + +## CA + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA ``` + -**Root/System** -Defines the certificate store that contains root, or self-signed, certificates. + + +This cryptographic store contains intermediary certification authorities. + -Supported operation is Get. + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### CA/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash} +``` + + + + +The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. | + + + + + + + + + +#### CA/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/EncodedCertificate +``` + + + + +The base64 Encoded X.509 certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### CA/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/IssuedBy +``` + + + + +The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CA/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/IssuedTo +``` + + + + +The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CA/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CA/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/ValidFrom +``` + + + + +The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CA/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/ValidTo +``` + + + + +The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### CA/System + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System +``` + + + + +This store holds the System portion of the CA store. + + + + +> [!NOTE] +> Use [RootCATrustedCertificates CSP](rootcacertificates-csp.md) moving forward for installing CA certificates. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### CA/System/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash} +``` + + + + +The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. | + + + + + + + + + +##### CA/System/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/EncodedCertificate +``` + + + + +The base64 Encoded X.509 certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### CA/System/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/IssuedBy +``` + + + + +The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### CA/System/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/IssuedTo +``` + + + + +The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### CA/System/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### CA/System/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/ValidFrom +``` + + + + +The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### CA/System/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/ValidTo +``` + + + + +The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## MY + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY +``` + + + + +This store keeps all end-user personal certificates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### MY/SCEP > [!NOTE] -> Root/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing root certificates. +> This policy is deprecated and may be removed in a future release. -**CA/System** -Defines the certificate store that contains cryptographic information, including intermediary certification authorities. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Get. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP +``` + + + +This store holds the SCEP portion of the MY store and handle operations related to SCEP certificate enrollment. + + + + > [!NOTE] -> CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates. +> Use [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) to install SCEP certificates moving forward. + -**My/User** -Defines the certificate store that contains public keys for client certificates. This certificate store is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -> [!NOTE] -> My/User is case sensitive. + + + -**My/System** -Defines the certificate store that contains public key for client certificate. This certificate store is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading. + -Supported operation is Get. + +#### MY/SCEP/{UniqueID} -> [!NOTE] -> My/System is case sensitive. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -***CertHash*** -Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID} +``` + -Supported operations are Get, Delete, and Replace. + + +The UniqueID for the SCEP enrollment request. Each client certificate should have different unique ID. + -***CertHash*/EncodedCertificate** -Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value can't include extra formatting characters such as embedded linefeeds, etc. + + + -Supported operations are Get, Add, Delete, and Replace. + +**Description framework properties**: -***CertHash*/IssuedBy** -Required. Returns the name of the certificate issuer. This name is equivalent to the *Issuer* member in the CERT\_INFO data structure. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + -Supported operation is Get. + + + -***CertHash*/IssuedTo** -Required. Returns the name of the certificate subject. This name is equivalent to the *Subject* member in the CERT\_INFO data structure. + -Supported operation is Get. + +##### MY/SCEP/{UniqueID}/CertThumbPrint -***CertHash*/ValidFrom** -Required. Returns the starting date of the certificate's validity. This date is equivalent to the *NotBefore* member in the CERT\_INFO structure. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Get. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/CertThumbPrint +``` + -***CertHash*/ValidTo** -Required. Returns the expiration date of the certificate. This expiration date is equivalent to the *NotAfter* member in the CERT\_INFO structure. + + +Specify the current cert's thumbprint. + -Supported operation is Get. + + +20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + -***CertHash*/TemplateName** -Required. Returns the certificate template name. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**My/SCEP** -Required for Simple Certificate Enrollment Protocol (SCEP) certificate enrollment. The parent node grouping the SCEP certificate related settings. + + + -Supported operation is Get. + -> [!NOTE] -> Please use the ClientCertificateInstall CSP to install SCEP certificates moving forward. All enhancements to SCEP will happen in that CSP. + +##### MY/SCEP/{UniqueID}/ErrorCode -**My/SCEP/***UniqueID* -Required for SCEP certificate enrollment. A unique ID to differentiate certificate enrollment requests. Format is node. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Replace, and Delete. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/ErrorCode +``` + -**My/SCEP/*UniqueID*/Install** -Required for SCEP certificate enrollment. Parent node to group SCEP certificate installs related request. Format is node. + + +Specify the last hresult in case enroll action failed. + -Supported operations are Add, Replace, and Delete. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +##### MY/SCEP/{UniqueID}/Install + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install +``` + + + + +The group to represent the install request. + + + + > [!NOTE] > Though the children nodes under Install support Replace commands, after the Exec command is sent to the device, the device takes the values that are set when the Exec command is accepted. You should not expect the node value change that occurs after the Exec command is accepted to impact the current undergoing enrollment. You should check the Status node value and make sure that the device is not at an unknown stage before changing the children node values. + -**My/SCEP/*UniqueID*/Install/ServerURL** -Required for SCEP certificate enrollment. Specifies the certificate enrollment server. The server could specify multiple server URLs separated by a semicolon. Value type is string. + +**Description framework properties**: -Supported operations are Get, Add, Delete, and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**My/SCEP/*UniqueID*/Install/Challenge** -Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Value type is chr. + + + -Supported operations are Get, Add, Replace, and Delete. + -Challenge will be deleted shortly after the Exec command is accepted. + +###### MY/SCEP/{UniqueID}/Install/CAThumbPrint -**My/SCEP/*UniqueID*/Install/EKUMapping** -Required. Specifies the extended key usages and subject to SCEP server configuration. The list of OIDs is separated by a plus sign **+**, such as OID1+OID2+OID3. Value type is chr. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/CAThumbPrint +``` + -**My/SCEP/*UniqueID*/Install/KeyUsage** -Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or fourth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail. Value type is an integer. + + +Specify root CA thumbprint. + -Supported operations are Get, Add, Delete, and Replace. + + +20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it doesn't match, the authentication fails. + -**My/SCEP/*UniqueID*/Install/SubjectName** -Required. Specifies the subject name. + +**Description framework properties**: -The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;”). +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + -For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). + + + -Value type is chr. + -Supported operations are Get, Add, Delete, and Replace. + +###### MY/SCEP/{UniqueID}/Install/Challenge -**My/SCEP/*UniqueID*/Install/KeyProtection** -Optional. Specifies the location of the private key. Although the private key is protected by TPM, it isn't protected with TPM PIN. SCEP enrolled certificate doesn't support TPM PIN protection. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported values are one of the following values: + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/Challenge +``` + -- 1 – Private key is protected by device TPM. + + +Enroll requester authentication shared secret. + -- 2 – Private key is protected by device TPM if the device supports TPM. + + +The value must be base64 encoded. Challenge is deleted shortly after the Exec command is accepted. + -- 3 (default) – Private key is only saved in the software KSP. + +**Description framework properties**: -Value type is an integer. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + -Supported operations are Get, Add, Delete, and Replace. + + + -**My/SCEP/*UniqueID*/Install/RetryDelay** -Optional. Specifies the device retry waiting time in minutes when the SCEP server sends the pending status. Default value is 5 and the minimum value is 1. Value type is an integer. + -Supported operations are Get, Add, and Delete. + +###### MY/SCEP/{UniqueID}/Install/EKUMapping -**My/SCEP/*UniqueID*/Install/RetryCount** -Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value can't be larger than 30. If it's larger than 30, the device will use 30. The min value is 0, which means no retry. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/EKUMapping +``` + -**My/SCEP/*UniqueID*/Install/TemplateName** -Optional. OID of certificate template name. + + +Specify extended key usages. The list of OIDs are separated by plus "+". + -> [!Note] -> Template name is typically ignored by the SCEP server, so the MDM server typically doesn't need to provide it. Value type is `chr`. + + + -Supported operations are Get, Add, and Delete. + +**Description framework properties**: -**My/SCEP/*UniqueID*/Install/KeyLength** -Required for enrollment. Specifies private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + -Supported operations are Get, Add, Delete, and Replace. + + + -**My/SCEP/*UniqueID*/Install/HashAlgorithm** -Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated with +. + -Value type is chr. + +###### MY/SCEP/{UniqueID}/Install/Enroll -Supported operations are Get, Add, Delete, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**My/SCEP/*UniqueID*/Install/CAThumbprint** -Required. Specifies the root CA thumbprint. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it doesn't match, the authentication fails. Value type is chr. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/Enroll +``` + -Supported operations are Get, Add, Delete, and Replace. + + +Start the cert enrollment. + -**My/SCEP/*UniqueID*/Install/SubjectAlternativeNames** -Optional. Specifies the subject alternative name. Multiple alternative names can be specified. Each name is the combination of name format+actual name. Refer to the name type definition in MSDN. Each pair is separated by semicolon. For example, multiple subject alternative names are presented in the format *\*+*\*;*\*+*\*. Value type is chr. + + +The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node doesn't contain a value. + -Supported operations are Get, Add, Delete, and Replace. + +**Description framework properties**: -**My/SCEP/*UniqueID*/Install/ValidPeriod** -Optional. Specifies the units for the valid period. Value type is chr. +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + -Supported operations are Get, Add, Delete, and Replace. + + + -Valid values are one of the following values: + + + +###### MY/SCEP/{UniqueID}/Install/HashAlgrithm + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/HashAlgrithm +``` + + + + +Client create Cert enroll request, get supported hash OIalgorithm from SCEP server and match it with one specified in this parameter. + + + + +Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated with +. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/KeyLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/KeyLength +``` + + + + +Specify private key length (RSA). + + + + +Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/KeyProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/KeyProtection +``` + + + + +Specify where to keep the private key. + + + + +Although the private key is protected by TPM, it isn't protected with TPM PIN. SCEP enrolled certificate doesn't support TPM PIN protection. Supported values are one of the following values: + +- 1: Private key is protected by device TPM. +- 2: Private key is protected by device TPM if the device supports TPM. +- 3 (default): Private key is only saved in the software KSP. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/KeyUsage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/KeyUsage +``` + + + + +Specify the key usage bits (0x80, 0x20, 0xA0) for the cert. + + + + +The value must be specified in decimal format and should at least have second (0x20) or fourth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/RetryCount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/RetryCount +``` + + + + +When the SCEP sends pending status, specify device retry times. + + + + +Default value is 3. Max value can't be larger than 30. If it's larger than 30, the device will use 30. The min value is 0, which means no retry. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/RetryDelay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/RetryDelay +``` + + + + +When the SCEP server sends pending status, specify device retry waiting time in minutes. + + + + +Default value is 5 and the minimum value is 1. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/ServerURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/ServerURL +``` + + + + +Specify the cert enrollment server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/SubjectAlternativeNames + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/SubjectAlternativeNames +``` + + + + +Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Each pair is separated by semi-comma. + + + + +or example, multiple subject alternative names are presented in the format `+;+`. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/SubjectName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/SubjectName +``` + + + + +Specify the subject name. + + + + +The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (`,`, `=`, `+`, `;`). For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/TemplateName +``` + + + + +Certificate Template Name OID (As in AD used by PKI infrastructure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/ValidPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/ValidPeriod +``` + + + + +Specify the period of time that cert is valid. The valid period specified by MDM will overwrite the valid period specified in cert template. + + + + +Valid values are one of the following: - Days (default) - Months - Years + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/ValidPeriodUnit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/ValidPeriodUnit +``` + + + + +Specify valid period unit type. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + +Default is 0. The period is defined in ValidPeriod node. The valid period specified by MDM overwrites the valid period specified in the certificate template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. > [!NOTE] > The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server. + -**My/SCEP/*UniqueID*/Install/ValidPeriodUnits** -Optional. Specifies desired number of units used in validity period and subject to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. The valid period specified by MDM overwrites the valid period specified in the certificate template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. Value type is an integer. + -Supported operations are Get, Add, Delete, and Replace. + +##### MY/SCEP/{UniqueID}/Status -> [!NOTE] -> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**My/SCEP/*UniqueID*/Install/Enroll** -Required. Triggers the device to start the certificate enrollment. The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node doesn't contain a value. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Status +``` + -Supported operation is Exec. - -**My/WSTEP/CertThumbprint** -Optional. Returns the current MDM client certificate thumbprint. If renewal succeeds, it shows the renewed certificate thumbprint. If renewal fails or is in progress, it shows the thumbprint of the cert that needs to be renewed. Value type is chr. - -Supported operation is Get. - -**My/SCEP/*UniqueID*/Status** -Required. Specifies the latest status for the certificate due to enrollment request. Value type is chr. - -Supported operation is Get. + + +Specify the latest status for the certificate due to enroll request. + + + Valid values are one of the following values: -- 1 – Finished successfully. +- 1: Finished successfully. +- 2: Pending. The device hasn't finished the action, but has received the SCEP server pending response. +- 16: Action failed. +- 32: Unknown. + -- 2 – Pending. The device hasn't finished the action, but has received the SCEP server pending response. + +**Description framework properties**: -- 16 - Action failed. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -- 32 – Unknown. + + + -**My/SCEP/*UniqueID*/ErrorCode** -Optional. The integer value that indicates the HRESULT of the last enrollment error code. + -Supported operation is Get. + +### MY/User -**My/SCEP/*UniqueID*/CertThumbprint** -Optional. Specifies the current certificate thumbprint if certificate enrollment succeeds. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Value type is chr. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Get. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User +``` + -**My/SCEP/*UniqueID*/RespondentServerUrl** -Required. Returns the URL of the SCEP server that responded to the enrollment request. Value type is string. + + +This store holds the User portion of the MY store. + -Supported operation is Get. + + + -**My/WSTEP** -Required for MDM enrolled device. Specifies the parent node that hosts the MDM enrollment client certificate related settings that are enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**My/WSTEP/Renew** -Optional. The parent node to group renewal related settings. + + + -Supported operation is Get. + -**My/WSTEP/Renew/ServerURL** -Optional. Specifies the URL of certificate renewal server. If this node doesn't exist, the client uses the initial certificate enrollment URL. + +#### MY/User/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash} +``` + + + + +The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. | + + + + + + + + + +##### MY/User/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/EncodedCertificate +``` + + + + +The base64 Encoded X.509 certificate. **Note** that though during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node, properly enroll a client certificate including private needs a cert enroll protocol handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### MY/User/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/IssuedBy +``` + + + + +The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### MY/User/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/IssuedTo +``` + + + + +The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### MY/User/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### MY/User/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/ValidFrom +``` + + + + +The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### MY/User/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/ValidTo +``` + + + + +The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### MY/WSTEP + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP +``` + + + + +The parent node that hosts client certificate that is enrolled via WSTEP, e.g. the certificate that is enrolled during MDM enrollment. + + + + +The nodes under WSTEP are mostly for MDM client certificate renew requests. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### MY/WSTEP/CertThumprint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/CertThumprint +``` + + + + +The thumb print of enrolled MDM client certificate. + + + + +If renewal succeeds, it shows the renewed certificate thumbprint. If renewal fails or is in progress, it shows the thumbprint of the cert that needs to be renewed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### MY/WSTEP/Renew + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew +``` + + + + +The parent node to group renewal related settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Atomic Required | True | + + + + + + + + + +##### MY/WSTEP/Renew/ErrorCode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/ErrorCode +``` + + + + +If certificate renew fails, this node provide the last hresult code during renew process. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +##### MY/WSTEP/Renew/LastRenewalAttemptTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/LastRenewalAttemptTime +``` + + + + +Time of last attempted renew. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | time | +| Access Type | Get | + + + + + + + + + +##### MY/WSTEP/Renew/RenewNow + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RenewNow +``` + + + + +Initiate a renew now. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +##### MY/WSTEP/Renew/RenewPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RenewPeriod +``` + + + + +Specify the number of days prior to the enrollment cert expiration to prompt the user to renew. + + + + +The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. + +The default value is 42 and the valid values are 1-1000. + +> [!NOTE] +> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-1000]` | +| Default Value | 42 | + + + + + + + + + +##### MY/WSTEP/Renew/RetryAfterExpiryInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RetryAfterExpiryInterval +``` + + + + +How long after the enrollment cert has expiried to keep trying to renew. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | time | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### MY/WSTEP/Renew/RetryInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RetryInterval +``` + + + + +Optional. This parameter specifies retry interval when previous renew failed (in days). It applies to both manual cert renewal and ROBO cert renewal. Retry schedule will stop at cert expiration date. For ROBO renewal failure, the client retries the renewal periodically until the device reaches the certificate expiration date. This parameter specifies the waiting period for ROBO renewal retries. For manual retry failure, there are no built-in retries. The user can retry later. At the next scheduled certificate renewal retry period, the device prompts the credential dialog again. The default value is 7 and the valid values are 1 - 1000 AND =< RenewalPeriod, otherwise it will result in errors. Value type is an integer. + + + + +> [!NOTE] +> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-1000]` | +| Default Value | 7 | + + + + + + + + + +##### MY/WSTEP/Renew/ROBOSupport + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/ROBOSupport +``` + + + + +Optional. Notify the client whether enrollment server supports ROBO auto certificate renew. NOTE: This flag is only needed to the device which is MDM enrolled via On-premise authentication method. For MDM enrolled with federated authentication, ROBO is the only supported renewal method. If the server sets this node value to be false or delete this node for federated enrolled device, the configuration will fail with OMA DM error code 405. + + + + +> [!NOTE] +> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true (Default) | True. | + + + + + + + + + +##### MY/WSTEP/Renew/ServerURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/ServerURL +``` + + + + +Optional. Specifies the cert renewal server URL which is the discovery server. + + + + +If this node doesn't exist, the client uses the initial certificate enrollment URL. > [!NOTE] > The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service. + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -**My/WSTEP/Renew/RenewalPeriod** -Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -The default value is 42 and the valid values are 1 – 1000. Value type is an integer. + + + -Supported operations are Add, Get, Delete, and Replace. + -> [!NOTE] -> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + +##### MY/WSTEP/Renew/Status -**My/WSTEP/Renew/RetryInterval** -Optional. Specifies the retry interval (in days) when the previous renewal failed. It applies to both manual certificate renewal and ROBO automatic certificate renewal. The retry schedule stops at the certificate expiration date. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -For ROBO renewal failure, the client retries the renewal periodically until the device reaches the certificate expiration date. This parameter specifies the waiting period for ROBO renewal retries. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/Status +``` + -For manual retry failure, there are no built-in retries. The user can retry later. At the next scheduled certificate renewal retry period, the device prompts the credential dialog again. + + +Show the latest action status for this certificate. Supported values are one of the following: 0 - Not started. 1 - Renewal in progress. 2 - Renewal succeeded. 3 - Renewal failed. + -The default value is 7 and the valid values are 1 – 1000 AND =< RenewalPeriod, otherwise it will result in errors. Value type is an integer. + + + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -> [!NOTE] -> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -**My/WSTEP/Renew/ROBOSupport** -Optional. Notifies the client if the MDM enrollment server supports ROBO auto certificate renewal. Value type is bool. + + + -ROBO is the only supported renewal method for Windows 10. This value is ignored and always considered to be true. + -Supported operations are Add, Get, Delete, and Replace. + +## ROOT -> [!NOTE] -> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**My/WSTEP/Renew/Status** -Required. Shows the latest action status for this certificate. Value type is an integer. + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT +``` + -Supported operation is Get. + + +This store holds only root (self-signed) certificates. + -Supported values are one of the following values: + + + -- 0 – Not started. -- 1 – Renewal in progress. -- 2 – Renewal succeeded. -- 3 – Renewal failed. + +**Description framework properties**: -**My/WSTEP/Renew/ErrorCode** -Optional. If certificate renewal fails, this integer value indicates the HRESULT of the last error code during the renewal process. Value type is an integer. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported operation is Get. + + + -**My/WSTEP/Renew/LastRenewalAttemptTime** -Added in Windows 10, version 1607. Specifies the time of the last attempted renewal. + -Supported operation is Get. + +### ROOT/{CertHash} -**My/WSTEP/Renew/RenewNow** -Added in Windows 10, version 1607. Initiates a renewal now. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Execute. + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash} +``` + -**My/WSTEP/Renew/RetryAfterExpiryInterval** -Added in Windows 10, version 1703. Specifies how long after the enrollment certificate has expired before trying to renew. + + +The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + -Supported operations are Add, Get, and Replace. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. | + + + + + + + + + +#### ROOT/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/EncodedCertificate +``` + + + + +The base64 Encoded X.509 certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### ROOT/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/IssuedBy +``` + + + + +The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### ROOT/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/IssuedTo +``` + + + + +The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### ROOT/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### ROOT/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/ValidFrom +``` + + + + +The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### ROOT/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/ValidTo +``` + + + + +The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### ROOT/System + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System +``` + + + + +This store holds the System portion of the root store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### ROOT/System/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash} +``` + + + + +The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. | + + + + + + + + + +##### ROOT/System/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/EncodedCertificate +``` + + + + +The base64 Encoded X.509 certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### ROOT/System/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/IssuedBy +``` + + + + +The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### ROOT/System/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/IssuedTo +``` + + + + +The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### ROOT/System/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### ROOT/System/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/ValidFrom +``` + + + + +The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### ROOT/System/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/ValidTo +``` + + + + +The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + + ## Examples Add a root certificate to the MDM server. @@ -703,10 +3376,10 @@ Configure the device to automatically renew an MDM client certificate with the s ``` + -## Related topics - -[Configuration service provider reference](index.yml) - + +## Related articles +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md index 638bdd1748..8cf58152f0 100644 --- a/windows/client-management/mdm/certificatestore-ddf-file.md +++ b/windows/client-management/mdm/certificatestore-ddf-file.md 
@@ -1,1670 +1,1747 @@ --- title: CertificateStore DDF file -description: Learn about OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used with OMA DM provisioning XML. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the CertificateStore configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/16/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # CertificateStore DDF file -This topic shows the OMA DM device description framework (DDF) for the **CertificateStore** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the CertificateStore configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + CertificateStore + ./Device/Vendor/MSFT + + + + + + + This object is used to add or delete a security certificate to the device's certificate store. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - CertificateStore - ./Vendor/MSFT + ROOT + + + + + This store holds only root (self-signed) certificates. + + + + + + + + + + + + + + + + - - - - This object is used to add or delete a security certificate to the device's certificate store. - - - - - - - - - - - - + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. 
This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + CertHash + + + + + The SHA1 hash for the certificate. + - ROOT - - - - - This store holds only root (self-signed) certificates. - - - - - - - - - - - - - - - * - - - - - - The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - - - - - EncodedCertificate - - - - - - - The base64 Encoded X.509 certificate. - - - - - - - - - - - text/plain - - - - - IssuedBy - - - - - The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - - - - - - - - text/plain - - - - - - System - - - - - This store holds the System portion of the root store. - - - - - - - - - - - - - - - * - - - - - - The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - - - - - EncodedCertificate - - - - - - - The base64 Encoded X.509 certificate. - - - - - - - - - - - text/plain - - - - - IssuedBy - - - - - The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. 
- - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - - - - - - - - text/plain - - - - - + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. + + + + + + + + + + + + + + + - MY - - - - - This store keeps all end-user personal certificates. - - - - - - - - - - - - - - - User - - - - - This store holds the User portion of the MY store. - - - - - - - - - - - - - - - * - - - - - - The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - - - - - EncodedCertificate - - - - - - - The base64 Encoded X.509 certificate. Note that during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node and properly enroll a client certificate including private needs a cert enroll protocol to handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key. - - - - - - - - - - - text/plain - - - - - IssuedBy - - - - - The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - The name of the certificate subject. 
This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - - - - - - - - text/plain - - - - - - - SCEP - - - - - This store holds the SCEP portion of the MY store and handles operations related to SCEP certificate enrollment. - - - - - - - - - - - - - - - * - - - - - - - The UniqueID for the SCEP enrollment request. Each client certificate should have different unique ID. - - - - - - - - - - - - - - - Install - - - - - The group to represent the install request. - - - - - - - - - - - - - - - ServerURL - - - - - - Specify the cert enrollment server. - - - - - - - - - - - text/plain - - - - - Challenge - - - - - - Enroll requester authentication shared secret. - - - - - - - - - - - text/plain - - - - - EKUMapping - - - - - - Specify extended key usages. The list of OIDs are separated by plus “+”. - - - - - - - - - - - text/plain - - - - - KeyUsage - - - - - - Specify the key usage bits (0x80, 0x20, 0xA0) for the cert. - - - - - - - - - - - text/plain - - - - - SubjectName - - - - - - Specify the subject name. - - - - - - - - - - - text/plain - - - - - KeyProtection - - - - - - Specify where to keep the private key. - - - - - - - - - - - text/plain - - - - - RetryDelay - - - - - - When the SCEP server sends pending status, specify device retry waiting time in minutes. - - - - - - - - - - - text/plain - - - - - RetryCount - - - - - - When the SCEP sends pending status, specify device retry times. 
- - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - Certificate Template Name OID (As in AD used by PKI infrastructure. - - - - - - - - - - - text/plain - - - - - KeyLength - - - - - - Specify private key length (RSA). - - - - - - - - - - - text/plain - - - - - HashAlgrithm - - - - - - Client create Cert enroll request, get supported hash OIalgorithm from SCEP server and match it with one specified in this parameter. - - - - - - - - - - - text/plain - - - - - CAThumbPrint - - - - - - Specify root CA thumbprint. - - - - - - - - - - - text/plain - - - - - SubjectAlternativeNames - - - - - - Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Each pair is separated by semi-comma. - - - - - - - - - - - text/plain - - - - - ValidPeriod - - - - - Specify the period of time that cert is valid. The valid period specified by MDM will overwrite the valid period specified in cert template. - - - - - - - - - - - text/plain - - - - - ValidPeriodUnit - - - - - - Specify valid period unit type. - - - - - - - - - - - text/plain - - - - - Enroll - - - - - Start the cert enrollment. - - - - - - - - - - - text/plain - - - - - - CertThumbPrint - - - - - Specify the current cert’s thumbprint. - - - - - - - - - - - text/plain - - - - - Status - - - - - Specify the latest status for the certificate due to enroll request. - - - - - - - - - - - text/plain - - - - - ErrorCode - - - - - Specify the last hresult in case enroll action failed. - - - - - - - - - - - text/plain - - - - - - - WSTEP - - - - - The parent node that hosts client certificate that is enrolled via WSTEP, e.g. the certificate that is enrolled during MDM enrollment. - - - - - - - - - - - - - - - CertThumprint - - - - - The thumb print of enrolled MDM client certificate. - - - - - - - - - - - text/plain - - - - - Renew - - - - - Under this node are the renew properties. 
- - - - - - - - - - - - - - - RenewPeriod - - - - - - - - Specify the number of days prior to the enrollment cert expiration to prompt the user to renew. - - - - - - - - - - - text/plain - - - - - ServerURL - - - - - - - - Optional. Specifies the cert renewal server URL which is the discovery server. - - - - - - - - - - - text/plain - - - - - RetryInterval - - - - - - - - Optional. This parameter specifies retry interval when previous renew failed (in days). It applies to both manual cert renewal and ROBO cert renewal. Retry schedule will stop at cert expiration date. - - - - - - - - - - - text/plain - - - - - ROBOSupport - - - - - - - - Optional. Notify the client whether enrollment server supports ROBO auto certificate renew. NOTE: This flag is only needed to the device which is MDM enrolled via On-premise authentication method. For MDM enrolled with federated authentication, ROBO is the only supported renewal method. If the server sets this node value to be false or delete this node for federated enrolled device, the configuration will fail with OMA DM error code 405. - - - - - - - - - - - text/plain - - - - - Status - - - - - Show the latest action status for this certificate. - - - - - - - - - - - text/plain - - - - - ErrorCode - - - - - If certificate renew fails, this node provides the last hresult code during renew process. - - - - - - - - - - - text/plain - - - - - LastRenewalAttemptTime - - - - - Time of last attempted renew. - - - - - - - - - - text/plain - - - - - RenewNow - - - - - Initiate a renew now. - - - - - - - - - - - text/plain - - - - - RetryAfterExpiryInterval - - - - - - How long after the enrollment cert has expired to keep trying to renew. - - - - - - - - - - - text/plain - - - - - - - - CA - - - - - This cryptographic store contains intermediary certification authorities. - - - - - - - - - - - - - - - * - - - - - - The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. 
This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - - - - - EncodedCertificate - - - - - - - The base64 Encoded X.509 certificate. - - - - - - - - - - - text/plain - - - - - IssuedBy - - - - - The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - - - - - - - - text/plain - - - - - - System - - - - - This store holds the System portion of the CA store. - - - - - - - - - - - - - - - * - - - - - - The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - - - - - EncodedCertificate - - - - - - - The base64 Encoded X.509 certificate. - - - - - - - - - - - text/plain - - - - - IssuedBy - - - - - The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. 
- - - - - - - - - - - text/plain - - - - - ValidTo - - - - - The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - - - - - - - - text/plain - - - - - + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidFrom + + + + + The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + + + + System + + + + + This store holds the System portion of the root store. + + + + + + + + + + + + + + + + + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + CertHash + + + + + The SHA1 hash for the certificate. + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. + + + + + + + + + + + + + + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidFrom + + + + + The starting date of the certificate's validity. 
This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + + + + + MY + + + + + This store keeps all end-user personal certificates. + + + + + + + + + + + + + + + User + + + + + This store holds the User portion of the MY store. + + + + + + + + + + + + + + + + + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + CertHash + + + + + The SHA1 hash for the certificate. + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. Note that though during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node, properly enroll a client certificate including private needs a cert enroll protocol handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key. + + + + + + + + + + + + + + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidFrom + + + + + The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidTo + + + + + The expiration date of the certificate. 
This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + + + + + SCEP + + + + + This store holds the SCEP portion of the MY store and handle operations related to SCEP certificate enrollment. + + + + + + + + + + + + + + + + + + + + + + + + The UniqueID for the SCEP enrollment request. Each client certificate should have different unique ID. + + + + + + + + + + UniqueID + + + + + + Install + + + + + The group to represent the install request + + + + + + + + + + + + + + + ServerURL + + + + + + Specify the cert enrollment server. + + + + + + + + + + + + + + + + Challenge + + + + + + Enroll requester authentication shared secret. + + + + + + + + + + + + + + + + EKUMapping + + + + + + Specify extended key usages. The list of OIDs are separated by plus “+”. + + + + + + + + + + + + + + + + KeyUsage + + + + + + Specify the key usage bits (0x80, 0x20, 0xA0) for the cert. + + + + + + + + + + + + + + + + SubjectName + + + + + + Specify the subject name. + + + + + + + + + + + + + + + + KeyProtection + + + + + + Specify where to keep the private key. + + + + + + + + + + + + + + + + RetryDelay + + + + + + When the SCEP server sends pending status, specify device retry waiting time in minutes. + + + + + + + + + + + + + + + + RetryCount + + + + + + When the SCEP sends pending status, specify device retry times. + + + + + + + + + + + + + + + + TemplateName + + + + + + Certificate Template Name OID (As in AD used by PKI infrastructure. + + + + + + + + + + + + + + + + KeyLength + + + + + + Specify private key length (RSA). + + + + + + + + + + + + + + + + HashAlgrithm + + + + + + Client create Cert enroll request, get supported hash OIalgorithm from SCEP server and match it with one specified in this parameter. + + + + + + + + + + + + + + + + CAThumbPrint + + + + + + Specify root CA thumbprint. 
+ + + + + + + + + + + + + + + + SubjectAlternativeNames + + + + + + Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Each pair is separated by semi-comma. + + + + + + + + + + + + + + + + ValidPeriod + + + + + Specify the period of time that cert is valid. The valid period specified by MDM will overwrite the valid period specified in cert template. + + + + + + + + + + + + + + + + ValidPeriodUnit + + + + + + Specify valid period unit type. + + + + + + + + + + + + + + + + Enroll + + + + + Start the cert enrollment. + + + + + + + + + + + + + + + + + CertThumbPrint + + + + + Specify the current cert’s thumbprint. + + + + + + + + + + + + + + + + Status + + + + + Specify the latest status for the certificate due to enroll request. + + + + + + + + + + + + + + + + ErrorCode + + + + + Specify the last hresult in case enroll action failed. + + + + + + + + + + + + + + + + + + WSTEP + + + + + The parent node that hosts client certificate that is enrolled via WSTEP, e.g. the certificate that is enrolled during MDM enrollment. + + + + + + + + + + + + + + + CertThumprint + + + + + The thumb print of enrolled MDM client certificate. + + + + + + + + + + + + + + + + Renew + + + + + The parent node to group renewal related settings. + + + + + + + + + + + + + + + + RenewPeriod + + + + + + + + 42 + Specify the number of days prior to the enrollment cert expiration to prompt the user to renew. + + + + + + + + + + + + + + [1-1000] + + + + + ServerURL + + + + + + + + Optional. Specifies the cert renewal server URL which is the discovery server. + + + + + + + + + + + + + + + + + + RetryInterval + + + + + + + + 7 + + + + + + + + + + + + + + + [1-1000] + + + + + ROBOSupport + + + + + + + + true + Optional. Notify the client whether enrollment server supports ROBO auto certificate renew. NOTE: This flag is only needed to the device which is MDM enrolled via On-premise authentication method. 
For MDM enrolled with federated authentication, ROBO is the only supported renewal method. If the server sets this node value to be false or delete this node for federated enrolled device, the configuration will fail with OMA DM error code 405. + + + + + + + + + + + + + + + true + True + + + + + + Status + + + + + Show the latest action status for this certificate. Supported values are one of the following: 0 – Not started. 1 – Renewal in progress. 2 – Renewal succeeded. 3 – Renewal failed. + + + + + + + + + + + + + + + + ErrorCode + + + + + If certificate renew fails, this node provide the last hresult code during renew process. + + + + + + + + + + + + + + + + LastRenewalAttemptTime + + + + + Time of last attempted renew + + + + + + + + + + + + + 10.0.14393 + 1.0 + + + + + RenewNow + + + + + Initiate a renew now + + + + + + + + + + + + + + 10.0.14393 + 1.0 + + + + + RetryAfterExpiryInterval + + + + + + + How long after the enrollment cert has expiried to keep trying to renew + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + + + + + + + CA + + + + + This cryptographic store contains intermediary certification authorities. + + + + + + + + + + + + + + + + + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + CertHash + + + + + The SHA1 hash for the certificate. + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate + + + + + + + + + + + + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidFrom + + + + + The starting date of the certificate's validity. 
This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + + + + System + + + + + This store holds the System portion of the CA store. + + + + + + + + + + + + + + + + + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + CertHash + + + + + The SHA1 hash for the certificate. + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. + + + + + + + + + + + + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidFrom + + + + + The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles -[CertificateStore configuration service provider](certificatestore-csp.md) \ No newline at end of file +[CertificateStore configuration service provider reference](certificatestore-csp.md) 
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index c1574476c9..630acc3431 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -1,717 +1,3527 @@ --- title: ClientCertificateInstall CSP -description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates. -ms.reviewer: +description: Learn more about the ClientCertificateInstall CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/30/2021 +ms.topic: reference --- + + + # ClientCertificateInstall CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|---|---|---| -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. -For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure that enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block. +> [!NOTE] +> For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure that enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block. + -> [!Note] -> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store, both certificates are sent to the device in the same MDM payload and the certificate intended for the device store will also get installed in the user store. 
This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. + +The following list shows the ClientCertificateInstall configuration service provider nodes: -You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. +- ./Device/Vendor/MSFT/ClientCertificateInstall + - [PFXCertInstall](#devicepfxcertinstall) + - [{UniqueID}](#devicepfxcertinstalluniqueid) + - [ContainerName](#devicepfxcertinstalluniqueidcontainername) + - [KeyLocation](#devicepfxcertinstalluniqueidkeylocation) + - [PFXCertBlob](#devicepfxcertinstalluniqueidpfxcertblob) + - [PFXCertPassword](#devicepfxcertinstalluniqueidpfxcertpassword) + - [PFXCertPasswordEncryptionStore](#devicepfxcertinstalluniqueidpfxcertpasswordencryptionstore) + - [PFXCertPasswordEncryptionType](#devicepfxcertinstalluniqueidpfxcertpasswordencryptiontype) + - [PFXKeyExportable](#devicepfxcertinstalluniqueidpfxkeyexportable) + - [Status](#devicepfxcertinstalluniqueidstatus) + - [Thumbprint](#devicepfxcertinstalluniqueidthumbprint) + - [SCEP](#devicescep) + - [{UniqueID}](#devicescepuniqueid) + - [CertThumbprint](#devicescepuniqueidcertthumbprint) + - [ErrorCode](#devicescepuniqueiderrorcode) + - [Install](#devicescepuniqueidinstall) + - [AADKeyIdentifierList](#devicescepuniqueidinstallaadkeyidentifierlist) + - [CAThumbprint](#devicescepuniqueidinstallcathumbprint) + - [Challenge](#devicescepuniqueidinstallchallenge) + - [ContainerName](#devicescepuniqueidinstallcontainername) + - [CustomTextToShowInPrompt](#devicescepuniqueidinstallcustomtexttoshowinprompt) + - [EKUMapping](#devicescepuniqueidinstallekumapping) + - [Enroll](#devicescepuniqueidinstallenroll) + - [HashAlgorithm](#devicescepuniqueidinstallhashalgorithm) + - [KeyLength](#devicescepuniqueidinstallkeylength) + - [KeyProtection](#devicescepuniqueidinstallkeyprotection) + - [KeyUsage](#devicescepuniqueidinstallkeyusage) + - 
[RetryCount](#devicescepuniqueidinstallretrycount) + - [RetryDelay](#devicescepuniqueidinstallretrydelay) + - [ServerURL](#devicescepuniqueidinstallserverurl) + - [SubjectAlternativeNames](#devicescepuniqueidinstallsubjectalternativenames) + - [SubjectName](#devicescepuniqueidinstallsubjectname) + - [TemplateName](#devicescepuniqueidinstalltemplatename) + - [ValidPeriod](#devicescepuniqueidinstallvalidperiod) + - [ValidPeriodUnits](#devicescepuniqueidinstallvalidperiodunits) + - [RespondentServerUrl](#devicescepuniqueidrespondentserverurl) + - [Status](#devicescepuniqueidstatus) +- ./User/Vendor/MSFT/ClientCertificateInstall + - [PFXCertInstall](#userpfxcertinstall) + - [{UniqueID}](#userpfxcertinstalluniqueid) + - [ContainerName](#userpfxcertinstalluniqueidcontainername) + - [KeyLocation](#userpfxcertinstalluniqueidkeylocation) + - [PFXCertBlob](#userpfxcertinstalluniqueidpfxcertblob) + - [PFXCertPassword](#userpfxcertinstalluniqueidpfxcertpassword) + - [PFXCertPasswordEncryptionStore](#userpfxcertinstalluniqueidpfxcertpasswordencryptionstore) + - [PFXCertPasswordEncryptionType](#userpfxcertinstalluniqueidpfxcertpasswordencryptiontype) + - [PFXKeyExportable](#userpfxcertinstalluniqueidpfxkeyexportable) + - [Status](#userpfxcertinstalluniqueidstatus) + - [Thumbprint](#userpfxcertinstalluniqueidthumbprint) + - [SCEP](#userscep) + - [{UniqueID}](#userscepuniqueid) + - [CertThumbprint](#userscepuniqueidcertthumbprint) + - [ErrorCode](#userscepuniqueiderrorcode) + - [Install](#userscepuniqueidinstall) + - [AADKeyIdentifierList](#userscepuniqueidinstallaadkeyidentifierlist) + - [CAThumbprint](#userscepuniqueidinstallcathumbprint) + - [Challenge](#userscepuniqueidinstallchallenge) + - [ContainerName](#userscepuniqueidinstallcontainername) + - [CustomTextToShowInPrompt](#userscepuniqueidinstallcustomtexttoshowinprompt) + - [EKUMapping](#userscepuniqueidinstallekumapping) + - [Enroll](#userscepuniqueidinstallenroll) + - 
[HashAlgorithm](#userscepuniqueidinstallhashalgorithm) + - [KeyLength](#userscepuniqueidinstallkeylength) + - [KeyProtection](#userscepuniqueidinstallkeyprotection) + - [KeyUsage](#userscepuniqueidinstallkeyusage) + - [RetryCount](#userscepuniqueidinstallretrycount) + - [RetryDelay](#userscepuniqueidinstallretrydelay) + - [ServerURL](#userscepuniqueidinstallserverurl) + - [SubjectAlternativeNames](#userscepuniqueidinstallsubjectalternativenames) + - [SubjectName](#userscepuniqueidinstallsubjectname) + - [TemplateName](#userscepuniqueidinstalltemplatename) + - [ValidPeriod](#userscepuniqueidinstallvalidperiod) + - [ValidPeriodUnits](#userscepuniqueidinstallvalidperiodunits) + - [RespondentServerUrl](#userscepuniqueidrespondentserverurl) + - [Status](#userscepuniqueidstatus) + -The following example shows the ClientCertificateInstall configuration service provider in tree format. + +## Device/PFXCertInstall -```console -./Vendor/MSFT -ClientCertificateInstall -----PFXCertInstall ---------UniqueID -------------KeyLocation -------------ContainerName -------------PFXCertBlob -------------PFXCertPassword -------------PFXCertPasswordEncryptionType -------------PFXKeyExportable -------------Thumbprint -------------Status -------------PFXCertPasswordEncryptionStore (Added in Windows 10, version 1511) -----SCEP ---------UniqueID -------------Install -----------------ServerURL -----------------Challenge -----------------EKUMapping -----------------KeyUsage -----------------SubjectName -----------------KeyProtection -----------------RetryDelay -----------------RetryCount -----------------TemplateName -----------------KeyLength -----------------HashAlgorithm -----------------CAThumbprint -----------------SubjectAlternativeNames -----------------ValidPeriod -----------------ValidPeriodUnits -----------------ContainerName -----------------CustomTextToShowInPrompt -----------------Enroll -----------------AADKeyIdentifierList (Added in Windows 10, version 1703) 
-------------CertThumbprint -------------Status -------------ErrorCode -------------RespondentServerUrl + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall ``` + -**Device or User** -For device certificates, use ./Device/Vendor/MSFT path and for user certificates use ./User/Vendor/MSFT path. + + +Required for PFX certificate installation. The parent node grouping the PFX cert related settings. + -**ClientCertificateInstall** -The root node for the ClientCertificateInstaller configuration service provider. + + + -**ClientCertificateInstall/PFXCertInstall** -Required for PFX certificate installation. The parent node grouping the PFX certificate related settings. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**ClientCertificateInstall/PFXCertInstall/***UniqueID* + + + + + + + +### Device/PFXCertInstall/{UniqueID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID} +``` + + + + Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. +Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. + -The data type format is node. + + + -Supported operations are Get, Add, and Replace. + +**Description framework properties**: -Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation** + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/ContainerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/ContainerName +``` + + + + +Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/KeyLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/KeyLocation +``` + + + + Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. + -Supported operations are Get, Add, and Replace. + + + -The data type is an integer corresponding to one of the following values: + +**Description framework properties**: -| Value | Description | -|-------|---------------------------------------------------------------------------------------------------------------| -| 1 | Install to TPM if present, fail if not present. | -| 2 | Install to TPM if present. If not present, fall back to software. | -| 3 | Install to software. | -| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified. | +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | + -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** -Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node isn't specified when Windows Hello for Business KSP is chosen, enrollment will fail. + +**Allowed values**: -Date type is string. +| Value | Description | +|:--|:--| +| 1 | Install to TPM if present, fail if not present. | +| 2 | Install to TPM if present. If not present, fallback to software. | +| 3 | Install to software. | +| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified. | + -Supported operations are Get, Add, Delete, and Replace. 
+ + + -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob** -CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This Add operation requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before the Add operation is called. This trigger for addition also sets the Status node to the current Status of the operation. + -The data type format is binary. + +#### Device/PFXCertInstall/{UniqueID}/PFXCertBlob -Supported operations are Get, Add, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten. + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertBlob +``` + -If Add is called on this node for a new PFX, the certificate will be added. When a certificate doesn't exist, Replace operation on this node will fail. + + +Required. +[CRYPT_DATA_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)) structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. +If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. +If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. +In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate -In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)). 
+ -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword** + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bin | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/PFXCertPassword + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPassword +``` + + + + Password that protects the PFX blob. This is required if the PFX is password protected. - -Data Type is a string. - -Supported operations are Get, Add, and Replace. - -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType** -Optional. Used to specify whether the PFX certificate password is encrypted with the MDM certificate by the MDM server. - -The data type is int. Valid values: - -- 0 - Password isn't encrypted. -- 1 - Password is encrypted with the MDM certificate. -- 2 - Password is encrypted with custom certificate. - -When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting. - -Supported operations are Get, Add, and Replace. - -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable** -Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX isn't exportable when it's installed to TPM. - -> [!Note] -> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. - -The data type bool. - -Supported operations are Get, Add, and Replace. - -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint** -Returns the thumbprint of the installed PFX certificate. - -The datatype is a string. - -Supported operation is Get. - -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status** -Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. - -Data type is an integer. - -Supported operation is Get. - -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore** -Added in Windows 10, version 1511. 
When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword. - -Data type is string. - -Supported operations are Add, Get, and Replace. - -**ClientCertificateInstall/SCEP** -Node for SCEP. - -> [!Note] -> An alert is sent after the SCEP certificate is installed. - -**ClientCertificateInstall/SCEP/***UniqueID* -A unique ID to differentiate different certificate installation requests. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install** -A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests. - -Supported operations are Get, Add, Replace, and Delete. - -> [!Note] -> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and ensure the device isn't at an unknown state before changing child node values. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** -Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. - -Data type is string. - -Supported operations are Get, Add, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge** -Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted. - -Data type is string. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping** -Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs is separated by a plus +. For example, OID1+OID2+OID3. - -Data type is string. 
- -Supported operations are Get, Add, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName** -Required. Specifies the subject name. - -The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;”). - -For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). - -Data type is string. - -Supported operations are Add, Get, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection** -Optional. Specifies where to keep the private key. - -> [!Note] -> Even if the private key is protected by TPM, it isn't protected with a TPM PIN. - -The data type is an integer corresponding to one of the following values: - -| Value | Description | -|---|---| -| 1 | Private key protected by TPM. | -| 2 | Private key protected by phone TPM if the device supports TPM. | -| 3 | (Default) Private key saved in software KSP. | -| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. | - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** -Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. - -Data type is int. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay** -Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes. - -Data type format is an integer. - -The default value is 5. - -The minimum value is 1. 
- -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount** -Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status. - -Data type is integer. - -Default value is 3. - -Maximum value is 30. If the value is larger than 30, the device will use 30. - -Minimum value is 0, which indicates no retry. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName** -Optional. OID of certificate template name. - -> [!Note] -> This name is typically ignored by the SCEP server; therefore the MDM server typically doesn’t need to provide it. - -Data type is string. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength** -Required for enrollment. Specify private key length (RSA). - -Data type is integer. - -Valid values are 1024, 2048, and 4096. - -For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm** -Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with +. - -For Windows Hello for Business, only SHA256 is the supported algorithm. - -Data type is string. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint** -Required. Specifies Root CA thumbprint. This thumbprint is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it isn't a match, the authentication will fail. - -Data type is string. 
- -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames** -Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. For more information, see the name type definitions in MSDN. - -Each pair is separated by semicolon. For example, multiple SANs are presented in the format of [name format1]+[actual name1];[name format 2]+[actual name2]. - -Data type is string. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod** -Optional. Specifies the units for the valid certificate period. - -Data type is string. - -Valid values are: - -- Days (Default) -- Months -- Years + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionStore +``` + + + + +Optional. +When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | +| Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType`
    Dependency Allowed Value: `[2]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionType +``` + + + + +Optional. Used to specify if the PFX certificate password is encrypted with a certificate. +If the value is +0 - Password is not encrypted +1- Password is encrypted using the MDM certificate by the MDM server +2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Password is not encrypted. | +| 1 | Password is encrypted with the MDM certificate. | +| 2 | Password is encrypted with custom certificate. | + + + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/PFXKeyExportable + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXKeyExportable +``` + + + + +Optional. Used to specify if the private key installed is exportable (can be exported later). + + + + +The PFX isn't exportable when it's installed to TPM. > [!NOTE] -> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. +> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits** -Optional. Specifies the desired number of units used in the validity period. This number is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) is defined in the ValidPeriod node. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | +| Default Value | true | +| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation`
    Dependency Allowed Value: `[3]`
    Dependency Allowed Value Type: `Range`
    | + -> [!Note] -> The valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + +**Allowed values**: -Data type is string. +| Value | Description | +|:--|:--| +| false | False. | +| true (Default) | True. | + -> [!Note] -> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. + + + -Supported operations are Add, Get, Delete, and Replace. + -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName** -Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node isn't specified when Windows Hello for Business KSP is chosen, the enrollment will fail. + +#### Device/PFXCertInstall/{UniqueID}/Status -Data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/Status +``` + -**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt** -Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for. + + +Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. + -Data type is string. + + + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll** -Required. Triggers the device to start the certificate enrollment. The device won't notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -The date type format is Null, meaning this node doesn’t contain a value. + + + -The only supported operation is Execute. + -**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList** -Optional. Specify the Azure Active Directory Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the Azure AD Key present on the device. If no match is found, enrollment will fail. + +#### Device/PFXCertInstall/{UniqueID}/Thumbprint -Data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/Thumbprint +``` + -**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint** -Optional. Specifies the current certificate’s thumbprint if certificate enrollment succeeds. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + + +Returns the thumbprint of the PFX certificate installed. + -If the certificate on the device becomes invalid (Cert expired, Cert chain isn't valid, private key deleted) then it will return an empty string. + + + -Data type is string. + +**Description framework properties**: -The only supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**ClientCertificateInstall/SCEP/*UniqueID*/Status** -Required. Specifies latest status of the certificated during the enrollment request. + + + -Data type is string. Valid values: + -The only supported operation is Get. + +## Device/SCEP -| Value | Description | -|-------|---------------------------------------------------------------------------------------------------| -| 1 | Finished successfully | -| 2 | Pending (the device hasn’t finished the action but has received the SCEP server pending response) | -| 16 | Action failed | -| 32 | Unknown | + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode** -Optional. An integer value that indicates the HRESULT of the last enrollment error code. + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP +``` + -The only supported operation is Get. + + +Node for SCEP. An alert is sent after the SCEP certificate is installed. + -**ClientCertificateInstall/SCEP/*UniqueID*/RespondentServerUrl** + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/SCEP/{UniqueID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID} +``` + + + + +Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. +Calling Delete on the this node, should delete the corresponding SCEP certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### Device/SCEP/{UniqueID}/CertThumbprint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/CertThumbprint +``` + + + + +Optional. Specify the current cert's thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + + + + +> [!NOTE] +> If the certificate on the device becomes invalid (Cert expired, Cert chain isn't valid, private key deleted, etc.) then it will return an empty string. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/SCEP/{UniqueID}/ErrorCode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/ErrorCode +``` + + + + +Optional. The integer value that indicates the HRESULT of the last enrollment error code. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/SCEP/{UniqueID}/Install + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install +``` + + + + +Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/AADKeyIdentifierList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/AADKeyIdentifierList +``` + + + + +Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/CAThumbprint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/CAThumbprint +``` + + + + +Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If no match is found, authentication will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/Challenge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/Challenge +``` + + + + +Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge will be deleted shortly after the Exec command is accepted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/ContainerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ContainerName +``` + + + + +Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/CustomTextToShowInPrompt + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/CustomTextToShowInPrompt +``` + + + + +Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/EKUMapping + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/EKUMapping +``` + + + + +Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus "+". Sample format: OID1+OID2+OID3. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/Enroll + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/Enroll +``` + + + + +Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/HashAlgorithm + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/HashAlgorithm +``` + + + + +Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + +For NGC, only SHA256 is supported as the supported algorithm. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/KeyLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyLength +``` + + + + +Required for enrollment. Specify private key length (RSA). +Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. + + + + +> [!NOTE] +> For Windows Hello for Business (formerly known as Microsoft Passport for Work) , 2048 is the only supported key length. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1024 | 1024. | +| 2048 | 2048. | +| 4096 | 4096. | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/KeyProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyProtection +``` + + + + +Optional. Specify where to keep the private key. **Note** that even it is protected by TPM, it is not guarded with TPM PIN. +SCEP enrolled cert doesn't support TPM PIN protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Private key protected by TPM. | +| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. | +| 3 (Default) | (Default) Private key saved in software KSP. | +| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/KeyUsage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyUsage +``` + + + + +Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/RetryCount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/RetryCount +``` + + + + +Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. +The min value is 0 which means no retry. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 3 | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/RetryDelay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/RetryDelay +``` + + + + +Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + +Default value is: 5 +The min value is 1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 5 | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/ServerURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ServerURL +``` + + + + +Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/SubjectAlternativeNames + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/SubjectAlternativeNames +``` + + + + +Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2]. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/SubjectName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/SubjectName +``` + + + + +Required. Specify the subject name. The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: ("," "=" "+" ";" ). + + + + +For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/TemplateName +``` + + + + +Optional. OID of certificate template name. **Note** that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn't need to provide it. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/ValidPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ValidPeriod +``` + + + + +Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. +MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) the SCEP server as part of certificate enrollment request. It is the server's decision on how to use this valid period to create the certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | Days | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| Days (Default) | Days. | +| Months | Months. | +| Years | Years. | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/ValidPeriodUnits + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ValidPeriodUnits +``` + + + + +Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. **Note** the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + +> [!NOTE] +> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) the SCEP server as part of certificate enrollment request. It is the server's decision on how to use this valid period to create the certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + + + + + + + +#### Device/SCEP/{UniqueID}/RespondentServerUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/RespondentServerUrl +``` + + + + Required. Returns the URL of the SCEP server that responded to the enrollment request. + -Data type is string. + + + -The only supported operation is Get. + +**Description framework properties**: -## Example +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Enroll a client certificate through SCEP. + + + -```xml - - - - - 301 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/ - - - node - - - - - 302 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/RetryCount - - - int - - 1 - - - - 303 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/RetryDelay - - - int - - 1 - - - - 304 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyUsage - - - int - - 160 - - - - 305 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyLength - - - int - - 1024 - - - - 306 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/HashAlgorithm - - - chr - - SHA-1 - - - - 307 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/SubjectName - - - chr - - CN=ContosoCSP - - - - 308 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/SubjectAlternativeNames - - - chr - - - - - - 309 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ValidPeriod - - - chr - - Years - - - - 310 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ValidPeriodUnits - - - int - - 1 - - - - 311 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/EKUMapping - - - chr - - 1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2 - - - - 312 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyProtection - - - int - - 3 - - - - 313$ - - - 
./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ServerURL - - - chr - - http://constoso.com/certsrv/mscep/mscep.dll - - - - 314 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/Challenge - - - chr - - 1234CB055B7EBF384A9486A22B7559A5 - - - - 315 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/CAThumbprint - - - chr - - 12345087E648875D1DF5D9F9FF89DD10 - - - - 316 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/Enroll - - - - + + + +#### Device/SCEP/{UniqueID}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Status
+```
+
+
+
+
+Required. Specify the latest status for the certificate due to enroll request.
+Valid values are:
+1 - finished successfully
+2 - pending (the device hasn't finished the action but has received the SCEP server pending response)
+32 - unknown
+16 - action failed.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## User/PFXCertInstall
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall
+```
+
+
+
+
+Required for PFX certificate installation. The parent node grouping the PFX cert related settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### User/PFXCertInstall/{UniqueID}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}
+```
+
+
+
+
+Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
+Format is node.
+Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+| Atomic Required | True |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+
+
+
+
+
+
+
+
+
+#### User/PFXCertInstall/{UniqueID}/ContainerName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/ContainerName
+```
+
+
+
+
+Optional.
+Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### User/PFXCertInstall/{UniqueID}/KeyLocation
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/KeyLocation
+```
+
+
+
+
+Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Install to TPM if present, fail if not present. |
+| 2 | Install to TPM if present. If not present, fallback to software. |
+| 3 | Install to software. |
+| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified. |
+
+
+
+
+
+
+
+
+
+#### User/PFXCertInstall/{UniqueID}/PFXCertBlob
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertBlob
+```
+
+
+
+
+Required.
+[CRYPT_DATA_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)) structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation.
+If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten.
+If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail.
+In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bin |
+| Access Type | Add, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### User/PFXCertInstall/{UniqueID}/PFXCertPassword
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPassword
+```
+
+
+
+
+Password that protects the PFX blob. This is required if the PFX is password protected.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### User/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionStore
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionStore
+```
+
+
+
+
+Optional.
+When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Get, Replace |
+| Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType`
    Dependency Allowed Value: `[2]`
    Dependency Allowed Value Type: `Range`
    |
+
+
+
+
+
+
+
+
+
+#### User/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionType
+```
+
+
+
+
+Optional. Used to specify if the PFX certificate password is encrypted with a certificate.
+If the value is
+0 - Password is not encrypted
+1- Password is encrypted using the MDM certificate by the MDM server
+2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Password is not encrypted. |
+| 1 | Password is encrypted with the MDM certificate. |
+| 2 | Password is encrypted with custom certificate. |
+
+
+
+
+
+
+
+
+
+#### User/PFXCertInstall/{UniqueID}/PFXKeyExportable
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXKeyExportable
+```
+
+
+
+
+Optional. Used to specify if the private key installed is exportable (can be exported later).
+
+
+
+
+> [!NOTE]
+> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Get, Replace |
+| Default Value | true |
+| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation`
    Dependency Allowed Value: `[3]`
    Dependency Allowed Value Type: `Range`
    |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | False. |
+| true (Default) | True. |
+
+
+
+
+
+
+
+
+
+#### User/PFXCertInstall/{UniqueID}/Status
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/Status
+```
+
+
+
+
+Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/PFXCertInstall/{UniqueID}/Thumbprint
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/Thumbprint
+```
+
+
+
+
+Returns the thumbprint of the PFX certificate installed.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## User/SCEP
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP
+```
+
+
+
+
+Node for SCEP. An alert is sent after the SCEP certificate is installed.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### User/SCEP/{UniqueID}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}
+```
+
+
+
+
+Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
+Calling Delete on the this node, should delete the corresponding SCEP certificate.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+| Atomic Required | True |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+
+
+
+
+
+
+
+
+
+#### User/SCEP/{UniqueID}/CertThumbprint
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/CertThumbprint
+```
+
+
+
+
+Optional. Specify the current cert's thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.
+
+
+
+
+> [!NOTE]
+> If the certificate on the device becomes invalid (Cert expired, Cert chain isn't valid, private key deleted, etc.) then it will return an empty string.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/SCEP/{UniqueID}/ErrorCode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/ErrorCode
+```
+
+
+
+
+Optional. The integer value that indicates the HRESULT of the last enrollment error code.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/SCEP/{UniqueID}/Install
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install
+```
+
+
+
+
+Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/AADKeyIdentifierList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/AADKeyIdentifierList
+```
+
+
+
+
+Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/CAThumbprint
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/CAThumbprint
+```
+
+
+
+
+Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If no match is found, authentication will fail.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/Challenge
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/Challenge
+```
+
+
+
+
+Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge will be deleted shortly after the Exec command is accepted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/ContainerName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ContainerName
+```
+
+
+
+
+Optional.
+Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/CustomTextToShowInPrompt
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/CustomTextToShowInPrompt
+```
+
+
+
+
+Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/EKUMapping
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/EKUMapping
+```
+
+
+
+
+Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus "+". Sample format: OID1+OID2+OID3.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/Enroll
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/Enroll
+```
+
+
+
+
+Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | null |
+| Access Type | Exec |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/HashAlgorithm
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/HashAlgorithm +``` + + + + +Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + +For NGC, only SHA256 is supported as the supported algorithm. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/KeyLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyLength
+```
+
+
+
+
+Required for enrollment. Specify private key length (RSA).
+Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength.
+
+
+
+
+> [!NOTE]
+> For Windows Hello for Business (formerly known as Microsoft Passport for Work) , 2048 is the only supported key length.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1024 | 1024. |
+| 2048 | 2048. |
+| 4096 | 4096. |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/KeyProtection
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyProtection
+```
+
+
+
+
+Optional. Specify where to keep the private key. **Note** that even it is protected by TPM, it is not guarded with TPM PIN.
+SCEP enrolled cert doesn't support TPM PIN protection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 3 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Private key protected by TPM. |
+| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. |
+| 3 (Default) | (Default) Private key saved in software KSP. |
+| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/KeyUsage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyUsage
+```
+
+
+
+
+Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/RetryCount
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/RetryCount
+```
+
+
+
+
+Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30.
+The min value is 0 which means no retry.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-30]` |
+| Default Value | 3 |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/RetryDelay
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/RetryDelay
+```
+
+
+
+
+Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes.
+
+Default value is: 5
+The min value is 1.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+| Default Value | 5 |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/ServerURL
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ServerURL
+```
+
+
+
+
+Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/SubjectAlternativeNames
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/SubjectAlternativeNames
+```
+
+
+
+
+Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2].
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/SubjectName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/SubjectName
+```
+
+
+
+
+Required. Specify the subject name. The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: ("," "=" "+" ";" ).
+
+
+
+
+For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/TemplateName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/TemplateName
+```
+
+
+
+
+Optional. OID of certificate template name. **Note** that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn't need to provide it.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/ValidPeriod
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ValidPeriod
+```
+
+
+
+
+Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years.
+MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) the SCEP server as part of certificate enrollment request. It is the server's decision on how to use this valid period to create the certificate.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | Days |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| Days (Default) | Days. |
+| Months | Months. |
+| Years | Years. |
+
+
+
+
+
+
+
+
+
+##### User/SCEP/{UniqueID}/Install/ValidPeriodUnits
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ValidPeriodUnits
+```
+
+
+
+
+Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. **Note** the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
+
+> [!NOTE]
+> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) the SCEP server as part of certificate enrollment request. It is the server's decision on how to use this valid period to create the certificate.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+#### User/SCEP/{UniqueID}/RespondentServerUrl
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/RespondentServerUrl
+```
+
+
+
+
+Required. Returns the URL of the SCEP server that responded to the enrollment request.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### User/SCEP/{UniqueID}/Status
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Status +``` + + + + +Required. Specify the latest status for the certificate due to enroll request. +Valid values are: +1 - finished successfully +2 - pending (the device hasn't finished the action but has received the SCEP server pending response) +32 - unknown +16 - action failed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + + +## Examples + +- Enroll a client certificate through SCEP. + + ```xml + + + + + 301 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/ + + + node + + + + + 302 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/RetryCount + + + int + + 1 + + + + 303 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/RetryDelay + + + int + + 1 + + + + 304 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyUsage + + + int + + 160 + + + + 305 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyLength + + + int + + 1024 + + + + 306 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/HashAlgorithm + + + chr + + SHA-1 + + + + 307 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/SubjectName + + + chr + + CN=ContosoCSP + + + + 308 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/SubjectAlternativeNames + + + chr + + + + + + 309 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ValidPeriod + + + chr + + Years + + + + 310 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ValidPeriodUnits + + + int + + 1 + + + + 311 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/EKUMapping + + + chr + + 1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2 + + + + 312 + + + 
./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyProtection + + + int + + 3 + + + + 313$ + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ServerURL + + + chr + + http://constoso.com/certsrv/mscep/mscep.dll + + + + 314 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/Challenge + + + chr + + 1234CB055B7EBF384A9486A22B7559A5 + + + + 315 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/CAThumbprint + + + chr + + 12345087E648875D1DF5D9F9FF89DD10 + + + + 316 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/Enroll + + + + + + + + ``` + +- Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate from "My" store. + + ```xml + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C + + + + + $CmdID$ + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/KeyLocation + + + int + + 2 + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertBlob + + + chr + + Base64_Encode_Cert_Blob + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPassword + + + chr + + Base64Encoded_Encrypted_Password_Blog + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionType + + + int + + 2 + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionStore + + + chr + + My + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXKeyExportable + + + bool + + true + + + - - -``` +
    +
    + ``` + -Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate from "My" store. + -```xml - - - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C - - - - - $CmdID$ - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/KeyLocation - - - int - - 2 - - - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertBlob - - - chr - - Base64_Encode_Cert_Blob - - - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPassword - - - chr - - Base64Encoded_Encrypted_Password_Blog - - - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionType - - - int - - 2 - - - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionStore - - - chr - - My - - +## Related articles - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXKeyExportable - - - bool - - true - - - - - - -``` - -## Related topics - -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 8d8a117d95..08abb4da3e 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md 
@@ -1,1055 +1,2198 @@ --- title: ClientCertificateInstall DDF file -description: Learn about the OMA DM device description framework (DDF) for the ClientCertificateInstall configuration service provider. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the ClientCertificateInstall configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/24/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # ClientCertificateInstall DDF file -This topic shows the OMA DM device description framework (DDF) for the **ClientCertificateInstall** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the ClientCertificateInstall configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + ClientCertificateInstall + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - ClientCertificateInstall - ./Vendor/MSFT + PFXCertInstall + + + + + Required for PFX certificate installation. The parent node grouping the PFX cert related settings. + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - com.microsoft/1.1/MDM/ClientCertificateInstall - - - - PFXCertInstall - - - - - Required for PFX certificate installation. The parent node grouping the PFX cert related settings. Supported operation is Get. - - - - - - - - - - - - - - - - - - - - - - - Required for PFX certificate installation. 
A unique ID to differentiate different certificate install requests. -Format is node. -Supported operations are Get, Add, Delete + + + + + + + Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. - - - - - - - - - - UniqueID - - - - - - KeyLocation - - - - - - - Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation. Supported operations are Get, Add. - Datatype will be int -1- Install to TPM, fail if not present -2 – Install to TPM if present, if not present fallback to Software -3 – Install to software -4 – Install to NGC container whose name is specified - - - - - - - - - - - - text/plain - - - - - ContainerName - - - - - - - Optional. -Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. -Format is chr. -Supported operations are Get, Add, Delete and Replace. - - - - - - - - - - - - text/plain - - - - - PFXCertBlob - - - - - - - Required. + + + + + + + + + + UniqueID + + + + + + + + + + KeyLocation + + + + + + + Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. + + + + + + + + + + + + + + + 1 + Install to TPM if present, fail if not present. + + + 2 + Install to TPM if present. If not present, fallback to software. + + + 3 + Install to software. + + + 4 + Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified + + + + + + ContainerName + + + + + + + Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + + + + + + + + + + + + PFXCertBlob + + + + + + + Required. 
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. -Format is Binary64. -Supported operations are Get, Add, Replace. If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate -CRYPT_DATA_BLOB on MSDN can be found at https://msdn.microsoft.com/library/windows/desktop/aa381414(v=vs.85).aspx +CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/windows/desktop/aa381414(v=vs.85).aspx - - - - - - - - - - - text/plain - - - - - PFXCertPassword - - - - - - - -Required if PFX is password protected. -Password that protects the PFX blob. -Format is chr. Supported operations are Add, Get. - - - - - - - - - - - - text/plain - - - - - PFXCertPasswordEncryptionType - - - - - - - 0 - Optional. Used to specify if the PFX certificate password is encrypted with a certificate. -If the value is -0 - Password is not encrypted -1- Password is encrypted using the MDM certificate by the MDM server -2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. -The datatype for this node is int. -Supported operations are Add, Replace. 
- - - - - - - - - - - - text/plain - - - - - PFXKeyExportable - - - - - - - true - Optional. Used to specify if the private key installed is exportable (can be exported later). The datatype for this node is bool. -Supported operations are Add, Get. - - - - - - - - - - - - text/plain - - - - - Thumbprint - - - - - Returns the thumbprint of the PFX certificate installed. Format is string.Supported operations are Get. - - - - - - - - - - - - text/plain - - - - - Status - - - - - Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. Datatype is int. -Support operations are Get. - - - - - - - - - - - - text/plain - - - - - PFXCertPasswordEncryptionStore - - - - - - - Optional. -When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. -Datatype is string, -Support operation are Add, Get and Replace. - - - - - - - - - - - - text/plain - - - - + + + + + + + + + + + + + + + - SCEP - - - - - - - - - - - - - - - - - - - - - - - - - - - Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. -Format is node. -Supported operations are Get, Add, Delete. + PFXCertPassword + + + + + + + Password that protects the PFX blob. This is required if the PFX is password protected. + + + + + + + + + + + + + + + + + + PFXCertPasswordEncryptionType + + + + + + + 0 + Optional. Used to specify if the PFX certificate password is encrypted with a certificate. +If the value is +0 - Password is not encrypted +1- Password is encrypted using the MDM certificate by the MDM server +2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. + + + + + + + + + + + + + + + 0 + Password is not encrypted. + + + 1 + Password is encrypted with the MDM certificate. 
+ + + 2 + Password is encrypted with custom certificate. + + + + + + PFXKeyExportable + + + + + + + true + Optional. Used to specify if the private key installed is exportable (can be exported later). + + + + + + + + + + + + + + + false + False + + + true + True + + + + + + Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation + + [3] + + + + + + + + Thumbprint + + + + + Returns the thumbprint of the PFX certificate installed. + + + + + + + + + + + + + + + + Status + + + + + Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. + + + + + + + + + + + + + + + + PFXCertPasswordEncryptionStore + + + + + + + Optional. +When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. + + + + + + + + + + + + + + + + + + Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType + + [2] + + + + + + + + + + SCEP + + + + + Node for SCEP. An alert is sent after the SCEP certificate is installed. + + + + + + + + + + + + + + + + + + + + + + + + Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. Calling Delete on the this node, should delete the corresponding SCEP certificate - - - - - - - - - - UniqueID - - - - - - Install - - - - - - - - Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. Format is node. Supported operation is Add, Delete. - -NOTE: Though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. 
The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. - - - - - - - - - - - - - - - ServerURL - - - - - - - - Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon. -Format is string. -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - Challenge - - - - - - - - Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Format is chr. Supported operations are Get, Add, Replace, Delete. Challenge will be deleted shortly after the Exec command is accepted. - - - - - - - - - - - text/plain - - - - - EKUMapping - - - - - - - - Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus “+”. Sample format: OID1+OID2+OID3. - -Format is chr. - -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - KeyUsage - - - - - - - - Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. - -Format is int. - -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - SubjectName - - - - - - - - Required. Specify the subject name. Format is chr. Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - KeyProtection - - - - - - - - 3 - Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. - -SCEP enrolled cert doesn’t support TPM PIN protection. Supported values: - -1 – private key protected by TPM, - -2 – private key protected by phone TPM if the device supports TPM. 
- -3 (default) – private key saved in software KSP - -4 – private key protected by NGC. If this option is specified, container name should be specified, if not enrollment will fail. - - -Format is int. - -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - - - text/plain - - - - - RetryDelay - - - - - - - - 5 - Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + + + + + + + + + + UniqueID + + + + + + + + + + Install + + + + + + + + Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. + + + + + + + + + + + + + + + ServerURL + + + + + + + + Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon. + + + + + + + + + + + + + + + + + + Challenge + + + + + + + + Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge will be deleted shortly after the Exec command is accepted. + + + + + + + + + + + + + + + + + + EKUMapping + + + + + + + + Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus “+”. Sample format: OID1+OID2+OID3. + + + + + + + + + + + + + + + + + + KeyUsage + + + + + + + + Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. 
If the value doesn’t have those bits set, configuration will fail. + + + + + + + + + + + + + + + + + + SubjectName + + + + + + + + Required. Specify the subject name. The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ). + + + + + + + + + + + + + + + + + + KeyProtection + + + + + + + + 3 + Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. +SCEP enrolled cert doesn’t support TPM PIN protection. + + + + + + + + + + + + + + + 1 + Private key protected by TPM. + + + 2 + Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. + + + 3 + (Default) Private key saved in software KSP. + + + 4 + Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. + + + + + + RetryDelay + + + + + + + + 5 + Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. Default value is: 5 -The min value is 1. - -Format is int. - -Supported operations are Get, Add, Delete noreplace. - - - - - - - - - - - text/plain - - - - - RetryCount - - - - - - - - 3 - Optional. Special to SCEP. Specify device retry times when the SCEP server sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. -The min value is 0 which means no retry. Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. Format is chr. Supported operations are Get, Add, Delete.noreplace. 
- - - - - - - - - - - text/plain - - - - - KeyLength - - - - - - - - Required for enrollment. Specify private key length (RSA). Format is int. - -Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. - -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - HashAlgorithm - - - - - - - - Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. - -For NGC, only SHA256 is supported as the supported algorithm - -Format is chr. -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - CAThumbprint - - - - - - - - Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If not match, fail the authentication. -Format is chr. -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - SubjectAlternativeNames - - - - - - - - Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2]. - -Format is chr. - -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - ValidPeriod - - - - - - - - Days - Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. -Format is chr. -Supported operations are Get, Add, Delete, Replace. +The min value is 1. + + + + + + + + + + + + + + [0-4294967295] + + + + + RetryCount + + + + + + + + 3 + Optional. Special to SCEP. 
Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. +The min value is 0 which means no retry. + + + + + + + + + + + + + + [0-30] + + + + + TemplateName + + + + + + + + Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. + + + + + + + + + + + + + + + + + + KeyLength + + + + + + + + Required for enrollment. Specify private key length (RSA). +Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. + + + + + + + + + + + + + + + 1024 + 1024 + + + 2048 + 2048 + + + 4096 + 4096 + + + + + + HashAlgorithm + + + + + + + + Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. +For NGC, only SHA256 is supported as the supported algorithm + + + + + + + + + + + + + + + + + + CAThumbprint + + + + + + + + Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If not match, fail the authentication. + + + + + + + + + + + + + + + + + + SubjectAlternativeNames + + + + + + + + Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2]. + + + + + + + + + + + + + + + + + + ValidPeriod + + + + + + + + Days + Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. 
+MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. + + + + + + + + + + + + + + + Days + Days + + + Months + Months + + + Years + Years + + + + + + ValidPeriodUnits + + + + + + + + 0 + Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. - - - - - - - - - - - text/plain - - - - - ValidPeriodUnits - - - - - - - - 0 - Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note that the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. - -Format is int. - -Supported operations are Get, Add, Delete, Replace. - -NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. - - - - - - - - - - - text/plain - - - - - ContainerName - - - - - - - - Optional. -Specifies the NGC container name (if NGC KSP is chosen for above node). 
If this node is not specified when NGC KSP is chosen, enrollment will fail. - -Format is chr. - -Supported operations are Get, Add, Delete and Replace. - - - - - - - - - - - text/plain - - - - - CustomTextToShowInPrompt - - - - - - - - Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. - -Format is chr. - -Supported operations are Get, Add, Delete and Replace. - - - - - - - - - - - text/plain - - - - - Enroll - - - - - Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added. - -Format is null, e.g. this node doesn’t contain a value. - -Supported operation is Exec. - - - - - - - - - - - text/plain - - - - - AADKeyIdentifierList - - - - - - - - Optional. Specify the Azure Active Directory Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the Azure AD Key present on the device. If no match is found, enrollment will fail. - - - - - - - - - - - text/plain - - - - - - CertThumbprint - - - - - Optional. Specify the current cert’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Format is chr. Supported operation is Get. - - - - - - - - - - - text/plain - - - - - Status - - - - - Required. Specify the latest status for the certificate due to enroll request. - -Format is chr. - -Supported operation is Get. - + + + + + + + + + + + + + + + + + + ContainerName + + + + + + + + Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. 
+ + + + + + + + + + + + + + + + + + CustomTextToShowInPrompt + + + + + + + + Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. + + + + + + + + + + + + + + + + + + Enroll + + + + + Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added. + + + + + + + + + + + + + + + + AADKeyIdentifierList + + + + + + + + Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + + + + + CertThumbprint + + + + + Optional. Specify the current cert’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + + + + + + + + + + + + + + + + Status + + + + + Required. Specify the latest status for the certificate due to enroll request. Valid values are: 1 – finished successfully 2 – pending (the device hasn’t finished the action but has received the SCEP server pending response) 32 – unknown 16 - action failed - - - - - - - - - - - text/plain - - - - - ErrorCode - - - - - Optional. The integer value that indicates the HRESULT of the last enrollment error code. -Supported operation is Get. - - - - - - - - - - - text/plain - - - - - RespondentServerUrl - - - - - Required. Returns the URL of the SCEP server that responded to the enrollment request. - -Format is String. - -Supported operation is Get. - - - - - - - - - - - text/plain - - - - + + + + + + + + + + + + + + + ErrorCode + + + + + Optional. 
The integer value that indicates the HRESULT of the last enrollment error code. + + + + + + + + + + + + + + + + RespondentServerUrl + + + + + Required. Returns the URL of the SCEP server that responded to the enrollment request. + + + + + + + + + + + + + + + + + + ClientCertificateInstall + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + PFXCertInstall + + + + + Required for PFX certificate installation. The parent node grouping the PFX cert related settings. + + + + + + + + + + + + + + + + + + + + + + + + Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. +Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. + + + + + + + + + + + UniqueID + + + + + + + + + + KeyLocation + + + + + + + Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. + + + + + + + + + + + + + + + 1 + Install to TPM if present, fail if not present. + + + 2 + Install to TPM if present. If not present, fallback to software. + + + 3 + Install to software. + + + 4 + Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified + + + + + + ContainerName + + + + + + + Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + + + + + + + + + + + + PFXCertBlob + + + + + + + Required. +CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. 
This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. +If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. +If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. +In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate +CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/windows/desktop/aa381414(v=vs.85).aspx + + + + + + + + + + + + + + + + + + + PFXCertPassword + + + + + + + Password that protects the PFX blob. This is required if the PFX is password protected. + + + + + + + + + + + + + + + + + + PFXCertPasswordEncryptionType + + + + + + + 0 + Optional. Used to specify if the PFX certificate password is encrypted with a certificate. +If the value is +0 - Password is not encrypted +1- Password is encrypted using the MDM certificate by the MDM server +2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. + + + + + + + + + + + + + + + 0 + Password is not encrypted. + + + 1 + Password is encrypted with the MDM certificate. + + + 2 + Password is encrypted with custom certificate. + + + + + + PFXKeyExportable + + + + + + + true + Optional. Used to specify if the private key installed is exportable (can be exported later). 
+ + + + + + + + + + + + + + + false + False + + + true + True + + + + + + Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation + + [3] + + + + + + + + Thumbprint + + + + + Returns the thumbprint of the PFX certificate installed. + + + + + + + + + + + + + + + + Status + + + + + Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. + + + + + + + + + + + + + + + + PFXCertPasswordEncryptionStore + + + + + + + Optional. +When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. + + + + + + + + + + + + + + + + + + Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType + + [2] + + + + + + + + + + SCEP + + + + + Node for SCEP. An alert is sent after the SCEP certificate is installed. + + + + + + + + + + + + + + + + + + + + + + + + Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. +Calling Delete on the this node, should delete the corresponding SCEP certificate + + + + + + + + + + UniqueID + + + + + + + + + + Install + + + + + + + + Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. + + + + + + + + + + + + + + + ServerURL + + + + + + + + Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon. 
+ + + + + + + + + + + + + + + + + + Challenge + + + + + + + + Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge will be deleted shortly after the Exec command is accepted. + + + + + + + + + + + + + + + + + + EKUMapping + + + + + + + + Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus “+”. Sample format: OID1+OID2+OID3. + + + + + + + + + + + + + + + + + + KeyUsage + + + + + + + + Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. + + + + + + + + + + + + + + + + + + SubjectName + + + + + + + + Required. Specify the subject name. The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ). + + + + + + + + + + + + + + + + + + KeyProtection + + + + + + + + 3 + Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. +SCEP enrolled cert doesn’t support TPM PIN protection. + + + + + + + + + + + + + + + 1 + Private key protected by TPM. + + + 2 + Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. + + + 3 + (Default) Private key saved in software KSP. + + + 4 + Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. + + + + + + RetryDelay + + + + + + + + 5 + Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + +Default value is: 5 +The min value is 1. + + + + + + + + + + + + + + [0-4294967295] + + + + + RetryCount + + + + + + + + 3 + Optional. 
Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. +The min value is 0 which means no retry. + + + + + + + + + + + + + + [0-30] + + + + + TemplateName + + + + + + + + Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. + + + + + + + + + + + + + + + + + + KeyLength + + + + + + + + Required for enrollment. Specify private key length (RSA). +Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. + + + + + + + + + + + + + + + 1024 + 1024 + + + 2048 + 2048 + + + 4096 + 4096 + + + + + + HashAlgorithm + + + + + + + + Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + +For NGC, only SHA256 is supported as the supported algorithm + + + + + + + + + + + + + + + + + + CAThumbprint + + + + + + + + Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If not match, fail the authentication. + + + + + + + + + + + + + + + + + + SubjectAlternativeNames + + + + + + + + Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2]. + + + + + + + + + + + + + + + + + + ValidPeriod + + + + + + + + Days + Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. 
+MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. + + + + + + + + + + + + + + + Days + Days + + + Months + Months + + + Years + Years + + + + + + ValidPeriodUnits + + + + + + + + 0 + Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. +NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. + + + + + + + + + + + + + + + + + + ContainerName + + + + + + + + Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + + + + + + + + + + + + CustomTextToShowInPrompt + + + + + + + + Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. + + + + + + + + + + + + + + + + + + Enroll + + + + + Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added. + + + + + + + + + + + + + + + + AADKeyIdentifierList + + + + + + + + Optional. Specify the AAD Key Identifier List as a semicolon separated values. 
On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + + + + + CertThumbprint + + + + + Optional. Specify the current cert’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + + + + + + + + + + + + + + + + Status + + + + + Required. Specify the latest status for the certificate due to enroll request. +Valid values are: +1 – finished successfully +2 – pending (the device hasn’t finished the action but has received the SCEP server pending response) +32 – unknown +16 - action failed + + + + + + + + + + + + + + + + ErrorCode + + + + + Optional. The integer value that indicates the HRESULT of the last enrollment error code. + + + + + + + + + + + + + + + + RespondentServerUrl + + + + + Required. Returns the URL of the SCEP server that responded to the enrollment request. + + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles -[ClientCertificateInstall configuration service provider](clientcertificateinstall-csp.md) +[ClientCertificateInstall configuration service provider reference](clientcertificateinstall-csp.md) diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md index 4a903492c4..c8fad72461 100644 --- a/windows/client-management/mdm/configuration-service-provider-ddf.md +++ b/windows/client-management/mdm/configuration-service-provider-ddf.md @@ -1,7 +1,7 @@ --- title: Configuration service provider DDF files description: Learn more about the OMA DM device description framework (DDF) for various configuration service providers -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article 
@@ -9,14 +9,578 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 09/18/2020 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Configuration service provider DDF files -This topic shows the OMA DM device description framework (DDF) for various configuration service providers. DDF files are used only with OMA DM provisioning XML. +This article lists the OMA DM device description framework (DDF) files for various configuration service providers. DDF files are used only with OMA DM provisioning XML. -You can download the DDF files for various CSPs from the links below: +As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download: + +- [DDF v2 Files, December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip) + +## DDF v2 schema + +DDF v2 XML schema definition is listed below along with the schema definition for the referenced `MSFT` namespace. + +- Schema definition for DDF v2: + + ```xml + + + + + + Starting point for DDF + + + + + + + + + + + + + Main Recurring XML tag describing nodes of the CSP + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` + +- Schema definition for the `MSFT` namespace: + + ```xml + + + + + This node contains an XML blob that can be used as an argument to the DiagnosticsLogCSP to pull diagnostics for a feature. + + + + + This node marks that a feature is deprecated. If included, OsBuildDeprecated gives the OS Build version that the node is no longer recommended to be set. + + + + + + + + This node contains information on how to dynamically name the node such that the name is valid. 
+ + + + + + This indicates that the server should generate a unique identifier for the node. + + + + + This indicates that the client will generate the name of the node based on the device state (such as inventorying apps). + + + + + This indicates that the server should name the node, and the value listed gives a regex to define what is allowed. + + + + + + + + + The type of the conflict resolution. + + + + + No policy merge. + + + + + The lowest value is the most secure policy value. + + + + + The highest value is the most secure policy value. + + + + + The last written value is current value + + + + + The lowest value is the most secure policy value unless the value is zero. + + + + + The highest value is the most secure policy value unless the value is zero. + + + + + + + + These tags indicate what are required on the device for the node to be applicable to configured. These tags can be inherited by children nodes. + + + + + + This tag describes the first build that a feature is released to. If the feature was backported, multiple OS versions will be listed, such that the OS build version without a minor number is the first "major release." + + + + + This tag describes the lowest CSP Version that the node was released to. + + + + + This tag describes the list of Edition IDs that the features is allowed on. 0x88* refers to Windows Holographic for Business. + + + + + This tag indicates that the node requires the device to be Azure Active Directory Joined to be applicable. + + + + + + + + These tags describe what values are allowed to be set for this particular node. + + + + + + + + + + This attribute describes what kind of Allowed Values tag this is. + + + + + + This attribute indicates that the Value tag contains an XSD for the node. + + + + + This attribute indicates that the Value tag contains a RegEx for the node. + + + + + This attribute indicates that the node can be described by an external ADMX file. 
+ + + + + This attribute indicates that the node can be described by a JSON schema. + + + + + This attribute indicates that the allowed values are an enumeration. + + + + + This attribute indicates that the allowed values can be combined into a bitwise flag. + + + + + This attribute indicates that the allowed values are a numerical range. + + + + + This attribute indicates that the allowed values are a string in the SDDL format. + + + + + This attribute indicates there is no data-driven way to define the allowed values of the node. This potentially means that all string values are valid values. + + + + + + + + + + + + This tag indicates that the node input can contain multiple, delimited values. + + + + + This attribute details the delimeter used for the list of values. + + + + + + + + + + + This tag indicates an allowed value. + + + + + This tag gives further description to an allowed value, such as for an enumeration. + + + + + + + + + + + + + + This tag gives details for one particular enumeration of the allowed values. + + + + + + + + + + This tag indicates the relevent details for the corresponding ADMX policy for this node. + + + + + This attribute gives the area path of the ADMX policy. + + + + + This attribute gives the name of the ADMX policy. + + + + + This attribute gives the filename for the ADMX policy. + + + + + + + This tag details the replace behavior of the node. + + + + + + When performing a replace operation on this node, the value is appending to the existing node data. + + + + + When performing a replace operation on this node, the existing node data is removed before new data is added. + + + + + + + + This tag describes the reboot behavior of the node. + + + + + + No reboot is required for this node. + + + + + This node will automatically perform a reboot to take effect. + + + + + This node needs a reboot initiated from an external source to take effect. 
+ + + + + + + + This tag details the information necessary to map this node to an existing group policy. + + + + + This attribute details the English name of the GP. + + + + + This attribute details the area path of the GP. + + + + + This attribute details a particular element of a GP that the CSP node maps to. + + + + + + + This tag lists out common error HRESULTS reported by the CSP and English text to associate with them. + + + + + + + + + + + + + + + + + + + This tag indicates that this node and all children nodes should be enclosed by an Atomic tag when being sent to the client. + + + + + These tags detail potential dependencies that the current CSP node has on other nodes in the same CSP. + + + + + + + + + + This tag describes a dependency that the current CSP node has on another nodes in the same CSP. + + + + + + The URI that the current CSP node has a dependency on. + + + + + + + This tag details the kind of dependency. + + + + + + The current node depends on the dependency holding a certain value. + + + + + The current node depends on the dependency not holding a certain value. + + + + + + + + + + This tag details one specific dependency. A node might have multiple different dependencies. + + + + + + + + + This attribute gives a friendly ID to the dependency, to differentiate it from other dependencies. + + + + + + + This tag details the values that the dependency must be set to for the dependency to be satisfied. + + + + + + + + + This tag details a change to the current node's allowed values if the dependency is satisfied. 
+
+
+
+
+
+
+
+ ```
+
+## Older DDF files
+
+You can download the older DDF files for various CSPs from the links below:
 - [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip)
 - [Download all the DDF files for Windows 10, version 1903](https://download.microsoft.com/download/6/F/0/6F019079-6EB0-41B5-88E8-D1CE77DBA27B/Windows10_1903_DDF_download.zip)
@@ -26,4 +590,15 @@ You can download the DDF files for various CSPs from the links below:
 - [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
 - [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
-You can download DDF file for Policy CSP from [Policy DDF file](policy-ddf-file.md).
+You can download the older Policy area DDF files by clicking the following links:
+
+- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml)
+- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml)
+- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml)
+- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml)
+- [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml)
+- [View the Policy DDF file for Windows 10, version 1803 release C](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml)
+- [View the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
+- [View the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
+- [View the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml)
+- [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)
diff --git a/windows/client-management/mdm/configuration-service-provider-support.md b/windows/client-management/mdm/configuration-service-provider-support.md
index 4afed5993c..80f903585c 100644
--- a/windows/client-management/mdm/configuration-service-provider-support.md
+++ b/windows/client-management/mdm/configuration-service-provider-support.md
@@ -1,7 +1,7 @@
 ---
 title: Configuration service provider support
 description: Learn more about configuration service provider (CSP) supported scenarios.
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
@@ -9,7 +9,9 @@ ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2020
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ---
 # Configuration service provider support
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index dd6034f807..40d679359a 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -1,10 +1,10 @@
 ---
 title: Defender CSP
-description: Learn more about the Defender CSP
+description: Learn more about the Defender CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 11/02/2022
+ms.date: 02/28/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -21,92 +21,90 @@ ms.topic: reference
-The following example shows the Defender configuration service provider in tree format.
+The following list shows the Defender configuration service provider nodes:
-```text
-./Device/Vendor/MSFT/Defender
---- Configuration
------- AllowDatagramProcessingOnWinServer
------- AllowNetworkProtectionDownLevel
------- AllowNetworkProtectionOnWinServer
------- ASROnlyPerRuleExclusions
------- DataDuplicationDirectory
------- DataDuplicationRemoteLocation
------- DefaultEnforcement
------- DeviceControl
---------- PolicyGroups
------------- {GroupId}
---------------- GroupData
---------- PolicyRules
------------- {RuleId}
---------------- RuleData
------- DeviceControlEnabled
------- DisableCpuThrottleOnIdleScans
------- DisableDnsOverTcpParsing
------- DisableDnsParsing
------- DisableFtpParsing
------- DisableGradualRelease
------- DisableHttpParsing
------- DisableInboundConnectionFiltering
------- DisableLocalAdminMerge
------- DisableNetworkProtectionPerfTelemetry
------- DisableRdpParsing
------- DisableSshParsing
------- DisableTlsParsing
------- EnableDnsSinkhole
------- EnableFileHashComputation
------- EngineUpdatesChannel
------- ExcludedIpAddresses
------- HideExclusionsFromLocalAdmins
------- MeteredConnectionUpdates
------- PassiveRemediation
------- PauseUpdateExpirationTime
------- PauseUpdateFlag
------- PauseUpdateStartTime
------- PlatformUpdatesChannel
------- SchedulerRandomizationTime
------- SecurityIntelligenceUpdatesChannel
------- SupportLogLocation
------- TamperProtection
------- TDTFeatureEnabled
------- ThrottleForScheduledScanOnly
---- Detections
------- {ThreatId}
---------- Category
---------- CurrentStatus
---------- ExecutionStatus
---------- InitialDetectionTime
---------- LastThreatStatusChangeTime
---------- Name
---------- NumberOfDetections
---------- Severity
---------- URL
---- Health
------- ComputerState
------- DefenderEnabled
------- DefenderVersion
------- EngineVersion
------- FullScanOverdue
------- FullScanRequired
------- FullScanSigVersion
------- FullScanTime
------- IsVirtualMachine
------- NisEnabled
------- ProductStatus
------- QuickScanOverdue
------- QuickScanSigVersion
------- QuickScanTime
------- RebootRequired
------- RtpEnabled
------- SignatureOutOfDate
------- SignatureVersion
------- TamperProtectionEnabled
---- OfflineScan
---- RollbackEngine
---- RollbackPlatform
---- Scan
---- UpdateSignature
-```
+- ./Device/Vendor/MSFT/Defender
+ - [Configuration](#configuration)
+ - [AllowDatagramProcessingOnWinServer](#configurationallowdatagramprocessingonwinserver)
+ - [AllowNetworkProtectionDownLevel](#configurationallownetworkprotectiondownlevel)
+ - [AllowNetworkProtectionOnWinServer](#configurationallownetworkprotectiononwinserver)
+ - [ASROnlyPerRuleExclusions](#configurationasronlyperruleexclusions)
+ - [DataDuplicationDirectory](#configurationdataduplicationdirectory)
+ - [DataDuplicationLocalRetentionPeriod](#configurationdataduplicationlocalretentionperiod)
+ - [DataDuplicationRemoteLocation](#configurationdataduplicationremotelocation)
+ - [DefaultEnforcement](#configurationdefaultenforcement)
+ - [DeviceControl](#configurationdevicecontrol)
+ - [PolicyGroups](#configurationdevicecontrolpolicygroups)
+ - [{GroupId}](#configurationdevicecontrolpolicygroupsgroupid)
+ - [GroupData](#configurationdevicecontrolpolicygroupsgroupidgroupdata)
+ - [PolicyRules](#configurationdevicecontrolpolicyrules)
+ - [{RuleId}](#configurationdevicecontrolpolicyrulesruleid)
+ - [RuleData](#configurationdevicecontrolpolicyrulesruleidruledata)
+ - [DeviceControlEnabled](#configurationdevicecontrolenabled)
+ - [DisableCpuThrottleOnIdleScans](#configurationdisablecputhrottleonidlescans)
+ - [DisableDnsOverTcpParsing](#configurationdisablednsovertcpparsing)
+ - [DisableDnsParsing](#configurationdisablednsparsing)
+ - [DisableFtpParsing](#configurationdisableftpparsing)
+ - [DisableGradualRelease](#configurationdisablegradualrelease)
+ - [DisableHttpParsing](#configurationdisablehttpparsing)
+ - [DisableInboundConnectionFiltering](#configurationdisableinboundconnectionfiltering)
+ - [DisableLocalAdminMerge](#configurationdisablelocaladminmerge)
+ - [DisableNetworkProtectionPerfTelemetry](#configurationdisablenetworkprotectionperftelemetry)
+ - [DisableRdpParsing](#configurationdisablerdpparsing)
+ - [DisableSmtpParsing](#configurationdisablesmtpparsing)
+ - [DisableSshParsing](#configurationdisablesshparsing)
+ - [DisableTlsParsing](#configurationdisabletlsparsing)
+ - [EnableDnsSinkhole](#configurationenablednssinkhole)
+ - [EnableFileHashComputation](#configurationenablefilehashcomputation)
+ - [EngineUpdatesChannel](#configurationengineupdateschannel)
+ - [HideExclusionsFromLocalAdmins](#configurationhideexclusionsfromlocaladmins)
+ - [IntelTDTEnabled](#configurationinteltdtenabled)
+ - [MeteredConnectionUpdates](#configurationmeteredconnectionupdates)
+ - [PassiveRemediation](#configurationpassiveremediation)
+ - [PlatformUpdatesChannel](#configurationplatformupdateschannel)
+ - [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes)
+ - [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled)
+ - [SchedulerRandomizationTime](#configurationschedulerrandomizationtime)
+ - [SecurityIntelligenceUpdatesChannel](#configurationsecurityintelligenceupdateschannel)
+ - [SupportLogLocation](#configurationsupportloglocation)
+ - [TamperProtection](#configurationtamperprotection)
+ - [ThrottleForScheduledScanOnly](#configurationthrottleforscheduledscanonly)
+ - [Detections](#detections)
+ - [{ThreatId}](#detectionsthreatid)
+ - [Category](#detectionsthreatidcategory)
+ - [CurrentStatus](#detectionsthreatidcurrentstatus)
+ - [ExecutionStatus](#detectionsthreatidexecutionstatus)
+ - [InitialDetectionTime](#detectionsthreatidinitialdetectiontime)
+ - [LastThreatStatusChangeTime](#detectionsthreatidlastthreatstatuschangetime)
+ - [Name](#detectionsthreatidname)
+ - [NumberOfDetections](#detectionsthreatidnumberofdetections)
+ - [Severity](#detectionsthreatidseverity)
+ - [URL](#detectionsthreatidurl)
+ - [Health](#health)
+ - [ComputerState](#healthcomputerstate)
+ - [DefenderEnabled](#healthdefenderenabled)
+ - [DefenderVersion](#healthdefenderversion)
+ - [EngineVersion](#healthengineversion)
+ - [FullScanOverdue](#healthfullscanoverdue)
+ - [FullScanRequired](#healthfullscanrequired)
+ - [FullScanSigVersion](#healthfullscansigversion)
+ - [FullScanTime](#healthfullscantime)
+ - [IsVirtualMachine](#healthisvirtualmachine)
+ - [NisEnabled](#healthnisenabled)
+ - [ProductStatus](#healthproductstatus)
+ - [QuickScanOverdue](#healthquickscanoverdue)
+ - [QuickScanSigVersion](#healthquickscansigversion)
+ - [QuickScanTime](#healthquickscantime)
+ - [RebootRequired](#healthrebootrequired)
+ - [RtpEnabled](#healthrtpenabled)
+ - [SignatureOutOfDate](#healthsignatureoutofdate)
+ - [SignatureVersion](#healthsignatureversion)
+ - [TamperProtectionEnabled](#healthtamperprotectionenabled)
+ - [OfflineScan](#offlinescan)
+ - [RollbackEngine](#rollbackengine)
+ - [RollbackPlatform](#rollbackplatform)
+ - [Scan](#scan)
+ - [UpdateSignature](#updatesignature)
@@ -125,6 +123,7 @@ The following example shows the Defender configuration service provider in tree
+ An interior node to group Windows Defender configuration information.
@@ -163,6 +162,7 @@ An interior node to group Windows Defender configuration information.
+ This settings controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection.
@@ -177,6 +177,7 @@ This settings controls whether Network Protection is allowed to enable datagram
 |:--|:--|
 | Format | int |
 | Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -185,7 +186,7 @@ This settings controls whether Network Protection is allowed to enable datagram
 | Value | Description |
 |:--|:--|
 | 1 | Datagram processing on Windows Server is enabled. |
-| 0 | Datagram processing on Windows Server is disabled. |
+| 0 (Default) | Datagram processing on Windows Server is disabled. |
@@ -210,6 +211,7 @@ This settings controls whether Network Protection is allowed to enable datagram
+ This settings controls whether Network Protection is allowed to be configured into block or audit mode on windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored.
@@ -224,6 +226,7 @@ This settings controls whether Network Protection is allowed to be configured in
 |:--|:--|
 | Format | int |
 | Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -232,7 +235,7 @@ This settings controls whether Network Protection is allowed to be configured in
 | Value | Description |
 |:--|:--|
 | 1 | Network protection will be enabled downlevel. |
-| 0 | Network protection will be disabled downlevel. |
+| 0 (Default) | Network protection will be disabled downlevel. |
@@ -257,6 +260,7 @@ This settings controls whether Network Protection is allowed to be configured in
+ This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored.
@@ -279,8 +283,8 @@ This settings controls whether Network Protection is allowed to be configured in
 | Value | Description |
 |:--|:--|
-| 1 (Default) | Allow |
-| 0 | Disallow |
+| 1 (Default) | Allow. |
+| 0 | Disallow. |
@@ -305,6 +309,7 @@ This settings controls whether Network Protection is allowed to be configured in
+ Apply ASR only per rule exclusions.
@@ -343,6 +348,7 @@ Apply ASR only per rule exclusions.
+ Define data duplication directory for device control.
@@ -365,6 +371,47 @@ Define data duplication directory for device control. + +### Configuration/DataDuplicationLocalRetentionPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationLocalRetentionPeriod
+```
+
+
+
+
+Define the retention period in days of how much time the evidence data will be kept on the client machine should any transfer to the remote locations would occur.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-120]` |
+| Default Value | 60 |
+
+
+
+
+
+
+
+
 ### Configuration/DataDuplicationRemoteLocation
@@ -381,6 +428,7 @@ Define data duplication directory for device control.
+ Define data duplication remote location for device control.
@@ -419,6 +467,7 @@ Define data duplication remote location for device control.
+ Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched.
@@ -433,6 +482,7 @@ Control Device Control default enforcement. This is the enforcement applied if t
 |:--|:--|
 | Format | int |
 | Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
@@ -440,8 +490,8 @@ Control Device Control default enforcement. This is the enforcement applied if t
 | Value | Description |
 |:--|:--|
-| 1 | Default Allow Enforcement |
-| 2 | Default Deny Enforcement |
+| 1 (Default) | Default Allow Enforcement. |
+| 2 | Default Deny Enforcement. |
@@ -466,7 +516,7 @@ Control Device Control default enforcement. This is the enforcement applied if t
-
+
@@ -504,7 +554,7 @@ Control Device Control default enforcement. This is the enforcement applied if t
-
+
@@ -542,7 +592,7 @@ Control Device Control default enforcement. This is the enforcement applied if t
-
+
@@ -580,7 +630,8 @@ Control Device Control default enforcement. This is the enforcement applied if t
-
+
+For more information, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control).
@@ -618,7 +669,7 @@ Control Device Control default enforcement. This is the enforcement applied if t
-
+
@@ -656,7 +707,7 @@ Control Device Control default enforcement. This is the enforcement applied if t
-
+
@@ -694,7 +745,8 @@ Control Device Control default enforcement. This is the enforcement applied if t
-
+
+For more information, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control).
@@ -732,6 +784,7 @@ Control Device Control default enforcement. This is the enforcement applied if t
+ Control Device Control feature.
@@ -746,6 +799,7 @@ Control Device Control feature.
 |:--|:--|
 | Format | int |
 | Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -753,8 +807,8 @@ Control Device Control feature.
 | Value | Description |
 |:--|:--|
-| 1 | |
-| 0 | |
+| 1 | . |
+| 0 (Default) | . |
@@ -779,7 +833,8 @@ Control Device Control feature.
-Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur.
+
+Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur.
@@ -801,8 +856,8 @@ Indicates whether the CPU will be throttled for scheduled scans while the device
 | Value | Description |
 |:--|:--|
-| 1 (Default) | Disable CPU Throttle on idle scans |
-| 0 | Enable CPU Throttle on idle scans |
+| 1 (Default) | Disable CPU Throttle on idle scans. |
+| 0 | Enable CPU Throttle on idle scans. |
@@ -827,6 +882,7 @@ Indicates whether the CPU will be throttled for scheduled scans while the device
+ This setting disables DNS over TCP Parsing for Network Protection.
@@ -849,8 +905,8 @@ This setting disables DNS over TCP Parsing for Network Protection.
 | Value | Description |
 |:--|:--|
-| 1 | DNS over TCP parsing is disabled |
-| 0 (Default) | DNS over TCP parsing is enabled |
+| 1 | DNS over TCP parsing is disabled. |
+| 0 (Default) | DNS over TCP parsing is enabled. |
@@ -875,6 +931,7 @@ This setting disables DNS over TCP Parsing for Network Protection.
+ This setting disables DNS Parsing for Network Protection.
@@ -897,8 +954,8 @@ This setting disables DNS Parsing for Network Protection.
 | Value | Description |
 |:--|:--|
-| 1 | DNS parsing is disabled |
-| 0 (Default) | DNS parsing is enabled |
+| 1 | DNS parsing is disabled. |
+| 0 (Default) | DNS parsing is enabled. |
@@ -923,6 +980,7 @@ This setting disables DNS Parsing for Network Protection.
+ This setting disables FTP Parsing for Network Protection.
@@ -945,8 +1003,8 @@ This setting disables FTP Parsing for Network Protection.
 | Value | Description |
 |:--|:--|
-| 1 | FTP parsing is disabled |
-| 0 (Default) | FTP parsing is enabled |
+| 1 | FTP parsing is disabled. |
+| 0 (Default) | FTP parsing is enabled. |
@@ -971,6 +1029,7 @@ This setting disables FTP Parsing for Network Protection.
+ Enable this policy to disable gradual rollout of Defender updates.
@@ -985,6 +1044,7 @@ Enable this policy to disable gradual rollout of Defender updates.
 |:--|:--|
 | Format | int |
 | Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -992,8 +1052,8 @@ Enable this policy to disable gradual rollout of Defender updates.
 | Value | Description |
 |:--|:--|
-| 1 | Gradual release is disabled |
-| 0 | Gradual release is enabled |
+| 1 | Gradual release is disabled. |
+| 0 (Default) | Gradual release is enabled. |
@@ -1018,6 +1078,7 @@ Enable this policy to disable gradual rollout of Defender updates.
+ This setting disables HTTP Parsing for Network Protection.
@@ -1040,8 +1101,8 @@ This setting disables HTTP Parsing for Network Protection.
 | Value | Description |
 |:--|:--|
-| 1 | HTTP parsing is disabled |
-| 0 (Default) | HTTP parsing is enabled |
+| 1 | HTTP parsing is disabled. |
+| 0 (Default) | HTTP parsing is enabled. |
@@ -1066,6 +1127,7 @@ This setting disables HTTP Parsing for Network Protection.
+ This setting disables Inbound connection filtering for Network Protection.
@@ -1080,6 +1142,7 @@ This setting disables Inbound connection filtering for Network Protection.
 |:--|:--|
 | Format | int |
 | Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -1087,8 +1150,8 @@ This setting disables Inbound connection filtering for Network Protection.
 | Value | Description |
 |:--|:--|
-| 1 | Inbound connection filtering is disabled |
-| 0 | Inbound connection filtering is enabled |
+| 1 | Inbound connection filtering is disabled. |
+| 0 (Default) | Inbound connection filtering is enabled. |
@@ -1113,7 +1176,8 @@ This setting disables Inbound connection filtering for Network Protection.
-When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings
+
+When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings.
@@ -1127,6 +1191,7 @@ When this value is set to false, it allows a local admin the ability to specify
 |:--|:--|
 | Format | int |
 | Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -1134,8 +1199,8 @@ When this value is set to false, it allows a local admin the ability to specify
 | Value | Description |
 |:--|:--|
-| 1 | Disable Local Admin Merge |
-| 0 | Enable Local Admin Merge |
+| 1 | Disable Local Admin Merge. |
+| 0 (Default) | Enable Local Admin Merge. |
@@ -1160,6 +1225,7 @@ When this value is set to false, it allows a local admin the ability to specify
+ This setting disables the gathering and send of performance telemetry from Network Protection.
@@ -1174,6 +1240,7 @@ This setting disables the gathering and send of performance telemetry from Netwo
 |:--|:--|
 | Format | int |
 | Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -1181,8 +1248,8 @@ This setting disables the gathering and send of performance telemetry from Netwo | Value | Description | |:--|:--| -| 1 | Network protection telemetry is disabled | -| 0 | Network protection telemetry is enabled | +| 1 | Network protection telemetry is disabled. | +| 0 (Default) | Network protection telemetry is enabled. | @@ -1207,6 +1274,7 @@ This setting disables the gathering and send of performance telemetry from Netwo + This setting disables RDP Parsing for Network Protection. @@ -1221,6 +1289,7 @@ This setting disables RDP Parsing for Network Protection. |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | @@ -1228,8 +1297,8 @@ This setting disables RDP Parsing for Network Protection. | Value | Description | |:--|:--| -| 1 | RDP Parsing is disabled | -| 0 | RDP Parsing is enabled | +| 1 | RDP Parsing is disabled. | +| 0 (Default) | RDP Parsing is enabled. | @@ -1238,6 +1307,55 @@ This setting disables RDP Parsing for Network Protection. + +### Configuration/DisableSmtpParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableSmtpParsing +``` + + + + +This setting disables SMTP Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | SMTP parsing is disabled. | +| 0 (Default) | SMTP parsing is enabled. | + + + + + + + + ### Configuration/DisableSshParsing @@ -1254,6 +1372,7 @@ This setting disables RDP Parsing for Network Protection. + This setting disables SSH Parsing for Network Protection. @@ -1276,8 +1395,8 @@ This setting disables SSH Parsing for Network Protection. | Value | Description | |:--|:--| -| 1 | SSH parsing is disabled | -| 0 (Default) | SSH parsing is enabled | +| 1 | SSH parsing is disabled. | +| 0 (Default) | SSH parsing is enabled. | @@ -1302,6 +1421,7 @@ This setting disables SSH Parsing for Network Protection. + This setting disables TLS Parsing for Network Protection. @@ -1324,8 +1444,8 @@ This setting disables TLS Parsing for Network Protection. | Value | Description | |:--|:--| -| 1 | TLS parsing is disabled | -| 0 (Default) | TLS parsing is enabled | +| 1 | TLS parsing is disabled. | +| 0 (Default) | TLS parsing is enabled. | @@ -1350,6 +1470,7 @@ This setting disables TLS Parsing for Network Protection. + This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode. @@ -1364,6 +1485,7 @@ This setting enables the DNS Sinkhole feature for Network Protection, respecting |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | 
@@ -1371,8 +1493,8 @@ This setting enables the DNS Sinkhole feature for Network Protection, respecting | Value | Description | |:--|:--| -| 1 | DNS Sinkhole is disabled | -| 0 | DNS Sinkhole is enabled | +| 1 (Default) | DNS Sinkhole is disabled. | +| 0 | DNS Sinkhole is enabled. | @@ -1397,6 +1519,7 @@ This setting enables the DNS Sinkhole feature for Network Protection, respecting + Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans. @@ -1419,8 +1542,8 @@ Enables or disables file hash computation feature. When this feature is enabled | Value | Description | |:--|:--| -| 0 (Default) | Disable | -| 1 | Enable | +| 0 (Default) | Disable. | +| 1 | Enable. | @@ -1445,6 +1568,7 @@ Enables or disables file hash computation feature. When this feature is enabled + Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. @@ -1459,6 +1583,7 @@ Enable this policy to specify when devices receive Microsoft Defender engine upd |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | 
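Review bot: The allowed-values table for EnableDnsSinkhole still reads `1 (Default) | DNS Sinkhole is disabled.` and `0 | DNS Sinkhole is enabled.`, which contradicts the node's own description ("This setting enables the DNS Sinkhole feature") and the default of 1 the DDF now declares for it; the commit only appends punctuation and "(Default)" and leaves the inversion in place. As written, an admin trying to turn sinkholing on for Network Protection would set 0 and get the opposite effect, so the rows should read `| 1 (Default) | DNS Sinkhole is enabled. |` and `| 0 | DNS Sinkhole is disabled. |`, assuming the description and DDF default are the authoritative side — worth confirming against the product before flipping. The node's heading and description sit in the preceding hunk, outside this one.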
@@ -1466,7 +1591,7 @@ Enable this policy to specify when devices receive Microsoft Defender engine upd | Value | Description | |:--|:--| -| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | +| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | | 2 | Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. | | 3 | Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. | | 4 | Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). | @@ -1480,45 +1605,6 @@ Enable this policy to specify when devices receive Microsoft Defender engine upd - -### Configuration/ExcludedIpAddresses - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Defender/Configuration/ExcludedIpAddresses -``` - - - -This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | List (Delimiter: `|`) | - - - - - - - - ### Configuration/HideExclusionsFromLocalAdmins @@ -1535,7 +1621,8 @@ This node contains a list of values specifying any IP addresses that wdnisdrv wi -This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled. + +This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled. @@ -1551,6 +1638,7 @@ This policy setting controls whether or not exclusions are visible to local admi |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | @@ -1559,7 +1647,7 @@ This policy setting controls whether or not exclusions are visible to local admi | Value | Description | |:--|:--| | 1 | If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell. | -| 0 | If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell. | +| 0 (Default) | If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell. | 
@@ -1568,6 +1656,55 @@ This policy setting controls whether or not exclusions are visible to local admi + +### Configuration/IntelTDTEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/IntelTDTEnabled +``` + + + + +This policy setting configures the Intel TDT integration level for Intel TDT-capable devices. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | If you do not configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat. | +| 2 | If you configure this setting to disabled, Intel TDT integration will turn off. | + + + + + + + + ### Configuration/MeteredConnectionUpdates @@ -1584,7 +1721,8 @@ This policy setting controls whether or not exclusions are visible to local admi -Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed + +Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed. @@ -1606,8 +1744,8 @@ Allow managed devices to update through metered connections. Default is 0 - not | Value | Description | |:--|:--| -| 1 | Allowed | -| 0 (Default) | Not Allowed | +| 1 | Allowed. | +| 0 (Default) | Not Allowed. | @@ -1632,6 +1770,7 @@ Allow managed devices to update through metered connections. Default is 0 - not + Setting to control automatic remediation for Sense scans. @@ -1646,6 +1785,7 @@ Setting to control automatic remediation for Sense scans. |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | 
@@ -1653,9 +1793,9 @@ Setting to control automatic remediation for Sense scans. | Flag | Description | |:--|:--| -| 0x1 | PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation | -| 0x2 | PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit | -| 0x4 | PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation | +| 0x1 | PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation. | +| 0x2 | PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit. | +| 0x4 | PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation. | @@ -1664,129 +1804,6 @@ Setting to control automatic remediation for Sense scans. - -### Configuration/PauseUpdateExpirationTime - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateExpirationTime -``` - - - -Pause update until the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - - - - - - - -### Configuration/PauseUpdateFlag - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateFlag -``` - - - -Setting to control automatic remediation for Sense scans. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Update not paused | -| 1 | Update paused | - - - - - - - - - -### Configuration/PauseUpdateStartTime - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateStartTime -``` - - - -Pause update from the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - - - - - - ### Configuration/PlatformUpdatesChannel @@ -1803,6 +1820,7 @@ Pause update from the UTC time in ISO string format without milliseconds, for ex + Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. @@ -1817,6 +1835,7 @@ Enable this policy to specify when devices receive Microsoft Defender platform u |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | 
@@ -1824,7 +1843,7 @@ Enable this policy to specify when devices receive Microsoft Defender platform u | Value | Description | |:--|:--| -| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | +| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | | 2 | Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. | | 3 | Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. | | 4 | Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). | @@ -1838,6 +1857,104 @@ Enable this policy to specify when devices receive Microsoft Defender platform u + +### Configuration/RandomizeScheduleTaskTimes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/RandomizeScheduleTaskTimes +``` + + + + +In Microsoft Defender Antivirus, randomize the start time of the scan to any interval from 0 to 23 hours. This can be useful in virtual machines or VDI deployments. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Widen or narrow the randomization period for scheduled scans. Specify a randomization window of between 1 and 23 hours by using the setting SchedulerRandomizationTime. | +| 0 | Scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler. | + + + + + + + + + +### Configuration/ScanOnlyIfIdleEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/ScanOnlyIfIdleEnabled +``` + + + + +In Microsoft Defender Antivirus, this setting will run scheduled scans only if the system is idle. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Runs scheduled scans only if the system is idle. | +| 0 | Runs scheduled scans regardless of whether the system is idle. | + + + + + + + + ### Configuration/SchedulerRandomizationTime @@ -1854,6 +1971,7 @@ Enable this policy to specify when devices receive Microsoft Defender platform u + This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours. For more information on the randomization effect please check the RandomizeScheduleTaskTimes setting. @@ -1894,6 +2012,7 @@ This setting allows you to configure the scheduler randomization in hours. The r + Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. @@ -1908,6 +2027,7 @@ Enable this policy to specify when devices receive Microsoft Defender security i |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | 
@@ -1915,7 +2035,7 @@ Enable this policy to specify when devices receive Microsoft Defender security i | Value | Description | |:--|:--| -| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | +| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | | 4 | Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). | | 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). | @@ -1942,6 +2062,7 @@ Enable this policy to specify when devices receive Microsoft Defender security i + The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise. @@ -1992,6 +2113,7 @@ More details: + Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob. @@ -2006,6 +2128,7 @@ Tamper protection helps protect important security features from unwanted change |:--|:--| | Format | chr (string) | | Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | 
@@ -2014,54 +2137,6 @@ Tamper protection helps protect important security features from unwanted change - -### Configuration/TDTFeatureEnabled - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | - - - -```Device -./Device/Vendor/MSFT/Defender/Configuration/TDTFeatureEnabled -``` - - - -This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft. | -| 2 | If you configure this setting to disabled, Intel TDT integration will be turned off. | - - - - - - - - ### Configuration/ThrottleForScheduledScanOnly @@ -2078,6 +2153,7 @@ This policy setting configures the integration level for Intel TDT integration f + A CPU usage limit can be applied to scheduled scans only, or to scheduled and custom scans. The default value applies a CPU usage limit to scheduled scans only. @@ -2126,6 +2202,7 @@ A CPU usage limit can be applied to scheduled scans only, or to scheduled and cu + An interior node to group all threats detected by Windows Defender. @@ -2164,6 +2241,7 @@ An interior node to group all threats detected by Windows Defender. + The ID of a threat that has been detected by Windows Defender. @@ -2203,7 +2281,8 @@ The ID of a threat that has been detected by Windows Defender. -Threat category ID. Supported values: + +Threat category ID. Supported values: | Value | Description | |:--|:--| @@ -2294,6 +2373,7 @@ Threat category ID. Supported values: + Information about the current status of the threat. The following list shows the supported values: | Value | Description | 
@@ -2346,6 +2426,7 @@ Information about the current status of the threat. The following list shows the + Information about the execution status of the threat. @@ -2384,6 +2465,7 @@ Information about the execution status of the threat. + The first time this particular threat was detected. @@ -2422,6 +2504,7 @@ The first time this particular threat was detected. + The last time this particular threat was changed. @@ -2460,6 +2543,7 @@ The last time this particular threat was changed. + The name of the specific threat. @@ -2498,6 +2582,7 @@ The name of the specific threat. + Number of times this threat has been detected on a particular client. @@ -2536,6 +2621,7 @@ Number of times this threat has been detected on a particular client. + Threat severity ID. The following list shows the supported values: | Value | Description | @@ -2582,6 +2668,7 @@ Threat severity ID. The following list shows the supported values: + URL link for additional threat information. @@ -2620,6 +2707,7 @@ URL link for additional threat information. + An interior node to group information about Windows Defender health status. @@ -2658,6 +2746,7 @@ An interior node to group information about Windows Defender health status. + Provide the current state of the device. The following list shows the supported values: | Value | Description | @@ -2705,6 +2794,7 @@ Provide the current state of the device. The following list shows the supported + Indicates whether the Windows Defender service is running. @@ -2743,6 +2833,7 @@ Indicates whether the Windows Defender service is running. + Version number of Windows Defender on the device. @@ -2781,6 +2872,7 @@ Version number of Windows Defender on the device. + Version number of the current Windows Defender engine on the device. 
@@ -2819,6 +2911,7 @@ Version number of the current Windows Defender engine on the device. + Indicates whether a Windows Defender full scan is overdue for the device. A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and catchup Full scans are disabled (default). @@ -2857,6 +2950,7 @@ Indicates whether a Windows Defender full scan is overdue for the device. A Full + Indicates whether a Windows Defender full scan is required. @@ -2895,6 +2989,7 @@ Indicates whether a Windows Defender full scan is required. + Signature version used for the last full scan of the device. @@ -2933,6 +3028,7 @@ Signature version used for the last full scan of the device. + Time of the last Windows Defender full scan of the device. @@ -2971,6 +3067,7 @@ Time of the last Windows Defender full scan of the device. + Indicates whether the device is a virtual machine. @@ -3009,6 +3106,7 @@ Indicates whether the device is a virtual machine. + Indicates whether network protection is running. @@ -3047,6 +3145,7 @@ Indicates whether network protection is running. + Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. Supported product status values: | Value | Description | @@ -3131,6 +3230,7 @@ Provide the current state of the product. This is a bitmask flag value that can + Indicates whether a Windows Defender quick scan is overdue for the device. A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and catchup Quick scans are disabled (default). @@ -3169,6 +3269,7 @@ Indicates whether a Windows Defender quick scan is overdue for the device. A Qui + Signature version used for the last quick scan of the device. @@ -3207,6 +3308,7 @@ Signature version used for the last quick scan of the device. + Time of the last Windows Defender quick scan of the device. 
@@ -3245,6 +3347,7 @@ Time of the last Windows Defender quick scan of the device. + Indicates whether a device reboot is needed. @@ -3283,6 +3386,7 @@ Indicates whether a device reboot is needed. + Indicates whether real-time protection is running. @@ -3321,6 +3425,7 @@ Indicates whether real-time protection is running. + Indicates whether the Windows Defender signature is outdated. @@ -3359,6 +3464,7 @@ Indicates whether the Windows Defender signature is outdated. + Version number of the current Windows Defender signatures on the device. @@ -3397,6 +3503,7 @@ Version number of the current Windows Defender signatures on the device. + Indicates whether the Windows Defender tamper protection feature is enabled. @@ -3435,6 +3542,7 @@ Indicates whether the Windows Defender tamper protection feature is enabled. + OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan. @@ -3474,6 +3582,7 @@ OfflineScan action starts a Microsoft Defender Offline scan on the computer wher + RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command. @@ -3513,6 +3622,7 @@ RollbackEngine action rolls back Microsoft Defender engine to it's last known go + RollbackPlatform action rolls back Microsoft Defender to it's last known good installation location on the computer where you run the command. @@ -3552,6 +3662,7 @@ RollbackPlatform action rolls back Microsoft Defender to it's last known good in + Node that can be used to start a Windows Defender scan on a device. @@ -3573,8 +3684,8 @@ Node that can be used to start a Windows Defender scan on a device. | Value | Description | |:--|:--| -| 1 | quick scan | -| 2 | full scan | +| 1 | Quick scan. | +| 2 | Full scan. | 
@@ -3599,6 +3710,7 @@ Node that can be used to start a Windows Defender scan on a device. + Node that can be used to perform signature updates for Windows Defender. diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 661c491b22..b540c17da8 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/02/2022 +ms.date: 02/17/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; @@ -816,6 +816,7 @@ The following XML file contains the device description framework (DDF) for the D + Follow the instructions provided here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-worldwide @@ -884,6 +885,7 @@ The following XML file contains the device description framework (DDF) for the D + Follow the instructions provided here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-worldwide 
@@ -910,6 +912,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob. @@ -1024,7 +1027,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.14393 - 9.9 + 1.3 @@ -1069,37 +1072,6 @@ The following XML file contains the device description framework (DDF) for the D - - ExcludedIpAddresses - - - - - - - - This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic. - - - - - - - - - - - - - - 10.0.14393 - 1.3 - - - - - - DisableCpuThrottleOnIdleScans @@ -1148,6 +1120,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings @@ -1452,6 +1425,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. @@ -1506,6 +1480,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. 
@@ -1560,6 +1535,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. @@ -1602,6 +1578,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 Enable this policy to disable gradual rollout of Defender updates. @@ -1640,6 +1617,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 This settings controls whether Network Protection is allowed to be configured into block or audit mode on windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored. @@ -1678,6 +1656,7 @@ The following XML file contains the device description framework (DDF) for the D + 1 This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode. @@ -1716,6 +1695,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 This setting disables Inbound connection filtering for Network Protection. @@ -1754,6 +1734,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 This setting disables RDP Parsing for Network Protection. @@ -1792,6 +1773,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 This settings controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection. @@ -1830,6 +1812,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 This setting disables the gathering and send of performance telemetry from Network Protection. 
@@ -1868,6 +1851,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled. @@ -2026,6 +2010,38 @@ The following XML file contains the device description framework (DDF) for the D + + DataDuplicationLocalRetentionPeriod + + + + + + + + 60 + Define the retention period in days of how much time the evidence data will be kept on the client machine should any transfer to the remote locations would occur. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + [1-120] + + + DeviceControlEnabled @@ -2035,6 +2051,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 Control Device Control feature. @@ -2075,6 +2092,7 @@ The following XML file contains the device description framework (DDF) for the D + 1 Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. @@ -2113,6 +2131,7 @@ The following XML file contains the device description framework (DDF) for the D + 0 Setting to control automatic remediation for Sense scans. 
@@ -2147,105 +2166,7 @@ The following XML file contains the device description framework (DDF) for the D - PauseUpdateStartTime - - - - - - - - Pause update from the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. - - - - - - - - - - - - - - 10.0.14393 - 1.3 - - - - - - - PauseUpdateExpirationTime - - - - - - - - Pause update until the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. - - - - - - - - - - - - - - 10.0.14393 - 1.3 - - - - - - - PauseUpdateFlag - - - - - - - - Setting to control automatic remediation for Sense scans. - - - - - - - - - - - - - - 10.0.14393 - 1.3 - - - - 0 - Update not paused - - - 1 - Update paused - - - - - - TDTFeatureEnabled + IntelTDTEnabled @@ -2254,7 +2175,7 @@ The following XML file contains the device description framework (DDF) for the D 0 - This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices. + This policy setting configures the Intel TDT integration level for Intel TDT-capable devices. 
@@ -2274,11 +2195,128 @@ The following XML file contains the device description framework (DDF) for the D 0 - If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft. + If you do not configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat. 2 - If you configure this setting to disabled, Intel TDT integration will be turned off. + If you configure this setting to disabled, Intel TDT integration will turn off. + + + + + + DisableSmtpParsing + + + + + + + + 0 + This setting disables SMTP Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + SMTP parsing is disabled + + + 0 + SMTP parsing is enabled + + + + + + RandomizeScheduleTaskTimes + + + + + + + + 1 + In Microsoft Defender Antivirus, randomize the start time of the scan to any interval from 0 to 23 hours. This can be useful in virtual machines or VDI deployments. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Widen or narrow the randomization period for scheduled scans. Specify a randomization window of between 1 and 23 hours by using the setting SchedulerRandomizationTime. + + + 0 + Scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler. + + + + + + ScanOnlyIfIdleEnabled + + + + + + + + 1 + In Microsoft Defender Antivirus, this setting will run scheduled scans only if the system is idle. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Runs scheduled scans only if the system is idle. + + + 0 + Runs scheduled scans regardless of whether the system is idle. diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index ac1777a84f..4b35dd3c12 100644 
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -1,251 +1,1454 @@ --- title: DevDetail CSP -description: Learn how the DevDetail configuration service provider handles the management object. This CSP provides device-specific parameters to the OMA DM server. -ms.reviewer: +description: Learn more about the DevDetail CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/27/2020 +ms.topic: reference --- + + + # DevDetail CSP -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - + + The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically. > [!NOTE] > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. -For the DevDetail CSP, you can't use the Replace command unless the node already exists. +For the DevDetail CSP, you can't use the Replace command unless the node already exists. The OMA Client Provisioning protocol isn't supported for this configuration service provider. + -The following information shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol isn't supported for this configuration service provider. + +The following list shows the DevDetail configuration service provider nodes: -```console -. 
-DevDetail -----URI ---------MaxDepth ---------MaxTotLen ---------MaxSegLen -----DevTyp -----OEM -----FwV -----SwV -----HwV -----LrgObj -----Ext ---------Microsoft -------------MobileID -------------RadioSwV -------------Resolution -------------CommercializationOperator -------------ProcessorArchitecture -------------ProcessorType -------------OSPlatform -------------LocalTime -------------DeviceName -------------DNSComputerName (Added in Windows 10, version 2004) -------------TotalStorage -------------TotalRAM -------------SMBIOSSerialNumber (Added in Windows 10, version 1809) ---------WLANMACAddress ---------VoLTEServiceSetting ---------WlanIPv4Address ---------WlanIPv6Address ---------WlanDnsSuffix ---------WlanSubnetMask ---------DeviceHardwareData (Added in Windows 10, version 1703) +- ./DevDetail + - [DevTyp](#devtyp) + - [Ext](#ext) + - [DeviceHardwareData](#extdevicehardwaredata) + - [Microsoft](#extmicrosoft) + - [CommercializationOperator](#extmicrosoftcommercializationoperator) + - [DeviceName](#extmicrosoftdevicename) + - [DNSComputerName](#extmicrosoftdnscomputername) + - [FreeStorage](#extmicrosoftfreestorage) + - [LocalTime](#extmicrosoftlocaltime) + - [MobileID](#extmicrosoftmobileid) + - [OSPlatform](#extmicrosoftosplatform) + - [ProcessorArchitecture](#extmicrosoftprocessorarchitecture) + - [ProcessorType](#extmicrosoftprocessortype) + - [RadioSwV](#extmicrosoftradioswv) + - [Resolution](#extmicrosoftresolution) + - [SMBIOSSerialNumber](#extmicrosoftsmbiosserialnumber) + - [SMBIOSVersion](#extmicrosoftsmbiosversion) + - [SystemSKU](#extmicrosoftsystemsku) + - [TotalRAM](#extmicrosofttotalram) + - [TotalStorage](#extmicrosofttotalstorage) + - [VoLTEServiceSetting](#extvolteservicesetting) + - [WlanDnsSuffix](#extwlandnssuffix) + - [WlanIPv4Address](#extwlanipv4address) + - [WlanIPv6Address](#extwlanipv6address) + - [WLANMACAddress](#extwlanmacaddress) + - [WlanSubnetMask](#extwlansubnetmask) + - [FwV](#fwv) + - [HwV](#hwv) + - [LrgObj](#lrgobj) + - 
[OEM](#oem) + - [SwV](#swv) + - [URI](#uri) + - [MaxDepth](#urimaxdepth) + - [MaxSegLen](#urimaxseglen) + - [MaxTotLen](#urimaxtotlen) + + + +## DevTyp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/DevTyp ``` -**DevTyp** -Required. Returns the device model name /SystemProductName as a string. + -Supported operation is Get. + + +Returns the device model name /SystemProductName as a string. + -**OEM** -Required. Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2. + + + -Supported operation is Get. + +**Description framework properties**: -**FwV** -Required. Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion. + + + -Supported operation is Get. + -**SwV** -Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the client device. In the future, the build numbers may converge. + +## Ext -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**HwV** -Required. Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision. + +```Device +./DevDetail/Ext +``` + -For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion. + + +Subtree to hold vendor-specific parameters. + -Supported operation is Get. + + + -**LrgObj** -Required. Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**URI/MaxDepth** -Required. Returns the maximum depth of the management tree that the device supports. The default is zero (0). + + + -Supported operation is Get. + -This value is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth. + +### Ext/DeviceHardwareData -**URI/MaxTotLen** -Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0). + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -Supported operation is Get. + +```Device +./DevDetail/Ext/DeviceHardwareData +``` + -This value is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length. + + +Added in Windows 10 version 1703. Returns a base64 encoded string of the hardware parameters of a device. + -**URI/MaxSegLen** -Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0). + + +> [!NOTE] +> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you can't parse the content to get any meaningful hardware information. + -Supported operation is Get. + +**Description framework properties**: -This value is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + - + + -**Ext/Microsoft/MobileID** -Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that don't have a cellular network support. + -Supported operation is Get. + +### Ext/Microsoft -The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + ---> + +```Device +./DevDetail/Ext/Microsoft +``` + -**Ext/Microsoft/RadioSwV** -Required. Returns the radio stack software version number. + + +Subtree to hold vendor-specific parameters. + -Supported operation is Get. + + + -**Ext/Microsoft/Resolution** -Required. Returns the UI screen resolution of the device (example: "480x800"). + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**Ext/Microsoft/CommercializationOperator** -Required. Returns the name of the mobile operator if it exists. Otherwise, it returns 404. + + + -Supported operation is Get. + -**Ext/Microsoft/ProcessorArchitecture** -Required. Returns the processor architecture of the device as "arm" or "x86". + +#### Ext/Microsoft/CommercializationOperator -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**Ext/Microsoft/ProcessorType** -Required. Returns the processor type of the device as documented in SYSTEM_INFO. + +```Device +./DevDetail/Ext/Microsoft/CommercializationOperator +``` + -Supported operation is Get. + + +Returns the name of the mobile operator if it exists; otherwise it returns 404. + -**Ext/Microsoft/OSPlatform** -Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName. + + + -Supported operation is Get. + +**Description framework properties**: -**Ext/Microsoft/LocalTime** -Required. Returns the client local time in ISO 8601 format. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Supported operation is Get. + + + -**Ext/Microsoft/DeviceName** -Required. Contains the user-specified device name. + -Replace operation isn't supported in Windows client or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name doesn't take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs. + +#### Ext/Microsoft/DeviceName -Value type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get and Replace. + +```Device +./DevDetail/Ext/Microsoft/DeviceName +``` + -**Ext/Microsoft/DNSComputerName** -Added in Windows 10, version 2004. This node specifies the DNS computer name for a device. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 63 characters. This node replaces the **Domain/ComputerName** node in [Accounts CSP](accounts-csp.md). + + +Contains the user-specified device name. Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs. + -The following are the available naming macros: + + + -| Macro | Description | Example | Generated Name | -| -------| -------| -------| -------| -| %RAND:<# of digits> | Generates the specified number of random digits. | `Test%RAND:6%` | Test123456| -| %SERIAL% | Generates the serial number derived from the device. If the serial number causes the new name to exceed the 63 character limit, the serial number will be truncated from the beginning of the sequence.| `Test-Device-%SERIAL%` | Test-Device-456| + +**Description framework properties**: -Value type is string. Supported operations are Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Reboot Behavior | Automatic | + + + + + + + + + +#### Ext/Microsoft/DNSComputerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./DevDetail/Ext/Microsoft/DNSComputerName +``` + + + + +This node specifies the DNS name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:`<# of digits>`% and %SERIAL%. Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. If both macros are in the string, the RANDOM macro will take priority over the SERIAL macro (SERIAL will be ignored). The server must explicitly reboot the device for this value to take effect. This value has a maximum allowed length of 63 characters as per DNS standards. + + + + + This node replaces the **Domain/ComputerName** node in [Accounts CSP](accounts-csp.md). > [!NOTE] > We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment. On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the computer's serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit doesn't count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**. 
+ -**Ext/Microsoft/TotalRAM** -Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory). + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Reboot Behavior | ServerInitiated | + -**Ext/Microsoft/SMBIOSSerialNumber** -Added in Windows 10, version 1809. SMBIOS Serial Number of the device. + + + -Value type is string. Supported operation is Get. + -**Ext/WLANMACAddress** -The MAC address of the active WLAN connection, as a 12-digit hexadecimal number. + +#### Ext/Microsoft/FreeStorage -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + +```Device +./DevDetail/Ext/Microsoft/FreeStorage +``` + + + + +Total free storage in MB from first internal drive on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/LocalTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/LocalTime +``` + + + + +Returns the client local time in ISO 8601 format. Example: 2003-06-16. T18:37:44Z. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/MobileID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/MobileID +``` + + + + +Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support. The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/OSPlatform + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/OSPlatform +``` + + + + +Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/ProcessorArchitecture + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/ProcessorArchitecture +``` + + + + +Returns the processor architecture of the device as "arm" or "x86". + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/ProcessorType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/ProcessorType +``` + + + + +Returns the processor type of the device as documented in SYSTEM_INFO. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/RadioSwV + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/RadioSwV +``` + + + + +Returns the radio stack software version number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/Resolution + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/Microsoft/Resolution +``` + + + + +Resolution of the device in the format of WidthxLength (e.g., "400x800"). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/SMBIOSSerialNumber + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./DevDetail/Ext/Microsoft/SMBIOSSerialNumber +``` + + + + +SMBIOS Serial Number of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/SMBIOSVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1387] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1387] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1387] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1387] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./DevDetail/Ext/Microsoft/SMBIOSVersion +``` + + + + +SMBIOS version of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Ext/Microsoft/SystemSKU + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./DevDetail/Ext/Microsoft/SystemSKU
+```
+
+
+
+
+Returns the System SKU, as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Ext/Microsoft/TotalRAM
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./DevDetail/Ext/Microsoft/TotalRAM
+```
+
+
+
+
+Total available memory in MB on the device (may be less than total physical memory).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Ext/Microsoft/TotalStorage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./DevDetail/Ext/Microsoft/TotalStorage
+```
+
+
+
+
+Total available storage in MB from first internal drive on the device (may be less than total physical storage). Available for Windows Mobile only.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Ext/VoLTEServiceSetting
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./DevDetail/Ext/VoLTEServiceSetting
+```
+
+
+
+
+The VoLTE service setting on or off. Only exposed to Mobile Operator-based OMA-DM servers.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Ext/WlanDnsSuffix
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./DevDetail/Ext/WlanDnsSuffix
+```
+
+
+
+
+The DNS suffix of the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Ext/WlanIPv4Address
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./DevDetail/Ext/WlanIPv4Address
+```
+
+
+
+
+The IPv4 address of the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Ext/WlanIPv6Address
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./DevDetail/Ext/WlanIPv6Address
+```
+
+
+
+
+The IPv6 address of the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Ext/WLANMACAddress
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/Ext/WLANMACAddress +``` + + + + +The MAC address of the active WiFi connection. + + + + > [!NOTE] -> This isn't supported in Windows 10 for desktop editions. +> This isn't supported in Windows 10 for desktop editions. + -**Ext/VoLTEServiceSetting** -Returns the VoLTE service to on or off. This setting is only exposed to mobile operator OMA-DM servers. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**Ext/WlanIPv4Address** -Returns the IPv4 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA DM servers. + + + -Supported operation is Get. + -**Ext/WlanIPv6Address** -Returns the IPv6 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA-DM servers. + +### Ext/WlanSubnetMask -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-**Ext/WlanDnsSuffix**
-Returns the DNS suffix of the active Wi-Fi connection. This suffix is only exposed to enterprise OMA-DM servers.
+
+```Device
+./DevDetail/Ext/WlanSubnetMask
+```
+
-Supported operation is Get.
+
+
+The subnet mask for the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers.
+
-**Ext/WlanSubnetMask**
-Returns the subnet mask for the active Wi-Fi connection. This subnet mask is only exposed to enterprise OMA-DM servers.
+
+
+
-Supported operation is Get.
+
+**Description framework properties**:
-**Ext/DeviceHardwareData**
-Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
-> [!NOTE]
-> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you can't parse the content to get any meaningful hardware information.
+
+
+
-Supported operation is Get.
+
+
+
+## FwV
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./DevDetail/FwV
+```
+
+
+
+
+Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision. For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## HwV
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./DevDetail/HwV
+```
+
+
+
+
+Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision. For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## LrgObj
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./DevDetail/LrgObj
+```
+
+
+
+
+Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## OEM
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./DevDetail/OEM
+```
+
+
+
+
+Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## SwV
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./DevDetail/SwV
+```
+
+
+
+
+Returns the Windows 10 OS software version in the format MajorVersion. MinorVersion. BuildNumber. QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## URI
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./DevDetail/URI
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### URI/MaxDepth
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./DevDetail/URI/MaxDepth
+```
+
+
+
+
+Returns the maximum depth of the management tree that the device supports. The default is zero (0). This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### URI/MaxSegLen
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./DevDetail/URI/MaxSegLen
+```
+
+
+
+
+Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0). This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### URI/MaxTotLen
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevDetail/URI/MaxTotLen +``` + + + + +Returns the maximum total length of any URI used to address a node or node property. The default is zero (0). This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + + + + + ## Related articles -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 701008751e..143225fc55 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md 
@@ -1,31 +1,29 @@ --- title: DevDetail DDF file -description: Learn about the OMA DM device description framework (DDF) for the DevDetail configuration service provider. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the DevDetail configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/03/2020 +ms.topic: reference --- + + # DevDetail DDF file -This topic shows the OMA DM device description framework (DDF) for the **DevDetail** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the DevDetail configuration service provider. ```xml -]> +]> 1.2 + + DevDetail . @@ -33,6 +31,7 @@ The XML below is the current version for this CSP. + The DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. @@ -43,8 +42,13 @@ The XML below is the current version for this CSP. - urn:oma:mo:oma-dm-devdetail:1.2 + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + URI @@ -62,7 +66,7 @@ The XML below is the current version for this CSP. - + 
@@ -71,6 +75,7 @@ The XML below is the current version for this CSP. + Returns the maximum depth of the management tree that the device supports. The default is zero (0). This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth. @@ -81,7 +86,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -91,6 +96,7 @@ The XML below is the current version for this CSP. + Returns the maximum total length of any URI used to address a node or node property. The default is zero (0). This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length. @@ -101,7 +107,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -111,6 +117,7 @@ The XML below is the current version for this CSP. + Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0). This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length. @@ -121,7 +128,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -132,7 +139,7 @@ The XML below is the current version for this CSP. - Device model name, as specified and tracked by the manufacturer + Returns the device model name /SystemProductName as a string. @@ -143,7 +150,7 @@ The XML below is the current version for this CSP. - text/plain +
    @@ -153,7 +160,7 @@ The XML below is the current version for this CSP. - Name of OEM + Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2. @@ -164,7 +171,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -174,7 +181,7 @@ The XML below is the current version for this CSP. - Provide the version of OEM ROM region. + Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision. For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion. @@ -185,7 +192,28 @@ The XML below is the current version for this CSP. - text/plain + + + + + + SwV + + + + + Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge. + + + + + + + + + + + @@ -195,7 +223,7 @@ The XML below is the current version for this CSP. - Returns the hardware version. + Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision. For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion. @@ -206,7 +234,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -216,9 +244,7 @@ The XML below is the current version for this CSP. - - Large object isn't supported. The data for this node is "false". - + Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2. 
@@ -229,7 +255,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -250,7 +276,7 @@ The XML below is the current version for this CSP. - + @@ -270,7 +296,7 @@ The XML below is the current version for this CSP. - + @@ -279,7 +305,7 @@ The XML below is the current version for this CSP. - Indicates the subscriber ID registered with the cellular network. For GSM and UMTS networks, the value returned is the IMSI value; for other networks, SyncML Status code 404 is returned. + Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support. The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element. @@ -290,7 +316,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -300,7 +326,7 @@ The XML below is the current version for this CSP. - Version of the software radio stack + Returns the radio stack software version number. @@ -311,7 +337,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -332,7 +358,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -342,7 +368,7 @@ The XML below is the current version for this CSP. - Name of operator with whom the device was commercialized. + Returns the name of the mobile operator if it exists; otherwise it returns 404. @@ -353,7 +379,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -363,7 +389,7 @@ The XML below is the current version for this CSP. - Processor architecture of the device, as returned by the GetSystemInfo API. + Returns the processor architecture of the device as "arm" or "x86". @@ -374,7 +400,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -384,7 +410,7 @@ The XML below is the current version for this CSP. - Processor type of the device, as returned by the GetSystemInfo API. + Returns the processor type of the device as documented in SYSTEM_INFO. @@ -395,7 +421,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -405,7 +431,7 @@ The XML below is the current version for this CSP. - Name of the operating system platform. + Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName. @@ -416,7 +442,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -426,7 +452,7 @@ The XML below is the current version for this CSP. - Returns the UTC time formatted per ISO8601. Example: 2003-06-16T18:37:44Z. + Returns the client local time in ISO 8601 format. Example: 2003-06-16T18:37:44Z. @@ -437,7 +463,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -448,7 +474,7 @@ The XML below is the current version for this CSP. - User-specified device name + Contains the user-specified device name. Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs. @@ -459,8 +485,11 @@ The XML below is the current version for this CSP. - text/plain + + + + Automatic 
@@ -470,7 +499,7 @@ The XML below is the current version for this CSP. - This node specifies the DNS name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:<# of digits>% and %SERIAL%. Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. If both macros are in the string, the RANDOM macro will take priority over the SERIAL macro (SERIAL will be ignored). The server must explicitly reboot the device for this value to take effect. This value has a maximum allowed length of 63 characters as per DNS standards. + % and %SERIAL%. Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. If both macros are in the string, the RANDOM macro will take priority over the SERIAL macro (SERIAL will be ignored). The server must explicitly reboot the device for this value to take effect. This value has a maximum allowed length of 63 characters as per DNS standards.]]> @@ -481,8 +510,15 @@ The XML below is the current version for this CSP. - text/plain + + + 10.0.19041 + 1.2 + + + + ServerInitiated @@ -502,7 +538,28 @@ The XML below is the current version for this CSP. - text/plain + + + + + + FreeStorage + + + + + Total free storage in MB from first internal drive on the device. + + + + + + + + + + + @@ -523,7 +580,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -544,7 +601,57 @@ The XML below is the current version for this CSP. - text/plain + + + + 10.0.17763 + 1.2 + + + + + SMBIOSVersion + + + + + SMBIOS version of the device. + + + + + + + + + + + + + + 10.0.22000, 10.0.19041.1387, 10.0.19042.1387, 10.0.19043.1387, 10.0.19044.1387 + 1.2 + + + + + SystemSKU + + + + + Returns the System SKU, as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU. + + + + + + + + + + + @@ -566,7 +673,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -587,7 +694,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -608,7 +715,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -629,7 +736,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -650,7 +757,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -671,7 +778,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -692,12 +799,19 @@ The XML below is the current version for this CSP. - text/plain + + + 10.0.15063 + 1.1 + - ``` + +## Related articles + +[DevDetail configuration service provider reference](devdetail-csp.md) diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md index ba8c8543ab..8ce716e6e3 100644 --- a/windows/client-management/mdm/devicemanageability-csp.md +++ b/windows/client-management/mdm/devicemanageability-csp.md 
@@ -1,81 +1,320 @@ --- title: DeviceManageability CSP -description: Learn how the DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device. -ms.reviewer: +description: Learn more about the DeviceManageability CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/01/2017 +ms.topic: reference --- + + + # DeviceManageability CSP -The table below shows the applicability of Windows: + + +The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value `csp_version` is used to determine each of the CSP versions. The `csp_version` is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for `CFGMGR_PROPERTY_SEMANTICTYPE` has to be updated to read from the registry as well, so that both the paths return the same information. + -The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607. + +The following list shows the DeviceManageability configuration service provider nodes: -For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. 
The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that both the paths return the same information. +- ./Device/Vendor/MSFT/DeviceManageability + - [Capabilities](#capabilities) + - [CSPVersions](#capabilitiescspversions) + - [Provider](#provider) + - [{ProviderID}](#providerproviderid) + - [ConfigInfo](#providerprovideridconfiginfo) + - [EnrollmentInfo](#providerprovideridenrollmentinfo) + - [PayloadTransfer](#providerprovideridpayloadtransfer) + -The following example shows the DeviceManageability configuration service provider in a tree format. + +## Capabilities + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/DeviceManageability/Capabilities ``` -./Device/Vendor/MSFT -DeviceManageability -----Capabilities ---------CSPVersions -----Provider (Added in Windows 10, version 1709) ---------ProviderID (Added in Windows 10, version 1709) -------------ConfigInfo (Added in Windows 10, version 1709) -------------EnrollmentInfo (Added in Windows 10, version 1709) + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Capabilities/CSPVersions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/DeviceManageability/Capabilities/CSPVersions ``` + -**./Device/Vendor/MSFT/DeviceManageability** -Root node to group information about runtime MDM configuration capability on the target device. + + +Returns the versions of all configuration service providers (CSP) for MDM. + -**Capabilities** -Interior node. + + + -**Capabilities/CSPVersions** -Returns the versions of all configuration service providers supported on the device for the MDM service. + +**Description framework properties**: -**Provider** -Added in Windows 10, version 1709. Interior node. +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Get | + -**Provider/_ProviderID_** -Added in Windows 10, version 1709. Provider ID of the configuration source. ProviderID should be unique among the different config sources. + + + -**Provider/_ProviderID_/ConfigInfo** -Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to use during sync session. + -ConfigInfo value can only be set by the provider that owns the ProviderID. The value is readable by other config sources. + +## Provider -Data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -Supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/DeviceManageability/Provider +``` + -**Provider/_ProviderID_/EnrollmentInfo** -Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It's readable by MDM server during sync session. + + + -Data type is string. + + + -Supported operations are Add, Get, Delete, and Replace.  + +**Description framework properties**: -## Related topics +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -[Configuration service provider reference](index.yml) + + + + + +### Provider/{ProviderID} + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + +```Device +./Device/Vendor/MSFT/DeviceManageability/Provider/{ProviderID} +``` + + + +Provider ID String of the Configuration Source. + + + + +Provider ID should be unique among the different config sources. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: Provider ID String of the Configuration Source | + + + + + + + + + +#### Provider/{ProviderID}/ConfigInfo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/DeviceManageability/Provider/{ProviderID}/ConfigInfo +``` + + + + +Configuration Info string value set by the config source. Recommended to be used during sync session. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Provider/{ProviderID}/EnrollmentInfo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/DeviceManageability/Provider/{ProviderID}/EnrollmentInfo +``` + + + + +Enrollment Info string value set by the config source. Recommended to sent to server during MDM enrollment. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Provider/{ProviderID}/PayloadTransfer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DeviceManageability/Provider/{ProviderID}/PayloadTransfer +``` + + + + +Payload Transfer string value set by the config source. Recommended to be used during sync session. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md index 8854d21cfc..3436c3b0bb 100644 --- a/windows/client-management/mdm/devicemanageability-ddf.md +++ b/windows/client-management/mdm/devicemanageability-ddf.md 
@@ -1,41 +1,85 @@ --- -title: DeviceManageability DDF -description: This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607. -ms.reviewer: +title: DeviceManageability DDF file +description: View the XML file containing the device description framework (DDF) for the DeviceManageability configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- -# DeviceManageability DDF + +# DeviceManageability DDF file -This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 1709. +The following XML file contains the device description framework (DDF) for the DeviceManageability configuration service provider. ```xml -]> +]> 1.2 + + + + DeviceManageability + ./Device/Vendor/MSFT + + + + + + + Root node to group information about runtime MDM configuration capability on the target device. + + + + + + + + + + + + + + 10.0.14393 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Capabilities + + + + + + + + + + + + + + + + + - DeviceManageability - ./Device/Vendor/MSFT + CSPVersions + Returns the versions of all configuration service providers (CSP) for MDM. - + 
@@ -44,60 +88,74 @@ The XML below is for Windows 10, version 1709. - com.microsoft/1.1/MDM/DeviceManageability + + + + + Provider + + + + + + + + + + + + + + Provider + + + + + 10.0.17134 + 1.1 + + + + + + + + + + + + Provider ID String of the Configuration Source + + + + + + + + + + ProviderID + + + + + Provider ID String of the Configuration Source + + - Capabilities + ConfigInfo - - - - - - - - - - - - - - - - - CSPVersions - - - - - Returns the versions of all configuration service providers (CSP) for MDM. - - - - - - - - - - - text/plain - - - - - - Provider - - - + + + Configuration Info string value set by the config source. Recommended to be used during sync session. - + @@ -105,96 +163,78 @@ The XML below is for Windows 10, version 1709. - Provider + ConfigInfo - + + + + + + + PayloadTransfer + + + + + + + + Payload Transfer string value set by the config source. Recommended to be used during sync session. + + + + + + + + + + PayloadTransfer + + + + + 10.0.22621, 10.0.22000.918, 10.0.19044.2193, 10.0.19043.2193, 10.0.19042.2193 + 1.1 + + + + + + + EnrollmentInfo + + + + + + + + Enrollment Info string value set by the config source. Recommended to sent to server during MDM enrollment. + + + + + + + + + + EnrollmentInfo + + + + + - - - - - - - - - Provider ID String of the Configuration Source - - - - - - - - - - ProviderID - - - - - - ConfigInfo - - - - - - - - Configuration Info string value set by the config source. Recommended to be used during sync session. - - - - - - - - - - ConfigInfo - - text/plain - - - - - EnrollmentInfo - - - - - - - - Enrollment Info string value set by the config source. Recommended to sent to server during MDM enrollment. - - - - - - - - - - EnrollmentInfo - - text/plain - - - - + + ``` -  - -  - - - - - +## Related articles +[DeviceManageability configuration service provider reference](devicemanageability-csp.md) 
diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md new file mode 100644 index 0000000000..35028e068e --- /dev/null +++ b/windows/client-management/mdm/devicepreparation-csp.md @@ -0,0 +1,342 @@ +--- +title: DevicePreparation CSP +description: Learn more about the DevicePreparation CSP. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/28/2023 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# DevicePreparation CSP + +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + + + + + + +The following list shows the DevicePreparation configuration service provider nodes: + +- ./Device/Vendor/MSFT/DevicePreparation + - [BootstrapperAgent](#bootstrapperagent) + - [ClassID](#bootstrapperagentclassid) + - [ExecutionContext](#bootstrapperagentexecutioncontext) + - [InstallationStatusUri](#bootstrapperagentinstallationstatusuri) + - [PageEnabled](#pageenabled) + - [PageSettings](#pagesettings) + - [PageStatus](#pagestatus) + + + +## BootstrapperAgent + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent +``` + + + + +The subnodes configure settings for the Bootstrapper Agent. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### BootstrapperAgent/ClassID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent/ClassID +``` + + + + +This node stores the class ID for the Bootstrapper Agent WinRT object. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### BootstrapperAgent/ExecutionContext + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent/ExecutionContext +``` + + + + +This node holds opaque data that will be passed to the Bootstrapper Agent as a parameter when it is invoked to execute. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### BootstrapperAgent/InstallationStatusUri + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent/InstallationStatusUri +``` + + + + +This node holds a URI that can be queried for the status of the Bootstrapper Agent installation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +## PageEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/PageEnabled +``` + + + + +This node determines whether to enable or show the Device Preparation page. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | The page is not enabled. | +| true | The page is enabled. | + + + + + + + + + +## PageSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/PageSettings +``` + + + + +This node configures specific settings for the Device Preparation page. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +## PageStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/PageStatus +``` + + + + +This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = Succeeded; 4 = Failed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 | Enabled. | +| 2 | InProgress. | +| 3 | Succeeded. | +| 4 | Failed. | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md new file mode 100644 index 0000000000..e10e6a1a49 --- /dev/null +++ b/windows/client-management/mdm/devicepreparation-ddf-file.md 
@@ -0,0 +1,252 @@ +--- +title: DevicePreparation DDF file +description: View the XML file containing the device description framework (DDF) for the DevicePreparation configuration service provider. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/17/2023 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + +# DevicePreparation DDF file + +The following XML file contains the device description framework (DDF) for the DevicePreparation configuration service provider. + +```xml + +]> + + 1.2 + + + + DevicePreparation + ./Device/Vendor/MSFT + + + + + Parent node for the CSP. + + + + + + + + + + + + + + 99.9.99999 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + PageEnabled + + + + + + false + This node determines whether to enable or show the Device Preparation page. + + + + + + + + + + + + + + + false + The page is not enabled + + + true + The page is enabled + + + + + + PageStatus + + + + + This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = Succeeded; 4 = Failed. + + + + + + + + + + + + + + + 0 + Disabled + + + 1 + Enabled + + + 2 + InProgress + + + 3 + Succeeded + + + 4 + Failed + + + + + + PageSettings + + + + + + This node configures specific settings for the Device Preparation page. + + + + + + + + + + + + + + + + + + BootstrapperAgent + + + + + The subnodes configure settings for the Bootstrapper Agent. + + + + + + + + + + + + + + + ClassID + + + + + + This node stores the class ID for the Bootstrapper Agent WinRT object. + + + + + + + + + + + + + + + + + + ExecutionContext + + + + + + This node holds opaque data that will be passed to the Bootstrapper Agent as a parameter when it is invoked to execute. 
+ + + + + + + + + + + + + + + + + + InstallationStatusUri + + + + + + This node holds a URI that can be queried for the status of the Bootstrapper Agent installation. + + + + + + + + + + + + + + + + + + + +``` + +## Related articles + +[DevicePreparation configuration service provider reference](devicepreparation-csp.md) diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 0f4c3a631c..dc7f201767 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md 
@@ -1,375 +1,2057 @@ --- title: DeviceStatus CSP -description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise. -ms.reviewer: +description: Learn more about the DeviceStatus CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/25/2021 +ms.topic: reference --- + + + # DeviceStatus CSP -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +The following list shows the DeviceStatus configuration service provider nodes: -The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies. 
+- ./Vendor/MSFT/DeviceStatus + - [Antispyware](#antispyware) + - [SignatureStatus](#antispywaresignaturestatus) + - [Status](#antispywarestatus) + - [Antivirus](#antivirus) + - [SignatureStatus](#antivirussignaturestatus) + - [Status](#antivirusstatus) + - [Battery](#battery) + - [EstimatedChargeRemaining](#batteryestimatedchargeremaining) + - [EstimatedRuntime](#batteryestimatedruntime) + - [Status](#batterystatus) + - [CellularIdentities](#cellularidentities) + - [{IMEI}](#cellularidentitiesimei) + - [CommercializationOperator](#cellularidentitiesimeicommercializationoperator) + - [ICCID](#cellularidentitiesimeiiccid) + - [IMSI](#cellularidentitiesimeiimsi) + - [PhoneNumber](#cellularidentitiesimeiphonenumber) + - [RoamingCompliance](#cellularidentitiesimeiroamingcompliance) + - [RoamingStatus](#cellularidentitiesimeiroamingstatus) + - [CertAttestation](#certattestation) + - [MDMClientCertAttestation](#certattestationmdmclientcertattestation) + - [Compliance](#compliance) + - [EncryptionCompliance](#complianceencryptioncompliance) + - [DeviceGuard](#deviceguard) + - [HypervisorEnforcedCodeIntegrityStatus](#deviceguardhypervisorenforcedcodeintegritystatus) + - [LsaCfgCredGuardStatus](#deviceguardlsacfgcredguardstatus) + - [SystemGuardStatus](#deviceguardsystemguardstatus) + - [VirtualizationBasedSecurityHwReq](#deviceguardvirtualizationbasedsecurityhwreq) + - [VirtualizationBasedSecurityStatus](#deviceguardvirtualizationbasedsecuritystatus) + - [DMA](#dma) + - [BootDMAProtectionStatus](#dmabootdmaprotectionstatus) + - [DomainName](#domainname) + - [Firewall](#firewall) + - [Status](#firewallstatus) + - [NetworkIdentifiers](#networkidentifiers) + - [{MacAddress}](#networkidentifiersmacaddress) + - [IPAddressV4](#networkidentifiersmacaddressipaddressv4) + - [IPAddressV6](#networkidentifiersmacaddressipaddressv6) + - [IsConnected](#networkidentifiersmacaddressisconnected) + - [Type](#networkidentifiersmacaddresstype) + - [OS](#os) + - [Edition](#osedition) + - 
[Mode](#osmode) + - [SecureBootState](#securebootstate) + - [TPM](#tpm) + - [ManufacturerId](#tpmmanufacturerid) + - [ManufacturerIdTxt](#tpmmanufactureridtxt) + - [ManufacturerVersion](#tpmmanufacturerversion) + - [SpecificationVersion](#tpmspecificationversion) + - [UAC](#uac) + - [Status](#uacstatus) + -The following example shows the DeviceStatus configuration service provider in tree format. + +## Antispyware + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Antispyware ``` -./Vendor/MSFT -DeviceStatus -----SecureBootState -----CellularIdentities ---------IMEI -------------IMSI -------------ICCID -------------PhoneNumber -------------CommercializationOperator -------------RoamingStatus -------------RoamingCompliance -----NetworkIdentifiers ---------MacAddress -------------IPAddressV4 -------------IPAddressV6 -------------IsConnected -------------Type -----Compliance ---------EncryptionCompliance -----TPM ---------SpecificationVersion -----OS ---------Edition ---------Mode -----Antivirus ---------SignatureStatus ---------Status -----Antispyware ---------SignatureStatus ---------Status -----Firewall ---------Status -----UAC ---------Status -----Battery ---------Status ---------EstimatedChargeRemaining ---------EstimatedRuntime -----DomainName -----DeviceGuard ---------VirtualizationBasedSecurityHwReq ---------VirtualizationBasedSecurityStatus ---------LsaCfgCredGuardStatus -----CertAttestation ---------MDMClientCertAttestation + + + + +Node for the antispyware query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Antispyware/SignatureStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Antispyware/SignatureStatus ``` + -**DeviceStatus** -The root node for the DeviceStatus configuration service provider. - -**DeviceStatus/SecureBootState** -Indicates whether secure boot is enabled. The value is one of the following values: - -- 0 - Not supported -- 1 - Enabled -- 2 - Disabled - -Supported operation is Get. - -**DeviceStatus/CellularIdentities** -Required. Node for queries on the SIM cards. - ->[!NOTE] ->Multiple SIMs are supported. - -**DeviceStatus/CellularIdentities/***IMEI* -The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device. - -**DeviceStatus/CellularIdentities/*IMEI*/IMSI** -The International Mobile Subscriber Identity (IMSI) associated with the IMEI number. - -Supported operation is Get. - -**DeviceStatus/CellularIdentities/*IMEI*/ICCID** -The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number. - -Supported operation is Get. - -**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber** -Phone number associated with the specific IMEI number. - -Supported operation is Get. - -**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator** -The mobile service provider or mobile operator associated with the specific IMEI number. - -Supported operation is Get. - -**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus** -Indicates whether the SIM card associated with the specific IMEI number is roaming. - -Supported operation is Get. - -**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance** -Boolean value that indicates compliance with the enforced enterprise roaming policy. - -Supported operation is Get. - -**DeviceStatus/NetworkIdentifiers** -Node for queries on network and device properties. 
- -**DeviceStatus/NetworkIdentifiers/***MacAddress* -MAC address of the wireless network card. A MAC address is present for each network card on the device. - -**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4** -IPv4 address of the network card associated with the MAC address. - -Supported operation is Get. - -**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6** -IPv6 address of the network card associated with the MAC address. - -Supported operation is Get. - -**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected** -Boolean value that indicates whether the network card associated with the MAC address has an active network connection. - -Supported operation is Get. - -**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type** -Type of network connection. The value is one of the following values: - -- 2 - WLAN (or other Wireless interface) -- 1 - LAN (or other Wired interface) -- 0 - Unknown - -Supported operation is Get. - -**DeviceStatus/Compliance** -Node for the compliance query. - -**DeviceStatus/Compliance/EncryptionCompliance** -Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values: - -- 0 - Not encrypted -- 1 - Encrypted - -Supported operation is Get. - -**DeviceStatus/TPM** -Added in Windows, version 1607. Node for the TPM query. - -Supported operation is Get. - -**DeviceStatus/TPM/SpecificationVersion** -Added in Windows, version 1607. String that specifies the specification version. - -Supported operation is Get. - -**DeviceStatus/OS** -Added in Windows, version 1607. Node for the OS query. - -Supported operation is Get. - -**DeviceStatus/OS/Edition** -Added in Windows, version 1607. String that specifies the OS edition. - -Supported operation is Get. - -**DeviceStatus/OS/Mode** -Added in Windows, version 1803. Read only node that specifies the device mode. - -Valid values: - -- 0 - The device is in standard configuration. 
-- 1 - The device is in S mode configuration. - -Supported operation is Get. - -**DeviceStatus/Antivirus** -Added in Windows, version 1607. Node for the antivirus query. - -Supported operation is Get. - -**DeviceStatus/Antivirus/SignatureStatus** -Added in Windows, version 1607. Integer that specifies the status of the antivirus signature. - -Valid values: - -- 0 - The security software reports that it isn't the most recent version. -- 1 (default) - The security software reports that it's the most recent version. -- 2 – Not applicable. It is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) - -Supported operation is Get. - -If more than one antivirus provider is active, this node returns: - -- 1 – If every active antivirus provider has a valid signature status. -- 0 – If any of the active antivirus providers has an invalid signature status. - -This node also returns 0 when no antivirus provider is active. - -**DeviceStatus/Antivirus/Status** -Added in Windows, version 1607. Integer that specifies the status of the antivirus. - -Valid values: - -- 0 – Antivirus is on and monitoring. -- 1 – Antivirus is disabled. -- 2 – Antivirus isn't monitoring the device/PC or some options have been turned off. -- 3 (default) – Antivirus is temporarily not completely monitoring the device/PC. -- 4 – Antivirus not applicable for this device. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) - -Supported operation is Get. - -**DeviceStatus/Antispyware** -Added in Windows, version 1607. Node for the anti-spyware query. - -Supported operation is Get. - -**DeviceStatus/Antispyware/SignatureStatus** -Added in Windows, version 1607. Integer that specifies the status of the anti-spyware signature. - -Valid values: - -- 0 - The security software reports that it isn't the most recent version. -- 1 - The security software reports that it's the most recent version. -- 2 - Not applicable. 
This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) - -Supported operation is Get. - -If more than one anti-spyware provider is active, this node returns: - -- 1 – If every active anti-spyware provider has a valid signature status. -- 0 – If any of the active anti-spyware providers has an invalid signature status. + + +Integer that specifies the status of the antispyware signature. Valid values: 0 - The security software reports that it is not the most recent version. 1 - The security software reports that it is the most recent version. 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn't exist.) If more than one antispyware provider is active, this node returns: 1 - If every active antispyware provider has a valid signature status. 0 - If any of the active antispyware providers has an invalid signature status. + + + This node also returns 0 when no anti-spyware provider is active. + -**DeviceStatus/Antispyware/Status** -Added in Windows, version 1607. Integer that specifies the status of the anti-spyware. + +**Description framework properties**: -Valid values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 1 | + -- 0 - The status of the security provider category is good and doesn't need user attention. -- 1 - The status of the security provider category isn't monitored by Windows Security. -- 2 - The status of the security provider category is poor and the computer may be at risk. -- 3 - The security provider category is in snooze state. Snooze indicates that the Windows Security Service isn't actively protecting the computer. + + + -Supported operation is Get. + -**DeviceStatus/Firewall** -Added in Windows, version 1607. Node for the firewall query. + +### Antispyware/Status -Supported operation is Get. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -**DeviceStatus/Firewall/Status** -Added in Windows, version 1607. Integer that specifies the status of the firewall. + +```Device +./Vendor/MSFT/DeviceStatus/Antispyware/Status +``` + -Valid values: + + +Integer that specifies the status of the antispyware. Valid values: 0 - The status of the security provider category is good and does not need user attention. 1 - The status of the security provider category is not monitored by Windows Security Center (WSC). 2 - The status of the security provider category is poor and the computer may be at risk. 3 - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer. + -- 0 – Firewall is on and monitoring. -- 1 – Firewall has been disabled. -- 2 – Firewall isn't monitoring all networks or some rules have been turned off. -- 3 (default) – Firewall is temporarily not monitoring all networks. -- 4 – Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) + + + -Supported operation is Get. + +**Description framework properties**: -**DeviceStatus/UAC** -Added in Windows, version 1607. Node for the UAC query. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 3 | + -Supported operation is Get. + + + -**DeviceStatus/UAC/Status** -Added in Windows, version 1607. Integer that specifies the status of the UAC. + -Supported operation is Get. + +## Antivirus -**DeviceStatus/Battery** -Added in Windows, version 1607. Node for the battery query. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -Supported operation is Get. + +```Device +./Vendor/MSFT/DeviceStatus/Antivirus +``` + -**DeviceStatus/Battery/Status** -Added in Windows, version 1607. Integer that specifies the status of the battery + + +Node for the antivirus query. + -Supported operation is Get. + + + -**DeviceStatus/Battery/EstimatedChargeRemaining** -Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). + +**Description framework properties**: -The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported operation is Get. + + + -**DeviceStatus/Battery/EstimatedRuntime** -Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). + -The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1. + +### Antivirus/SignatureStatus -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -**DeviceStatus/DomainName** -Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device isn't domain-joined, it returns an empty string. + +```Device +./Vendor/MSFT/DeviceStatus/Antivirus/SignatureStatus +``` + -Supported operation is Get. + + +Integer that specifies the status of the antivirus signature. Valid values: 0 - The security software reports that it is not the most recent version. 1 (default) - The security software reports that it is the most recent version. 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn't exist.) If more than one antivirus provider is active, this node returns: 1 - If every active antivirus provider has a valid signature status. 0 - If any of the active antivirus providers has an invalid signature status. + -**DeviceStatus/DeviceGuard** -Added in Windows, version 1709. Node for Device Guard query. + + +This node also returns 0 when no antivirus provider is active. + -Supported operation is Get. + +**Description framework properties**: -**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq** -Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 1 | + -- 0x0: System meets hardware configuration requirements -- 0x1: SecureBoot required -- 0x2: DMA Protection required -- 0x4: HyperV not supported for Guest VM -- 0x8: HyperV feature isn't available + + + -Supported operation is Get. + -**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus** -Added in Windows, version 1709. Virtualization-based security status. 
Value is one of the following: + +### Antivirus/Status -- 0 - Running -- 1 - Reboot required -- 2 - 64-bit architecture required -- 3 - Not licensed -- 4 - Not configured -- 5 - System doesn't meet hardware requirements -- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -Supported operation is Get. + +```Device +./Vendor/MSFT/DeviceStatus/Antivirus/Status +``` + -**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus** -Added in Windows, version 1709. Local System Authority (LSA) credential guard status. + + +Integer that specifies the status of the antivirus. Valid values: 0 - Antivirus is on and monitoring, 1 - Antivirus is disabled, 2 - Antivirus is not monitoring the device/PC or some options have been turned off, 3 (default) - Antivirus is temporarily not completely monitoring the device/PC, 4 - Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesn't exist.) + -- 0 - Running -- 1 - Reboot required -- 2 - Not licensed for Credential Guard -- 3 - Not configured -- 4 - VBS not running + + + -Supported operation is Get. + +**Description framework properties**: -**DeviceStatus/CertAttestation/MDMClientCertAttestation** -Added in Windows 11, version 22H2. MDM Certificate attestation information. This will return an XML blob containing the relevant attestation fields. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 3 | + -Supported operation is Get. + + + -## Related topics + -[Configuration service provider reference](index.yml) + +## Battery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Battery +``` + + + + +Node for the battery query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Battery/EstimatedChargeRemaining + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Battery/EstimatedChargeRemaining +``` + + + + +Integer that specifies the estimated battery charge remaining. This is the value returned in BatteryLifeTime in SYSTEM_POWER_STATUS structure. The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + + + + + + + + + +### Battery/EstimatedRuntime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Battery/EstimatedRuntime +``` + + + + +Integer that specifies the estimated runtime of the battery. This is the value returned in BatteryLifeTime in SYSTEM_POWER_STATUS structure. The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + + + + + + + + + +### Battery/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Battery/Status +``` + + + + +Integer that specifies the status of the battery. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + + + + + + + + + +## CellularIdentities + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities +``` + + + + +Node for queries on the SIM cards. + + + + +> [!NOTE] +> Multiple SIMs are supported. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### CellularIdentities/{IMEI} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI} +``` + + + + +The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### CellularIdentities/{IMEI}/CommercializationOperator + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/CommercializationOperator +``` + + + + +The mobile service provider or mobile operator associated with the specific IMEI number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CellularIdentities/{IMEI}/ICCID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/ICCID +``` + + + + +The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CellularIdentities/{IMEI}/IMSI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/IMSI +``` + + + + +The International Mobile Subscriber Identity (IMSI) associated with the IMEI number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CellularIdentities/{IMEI}/PhoneNumber + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/PhoneNumber +``` + + + + +Phone number associated with the specific IMEI number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CellularIdentities/{IMEI}/RoamingCompliance + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/RoamingCompliance +``` + + + + +Boolean value that indicates compliance with the enforced enterprise roaming policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +#### CellularIdentities/{IMEI}/RoamingStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/RoamingStatus +``` + + + + +Indicates whether the SIM card associated with the specific IMEI number is roaming. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +## CertAttestation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CertAttestation +``` + + + + +Node for Certificate Attestation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### CertAttestation/MDMClientCertAttestation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/CertAttestation/MDMClientCertAttestation +``` + + + + +MDM Certificate attestation information. This will return an XML blob containing the relevant attestation fields. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Compliance + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Compliance +``` + + + + +Node for the compliance query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Compliance/EncryptionCompliance + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Compliance/EncryptionCompliance +``` + + + + +Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following: 0 - not encrypted, 1 - encrypted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +## DeviceGuard + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DeviceGuard +``` + + + + +Node for Device Guard query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### DeviceGuard/HypervisorEnforcedCodeIntegrityStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DeviceGuard/HypervisorEnforcedCodeIntegrityStatus +``` + + + + +Hypervisor Enforced Code Integrity (HVCI) status. 0 - Running, 1 - Reboot required, 2 - Not configured, 3 - VBS not running. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### DeviceGuard/LsaCfgCredGuardStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus +``` + + + + +Local System Authority (LSA) credential guard status. 0 - Running, 1 - Reboot required, 2 - Not licensed for Credential Guard, 3 - Not configured, 4 - VBS not running. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### DeviceGuard/SystemGuardStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DeviceGuard/SystemGuardStatus +``` + + + + +System Guard status. 0 - Running, 1 - Reboot required, 2 - Not configured, 3 - System doesn't meet hardware requirements. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### DeviceGuard/VirtualizationBasedSecurityHwReq + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq +``` + + + + +Virtualization-based security hardware requirement status. The value is a 256 value bitmask. 0x0: System meets hardware configuration requirements, 0x1: SecureBoot required, 0x2: DMA Protection required, 0x4: HyperV not supported for Guest VM, 0x8: HyperV feature is not available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### DeviceGuard/VirtualizationBasedSecurityStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus +``` + + + + +Virtualization-based security status. Value is one of the following: 0 - Running, 1 - Reboot required, 2 - 64 bit architecture required, 3 - not licensed, 4 - not configured, 5 - System doesn't meet hardware requirements, 42 - Other. Event logs in Microsoft-Windows-DeviceGuard have more details. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## DMA + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DMA +``` + + + + +Node for DMA query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### DMA/BootDMAProtectionStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DMA/BootDMAProtectionStatus +``` + + + + +Boot DMA Protection status. 1 - Enabled, 2 - Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## DomainName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/DomainName +``` + + + + +Returns the fully qualified domain name of the device(if any). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Firewall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Firewall +``` + + + + +Node for the firewall query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Firewall/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/Firewall/Status +``` + + + + +Integer that specifies the status of the firewall. Valid values: 0 - Firewall is on and monitoring, 1 - Firewall has been disabled, 2 - Firewall is not monitoring all networks or some rules have been turned off, 3 (default) - Firewall is temporarily not monitoring all networks, 4 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn't exist.) + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 3 | + + + + + + + + + +## NetworkIdentifiers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/NetworkIdentifiers +``` + + + + +Node for queries on network and device properties. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### NetworkIdentifiers/{MacAddress} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/NetworkIdentifiers/{MacAddress} +``` + + + + +MAC address of the wireless network card. A MAC address is present for each network card on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### NetworkIdentifiers/{MacAddress}/IPAddressV4 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/NetworkIdentifiers/{MacAddress}/IPAddressV4 +``` + + + + +IPv4 address of the network card associated with the MAC address. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### NetworkIdentifiers/{MacAddress}/IPAddressV6 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/NetworkIdentifiers/{MacAddress}/IPAddressV6 +``` + + + + +IPv6 address of the network card associated with the MAC address. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### NetworkIdentifiers/{MacAddress}/IsConnected + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/NetworkIdentifiers/{MacAddress}/IsConnected +``` + + + + +Boolean value that indicates whether the network card associated with the MAC address has an active network connection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +#### NetworkIdentifiers/{MacAddress}/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/NetworkIdentifiers/{MacAddress}/Type +``` + + + + +Type of network connection. The value is one of the following: 2 - WLAN (or other Wireless interface), 1 - LAN (or other Wired interface), 0 - Unknown. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## OS + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/OS +``` + + + + +Node for the OS query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### OS/Edition + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/OS/Edition +``` + + + + +String that specifies the OS edition. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | +| Default Value | Not available | + + + + + + + + + +### OS/Mode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/OS/Mode +``` + + + + +Read only node that specifies the device mode. Valid values: 0 - the device is in standard configuration, 1 - the device is in S mode configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | Not available | + + + + + + + + + +## SecureBootState + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/SecureBootState +``` + + + + +Indicates whether secure boot is enabled. The value is one of the following: 0 - Not supported, 1 - Enabled, 2 - Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## TPM + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/TPM +``` + + + + +Node for the TPM query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### TPM/ManufacturerId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1387] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1387] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1387] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1387] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/TPM/ManufacturerId +``` + + + + +String that specifies the TPM manufacturer ID as a number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | +| Default Value | Not available | + + + + + + + + + +### TPM/ManufacturerIdTxt + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1387] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1387] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1387] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1387] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/TPM/ManufacturerIdTxt +``` + + + + +String that specifies the TPM manufacturer ID as text. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | +| Default Value | Not available | + + + + + + + + + +### TPM/ManufacturerVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1387] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1387] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1387] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1387] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/TPM/ManufacturerVersion +``` + + + + +String that specifies the manufacturer version. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | +| Default Value | Not available | + + + + + + + + + +### TPM/SpecificationVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/TPM/SpecificationVersion +``` + + + + +String that specifies the specification version. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | +| Default Value | Not available | + + + + + + + + + +## UAC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/UAC +``` + + + + +Node for the UAC query. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### UAC/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/DeviceStatus/UAC/Status +``` + + + + +Integer that specifies the status of the UAC. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 758d3d324d..63dbac6ba7 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md 
@@ -1,928 +1,1201 @@ --- -title: DeviceStatus DDF -description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.reviewer: +title: DeviceStatus DDF file +description: View the XML file containing the device description framework (DDF) for the DeviceStatus configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/12/2018 +ms.topic: reference --- -# DeviceStatus DDF + -This topic shows the OMA DM device description framework (DDF) for the **DeviceStatus** configuration service provider. DDF files are used only with OMA DM provisioning XML. +# DeviceStatus DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 1803. +The following XML file contains the device description framework (DDF) for the DeviceStatus configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + DeviceStatus + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - DeviceStatus - ./Vendor/MSFT + SecureBootState + + + + + Indicates whether secure boot is enabled. The value is one of the following: 0 - Not supported, 1 - Enabled, 2 - Disabled + + + + + + + + + + + + + + + + CellularIdentities + + + + + Node for queries on the SIM cards. + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - com.microsoft/1.4/MDM/DeviceStatus - + + + + The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device. 
+ + + + + + + + + + IMEI + + + + + + - SecureBootState - - - - - - - - - - - - - - - text/plain - - + IMSI + + + + + The International Mobile Subscriber Identity (IMSI) associated with the IMEI number. + + + + + + + + + + + + + - CellularIdentities - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMEI - - - - - - IMSI - - - - - - - - - - - - - - - text/plain - - - - - ICCID - - - - - - - - - - - - - - - text/plain - - - - - PhoneNumber - - - - - - - - - - - - - - - text/plain - - - - - CommercializationOperator - - - - - - - - - - - - - - - text/plain - - - - - RoamingStatus - - - - - - - - - - - - - - - text/plain - - - - - RoamingCompliance - - - - - - - - - - - - - - - text/plain - - - - + ICCID + + + + + The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number. + + + + + + + + + + + + + - NetworkIdentifiers - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - MacAddress - - - - - - IPAddressV4 - - - - - - - - - - - - - - - text/plain - - - - - IPAddressV6 - - - - - - - - - - - - - - - text/plain - - - - - IsConnected - - - - - - - - - - - - - - - text/plain - - - - - Type - - - - - - - - - - - - - - - text/plain - - - - + PhoneNumber + + + + + Phone number associated with the specific IMEI number. + + + + + + + + + + + + + - Compliance - - - - - - - - - - - - - - - - - - - EncryptionCompliance - - - - - - - - - - - - - - - text/plain - - - + CommercializationOperator + + + + + The mobile service provider or mobile operator associated with the specific IMEI number. + + + + + + + + + + + + + - TPM - - - - - - - - - - - - - - - - - - - SpecificationVersion - - - - - Not available - - - - - - - - - - - text/plain - - - + RoamingStatus + + + + + Indicates whether the SIM card associated with the specific IMEI number is roaming. 
+ + + + + + + + + + + + + - OS - - - - - - - - - - - - - - - - - - - Edition - - - - - Not available - - - - - - - - - - - text/plain - - - - - Mode - - - - - Not available - - - - - - - - - - - text/plain - - - - - - Antivirus - - - - - - - - - - - - - - - - - - - SignatureStatus - - - - - 1 - - - - - - - - - - - text/plain - - - - - Status - - - - - 3 - - - - - - - - - - - text/plain - - - - - - Antispyware - - - - - - - - - - - - - - - - - - - SignatureStatus - - - - - 1 - - - - - - - - - - - text/plain - - - - - Status - - - - - 3 - - - - - - - - - - - text/plain - - - - - - Firewall - - - - - - - - - - - - - - - - - - - Status - - - - - 3 - - - - - - - - - - - text/plain - - - - - - UAC - - - - - - - - - - - - - - - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - - Battery - - - - - - - - - - - - - - - - - - - Status - - - - - 0 - - - - - - - - - - - text/plain - - - - - EstimatedChargeRemaining - - - - - 0 - - - - - - - - - - - text/plain - - - - - EstimatedRuntime - - - - - 0 - - - - - - - - - - - text/plain - - - - - - DomainName - - - - - Returns the fully qualified domain name of the device(if any). - - - - - - - - - - DomainName - - text/plain - - - - - DeviceGuard - - - - - - - - - - - - - - - - - - - VirtualizationBasedSecurityHwReq - - - - - - - - - - - - - - - text/plain - - - - - VirtualizationBasedSecurityStatus - - - - - - - - - - - - - - - text/plain - - - - - LsaCfgCredGuardStatus - - - - - - - - - - - - - - - text/plain - - - - - - CertAttestation - - - - - Node for Certificate Attestation - - - - - - - - - - - - - - - MDMClientCertAttestation - - - - - MDM Certificate attestation information. This will return an XML blob containing the relevent attestation fields. - - - - - - - - - - - - - - + RoamingCompliance + + + + + Boolean value that indicates compliance with the enforced enterprise roaming policy. + + + + + + + + + + + + + + + + NetworkIdentifiers + + + + + Node for queries on network and device properties. 
+ + + + + + + + + + + + + + + + + + + + + MAC address of the wireless network card. A MAC address is present for each network card on the device. + + + + + + + + + + MacAddress + + + + + + + + + IPAddressV4 + + + + + IPv4 address of the network card associated with the MAC address. + + + + + + + + + + + + + + + + IPAddressV6 + + + + + IPv6 address of the network card associated with the MAC address. + + + + + + + + + + + + + + + + IsConnected + + + + + Boolean value that indicates whether the network card associated with the MAC address has an active network connection. + + + + + + + + + + + + + + + + Type + + + + + Type of network connection. The value is one of the following: 2 - WLAN (or other Wireless interface), 1 - LAN (or other Wired interface), 0 - Unknown + + + + + + + + + + + + + + + + + + Compliance + + + + + Node for the compliance query. + + + + + + + + + + + + + + + EncryptionCompliance + + + + + Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following: 0 - not encrypted, 1 - encrypted + + + + + + + + + + + + + + + + + TPM + + + + + Node for the TPM query. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + SpecificationVersion + + + + + Not available + String that specifies the specification version. + + + + + + + + + + + + + + + + ManufacturerId + + + + + Not available + String that specifies the TPM manufacturer ID as a number. + + + + + + + + + + + + + + 10.0.22000, 10.0.19041.1387, 10.0.19042.1387, 10.0.19043.1387, 10.0.19044.1387 + 1.5 + + + + + ManufacturerIdTxt + + + + + Not available + String that specifies the TPM manufacturer ID as text. + + + + + + + + + + + + + + 10.0.22000, 10.0.19041.1387, 10.0.19042.1387, 10.0.19043.1387, 10.0.19044.1387 + 1.5 + + + + + ManufacturerVersion + + + + + Not available + String that specifies the manufacturer version. 
+ + + + + + + + + + + + + + 10.0.22000, 10.0.19041.1387, 10.0.19042.1387, 10.0.19043.1387, 10.0.19044.1387 + 1.5 + + + + + + OS + + + + + Node for the OS query. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + Edition + + + + + Not available + String that specifies the OS edition. + + + + + + + + + + + + + + + + Mode + + + + + Not available + Read only node that specifies the device mode. Valid values: 0 - the device is in standard configuration, 1 - the device is in S mode configuration + + + + + + + + + + + + + + 10.0.17134 + 1.4 + + + + + + Antivirus + + + + + Node for the antivirus query. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + SignatureStatus + + + + + 1 + Integer that specifies the status of the antivirus signature. Valid values: 0 - The security software reports that it is not the most recent version. 1 (default) - The security software reports that it is the most recent version. 2 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) If more than one antivirus provider is active, this node returns: 1 – If every active antivirus provider has a valid signature status. 0 – If any of the active antivirus providers has an invalid signature status. + + + + + + + + + + + + + + + + Status + + + + + 3 + Integer that specifies the status of the antivirus. Valid values: 0 – Antivirus is on and monitoring, 1 – Antivirus is disabled, 2 – Antivirus is not monitoring the device/PC or some options have been turned off, 3 (default) – Antivirus is temporarily not completely monitoring the device/PC, 4 – Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) + + + + + + + + + + + + + + + + + Antispyware + + + + + Node for the antispyware query. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + SignatureStatus + + + + + 1 + Integer that specifies the status of the antispyware signature. 
Valid values: 0 - The security software reports that it is not the most recent version. 1 - The security software reports that it is the most recent version. 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) If more than one antispyware provider is active, this node returns: 1 – If every active antispyware provider has a valid signature status. 0 – If any of the active antispyware providers has an invalid signature status. + + + + + + + + + + + + + + + + Status + + + + + 3 + Integer that specifies the status of the antispyware. Valid values: 0 - The status of the security provider category is good and does not need user attention. 1 - The status of the security provider category is not monitored by Windows Security Center (WSC). 2 - The status of the security provider category is poor and the computer may be at risk. 3 - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer. + + + + + + + + + + + + + + + + + Firewall + + + + + Node for the firewall query. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + Status + + + + + 3 + Integer that specifies the status of the firewall. Valid values: 0 – Firewall is on and monitoring, 1 – Firewall has been disabled, 2 – Firewall is not monitoring all networks or some rules have been turned off, 3 (default) – Firewall is temporarily not monitoring all networks, 4 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) + + + + + + + + + + + + + + + + + UAC + + + + + Node for the UAC query. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + Status + + + + + Integer that specifies the status of the UAC. + + + + + + + + + + + + + + + + + Battery + + + + + Node for the battery query. 
+ + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + Status + + + + + 0 + Integer that specifies the status of the battery + + + + + + + + + + + + + + + + EstimatedChargeRemaining + + + + + 0 + Integer that specifies the estimated battery charge remaining. This is the value returned in BatteryLifeTime in SYSTEM_POWER_STATUS structure. The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. + + + + + + + + + + + + + + + + EstimatedRuntime + + + + + 0 + Integer that specifies the estimated runtime of the battery. This is the value returned in BatteryLifeTime in SYSTEM_POWER_STATUS structure. The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. + + + + + + + + + + + + + + + + + DomainName + + + + + Returns the fully qualified domain name of the device(if any). + + + + + + + + + + DomainName + + + + + 10.0.17134 + 1.3 + + + + + DeviceGuard + + + + + Node for Device Guard query. + + + + + + + + + + + + + + 10.0.17134 + 1.3 + + + + VirtualizationBasedSecurityHwReq + + + + + Virtualization-based security hardware requirement status. The value is a 256 value bitmask. 0x0: System meets hardware configuration requirements, 0x1: SecureBoot required, 0x2: DMA Protection required, 0x4: HyperV not supported for Guest VM, 0x8: HyperV feature is not available + + + + + + + + + + + + + + + + VirtualizationBasedSecurityStatus + + + + + Virtualization-based security status. Value is one of the following: 0 - Running, 1 - Reboot required, 2 - 64 bit architecture required, 3 - not licensed, 4 - not configured, 5 - System doesn't meet hardware requirements, 42 – Other. 
Event logs in Microsoft-Windows-DeviceGuard have more details + + + + + + + + + + + + + + + + LsaCfgCredGuardStatus + + + + + Local System Authority (LSA) credential guard status. 0 - Running, 1 - Reboot required, 2 - Not licensed for Credential Guard, 3 - Not configured, 4 - VBS not running + + + + + + + + + + + + + + + + HypervisorEnforcedCodeIntegrityStatus + + + + + Hypervisor Enforced Code Integrity (HVCI) status. 0 - Running, 1 - Reboot required, 2 - Not configured, 3 - VBS not running + + + + + + + + + + + + + + 10.0.22000 + 1.5 + + + + + SystemGuardStatus + + + + + System Guard status. 0 - Running, 1 - Reboot required, 2 - Not configured, 3 - System doesn't meet hardware requirements + + + + + + + + + + + + + + 10.0.22000 + 1.5 + + + + + + DMA + + + + + Node for DMA query. + + + + + + + + + + + + + + 10.0.22000 + 1.5 + + + + BootDMAProtectionStatus + + + + + Boot DMA Protection status. 1 - Enabled, 2 - Disabled + + + + + + + + + + + + + + + + + CertAttestation + + + + + Node for Certificate Attestation + + + + + + + + + + + + + + 10.0.22621, 10.0.22000.1165 + 1.5 + + + + MDMClientCertAttestation + + + + + MDM Certificate attestation information. This will return an XML blob containing the relevent attestation fields. + + + + + + + + + + + + + + + + ``` + +## Related articles + +[DeviceStatus configuration service provider reference](devicestatus-csp.md) diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md index eeef8c18ab..8f4dd5b955 100644 --- a/windows/client-management/mdm/devinfo-csp.md +++ b/windows/client-management/mdm/devinfo-csp.md 
@@ -1,84 +1,329 @@ --- title: DevInfo CSP -description: Learn how the DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server. -ms.reviewer: +description: Learn more about the DevInfo CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.topic: reference --- + + + # DevInfo CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The DevInfo configuration service provider handles the managed object, which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session. > [!NOTE] > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. -For the DevInfo CSP, you can't use the Replace command unless the node already exists. +For the DevInfo CSP, you can't use the Replace command unless the node already exists. The OMA Client provisioning protocol isn't supported by this configuration service provider. + -The following shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol isn't supported by this configuration service provider. 
+ +The following list shows the DevInfo configuration service provider nodes: +- ./DevInfo + - [DevId](#devid) + - [DmV](#dmv) + - [Ext](#ext) + - [ICCID](#exticcid) + - [Lang](#lang) + - [Man](#man) + - [Mod](#mod) + + + +## DevId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevInfo/DevId ``` -. -DevInfo -----DevId -----Man -----Mod -----DmV -----Lang -``` + -**DevId** -Required. Returns an application-specific global unique device identifier by default. + + +An unique device identifier. An application-specific global unique device identifier is provided in this node. + -Supported operation is Get. - -The **UseHWDevID** parm of the [DMAcc configuration service provider](dmacc-csp.md) or DMS configuration service provider can be used to modify the return value to instead return a hardware device ID as follows: + + +**UseHWDevID** node of the [DMAcc configuration service provider](dmacc-csp.md) can be used to modify the return value to instead return a hardware device ID as follows: - For GSM phones, the IMEI is returned. - For CDMA phones, the MEID is returned. - For dual SIM phones, this value is retrieved from the UICC of the primary data line. -- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns an application specific global unique identifier (GUID) irrespective of the value of UseHWDevID. +- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), an application specific global unique identifier (GUID) is returned irrespective of the value of UseHWDevID. + -**Man** -Required. Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer. + +**Description framework properties**: -If no name is found, this returns to "Unknown". +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Supported operation is Get. + + + -**Mod** -Required. Returns the name of the hardware device model as specified by the mobile operator. 
For Windows 10/Windows 11 desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName. + -If no name is found, this returns to "Unknown". + +## DmV -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**DmV** -Required. Returns the current management client revision of the device. + +```Device +./DevInfo/DmV +``` + -Supported operation is Get. + + +The current management client revision of the device. + -**Lang** -Required. Returns the current user interface (UI) language setting of the device as defined by RFC1766. + + + -Supported operation is Get. + +**Description framework properties**: -## Related topics +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -[Configuration service provider reference](index.yml) + + + + + + + +## Ext + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevInfo/Ext +``` + + + + +Parent node for nodes extended by Microsoft. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Ext/ICCID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevInfo/Ext/ICCID +``` + + + + +Retrieves the ICCID of the first adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Lang + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevInfo/Lang +``` + + + + +Returns the current user interface (UI) language setting of the device as defined by RFC1766. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Man + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevInfo/Man +``` + + + + +Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer. If no name is found, this returns "Unknown". + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Mod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./DevInfo/Mod +``` + + + + +Returns the name of the hardware device model as specified by the mobile operator. For Windows 10 for desktop editions, it returns the SystemProductName as defined in HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName. If no name is found, this returns "Unknown". + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md index dca49363e3..633bc085bd 100644 --- a/windows/client-management/mdm/devinfo-ddf-file.md +++ b/windows/client-management/mdm/devinfo-ddf-file.md 
@@ -1,177 +1,207 @@ --- title: DevInfo DDF file -description: Learn about the OMA DM device description framework (DDF) for the DevInfo configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the DevInfo configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # DevInfo DDF file -This topic shows the OMA DM device description framework (DDF) for the **DevInfo** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the DevInfo configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + DevInfo + . + + + + + The interior node holding all devinfo objects + + + + + + + + + + The interior node holding all devinfo objects + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - DevInfo - . - - - - - - - - - - - - - - The interior node holding all devinfo objects - - urn:oma:mo:oma-dm-devinfo:1.0 - - 1 - - - DevId - - - - - An unique device identifier. An application-specific global unique device identifier is provided in this node. - - - - - - - - - - - text/plain - - 1 - - - - Man - - - - - - - - - - - - - - - text/plain - - 1 - - - - Mod - - - - - Device model name, as specified and tracked by the mobile operator - - - - - - - - - - - text/plain - - 1 - - - - DmV - - - - - The current management client revision of the device. 
- - - - - - - - - - - text/plain - - 1 - - - - Lang - - - - - The current language at the device user interface. - - - - - - - - - - - text/plain - - 1 - - + DevId + + + + + An unique device identifier. An application-specific global unique device identifier is provided in this node. + + + + + + + + + + + + + + + Man + + + + + Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer. If no name is found, this returns "Unknown". + + + + + + + + + + + + + + + + Mod + + + + + Returns the name of the hardware device model as specified by the mobile operator. For Windows 10 for desktop editions, it returns the SystemProductName as defined in HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName. If no name is found, this returns "Unknown". + + + + + + + + + + + + + + + + DmV + + + + + The current management client revision of the device. + + + + + + + + + + + + + + + + Lang + + + + + Returns the current user interface (UI) language setting of the device as defined by RFC1766. + + + + + + + + + + + + + + + + Ext + + + + + Parent node for nodes extended by Microsoft. + + + + + + + + + + + + + + + ICCID + + + + + Retrieves the ICCID of the first adapter. + + + + + + + + + + + + + + + + ``` -## Related topics - - -[DevInfo configuration service provider](devinfo-csp.md) - -  - -  - - - - - +## Related articles +[DevInfo configuration service provider reference](devinfo-csp.md) diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 7f88c701b6..34dbe6281b 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md 
@@ -1,110 +1,239 @@ --- title: DiagnosticLog CSP -description: Learn about the feature areas of the DiagnosticLog configuration service provider (CSP), including the DiagnosticLog area and Policy area. -ms.reviewer: +description: Learn more about the DiagnosticLog CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/19/2019 +ms.topic: reference --- + + + # DiagnosticLog CSP -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +The following list shows the DiagnosticLog configuration service provider nodes: -The DiagnosticLog configuration service provider (CSP) provides the following feature areas: -- [DiagnosticArchive area](#diagnosticarchive-area). Capture and upload event logs, log files, and registry values for troubleshooting. -- [Policy area](#policy-area). Configure Windows event log policies, such as maximum log size. -- [EtwLog area](#etwlog-area). Control ETW trace sessions. -- [DeviceStateData area](#devicestatedata-area). Provide more device information. -- [FileDownload area](#filedownload-area). Pull trace and state data directly from the device. 
+- ./Vendor/MSFT/DiagnosticLog + - [DeviceStateData](#devicestatedata) + - [MdmConfiguration](#devicestatedatamdmconfiguration) + - [DiagnosticArchive](#diagnosticarchive) + - [ArchiveDefinition](#diagnosticarchivearchivedefinition) + - [ArchiveResults](#diagnosticarchivearchiveresults) + - [EtwLog](#etwlog) + - [Channels](#etwlogchannels) + - [{ChannelName}](#etwlogchannelschannelname) + - [Export](#etwlogchannelschannelnameexport) + - [Filter](#etwlogchannelschannelnamefilter) + - [State](#etwlogchannelschannelnamestate) + - [Collectors](#etwlogcollectors) + - [{CollectorName}](#etwlogcollectorscollectorname) + - [LogFileSizeLimitMB](#etwlogcollectorscollectornamelogfilesizelimitmb) + - [Providers](#etwlogcollectorscollectornameproviders) + - [{ProviderGuid}](#etwlogcollectorscollectornameprovidersproviderguid) + - [Keywords](#etwlogcollectorscollectornameprovidersproviderguidkeywords) + - [State](#etwlogcollectorscollectornameprovidersproviderguidstate) + - [TraceLevel](#etwlogcollectorscollectornameprovidersproviderguidtracelevel) + - [TraceControl](#etwlogcollectorscollectornametracecontrol) + - [TraceLogFileMode](#etwlogcollectorscollectornametracelogfilemode) + - [TraceStatus](#etwlogcollectorscollectornametracestatus) + - [FileDownload](#filedownload) + - [DMChannel](#filedownloaddmchannel) + - [{FileContext}](#filedownloaddmchannelfilecontext) + - [BlockCount](#filedownloaddmchannelfilecontextblockcount) + - [BlockData](#filedownloaddmchannelfilecontextblockdata) + - [BlockIndexToRead](#filedownloaddmchannelfilecontextblockindextoread) + - [BlockSizeKB](#filedownloaddmchannelfilecontextblocksizekb) + - [DataBlocks](#filedownloaddmchannelfilecontextdatablocks) + - [{BlockNumber}](#filedownloaddmchannelfilecontextdatablocksblocknumber) + - [Policy](#policy) + - [Channels](#policychannels) + - [{ChannelName}](#policychannelschannelname) + - [ActionWhenFull](#policychannelschannelnameactionwhenfull) + - [Enabled](#policychannelschannelnameenabled) + - 
[MaximumFileSize](#policychannelschannelnamemaximumfilesize) + - [SDDL](#policychannelschannelnamesddl) + -The links to different versions of the DiagnosticLog CSP DDF files are: -- [DiagnosticLog CSP version 1.4](diagnosticlog-ddf.md#version-1-4) -- [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3) -- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2) + +## DeviceStateData + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -The following example shows the DiagnosticLog CSP in tree format. - + +```Device +./Vendor/MSFT/DiagnosticLog/DeviceStateData ``` -./Vendor/MSFT/DiagnosticLog -----EtwLog ---------Collectors -------------CollectorName -----------------TraceStatus -----------------TraceLogFileMode -----------------TraceControl -----------------LogFileSizeLimitMB -----------------Providers ---------------------ProviderGuid -------------------------Keywords -------------------------TraceLevel -------------------------State ---------Channels -------------ChannelName -----------------Export -----------------State -----------------Filter -----DeviceStateData ---------MdmConfiguration -----FileDownload ---------DMChannel -------------FileContext -----------------BlockSizeKB -----------------BlockCount -----------------BlockIndexToRead -----------------BlockData -----------------DataBlocks ---------------------BlockNumber + + + + +Root node of all types of device state data that CSP exposes. + + + + +The DeviceStateData functionality within the DiagnosticLog CSP provides extra device information. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### DeviceStateData/MdmConfiguration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration ``` + -**./Vendor/MSFT/DiagnosticLog** -The root node for the DiagnosticLog CSP. + + +This node is to trigger snapping of the Device Management state data with "SNAP". + -Rest of the nodes in the DiagnosticLog CSP are described within their respective feature area sections. + + + -## DiagnosticArchive area + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + + + + +**Example**: + +```xml + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration + + + chr + + SNAP + + + + + +``` + + + + + +## DiagnosticArchive + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/DiagnosticArchive +``` + + + + +Root note for archive definition and collection. + + + + The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage. DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files. > [!NOTE] > DiagnosticArchive is a "break glass" backstop option for device troubleshooting. Diagnostic data such as log files can grow to many gigabytes. Gathering, transferring, and storing large amounts of data may burden the user's device, the network and cloud storage. Management servers invoking DiagnosticArchive must take care to minimize data gathering frequency and scope. + -The following section describes the nodes for the DiagnosticArchive functionality. + +**Description framework properties**: -**DiagnosticArchive** -Added in version 1.4 of the CSP in Windows 10, version 1903. Root node for the DiagnosticArchive functionality. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -The supported operation is Get. + + + -**DiagnosticArchive/ArchiveDefinition** -Added in version 1.4 of the CSP in Windows 10, version 1903. + -The supported operations are Add and Execute. + +### DiagnosticArchive/ArchiveDefinition -The data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -Expected value: -Set and Execute are functionality equivalent, and each accepts a `Collection` XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified SasUrl. The zipped filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip". + +```Device +./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveDefinition +``` + -With Windows 10 KB5011543, Windows 11 KB5011563, we have added support for an extra element that will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML. + + + -The following example shows a `Collection` XML: + + +Execute action for this node accepts a `Collection` XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified **SasUrl**. The zipped filename format is `DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip`. + +With Windows 10 KB5011543 and Windows 11 KB5011563, there is additional support for an extra element that will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML. The following example shows a `Collection` XML: ``` xml 
@@ -125,31 +254,24 @@ The following example shows a `Collection` XML: The XML should include the following elements within the `Collection` element: -**ID**: -The ID value uniquely identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The CSP expects the value to be populated when the request is received, so it must be generated by the IT admin or the management server. +- **ID**: The ID value uniquely identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The CSP expects the value to be populated when the request is received, so it must be generated by the IT admin or the management server. +- **SasUrl**: The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It's the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could: + - Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container + - Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container + - Pass this value to the CSP on the target device through the `Collection` XML as the `SasUrl` value. -**SasUrl** -The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It's the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. 
For example, the device management service could: +Additionally, the XML may include **One or more data gathering directives, which may include any of the following:** -- Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container -- Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container -- Pass this value to the CSP on the target device through the `Collection` XML as the `SasUrl` value. - -**One or more data gathering directives, which may include any of the following:** - -- **RegistryKey** - - Exports all of the key names and values under a given path (recursive). +- **RegistryKey**: Exports all of the key names and values under a given path (recursive). - Expected input value: Registry path such as "HKLM\Software\Policies". - Output format: Creates a .reg file, similar to the output of reg.exe EXPORT command. - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, registry paths are restricted to those paths that're under HKLM and HKCR. -- **Events** - - Exports all events from the named Windows event log. +- **Events**: Exports all events from the named Windows event log. - Expected input value: A named event log channel such as "Application" or "Microsoft-Windows-DeviceGuard/Operational". - Output format: Creates an .evtx file. -- **Commands** - - This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives aren't a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files. +- **Commands**: This directive type allows the execution of specific commands such as ipconfig.exe. 
Note that DiagnosticArchive and the Commands directives aren't a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files. - Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`. - Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands that may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter. - Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed: @@ -172,8 +294,7 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain - %windir%\\system32\\MdmDiagnosticsTool.exe - %windir%\\system32\\pnputil.exe -- **FoldersFiles** - - Captures log files from a given path (without recursion). +- **FoldersFiles**: Captures log files from a given path (without recursion). - Expected input value: File path with or without wildcards, such as "%windir%\\System32", or "%programfiles%\\*.log". - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only paths under the following roots are allowed: - %PROGRAMFILES% 
@@ -193,20 +314,65 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain - .evtx - .etl -- **OutputFileFormat** - - Flattens folder structure, instead of having individual folders for each directive in the XML. - - The value “Flattened” is the only supported value for the OutputFileFormat. If the OutputFileFormat is absent in the XML, or if explicitly set to something other than Flattened, it will leave the file structure in old structure. +- **OutputFileFormat**: Flattens folder structure, instead of having individual folders for each directive in the XML. + - The value "Flattened" is the only supported value for the OutputFileFormat. If the OutputFileFormat is absent in the XML, or if explicitly set to something other than Flattened, it will leave the file structure in old structure. + -**DiagnosticArchive/ArchiveResults** -Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run. + +**Description framework properties**: -The supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get, Replace | + -The data type is string. + + + -A Get to the above URI will return the results of the data gathering for the last diagnostics request. For the example above: + -``` xml + +### DiagnosticArchive/ArchiveResults + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveResults +``` + + + + +Pull up the results of the last archive run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + +**Example**: + +A Get to the above URI will return the results of the data gathering for the last diagnostics request. For example: + +```xml @@ -250,11 +416,2373 @@ A Get to the above URI will return the results of the data gathering for the las ``` -Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, the mdmdiagnosticstool.exe command failed. +To learn how to read the resulting data, see [How to review ArchiveResults](#how-to-review-archiveresults). + -### Making use of the uploaded data + -The zip archive that is created and uploaded by the CSP contains a folder structure like the following example: + +## EtwLog + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog +``` + + + + +Root node of all types of event logging nodes that CSP manages. + + + + +The Event Tracing for Windows (ETW) log feature of the DiagnosticLog CSP is used to control the following types of event tracing: + +- [Collector-based tracing](#etwlogcollectors) +- [Channel-based tracing](#etwlogchannels) + +The ETW log feature is designed for advanced usage, and assumes developers' familiarity with ETW. For more information, see [About Event Tracing](/windows/win32/etw/about-event-tracing). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### EtwLog/Channels + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Channels +``` + + + + +Root node of registered "Channel" nodes. + + + + +The type of event tracing exports event data from a specific channel. Users can add or delete a channel node using the full name, such as Microsoft-Windows-AppModel-Runtime/Admin. + +The DiagnosticLog CSP maintains a log file for each channel node and the log file is overwritten if a start command is triggered again on the same channel node. + +For each channel node, the user can: + +- Export channel event data into a log file (.evtx). +- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel. +- Specify an XPath query to filter events while exporting the channel event data. + +For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](../diagnose-mdm-failures-in-windows-10.md). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### EtwLog/Channels/{ChannelName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/{ChannelName} +``` + + + + +Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: The node name must be a valid Windows event log channel name, such as "Microsoft-Client-Licensing-Platform%2FAdmin" | + + + + +**Examples**: + +- Add a channel + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin + + + node + + + + + + + ``` + +- Delete a channel + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin + + + + + + + ``` + + + + + +##### EtwLog/Channels/{ChannelName}/Export + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/{ChannelName}/Export +``` + + + + +This node is to trigger exporting events into a log file from this node's associated Windows event channel. The log file's extension is .evtx, which is the standard extension of windows event channel log. The "Get" command returns the name of this node. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec, Get | + + + + +**Example**: + +```xml + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Export + + + + + + +``` + + + + + +##### EtwLog/Channels/{ChannelName}/Filter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/{ChannelName}/Filter +``` + + + + +This node is used for setting or getting the xpath query string to filter the events when exporting the log file from the channel. Default value is empty string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Default Value | "" | + + + + +**Example**: + +```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Filter + + + + + + +``` + + + + + +##### EtwLog/Channels/{ChannelName}/State + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/{ChannelName}/State +``` + + + + +This node is used for setting or getting the 'Enabled' state of this node's associated windows event channel in the system. Setting it to "TRUE" enables the channel; setting it to "FALSE" disables the channel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true | Channel is enabled. | +| false | Channel is disabled. | + + + + +**Examples**: + +- Get channel State: + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State + + + + + + + ``` + +- Set channel State: + + ```xml + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State + + + bool + + false + + + + + + ``` + + + + + +### EtwLog/Collectors + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors +``` + + + + +Root node of registered "Collector" nodes. + + + + +This type of event tracing collects event data from a collection of registered ETW providers. An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector. + +The `{CollectorName}` must be unique within the CSP and must not be a valid event channel name or a provider GUID. + +The DiagnosticLog CSP maintains a log file for each collector node and the log file is overwritten if a start command is triggered again on the same collector node. + +For each collector node, the user can: + +- Start or stop the session with all registered and enabled providers. +- Query session status. +- Change trace log file mode. +- Change trace log file size limit. + +The configurations log file mode and log file size limit don't take effect while trace session is in progress. These attributes are applied when user stops the current session and then starts it again for this collector. + +For each registered provider in this collector, the user can: + +- Specify keywords to filter events from this provider. +- Change trace level to filter events from this provider. +- Enable or disable the provider in the trace session. + +The changes on **State**, **Keywords**, and **TraceLevel** takes effect immediately while trace session is in progress. + +> [!NOTE] +> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. 
+ + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + +**Example**: + +To gather diagnostics using this CSP: + +1. Specify a *CollectorName* for the container of the target ETW providers. +2. (Optional) Set logging and log file parameters using the following options: + - [TraceLogFileMode](#etwlogcollectorscollectornametracelogfilemode) + - [LogFileSizeLimitMB](#etwlogcollectorscollectornamelogfilesizelimitmb) +3. Indicate one or more target ETW providers by supplying its **ProviderGUID** to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*. +4. (Optional) Set logging and log file parameters using the following options: + - [TraceLevel](#etwlogcollectorscollectornameprovidersproviderguidtracelevel) + - [Keywords](#etwlogcollectorscollectornameprovidersproviderguidkeywords) +5. Start logging using **TraceControl** EXECUTE command "START". +6. Perform actions on the target device that will generate activity in the log files. +7. Stop logging using **TraceControl** EXECUTE command "STOP". +8. Collect the log file located in the `%temp%` folder using the **Reading a log file** method described in [FileDownload](#filedownload). + + + + + +#### EtwLog/Collectors/{CollectorName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName} +``` + + + + +Each dynamic node represents a registered 'Collector' node. CSP will maintain an ETW trace session for this collector with its name used as a unique identifier. In a collector, a valid ETW provider can be registered and unregistered. The collector's associated trace session will enable the registered providers in it if the provider's state is 'Enabled'. Each provider's state, trace level and keywords can be controlled separately. The name of this node must not be a valid Windows event channel name. It can be a etw provider guid as long as it is not equal to an already registered 'Provider' node name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + +**Examples**: + +- Add a collector + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement + + + node + + + + + + + ``` + +- Delete a collector + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement + + + + + + + ``` + + + + + +##### EtwLog/Collectors/{CollectorName}/LogFileSizeLimitMB + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/LogFileSizeLimitMB +``` + + + + +This node is used for setting or getting the trace log file size limit(in Megabytes) of this collector node's associated trace session. The value range is 1~2048. Default value is 4. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Allowed Values | Range: `[1-2048]` | +| Default Value | 4 | + + + + + + + + + +##### EtwLog/Collectors/{CollectorName}/Providers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/Providers +``` + + + + +Root node of all providers registered in this collector node. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid} +``` + + + + +Each dynamic node represents an ETW provider registered in this collector node. The node name must be a valid provider GUID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: The node name must be a valid provider GUID. | + + + + +**Examples**: + +- Add a provider: + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b + + + node + + + + + + + ``` + +- Delete a provider: + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b + + + + + + + ``` + + + + + +###### EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid}/Keywords + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid}/Keywords +``` + + + + +This node is used for setting or getting the keywords of the event provider in this collector node's associated trace session. The string is in the form of hexadecimal digits and 16 chars wide. It'll be internally converted into ULONGLONG data type in the CSP. Default value is "0", which means all events from this provider are included. If the associated trace session is in progress, new keywords setting is applied immediately; if not, it'll be applied next time that session is started. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Default Value | "0" | + + + + +**Examples**: + +- Get provider Keywords: + + ```xml + + + + 1 + + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords + + + + + + + + ``` + +- Set provider Keywords: + + ```xml + + + + 4 + + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords + + + + chr + text/plain + + 12345678FFFFFFFF + + + + + + ``` + + + + + +###### EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid}/State + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid}/State +``` + + + + +This node is used for setting or getting the state of the event provider in this collector node's associated trace session. If the trace session isn't started, changing the value controls whether to enable the provider or not when session is started; if trace session is already started, changing its value causes enabling or disabling the provider in the live trace session. Default value is true. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true (Default) | Provider is enabled in the trace session. This is the default. | +| false | Provider is disabled in the trace session. | + + + + +**Example**: + +Set provider State: + +```xml + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/State + + + bool + + false + + + + + +``` + + + + + +###### EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid}/TraceLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/Providers/{ProviderGuid}/TraceLevel +``` + + + + +This node is used for setting or getting the trace level of this event provider in this collector node's associated trace session. Default value is 5, which is TRACE_LEVEL_VERBOSE. If the associated trace session is in progress, new trace level setting is applied immediately;if not, it'll be applied next time that session is started. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 5 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | TRACE_LEVEL_CRITICAL - Abnormal exit or termination events. | +| 2 | TRACE_LEVEL_ERROR - Severe error events. | +| 3 | TRACE_LEVEL_WARNING - Warning events such as allocation failures. | +| 4 | TRACE_LEVEL_INFORMATION - Non-error events, such as entry or exit events. | +| 5 (Default) | TRACE_LEVEL_VERBOSE - Detailed information. | + + + + +**Example**: + +Set provider TraceLevel: + +```xml + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/TraceLevel + + + int + + 1 + + + + + +``` + + + + + +##### EtwLog/Collectors/{CollectorName}/TraceControl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/TraceControl +``` + + + + +This node is to trigger "start" and "stop" of this collector node's associated trace session. "Get" returns the name of this node. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| START | Start log tracing. | +| STOP | Stop log tracing. | + + + + +**Examples**: + +After you've added a logging task, you can start/stop a trace by running an Execute command on this node. + +- Start collector trace logging: + + ```xml + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl + + + chr + + START + + + + + + ``` + +- Stop collector trace logging: + + ```xml + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl + + + chr + + STOP + + + + + + ``` + + + + + +##### EtwLog/Collectors/{CollectorName}/TraceLogFileMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/TraceLogFileMode +``` + + + + +This node is used for setting or getting the trace log file mode of this collector node's associated trace session. The only two allowed values are 1 and 2, which are EVENT_TRACE_FILE_MODE_SEQUENTIAL and EVENT_TRACE_FILE_MODE_CIRCULAR. Default value is 1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | EVENT_TRACE_FILE_MODE_SEQUENTIAL-Writes events to a log file sequentially. It stops when the file reaches its maximum size. | +| 2 | EVENT_TRACE_FILE_MODE_CIRCULAR-Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events. | + + + + + + + + + +##### EtwLog/Collectors/{CollectorName}/TraceStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/{CollectorName}/TraceStatus +``` + + + + +This node is used for getting the status of this collector node's associated trace session. 1 means "in progress"; 0 means "not started or stopped". + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## FileDownload + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload +``` + + + + +Root node of all csp nodes that are related to log file download in csp. + + + + +The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context, the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device. + +**Reading a log file**: + +1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**. +2. Select a log file in the Enumeration result. +3. Set **BlockSizeKB** per DM server payload limitation. +4. Get **BlockCount** to determine total read request. +5. Set **BlockIndexToRead** to initialize read start point. +6. Get **BlockData** for upload log block. +7. Increase **BlockIndexToRead**. +8. Repeat steps 5 to 7 until **BlockIndexToRead == (BlockIndexToRead – 1)**. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### FileDownload/DMChannel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel +``` + + + + +Root node of all csp nodes that are used for controlling file download for their associated log file generated by logging csp nodes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### FileDownload/DMChannel/{FileContext} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/{FileContext} +``` + + + + +Each dynamic node represents a 'FileContext' node corresponding to a log file generated by one of the logging CSP nodes(underneath 'EtwLog' node). The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. The log file and its location will be determined by CSP based on the node name. File download is done by dividing the log file into multiple blocks of configured block size and then sending the blocks as requested by MDM server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | UniqueName: The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. | + + + + + + + + + +##### FileDownload/DMChannel/{FileContext}/BlockCount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/{FileContext}/BlockCount +``` + + + + +This node is used for getting the total number of blocks for the associated log file. If the log file isn't generated yet, the value returned is -1; if the trace session is in progress, the value returned is -2. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + +**Example**: + +```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockCount + + + + + + +``` + + + + + +##### FileDownload/DMChannel/{FileContext}/BlockData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/{FileContext}/BlockData +``` + + + + +This node is used to get the binary data of the block that 'BlockIndexToRead' node is pointing to. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get | + + + + +**Example**: + +```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockData + + + + + + +``` + + + + + +##### FileDownload/DMChannel/{FileContext}/BlockIndexToRead + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/{FileContext}/BlockIndexToRead +``` + + + + +This node is used for setting and getting the block index that points to the data block for 'BlockData' node. The value range is 0~(BlockCount-1). + + + + +**Example**: + +- Set BlockIndexToRead at 0: + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead + + + int + + 0 + + + + + + ``` + +- Set BlockIndexToRead at 1: + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead + + + int + + 1 + + + + + + ``` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + + + + + + + + + +##### FileDownload/DMChannel/{FileContext}/BlockSizeKB + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/{FileContext}/BlockSizeKB +``` + + + + +This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Allowed Values | Range: `[1-16]` | +| Default Value | 4 | + + + + +**Examples**: + +- Set BlockSizeKB: + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB + + + int + + 1 + + + + + + ``` + +- Get BlockSizeKB: + + ```xml + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB + + + + + + + ``` + + + + + +##### FileDownload/DMChannel/{FileContext}/DataBlocks + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/{FileContext}/DataBlocks +``` + + + + +Root node of all 'BlockNumber' nodes for the associated log file. The number of its children should be the total block count of the log file. No children nodes exist if 'BlockCount' node's value is less than 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### FileDownload/DMChannel/{FileContext}/DataBlocks/{BlockNumber} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/{FileContext}/DataBlocks/{BlockNumber} +``` + + + + +Each dynamic node represents a 'BlockNumber' node. The node name is an integer equal to the index of the block which this node stands for. Therefore the node name should be ranging from 0 to (BlockCount -1). It returns the binary data of the block which this node is referring to. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +## Policy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/Policy +``` + + + + +Contains policy for diagnostic settings. + + + + +This can be used to configure Windows event log policies, such as maximum log size. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Policy/Channels + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/Policy/Channels +``` + + + + +Contains policy for Event Log channel settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Policy/Channels/{ChannelName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/Policy/Channels/{ChannelName} +``` + + + + +Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: The node name must be a valid Windows event log channel name, such as Microsoft-Client-Licensing-Platform%2FAdmin. When specifying the name in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI. | + + + + +**Examples**: + +- Add Channel + + ```xml + + ​ + ​ + 2​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ + ​ + ​ + ​ + node​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Delete Channel + + ```xml + + ​ + ​ + 3​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Get Channel + + ```xml + + ​ + ​ + 4​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + + + + + +##### Policy/Channels/{ChannelName}/ActionWhenFull + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/Policy/Channels/{ChannelName}/ActionWhenFull +``` + + + + +Action to take when the log file reaches maximum size. "Truncate", "Overwrite", "Archive". + + + + +If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| Truncate | When the log file reaches its maximum file size, new events are not written to the log and are lost. | +| Overwrite | When the log file reaches its maximum file size, new events overwrite old events. | +| Archive | When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value is not set, the new file is saved in the same directory as current log file. 
| + + + + +**Examples**: + +- Add **ActionWhenFull** + + ```xml + + ​ + ​ + 14​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + Archive​ + ​ + ​ + ​ + ​ + + ``` + +- Delete **ActionWhenFull** + + ```xml + + ​ + ​ + 15​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Get **ActionWhenFull** + + ```xml + + ​ + ​ + 13​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Replace **ActionWhenFull** + + ```xml + + ​ + ​ + 16​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + Truncate​ + ​ + ​ + ​ + ​ + + ``` + + + + + +##### Policy/Channels/{ChannelName}/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/Policy/Channels/{ChannelName}/Enabled +``` + + + + +This policy setting specifies whether the channel should be enabled or disabled. Set value to TRUE to enable and FALSE to disable. + + + + +If you disable or don't configure this policy setting, the locally configured value is used as default. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true | Enables the channel. | +| false | Disables the channel. | + + + + +**Examples**: + +- Add **Enabled** + + ```xml + + ​ + ​ + 18​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + bool​ + text/plain​ + ​ + TRUE​ + ​ + ​ + ​ + ​ + + ``` + +- Delete **Enabled** + + ```xml + + ​ + ​ + 19​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Get **Enabled** + + ```xml + + ​ + ​ + 17​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Replace **Enabled** + + ```xml + + ​ + ​ + 20​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + bool​ + text/plain​ + ​ + FALSE​ + ​ + ​ + ​ + ​ + + ``` + + + + + +##### Policy/Channels/{ChannelName}/MaximumFileSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/Policy/Channels/{ChannelName}/MaximumFileSize +``` + + + + +Maximum size of the channel log file in MB. + + + + +- If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte and 2 terabytes in megabyte increments. +- If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-2000000]` | +| Default Value | 1 | + + + + +**Examples**: + +- Add **MaximumFileSize** + + ```xml + + ​ + ​ + 6​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + int​ + text/plain​ + ​ + 3​ + ​ + ​ + ​ + ​ + + ``` + +- Delete **MaximumFileSize** + + ```xml + + ​ + ​ + 7​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Get **MaximumFileSize** + + ```xml + + ​ + ​ + 5​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Replace **MaximumFileSize** + + ```xml + + ​ + ​ + 8​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + int​ + text/plain​ + ​ + 5​ + ​ + ​ + ​ + ​ + + ``` + + + + + +##### Policy/Channels/{ChannelName}/SDDL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Vendor/MSFT/DiagnosticLog/Policy/Channels/{ChannelName}/SDDL +``` + + + + +SDDL String controlling access to the channel. For more information, see [ChannelType Complex Type](/windows/win32/wes/eventmanifestschema-channeltype-complextype). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Case Sensitive | True | + + + + +**Examples**: + +- Add **SDDL** + + ```xml + + ​ + ​ + 10​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + YourSDDL​ + ​ + ​ + ​ + ​ + + ``` + +- Delete **SDDL** + + ```xml + + ​ + ​ + 11​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Get **SDDL** + + ```xml + + ​ + ​ + 9​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + ​ + ​ + ​ + + ``` + +- Replace **SDDL** + + ```xml + + ​ + ​ + 12​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + YourNewSDDL​ + ​ + ​ + ​ + ​ + + ``` + + + + + + +## Comparing FileDownload and DiagnosticArchive + +Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they're optimized for different workflows. + +- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It's used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage. 
+- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions, the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. The data transfer happens outside of the OMA-DM session, via an HTTP PUT. + +## How to review ArchiveResults + +The zip archive that is created and uploaded by [ArchiveResults](#diagnosticarchivearchiveresults) contains a folder structure like the following example: ```powershell PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z @@ -268,8 +2796,7 @@ la--- 1/4/2021 2:45 PM 2 la--- 12/2/2020 6:27 PM 2701 results.xml ``` -Each data gathering directive from the original `Collection` XML corresponds to a folder in the output. -For example, the first directive was: +Each data gathering directive from the original `Collection` XML corresponds to a folder in the output. For example, the first directive was: ```xml @@ -294,8 +2821,10 @@ Administrators can apply automation to 'results.xml' to create their own preferr ```powershell Select-XML -Path results.xml -XPath '//RegistryKey | //Command | //Events | //FoldersFiles' | Foreach-Object -Begin {$i=1} -Process { [pscustomobject]@{DirectiveNumber=$i; DirectiveHRESULT=$_.Node.HRESULT; DirectiveInput=$_.Node.('#text')} ; $i++} ``` + This example produces output similar to the following output: -``` + +```text DirectiveNumber DirectiveHRESULT DirectiveInput --------------- ---------------- -------------- 1 0 HKLM\Software\Policies 
@@ -351,7 +2880,8 @@ foreach( $element in $resultElements ) #endregion Remove-Item -Path $diagnosticArchiveTempUnzippedPath -Force -Recurse ``` -That example script produces a set of files similar to the following set of files, which can be a useful view for an administrator interactively browsing the results without needing to navigate any subfolders or refer to `results.xml` repeatedly: + +This example script produces a set of files similar to the following set of files, which can be a useful view for an administrator interactively browsing the results without needing to navigate any subfolders or refer to `results.xml` repeatedly: ```powershell PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip_formatted | format-table Length,Name 
@@ -369,1312 +2899,10 @@ PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip_format 1591 (09) (_windir__system32_ping_exe_-n_50_localhost) (0x00000000) output.log 5192 (10) (_windir__system32_Dsregcmd_exe__status) (0x00000000) output.log ``` + -## Policy area + -The Policy functionality within the DiagnosticLog CSP configures Windows event log policies, such as maximum log size. +## Related articles -The following section describes the nodes for the Policy functionality. - -**Policy** -Added in version 1.4 of the CSP in Windows 10, version 1903. Root node to control settings for channels in Event Log. - -The supported operation is Get. - -**Policy/Channels** -Added in version 1.4 of the CSP in Windows 10, version 1903. Node that contains Event Log channel settings. - -The supported operation is Get. - -**Policy/Channels/_ChannelName_** -Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to represent a registered channel. The node name must be a valid Windows event log channel name, such as ``Microsoft-Client-Licensing-Platform%2FAdmin``. When the name is being specified in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI. - -Supported operations are Add, Delete, and Get. - -Add **Channel** - -``` xml - - ​ - ​ - 2​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ - ​ - ​ - ​ - node​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Delete **Channel** - -``` xml - - ​ - ​ - 3​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Get **Channel** - -``` xml - - ​ - ​ - 4​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -**Policy/Channels/_ChannelName_/MaximumFileSize** -Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies the maximum size of the log file in megabytes. 
- -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte and 2 terabytes in megabyte increments. - -If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. - -Supported operations are Add, Delete, Get, and Replace. - -The data type is integer. - -Add **MaximumFileSize** - -``` xml - - ​ - ​ - 6​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ - ​ - ​ - ​ - int​ - text/plain​ - ​ - 3​ - ​ - ​ - ​ - ​ - -``` - -Delete **MaximumFileSize** - -``` xml - - ​ - ​ - 7​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Get **MaximumFileSize** - -``` xml - - ​ - ​ - 5​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Replace **MaximumFileSize** - -``` xml - - ​ - ​ - 8​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ - ​ - ​ - ​ - int​ - text/plain​ - ​ - 5​ - ​ - ​ - ​ - ​ - -``` - -**Policy/Channels/_ChannelName_/SDDL** -Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting represents SDDL string controlling access to the channel. - -Supported operations are Add, Delete, Get, and Replace. - -The data type is string. 
- -Default string is as follows: - -`https://learn.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype` - -Add **SDDL** - -``` xml - - ​ - ​ - 10​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ - ​ - ​ - ​ - chr​ - text/plain​ - ​ - YourSDDL​ - ​ - ​ - ​ - ​ - -``` - -Delete **SDDL** - -``` xml - - - ​ - ​ - 11​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Get **SDDL** - -``` xml - - ​ - ​ - 9​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Replace **SDDL** - -``` xml - - ​ - ​ - 12​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ - ​ - ​ - ​ - chr​ - text/plain​ - ​ - YourNewSDDL​ - ​ - ​ - ​ - ​ - -``` - -**Policy/Channels/_ChannelName_/ActionWhenFull** -Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting controls Event Log behavior when the log file reaches its maximum size. - -Supported operations are Add, Delete, Get, and Replace. - -The data type is string. - -The following are the possible values: -- Truncate—When the log file reaches its maximum file size, new events aren't written to the log and are lost. -- Overwrite—When the log file reaches its maximum file size, new events overwrite old events. -- Archive—When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value isn't set, the new file is saved in the same directory as current log file. - -If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration. 
- -If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration. - -Add **ActionWhenFull** - -``` xml - - ​ - ​ - 14​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ - ​ - ​ - ​ - chr​ - text/plain​ - ​ - Archive​ - ​ - ​ - ​ - ​ - -``` - -Delete **ActionWhenFull** - -``` xml - - ​ - ​ - 15​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Get **ActionWhenFull** - -``` xml - - ​ - ​ - 13​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Replace **ActionWhenFull** - -``` xml - - ​ - ​ - 16​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ - ​ - ​ - ​ - chr​ - text/plain​ - ​ - Truncate​ - ​ - ​ - ​ - ​ - -``` - -**Policy/Channels/_ChannelName_/Enabled** -Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies whether the channel should be enabled or disabled. - -Supported operations are Add, Delete, Get, and Replace. - -The data type is boolean. - -The following are the possible values: - -- TRUE—Enables the channel. -- FALSE—Disables the channel. - -If you disable or don't configure this policy setting, the locally configured value is used as default. 
- -Get **Enabled** - -``` xml - - ​ - ​ - 17​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Add **Enabled** - -``` xml - - ​ - ​ - 18​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ - ​ - ​ - ​ - bool​ - text/plain​ - ​ - TRUE​ - ​ - ​ - ​ - ​ - -``` - -Delete **Enabled** - -``` xml - - ​ - ​ - 19​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Replace **Enabled** - -``` xml - - ​ - ​ - 20​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ - ​ - ​ - ​ - bool​ - text/plain​ - ​ - FALSE​ - ​ - ​ - ​ - ​ - -``` - -## EtwLog area - -The Event Tracing for Windows (ETW) log feature of the DiagnosticLog CSP is used to control the following types of event tracing: - -- [Collector-based tracing](#collector-based-tracing) -- [Channel-based tracing](#channel-based-tracing) - -The ETW log feature is designed for advanced usage, and assumes developers' familiarity with ETW. For more information, see [About Event Tracing](/windows/win32/etw/about-event-tracing). - -### Collector-based tracing - -This type of event tracing collects event data from a collection of registered ETW providers. - -An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector. - -The *CollectorName* must be unique within the CSP and must not be a valid event channel name or a provider GUID. - -The DiagnosticLog CSP maintains a log file for each collector node and the log file is overwritten if a start command is triggered again on the same collector node. - -For each collector node, the user can: - -- Start or stop the session with all registered and enabled providers. -- Query session status. -- Change trace log file mode. -- Change trace log file size limit. 
- -The configurations log file mode and log file size limit don't take effect while trace session is in progress. These attributes are applied when user stops the current session and then starts it again for this collector. - -For each registered provider in this collector, the user can: - -- Specify keywords to filter events from this provider. -- Change trace level to filter events from this provider. -- Enable or disable the provider in the trace session. - -The changes on **State**, **Keywords**, and **TraceLevel** takes effect immediately while trace session is in progress. - -> [!NOTE] -> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. - -### Channel-based tracing - -The type of event tracing exports event data from a specific channel. This method is only supported on the desktop. - -Users can add or delete a channel node using the full name, such as Microsoft-Windows-AppModel-Runtime/Admin. - -The DiagnosticLog CSP maintains a log file for each channel node and the log file is overwritten if a start command is triggered again on the same channel node. - -For each channel node, the user can: - -- Export channel event data into a log file (.evtx). -- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel. -- Specify an XPath query to filter events while exporting the channel event data. - -For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10]((../diagnose-mdm-failures-in-windows-10.md). - -To gather diagnostics using this CSP: - -1. Specify a *CollectorName* for the container of the target ETW providers. -2. 
(Optional) Set logging and log file parameters using the following options: - - - [TraceLogFileMode](#etwlog-collectors-collectorname-tracelogfilemode) - - [LogFileSizeLimitMB](#etwlog-collectors-collectorname-logfilesizelimitmb) - -3. Indicate one or more target ETW providers by supplying its **ProviderGUID** to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*. -4. (Optional) Set logging and log file parameters using the following options: - - [TraceLevel](#etwlog-collectors-collectorname-providers-providerguid-tracelevel) - - [Keywords](#etwlog-collectors-collectorname-providers-providerguid-keywords) -5. Start logging using **TraceControl** EXECUTE command “START”. -6. Perform actions on the target device that will generate activity in the log files. -7. Stop logging using **TraceControl** EXECUTE command “STOP”. -8. Collect the log file located in the `%temp%` folder using the method described in [Reading a log file](#reading-a-log-file). - -The following section describes the nodes for EtwLog functionality. - -**EtwLog** -Node to contain the Error Tracing for Windows log. - -The supported operation is Get. - -**EtwLog/Collectors** -Interior node to contain dynamic child interior nodes for active providers. - -The supported operation is Get. - -**EtwLog/Collectors/_CollectorName_** -Dynamic nodes to represent active collector configuration. - -Supported operations are Add, Delete, and Get. - -Add a collector - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement - - - node - - - - - - -``` - -Delete a collector - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement - - - - - - -``` - -**EtwLog/Collectors/*CollectorName*/TraceStatus** -Specifies whether the current logging status is running. - -The data type is an integer. - -The supported operation is Get. 
- -The following table represents the possible values: - -| Value | Description | -| ----- | ----------- | -| 0 | Stopped | -| 1 | Started | - -**EtwLog/Collectors/*CollectorName*/TraceLogFileMode** -Specifies the log file logging mode. - -The data type is an integer. - -Supported operations are Get and Replace. - -The following table lists the possible values: - -| Value | Description | -| ----- | ------------------ | -| EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001) | Writes events to a log file sequentially; stops when the file reaches its maximum size. | -| EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002) | Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events. | - -**EtwLog/Collectors/*CollectorName*/TraceControl** -Specifies the logging and report action state. - -The data type is a string. - -The following table lists the possible values: - -| Value | Description | -| ----- | ------------------ | -| START | Start log tracing. | -| STOP | Stop log tracing. | - -The supported operation is Execute. - -After you've added a logging task, you can start a trace by running an Execute command on this node with the value START. - -To stop the trace, running an execute command on this node with the value STOP. - -Start collector trace logging - -```xml - - - - - 2 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl - - - chr - - START - - - - - -``` - -Stop collector trace logging - -```xml - - - - - 2 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl - - - chr - - STOP - - - - - -``` - -**EtwLog/Collectors/*CollectorName*/LogFileSizeLimitMB** -Sets the log file size limit, in MB. - -The data type is an integer. - -Valid values are 1-2048. The default value is 4. - -Supported operations are Get and Replace. - -**EtwLog/Collectors/*CollectorName*/Providers** -Interior node to contain dynamic child interior nodes for active providers. 
- -The supported operation is Get. - -**EtwLog/Collectors/*CollectorName*/Providers/_ProviderGUID_** -Dynamic nodes to represent active provider configuration per provider GUID. - -> [!NOTE] -> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. - -Supported operations are Add, Delete, and Get. - -Add a provider - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b - - - node - - - - - - -``` - -Delete a provider - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b - - - - - - -``` - -**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/TraceLevel** -Specifies the level of detail included in the trace log. - -The data type is an integer. - -Supported operations are Get and Replace. - -The following table lists the possible values: - -| Value | Description | -| ----- | ------------------ | -| 1 – TRACE_LEVEL_CRITICAL | Abnormal exit or termination events | -| 2 – TRACE_LEVEL_ERROR | Severe error events | -| 3 – TRACE_LEVEL_WARNING | Warning events such as allocation failures | -| 4 – TRACE_LEVEL_INFORMATION | Non-error events, such as entry or exit events | -| 5 – TRACE_LEVEL_VERBOSE | Detailed information | - -Set provider **TraceLevel** - -```xml - - - - - 2 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/TraceLevel - - - int - - 1 - - - - - -``` - -**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/Keywords** -Specifies the provider keywords to be used as MatchAnyKeyword for this provider. - -The data type is a string. - -Supported operations are Get and Replace. 
- -Default value is 0 meaning no keyword. - -Get provider **Keywords** - -```xml - - - - 1 - - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords - - - - - - - -``` - -Set provider **Keywords** - -```xml - - - - 4 - - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords - - - - chr - text/plain - - 12345678FFFFFFFF - - - - - -``` - -**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/State** -Specifies if this provider is enabled in the trace session. - -The data type is a boolean. - -Supported operations are Get and Replace. This change will be effective during active trace session. - -The following table lists the possible values: - -| Value | Description | -| ----- | ------------------ | -| TRUE | Provider is enabled in the trace session. This value is the default value. | -| FALSE | Provider is disabled in the trace session. | - -Set provider **State** - -```xml - - - - - 2 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/State - - - bool - - false - - - - - -``` - -**EtwLog/Channels** -Interior node to contain dynamic child interior nodes for registered channels. - -The supported operation is Get. - -**EtwLog/Channels/_ChannelName_** -Dynamic nodes to represent a registered channel. The node name must be a valid Windows event log channel name, such as "Microsoft-Client-Licensing-Platform%2FAdmin" - -Supported operations are Add, Delete, and Get. 
- -Add a channel - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin - - - node - - - - - - -``` - -Delete a channel - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin - - - - - - -``` - -**EtwLog/Channels/*ChannelName*/Export** -Node to trigger the command to export channel event data into the log file. - -The supported operation is Execute. - -Export channel event data - -```xml - - - - - 2 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Export - - - - - - -``` - -**EtwLog/Channels/*ChannelName*/Filter** -Specifies the XPath query string to filter the events while exporting. - -The data type is a string. - -Supported operations are Get and Replace. - -Default value is empty string. - -Get channel **Filter** - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Filter - - - - - - -``` - -**EtwLog/Channels/*ChannelName*/State** -Specifies if the Channel is enabled or disabled. - -The data type is a boolean. - -Supported operations are Get and Replace. - -The following table lists the possible values: - -| Value | Description | -| ----- | -------------------- | -| TRUE | Channel is enabled. | -| FALSE | Channel is disabled. | - -Get channel **State** - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State - - - - - - -``` - -Set channel **State** - -```xml - - - - - 2 - - - ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State - - - bool - - false - - - - - -``` - -## DeviceStateData area - -The DeviceStateData functionality within the DiagnosticLog CSP provides extra device information. - -The following section describes the nodes for the DeviceStateData functionality. 
- -**DeviceStateData** -Added in version 1.3 of the CSP in Windows 10, version 1607. Node for all types of device state data that are exposed. - -**DeviceStateData/MdmConfiguration** -Added in version 1.3 of the CSP in Windows 10, version 1607. Triggers the snapping of device management state data with SNAP. - -The supported value is Execute. - -```xml - - - - - 2 - - - ./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration - - - chr - - SNAP - - - - - -``` - -## FileDownload area - -The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context, the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device. - -### Comparing FileDownload and DiagnosticArchive - -Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they're optimized for different workflows. - -- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It's used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage. -- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions, the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. The data transfer happens outside of the OMA-DM session, via an HTTP PUT. - -The following section describes the nodes for the FileDownload functionality. - -**FileDownload** -Node to contain child nodes for log file transportation protocols and corresponding actions. 
- -**FileDownload/DMChannel** -Node to contain child nodes using DM channel for transport protocol. - -**FileDownload/DMChannel/_FileContext_** -Dynamic interior nodes that represent per log file context. - -**FileDownload/DMChannel/*FileContext*/BlockSizeKB** -Sets the log read buffer, in KB. - -The data type is an integer. - -Valid values are 1-16. The default value is 4. - -Supported operations are Get and Replace. - -Set **BlockSizeKB** - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB - - - int - - 1 - - - - - -``` - -Get **BlockSizeKB** - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB - - - - - - -``` - -**FileDownload/DMChannel/*FileContext*/BlockCount** -Represents the total read block count for the log file. - -The data type is an integer. - -The only supported operation is Get. - -Get **BlockCount** - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockCount - - - - - - -``` - -**FileDownload/DMChannel/*FileContext*/BlockIndexToRead** -Represents the read block start location. - -The data type is an integer. - -Supported operations are Get and Replace. - -Set **BlockIndexToRead** at 0 - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead - - - int - - 0 - - - - - -``` - -Set **BlockIndexToRead** at 1 - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead - - - int - - 1 - - - - - -``` - -**FileDownload/DMChannel/*FileContext*/BlockData** -The data type is Base64. - -The only supported operation is Get. - -Get **BlockData** - -```xml - - - - - 1 - - - ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockData - - - - - - -``` - -**FileDownload/DMChannel/*FileContext*/DataBlocks** -Node to transfer the selected log file block to the DM server. 
- -**FileDownload/DMChannel/*FileContext*/DataBlocks/_BlockNumber_** -The data type is Base64. - -The supported operation is Get. - -### Reading a log file - -To read a log file: - -1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**. -2. Select a log file in the Enumeration result. -3. Set **BlockSizeKB** per DM server payload limitation. -4. Get **BlockCount** to determine total read request. -5. Set **BlockIndexToRead** to initialize read start point. -6. Get **BlockData** for upload log block. -7. Increase **BlockIndexToRead**. -8. Repeat steps 5 to 7 until **BlockIndexToRead == (BlockIndexToRead – 1)**. - -## Related topics - -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index a268523ce4..e87402d67d 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md 
@@ -1,1304 +1,81 @@ --- -title: DiagnosticLog DDF -description: Learn about the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider (CSP). -ms.reviewer: +title: DiagnosticLog DDF file +description: View the XML file containing the device description framework (DDF) for the DiagnosticLog configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/21/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- -# DiagnosticLog DDF + -This topic shows the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The content below are the latest versions of the DDF files: - -- [DiagnosticLog CSP version 1.2](#version-1-2) -- [DiagnosticLog CSP version 1.3](#version-1-3) -- [DiagnosticLog CSP version 1.4](#version-1-4) - -## DiagnosticLog CSP version 1.2 +# DiagnosticLog DDF file +The following XML file contains the device description framework (DDF) for the DiagnosticLog configuration service provider. ```xml -]> - - 1.2 - - DiagnosticLog - ./Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/1.2/MDM/DiagnosticLog - - - - EtwLog - - - - - Root node of all types of event logging nodes that CSP manages. - - - - - - - - - - - - - - - Collectors - - - - - Root node of registered "Collector" nodes. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a registered 'Collector' node. CSP will maintain an ETW trace session for this collector with its name used as a unique identifier. In a collector, a valid ETW provider can be registered and unregistered. The collector's associated trace session will enable the registered providers in it if the provider's state is 'Enabled'. 
Each provider's state, trace level and keywords can be controlled separately. The name of this node must not be a valid Windows event channel name. It can be a etw provider guid as long as it is not equal to an already registered 'Provider' node name. - - - - - - - - - - CollectorName - - - - - - TraceStatus - - - - - This node is used for getting the status of this collector node's associated trace session. 1 means "in progress"; 0 means "not started or stopped". - - - - - - - - - - - text/plain - - - - - TraceLogFileMode - - - - - - 1 - This node is used for setting or getting the trace log file mode of this collector node's associated trace session. The only two allowed values are 1 and 2, which are EVENT_TRACE_FILE_MODE_SEQUENTIAL and EVENT_TRACE_FILE_MODE_CIRCULAR. Default value is 1. - - - - - - - - - - - text/plain - - - - - TraceControl - - - - - - This node is to trigger "start" and "stop" of this collector node's associated trace session. "Get" returns the name of this node. - - - - - - - - - - - text/plain - - - - - LogFileSizeLimitMB - - - - - - 4 - This node is used for setting or getting the trace log file size limit(in Megabytes) of this collector node's associated trace session. The value range is 1~2048. Default value is 4. - - - - - - - - - - - text/plain - - - - - Providers - - - - - Root node of all providers registered in this collector node. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents an ETW provider registered in this collector node. The node name must be a valid provider GUID. - - - - - - - - - - ProviderGuid - - - - - - Keywords - - - - - - "0" - This node is used for setting or getting the keywords of the event provider in this collector node's associated trace session. The string is in the form of hexadecimal digits and 16 chars wide. It'll be internally converted into ULONGLONG data type in the CSP. Default value is "0", which means all events from this provider are included. 
If the associated trace session is in progress, new keywords setting is applied immediately; if not, it'll be applied next time that session is started. - - - - - - - - - - - text/plain - - - - - TraceLevel - - - - - - 5 - This node is used for setting or getting the trace level of this event provider in this collector node's associated trace session. Default value is 5, which is TRACE_LEVEL_VERBOSE. If the associated trace session is in progress, new trace level setting is applied immediately;if not, it'll be applied next time that session is started. - - - - - - - - - - - text/plain - - - - - State - - - - - - true - This node is used for setting or getting the state of the event provider in this collector node's associated trace session. If the trace session isn't started, changing the value controls whether to enable the provider or not when session is started; if trace session is already started, changing its value causes enabling or disabling the provider in the live trace session. Default value is true. - - - - - - - - - - - text/plain - - - - - - - - - Channels - - - - - Root node of registered "Channel" nodes. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. - - - - - - - - - - ChannelName - - - - - - Export - - - - - - This node is to trigger exporting events into a log file from this node's associated Windows event channel. The log file's extension is .evtx, which is the standard extension of windows event channel log. The "Get" command returns the name of this node. - - - - - - - - - - - text/plain - - - - - State - - - - - - This node is used for setting or getting the 'Enabled' state of this node's associated windows event channel in the system. 
Setting it to "TRUE" enables the channel; setting it to "FALSE" disables the channel. - - - - - - - - - - - text/plain - - - - - Filter - - - - - - "" - This node is used for setting or getting the xpath query string to filter the events when exporting the log file from the channel. Default value is empty string. - - - - - - - - - - - text/plain - - - - - - - - FileDownload - - - - - Root node of all csp nodes that are related to log file download in csp. - - - - - - - - - - - - - - - DMChannel - - - - - Root node of all csp nodes that are used for controlling file download for their associated log file generated by logging csp nodes. - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a 'FileContext' node corresponding to a log file generated by one of the logging CSP nodes(underneath 'EtwLog' node). The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. The log file and its location will be determined by CSP based on the node name. File download is done by dividing the log file into multiple blocks of configured block size and then sending the blocks as requested by MDM server. - - - - - - - - - - FileContext - - - - - - BlockSizeKB - - - - - - 4 - This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4. - - - - - - - - - - - text/plain - - - - - BlockCount - - - - - This node is used for getting the total number of blocks for the associated log file. If the log file isn't generated yet, the value returned is -1; if the trace session is in progress, the value returned is -2. - - - - - - - - - - - text/plain - - - - - BlockIndexToRead - - - - - - This node is used for setting and getting the block index that points to the data block for 'BlockData' node. The value range is 0~(BlockCount-1). 
- - - - - - - - - - - text/plain - - - - - BlockData - - - - - This node is used to get the binary data of the block that 'BlockIndexToRead' node is pointing to. - - - - - - - - - - - - - - - - DataBlocks - - - - - Root node of all 'BlockNumber' nodes for the associated log file. The number of its children should be the total block count of the log file. No children nodes exist if 'BlockCount' node's value is less than 0. - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a 'BlockNumber' node. The node name is an integer equal to the index of the block which this node stands for. Therefore the node name should be ranging from 0 to (BlockCount -1). It returns the binary data of the block which this node is referring to. - - - - - - - - - - BlockNumber - - - - - - - - - - - -``` - -## DiagnosticLog CSP version 1.3 - - -```xml - -]> - - 1.2 - - DiagnosticLog - ./Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/1.3/MDM/DiagnosticLog - - - - EtwLog - - - - - Root node of all types of event logging nodes that CSP manages. - - - - - - - - - - - - - - - Collectors - - - - - Root node of registered "Collector" nodes. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a registered 'Collector' node. CSP will maintain an ETW trace session for this collector with its name used as a unique identifier. In a collector, a valid ETW provider can be registered and unregistered. The collector's associated trace session will enable the registered providers in it if the provider's state is 'Enabled'. Each provider's state, trace level and keywords can be controlled separately. The name of this node must not be a valid Windows event channel name. It can be a etw provider guid as long as it is not equal to an already registered 'Provider' node name. - - - - - - - - - - CollectorName - - - - - - TraceStatus - - - - - This node is used for getting the status of this collector node's associated trace session. 
1 means "in progress"; 0 means "not started or stopped". - - - - - - - - - - - text/plain - - - - - TraceLogFileMode - - - - - - 1 - This node is used for setting or getting the trace log file mode of this collector node's associated trace session. The only two allowed values are 1 and 2, which are EVENT_TRACE_FILE_MODE_SEQUENTIAL and EVENT_TRACE_FILE_MODE_CIRCULAR. Default value is 1. - - - - - - - - - - - text/plain - - - - - TraceControl - - - - - - This node is to trigger "start" and "stop" of this collector node's associated trace session. "Get" returns the name of this node. - - - - - - - - - - - text/plain - - - - - LogFileSizeLimitMB - - - - - - 4 - This node is used for setting or getting the trace log file size limit(in Megabytes) of this collector node's associated trace session. The value range is 1~2048. Default value is 4. - - - - - - - - - - - text/plain - - - - - Providers - - - - - Root node of all providers registered in this collector node. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents an ETW provider registered in this collector node. The node name must be a valid provider GUID. - - - - - - - - - - ProviderGuid - - - - - - Keywords - - - - - - "0" - This node is used for setting or getting the keywords of the event provider in this collector node's associated trace session. The string is in the form of hexadecimal digits and 16 chars wide. It'll be internally converted into ULONGLONG data type in the CSP. Default value is "0", which means all events from this provider are included. If the associated trace session is in progress, new keywords setting is applied immediately; if not, it'll be applied next time that session is started. - - - - - - - - - - - text/plain - - - - - TraceLevel - - - - - - 5 - This node is used for setting or getting the trace level of this event provider in this collector node's associated trace session. Default value is 5, which is TRACE_LEVEL_VERBOSE. 
If the associated trace session is in progress, new trace level setting is applied immediately;if not, it'll be applied next time that session is started. - - - - - - - - - - - text/plain - - - - - State - - - - - - true - This node is used for setting or getting the state of the event provider in this collector node's associated trace session. If the trace session isn't started, changing the value controls whether to enable the provider or not when session is started; if trace session is already started, changing its value causes enabling or disabling the provider in the live trace session. Default value is true. - - - - - - - - - - - text/plain - - - - - - - - - Channels - - - - - Root node of registered "Channel" nodes. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. - - - - - - - - - - ChannelName - - - - - - Export - - - - - - This node is to trigger exporting events into a log file from this node's associated Windows event channel. The log file's extension is .evtx, which is the standard extension of windows event channel log. The "Get" command returns the name of this node. - - - - - - - - - - - text/plain - - - - - State - - - - - - This node is used for setting or getting the 'Enabled' state of this node's associated windows event channel in the system. Setting it to "TRUE" enables the channel; setting it to "FALSE" disables the channel. - - - - - - - - - - - text/plain - - - - - Filter - - - - - - "" - This node is used for setting or getting the xpath query string to filter the events when exporting the log file from the channel. Default value is empty string. 
- - - - - - - - - - - text/plain - - - - - - - - DeviceStateData - - - - - Root node of all types of device state data that CSP exposes. - - - - - - - - - - - - - - - MdmConfiguration - - - - - This node is to trigger snapping of the Device Management state data with "SNAP". - - - - - - - - - - - text/plain - - - - - - FileDownload - - - - - Root node of all csp nodes that are related to log file download in csp. - - - - - - - - - - - - - - - DMChannel - - - - - Root node of all csp nodes that are used for controlling file download for their associated log file generated by logging csp nodes. - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a 'FileContext' node corresponding to a log file generated by one of the logging CSP nodes(underneath 'EtwLog' node). The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. The log file and its location will be determined by CSP based on the node name. File download is done by dividing the log file into multiple blocks of configured block size and then sending the blocks as requested by MDM server. - - - - - - - - - - FileContext - - - - - - BlockSizeKB - - - - - - 4 - This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4. - - - - - - - - - - - text/plain - - - - - BlockCount - - - - - This node is used for getting the total number of blocks for the associated log file. If the log file isn't generated yet, the value returned is -1; if the trace session is in progress, the value returned is -2. - - - - - - - - - - - text/plain - - - - - BlockIndexToRead - - - - - - This node is used for setting and getting the block index that points to the data block for 'BlockData' node. The value range is 0~(BlockCount-1). - - - - - - - - - - - text/plain - - - - - BlockData - - - - - This node is used to get the binary data of the block that 'BlockIndexToRead' node is pointing to. 
- - - - - - - - - - - - - - - - DataBlocks - - - - - Root node of all 'BlockNumber' nodes for the associated log file. The number of its children should be the total block count of the log file. No children nodes exist if 'BlockCount' node's value is less than 0. - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a 'BlockNumber' node. The node name is an integer equal to the index of the block which this node stands for. Therefore the node name should be ranging from 0 to (BlockCount -1). It returns the binary data of the block which this node is referring to. - - - - - - - - - - BlockNumber - - - - - - - - - - - -``` - -## DiagnosticLog CSP version 1.4 -```xml - - -]> +]> 1.2 + + + + DiagnosticLog + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.2 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + EtwLog + + + + + Root node of all types of event logging nodes that CSP manages. + + + + + + + + + + + + + - DiagnosticLog - ./Vendor/MSFT + Collectors + Root node of registered "Collector" nodes. 
@@ -1309,36 +86,155 @@ The content below are the latest versions of the DDF files: - com.microsoft/1.4/MDM/DiagnosticLog + - EtwLog + + + + - Root node of all types of event logging nodes that CSP manages. + Each dynamic node represents a registered 'Collector' node. CSP will maintain an ETW trace session for this collector with its name used as a unique identifier. In a collector, a valid ETW provider can be registered and unregistered. The collector's associated trace session will enable the registered providers in it if the provider's state is 'Enabled'. Each provider's state, trace level and keywords can be controlled separately. The name of this node must not be a valid Windows event channel name. It can be a etw provider guid as long as it is not equal to an already registered 'Provider' node name. - + - + + CollectorName - + + + + - Collectors + TraceStatus - Root node of registered "Collector" nodes. + This node is used for getting the status of this collector node's associated trace session. 1 means "in progress"; 0 means "not started or stopped". + + + + + + + + + + + + + + + + TraceLogFileMode + + + + + + 1 + This node is used for setting or getting the trace log file mode of this collector node's associated trace session. The only two allowed values are 1 and 2, which are EVENT_TRACE_FILE_MODE_SEQUENTIAL and EVENT_TRACE_FILE_MODE_CIRCULAR. Default value is 1. + + + + + + + + + + + + + + + 1 + EVENT_TRACE_FILE_MODE_SEQUENTIAL-Writes events to a log file sequentially. It stops when the file reaches its maximum size. + + + 2 + EVENT_TRACE_FILE_MODE_CIRCULAR-Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events. + + + + + + TraceControl + + + + + + This node is to trigger "start" and "stop" of this collector node's associated trace session. "Get" returns the name of this node. + + + + + + + + + + + + + + + START + Start log tracing. 
+ + + STOP + Stop log tracing + + + + + + LogFileSizeLimitMB + + + + + + 4 + This node is used for setting or getting the trace log file size limit(in Megabytes) of this collector node's associated trace session. The value range is 1~2048. Default value is 4. + + + + + + + + + + + + + + [1-2048] + + + + + Providers + + + + + Root node of all providers registered in this collector node. @@ -1346,21 +242,22 @@ The content below are the latest versions of the DDF files: - + - + - + + - Each dynamic node represents a registered 'Collector' node. CSP will maintain an ETW trace session for this collector with its name used as a unique identifier. In a collector, a valid ETW provider can be registered and unregistered. The collector's associated trace session will enable the registered providers in it if the provider's state is 'Enabled'. Each provider's state, trace level and keywords can be controlled separately. The name of this node must not be a valid Windows event channel name. It can be a etw provider guid as long as it is not equal to an already registered 'Provider' node name. + Each dynamic node represents an ETW provider registered in this collector node. The node name must be a valid provider GUID. 
@@ -1370,63 +267,23 @@ The content below are the latest versions of the DDF files: - CollectorName + ProviderGuid - + + + The node name must be a valid provider GUID. + - TraceStatus - - - - - This node is used for getting the status of this collector node's associated trace session. 1 means "in progress"; 0 means "not started or stopped". - - - - - - - - - - - text/plain - - - - - TraceLogFileMode + Keywords - 1 - This node is used for setting or getting the trace log file mode of this collector node's associated trace session. The only two allowed values are 1 and 2, which are EVENT_TRACE_FILE_MODE_SEQUENTIAL and EVENT_TRACE_FILE_MODE_CIRCULAR. Default value is 1. - - - - - - - - - - - text/plain - - - - - TraceControl - - - - - - This node is to trigger "start" and "stop" of this collector node's associated trace session. "Get" returns the name of this node. + "0" + This node is used for setting or getting the keywords of the event provider in this collector node's associated trace session. The string is in the form of hexadecimal digits and 16 chars wide. It'll be internally converted into ULONGLONG data type in the CSP. Default value is "0", which means all events from this provider are included. If the associated trace session is in progress, new keywords setting is applied immediately; if not, it'll be applied next time that session is started. 
@@ -1437,19 +294,21 @@ The content below are the latest versions of the DDF files: - text/plain + + + - LogFileSizeLimitMB + TraceLevel - 4 - This node is used for setting or getting the trace log file size limit(in Megabytes) of this collector node's associated trace session. The value range is 1~2048. Default value is 4. + 5 + This node is used for setting or getting the trace level of this event provider in this collector node's associated trace session. Default value is 5, which is TRACE_LEVEL_VERBOSE. If the associated trace session is in progress, new trace level setting is applied immediately;if not, it'll be applied next time that session is started. 
@@ -1460,189 +319,30 @@ The content below are the latest versions of the DDF files: - text/plain - - - - - Providers - - - - - Root node of all providers registered in this collector node. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents an ETW provider registered in this collector node. The node name must be a valid provider GUID. - - - - - - - - - - ProviderGuid - - - - - - Keywords - - - - - - "0" - This node is used for setting or getting the keywords of the event provider in this collector node's associated trace session. The string is in the form of hexadecimal digits and 16 chars wide. It'll be internally converted into ULONGLONG data type in the CSP. Default value is "0", which means all events from this provider are included. If the associated trace session is in progress, new keywords setting is applied immediately; if not, it'll be applied next time that session is started. - - - - - - - - - - - text/plain - - - - - TraceLevel - - - - - - 5 - This node is used for setting or getting the trace level of this event provider in this collector node's associated trace session. Default value is 5, which is TRACE_LEVEL_VERBOSE. If the associated trace session is in progress, new trace level setting is applied immediately;if not, it'll be applied next time that session is started. - - - - - - - - - - - text/plain - - - - - State - - - - - - true - This node is used for setting or getting the state of the event provider in this collector node's associated trace session. If the trace session isn't started, changing the value controls whether to enable the provider or not when session is started; if trace session is already started, changing its value causes enabling or disabling the provider in the live trace session. Default value is true. - - - - - - - - - - - text/plain - - - - - - - - - Channels - - - - - Root node of registered "Channel" nodes. 
- - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. - - - - - - - - - - ChannelName - - - - - - Export - - - - - - This node is to trigger exporting events into a log file from this node's associated Windows event channel. The log file's extension is .evtx, which is the standard extension of windows event channel log. The "Get" command returns the name of this node. - - - - - - - - - - - text/plain + + + + 1 + TRACE_LEVEL_CRITICAL - Abnormal exit or termination events + + + 2 + TRACE_LEVEL_ERROR - Severe error events + + + 3 + TRACE_LEVEL_WARNING - Warning events such as allocation failures + + + 4 + TRACE_LEVEL_INFORMATION - Non-error events, such as entry or exit events + + + 5 + TRACE_LEVEL_VERBOSE - Detailed information + + @@ -1652,7 +352,8 @@ The content below are the latest versions of the DDF files: - This node is used for setting or getting the 'Enabled' state of this node's associated windows event channel in the system. Setting it to "TRUE" enables the channel; setting it to "FALSE" disables the channel. + true + This node is used for setting or getting the state of the event provider in this collector node's associated trace session. If the trace session isn't started, changing the value controls whether to enable the provider or not when session is started; if trace session is already started, changing its value causes enabling or disabling the provider in the live trace session. Default value is true. 
@@ -1663,63 +364,134 @@ The content below are the latest versions of the DDF files: - text/plain - - - - - Filter - - - - - - "" - This node is used for setting or getting the xpath query string to filter the events when exporting the log file from the channel. Default value is empty string. - - - - - - - - - - - text/plain + + + + true + Provider is enabled in the trace session. This is the default. + + + false + Provider is disabled in the trace session. + + + + + Channels + + + + + Root node of registered "Channel" nodes. + + + + + + + + + + + + + - DeviceStateData + + + + - Root node of all types of device state data that CSP exposes. + Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. - + - + + ChannelName - + + + The node name must be a valid Windows event log channel name, such as "Microsoft-Client-Licensing-Platform%2FAdmin" + - MdmConfiguration + Export + - This node is to trigger snapping of the Device Management state data with "SNAP". + This node is to trigger exporting events into a log file from this node's associated Windows event channel. The log file's extension is .evtx, which is the standard extension of windows event channel log. The "Get" command returns the name of this node. + + + + + + + + + + + + + + + + State + + + + + + This node is used for setting or getting the 'Enabled' state of this node's associated windows event channel in the system. Setting it to "TRUE" enables the channel; setting it to "FALSE" disables the channel. + + + + + + + + + + + + + + + true + Channel is enabled. + + + false + Channel is disabled. + + + + + + Filter + + + + + + "" + This node is used for setting or getting the xpath query string to filter the events when exporting the log file from the channel. 
Default value is empty string. 
@@ -1727,454 +499,558 @@ The content below are the latest versions of the DDF files: - + - text/plain - - - - - - FileDownload - - - - - Root node of all csp nodes that are related to log file download in csp. - - - - - - - - - - - - - - - DMChannel - - - - - Root node of all csp nodes that are used for controlling file download for their associated log file generated by logging csp nodes. - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a 'FileContext' node corresponding to a log file generated by one of the logging CSP nodes(underneath 'EtwLog' node). The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. The log file and its location will be determined by CSP based on the node name. File download is done by dividing the log file into multiple blocks of configured block size and then sending the blocks as requested by MDM server. - - - - - - - - - - FileContext - - - - - - BlockSizeKB - - - - - - 4 - This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4. - - - - - - - - - - - text/plain - - - - - BlockCount - - - - - This node is used for getting the total number of blocks for the associated log file. If the log file isn't generated yet, the value returned is -1; if the trace session is in progress, the value returned is -2. - - - - - - - - - - - text/plain - - - - - BlockIndexToRead - - - - - - This node is used for setting and getting the block index that points to the data block for 'BlockData' node. The value range is 0~(BlockCount-1). - - - - - - - - - - - text/plain - - - - - BlockData - - - - - This node is used to get the binary data of the block that 'BlockIndexToRead' node is pointing to. - - - - - - - - - - - - - - - - DataBlocks - - - - - Root node of all 'BlockNumber' nodes for the associated log file. The number of its children should be the total block count of the log file. 
No children nodes exist if 'BlockCount' node's value is less than 0. - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a 'BlockNumber' node. The node name is an integer equal to the index of the block which this node stands for. Therefore the node name should be ranging from 0 to (BlockCount -1). It returns the binary data of the block which this node is referring to. - - - - - - - - - - BlockNumber - - - - - - - - - - - Policy - - - - - Contains policy for diagnostic settings. - - - - - - - - - - - - - - - - - - Channels - - - - - Contains policy for Event Log channel settings. - - - - - - - - - - - - - - - - - - - - - - Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. - - - - - - - - - - ChannelName - - - - - - MaximumFileSize - - - - - - - - Maximum size of the channel log file in MB. - - - - - - - - - - - text/plain - - - - - SDDL - - - - - - - - SDDL String controlling access to the channel. Default: https://learn.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype - - - - - - - - - - - - - - text/plain - - - - - ActionWhenFull - - - - - - - - Action to take when the log file reaches maximum size. "Truncate", "Overwrite", "Archive". - - - - - - - - - - - - - - text/plain - - - - - Enabled - - - - - - - - This policy setting specifies whether the channel should be enabled or disabled. Set value to TRUE to enable and FALSE to disable. - - - - - - - - - - - text/plain - - - - - - - - DiagnosticArchive - - - - - Root note for archive definition and collection. - - - - - - - - - - - - - - - ArchiveDefinition - - - - - - - - - - - - - - - - text/plain - - - - - ArchiveResults - - - - - Pull up the results of the last archive run. 
- - - - - - - - - - - - - - text/plain + + + + + + DeviceStateData + + + + + Root node of all types of device state data that CSP exposes. + + + + + + + + + + + + + + + MdmConfiguration + + + + + + This node is to trigger snapping of the Device Management state data with "SNAP". + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + + + FileDownload + + + + + Root node of all csp nodes that are related to log file download in csp. + + + + + + + + + + + + + + + DMChannel + + + + + Root node of all csp nodes that are used for controlling file download for their associated log file generated by logging csp nodes. + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a 'FileContext' node corresponding to a log file generated by one of the logging CSP nodes(underneath 'EtwLog' node). The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. The log file and its location will be determined by CSP based on the node name. File download is done by dividing the log file into multiple blocks of configured block size and then sending the blocks as requested by MDM server. + + + + + + + + + + FileContext + + + + + The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. + + + + BlockSizeKB + + + + + + 4 + This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4. + + + + + + + + + + + + + + [1-16] + + + + + BlockCount + + + + + This node is used for getting the total number of blocks for the associated log file. If the log file isn't generated yet, the value returned is -1; if the trace session is in progress, the value returned is -2. + + + + + + + + + + + + + + + + BlockIndexToRead + + + + + + This node is used for setting and getting the block index that points to the data block for 'BlockData' node. The value range is 0~(BlockCount-1). 
+ + + + + + + + + + + + + + + + + + BlockData + + + + + This node is used to get the binary data of the block that 'BlockIndexToRead' node is pointing to. + + + + + + + + + + + + + + + + DataBlocks + + + + + Root node of all 'BlockNumber' nodes for the associated log file. The number of its children should be the total block count of the log file. No children nodes exist if 'BlockCount' node's value is less than 0. + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a 'BlockNumber' node. The node name is an integer equal to the index of the block which this node stands for. Therefore the node name should be ranging from 0 to (BlockCount -1). It returns the binary data of the block which this node is referring to. + + + + + + + + + + BlockNumber + + + + + + + + + + + + + + Policy + + + + + Contains policy for diagnostic settings. + + + + + + + + + + + + + + + + + 10.0.18362 + 1.4 + + + + Channels + + + + + Contains policy for Event Log channel settings. + + + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. + + + + + + + + + + ChannelName + + + + + The node name must be a valid Windows event log channel name, such as Microsoft-Client-Licensing-Platform%2FAdmin. When specifying the name in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI. + + + + MaximumFileSize + + + + + + + + 1 + Maximum size of the channel log file in MB. + + + + + + + + + + + + + + [1-2000000] + + + + + SDDL + + + + + + + + SDDL String controlling access to the channel. 
Default: https://docs.microsoft.com/en-us/windows/desktop/WES/eventmanifestschema-channeltype-complextype + + + + + + + + + + + + + + + + + + + + + ActionWhenFull + + + + + + + + Action to take when the log file reaches maximum size. "Truncate", "Overwrite", "Archive". + + + + + + + + + + + + + + + + + + Truncate + When the log file reaches its maximum file size, new events are not written to the log and are lost. + + + Overwrite + When the log file reaches its maximum file size, new events overwrite old events. + + + Archive + When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value is not set, the new file is saved in the same directory as current log file. + + + + + + Enabled + + + + + + + + This policy setting specifies whether the channel should be enabled or disabled. Set value to TRUE to enable and FALSE to disable. + + + + + + + + + + + + + + + true + Enables the channel. + + + false + Disables the channel. + + + + + + + + + DiagnosticArchive + + + + + Root note for archive definition and collection. + + + + + + + + + + + + + + 10.0.18362 + 1.4 + + + + ArchiveDefinition + + + + + + + + + + + + + + + + + + + + + + + + ArchiveResults + + + + + Pull up the results of the last archive run. + + + + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles - -[DiagnosticLog configuration service provider](diagnosticlog-csp.md) - -  - -  +[DiagnosticLog configuration service provider reference](diagnosticlog-csp.md) diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index aa91c7caf5..488633b587 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md 
@@ -1,317 +1,1595 @@ --- title: DMAcc CSP -description: Learn how the DMAcc configuration service provider (CSP) allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. -ms.reviewer: +description: Learn more about the DMAcc CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.topic: reference --- + + + # DMAcc CSP -The table below shows the applicability of Windows: + + +The DMAcc configuration service provider allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. The server can use this configuration service provider to add a new account or to manage an existing account, including an account that was bootstrapped by using the [w7 APPLICATION](w7-application-csp.md) configuration service provider. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -The DMAcc configuration service provider allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. The server can use this configuration service provider to add a new account or to manage an existing account, including an account that was bootstrapped by using the [w7 APPLICATION configuration service provider](w7-application-csp.md) - -> [!Note] +> [!NOTE] >This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. For the DMAcc CSP, you can't use the Replace command unless the node already exists. + -The following shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. 
The OMA Client Provisioning protocol isn't supported by this configuration service provider. + +The following list shows the DMAcc configuration service provider nodes: +- ./SyncML/DMAcc + - [{AccountUID}](#accountuid) + - [AAuthPref](#accountuidaauthpref) + - [AppAddr](#accountuidappaddr) + - [{ObjectName}](#accountuidappaddrobjectname) + - [Addr](#accountuidappaddrobjectnameaddr) + - [AddrType](#accountuidappaddrobjectnameaddrtype) + - [Port](#accountuidappaddrobjectnameport) + - [{ObjectName}](#accountuidappaddrobjectnameportobjectname) + - [PortNbr](#accountuidappaddrobjectnameportobjectnameportnbr) + - [AppAuth](#accountuidappauth) + - [{ObjectName}](#accountuidappauthobjectname) + - [AAuthData](#accountuidappauthobjectnameaauthdata) + - [AAuthLevel](#accountuidappauthobjectnameaauthlevel) + - [AAuthName](#accountuidappauthobjectnameaauthname) + - [AAuthSecret](#accountuidappauthobjectnameaauthsecret) + - [AAuthType](#accountuidappauthobjectnameaauthtype) + - [AppID](#accountuidappid) + - [Ext](#accountuidext) + - [Microsoft](#accountuidextmicrosoft) + - [BackCompatRetryDisabled](#accountuidextmicrosoftbackcompatretrydisabled) + - [ConnRetryFreq](#accountuidextmicrosoftconnretryfreq) + - [CRLCheck](#accountuidextmicrosoftcrlcheck) + - [DefaultEncoding](#accountuidextmicrosoftdefaultencoding) + - [DisableOnRoaming](#accountuidextmicrosoftdisableonroaming) + - [InitialBackOffTime](#accountuidextmicrosoftinitialbackofftime) + - [InitiateSession](#accountuidextmicrosoftinitiatesession) + - [MaxBackOffTime](#accountuidextmicrosoftmaxbackofftime) + - [ProtoVer](#accountuidextmicrosoftprotover) + - [Role](#accountuidextmicrosoftrole) + - [SSLCLIENTCERTSEARCHCRITERIA](#accountuidextmicrosoftsslclientcertsearchcriteria) + - [UseHwDevID](#accountuidextmicrosoftusehwdevid) + - [UseNonceResync](#accountuidextmicrosoftusenonceresync) + - [Name](#accountuidname) + - [PrefConRef](#accountuidprefconref) + - [ServerID](#accountuidserverid) + + + +## {AccountUID} + + +| Scope | 
Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID} ``` -./SyncML -DMAcc -----* ---------AppID ---------ServerID ---------Name ---------PrefConRef ---------AppAddr -------------* -----------------Addr -----------------AddrType -----------------Port ---------------------* -------------------------PortNbr ---------AAuthPref ---------AppAuth -------------* -----------------AAuthLevel -----------------AAuthType -----------------AAuthName -----------------AAuthSecret -----------------AAuthData ---------Ext -------------Microsoft -----------------Role -----------------ProtoVer -----------------DefaultEncoding -----------------UseHwDevID -----------------ConnRetryFreq -----------------InitialBackOffTime -----------------MaxBackOffTime -----------------BackCompatRetryDisabled -----------------UseNonceResync -----------------CRLCheck -----------------DisableOnRoaming -----------------SSLCLIENTCERTSEARCHCRITERIA + + + + +This interior node acts as a placeholder for zero or more OMA DM server accounts. If this OMA DM server account is bootstrapped using the [w7 APPLICATION](w7-application-csp.md), the name of this +node is generated from the 256-bit version of SHA-2 hash of the w7 PROVIDER-ID parm. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +### {AccountUID}/AAuthPref + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/AAuthPref ``` -**DMAcc** -Required. Defines the root node of all OMA DM server accounts that use the OMA DM version 1.2 protocol. + -***AccountUID*** -Optional. Defines the unique identifier for an OMA DM server account that uses the OMA DM version 1.2 protocol. + + +Specifies the application authentication preference. Supported values: BASIC, DIGEST. If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria are not met then the client tries BASIC authorization first. + -For a [w7 APPLICATION configuration service provider](w7-application-csp.md) bootstrapped account, this element is assigned a unique name by the OMA DM Client. The unique name is the hexadecimal representation of the 256-bit SHA-2 hash of the provider ID. The OMA DM server can change this node name in subsequent OMA DM sessions. + + + -***AccountUID*/AppID** -Required. Specifies the application identifier for the OMA DM account. + +**Description framework properties**: -This value must be set to "w7". +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + -Value type is string. Supported operations are Add, Get, and Replace. + +**Allowed values**: -***AccountUID*/ServerID** -Required. Specifies the OMA DM server's unique identifier for the current OMA DM account. This value is case-sensitive. +| Value | Description | +|:--|:--| +| BASIC | The client attempts BASIC authentication. | +| DIGEST | The client attempts MD5 authentication. | + -Value type is string. Supported operations are Add, Get, and Replace. + + + -***AccountUID*/Name** -Optional. Specifies the display name of the application. 
+ -Value type is string. Supported operations are Add, Get, and Replace. + +### {AccountUID}/AppAddr -***AccountUID*/PrefConRef** -Optional. Specifies the preferred connectivity for the OMA DM account. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -This element contains either a URI to a NAP management object or a connection GUID used by Connection Manager. If this element is missing, the device uses the default connection that is provided by Connection Manager. + +```Device +./SyncML/DMAcc/{AccountUID}/AppAddr +``` + -Value type is string. Supported operations are Add, Get, and Replace. - -***AccountUID*/AppAddr** + + Interior node for DM server address. + -Required. + + + -**AppAddr/***ObjectName* -Required. Defines the OMA DM server address. Only one server address can be configured. + +**Description framework properties**: -When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is "1". This DM address is the first one encountered in the w7 APPLICATION configuration service provider; other DM accounts are ignored. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + -***ObjectName*/Addr** -Required. Specifies the address of the OMA DM account. The type of address stored is specified by the AddrType element. + + + -Value type is string. Supported operations are Add, Get, and Replace. + -***ObjectName*/AddrType** -Required. Specifies the format and interpretation of the Addr node value. The default is "URI". + +#### {AccountUID}/AppAddr/{ObjectName} -The default value of "URI" specifies that the OMA DM account address in **Addr** is a URI address. A value of "IPv4" specifies that the OMA DM account address in **Addr** is an IP address. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Value type is string. Supported operations are Add, Get, and Replace. + +```Device +./SyncML/DMAcc/{AccountUID}/AppAddr/{ObjectName} +``` + -***ObjectName*/Port** + + +Defines the OMA DM server address. Only one server address can be configured. When mapping the [w7 APPLICATION](w7-application-csp.md) configuration service provider to the DMAcc Configuration Service Provider, the name of this element is "1". This is the first DM address encountered in the [w7 APPLICATION](w7-application-csp.md) configuration service provider, other DM accounts are ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +##### {AccountUID}/AppAddr/{ObjectName}/Addr + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/AppAddr/{ObjectName}/Addr +``` + + + + +Specifies the address of the OMA DM account. The type of address stored is specified by the AddrType element. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### {AccountUID}/AppAddr/{ObjectName}/AddrType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/AppAddr/{ObjectName}/AddrType +``` + + + + +Specifies the format and interpretation of the Addr node value. The default is "URI". The default value of "URI" specifies that the OMA DM account address in Addr is a URI address. A value of "IPv4" specifies that the OMA DM account address in Addr is an IP address. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | +| Default Value | URI | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| URI (Default) | The OMA DM account address in Addr is a URI address. | +| IPv4 | The OMA DM account address in Addr is an IP address. | + + + + + + + + + +##### {AccountUID}/AppAddr/{ObjectName}/Port + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/AppAddr/{ObjectName}/Port +``` + + + + Interior node for port information. + -Optional. + + + -**Port/***ObjectName* -Required. Only one port number can be configured. + +**Description framework properties**: -When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is "1". +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + -***ObjectName*/PortNbr** -Required. Specifies the port number of the OMA MD account address. This number must be a decimal number that fits within the range of a 16-bit unsigned integer. + + + -Value type is string. Supported operations are Add, Get, and Replace. + -***AccountUID*/AAuthPref** -Optional. Specifies the application authentication preference. + +###### {AccountUID}/AppAddr/{ObjectName}/Port/{ObjectName} -A value of "BASIC" specifies that the client attempts BASIC authentication. A value of "DIGEST' specifies that the client attempts MD5 authentication. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria aren't met, then the client tries BASIC authorization first. + +```Device +./SyncML/DMAcc/{AccountUID}/AppAddr/{ObjectName}/Port/{ObjectName} +``` + -Value type is string. Supported operations are Add, Get, and Replace. + + +Only one port number can be configured. When mapping the [w7 APPLICATION](w7-application-csp.md) configuration service provider to the DMAcc Configuration Service Provider, the name of this element is "1". + -***AccountUID*/AppAuth** -Optional. Defines authentication settings. + + + -**AppAuth/***ObjectName* -Required. Defines one set of authentication settings. + +**Description framework properties**: -When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED"). +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get, Replace | +| Dynamic Node Naming | ClientInventory | + -***ObjectName*/AAuthlevel** -Required. Specifies the application authentication level. + + + -A value of "CLCRED" indicates that the credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. A value of "SRVCRED" indicates that the credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level. + -Value type is string. Supported operations are Add and Replace. + +###### {AccountUID}/AppAddr/{ObjectName}/Port/{ObjectName}/PortNbr -***ObjectName*/AAuthType** -Required. Specifies the authentication type. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -If the AAuthlevel is "CLCRED", the supported values are "BASIC" and "DIGEST". If the AAuthlevel is "SRVCRED", the supported value is "DIGEST". + +```Device +./SyncML/DMAcc/{AccountUID}/AppAddr/{ObjectName}/Port/{ObjectName}/PortNbr +``` + -Value type is string. Supported operations are Add, Get, and Replace. + + +Specifies the port number of the OMA MD account address. This must be a decimal number that fits within the range of a 16-bit unsigned integer. + -***ObjectName*/AAuthName** -Optional. Specifies the authentication name. + + + -Value type is string. Supported operations are Add, Get, and Replace. + +**Description framework properties**: -***ObjectName*/AAuthSecret** -Optional. Specifies the password or secret used for authentication. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + -Value type is string. Supported operations are Add and Replace. + + + -***ObjectName*/AAuthData** -Optional. Specifies the next nonce used for authentication. + -"Nonce" refers to a number used once. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in repeat attacks. + +### {AccountUID}/AppAuth -Value type is binary. Supported operations are Add and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-***AccountUID*/Ext**
-Required. Defines a set of extended parameters.
+
+```Device
+./SyncML/DMAcc/{AccountUID}/AppAuth
+```
+
-This element holds vendor-specific information about the OMA DM account and is created automatically when the OMA DM account is created.
+
+
+Defines authentication settings.
+
-**Ext/Microsoft**
-Required. Defines a set of Microsoft-specific extended parameters.
+
+
+
-This element is created automatically when the OMA DM account is created.
+
+**Description framework properties**:
-**Microsoft/BackCompatRetryDisabled**
-Optional. Specifies whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr on subsequent attempts (not including the first time). The default is "FALSE".
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Get |
+
-The default value of "FALSE" indicates that backward-compatible retries are enabled. A value of "TRUE" indicates that backward-compatible retries are disabled.
+
+
+
-Value type is bool. Supported operations are Add, Get, and Replace.
+
-**Microsoft/ConnRetryFreq**
-Optional. Specifies the number of retries the DM client performs when there are Connection Manager level or wininet level errors.
+
+#### {AccountUID}/AppAuth/{ObjectName}
-The default value is 3.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-Value type is integer. Supported operations are Add, Get, and Replace.
+
+```Device
+./SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}
+```
+
-**Microsoft/DefaultEncoding**
-Optional. Specifies whether the OMA DM client will use WBXML or XML for the DM package when communicating with the server. The default is "application/vnd.syncml.dm+xml".
+
+
+Defines one set of authentication settings. When mapping the [w7 APPLICATION](w7-application-csp.md) configuration service provider to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED").
+
-The default value of "application/vnd.syncml.dm+xml" specifies that XML is used. A value of "application/vnd.syncml.dm+wbxml" specifies that WBXML is used.
+
+
+
-Value type is string. Supported operations are Add, Get, and Replace.
+
+**Description framework properties**:
-**Microsoft/InitialBackOffTime**
-Optional. Specifies the initial wait time in milliseconds when the OMA DM client retries for the first time. The wait time grows exponentially.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Get |
+| Dynamic Node Naming | ClientInventory |
+
-The default value is 16000.
+
+
+
-Value type is integer. Supported operations are Add, Get, and Replace.
+
-**Microsoft/MaxBackOffTime**
-Optional. This node specifies the maximum number of milliseconds to wait before attempting a connection retry.
+
+##### {AccountUID}/AppAuth/{ObjectName}/AAuthData
-The default value is 86400000.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-Value type is integer. Supported operations are Add, Get, and Replace.
+
+```Device
+./SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthData
+```
+
-**Microsoft/ProtoVer**
-Optional. Specifies the OMA DM Protocol version that the server supports. There's no default value.
+
+
+Specifies the next nonce used for authentication. "Nonce" refers to a number used once. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in repeat attacks.
+
-Valid values are "1.1" and "1.2". The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element isn't specified when adding a DM server account, the latest DM protocol version that the client supports is used. Windows 10 clients support version 1.2.
+
+
+
-Value type is string. Supported operations are Add, Get, and Replace.
+
+**Description framework properties**:
-**Microsoft/Role**
-Required. Specifies the role mask that the OMA DM session runs with when it communicates with the server.
+| Property name | Property value |
+|:--|:--|
+| Format | bin |
+| Access Type | Add, Replace |
+
-If this parameter isn't present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values.
+
+
+
-- 4 = SECROLE\_OPERATO
-- 8 = SECROLE\_MANAGE
-- 16 = SECROLE\_USER\_AUT
-- 128 = SECROLE\_OPERATOR\_TPS
+
+
+##### {AccountUID}/AppAuth/{ObjectName}/AAuthLevel
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthLevel
+```
+
+
+
+
+Specifies the application authentication level. A value of "CLCRED" indicates that the credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. A value of "SRVCRED" indicates that the credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| CLCRED | The credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. |
+| SRVCRED | The credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level. |
+
+
+
+
+
+
+
+
+
+##### {AccountUID}/AppAuth/{ObjectName}/AAuthName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthName
+```
+
+
+
+
+Specifies the authentication name.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### {AccountUID}/AppAuth/{ObjectName}/AAuthSecret
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthSecret
+```
+
+
+
+
+Specifies the password or secret used for authentication.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Replace |
+
+
+
+
+
+
+
+
+
+##### {AccountUID}/AppAuth/{ObjectName}/AAuthType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthType +``` + + + + +Specifies the authentication type. If AAuthLevel is CLCRED, the supported types include BASIC and DIGEST. If AAuthLevel is SRVCRED, the only supported type is DIGEST. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | +| Dependency [AAuthlevelDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel`
    Dependency Allowed Value: `SRVCRED`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| BASIC | BASIC. | +| DIGEST | DIGEST. | + + + + + + + + + +### {AccountUID}/AppID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/AppID +``` + + + + +Specifies the application identifier for the OMA DM account.. The only supported value is w7. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | +| Default Value | w7 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| w7 (Default) | The only supported value. | + + + + + + + + + +### {AccountUID}/Ext + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext +``` + + + + +Defines a set of extended parameters. This element holds vendor-specific information about the OMA DM account and is created automatically when the OMA DM account is created. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### {AccountUID}/Ext/Microsoft + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext/Microsoft +``` + + + + +Defines a set of Microsoft-specific extended parameters. This element is created automatically when the OMA DM account is created. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### {AccountUID}/Ext/Microsoft/BackCompatRetryDisabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/BackCompatRetryDisabled +``` + + + + +This node specifies whether to disable the ability of the DM client to communicate with a down-level server. +Possible Values: +false (default) -- Compatibility with down-level servers is enabled +true -- Compatibility with down-level servers is disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Backward-compatible retries are enabled. | +| 1 | Backward-compatible retries are disabled. | + + + + + + + + + +##### {AccountUID}/Ext/Microsoft/ConnRetryFreq + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/ConnRetryFreq +``` + + + + +This node specifies how many times DM client will retry a connection to the server if the connection fails. The default value is 3 retries. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | +| Default Value | 3 | + + + + + + + + + +##### {AccountUID}/Ext/Microsoft/CRLCheck + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/CRLCheck +``` + + + + +Allows connection to the DM server to check the Certificate Revocation List (CRL). Set to true to enable SSL revocation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### {AccountUID}/Ext/Microsoft/DefaultEncoding + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/DefaultEncoding +``` + + + + +This node specifies the encoding that the OMA-DM client will use to encode its first package. Valid values include "application/vnd.syncml.dm+xml" (for XML) and +"application/vnd.syncml.dm+wbxml" (for WBXML). If this node is left unspecified, the OMA-DM client defaults to "application/vnd.syncml.dm+xml". + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| application/vnd.syncml.dm+xml | XML is used. | +| application/vnd.syncml.dm+wbxml | WBXML is used. | + + + + + + + + + +##### {AccountUID}/Ext/Microsoft/DisableOnRoaming + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/DisableOnRoaming +``` + + + + +Determines whether the OMA DM client should be launched when roaming. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### {AccountUID}/Ext/Microsoft/InitialBackOffTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/InitialBackOffTime +``` + + + + +This node specifies the initial amount of time (in milliseconds) that the DM client waits before attempting a connection retry. After the initial wait, the wait +time grows exponentially. The default value is 16000 milliseconds. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | +| Default Value | 16000 | + + + + + + + + + +##### {AccountUID}/Ext/Microsoft/InitiateSession + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/InitiateSession +``` + + + + +When this node is added, a session is started with the MDM server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Add, Replace | + + + + + + + + + +##### {AccountUID}/Ext/Microsoft/MaxBackOffTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/MaxBackOffTime +``` + + + + +This node specifies the maximum number of milliseconds to wait before attempting a connection retry. The default value is 86400000. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | +| Default Value | 86400000 | + + + + + + + + + +##### {AccountUID}/Ext/Microsoft/ProtoVer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/ProtoVer +``` + + + + +This node value corresponds to what the client would put in the VerDTD element of an OMA-DM package. No default value is assumed. The only valid value for this +node is 1.1 or 1.2. + + + + +The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element isn't specified when adding a DM server account, the latest DM protocol version that the client supports is used. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1.1 | 1.1. | +| 1.2 | 1.2. | + + + + + + + + + +##### {AccountUID}/Ext/Microsoft/Role + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/Role +``` + + + + +If this node is unspecified, its default value is the access role of the session that created the server account. The value for this node must be a subset of the +roles used in creating this server account. + + + + The acceptable access roles for this node can't be more than the roles assigned to the DMAcc object. + -Value type is integer. Supported operations are Get and Replace. + +**Description framework properties**: -**Microsoft/UseHWDevID** -Optional. Specifies whether to use the hardware ID for the ./DevInfo/DevID element in the DM account to identify the device. The default is "FALSE". +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + -The default value of "FALSE" specifies that an application-specific GUID is returned for the ./DevInfo/DevID rather than the hardware device ID. + +**Allowed values**: -A value is "TRUE" specifies that the hardware device ID will be provided for the ./DevInfo/DevID element and the Source LocURI for the OMA DM package that is sent to the server. In this case: +| Flag | Description | +|:--|:--| +| 4 | SECROLE_OPERATOR. | +| 8 | SECROLE_MANAGER. | +| 16 | SECROLE_USER_AUTH. | +| 128 | SECROLE_OPERATOR_TPS. | + -- For GSM phones, the IMEI is returned. -- For CDMA phones, the MEID is returned. -- For dual SIM phones, this value is retrieved from the UICC of the primary data line. + + + -Value type is bool. Supported operations are Add, Get, and Replace. + -**Microsoft/UseNonceResync** -Optional. Specifies whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication. The default is "FALSE". 
+ +##### {AccountUID}/Ext/Microsoft/SSLCLIENTCERTSEARCHCRITERIA -If the authentication fails because the server nonce doesn't match the server nonce that is stored on the device, then the device can use the backup nonce as the server nonce. For this procedure to be successful, if the device didn't authenticate with the preconfigured nonce value, the server must then use the backup nonce when sending the signed server notification message. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -The default value of "FALSE" specifies that the client doesn't try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. A value of "TRUE" specifies that the client initiates a DM session if the backup server nonce is received after authentication failed. + +```Device +./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/SSLCLIENTCERTSEARCHCRITERIA +``` + -Value type is bool. Supported operations are Add, Get, and Replace. - -**CRLCheck** -Optional. Allows connection to the DM server to check the Certificate Revocation List (CRL). Set to true to enable SSL revocation. - -Value type is bool. Supported operations are Add, Get, and Replace. - -**DisableOnRoaming** -Optional. Determines whether the OMA DM client should be launched when roaming. - -Value type is bool. Supported operations are Add, Get, and Replace. - -**SSLCLIENTCERTSEARCHCRITERIA** -Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it's ignored. - -The string is a concatenation of name/value pairs, each member of the pair delimited by the "&" character. The name and values are delimited by the "=" character. If there are multiple values, each value is delimited by the Unicode character "U+F000". If the name or value contains characters not in the UNRESERVED set (as specified in RFC2396), then those characters are URI-escaped per the RFC. - -The supported names are Subject and Stores; wildcard certificate search isn't supported. - -Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive. - -> [!Note] -> %EF%80%80 is the UTF8-encoded character U+F000. 
- -Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following schema: + + +The SSLCLIENTCERTSEARCHCRITERIA parameter is used to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it is ignored. The string is a concatenation of name/value pairs, each member of the pair delimited by the "&" character. The name and values are delimited by the "=" character. If there are multiple values, each value is delimited by the Unicode character "U+F000". If the name or value contains characters not in the UNRESERVED set (as specified in RFC2396), then those characters are URI-escaped per the RFC. The supported names are Subject and Stores; wildcard certificate search is not supported. Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name is not case sensitive. Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute ("CN=Tester,O=Microsoft"), use the following: + + + ```xml + value="Subject=CN%3DTester,O%3DMicrosoft&Stores=My%5CUser" /> ``` + -Value type is string. Supported operations are Add, Get, and Replace. + +**Description framework properties**: -**InitiateSession** -Optional. When this node is added, a session is started with the MDM server. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + -Supported operations are Add, and Replace. + + + -## Related topics + -[Configuration service provider reference](index.yml) + +##### {AccountUID}/Ext/Microsoft/UseHwDevID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/UseHwDevID +``` + + + + +A value of true indicates that, during an OMA-DM session with this server, the value of the ./DevInfo/DevId node is the hardware ID of device (e.g, IMEI for a +GSM device, ESN for a CDMA Device, hashed UUID for a non-radio device). The default value of false indicates that the value of ./DevInfo/DevId node is a hash of +the UUID of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | An application-specific GUID is returned for the ./DevInfo/DevID rather than the hardware device ID. | +| 1 | The hardware device ID will be provided for the ./DevInfo/DevID element and the Source LocURI for the OMA DM package that is sent to the server. | + + + + + + + + + +##### {AccountUID}/Ext/Microsoft/UseNonceResync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Ext/Microsoft/UseNonceResync +``` + + + + +This node specifies whether the DM client can use the nonce resynchronization protocol when authentication of a server notification fails. If nonce +resynchronization is disabled and authentication of the server notification fails, the notification is dropped. +Possible Values: +false (default) : Nonce resynchronization is disabled. +true : Nonce resynchronization is enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | The client does not try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. | +| 1 | The client initiates a DM session if the backup server nonce is received after authentication failed. | + + + + + + + + + +### {AccountUID}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/Name +``` + + + + +Specifies the display name of the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +### {AccountUID}/PrefConRef + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/PrefConRef +``` + + + + +The only supported values include the NAPID of a bootstrapped NAP management object or a connection GUID used by connection manager. If this node is missing, the device +will use the default connection provided by connection manager. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +### {AccountUID}/ServerID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./SyncML/DMAcc/{AccountUID}/ServerID +``` + + + + +Specifies the OMA DM server's unique identifier for the current OMA DM account. This value is case-sensitive. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md index f2d4b6a20f..57bfdbcc89 100644 --- a/windows/client-management/mdm/dmacc-ddf-file.md +++ b/windows/client-management/mdm/dmacc-ddf-file.md 
@@ -1,875 +1,1094 @@ --- title: DMAcc DDF file -description: Learn about the OMA DM device description framework (DDF) for the DMAcc configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the DMAcc configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/21/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # DMAcc DDF file -This topic shows the OMA DM device description framework (DDF) for the **DMAcc** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the DMAcc configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + DMAcc + ./SyncML + + + + + This interior node is a common parent to all OMA DM server account nodes that use OMA DM 1.2 protocol. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - DMAcc - ./SyncML + + + + + + + + + + This interior node acts as a placeholder for zero or more OMA DM server accounts. If this OMA DM server account is bootstrapped using the w7 APPLICATION, the name of this node is generated from the 256-bit version of SHA-2 hash of the w7 PROVIDER-ID parm. + + + + + + + + + + AccountUID + + + + + + + + + AppID - - - - This interior node is a common parent to all OMA DM server account nodes that use OMA DM 1.2 protocol. 
- - - - - - - - - - - urn:oma:mo:oma-dm-dmacc:1.1 - + + + + + + w7 + Specifies the application identifier for the OMA DM account.. The only supported value is w7. + + + + + + + + + + Application ID for DM Account MO + + + + + + w7 + The only supported value. + + + + + + ServerID + + + + + + + Specifies the OMA DM server's unique identifier for the current OMA DM account. This value is case-sensitive. + + + + + + + + + + Server Identifier + + + + + + + + + Name + + + + + + + Specifies the display name of the application. + + + + + + + + + + Displayable name for the Management Server + + + + + + + + + PrefConRef + + + + + + + The only supported values include the NAPID of a bootstrapped NAP management object or a connection GUID used by connection manager. If this node is missing, the device will use the default connection provided by connection manager. + + + + + + + + + + Reference to preferred connectivity + + + + + + + + + AppAddr + + + + + + Interior node for DM server address. + + + + + + + + + + A collection of references to DM server address + + + - * + + + + + + + + Defines the OMA DM server address. Only one server address can be configured. When mapping the w7 APPLICATION configuration service provider to the DMAcc Configuration Service Provider, the name of this element is "1". This is the first DM address encountered in the w7 APPLICATION configuration service provider, other DM accounts are ignored. + + + + + + + + + + ObjectName + + + + + + + + + Addr - - - - - - - This interior node acts as a placeholder for zero or more OMA DM server accounts. If this OMA DM server account is bootstrapped using the w7 APPLICATION, the name of this node is generated from the 256-bit version of SHA-2 hash of the w7 PROVIDER-ID parm. - - - - - - - - - - - - + + + + + + Specifies the address of the OMA DM account. The type of address stored is specified by the AddrType element. 
+ + + + + + + + + + Management Server Address + + + + + + + + + AddrType + + + + + + + URI + Specifies the format and interpretation of the Addr node value. The default is "URI". The default value of "URI" specifies that the OMA DM account address in Addr is a URI address. A value of "IPv4" specifies that the OMA DM account address in Addr is an IP address. + + + + + + + + + + Management Server Address Type + + + + + + URI + The OMA DM account address in Addr is a URI address. + + + IPv4 + The OMA DM account address in Addr is an IP address. + + + + + + Port + + + + + + Interior node for port information. + + + + + + + + + + A collection of all Port objects + + + - AppID + + + + + + + + + Only one port number can be configured. When mapping the w7 APPLICATION configuration service provider to the DMAcc Configuration Service Provider, the name of this element is "1". + + + + + + + + + + ObjectName + + + + + + + + + PortNbr - - - - - - The only supported value is w7. - - - - - - - - - - Application ID for DM Account MO - - text/plain - + + + + + + Specifies the port number of the OMA MD account address. This must be a decimal number that fits within the range of a 16-bit unsigned integer. + + + + + + + + + + Port + + + + + + - - ServerID - - - - - - - - - - - - - - - - Server Identifier - - text/plain - - - - - Name - - - - - - - - - - - - - - - - Displayable name for the Management Server - - text/plain - - - - - PrefConRef - - - - - - - The only supported values include the NAPID of a bootstrapped NAP management object or a connection GUID used by connection manager. If this node is missing, the device will use the default connection provided by connection manager. - - - - - - - - - - Reference to preferred connectivity - - text/plain - - - - - AppAddr - - - - - - Only the first address provisioned is used. 
- - - - - - - - - - A collection of references to DM server address - - - - - - * - - - - - - - - - - - - - - - The "name" node for AppAddr object - - - - - - Addr - - - - - - - - - - - - - - - - Management Server Address - - text/plain - - - - - AddrType - - - - - - - - - - - - - - - - Management Server Address Type - - text/plain - - - - - Port - - - - - - - - - - - - - - - A collection of all Port objects - - - - - - * - - - - - - - - - - - - - - - - The "name" node for a Port object - - - - - - PortNbr - - - - - - - - - - - - - - - - Port - - text/plain - - - - - - - - - AAuthPref - - - - - - - Supported values: BASIC, DIGEST - - - - - - - - - - Application Authentication Type preference - - text/plain - - - - - AppAuth - - - - - - - - - - - - - - - A collection of all references to multiple Application Authentication objects - - - - - - * - - - - - - - - - - - - - - - The "name" node for multiple Application Authentication objects - - - - - - AAuthLevel - - - - - - - - - - - - - - - - Application Authentication level - - text/plain - - - - - AAuthType - - - - - - - If AAuthLevel is CLCRED, the supported types include BASIC and DIGEST. If AAuthLevel is SRVCRED, the only supported type is DIGEST. - - - - - - - - - - Application Authentication Type - - text/plain - - - - - AAuthName - - - - - - - - - - - - - - - - Application Authentication Name - - text/plain - - - - - AAuthSecret - - - - - - - - - - - - - - - Application Authentication Secret - - text/plain - - - - - AAuthData - - - - - - - - - - - - - - - Application Authentication Data - - text/plain - - - - - - - Ext - - - - - - - - - - - - - - Vendor specific information - - - - - - Microsoft - - - - - - - - - - - - - - The collection of Microsoft specific settings - - - - - - Role - - - - - - If this node is unspecified, its default value is the access role of the session that created the server account. The value for this node must be a subset of the roles used in creating this server account. 
- - - - - - - - - - The security role mask that the DM session should run with - - text/plain - - - - - ProtoVer - - - - - - - This node value corresponds to what the client would put in the VerDTD element of an OMA-DM package. No default value is assumed. The only valid value for this node is 1.1 or 1.2. - - - - - - - - - - The OMA-DM protocol version that the client should use in communicating with the server - - text/plain - - - - - DefaultEncoding - - - - - - - This node specifies the encoding that the OMA-DM client will use to encode its first package. Valid values include "application/vnd.syncml.dm+xml" (for XML) and "application/vnd.syncml.dm+wbxml" (for WBXML). If this node is left unspecified, the OMA-DM client defaults to "application/vnd.syncml.dm+xml". - - - - - - - - - - - text/plain - - - - - UseHwDevID - - - - - - - A value of true indicates that, during an OMA-DM session with this server, the value of the ./DevInfo/DevId node is the hardware ID of device (e.g, IMEI for a GSM device, ESN for a CDMA Device, hashed UUID for a non-radio device). The default value of false indicates that the value of ./DevInfo/DevId node is a hash of the UUID of the device. - - - - - - - - - - - text/plain - - - - - ConnRetryFreq - - - - - - - This node specifies how many times DM client will retry a connection to the server if the connection fails. The default value is 3 retries. - - - - - - - - - - - text/plain - - - - - InitialBackOffTime - - - - - - - This node specifies the initial amount of time (in milliseconds) that the DM client waits before attempting a connection retry. After the initial wait, the wait time grows exponentially. The default value is 16000 milliseconds. - - - - - - - - - - - text/plain - - - - - MaxBackOffTime - - - - - - - This node specifies the maximum number of milliseconds to wait before attempting a connection retry. The default value is 86400000. 
- - - - - - - - - - - text/plain - - - - - BackCompatRetryDisabled - - - - - - - This node specifies whether to disable the ability of the DM client to communicate with a down-level server. + + + + + AAuthPref + + + + + + + Specifies the application authentication preference. Supported values: BASIC, DIGEST. If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria are not met then the client tries BASIC authorization first. + + + + + + + + + + Application Authentication Type preference + + + + + + BASIC + The client attempts BASIC authentication. + + + DIGEST + The client attempts MD5 authentication. + + + + + + AppAuth + + + + + + Defines authentication settings. + + + + + + + + + + A collection of all references to multiple Application Authentication objects + + + + + + + + + + + + + Defines one set of authentication settings. When mapping the w7 APPLICATION configuration service provider to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED"). + + + + + + + + + + ObjectName + + + + + + + + + + + AAuthLevel + + + + + + + Specifies the application authentication level. A value of "CLCRED" indicates that the credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. A value of "SRVCRED" indicates that the credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level. + + + + + + + + + + Application Authentication level + + + + + + CLCRED + The credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. + + + SRVCRED + The credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level. + + + + + + AAuthType + + + + + + + Specifies the authentication type. 
If AAuthLevel is CLCRED, the supported types include BASIC and DIGEST. If AAuthLevel is SRVCRED, the only supported type is DIGEST. + + + + + + + + + + Application Authentication Type + + + + + + BASIC + BASIC + + + DIGEST + DIGEST + + + + + + + DIGEST + DIGEST + + + + Vendor/MSFT/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel + + + SRVCRED + SRVCRED + + + + + + + + + AAuthName + + + + + + + Specifies the authentication name. + + + + + + + + + + Application Authentication Name + + + + + + + + + AAuthSecret + + + + + + Specifies the password or secret used for authentication. + + + + + + + + + + Application Authentication Secret + + + + + + + + + AAuthData + + + + + + Specifies the next nonce used for authentication. "Nonce" refers to a number used once. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in repeat attacks. + + + + + + + + + + Application Authentication Data + + + + + + + + + + + Ext + + + + + Defines a set of extended parameters. This element holds vendor-specific information about the OMA DM account and is created automatically when the OMA DM account is created. + + + + + + + + + + Vendor specific information + + + + + + Microsoft + + + + + Defines a set of Microsoft-specific extended parameters. This element is created automatically when the OMA DM account is created. + + + + + + + + + + The collection of Microsoft specific settings + + + + + + Role + + + + + + If this node is unspecified, its default value is the access role of the session that created the server account. The value for this node must be a subset of the roles used in creating this server account. 
+ + + + + + + + + + The security role mask that the DM session should run with + + + + + + 4 + SECROLE_OPERATOR + + + 8 + SECROLE_MANAGER + + + 16 + SECROLE_USER_AUTH + + + 128 + SECROLE_OPERATOR_TPS + + + + + + ProtoVer + + + + + + + This node value corresponds to what the client would put in the VerDTD element of an OMA-DM package. No default value is assumed. The only valid value for this node is 1.1 or 1.2. + + + + + + + + + + The OMA-DM protocol version that the client should use in communicating with the server + + + + + + 1.1 + 1.1 + + + 1.2 + 1.2 + + + + + + DefaultEncoding + + + + + + + This node specifies the encoding that the OMA-DM client will use to encode its first package. Valid values include "application/vnd.syncml.dm+xml" (for XML) and "application/vnd.syncml.dm+wbxml" (for WBXML). If this node is left unspecified, the OMA-DM client defaults to "application/vnd.syncml.dm+xml". + + + + + + + + + + + + + + + application/vnd.syncml.dm+xml + XML is used + + + application/vnd.syncml.dm+wbxml + WBXML is used + + + + + + UseHwDevID + + + + + + + 0 + A value of true indicates that, during an OMA-DM session with this server, the value of the ./DevInfo/DevId node is the hardware ID of device (e.g, IMEI for a GSM device, ESN for a CDMA Device, hashed UUID for a non-radio device). The default value of false indicates that the value of ./DevInfo/DevId node is a hash of the UUID of the device. + + + + + + + + + + + + + + + 0 + An application-specific GUID is returned for the ./DevInfo/DevID rather than the hardware device ID. + + + 1 + The hardware device ID will be provided for the ./DevInfo/DevID element and the Source LocURI for the OMA DM package that is sent to the server. + + + + + + ConnRetryFreq + + + + + + + 3 + This node specifies how many times DM client will retry a connection to the server if the connection fails. The default value is 3 retries. 
+ + + + + + + + + + + + + + + + + + InitialBackOffTime + + + + + + + 16000 + This node specifies the initial amount of time (in milliseconds) that the DM client waits before attempting a connection retry. After the initial wait, the wait time grows exponentially. The default value is 16000 milliseconds. + + + + + + + + + + + + + + + + + + MaxBackOffTime + + + + + + + 86400000 + This node specifies the maximum number of milliseconds to wait before attempting a connection retry. The default value is 86400000. + + + + + + + + + + + + + + + + + + BackCompatRetryDisabled + + + + + + + 0 + This node specifies whether to disable the ability of the DM client to communicate with a down-level server. Possible Values: false (default) -- Compatibility with down-level servers is enabled true -- Compatibility with down-level servers is disabled - - - - - - - - - - - text/plain - - - - - UseNonceResync - - - - - - - This node specifies whether the DM client can use the nonce resynchronization protocol when authentication of a server notification fails. If nonce resynchronization is disabled and authentication of the server notification fails, the notification is dropped. + + + + + + + + + + + + + + + 0 + Backward-compatible retries are enabled. + + + 1 + Backward-compatible retries are disabled. + + + + + + UseNonceResync + + + + + + + 0 + This node specifies whether the DM client can use the nonce resynchronization protocol when authentication of a server notification fails. If nonce resynchronization is disabled and authentication of the server notification fails, the notification is dropped. Possible Values: false (default) : Nonce resynchronization is disabled. true : Nonce resynchronization is enabled. 
- - - - - - - - - - - text/plain - - - - - CRLCheck - - - - - - - - - - - - - - - - CRLCheck - - text/plain - - - - - DisableOnRoaming - - - - - - - - - - - - - - - - DisableOnRoaming - - text/plain - - - - - SSLCLIENTCERTSEARCHCRITERIA - - - - - - - - - - - - - - - - SSLCLIENTCERTSEARCHCRITERIA - - text/plain - - - - - InitiateSession - - - - - - When this node is added, a session is started with the MDM server. - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + 0 + The client does not try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. + + + 1 + The client initiates a DM session if the backup server nonce is received after authentication failed. + + + + + + CRLCheck + + + + + + + Allows connection to the DM server to check the Certificate Revocation List (CRL). Set to true to enable SSL revocation. + + + + + + + + + + CRLCheck + + + + + + 0 + False + + + 1 + True + + + + + + DisableOnRoaming + + + + + + + Determines whether the OMA DM client should be launched when roaming. + + + + + + + + + + DisableOnRoaming + + + + + + 0 + False + + + 1 + True + + + + + + SSLCLIENTCERTSEARCHCRITERIA + + + + + + + + + + + + + + + + + SSLCLIENTCERTSEARCHCRITERIA + + + + + + + + + InitiateSession + + + + + + When this node is added, a session is started with the MDM server. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + + + + - ``` -## Related topics - - -[DMAcc configuration service provider](dmacc-csp.md) - -  - -  - - - - - +## Related articles +[DMAcc configuration service provider reference](dmacc-csp.md) diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index a1d4415f08..bdae4f4a67 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md 
@@ -1,245 +1,870 @@ --- title: DMClient CSP -description: Understand how the DMClient configuration service provider (CSP) is used to specify enterprise-specific mobile device management (MDM) configuration settings. -ms.reviewer: +description: Learn more about the DMClient CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/01/2017 +ms.topic: reference --- + + + # DMClient CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment. + -The following information shows the DMClient CSP in tree format. 
+ +The following list shows the DMClient configuration service provider nodes: -```console -./Vendor/MSFT -DMClient -----Provider ---------ProviderID -------------EntDeviceName -------------ExchangeID -------------EntDMID -------------SignedEntDMID -------------CertRenewTimeStamp -------------PublisherDeviceID -------------ManagementServiceAddress -------------UPN -------------HelpPhoneNumber -------------HelpWebsite -------------HelpEmailAddress -------------RequireMessageSigning -------------SyncApplicationVersion -------------MaxSyncApplicationVersion -------------Unenroll -------------AADResourceID -------------AADDeviceID -------------AADSendDeviceToken -------------ForceAadToken -------------EnrollmentType -------------EnableOmaDmKeepAliveMessage -------------HWDevID -------------ManagementServerAddressList -------------CommercialID -------------ConfigLock -----------------Lock -----------------UnlockDuration -----------------SecureCore -------------Push -----------------PFN -----------------ChannelURI -----------------Status -------------Poll -----------------IntervalForFirstSetOfRetries -----------------NumberOfFirstRetries -----------------IntervalForSecondSetOfRetries -----------------NumberOfSecondRetries -----------------IntervalForRemainingScheduledRetries -----------------NumberOfRemainingScheduledRetries -----------------PollOnLogin -----------------AllUsersPollOnFirstLogin -------------LinkedEnrollment -----------------Priority -----------------Enroll -----------------Unenroll -----------------EnrollStatus -----------------LastError -------------Recovery -----------------AllowRecovery -----------------RecoveryStatus -----------------InitiateRecovery -------------MultipleSession -----------------NumAllowedConcurrentUserSessionForBackgroundSync -----------------NumAllowedConcurrentUserSessionAtUserLogonSync -----------------IntervalForScheduledRetriesForUserSession -----------------NumberOfScheduledRetriesForUserSession -----Unenroll 
-----UpdateManagementServiceAddress +- ./Device/Vendor/MSFT/DMClient + - [HWDevID](#devicehwdevid) + - [Provider](#deviceprovider) + - [{ProviderID}](#deviceproviderproviderid) + - [AADDeviceID](#deviceproviderprovideridaaddeviceid) + - [AADResourceID](#deviceproviderprovideridaadresourceid) + - [AADSendDeviceToken](#deviceproviderprovideridaadsenddevicetoken) + - [CertRenewTimeStamp](#deviceproviderprovideridcertrenewtimestamp) + - [CommercialID](#deviceproviderprovideridcommercialid) + - [ConfigLock](#deviceproviderprovideridconfiglock) + - [Lock](#deviceproviderprovideridconfiglocklock) + - [SecureCore](#deviceproviderprovideridconfiglocksecurecore) + - [UnlockDuration](#deviceproviderprovideridconfiglockunlockduration) + - [CustomEnrollmentCompletePage](#deviceproviderprovideridcustomenrollmentcompletepage) + - [BodyText](#deviceproviderprovideridcustomenrollmentcompletepagebodytext) + - [HyperlinkHref](#deviceproviderprovideridcustomenrollmentcompletepagehyperlinkhref) + - [HyperlinkText](#deviceproviderprovideridcustomenrollmentcompletepagehyperlinktext) + - [Title](#deviceproviderprovideridcustomenrollmentcompletepagetitle) + - [EnableOmaDmKeepAliveMessage](#deviceproviderprovideridenableomadmkeepalivemessage) + - [EnhancedAppLayerSecurity](#deviceproviderprovideridenhancedapplayersecurity) + - [Cert0](#deviceproviderprovideridenhancedapplayersecuritycert0) + - [Cert1](#deviceproviderprovideridenhancedapplayersecuritycert1) + - [SecurityMode](#deviceproviderprovideridenhancedapplayersecuritysecuritymode) + - [UseCertIfRevocationCheckOffline](#deviceproviderprovideridenhancedapplayersecurityusecertifrevocationcheckoffline) + - [EnrollmentType](#deviceproviderprovideridenrollmenttype) + - [EntDeviceName](#deviceproviderprovideridentdevicename) + - [EntDMID](#deviceproviderprovideridentdmid) + - [ExchangeID](#deviceproviderprovideridexchangeid) + - [FirstSyncStatus](#deviceproviderprovideridfirstsyncstatus) + - 
[AllowCollectLogsButton](#deviceproviderprovideridfirstsyncstatusallowcollectlogsbutton) + - [BlockInStatusPage](#deviceproviderprovideridfirstsyncstatusblockinstatuspage) + - [CustomErrorText](#deviceproviderprovideridfirstsyncstatuscustomerrortext) + - [ExpectedModernAppPackages](#deviceproviderprovideridfirstsyncstatusexpectedmodernapppackages) + - [ExpectedMSIAppPackages](#deviceproviderprovideridfirstsyncstatusexpectedmsiapppackages) + - [ExpectedNetworkProfiles](#deviceproviderprovideridfirstsyncstatusexpectednetworkprofiles) + - [ExpectedPFXCerts](#deviceproviderprovideridfirstsyncstatusexpectedpfxcerts) + - [ExpectedPolicies](#deviceproviderprovideridfirstsyncstatusexpectedpolicies) + - [ExpectedSCEPCerts](#deviceproviderprovideridfirstsyncstatusexpectedscepcerts) + - [IsSyncDone](#deviceproviderprovideridfirstsyncstatusissyncdone) + - [ServerHasFinishedProvisioning](#deviceproviderprovideridfirstsyncstatusserverhasfinishedprovisioning) + - [SkipDeviceStatusPage](#deviceproviderprovideridfirstsyncstatusskipdevicestatuspage) + - [SkipUserStatusPage](#deviceproviderprovideridfirstsyncstatusskipuserstatuspage) + - [TimeOutUntilSyncFailure](#deviceproviderprovideridfirstsyncstatustimeoutuntilsyncfailure) + - [WasDeviceSuccessfullyProvisioned](#deviceproviderprovideridfirstsyncstatuswasdevicesuccessfullyprovisioned) + - [ForceAadToken](#deviceproviderprovideridforceaadtoken) + - [HelpEmailAddress](#deviceproviderprovideridhelpemailaddress) + - [HelpPhoneNumber](#deviceproviderprovideridhelpphonenumber) + - [HelpWebsite](#deviceproviderprovideridhelpwebsite) + - [HWDevID](#deviceproviderprovideridhwdevid) + - [LinkedEnrollment](#deviceproviderprovideridlinkedenrollment) + - [Enroll](#deviceproviderprovideridlinkedenrollmentenroll) + - [EnrollStatus](#deviceproviderprovideridlinkedenrollmentenrollstatus) + - [LastError](#deviceproviderprovideridlinkedenrollmentlasterror) + - [Priority](#deviceproviderprovideridlinkedenrollmentpriority) + - 
[Unenroll](#deviceproviderprovideridlinkedenrollmentunenroll) + - [ManagementServerAddressList](#deviceproviderprovideridmanagementserveraddresslist) + - [ManagementServerToUpgradeTo](#deviceproviderprovideridmanagementservertoupgradeto) + - [ManagementServiceAddress](#deviceproviderprovideridmanagementserviceaddress) + - [MaxSyncApplicationVersion](#deviceproviderprovideridmaxsyncapplicationversion) + - [MultipleSession](#deviceproviderprovideridmultiplesession) + - [IntervalForScheduledRetriesForUserSession](#deviceproviderprovideridmultiplesessionintervalforscheduledretriesforusersession) + - [NumAllowedConcurrentUserSessionAtUserLogonSync](#deviceproviderprovideridmultiplesessionnumallowedconcurrentusersessionatuserlogonsync) + - [NumAllowedConcurrentUserSessionForBackgroundSync](#deviceproviderprovideridmultiplesessionnumallowedconcurrentusersessionforbackgroundsync) + - [NumberOfScheduledRetriesForUserSession](#deviceproviderprovideridmultiplesessionnumberofscheduledretriesforusersession) + - [NumberOfDaysAfterLostContactToUnenroll](#deviceproviderprovideridnumberofdaysafterlostcontacttounenroll) + - [Poll](#deviceproviderprovideridpoll) + - [AllUsersPollOnFirstLogin](#deviceproviderprovideridpollalluserspollonfirstlogin) + - [IntervalForFirstSetOfRetries](#deviceproviderprovideridpollintervalforfirstsetofretries) + - [IntervalForRemainingScheduledRetries](#deviceproviderprovideridpollintervalforremainingscheduledretries) + - [IntervalForSecondSetOfRetries](#deviceproviderprovideridpollintervalforsecondsetofretries) + - [NumberOfFirstRetries](#deviceproviderprovideridpollnumberoffirstretries) + - [NumberOfRemainingScheduledRetries](#deviceproviderprovideridpollnumberofremainingscheduledretries) + - [NumberOfSecondRetries](#deviceproviderprovideridpollnumberofsecondretries) + - [PollOnLogin](#deviceproviderprovideridpollpollonlogin) + - [PublisherDeviceID](#deviceproviderprovideridpublisherdeviceid) + - [Push](#deviceproviderprovideridpush) + - 
[ChannelURI](#deviceproviderprovideridpushchanneluri) + - [PFN](#deviceproviderprovideridpushpfn) + - [Status](#deviceproviderprovideridpushstatus) + - [Recovery](#deviceproviderprovideridrecovery) + - [AllowRecovery](#deviceproviderprovideridrecoveryallowrecovery) + - [InitiateRecovery](#deviceproviderprovideridrecoveryinitiaterecovery) + - [RecoveryStatus](#deviceproviderprovideridrecoveryrecoverystatus) + - [RequireMessageSigning](#deviceproviderprovideridrequiremessagesigning) + - [SignedEntDMID](#deviceproviderprovideridsignedentdmid) + - [SyncApplicationVersion](#deviceproviderprovideridsyncapplicationversion) + - [Unenroll](#deviceproviderprovideridunenroll) + - [UPN](#deviceproviderprovideridupn) + - [Unenroll](#deviceunenroll) + - [UpdateManagementServiceAddress](#deviceupdatemanagementserviceaddress) +- ./User/Vendor/MSFT/DMClient + - [Provider](#userprovider) + - [{ProviderID}](#userproviderproviderid) + - [FirstSyncStatus](#userproviderprovideridfirstsyncstatus) + - [AllowCollectLogsButton](#userproviderprovideridfirstsyncstatusallowcollectlogsbutton) + - [CustomErrorText](#userproviderprovideridfirstsyncstatuscustomerrortext) + - [ExpectedModernAppPackages](#userproviderprovideridfirstsyncstatusexpectedmodernapppackages) + - [ExpectedMSIAppPackages](#userproviderprovideridfirstsyncstatusexpectedmsiapppackages) + - [ExpectedNetworkProfiles](#userproviderprovideridfirstsyncstatusexpectednetworkprofiles) + - [ExpectedPFXCerts](#userproviderprovideridfirstsyncstatusexpectedpfxcerts) + - [ExpectedPolicies](#userproviderprovideridfirstsyncstatusexpectedpolicies) + - [ExpectedSCEPCerts](#userproviderprovideridfirstsyncstatusexpectedscepcerts) + - [IsSyncDone](#userproviderprovideridfirstsyncstatusissyncdone) + - [ServerHasFinishedProvisioning](#userproviderprovideridfirstsyncstatusserverhasfinishedprovisioning) + - [WasDeviceSuccessfullyProvisioned](#userproviderprovideridfirstsyncstatuswasdevicesuccessfullyprovisioned) + + + +## Device/HWDevID + + +| Scope | 
Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/HWDevID ``` + -**./Vendor/MSFT** -All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path. + + +Returns the hardware device ID. + -**DMClient** -Root node for the CSP. + + + -**UpdateManagementServiceAddress** -For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You can't add new servers to the list using this node. + +**Description framework properties**: -**HWDevID** -Added in Windows 10, version 1703. Returns the hardware device ID. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Supported operation is Get. Value type is string. + + + -**Provider** -Required. The root node for all settings that belong to a single management server. Scope is permanent. + -Supported operation is Get. + +## Device/Provider -**Provider/***ProviderID* -Required. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM provider. As a best practice, use text that doesn’t require XML/URI escaping. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -Supported operations are Get and Add. - -**Provider/*ProviderID*/EntDeviceName** -Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session. - -Supported operations are Get and Add. - -**Provider/*ProviderID*/EntDMID** -Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session. - -Supported operations are Get and Add. - -> [!NOTE] -> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server. -This node is required and must be set by the server before the client certificate renewal is triggered. - -**Provider/*ProviderID*/ExchangeID** -Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. The enterprise management server can correlate and merge records for: - -- A device that's managed by Exchange. -- A device that's natively managed by a dedicated management server. - -> [!NOTE] -> In some cases for the desktop, this node will return "not found" until the user sets up their email. - -Supported operation is Get. - -The following XML is a Get command example: - -```xml - - 12 - - - ./Vendor/MSFT/DMClient/Provider//ExchangeID - - - + +```Device +./Device/Vendor/MSFT/DMClient/Provider ``` + -**Provider/*ProviderID*/SignedEntDMID** -Optional. 
Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM provider to verify client identity to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally. + + +The root node for all settings that belong to a single management server. + -Supported operation is Get. + + + -**Provider/*ProviderID*/CertRenewTimeStamp** -Optional. The time in OMA DM standard time format. This node is designed to reduce the risk of the certificate being used by another device. The device records the time that the new certificate was created. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**Provider/*ProviderID*/ManagementServiceAddress** -Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server. It allows the server to load balance to another server when too many devices are connected to the server. + + + -> [!NOTE] -> When the **ManagementServerAddressList** value is set, the device ignores the value. + -The DMClient CSP will save the address to the same location as the w7 and DMS CSPs. The save ensures the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped using the [w7 APPLICATION configuration service provider](w7-application-csp.md). + +### Device/Provider/{ProviderID} -Starting in Windows 10, version 1511, this node supports multiple server addresses in the format <URL1><URL2><URL3>. If there's only a single URL, then the <> aren't required. This feature is supported on Windows client devices. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID} +``` + -Supported operations are Add, Get, and Replace. + + +This node contains the URI-encoded value of the bootstrapped device management account's Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn't require XML/URI escaping. + -**Provider/*ProviderID*/UPN** -Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user's email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN. + + + -Supported operations are Get and Replace. + +**Description framework properties**: -**Provider/*ProviderID*/HelpPhoneNumber** -Optional. The character string that allows the user experience to include a customized help phone number. Users can see this information if they need help or support. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + -Supported operations are Get, Replace, and Delete. + + + -**Provider/*ProviderID*/HelpWebsite** -Optional. The character string that allows the user experience to include a customized help website. Users can see this information if they need help or support. + -Supported operations are Get, Replace, and Delete + +#### Device/Provider/{ProviderID}/AADDeviceID -**Provider/*ProviderID*/HelpEmailAddress** -Optional. 
The character string that allows the user experience to include a customized help email address. Users can see this information if they need help or support. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -Supported operations are Get, Replace, and Delete. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/AADDeviceID +``` + -**Provider/*ProviderID*/RequireMessageSigning** -Boolean type. Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included in the authenticated attributes in the signature. + + +Device ID used for AAD device registration. + -Default value is false, where the device management client doesn't include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header. + + + -When enabled, the MDM provider should: + +**Description framework properties**: -- Validate the signature and the timestamp using the device identify certificate enrolled as part of Mobile Device Enrollment protocol (MS-MDE). -- Ensure the certificate and time are valid. -- Verify that the signature is trusted by the MDM provider. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Supported operations are Get, Replace, and Delete. + + + -**Provider/*ProviderID*/SyncApplicationVersion** -Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. 
In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there's a client behavior change between 1.0 and 2.0. + -> [!NOTE] -> This node is only supported in Windows 10 and later. + +#### Device/Provider/{ProviderID}/AADResourceID -Once you set the value to 2.0, it won't go back to 1.0. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -Supported operations are Get, Replace, and Delete. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/AADResourceID +``` + -**Provider/*ProviderID*/MaxSyncApplicationVersion** -Optional. Used by the client to indicate the latest DM session version that it supports. Default is 2.0. - -When you query this node, a Windows 10 client will return 2.0 and a Windows 8.1 client will return an error code (404 node not found). - -Supported operation is Get. - -**Provider/*ProviderID*/AADResourceID** -Optional. This ResourceID is used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you're trying to access. + + +This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access. + + + For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](../azure-active-directory-integration-with-mdm.md). + -**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage** -Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow. + +**Description framework properties**: -When the server sends a configuration request, the client can take longer than the HTTP timeout to get all information together. The session might end unexpectedly because of the timeout. 
By default, the MDM client doesn't send an alert that a DM request is pending. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + -To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. Send a SyncML message with a specific device alert element in the body until the client can respond back to the server with the requested information. + + + + + + + +#### Device/Provider/{ProviderID}/AADSendDeviceToken + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/AADSendDeviceToken +``` + + + + +For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Do not send Device Token if User Token cannot be obtained. | +| true | Send Device Token if User Token cannot be obtained. | + + + + + + + + + +#### Device/Provider/{ProviderID}/CertRenewTimeStamp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CertRenewTimeStamp +``` + + + + +The time in OMA DM standard time format. This node is designed to reduce the risk of the certificate being used by another device. The device records the time that the new certificate was created. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/CommercialID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CommercialID +``` + + + + +Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/ConfigLock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock +``` + + + + + + + + +This node enables [Config Lock](../config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected. + +> [!NOTE] +> If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigLock/Lock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock/Lock +``` + + + + +This node specifies how the client will perform the lock mode for SecureCore PC. 0: unlock; 1: lock. The default value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Unlock. | +| 1 | Lock. | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigLock/SecureCore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock/SecureCore +``` + + + + +The node returns the boolean value whether the device is a SecureCore PC. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigLock/UnlockDuration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock/UnlockDuration +``` + + + + +This node, when it is set, tells the client to set how many minutes the device should be temporarily unlocked from SecureCore settings protection. The default value is 480. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 480 | + + + + + + + + + +#### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage +``` + + + + +These nodes provision custom text for the enrollment page. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/BodyText + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/BodyText
+```
+
+
+
+
+Specifies the body text of the all done page that appears at the end of the MDM enrollment flow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkHref
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkHref
+```
+
+
+
+
+Specifies the URL that is shown at the end of the MDM enrollment flow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkText
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkText
+```
+
+
+
+
+Specifies the display text for the URL that is shown at the end of the MDM enrollment flow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/Title
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/Title
+```
+
+
+
+
+Specifies the title of the all done page that appears at the end of the MDM enrollment flow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/EnableOmaDmKeepAliveMessage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnableOmaDmKeepAliveMessage +``` + + + + +A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow. When the server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending. To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Enable message. | +| true | Disable message. | + + + + +**Example**: Here's an example of DM message sent by the device when it's in pending state: @@ -271,32 +896,1603 @@ Here's an example of DM message sent by the device when it's in pending state: ``` + -**Provider/*ProviderID*/AADDeviceID** -Added in Windows 10, version 1607. Returns the device ID for the Azure AD device registration. + -Supported operation is Get. + +#### Device/Provider/{ProviderID}/EnhancedAppLayerSecurity -**Provider/*ProviderID*/EnrollmentType** -Added in Windows 10, version 1607. Returns the enrollment type (Device or Full). + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
-Supported operation is Get.
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity
+```
+
-**Provider/*ProviderID*/HWDevID**
-Added in Windows 10, version 1607. Returns the hardware device ID.
+
+
+
-Supported operation is Get.
+
+
+
-**Provider/*ProviderID*/CommercialID**
-Added in Windows 10, version 1607. It configures the identifier that uniquely associates the device's diagnostic data belonging to the organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization, then use this setting to provide that identification. The value for this setting is provided by Microsoft in the onboarding process for the program. If you disable or don't configure this policy setting, then Microsoft can't use this identifier to associate this machine and its diagnostic data with your organization.
+
+**Description framework properties**:
-Supported operations are Add, Get, Replace, and Delete.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
-**Provider/*ProviderID*/ManagementServerAddressList**
-Added in Windows 10, version 1607. The list of management server URLs in the format <URL1><URL2><URL3>, and so on. If there's only one, the angle brackets (<>) aren't required.
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert0
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert0
+```
+
+
+
+
+The node contains the primary certificate - the public key to use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert1
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert1
+```
+
+
+
+
+The node contains the secondary certificate - the public key to use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/SecurityMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/SecurityMode
+```
+
+
+
+
+This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | No op. |
+| 1 | Sign only. |
+| 2 | Encrypt only. |
+| 3 | Sign and encrypt. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline
+```
+
+
+
+
+This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | False. |
+| true | True. |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/EnrollmentType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnrollmentType
+```
+
+
+
+
+Type of MDM enrollment (Device or Full).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/EntDeviceName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EntDeviceName
+```
+
+
+
+
+Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/EntDMID
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EntDMID +``` + + + + +Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session. + + + + > [!NOTE] -> The < and > should be escaped. +> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP's **USEHWDEVID** node by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server. This node is required and must be set by the server before the client certificate renewal is triggered. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/ExchangeID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ExchangeID +``` + + + + +Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server. + + + + +> [!NOTE] +> In some cases, this node will return "not found" until the user sets up their email. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +**Example**: + +```xml + + 12 + + + ./Vendor/MSFT/DMClient/Provider//ExchangeID + + + +``` + + + + + +#### Device/Provider/{ProviderID}/FirstSyncStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton
+```
+
+
+
+
+This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the device MDM status page.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Do not show the Collect Logs button on the progress page. |
+| true | Show the Collect Logs button on the progress page. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/BlockInStatusPage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/BlockInStatusPage
+```
+
+
+
+
+Device Only. This node determines whether or not the MDM progress page is blocking in the AADJ or DJ++ case, as well as which remediation options are available.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Flag | Description |
+|:--|:--|
+| 0x0 | Allow the user to exit the page before provisioning completes. |
+| 0x1 | Block the user on the page and show the Reset PC button on failure. |
+| 0x2 | Block the user on the page and show the Try Again button on failure. |
+| 0x4 | Block the user on the page and show the Continue Anyway button on failure. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText
+```
+
+
+
+
+This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages
+```
+
+
+
+
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages
+```
+
+
+
+
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles
+```
+
+
+
+
+This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000".
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts
+```
+
+
+
+
+This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies
+```
+
+
+
+
+This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts
+```
+
+
+
+
+This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone
+```
+
+
+
+
+This node, when doing a get, tells the server if the "First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | The device is not finished provisioning. |
+| true | The device has finished provisoining. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning
+```
+
+
+
+
+This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can "change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Server has not finished provisioning. |
+| true | Server has finished provisioning. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/SkipDeviceStatusPage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/SkipDeviceStatusPage
+```
+
+
+
+
+Device only. This node decides whether or not the MDM device progress page skips after AADJ or Hybrid AADJ in OOBE.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | true |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Do not skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+| true (Default) | Skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/SkipUserStatusPage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/SkipUserStatusPage
+```
+
+
+
+
+Device only. This node decides whether or not the MDM user progress page skips after AADJ or DJ++ after user login.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | true |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Do not skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+| true (Default) | Skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/TimeOutUntilSyncFailure
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/TimeOutUntilSyncFailure
+```
+
+
+
+
+This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Allowed Values | Range: `[1-1440]` |
+| Default Value | 60 |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned
+```
+
+
+
+
+Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | The device has failed to provision the device. |
+| 1 | The device has successfully provisioned the device. |
+| 2 | Provisioning is in progress. |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/ForceAadToken
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1766] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1766] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1766] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.739] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ForceAadToken +``` + + + + +Force device to send device AAD token during check-in as a separate header. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | ForceAadTokenNotDefined: the value is not defined(default). | +| 1 | AlwaysSendAadDeviceTokenCheckIn: always send AAD device token during check-in as a separate header section(not as Bearer token). | +| 2 | Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during check-in as a separate header section(not as Bearer toekn). | +| 4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send AAD Device token for auth as Bearer token. | +| 8 | Reserved for future. ForceAadTokenMaxAllowed: max value allowed. | + + + + + + + + + +#### Device/Provider/{ProviderID}/HelpEmailAddress + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HelpEmailAddress +``` + + + + +The character string that allows the user experience to include a customized help email address that the end user will be able to view and use if they need help or support. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/HelpPhoneNumber + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HelpPhoneNumber +``` + + + + +The character string that allows the user experience to include a customized help phone number that the end user will be able to view and use if they need help or support. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/HelpWebsite + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HelpWebsite +``` + + + + +The character string that allows the user experience to include a customized help website that the end user will be able to view and use if they need help or support. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/HWDevID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HWDevID +``` + + + + +Returns the hardware device ID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/Provider/{ProviderID}/LinkedEnrollment + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment +``` + + + + +The interior node for linked enrollment. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/LinkedEnrollment/Enroll + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/Enroll +``` + + + + +Trigger to enroll for the Linked Enrollment. + + + + +This is an execution node and will trigger a silent MMP-C enrollment, using the Azure Active Directory device token pulled from the Azure AD-joined device. There is no user interaction needed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +##### Device/Provider/{ProviderID}/LinkedEnrollment/EnrollStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/EnrollStatus +``` + + + + +Returns the current enrollment or un-enrollment status of the linked enrollment. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Undefined. | +| 1 | Enrollment Not started. | +| 2 | Enrollment In Progress. | +| 3 | Enrollment Failed. | +| 4 | Enrollment Succeeded. | +| 5 | Unenrollment Not started. | +| 6 | UnEnrollment In Progress. | +| 7 | UnEnrollment Failed. | +| 8 | UnEnrollment Succeeded. | + + + + + + + + + +##### Device/Provider/{ProviderID}/LinkedEnrollment/LastError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/LastError +``` + + + + +return the last error for enroll/unenroll. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/LinkedEnrollment/Priority + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/Priority +``` + + + + +Optional. Allowed value is 0 or 1. 0 means the main enrollment has authority for mdm settings and resources, 1 means the linked enrollment has authority. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The main enrollment has priority over linked enrollment. | +| 1 | The linked enrollment has priority over the main enrollment. | + + + + + + + + + +##### Device/Provider/{ProviderID}/LinkedEnrollment/Unenroll + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/Unenroll +``` + + + + +Trigger Unenroll for the Linked Enrollment. + + + + +This is an execution node and will trigger a silent MMP-C unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by MMPC will be rolled back. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +#### Device/Provider/{ProviderID}/ManagementServerAddressList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ManagementServerAddressList +``` + + + + +The list of management server URLs in the format `` `` ``, and so on. If there is only one, the angle brackets (<>) are not required. The < and > should be escaped. If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value. When the server is not responding after a specified number of retries, the device tries to use the next server URL in the list until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first on in the list. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + +**Example**: ```xml @@ -311,525 +2507,1285 @@ Added in Windows 10, version 1607. The list of management server URLs in the fo ``` + -If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value. + -When the server isn't responding after a specified number of retries, the device tries to use the next server URL in the list. It keeps trying until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first one in the list. + +#### Device/Provider/{ProviderID}/ManagementServerToUpgradeTo -Supported operations are Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -Value type is string. - -**Provider/*ProviderID*/ManagementServerToUpgradeTo** -Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM provider to upgrade to for a Mobile Application Management (MAM) enrolled device. - -Supported operations are Add, Delete, Get, and Replace. - -Value type is string. - -**Provider/*ProviderID*/NumberOfDaysAfterLostContactToUnenroll** -Optional. Number of days after last successful sync to unenroll. - -Supported operations are Add, Delete, Get, and Replace. - -Value type is integer. - -**Provider/*ProviderID*/AADSendDeviceToken** - -Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this feature will cause the client to send a Device Token if the User Token can't be obtained. - -Supported operations are Add, Delete, Get, and Replace. - -Value type is bool. - -**Provider/*ProviderID*/ForceAadToken** -The value type is integer/enum. - -The value is "1" and it means client should always send Azure Active Directory device token during check-in/sync. - -**Provider/*ProviderID*/Poll** -Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated. - -Supported operations are Get and Add. - -There are three schedules managed under the Poll node. They enable a rich polling schedule experience to provide greater flexibility in managing the way devices poll the management server. There are various ways that polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules to restore the polling schedules back to a valid configuration. - -If there's no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window. 
- -**Valid poll schedule: sigmoid polling schedule with infinite schedule (Recommended).** - -|Schedule name|Schedule set by the server|Actual value queried on device| -|--- |--- |--- | -|IntervalForFirstSetOfRetries|15|15| -|NumberOfFirstRetries|5|5| -|IntervalForSecondSetOfRetries|60|60| -|NumberOfSecondRetries|10|10| -|IntervalForRemainingScheduledRetries|1440|1440| -|NumberOfRemainingScheduledRetries|0|0| - -**Valid poll schedule: initial enrollment only [no infinite schedule]** - -|Schedule name|Schedule set by the server|Actual value queried on device| -|--- |--- |--- | -|IntervalForFirstSetOfRetries|15|15| -|NumberOfFirstRetries|5|5| -|IntervalForSecondSetOfRetries|60|60| -|NumberOfSecondRetries|10|10| -|IntervalForRemainingScheduledRetries|0|0| -|NumberOfRemainingScheduledRetries|0|0| - -**Invalid poll schedule: disable all poll schedules** - -> [!NOTE] -> Disabling poll schedules results in UNDEFINED behavior and enrollment may fail if poll schedules are all set to zero. - -|Schedule name|Schedule set by the server|Actual value queried on device| -|--- |--- |--- | -|IntervalForFirstSetOfRetries|0|0| -|NumberOfFirstRetries|0|0| -|IntervalForSecondSetOfRetries|0|0| -|NumberOfSecondRetries|0|0| -|IntervalForRemainingScheduledRetries|0|0| -|NumberOfRemainingScheduledRetries|0|0| - -**Invalid poll schedule: two infinite schedules** - -|Schedule name|Schedule set by server|Actual schedule set on device|Actual experience| -|--- |--- |--- |--- | -|IntervalForFirstSetOfRetries|15|15|Device polls| -|NumberOfFirstRetries|5|5|Device polls| -|IntervalForSecondSetOfRetries|1440|1440|Device polls the server once in 24 hours| -|NumberOfSecondRetries|0|0|Device polls the server once in 24 hours| -|IntervalForRemainingScheduledRetries|1440|0|Third schedule is disabled| -|NumberOfRemainingScheduledRetries|0|0|Third schedule is disabled| - -If the device was previously enrolled in MDM with polling schedule configured using the registry key values directly, the MDM provider 
that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/<ProviderID>/Poll** node before it sends a Get/Replace command to query or update polling parameters using the DMClient CSP - -When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all three number of retry nodes to 0. It will cause a configuration failure. - -**Provider/*ProviderID*/Poll/IntervalForFirstSetOfRetries** -Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `//Poll/NumberOfFirstRetries`. If IntervalForFirstSetOfRetries isn't set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled. - -Supported operations are Get and Replace. - -The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously used the Registry CSP. - -**Provider/*ProviderID*/Poll/NumberOfFirstRetries** -Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value isn't 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule won't set in this case. The default value is 10. - -Supported operations are Get and Replace. - -The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxNumRetries path that previously used the Registry CSP. - -The first set of retries gives the management server some buffered time to be ready to send policy and setting configurations to the device. The total time for first set of retries shouldn't be more than a few hours. The server shouldn't set NumberOfFirstRetries to 0. 
RemainingScheduledRetries is used for the long run device polling schedule. - -**Provider/*ProviderID*/Poll/IntervalForSecondSetOfRetries** -Optional. The waiting time (in minutes) for the second set of retries, which is the number of retries in `//Poll/NumberOfSecondRetries`. Default value is 0. If this value is set to zero, then this schedule is disabled. - -Supported operations are Get and Replace. - -The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously used the Registry CSP. - -**Provider/*ProviderID*/Poll/NumberOfSecondRetries** -Optional. The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries isn't set to 0 AND the first set of retries isn't set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled. - -Supported operations are Get and Replace. - -The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\NumRetries path that previously used the Registry CSP. - -The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule. - -**Provider/*ProviderID*/Poll/IntervalForRemainingScheduledRetries** -Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `//Poll/NumberOfRemainingScheduledRetries`. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled. - -Supported operations are Get and Replace. 
- -The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously used the Registry CSP. - -**Provider/*ProviderID*/Poll/NumberOfRemainingScheduledRetries** -Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries aren't set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled. - -Supported operations are Get and Replace. - -The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously used the Registry CSP. - -The RemainingScheduledRetries is used for the long run device polling schedule. - -**Provider/*ProviderID*/Poll/PollOnLogin** -Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, even if the user has previously logged in. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false. - -Supported operations are Add, Get, and Replace. - -**Provider/*ProviderID*/Poll/AllUsersPollOnFirstLogin** -Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system. Later sign-ins won't trigger an MDM session. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false. - -Supported operations are Add, Get, and Replace. 
- -**Provider/*ProviderID*/LinkedEnrollment/Priority** -This node is an integer, value is "0" or "1". - -Default is 1, meaning the MDM enrollment is the “winning” authority for conflicting policies/resources. Value 1 means MMP-C enrollment is the “winning” one. -Support operations are Get and Set. - -**Provider/*ProviderID*/LinkedEnrollment/Enroll** -This is an execution node and will trigger a silent MMP-C enrollment, using the Azure Active Directory device token pulled from the Azure AD-joined device. There is no user interaction needed. - -Support operation is Exec. - -**Provider/*ProviderID*/LinkedEnrollment/Unenroll** -This is an execution node and will trigger a silent MMP-C unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by MMPC will be rolled back(rollback details will be covered later). - -Support operation is Exec. - -**Provider/*ProviderID*/LinkedEnrollment/EnrollStatus** - -This node can be used to check both enroll and unenroll statuses. -This will return the enroll action status and is defined as an enum class LinkedEnrollmentStatus. The values are as follows: - -- Undefined = 0 -- EnrollmentNotStarted = 1 -- InProgress = 2 -- Failed = 3 -- Succeeded = 4 -- UnEnrollmentQueued = 5 -- UnEnrollmentSucceeded = 8 - -Support operation is Get only. - -**Provider/*ProviderID*/LinkedEnrollment/LastError** - -This specifies the Hresult to report the enrollment/unenroll results. - -**Provider/*ProviderID*/Recovery/AllowRecovery** - -This node determines whether or not the client will automatically initiate an MDM Recovery operation when it detects issues with the MDM certificate. - -Supported operations are Get, Add, Replace and Delete. - -The supported values for this node are 1-true (allow) and 0-false(not allow). Default value is 0. - -**Provider/*ProviderID*/Recovery/RecoveryStatus** - -This node tracks the status of a Recovery request from the InitiateRecovery node. 
The values are as follows: - -0 - No Recovery request has been processed. -1 - Recovery is in Process. -2 - Recovery has finished successfully. -3 - Recovery has failed to start because TPM is not available. -4 - Recovery has failed to start because Azure Active Directory keys are not protected by the TPM. -5 - Recovery has failed to start because the MDM keys are already protected by the TPM. -6 - Recovery has failed to start because the TPM is not ready for attestation. -7 - Recovery has failed because the client cannot authenticate to the server. -8 - Recovery has failed because the server has rejected the client's request. - -Supported operation is Get only. - -**Provider/*ProviderID*/Recovery/InitiateRecovery** - -This node initiates an MDM Recovery operation on the client. - -If initiated with argument 0, it triggers MDM Recovery, no matter the state of the device. - -If initiated with argument 1, it triggers only if the MDM certificate’s private key isn’t already protected by the TPM, if there is a TPM to put the private key into, and if the TPM is ready for attestation. - -Supported operation is Exec only. - -**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync** - -Optional. This node specifies maximum number of concurrent user sync sessions in background. - -The default value is dynamically decided by the client based on CPU usage. - -The values are as follows: -0 = none -1 = sequential -anything else = parallel - -Supported operations are Get, Add, Replace and Delete. - -Value type is integer. Only applicable for Windows Enterprise multi-session. - - -**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync** -Optional. This node specifies maximum number of concurrent user sync sessions at User Login. - -The default value is dynamically decided by the client based on CPU usage. - -The values are as follows: -0 = none -1 = sequential -anything else = parallel. 
- -Supported operations are Get, Add, Replace and Delete. - -Value type is integer. Only applicable for Windows Enterprise multi-session. - -**Provider/*ProviderID*/MultipleSession/IntervalForScheduledRetriesForUserSession** -Optional. This node specifies the waiting time (in minutes) for the initial set of retries as specified by the number of retries in `//Poll/NumberOfScheduledRetriesForUserSession`. - -If IntervalForScheduledRetriesForUserSession is not set, then the default value is used. The default value is 0. If the value is set to 0, this schedule is disabled. - -This configuration is only applicable for Windows Multi-session Editions. - -Supported operations are Get and Replace. - -**Provider/*ProviderID*/MultipleSession/NumberOfScheduledRetriesForUserSession** -Optional. This node specifies the number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. - -If the value is set to 0 and the IntervalForScheduledRetriesForUserSession value is not 0, then the schedule will be set to repeat an infinite number of times. - -The default value is 0. This configuration is only applicable for Windows Multi-session Editions. - -Supported operations are Get and Replace. - -**Provider/*ProviderID*/ConfigLock** - -Optional. This node enables [Config Lock](../config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected. - -Default = Locked - -> [!Note] -> If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure). - -**Provider/*ProviderID*/ConfigLock/Lock** - -The supported values for this node are 0-unlock, 1-lock. - -Supported operations are Add, Delete, Get. 
- -**Provider/*ProviderID*/ConfigLock/UnlockDuration** - -The supported values for this node are 1 to 480 (in min). - -Supported operations are Add, Delete, Get. - -**Provider/*ProviderID*/ConfigLock/SecureCore** - -The supported values for this node are false or true. - -Supported operation is Get only. - -**Provider/*ProviderID*/Push** -Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported. - -Supported operations are Add and Delete. - -**Provider/*ProviderID*/Push/PFN** -Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it's managing. - -Supported operations are Add, Get, and Replace. - -**Provider/*ProviderID*/Push/ChannelURI** -Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device, based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null. - -Supported operation is Get. - -**Provider/*ProviderID*/Push/Status** -Required. An integer that maps to a known error state or condition on the system. - -Supported operation is Get. - -The status error mapping is listed below. - -|Status|Description| -|--- |--- | -|0|Success| -|1|Failure: invalid PFN| -|2|Failure: invalid or expired device authentication with Microsoft account| -|3|Failure: WNS client registration failed due to an invalid or revoked PFN| -|4|Failure: no Channel URI assigned| -|5|Failure: Channel URI has expired| -|6|Failure: Channel URI failed to be revoked| -|7|Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations.| -|8|Unknown error| - -**Provider/*ProviderID*/CustomEnrollmentCompletePage** -Optional. Added in Windows 10, version 1703. - -Supported operations are Add, Delete, and Get. 
- -**Provider/*ProviderID*/CustomEnrollmentCompletePage/Title** -Optional. Added in Windows 10, version 1703. Specifies the title of the all done page that appears at the end of the MDM enrollment flow. - -Supported operations are Add, Delete, Get, and Replace. - -Value type is string. - -**Provider/*ProviderID*/CustomEnrollmentCompletePage/BodyText** -Optional. Added in Windows 10, version 1703. Specifies the body text of the all done page that appears at the end of the MDM enrollment flow. - -Supported operations are Add, Delete, Get, and Replace. - -Value type is string. - -**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref** -Optional. Added in Windows 10, version 1703. Specifies the URL that's shown at the end of the MDM enrollment flow. - -Supported operations are Add, Delete, Get, and Replace. - -Value type is string. - -**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText** -Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that's shown at the end of the MDM enrollment flow. - -Supported operations are Add, Delete, Get, and Replace. - -Value type is string. - -**Provider/*ProviderID*/FirstSyncStatus** -Optional node. Added in Windows 10, version 1709. - -**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to configure, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). - -Supported operations are Add, Delete, Get, and Replace. - -Value type is string. - -**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to configure, delimited by the character L"\xF000". - -Supported operations are Add, Delete, Get, and Replace. - -Value type is string. 
- -**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps. - -Supported operations are Add, Delete, Get, and Replace. - -Value type is string. - -**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, - -``` syntax -./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" -./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ManagementServerToUpgradeTo ``` + -This syntax represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps. + + +Specify the Discovery server URL of the MDM server to upgrade to for a MAM enrolled device. + -Supported operations are Add, Delete, Get, and Replace. + + + -Value type is string. 
+ +**Description framework properties**: -**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Supported operations are Add, Delete, Get, and Replace. + + + -Value type is string. + -**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + +#### Device/Provider/{ProviderID}/ManagementServiceAddress -Supported operations are Add, Delete, Get, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -Value type is string. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ManagementServiceAddress +``` + -**Provider/*ProviderID*/FirstSyncStatus/TimeOutUntilSyncFailure** -Required. Added in Windows 10, version 1709. This node determines how long we'll poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day). + + +The character string that contains the device management server address. It can be updated during an OMA DM session by the management server to allow the server to load balance to another server in situations where too many devices are connected to the server. The DMClient CSP will save the address to the same location as the w7 and DMS CSPs to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the [w7 APPLICATION](w7-application-csp.md) configuration service provider. Starting in Windows 10, version 1511, this node supports multiple server addresses in the format `` `` ``. If there is only a single URL, then the <> are not required. This is supported for both desktop and mobile devices. During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session. + -Supported operations are Get and Replace. + + +> [!NOTE] +> When the **ManagementServerAddressList** value is set, the device ignores the value. + -Value type is integer. + +**Description framework properties**: -**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning** -Required. Added in Windows 10, version 1709. 
This node is set by the server to inform the UX that the server has finished configuring the device. It was added so that the server can “change its mind" about what it needs to configure on the device. When this node is set, many other DM Client nodes can't be changed. If this node isn't True, the UX will consider the configuration a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Dependency [ManageServerAddressListBlock] | Dependency Type: `Not`
    Dependency URI: `Device/Vendor/MSFT/DMClient/Provider/[ProviderID]/ManagementServerAddressList`
    Dependency Allowed Value Type: `None`
    | + -Supported operations are Get and Replace. + + + -Value type is boolean. + -**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone** -Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully configured. `Set` triggers the UX to override whatever state it's in, and tell the user that the device is configured. It can't be set from True to False (it won't change its mind if the sync is done), and it can't be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis). + +#### Device/Provider/{ProviderID}/MaxSyncApplicationVersion -Supported operations are Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -Value type is boolean. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MaxSyncApplicationVersion +``` + -**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned** -Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully configured. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value can't be changed again. The client will change the value of success or failure and update the node. The server can force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis). + + +Used by the client to indicate the latest DM session version that it supports. + -Supported operations are Get and Replace. + + + -Value type is integer. + +**Description framework properties**: -**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage** -Required. Device Only. Added in Windows 10, version 1803. This node determines if the MDM progress page is blocking in the Azure AD joined or DJ++ case, and which remediation options are available. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Supported operations are Get and Replace. + + + -Value type is integer. + -**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton** -Required. Added in Windows 10, version 1803. This node decides if the MDM progress page displays the Collect Logs button. + +#### Device/Provider/{ProviderID}/MultipleSession -Supported operations are Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -Value type is bool. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession +``` + -**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText** -Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do if there's an error. + + + -Supported operations are Add, Get, Delete, and Replace. + + +> [!NOTE] +> Only applicable for Windows Enterprise multi-session. + -Value type is string. + +**Description framework properties**: -**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage** -Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported operations are Get and Replace. + + + -Value type is bool. + -**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage** -Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM user progress page skips after Azure AD joined or DJ++ after user login. + +##### Device/Provider/{ProviderID}/MultipleSession/IntervalForScheduledRetriesForUserSession -Supported operations are Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -Value type is bool. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/IntervalForScheduledRetriesForUserSession +``` + -**Provider/*ProviderID*/EnhancedAppLayerSecurity** -Required node. Added in Windows 10, version 1709. + + +The waiting time (in minutes) for the initial set of retries as specified by the number of retries in NumberOfScheduledRetriesForUserSession. If IntervalForScheduledRetriesForUserSession is not set, then the default value is used. Default value is 1440. If the value is 0, this schedule is disabled. + -Supported operation is Get. + + +> [!NOTE] +> Only applicable for Windows Enterprise multi-session. + -**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode** -Required. Added in Windows 10, version 1709. This node specifies how the client will do the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0. + +**Description framework properties**: -Supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + -Value type is integer. + + + -**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline** -Required. Added in Windows 10, version 1709. When this node is set, it tells the client to use the certificate even when the client can't check the certificate's revocation status because the device is offline. The default value is set. + -Supported operations are Add, Get, Replace, and Delete. + +##### Device/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync -Value type is boolean. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert0** -Required. Added in Windows 10, version 1709. The node contains the primary certificate - the public key to use. + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync +``` + -Supported operations are Add, Get, Replace, and Delete. + + +Optional. Maximum number of concurrent user sync sessions at User Login. Default value is 25. 0 none, 1 sequential, anything else: parallel. + -Value type is string. + + +> [!NOTE] +> Only applicable for Windows Enterprise multi-session. + -**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert1** -Required. Added in Windows 10, version 1709. The node contains the secondary certificate - the public key to use. + +**Description framework properties**: -Supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + -Value type is string. + + + -**Provider/*ProviderID*/Unenroll** -Required. The node accepts unenrollment requests using the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `` element. Scope is permanent. + -Supported operations are Get and Exec. + +##### Device/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync -<LocURI>./Vendor/MSFT/DMClient/Unenroll</LocURI> is supported for backward compatibility. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync +``` + + + + +Optional. Maximum number of concurrent user sync sessions in background. Default value is 25. 0 none, 1 sequential, anything else: parallel. + + + + +> [!NOTE] +> Only applicable for Windows Enterprise multi-session. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/MultipleSession/NumberOfScheduledRetriesForUserSession + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/NumberOfScheduledRetriesForUserSession +``` + + + + +The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is 0 and IntervalForScheduledRetriesForUserSession is not 0, then the schedule will be set to repeat for an infinite number of times. + + + + +> [!NOTE] +> Only applicable for Windows Enterprise multi-session. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/NumberOfDaysAfterLostContactToUnenroll + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/NumberOfDaysAfterLostContactToUnenroll +``` + + + + +Number of days after last successful sync to unenroll. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/Poll + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll +``` + + + + +Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated. There are three schedules managed under the Poll node which enable a rich polling schedule experience to provide greater flexibility in managing the way in which devices poll the management server. There are a variety of ways in which polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules in order to restore the polling schedules back to a valid configuration. If there is no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/AllUsersPollOnFirstLogin + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/AllUsersPollOnFirstLogin +``` + + + + +Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system; subsequent logins will not trigger an MDM session. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Polling is disabled on first login. | +| true | Polling is enabled on first login. | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/IntervalForFirstSetOfRetries + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/IntervalForFirstSetOfRetries +``` + + + + +The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /``/Poll/NumberOfFirstRetries. If IntervalForFirstSetOfRetries is not set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/IntervalForRemainingScheduledRetries + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/IntervalForRemainingScheduledRetries +``` + + + + +The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /``/Poll/NumberOfRemainingScheduledRetries. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/IntervalForSecondSetOfRetries + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/IntervalForSecondSetOfRetries +``` + + + + +The waiting time (in minutes) for the second set of retries as specified by the number of retries in /``/Poll/NumberOfSecondRetries. Default value is 0. If this value is set to zero, then this schedule is disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/NumberOfFirstRetries + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/NumberOfFirstRetries +``` + + + + +The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value is not 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule will not set in this case. The default value is 10. The first set of retries is intended to give the management server some buffered time to be ready to send policies and settings configuration to the device. The total time for first set of retries should not be more than a few hours. The server should not set NumberOfFirstRetries to be 0. RemainingScheduledRetries is used for the long run device polling schedule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/NumberOfRemainingScheduledRetries + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/NumberOfRemainingScheduledRetries +``` + + + + +The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries are not set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled. The RemainingScheduledRetries is used for the long run device polling schedule. IntervalForRemainingScheduledRetries should not be set smaller than 1440 minutes (24 hours) in Windows Phone 8.1 device. Windows Phone 8.1 supports MDM server push. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/NumberOfSecondRetries + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/NumberOfSecondRetries +``` + + + + +The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries is not set to 0 AND the first set of retries is not set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled. The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/Poll/PollOnLogin + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/PollOnLogin +``` + + + + +Boolean value that allows the IT admin to require the device to start a management session on any user login, regardless of if the user has preciously logged in. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Polling is disabled on first login. | +| true | Polling is enabled on first login. | + + + + + + + + + +#### Device/Provider/{ProviderID}/PublisherDeviceID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/PublisherDeviceID +``` + + + + +The PublisherDeviceID is a device-unique ID created based on the enterprise Publisher ID. Publisher ID is created based on the enterprise application token and enterprise ID via ./Vendor/MSFT/EnterpriseAppManagement/``/EnrollmentToken. It is to ensure that for one enterprise, each device has a unique ID associated with it. For the same device, if it has multiple enterprises' applications, each enterprise is identified differently. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/Push + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push +``` + + + + +Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/Push/ChannelURI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push/ChannelURI +``` + + + + +A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/Push/PFN + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push/PFN +``` + + + + +A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/Provider/{ProviderID}/Push/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push/Status +``` + + + + +An integer that maps to a known error state or condition on the system. Valid values are: 0 - Success, 1 - Failure: invalid PFN, 2 - Failure: invalid or expired device authentication with MSA, 3 - Failure: WNS client registration failed due to an invalid or revoked PFN, 4 - Failure: no Channel URI assigned, 5 - Failure: Channel URI has expired, 6 - Failure: Channel URI failed to be revoked, 7 - Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations, 8 - Unknown error. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/Provider/{ProviderID}/Recovery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery +``` + + + + +Parent node for Recovery nodes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/Recovery/AllowRecovery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery/AllowRecovery +``` + + + + +This node determines whether or not the client will automatically initiate a MDM Recovery operation when it detects issues with the MDM certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | MDM Recovery is allowed. | +| 0 (Default) | MDM Recovery is not allowed. | + + + + + + + + + +##### Device/Provider/{ProviderID}/Recovery/InitiateRecovery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery/InitiateRecovery +``` + + + + +This node initiates a recovery action. The server can specify prerequisites before the action is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Exec | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Initiate MDM Recovery. | +| 1 | Initiate Recovery if Keys are not already protected by the TPM, there is a TPM to put the keys into, AAD keys are protected by TPM, and the TPM is ready for attestation. | + + + + + + + + + +##### Device/Provider/{ProviderID}/Recovery/RecoveryStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery/RecoveryStatus +``` + + + + +This node tracks the status of a Recovery request from the InitiateRecovery node. 0 - No Recovery request has been processed. 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM is not available. 4 - Recovery has failed to start because AAD keys are not protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM is not ready for attestation. 7 - Recovery has failed because the client cannot authenticate to the server. 8 - Recovery has failed because the server has rejected the client's request. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + + + + + + + + + +#### Device/Provider/{ProviderID}/RequireMessageSigning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/RequireMessageSigning +``` + + + + +Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature. When enabled, the MDM server should validate the signature and the timestamp using the device identify certificate enrolled as part of MS-MDE, ensure the certificate and time are valid, and verify that the signature is trusted by the MDM server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | The device management client does not include authentication information in the management session HTTP header. | +| true | The client authentication information is provided in the management session HTTP header. | + + + + + + + + + +#### Device/Provider/{ProviderID}/SignedEntDMID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/SignedEntDMID +``` + + + + +Character string that contains the device ID. This node and the nodes CertRenewTimeStamp can be used by the MDM server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the EntDMID with the old client certificate during the certificate renewal process and saves the signature locally. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Provider/{ProviderID}/SyncApplicationVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/SyncApplicationVersion +``` + + + + +Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0. + + + + +> [!NOTE] +> Once you set the value to 2.0, it won't go back to 1.0. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `^(\d\.)?(\d)$` | +| Default Value | 1.0 | + + + + + + + + + +#### Device/Provider/{ProviderID}/Unenroll + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Unenroll +``` + + + + +The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `` element. + + + + +> [!NOTE] +> `./Vendor/MSFT/DMClient/Unenroll` is supported for backward compatibility. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec, Get | + + + + +**Example**: The following SyncML shows how to remotely unenroll the device. This command should be inserted in the general DM packages sent from the server to the device. @@ -848,7 +3804,724 @@ The following SyncML shows how to remotely unenroll the device. This command sho ``` + + + + + +#### Device/Provider/{ProviderID}/UPN + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/UPN +``` + + + + +Allows the management server to update the User Principal Name (UPN) of the enrolled user. This is useful in scenarios where the user email address changes in the identity system, or in the scenario where the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +## Device/Unenroll + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/Unenroll +``` + + + + +The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `` element. Scope is permanent. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec, Get | + + + + + + + + + +## Device/UpdateManagementServiceAddress + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/DMClient/UpdateManagementServiceAddress +``` + + + + +For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + + + + + + + +## User/Provider + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider +``` + + + + +The root node for all settings that belong to a single management server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/Provider/{ProviderID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID} +``` + + + + +This node contains the URI-encoded value of the bootstrapped device management account's Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn't require XML/URI escaping. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### User/Provider/{ProviderID}/FirstSyncStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton +``` + + + + +This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the user MDM status page (on a per user basis). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Do not show the Collect Logs button on the progress page. | +| true | Show the Collect Logs button on the progress page. | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText +``` + + + + +This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages +``` + + + + +This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages +``` + + + + +This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles +``` + + + + +This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". This is per user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts +``` + + + + +This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies +``` + + + + +This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts +``` + + + + +This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `\xF000`) | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone +``` + + + + +This node, when doing a get, tells the server if the "First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | The user is not finished provisioning. | +| true | The user has finished provisoining. | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning +``` + + + + +This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can "change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Server has not finished provisioning. | +| true | Server has finished provisioning. | + + + + + + + + + +##### User/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned +``` + + + + +Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The device has failed to provision the user. | +| 1 | The device has successfully provisioned the user. | +| 2 | Provisioning is in progress. | + + + + + + + + + + + + + ## Related articles -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 4f66124b30..b5ef6feff0 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md 
@@ -1,1906 +1,916 @@ --- title: DMClient DDF file -description: Learn about the OMA DM device description framework (DDF) for the DMClient configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the DMClient configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/24/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # DMClient DDF file - -This topic shows the OMA DM device description framework (DDF) for the **DMClient** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 1803. +The following XML file contains the device description framework (DDF) for the DMClient configuration service provider. ```xml -]> +]> 1.2 + + + + DMClient + ./User/Vendor/MSFT + + + + + Root node for the CSP. + + + + + + + + + + + + + + 10.0.10240 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Provider + + + + + The root node for all settings that belong to a single management server. + + + + + + + + + + + + + - DMClient - ./User/Vendor/MSFT + + + + + This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn’t require XML/URI escaping. 
- + - + + ProviderID - com.microsoft/1.5/MDM/DMClient + + + + + + - Provider + FirstSyncStatus + + - + - + - + + + 10.0.16299 + 1.4 + - + ExpectedPolicies + + This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. - + - + - text/plain + + + + + + + + ExpectedNetworkProfiles + + + + + + + + This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". This is per user. + + + + + + + + + + + + + + + + + + + ExpectedMSIAppPackages + + + + + + + + This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user. + + + + + + + + + + + + + + + + + + + ExpectedModernAppPackages + + + + + + + + This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. 
This is per user. + + + + + + + + + + + + + + + + + + + ExpectedPFXCerts + + + + + + + + This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. + + + + + + + + + + + + + + + + + + + ExpectedSCEPCerts + + + + + + + + This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. + + + + + + + + + + + + + + + + + + + ServerHasFinishedProvisioning + + + + + + This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists. + + + + + + + + + + + + + + + false + Server has not finished provisioning + + + true + Server has finished provisioning + + + + + + IsSyncDone + + + + + + This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis). + + + + + + + + + + + + + + + false + The user is not finished provisioning + + + true + The user has finished provisoining. 
+ + + + + + WasDeviceSuccessfullyProvisioned + + + + + + Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis). + + + + + + + + + + + + + + + 0 + The device has failed to provision the user + + + 1 + The device has successfully provisioned the user. + + + 2 + Provisoining is in progress. + + + + + + AllowCollectLogsButton + + + + + + false + This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the user MDM status page (on a per user basis). + + + + + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + + false + Do not show the Collect Logs button on the progress page. + + + true + Show the Collect Logs button on the progress page. + + + + + + CustomErrorText + + + + + + This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis). + + + + + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + - - FirstSyncStatus - - - - - - - - - - - - - - - - - - - - - ExpectedPolicies - - - - - - - - This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. - - - - - - - - - - - text/plain - - - - - ExpectedNetworkProfiles - - - - - - - - This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". This is per user. 
- - - - - - - - - - - text/plain - - - - - ExpectedMSIAppPackages - - - - - - - - This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user. - - - - - - - - - - - text/plain - - - - - ExpectedModernAppPackages - - - - - - - - This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user. - - - - - - - - - - - text/plain - - - - - ExpectedPFXCerts - - - - - - - - This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user. - - - - - - - - - - - text/plain - - - - - ExpectedSCEPCerts - - - - - - - - This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). 
This is per user. - - - - - - - - - - - text/plain - - - - - ServerHasFinishedProvisioning - - - - - - This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists. - - - - - - - - - - - text/plain - - - - - IsSyncDone - - - - - - This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis). - - - - - - - - - - - text/plain - - - - - WasDeviceSuccessfullyProvisioned - - - - - - Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis). - - - - - - - - - - - text/plain - - - - - AllowCollectLogsButton - - - - - - false - This node decides whether or not the MDM progress page displays the Collect Logs button. 
This node only applies to the user MDM status page (on a per user basis). - - - - - - - - - - - - - - text/plain - - - - - CustomErrorText - - - - - - - - This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis). - - - - - - - - - - - - - - text/plain - - - - + + + + DMClient + ./Device/Vendor/MSFT + + + + + Root node for the CSP. + + + + + + + + + + + + + + 10.0.10240 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Provider + + + + + The root node for all settings that belong to a single management server. + + + + + + + + + + + + + - DMClient - ./Device/Vendor/MSFT + + + + + This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn’t require XML/URI escaping. - + - + + ProviderID - com.microsoft/1.4/MDM/DMClient + + + + + + - Provider + EntDeviceName + + + + + + + + Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session. + + + + + + + + + + + + + + + + + + ExchangeID + + + + + + + + Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server. + + + + + + + + + + + + + + + + + + EntDMID + + + + + + + + Character string that contains the unique enterprise device ID. 
The value is set by the management server during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session. + + + + + + + + + + + + + + + + + + SignedEntDMID + + + + + + + + Character string that contains the device ID. This node and the nodes CertRenewTimeStamp can be used by the MDM server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the EntDMID with the old client certificate during the certificate renewal process and saves the signature locally. + + + + + + + + + + + + + + + + + + CertRenewTimeStamp + + + + + + + + The time in OMA DM standard time format. This node is designed to reduce the risk of the certificate being used by another device. The device records the time that the new certificate was created. + + + + + + + + + + + + + + + + + + PublisherDeviceID + + + + + + + + /EnrollmentToken. It is to ensure that for one enterprise, each device has a unique ID associated with it. For the same device, if it has multiple enterprises’ applications, each enterprise is identified differently.]]> + + + + + + + + + + + + + + + + + + ManagementServiceAddress + + + + + + . If there is only a single URL, then the <> are not required. This is supported for both desktop and mobile devices. During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session.]]> + + + + + + + + + + + + + + + + + + Device/Vendor/MSFT/DMClient/Provider/[ProviderID]/ManagementServerAddressList + + + + + + + + + UPN + + + + + + + Allows the management server to update the User Principal Name (UPN) of the enrolled user. 
This is useful in scenarios where the user email address changes in the identity system, or in the scenario where the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN. + + + + + + + + + + + + + + + + + + HelpPhoneNumber + + + + + + + + The character string that allows the user experience to include a customized help phone number that the end user will be able to view and use if they need help or support. + + + + + + + + + + + + + + + + + + HelpWebsite + + + + + + + + The character string that allows the user experience to include a customized help website that the end user will be able to view and use if they need help or support. + + + + + + + + + + + + + + + + + + HelpEmailAddress + + + + + + + + The character string that allows the user experience to include a customized help email address that the end user will be able to view and use if they need help or support. + + + + + + + + + + + + + + + + + + RequireMessageSigning + + + + + + + + false + Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature. When enabled, the MDM server should validate the signature and the timestamp using the device identify certificate enrolled as part of MS-MDE, ensure the certificate and time are valid, and verify that the signature is trusted by the MDM server. 
+ + + + + + + + + + + + + + + false + The device management client does not include authentication information in the management session HTTP header. + + + true + The client authentication information is provided in the management session HTTP header. + + + + + + SyncApplicationVersion + + + + + + + + 1.0 + Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0. + + + + + + + + + + + + + + ^(\d\.)?(\d)$ + + + + + MaxSyncApplicationVersion + Used by the client to indicate the latest DM session version that it supports. - + - + - + - + - - - - - - - - - - - - - - - - - - - text/plain - - - - EntDeviceName - - - - - - - - - - - - - - - - - - text/plain - - - - - ExchangeID - - - - - - - - - - - - - - - - - - text/plain - - - - - EntDMID - - - - - - - - - - - - - - - - - - text/plain - - - - - SignedEntDMID - - - - - - - - - - - - - - - - - - text/plain - - - - - CertRenewTimeStamp - - - - - - - - - - - - - - - - - - text/plain - - - - - - PublisherDeviceID - - - - - - - - - - - - - - - - - - text/plain - - - - - - ManagementServiceAddress - - - - - - - - - - - - - - - - text/plain - - - - - UPN - - - - - - - - - - - - - - - - - text/plain - - - - - HelpPhoneNumber - - - - - - - - - - - - - - - - - - text/plain - - - - - HelpWebsite - - - - - - - - - - - - - - - - - - text/plain - - - - - HelpEmailAddress - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireMessageSigning - - - - - - - - - - - - - - - - - - text/plain - - - - - SyncApplicationVersion - - - - - - - - - - - - - - - - - - text/plain - - - - - MaxSyncApplicationVersion - - - - - - - - - - - - - - - text/plain - - - - - Unenroll - - - - - - - - - - - - - - - - text/plain - - - - - AADResourceID - - - - 
- - - - - - - - - - - - - text/plain - - - - - AADDeviceID - - - - - Device ID used for AAD device registration - - - - - - - - - - - text/plain - - - - - EnrollmentType - - - - - Type of MDM enrollment - - - - - - - - - - - text/plain - - - - - EnableOmaDmKeepAliveMessage - - - - - - - - - - - - - - - - text/plain - - - - - HWDevID - - - - - - - - - - - - - - - text/plain - - - - - ManagementServerAddressList - - - - - - - - - - - - - - - - text/plain - - - - - CommercialID - - - - - - - - - - - - - - - - - - text/plain - - - - - ManagementServerToUpgradeTo - - - - - - - - Specify the Discovery server URL of the MDM server to upgrade to for a MAM enrolled device - - - - - - - - - - - text/plain - - - - - NumberOfDaysAfterLostContactToUnenroll - - - - - - - - Number of days after last successful sync to unenroll - - - - - - - - - - - text/plain - - - - - AADSendDeviceToken - - - - - - - - Send the device Azure Active Directory token, if the user one can't be returned - - - - - - - - - - - text/plain - - - - - Push - - - - - - - - - - - - - - - - - - - - - PFN - - - - - - - - - - - - - - - - - text/plain - - - - - ChannelURI - - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - - Poll - - - - - - - - - - - - - - - - - - - - - IntervalForFirstSetOfRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - NumberOfFirstRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - IntervalForSecondSetOfRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - NumberOfSecondRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - IntervalForRemainingScheduledRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - NumberOfRemainingScheduledRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - PollOnLogin - - - - - - - - - - - - - - - - - - text/plain - - - - - AllUsersPollOnFirstLogin - - - - - - - - - - - - - - - - - - text/plain - - - - - - CustomEnrollmentCompletePage - 
- - - - - - - - - - - - - - - - - - - - Title - - - - - - - - - - - - - - - - - - text/plain - - - - - BodyText - - - - - - - - - - - - - - - - - - text/plain - - - - - HyperlinkHref - - - - - - - - - - - - - - - - - - text/plain - - - - - HyperlinkText - - - - - - - - - - - - - - - - - - text/plain - - - - - - FirstSyncStatus - - - - - - - - - - - - - - - - - - - - - ExpectedPolicies - - - - - - - - This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). - - - - - - - - - - - text/plain - - - - - ExpectedNetworkProfiles - - - - - - - - This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". - - - - - - - - - - - text/plain - - - - - ExpectedMSIAppPackages - - - - - - - - This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. - - - - - - - - - - - text/plain - - - - - ExpectedModernAppPackages - - - - - - - - This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. 
./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. - - - - - - - - - - - text/plain - - - - - ExpectedPFXCerts - - - - - - - - This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). - - - - - - - - - - - text/plain - - - - - ExpectedSCEPCerts - - - - - - - - This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). - - - - - - - - - - - text/plain - - - - - TimeOutUntilSyncFailure - - - - - - This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day). - - - - - - - - - - - text/plain - - - - - ServerHasFinishedProvisioning - - - - - - This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists. - - - - - - - - - - - text/plain - - - - - IsSyncDone - - - - - - This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. 
When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis). - - - - - - - - - - - text/plain - - - - - WasDeviceSuccessfullyProvisioned - - - - - - Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis). - - - - - - - - - - - text/plain - - - - - BlockInStatusPage - - - - - - 0 - Device Only. This node determines whether or not the MDM progress page is blocking in the Azure Active Directory-joined or DJ++ case, as well as which remediation options are available. - - - - - - - - - - - - - - text/plain - - - - - AllowCollectLogsButton - - - - - - false - This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the device MDM status page. - - - - - - - - - - - - - - text/plain - - - - - CustomErrorText - - - - - - - - This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis). - - - - - - - - - - - - - - text/plain - - - - - SkipDeviceStatusPage - - - - - - true - Device only. This node decides whether or not the MDM device progress page skips after Azure Active Directory-joined or Hybrid Azure AD-joined in OOBE. 
- - - - - - - - - - - - - - text/plain - - - - - SkipUserStatusPage - - - - - - false - Device only. This node decides wheter or not the MDM user progress page skips after Azure Active Directory-joined or DJ++ after user login. - - - - - - - - - - - - - - text/plain - - - - - - EnhancedAppLayerSecurity - - - - - - - - - - - - - - - - - - - SecurityMode - - - - - - - - This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0. - - - - - - - - - - - text/plain - - - - - UseCertIfRevocationCheckOffline - - - - - - - - This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set. - - - - - - - - - - - text/plain - - - - - Cert0 - - - - - - - - The node contains the primary certificate - the public key to use. - - - - - - - - - - - text/plain - - - - - Cert1 - - - - - - - - The node contains the secondary certificate - the public key to use. - - - - - - - - - - - text/plain - - - - - Unenroll @@ -1909,6 +919,7 @@ The XML below is for Windows 10, version 1803. + tag under the element.]]> @@ -1919,17 +930,19 @@ The XML below is for Windows 10, version 1803. - text/plain + - UpdateManagementServiceAddress + AADResourceID + + This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access. 
@@ -1940,8 +953,97 @@ The XML below is for Windows 10, version 1803. - text/plain + + + + + + + AADDeviceID + + + + + Device ID used for AAD device registration + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + EnrollmentType + + + + + Type of MDM enrollment (Device or Full). + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + EnableOmaDmKeepAliveMessage + + + + + + false + A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow. When the server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending. To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information. + + + + + + + + + + + + + + 10.0.10586 + 1.1 + + + + false + Enable message + + + true + Disable message + + @@ -1950,6 +1052,7 @@ The XML below is for Windows 10, version 1803. + Returns the hardware device ID. 
@@ -1960,10 +1063,1968 @@ The XML below is for Windows 10, version 1803. - text/plain + + + 10.0.14393 + 1.2 + + + ManagementServerAddressList + + + + + + , and so on. If there is only one, the angle brackets (<>) are not required. The < and > should be escaped. If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value. When the server is not responding after a specified number of retries, the device tries to use the next server URL in the list until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first on in the list.]]> + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + CommercialID + + + + + + + + Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + ManagementServerToUpgradeTo + + + + + + + + Specify the Discovery server URL of the MDM server to upgrade to for a MAM enrolled device + + + + + + + + + + + + + + 10.0.15063 + 1.3 + + + + + + + NumberOfDaysAfterLostContactToUnenroll + + + + + + + + Number of days after last sucessful sync to unenroll + + + + + + + + + + + + + + 10.0.16299 + 1.4 + + + + + + + AADSendDeviceToken + + + + + + + + For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained. 
+ + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + + false + Do not send Device Token if User Token cannot be obtained. + + + true + Send Device Token if User Token cannot be obtained. + + + + + + ForceAadToken + + + + + + + + Force device to send device AAD token during checkin as a separate header. + + + + + + + + + + + + + + 10.0.22621, 10.0.22000.739, 10.0.19044.1766, 10.0.19043.1766, 10.0.19042.1766 + 1.6 + + + + 0 + ForceAadTokenNotDefined: the value is not defined(default) + + + 1 + AlwaysSendAadDeviceTokenCheckIn: always send AAD device token during checkin as a separate header section(not as Bearer token). + + + 2 + Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during checkin as a separate header section(not as Bearer toekn). + + + 4 + SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send AAD Device token for auth as Bearer token. + + + 8 + Reserved for future. ForceAadTokenMaxAllowed: max value allowed. + + + + + + Push + + + + + + + Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported. + + + + + + + + + + + + + + + PFN + + + + + + + + A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing. + + + + + + + + + + + + + + + + + + ChannelURI + + + + + A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null. + + + + + + + + + + + + + + + + Status + + + + + An integer that maps to a known error state or condition on the system. 
Valid values are: 0 - Success, 1 - Failure: invalid PFN, 2 - Failure: invalid or expired device authentication with MSA, 3 - Failure: WNS client registration failed due to an invalid or revoked PFN, 4 - Failure: no Channel URI assigned, 5 - Failure: Channel URI has expired, 6 - Failure: Channel URI failed to be revoked, 7 - Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations, 8 - Unknown error + + + + + + + + + + + + + + + + + Poll + + + + + + + Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated. There are three schedules managed under the Poll node which enable a rich polling schedule experience to provide greater flexibility in managing the way in which devices poll the management server. There are a variety of ways in which polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules in order to restore the polling schedules back to a valid configuration. If there is no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window. + + + + + + + + + + + + + + + IntervalForFirstSetOfRetries + + + + + + + + /Poll/NumberOfFirstRetries. If IntervalForFirstSetOfRetries is not set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.]]> + + + + + + + + + + + + + + + + + + NumberOfFirstRetries + + + + + + + + The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value is not 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule will not set in this case. The default value is 10. 
The first set of retries is intended to give the management server some buffered time to be ready to send policies and settings configuration to the device. The total time for first set of retries should not be more than a few hours. The server should not set NumberOfFirstRetries to be 0. RemainingScheduledRetries is used for the long run device polling schedule. + + + + + + + + + + + + + + + + + + IntervalForSecondSetOfRetries + + + + + + + + /Poll/NumberOfSecondRetries. Default value is 0. If this value is set to zero, then this schedule is disabled.]]> + + + + + + + + + + + + + + + + + + NumberOfSecondRetries + + + + + + + + The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries is not set to 0 AND the first set of retries is not set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled. The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule. + + + + + + + + + + + + + + + + + + IntervalForRemainingScheduledRetries + + + + + + + + /Poll/NumberOfRemainingScheduledRetries. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.]]> + + + + + + + + + + + + + + + + + + NumberOfRemainingScheduledRetries + + + + + + + + The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. 
If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries are not set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled. The RemainingScheduledRetries is used for the long run device polling schedule. IntervalForRemainingScheduledRetries should not be set smaller than 1440 minutes (24 hours) in Windows Phone 8.1 device. Windows Phone 8.1 supports MDM server push. + + + + + + + + + + + + + + + + + + PollOnLogin + + + + + + + + false + Boolean value that allows the IT admin to require the device to start a management session on any user login, regardless of if the user has preciously logged in. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false. + + + + + + + + + + + + + + + false + Polling is disabled on first login + + + true + Polling is enabled on first login. + + + + + + AllUsersPollOnFirstLogin + + + + + + + + false + Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system; subsequent logins will not trigger an MDM session. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false. + + + + + + + + + + + + + + + false + Polling is disabled on first login + + + true + Polling is enabled on first login. + + + + + + + CustomEnrollmentCompletePage + + + + + + + These nodes provision custom text for the enrollment page. + + + + + + + + + + + + + + 10.0.15063 + 1.3 + + + + Title + + + + + + + + Specifies the title of the all done page that appears at the end of the MDM enrollment flow. 
+ + + + + + + + + + + + + + + + + + BodyText + + + + + + + + Specifies the body text of the all done page that appears at the end of the MDM enrollment flow. + + + + + + + + + + + + + + + + + + HyperlinkHref + + + + + + + + Specifies the URL that is shown at the end of the MDM enrollment flow. + + + + + + + + + + + + + + + + + + HyperlinkText + + + + + + + + Specifies the display text for the URL that is shown at the end of the MDM enrollment flow. + + + + + + + + + + + + + + + + + + + FirstSyncStatus + + + + + + + + + + + + + + + + + + + + 10.0.16299 + 1.4 + + + + ExpectedPolicies + + + + + + + + This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + + + + + + + + + + + + + + + + + + + ExpectedNetworkProfiles + + + + + + + + This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". + + + + + + + + + + + + + + + + + + + ExpectedMSIAppPackages + + + + + + + + This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. + + + + + + + + + + + + + + + + + + + ExpectedModernAppPackages + + + + + + + + This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". 
The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. + + + + + + + + + + + + + + + + + + + ExpectedPFXCerts + + + + + + + + This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + + + + + + + + + + + + + + + + + + + ExpectedSCEPCerts + + + + + + + + This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + + + + + + + + + + + + + + + + + + + TimeOutUntilSyncFailure + + + + + + 60 + This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day). + + + + + + + + + + + + + + [1-1440] + + + + + ServerHasFinishedProvisioning + + + + + + This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists. 
+ + + + + + + + + + + + + + + false + Server has not finished provisioning + + + true + Server has finished provisioning + + + + + + IsSyncDone + + + + + + This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis). + + + + + + + + + + + + + + + false + The device is not finished provisioning + + + true + The device has finished provisoining. + + + + + + WasDeviceSuccessfullyProvisioned + + + + + + Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis). + + + + + + + + + + + + + + + 0 + The device has failed to provision the device + + + 1 + The device has successfully provisioned the device. + + + 2 + Provisoining is in progress. + + + + + + BlockInStatusPage + + + + + + 0 + Device Only. This node determines whether or not the MDM progress page is blocking in the AADJ or DJ++ case, as well as which remediation options are available. + + + + + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + + 0x0 + Allow the user to exit the page before provisioning completes. + + + 0x1 + Block the user on the page and show the Reset PC button on failure. 
+ + + 0x2 + Block the user on the page and show the Try Again button on failure. + + + 0x4 + Block the user on the page and show the Continue Anyway button on failure. + + + + + + AllowCollectLogsButton + + + + + + false + This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the device MDM status page. + + + + + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + + false + Do not show the Collect Logs button on the progress page. + + + true + Show the Collect Logs button on the progress page. + + + + + + CustomErrorText + + + + + + + + This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis). + + + + + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + + + + + SkipDeviceStatusPage + + + + + + true + Device only. This node decides whether or not the MDM device progress page skips after AADJ or Hybrid AADJ in OOBE. + + + + + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + + false + Do not skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE + + + true + Skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE + + + + + + SkipUserStatusPage + + + + + + true + Device only. This node decides whether or not the MDM user progress page skips after AADJ or DJ++ after user login. + + + + + + + + + + + + + + + + + 10.0.17134 + 1.5 + + + + false + Do not skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. + + + true + Skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE + + + + + + + EnhancedAppLayerSecurity + + + + + + + + + + + + + + + + + + 10.0.16299 + 1.4 + + + + SecurityMode + + + + + + + + 0 + This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0. 
+ + + + + + + + + + + + + + + 0 + no op + + + 1 + sign only + + + 2 + encrypt only + + + 3 + sign and encrypt + + + + + + UseCertIfRevocationCheckOffline + + + + + + + + false + This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set. + + + + + + + + + + + + + + + false + False + + + true + True + + + + + + Cert0 + + + + + + + + The node contains the primary certificate - the public key to use. + + + + + + + + + + + + + + + + + + Cert1 + + + + + + + + The node contains the secondary certificate - the public key to use. + + + + + + + + + + + + + + + + + + + ConfigLock + + + + + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + Lock + + + + + + + + 0 + This node specifies how the client will perform the lock mode for SecureCore PC. 0: unlock; 1: lock. The default value is 0. + + + + + + + + + + + + + + + 0 + Unlock + + + 1 + Lock + + + + + + UnlockDuration + + + + + + + + 480 + This node, when it is set, tells the client to set how many minutes the device should be temporarily unlocked from SecureCore settings protection. The default value is 480. + + + + + + + + + + + + + + + + + + SecureCore + + + + + The node returns the boolean value whether the device is a SecureCore PC. + + + + + + + + + + + + + + + + + LinkedEnrollment + + + + + The interior node for linked enrollment + + + + + + + + + + + + + + 10.0.22621, 10.0.22000.918, 10.0.19044.2193, 10.0.19043.2193, 10.0.19042.2193 + 1.6 + + + + Priority + + + + + + + + Optional. Allowed value is 0 or 1. 0 means the main enrollment has authority for mdm settings and resources, 1 means the linked enrollment has authority. + + + + + + + + + + + + + + + 0 + The main enrollment has priority over linked enrollment. + + + 1 + The linked enrollment has priority over the main enrollment. + + + + + + LastError + + + + + return the last error for enroll/unenroll. 
+ + + + + + + + + + + + + + + + EnrollStatus + + + + + Returns the current enrollment or un-enrollment status of the linked enrollment. + + + + + + + + + + + + + + + 0 + Undefined + + + 1 + Enrollment Not started. + + + 2 + Enrollment In Progress. + + + 3 + Enrollment Failed. + + + 4 + Enrollment Succeeded. + + + 5 + Unenrollment Not started. + + + 6 + UnEnrollment In Progress. + + + 7 + UnEnrollment Failed. + + + 8 + UnEnrollment Succeeded. + + + + + + Enroll + + + + + Trigger to enroll for the Linked Enrollment + + + + + + + + + + + + + + + + Unenroll + + + + + Trigger Unenroll for the Linked Enrollment + + + + + + + + + + + + + + + + + MultipleSession + + + + + + + + + + + + + + + + + + 10.0.22000 + 1.6 + 0xAF + + + + NumAllowedConcurrentUserSessionForBackgroundSync + + + + + + + + Optional. Maximum number of concurrent user sync sessions in background. Default value is 25. 0 none, 1 sequential, anything else: parallel. + + + + + + + + + + + + + + + + + + NumAllowedConcurrentUserSessionAtUserLogonSync + + + + + + + + Optional. Maximum number of concurrent user sync sessions at User Login. Default value is 25. 0 none, 1 sequential, anything else: parallel. + + + + + + + + + + + + + + + + + + IntervalForScheduledRetriesForUserSession + + + + + + + + + + + + + + + + + + + + + + + + + + NumberOfScheduledRetriesForUserSession + + + + + + + + The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is 0 and IntervalForScheduledRetriesForUserSession is not 0, then the schedule will be set to repeat for an infinite number of times. 
+ + + + + + + + + + + + + + + + + + + Recovery + + + + + Parent node for Recovery nodes + + + + + + + + + + + + + + 10.0.22621, 10.0.22000.1165 + 1.6 + + + + AllowRecovery + + + + + + 0 + This node determines whether or not the client will automatically initiate a MDM Recovery operation when it detects issues with the MDM certificate + + + + + + + + + + + + + + + 1 + MDM Recovery is allowed. + + + 0 + MDM Recovery is not allowed. + + + LastWrite + + + + InitiateRecovery + + + + + 0 + This node initiates a recovery action. The server can specify prerequisites before the action is taken. + + + + + + + + + + + + + + + 0 + Initiate MDM Recovery + + + 1 + Initiate Recovery if Keys are not already protected by the TPM, there is a TPM to put the keys into, AAD keys are protected by TPM, and the TPM is ready for attestation. + + + + + + RecoveryStatus + + + + + 0 + This node tracks the status of a Recovery request from the InitiateRecovery node. 0 - No Recovery request has been processed. 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM is not available. 4 - Recovery has failed to start because AAD keys are not protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM is not ready for attestation. 7 - Recovery has failed because the client cannot authenticate to the server. 8 - Recovery has failed because the server has rejected the client's request. + + + + + + + + + + + + + + + + + + Unenroll + + + + + + > tag under the element. Scope is permanent.]]> + + + + + + + + + + + + + + + + UpdateManagementServiceAddress + + + + + + For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. 
You cannot add new servers to the list using this node. + + + + + + + + + + + + + + + + + + + HWDevID + + + + + Returns the hardware device ID. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + ``` + +## Related articles + +[DMClient configuration service provider reference](dmclient-csp.md) diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index 241e6803a9..9bb47acd36 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -7,9 +7,11 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/26/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # DynamicManagement CSP diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 35f29d23a7..7f96c29f4f 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -1,7 +1,7 @@ --- title: EAP configuration description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article 
@@ -19,45 +19,45 @@ This article provides a step-by-step guide for creating an Extensible Authentica To get the EAP configuration from your desktop using the rasphone tool that is shipped in the box: -1. Run rasphone.exe. +1. Run rasphone.exe. ![vpnv2 rasphone.](images/vpnv2-csp-rasphone.png) -1. If you don't currently have a VPN connection and you see the following message, select **OK**. +1. If you don't currently have a VPN connection and you see the following message, select **OK**. ![vpnv2 csp network connections.](images/vpnv2-csp-networkconnections.png) -1. In the wizard, select **Workplace network**. +1. In the wizard, select **Workplace network**. ![vpnv2 csp set up connection.](images/vpnv2-csp-setupnewconnection.png) -1. Enter an Internet address and connection name. These details can be fake since it doesn't impact the authentication parameters. +1. Enter an Internet address and connection name. These details can be fake since it doesn't impact the authentication parameters. ![vpnv2 csp set up connection 2.](images/vpnv2-csp-setupnewconnection2.png) -1. Create a fake VPN connection. In the UI shown here, select **Properties**. +1. Create a fake VPN connection. In the UI shown here, select **Properties**. ![vpnv2 csp choose nw connection.](images/vpnv2-csp-choosenetworkconnection.png) -1. In the **Test Properties** dialog, select the **Security** tab. +1. In the **Test Properties** dialog, select the **Security** tab. ![vpnv2 csp test props.](images/vpnv2-csp-testproperties.png) -1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**. +1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**. ![vpnv2 csp test props2.](images/vpnv2-csp-testproperties2.png) -1. From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed. +1. 
From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed. ![vpnv2 csp test props3.](images/vpnv2-csp-testproperties3.png)![vpnv2 csp test props4](images/vpnv2-csp-testproperties4.png) -1. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML. +1. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML. ```powershell Get-VpnConnection -Name Test ``` - Here's an example output. + Here's an example output. ``` syntax Name : Test @@ -88,26 +88,46 @@ To get the EAP configuration from your desktop using the rasphone tool that is s Here's an example output. ```xml - 1300013truefalsefalsetrue - true + + + 13 + 0 + 0 + 0 + + + + 13 + + + + true + + + + false + + + false + true + true + + + + + + + + + + ``` > [!NOTE] > You should check with Mobile Device Management (MDM) vendor, if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations: - > - C:\\Windows\\schemas\\EAPHost - > - C:\\Windows\\schemas\\EAPMethods - + > + > - C:\\Windows\\schemas\\EAPHost + > - C:\\Windows\\schemas\\EAPMethods ## EAP certificate filtering 
@@ -115,15 +135,15 @@ In your deployment, if you have multiple certificates provisioned on the device Enterprises deploying certificate-based EAP authentication for VPN and Wi-Fi can encounter a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as: -- The user might be prompted to select the certificate. -- The wrong certificate might be auto-selected and cause an authentication failure. +- The user might be prompted to select the certificate. +- The wrong certificate might be auto-selected and cause an authentication failure. A production ready deployment must have appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP configuration XML such that the extraneous certificates are filtered out and appropriate certificate can be used for the authentication. EAP XML must be updated with relevant information for your environment. This task can be done manually by editing the following XML sample or by using the step-by-step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: -- For Wi-Fi, look for the `` section of your current WLAN Profile XML. (This section is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags, you'll find the complete EAP configuration. Replace the section under `` with your updated XML and update your Wi-Fi profile. You can refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. -- For VPN, EAP configuration is a separate field in the MDM configuration. Work with your MDM provider to identify and update the appropriate field. +- For Wi-Fi, look for the `` section of your current WLAN Profile XML. (This section is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags, you'll find the complete EAP configuration. 
Replace the section under `` with your updated XML and update your Wi-Fi profile. You can refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. +- For VPN, EAP configuration is a separate field in the MDM configuration. Work with your MDM provider to identify and update the appropriate field. For information about EAP settings, see . @@ -135,23 +155,22 @@ For information about adding EKU to a certificate, see [!NOTE] > For PEAP or TTLS profiles, the EAP TLS XML is embedded within some PEAP-specific or TTLS-specific elements. -  ```xml 
@@ -254,36 +273,32 @@ The following XML sample explains the properties for the EAP TLS XML, including > [!NOTE] > The EAP TLS XSD is located at %systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd. -  Alternatively, you can use the following procedure to create an EAP configuration XML: -1. Follow steps 1 through 7 in the EAP configuration article. -1. In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this value selects EAP TLS). +1. Follow steps 1 through 7 in the EAP configuration article. +1. In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this value selects EAP TLS). ![vpn self host properties window.](images/certfiltering1.png) > [!NOTE] > For PEAP or TTLS, select the appropriate method and continue following this procedure. -   - -1. Select the **Properties** button underneath the drop-down menu. -1. On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. +1. Select the **Properties** button underneath the drop-down menu. +1. On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. ![smart card or other certificate properties window.](images/certfiltering2.png) -1. On the **Configure Certificate Selection** menu, adjust the filters as needed. +1. On the **Configure Certificate Selection** menu, adjust the filters as needed. ![configure certificate window.](images/certfiltering3.png) -1. Select **OK** to close the windows and get back to the main rasphone.exe dialog box. -1. Close the rasphone dialog box. -1. Continue following the procedure in the EAP configuration article from step 9 to get an EAP TLS profile with appropriate filtering. +1. Select **OK** to close the windows and get back to the main rasphone.exe dialog box. +1. Close the rasphone dialog box. +1. 
Continue following the procedure in the EAP configuration article from step 9 to get an EAP TLS profile with appropriate filtering. > [!NOTE] > You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)) article. - ## Related topics [Configuration service provider reference](index.yml) diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index 31d99fa377..877d121472 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md 
@@ -1,336 +1,1479 @@
---
title: EMAIL2 CSP
-description: Learn how the EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
-ms.reviewer:
+description: Learn more about the EMAIL2 CSP.
+author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 02/28/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 06/26/2017
+ms.topic: reference
---
+
+
+
# EMAIL2 CSP
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
+
+
The EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
-> [!Note]
+> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_MAIL capabilities to be accessed from a network configuration application.
-On Windows client, only per user configuration is supported. 
-
-The following information shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
-
-```console
-./Vendor/MSFT
-EMAIL2
-----Account GUID
---------ACCOUNTICON
---------ACCOUNTTYPE
---------AUTHNAME
---------AUTHREQUIRED
---------AUTHSECRET
---------DOMAIN
---------DWNDAY
---------INSERVER
---------LINGER
---------KEEPMAX
---------NAME
---------OUTSERVER
---------REPLYADDR
---------SERVICENAME
---------SERVICETYPE
---------RETRIEVE
---------SERVERDELETEACTION
---------CELLULARONLY
---------SYNCINGCONTENTTYPES
---------CONTACTSSERVER
---------CALENDARSERVER
---------CONTACTSSERVERREQUIRESSL
---------CALENDARSERVERREQUIRESSL
---------CONTACTSSYNCSCHEDULE
---------CALENDARSYNCSCHEDULE
---------SMTPALTAUTHNAME
---------SMTPALTDOMAIN
---------SMTPALTENABLED
---------SMTPALTPASSWORD
---------TAGPROPS
-------------8128000B
-------------812C000B
-```
-
-After provisioning, the **Start** screen has a tile for the proprietary mail provider and there's also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status.
-
-Configuration data isn't encrypted when sent over the air (OTA). This is a potential security risk when sending sensitive configuration data, such as passwords.
-
> [!IMPORTANT]
> All Add and Replace commands need to be wrapped in an Atomic section.
+
-**EMAIL2**
-The configuration service provider root node.
+
+The following list shows the EMAIL2 configuration service provider nodes:
-Supported operation is Get.
+- ./User/Vendor/MSFT/EMAIL2
+ - [{Account GUID}](#account-guid)
+ - [ACCOUNTICON](#account-guidaccounticon)
+ - [ACCOUNTTYPE](#account-guidaccounttype)
+ - [AUTHNAME](#account-guidauthname)
+ - [AUTHREQUIRED](#account-guidauthrequired)
+ - [AUTHSECRET](#account-guidauthsecret)
+ - [CALENDARSERVER](#account-guidcalendarserver)
+ - [CALENDARSERVERREQUIRESSL](#account-guidcalendarserverrequiressl)
+ - [CALENDARSYNCSCHEDULE](#account-guidcalendarsyncschedule)
+ - [CELLULARONLY](#account-guidcellularonly)
+ - [CONTACTSSERVER](#account-guidcontactsserver)
+ - [CONTACTSSERVERREQUIRESSL](#account-guidcontactsserverrequiressl)
+ - [CONTACTSSYNCSCHEDULE](#account-guidcontactssyncschedule)
+ - [DOMAIN](#account-guiddomain)
+ - [DWNDAY](#account-guiddwnday)
+ - [INSERVER](#account-guidinserver)
+ - [KEEPMAX](#account-guidkeepmax)
+ - [LINGER](#account-guidlinger)
+ - [NAME](#account-guidname)
+ - [OUTSERVER](#account-guidoutserver)
+ - [REPLYADDR](#account-guidreplyaddr)
+ - [RETRIEVE](#account-guidretrieve)
+ - [SERVERDELETEACTION](#account-guidserverdeleteaction)
+ - [SERVICENAME](#account-guidservicename)
+ - [SERVICETYPE](#account-guidservicetype)
+ - [SMTPALTAUTHNAME](#account-guidsmtpaltauthname)
+ - [SMTPALTDOMAIN](#account-guidsmtpaltdomain)
+ - [SMTPALTENABLED](#account-guidsmtpaltenabled)
+ - [SMTPALTPASSWORD](#account-guidsmtpaltpassword)
+ - [SYNCINGCONTENTTYPES](#account-guidsyncingcontenttypes)
+ - [TAGPROPS](#account-guidtagprops)
+ - [8128000B](#account-guidtagprops8128000b)
+ - [812C000B](#account-guidtagprops812c000b)
+
-***GUID***
-Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one doesn't create the new account and Add command will fail in this case.
+
+## {Account GUID}
-Supported operations are Get, Add, and Delete.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID} +``` + + + + +This is unique and identifies a particular account. Also, we can only have 6 additional email accounts. So, depending on how many are already there on the device, we can have from 1 to 6. + + + + +A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one doesn't create the new account and Add command will fail in this case. The braces {} around the GUID are required in the EMAIL2 configuration service provider. - For OMA Client Provisioning, the braces can be sent literally. For example, `` - For OMA DM, the braces must be sent using ASCII values of 0x7B and 0x7D respectively. For example, `./Vendor/MSFT/EMAIL2/0x7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0x7D` + -**ACCOUNTICON** -Optional. Returns the location of the icon associated with the account. + +**Description framework properties**: -Supported operations are Get, Add, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | +| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | + -The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings, email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added. + + + -**ACCOUNTTYPE** -Required. Specifies the type of account. 
+ -Supported operations are Get, Add, Replace, and Delete. + +### {Account GUID}/ACCOUNTICON -Valid values are: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -- Email: Normal email -- VVM: Visual voice mail + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/ACCOUNTICON +``` + -**AUTHNAME** -Required. Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name). + + +The location of the icon associated with the account. The account icon can be used as a tile in the Start list or an icon in the applications list under Settings, email & accounts. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{ScreenResolution}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{ScreenResolution}!%s.office.outlook.png. Custom icons can be added if desired. + -Supported operations are Get, Add, Replace, and Delete. + + + -**AUTHREQUIRED** -Optional. Character string that specifies whether the outgoing server requires authentication. + +**Description framework properties**: -Supported operations are Get, Add, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Value options are: + + + -- 0 - Server authentication isn't required. -- 1 - Server authentication is required. + + + +### {Account GUID}/ACCOUNTTYPE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/ACCOUNTTYPE +``` + + + + +Specifies the type of account. Valid values are: Email - normal email, VVM - visual voice mail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| Email | Normal email. | +| VVM | Visual voice mail. | + + + + + + + + + +### {Account GUID}/AUTHNAME + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/AUTHNAME +``` + + + + +Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/AUTHREQUIRED + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/AUTHREQUIRED +``` + + + + +Character string that specifies whether the outgoing server requires authentication. +1 for TRUE +0 for FALSE(default). > [!NOTE] -> If this value isn't specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED. +> If this is not specified then SMTP authentication will not be done. Also, this is different from the SMTPALTENABLED. That is to specify different set of credentials for SMTP. + -**AUTHSECRET** -Optional. Character string that specifies the user's password. The same password is used for SMTP authentication. + + + -Supported operations are Get, Add, Replace, and Delete. + +**Description framework properties**: -**DOMAIN** -Optional. Character string that specifies the incoming server credentials domain. Limited to 255 characters. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Supported operations are Get, Add, Replace, and Delete. + +**Allowed values**: -**DWNDAY** -Optional. Character string that specifies how many days' worth of email should be downloaded from the server. +| Value | Description | +|:--|:--| +| 0 | Server authentication is not required. | +| 1 | Server authentication is required. | + -Supported operations are Get, Add, Replace, and Delete. + + + -Value options: + -- -1: Specifies that all email currently on the server should be downloaded. -- 7: Specifies that seven days’ worth of email should be downloaded. -- 14: Specifies that 14 days’ worth of email should be downloaded. -- 30: Specifies that 30 days’ worth of email should be downloaded. + +### {Account GUID}/AUTHSECRET -**INSERVER** -Required. Character string that specifies the name of the incoming server name and port number. This string is limited to 62 characters. 
If the standard port number is used, then you don't have to specify the port number. The value format is: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -- server name:port number + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/AUTHSECRET +``` + -Supported operations are Get, Add, and Replace. + + +Character string that specifies the user's password. The same password is used for SMTP authentication. + -**LINGER** -Optional. Character string that specifies the length of time between email send/receive updates in minutes. + + + -Supported operations are Get, Add, Replace, and Delete. + +**Description framework properties**: -Value options: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- 0 - Email updates must be performed manually -- 15 (default) - Wait for 15 minutes between updates -- 30 - Wait for 30 minutes between updates -- 60 - Wait for 60 minutes between updates -- 120 - Wait for 120 minutes between updates. + + + -**KEEPMAX** -Optional. Specifies the maximum size for a message attachment. Attachments beyond this size will not be downloaded but it will remain on the server. The message itself will be downloaded. This value can be set only for IMAP4 accounts. + -The limit is specified in KB. + +### {Account GUID}/CALENDARSERVER -Value options are 0, 25, 50, 125, and 250. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -A value of 0 meaning that no limit will be enforced. + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/CALENDARSERVER +``` + -Supported operations are Get, Add, Replace, and Delete. + + +Server for calendar sync if it is different from the email server. + -**NAME** -Optional. Character string that specifies the name of the sender displayed on a sent email. It should be set to the user’s name. Limited to 255 characters. + + + -Supported operations are Get, Add, Replace, and Delete. + +**Description framework properties**: -**OUTSERVER** -Required. Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- server name:port number + + + -Supported operations are Get, Add, Delete, and Replace. + -**REPLYADDR** -Required. Character string that specifies the reply email address of the user (usually the same as the user email address). Sending email will fail without it. Limited to 255 characters. + +### {Account GUID}/CALENDARSERVERREQUIRESSL -Supported operations are Get, Add, Delete, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**SERVICENAME** -Required. Character string that specifies the name of the email service to create or edit (32 characters maximum). + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/CALENDARSERVERREQUIRESSL +``` + -Supported operations are Get, Add, Replace, and Delete. + + +Indicates if the connection to the calendar server requires SSL. + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/CALENDARSYNCSCHEDULE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/CALENDARSYNCSCHEDULE +``` + + + + +Sets the schedule for syncing calendar items. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/CELLULARONLY + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/CELLULARONLY +``` + + + + +If this flag is set, the account only uses the cellular network and not Wi-Fi. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/CONTACTSSERVER + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/CONTACTSSERVER +``` + + + + +Server for contact sync if it is different from the email server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/CONTACTSSERVERREQUIRESSL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/CONTACTSSERVERREQUIRESSL +``` + + + + +Indicates if the connection to the contact server requires SSL. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/CONTACTSSYNCSCHEDULE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/CONTACTSSYNCSCHEDULE +``` + + + + +Sets the schedule for syncing contact items. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/DOMAIN + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/DOMAIN +``` + + + + +Character string that specifies the incoming server credentials domain. Limited to 255 characters. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/DWNDAY + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/DWNDAY +``` + + + + +Character string that specifies how many days' worth of email should be downloaded from the server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| -1 | Specifies that all email currently on the server should be downloaded. | +| 7 | Specifies that 7 days’ worth of email should be downloaded. | +| 14 | Specifies that 14 days’ worth of email should be downloaded. | +| 30 | Specifies that 30 days’ worth of email should be downloaded. | +| 90 | Specifies that 90 days’ worth of email should be downloaded. | + + + + + + + + + +### {Account GUID}/INSERVER + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/INSERVER +``` + + + + +Character string that specifies how many days' worth of email should be downloaded from the server. server name:port number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/KEEPMAX + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/KEEPMAX +``` + + + + +Specifies the maximum size for a message attachment. Attachments beyond this size will not be downloaded but it will remain on the server. The message itself will be downloaded. This value can be set only for IMAP4 accounts. The limit is specified in KB. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| -1 | No limit is enforced. | +| 0 | No attachment is downloaded. | +| 25 | 25 KB. | +| 50 | 50 KB. | +| 100 | 100 KB. | +| 250 | 250 KB. | + + + + + + + + + +### {Account GUID}/LINGER + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/LINGER +``` + + + + +Character string that specifies the length of time between email send/receive updates in minutes. 0 indicates that updates must be performed manually. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[(-1)-2147483647]` | +| Default Value | 15 | + + + + + + + + + +### {Account GUID}/NAME + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/NAME +``` + + + + +Character string that specifies the name of the sender displayed on a sent email. It should be set to the user's name. Limited to 255 characters. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/OUTSERVER + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/OUTSERVER +``` + + + + +Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is: server name:port number. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/REPLYADDR + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/REPLYADDR +``` + + + + +Character string that specifies the reply email address of the user (usually the same as the user email address). Sending email will fail without it. Limited to 255 characters. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### {Account GUID}/RETRIEVE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/RETRIEVE +``` + + + + +Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[(-1)-2147483647]` | + + + + + + + + + +### {Account GUID}/SERVERDELETEACTION + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SERVERDELETEACTION +``` + + + + +Character string that specifies how message is deleted on server. The default action depends on the transport. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Delete message on the server. | +| 2 | Keep the message on the server (delete to the Trash folder). | + + + + + + + + + +### {Account GUID}/SERVICENAME + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SERVICENAME +``` + + + + +Character string that specifies the name of the email service to create or edit (32 characters maximum). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + > [!NOTE] > The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created. + -**SERVICETYPE** -Required. Character string that specifies the type of email service to create or edit (for example, "IMAP4" or "POP3"). + -Supported operations are Get, Add, Replace, and Delete. + +### {Account GUID}/SERVICETYPE -> **Note**   The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**RETRIEVE** -Optional. Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated. + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SERVICETYPE +``` + -Value options are 512, 1024, 2048, 5120, 20480, and 51200. + + +Character string that specifies the type of email service to create or edit (for example, "IMAP4" or "POP3"). + -Supported operations are Get, Add, Replace, and Delete. + + +> [!NOTE] +> The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created. + -**SERVERDELETEACTION** -Optional. Character string that specifies how message is deleted on server. Value options are: + +**Description framework properties**: -- 1 - Delete message on the server. -- 2 - Keep the message on the server (delete to the Trash folder). +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Any other value results in default action, which depends on the transport. + + + -Supported operations are Get, Add, Replace, and Delete. + -**CELLULARONLY** -Optional. If this flag is set, the account only uses the cellular network and not Wi-Fi. + +### {Account GUID}/SMTPALTAUTHNAME -Value type is string. Supported operations are Get, Add, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**SYNCINGCONTENTTYPES** -Required. Specifies a bitmask for which content types are supported for syncing, like Mail, Contacts, and Calendar. + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SMTPALTAUTHNAME +``` + -- No data (0x0) -- Contacts (0x1) -- Mail (0x2) -- Appointments (0x4) -- Tasks (0x8) -- Notes (0x10) -- Feeds (0x60) -- Network Photo (0x180) -- Group and room (0x200) -- Chat (0x400) -- Email Recipient Email (0x800) -- Server Link (0x1000) -- All items (0xffffffff) + + +Character string that specifies the display name associated with the user's alternative SMTP email account. + -Supported operations are Get, Add, Replace, and Delete. + + + -**CONTACTSSERVER** -Optional. Server for contact sync if it's different from the email server. + +**Description framework properties**: -Supported operations are Get, Add, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -**CALENDARSERVER** -Optional. Server for calendar sync if it's different from the email server. + + + -Supported operations are Get, Add, Replace, and Delete. + -**CONTACTSSERVERREQUIRESSL** -Optional. Indicates if the connection to the contact server requires SSL. + +### {Account GUID}/SMTPALTDOMAIN -Supported operations are Get, Add, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**CALENDARSERVERREQUIRESSL** -Optional. Indicates if the connection to the calendar server requires SSL. + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SMTPALTDOMAIN +``` + -Supported operations are Get, Add, Replace, and Delete. + + +Character string that specifies the domain name for the user's alternative SMTP account. + -**CONTACTSSYNCSCHEDULE** -Optional. Sets the schedule for syncing contact items. + + + -Supported operations are Get, Add, Replace, and Delete. + +**Description framework properties**: -**CALENDARSYNCSCHEDULE** -Optional. Sets the schedule for syncing calendar items. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Supported operations are Get, Add, Replace, and Delete. + + + -**SMTPALTAUTHNAME** -Optional. Character string that specifies the display name associated with the user's alternative SMTP email account. + -Supported operations are Get, Add, Replace, and Delete. + +### {Account GUID}/SMTPALTENABLED -**SMTPALTDOMAIN** -Optional. Character string that specifies the domain name for the user's alternative SMTP account. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -Supported operations are Get, Add, Replace, and Delete. + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SMTPALTENABLED +``` + -**SMTPALTENABLED** -Optional. Character string that specifies if the user's alternate SMTP account is enabled. + + +Character string that specifies if the user's alternate SMTP account is enabled. + -Supported operations are Get, Add, Replace, and Delete. + + + -A value of "FALSE" means the user's alternate SMTP email account is disabled. A value of "TRUE" means that the user's alternate SMTP email account is enabled. + +**Description framework properties**: -**SMTPALTPASSWORD** -Optional. Character string that specifies the password for the user's alternate SMTP account. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Supported operations are Get, Add, Replace, and Delete. + +**Allowed values**: -**TAGPROPS** -Optional. Defines a group of properties with non-standard element names. +| Value | Description | +|:--|:--| +| 0 | The user's alternate SMTP email account is disabled. | +| 1 | The user's alternate SMTP email account is enabled. | + -Supported operations are Get, Add, Replace, and Delete. + + + -**TAGPROPS/8128000B** -Optional. Character string that specifies if the incoming email server requires SSL. + -Supported operations are Get, Add, Replace, and Delete. + +### {Account GUID}/SMTPALTPASSWORD -Value options are: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -- 0 - SSL isn't required. -- 1 - SSL is required. + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SMTPALTPASSWORD +``` + -**TAGPROPS/812C000B** -Optional. Character string that specifies if the outgoing email server requires SSL. + + +Character string that specifies the password for the user's alternate SMTP account. + -Supported operations are Get and Replace. + + + -Value options: + +**Description framework properties**: -- 0 - SSL isn't required. -- 1 - SSL is required. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + +### {Account GUID}/SYNCINGCONTENTTYPES + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/SYNCINGCONTENTTYPES +``` + + + + +Specifies a bitmask for which content types are supported for syncing (eg: Mail, Contacts, Calendar). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Flag | Description | +|:--|:--| +| 0x0 | No data. | +| 0x1 | Contacts. | +| 0x2 | Mail. | +| 0x4 | Appointments. | +| 0x8 | Tasks. | +| 0x10 | Notes. | +| 0x60 | Feeds. | +| 0x180 | Network Photo. | +| 0x200 | Group and room. | +| 0x400 | Chat. | +| 0x800 | Email Recipient Email. | +| 0x1000 | Server Link. | +| 0xffffffff | All items. | + + + + + + + + + +### {Account GUID}/TAGPROPS + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/TAGPROPS +``` + + + + +Specifies that stated parameter element name attributes is nonstandard tag properties. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### {Account GUID}/TAGPROPS/8128000B + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/TAGPROPS/8128000B +``` + + + + +Character string that specifies if the incoming email server requires SSL. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | SSL is not required. | +| 1 | SSL is required. | + + + + + + + + + +#### {Account GUID}/TAGPROPS/812C000B + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/EMAIL2/{Account GUID}/TAGPROPS/812C000B +``` + + + + +Character string that specifies if the outgoing email server requires SSL. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | SSL is not required. | +| 1 | SSL is required. | + + + + + + + + + + ## Remarks When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted. All messages and other properties that the transport (like Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored). @@ -349,7 +1492,10 @@ If the connection to the mail server is initiated with deferred SSL, the mail se 4. If the user didn't select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection 5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities. 6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, then the device enables TLS. TLS isn't enabled on connections using SSL or non-SSL. + + + ## Related articles -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) 
diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md index cda01b7a53..20e168d936 100644 --- a/windows/client-management/mdm/email2-ddf-file.md +++ b/windows/client-management/mdm/email2-ddf-file.md 
@@ -1,39 +1,986 @@ --- title: EMAIL2 DDF file -description: Learn how the OMA DM device description framework (DDF) for the EMAIL2 configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the EMAIL2 configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/21/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # EMAIL2 DDF file -This topic shows the OMA DM device description framework (DDF) for the **EMAIL2** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the EMAIL2 configuration service provider. ```xml -]> +]> 1.2 + + + + EMAIL2 + ./User/Vendor/MSFT + + + + + Root node + + + + + + + + + + + + + + 10.0.10240 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + + + + + + + + + + + This is unique and identifies a particular account. Also, we can only have 6 additional email accounts. So, depending on how many are already there on the device, we can have from 1 to 6. + + + + + + + + + + Account GUID + + + + + + + + \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + + - EMAIL2 - ./Vendor/MSFT + ACCOUNTICON + + + - Root characteristic + + + + + + + + + + + + + + + + + + + ACCOUNTTYPE + + + + + + + + Specifies the type of account. 
Valid values are: Email - normal email, VVM - visual voice mail + + + + + + + + + + + + + + + Email + normal email + + + VVM + visual voice mail + + + + + + AUTHNAME + + + + + + + + Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name). + + + + + + + + + + + + + + + + + + AUTHREQUIRED + + + + + + + + Character string that specifies whether the outgoing server requires authentication. + 1 for TRUE + 0 for FALSE(default). + Note: If this is not specified then SMTP authentication will not be done. Also, this is different from the SMTPALTENABLED. That is to specify different set of credentials for SMTP. + + + + + + + + + + + + + + + + 0 + Server authentication is not required. + + + 1 + Server authentication is required. + + + + + + AUTHSECRET + + + + + + + + Character string that specifies the user's password. The same password is used for SMTP authentication. + + + + + + + + + + + + + + + + + + DOMAIN + + + + + + + + Character string that specifies the incoming server credentials domain. Limited to 255 characters. + + + + + + + + + + + + + + + + + + DWNDAY + + + + + + + + Character string that specifies how many days' worth of email should be downloaded from the server. + + + + + + + + + + + + + + + -1 + Specifies that all email currently on the server should be downloaded. + + + 7 + Specifies that 7 days’ worth of email should be downloaded. + + + 14 + Specifies that 14 days’ worth of email should be downloaded. + + + 30 + Specifies that 30 days’ worth of email should be downloaded. + + + 90 + Specifies that 90 days’ worth of email should be downloaded. + + + + + + INSERVER + + + + + + + + Character string that specifies how many days' worth of email should be downloaded from the server. server name:port number + + + + + + + + + + + + + + + + + + LINGER + + + + + + + + 15 + Character string that specifies the length of time between email send/receive updates in minutes. 
0 indicates that updates must be performed manually. + + + + + + + + + + + + + + [(-1)-2147483647] + + + + + KEEPMAX + + + + + + + + Specifies the maximum size for a message attachment. Attachments beyond this size will not be downloaded but it will remain on the server. The message itself will be downloaded. This value can be set only for IMAP4 accounts. The limit is specified in KB. + + + + + + + + + + + + + + + -1 + No limit is enforced + + + 0 + No attachment is downloaded + + + 25 + 25 KB + + + 50 + 50 KB + + + 100 + 100 KB + + + 250 + 250 KB + + + + + + NAME + + + + + + + + Character string that specifies the name of the sender displayed on a sent email. It should be set to the user’s name. Limited to 255 characters. + + + + + + + + + + + + + + + + + + OUTSERVER + + + + + + + + Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is: server name:port number + + + + + + + + + + + + + + + + + + REPLYADDR + + + + + + + + Character string that specifies the reply email address of the user (usually the same as the user email address). Sending email will fail without it. Limited to 255 characters. + + + + + + + + + + + + + + + + + + SERVICENAME + + + + + + + + Character string that specifies the name of the email service to create or edit (32 characters maximum). + + + + + + + + + + + + + + + + + + SERVICETYPE + + + + + + + + Character string that specifies the type of email service to create or edit (for example, "IMAP4" or "POP3"). + + + + + + + + + + + + + + + + + + RETRIEVE + + + + + + + + Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated. + + + + + + + + + + + + + + [(-1)-2147483647] + + + + + SERVERDELETEACTION + + + + + + + + Character string that specifies how message is deleted on server. The default action depends on the transport. 
+ + + + + + + + + + + + + + + 1 + delete message on the server + + + 2 + keep the message on the server (delete to the Trash folder). + + + + + + CELLULARONLY + + + + + + + + If this flag is set, the account only uses the cellular network and not Wi-Fi. + + + + + + + + + + + + + + + + + + SYNCINGCONTENTTYPES + + + + + + + + Specifies a bitmask for which content types are supported for syncing (eg: Mail, Contacts, Calendar). + + + + + + + + + + + + + + + 0x0 + No data + + + 0x1 + Contacts + + + 0x2 + Mail + + + 0x4 + Appointments + + + 0x8 + Tasks + + + 0x10 + Notes + + + 0x60 + Feeds + + + 0x180 + Network Photo + + + 0x200 + Group and room + + + 0x400 + Chat + + + 0x800 + Email Recipient Email + + + 0x1000 + Server Link + + + 0xffffffff + All items + + + + + + CONTACTSSERVER + + + + + + + + Server for contact sync if it is different from the email server. + + + + + + + + + + + + + + + + + + CALENDARSERVER + + + + + + + + Server for calendar sync if it is different from the email server. + + + + + + + + + + + + + + + + + + CONTACTSSERVERREQUIRESSL + + + + + + + + Indicates if the connection to the contact server requires SSL. + + + + + + + + + + + + + + + + + + CALENDARSERVERREQUIRESSL + + + + + + + + Indicates if the connection to the calendar server requires SSL. + + + + + + + + + + + + + + + + + + CONTACTSSYNCSCHEDULE + + + + + + + + Sets the schedule for syncing contact items. + + + + + + + + + + + + + + + + + + CALENDARSYNCSCHEDULE + + + + + + + + Sets the schedule for syncing calendar items. + + + + + + + + + + + + + + + + + + SMTPALTAUTHNAME + + + + + + + + Character string that specifies the display name associated with the user's alternative SMTP email account. + + + + + + + + + + + + + + + + + + SMTPALTDOMAIN + + + + + + + + Character string that specifies the domain name for the user's alternative SMTP account. 
+ + + + + + + + + + + + + + + + + + SMTPALTENABLED + + + + + + + + Character string that specifies if the user's alternate SMTP account is enabled. + + + + + + + + + + + + + + + 0 + The user's alternate SMTP email account is disabled. + + + 1 + The user's alternate SMTP email account is enabled. + + + + + + SMTPALTPASSWORD + + + + + + + + Character string that specifies the password for the user's alternate SMTP account. + + + + + + + + + + + + + + + + + + TAGPROPS + + + + + + + + Specifies that stated parameter element name attributes is nonstandard tag properties. 
@@ -41,839 +988,86 @@ The XML below is the current version for this CSP. - + - com.microsoft/1.0/MDM/EMAIL2 + - + 8128000B - - + + - This is unique and identifies a particular account. Also, we can only have 6 additional email accounts. So, depending on how many are already there on the device, we can have from 1 to 6. + Character string that specifies if the incoming email server requires SSL. - + - 1 + - Account GUID - + + + + 0 + SSL is not required. + + + 1 + SSL is required. + + + + + + 812C000B + + + + + + + + Character string that specifies if the outgoing email server requires SSL. + + + + + + + + + + + + + + + 0 + SSL is not required. + + + 1 + SSL is required. + + - - ACCOUNTICON - - - - - - - - The location of the icon associated with the account. - - - - - - - - - - - text/plain - - - - - ACCOUNTTYPE - - - - - - - - Specifies the type of account. Valid values are: Email - normal email, VVM - visual voice mail - - - - - - - - - - - text/plain - - - - - AUTHNAME - - - - - - - - User Name for Incoming server. Limited to 255 chars. - - - - - - - - - - - text/plain - - - - - AUTHREQUIRED - - - - - - - - This will specify whether the outgoing server requires authentication. - 1 for TRUE - 0 for FALSE(default). - Note: If this is not specified then SMTP authentication will not be done. Also, this is different from the SMTPALTENABLED. That is to specify different set of credentials for SMTP. - - - - - - - - - - - - text/plain - - - - - AUTHSECRET - - - - - - - - Password. Limited to 255 chars. - - - - - - - - - - - text/plain - - - - - DOMAIN - - - - - - - - Incoming server credentials domain. Limited to 255 chars. - - - - - - - - - - - text/plain - - - - - DWNDAY - - - - - - - - Specifies how many days of email to download. (number of days worth going back into the past) - - - - - - - - - - - text/plain - - - - - INSERVER - - - - - - - - The incoming server name and port number. Limited to 62 chars. 
If the standard port number is used, the port number isn't necessary to be specified in this node. The value format is: - Server name:port number - - - - - - - - - - - - text/plain - - - - - LINGER - - - - - - - - Specifies how frequently Messaging performs scheduled send/receives. (Specified as the length of time in minutes, between updates.) - - - - - - - - - - - text/plain - - - - - KEEPMAX - - - - - - - - Specifies the maximum size for a message's attachment. (Attachments beyond this size will not be downloaded but will remain on the server. The message itself will be downloaded). This value can be set only for IMAP4 accounts. The limit is specified in KB, with a value of 0 meaning that no limit will be enforced. - - - - - - - - - - - text/plain - - - - - NAME - - - - - - - - User Display Name. Limited to 255 chars - - - - - - - - - - - text/plain - - - - - OUTSERVER - - - - - - - - The outcoming server name and port number. Limited to 62 chars. The value format is: - Server name:port number - If the standard port number is used, the port number isn't necessary to be specified in this node. - - - - - - - - - - - - text/plain - - - - - REPLYADDR - - - - - - - - SMTP reply address of the user. Limited to 255 chars. - - - - - - - - - - - text/plain - - - - - SERVICENAME - - - - - - - - This is the account name. It's limited to 32 characters. - - - - - - - - - - - text/plain - - - - - SERVICETYPE - - - - - - - - This is the type of account. Valid values are POP3/IMAP4. - - - - - - - - - - - text/plain - - - - - RETRIEVE - - - - - - - - Specifies the maximum size(in bytes) for messages retrieved from the incoming email server. Messages beyond this size will still be retrieved, but will be truncated. - - - - - - - - - - - text/plain - - - - - SERVERDELETEACTION - - - - - - - - Specifies how message is deleted on server. 
- 1 for delete message on server, - 2 for keep the message on server (delete to Trash folder), - any other value default action is used, which depends on the transport. - - - - - - - - - - - - text/plain - - - - - CELLULARONLY - - - - - - - - If this flag is set, the account uses cellular network only and not Wi-Fi. - - - - - - - - - - - text/plain - - - - - SYNCINGCONTENTTYPES - - - - - - - - Specifies a bitmask for which content types are supported for syncing (eg: Mail, Contacts, Calendar). No data (0x0), Contacts (0x1), Mail (0x2), Appointments (0x4), Tasks (0x8), Notes (0x10), Feeds (0x60), Network Photo (0x180), Group and room (0x200), Chat (0x400), Email Recipient Email (0x800), Server Link (0x1000), All items (0xffffffff). - - - - - - - - - - - text/plain - - - - - CONTACTSSERVER - - - - - - - - Server for contact sync if it is different from the email server. - - - - - - - - - - - text/plain - - - - - CALENDARSERVER - - - - - - - - Server for calendar sync if it is different from the email server. - - - - - - - - - - - text/plain - - - - - CONTACTSSERVERREQUIRESSL - - - - - - - - Defines if the connection to the contact server requires SSL. - - - - - - - - - - - text/plain - - - - - CALENDARSERVERREQUIRESSL - - - - - - - - Defines if the connection to the calendar server requires SSL. - - - - - - - - - - - text/plain - - - - - CONTACTSSYNCSCHEDULE - - - - - - - - Sets the schedule for syncing contact items. - - - - - - - - - - - text/plain - - - - - CALENDARSYNCSCHEDULE - - - - - - - - Sets the schedule for syncing calendar items. - - - - - - - - - - - text/plain - - - - - SMTPALTAUTHNAME - - - - - - - - If SMTPALTENABLED is true, then this will have the alternate User Name for SMTP. 255 chars. - - - - - - - - - - - text/plain - - - - - SMTPALTDOMAIN - - - - - - - - If SMTPALTENABLED is true, then this will have the alternate domain for SMTP. 255 chars. 
- - - - - - - - - - - text/plain - - - - - SMTPALTENABLED - - - - - - - - This is a bool value that specifies if we have separate SMTP credentials. -1 for true -0 for false (default) - - - - - - - - - - - text/plain - - - - - SMTPALTPASSWORD - - - - - - - - If SMTPALTENABLED is true, then this will have the alternate password for SMTP. 255 chars. - - - - - - - - - - - text/plain - - - - - TAGPROPS - - - - - - - - Specifies that stated parameter element name attributes is nonstandard tag properties. - - - - - - - - - - - - - - - 8128000B - - - - - - - - Specify whether incoming server requires SSL connection. -1- Require SSL connection -0- Doesn't require SSL connection (default) - - - - - - - - - - - text/plain - - - - - 812C000B - - - - - - - - Specify whether outgoing server requires SSL connection. -1- Require SSL connection -0- Doesn't require SSL connection (default) - - - - - - - - - - - text/plain - - - - + + ``` -## Related topics - - -[EMAIL2 configuration service provider](email2-csp.md) - -  - -  - - - - - +## Related articles +[EMAIL2 configuration service provider reference](email2-csp.md) diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 62e50eadd1..394eabf465 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md 
@@ -1,83 +1,163 @@ --- title: EnterpriseDesktopAppManagement CSP -description: Learn how the EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications. -ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5 -ms.reviewer: +description: Learn more about the EnterpriseDesktopAppManagement CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/27/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/11/2017 +ms.topic: reference --- + + + # EnterpriseDesktopAppManagement CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications. Application installations can take some time to complete, hence they're done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example). + -The following example shows the EnterpriseDesktopAppManagement CSP in tree format. 
+ +The following list shows the EnterpriseDesktopAppManagement configuration service provider nodes: +- ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement + - [MSI](#devicemsi) + - [{ProductID}](#devicemsiproductid) + - [DownloadInstall](#devicemsiproductiddownloadinstall) + - [InstallDate](#devicemsiproductidinstalldate) + - [InstallPath](#devicemsiproductidinstallpath) + - [LastError](#devicemsiproductidlasterror) + - [LastErrorDesc](#devicemsiproductidlasterrordesc) + - [Name](#devicemsiproductidname) + - [Publisher](#devicemsiproductidpublisher) + - [Status](#devicemsiproductidstatus) + - [Version](#devicemsiproductidversion) + - [UpgradeCode](#devicemsiupgradecode) + - [{Guid}](#devicemsiupgradecodeguid) +- ./User/Vendor/MSFT/EnterpriseDesktopAppManagement + - [MSI](#usermsi) + - [{ProductID}](#usermsiproductid) + - [DownloadInstall](#usermsiproductiddownloadinstall) + - [InstallDate](#usermsiproductidinstalldate) + - [InstallPath](#usermsiproductidinstallpath) + - [LastError](#usermsiproductidlasterror) + - [LastErrorDesc](#usermsiproductidlasterrordesc) + - [Name](#usermsiproductidname) + - [Publisher](#usermsiproductidpublisher) + - [Status](#usermsiproductidstatus) + - [Version](#usermsiproductidversion) + - [UpgradeCode](#usermsiupgradecode) + - [{Guid}](#usermsiupgradecodeguid) + + + +## Device/MSI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI ``` -./Device/Vendor/MSFT -EnterpriseDesktopAppManagement -----MSI ---------ProductID -------------Version -------------Name -------------Publisher -------------InstallPath -------------InstallDate -------------DownloadInstall -------------Status -------------LastError -------------LastErrorDesc ---------UpgradeCode -------------Guid + + + + +Product Type is MSI. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/MSI/{ProductID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID} ``` + -**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement** -The root node for the EnterpriseDesktopAppManagement configuration service provider. - -**MSI** -Node for all settings. - -**MSI/***ProductID* + + The MSI product code for the application. + -**MSI/*ProductID*/Version** -Version number. Value type is string. Supported operation is Get. + + + -**MSI/*ProductID*/Name** -Name of the application. Value type is string. Supported operation is Get. + +**Description framework properties**: -**MSI/*ProductID*/Publisher** -Publisher of application. Value type is string. Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Atomic Required | True | +| Dynamic Node Naming | UniqueName: The MSI product code for the application. | + -**MSI/*ProductID*/InstallPath** -Installation path of the application. Value type is string. Supported operation is Get. + + + -**MSI/*ProductID*/InstallDate** -Installation date of the application. Value type is string. Supported operation is Get. + -**MSI/*ProductID*/DownloadInstall** -Executes the download and installation of the application. Value type is string. Supported operations are Execute and Get. + +#### Device/MSI/{ProductID}/DownloadInstall -In Windows 10, version 1703 service release, a new tag \ was added to the \ section of the XML. The default value is 0 (don't send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken. `` 0 will set the timeout to infinite. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/DownloadInstall +``` + + + + +Executes the download and installation of the application. In Windows 10, version 1703 service release, a new tag `` was added to the `` section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken. + + + + Here's an example: ```xml 
@@ -90,280 +170,1236 @@ Here's an example: ``` -**MSI/*ProductID*/Status** -Status of the application. Value type is string. Supported operation is Get. +For more information, see [DownloadInstall XSD Schema](#downloadinstall-xsd-schema). + -| Status | Value | -|---------------------------|-------| -| Initialized | 10 | -| Download In Progress | 20 | -| Pending Download Retry | 25 | -| Download Failed | 30 | -| Download Completed | 40 | -| Pending User Session | 48 | -| Enforcement In Progress | 50 | -| Pending Enforcement Retry | 55 | -| Enforcement Failed | 60 | -| Enforcement Completed | 70 | + +**Description framework properties**: -**MSI/*ProductID*/LastError** -The last error code during the application installation process. This error code is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this error could be the result of executing MSIExec.exe or the error result from an API that failed. +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Add, Delete, Exec, Get | + -Value type is string. Supported operation is Get. + + + -**MSI/*ProductID*/LastErrorDesc** -Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there's no LastErrorDesc returned. + -Value type is string. Supported operation is Get. + +#### Device/MSI/{ProductID}/InstallDate -**MSI/UpgradeCode** -Added in the March service release of Windows 10, version 1607. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**MSI/UpgradeCode/_Guid_** -Added in the March service release of Windows 10, version 1607. A gateway (or device management server) uses this method to detect matching upgrade MSI product when an administrator wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed. + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/InstallDate +``` + -Value type is string. Supported operation is Get. + + +Installation date of the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/MSI/{ProductID}/InstallPath + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/InstallPath +``` + + + + +Installation path of the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/MSI/{ProductID}/LastError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/LastError +``` + + + + +The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/MSI/{ProductID}/LastErrorDesc + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/LastErrorDesc +``` + + + + +Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/MSI/{ProductID}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Name +``` + + + + +Name of the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/MSI/{ProductID}/Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Publisher +``` + + + + +Publisher of application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/MSI/{ProductID}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Status +``` + + + + +Status of the application. Valid values: 10-Initialized, 20-Download In Progress, 25-Pending Download Retry, 30-Download Failed, 40-Download Completed, 48-Pending User Session, 50-Enforcement In Progress, 55-Pending Enforcement Retry, 60-Enforcement Failed, 70-Enforcement Completed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/MSI/{ProductID}/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Version +``` + + + + +MSI Product Version. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Device/MSI/UpgradeCode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/UpgradeCode +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Case Sensitive | True | + + + + + + + + + +#### Device/MSI/UpgradeCode/{Guid} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/UpgradeCode/{Guid} +``` + + + + +A gateway (or device management server) uses this method to detect matching upgrade MSI product when a Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +## User/MSI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI +``` + + + + +Product Type is MSI. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/MSI/{ProductID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID} +``` + + + + +The MSI product code for the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Atomic Required | True | +| Dynamic Node Naming | UniqueName: The MSI product code for the application. | + + + + + + + + + +#### User/MSI/{ProductID}/DownloadInstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/DownloadInstall +``` + + + + +Executes the download and installation of the application. In Windows 10, version 1703 service release, a new tag `` was added to the `` section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken. + + + + +Here's an example: + +```xml + + /quiet + 5 + 3 + 5 + 1 + +``` + +For more information, see [DownloadInstall XSD Schema](#downloadinstall-xsd-schema). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Add, Delete, Exec, Get | + + + + + + + + + +#### User/MSI/{ProductID}/InstallDate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/InstallDate +``` + + + + +Installation date of the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/MSI/{ProductID}/InstallPath + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/InstallPath +``` + + + + +Installation path of the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/MSI/{ProductID}/LastError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/LastError +``` + + + + +The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### User/MSI/{ProductID}/LastErrorDesc + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/LastErrorDesc +``` + + + + +Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/MSI/{ProductID}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Name +``` + + + + +Name of the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/MSI/{ProductID}/Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Publisher +``` + + + + +Publisher of application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/MSI/{ProductID}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Status +``` + + + + +Status of the application. Valid values: 10-Initialized, 20-Download In Progress, 25-Pending Download Retry, 30-Download Failed, 40-Download Completed, 48-Pending User Session, 50-Enforcement In Progress, 55-Pending Enforcement Retry, 60-Enforcement Failed, 70-Enforcement Completed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### User/MSI/{ProductID}/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ProductID}/Version +``` + + + + +MSI Product Version. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### User/MSI/UpgradeCode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/UpgradeCode +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Case Sensitive | True | + + + + + + + + + +#### User/MSI/UpgradeCode/{Guid} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/UpgradeCode/{Guid} +``` + + + + +A gateway (or device management server) uses this method to detect matching upgrade MSI product when a Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + + +## DownloadInstall XSD Schema + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` ## Examples -**SyncML to request CSP version information** +- SyncML to request CSP version information: -```xml - - - - 12345 - - - ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement?prop=Type - - - - - - -``` + ```xml + + + + 12345 + + + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement?prop=Type + + + + + + + ``` -The following table describes the fields in the previous sample: + The following table describes the fields in the previous sample: -| Name | Description | -|--------|-------------------------------------------------------------------------------------------------------------------------------| -| Get | Operation being performed. The Get operation is a request to return information. | -| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | -| LocURI | Path to Win32 CSP command processor. | + | Name | Description | + |--------|------------------------------------------------------------------------------------------------------------------------------| + | Get | Operation being performed. The Get operation is a request to return information. 
| + | CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | + | LocURI | Path to Win32 CSP command processor. | -**SyncML to perform MSI operations for application uninstall:** +- SyncML to perform MSI operations for application uninstall: -```xml - - - - 12345 - - - ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D - - - - - - -``` + ```xml + + + + 12345 + + + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D + + + + + + + ``` -The following table describes the fields in the previous sample: + The following table describes the fields in the previous sample: -| Name | Description | -|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Delete | Operation being performed. The Delete operation is a request to delete the CSP node that represents the specified MSI installed application and to perform and uninstall of the application as part of the process. | -| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | -| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | + | Name | Description | + |--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | Delete | Operation being performed. 
The Delete operation is a request to delete the CSP node that represents the specified MSI installed application and to perform and uninstall of the application as part of the process. | + | CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | + | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | +- SyncML to perform MSI operations for application status reporting: + ```xml + + + + 12345 + + + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D + + + + + + + ``` -**SyncML to perform MSI operations for application status reporting** + The following table describes the fields in the previous sample: -```xml - - - - 12345 - - - ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D - - - - - - -``` + | Name | Description | + |--------|------------------------------------------------------------------------------------------------------------------------------------------------------------| + | Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application. | + | CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | + | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | -The following table describes the fields in the previous sample: +- SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command. -| Name | Description | -|--------|-----------------------| -| Get | Operation being performed. 
The Get operation is a request to report the status of the specified MSI installed application.| -| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | -| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | + ```xml + + + + 1 + + + ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C384D2B-9B9A-0CB37243539C%7D/DownloadInstall + + + + + 6 + + + ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D/DownloadInstall + + + xml + text/plain + + + + + + + + http://bcl-w2k12r2-vm/testapps/msi/reboot/reboot.msi + + https://dp2.com/packages/myApp.msi + + + + 134D8F1F7C3C036DC3DCDA9F97515C8C7951DB154B73365C9C22962BD23E3EB3 + + + /quiet + 5 + 3 + 5 + + + + + + + + + + ``` -**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.** + The following table describes the fields in the previous sample: -```xml - - - - 1 - - - ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C384D2B-9B9A-0CB37243539C%7D/DownloadInstall - - - - - 6 - - - ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D/DownloadInstall - - - xml - text/plain - - - - - - - - http://bcl-w2k12r2-vm/testapps/msi/reboot/reboot.msi - - https://dp2.com/packages/myApp.msi - - - -134D8F1F7C3C036DC3DCDA9F97515C8C7951DB154B73365C9C22962BD23E3EB3 - - - /quiet - 5 - 3 - 5 - - - - - - - - - -``` + |Name|Description| + |--- |--- | + |Add|This field is required to precede the Exec command.
  • CmdID - Input value used to reference the request. Responses include this value, which can be used to match the request and response.
  • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.| + |Exec|The Exec node includes the parameters and properties requires to locate, download, validate and perform product installation.
  • CmdID - Input value used to reference the request. Responses will include this value that can be used to match request and response.
  • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
  • Data - The Data node contains an embedded XML, of type “MsiInstallJob”
  • MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).| -The following table describes the fields in the previous sample: + > [!NOTE] + > Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx). -|Name|Description| -|--- |--- | -|Add|This field is required to precede the Exec command.
  • CmdID - Input value used to reference the request. Responses include this value, which can be used to match the request and response.
  • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.| -|Exec|The Exec node includes the parameters and properties requires to locate, download, validate and perform product installation.
  • CmdID - Input value used to reference the request. Responses will include this value that can be used to match request and response.
  • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
  • Data - The Data node contains an embedded XML, of type “MsiInstallJob”
  • MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).| - +- SyncML to perform MSI install operations for an application targeted to all users on the device (per-device installation): -> [!Note] -> Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx). + ```xml + + + + 1 + + + ./Device /Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B6F7CB29F-1319-4816-B345-0856916EB801%7D/DownloadInstall + + + + + + 67890 + + + ./Device /Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B6F7CB29F-1319-4816-B345-0856916EB801%7D/DownloadInstall + + + xml + text/plain + + + + + + + http://bcl-w2k12r2-vm/testapps/msi/Orca/Orca.msi + https://dp2.com/packages/myApp.msi + + + + 4525065777EF18B9444ABF71DD4B48E5F64F4F0E1E029995FB8DA441CDE4296E + + + /quiet + 5 + 3 + 5 + + + + + + + + + + ``` -**SyncML to perform MSI install operations for an application targeted to all users on the device (per-device installation):** + The following table MsiInstallJob describes the schema elements. 
-```xml - - - - 1 - - - ./Device /Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B6F7CB29F-1319-4816-B345-0856916EB801%7D/DownloadInstall - - - - - - 67890 - - - ./Device /Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B6F7CB29F-1319-4816-B345-0856916EB801%7D/DownloadInstall - - - xml - text/plain - - - - - - - http://bcl-w2k12r2-vm/testapps/msi/Orca/Orca.msi - https://dp2.com/packages/myApp.msi - - - - 4525065777EF18B9444ABF71DD4B48E5F64F4F0E1E029995FB8DA441CDE4296E - - - /quiet - 5 - 3 - 5 - - - - - - - - - -``` + | Element | Description | + |-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | MsiInstallJob | root element
    Attribute: "id" - the application identifier of the application being installed | + | Product | child element of MsiInstallJob
    Attribute: "Version" - string representation of application version | + | Download | child element of Product. Container for download configuration information. | + | ContentURLList | child element of Download. Contains list of one or more content download URL locators in the form of ContentURL elements. | + | ContentURL | Location content should be downloaded from. Must be a property formatted URL that points to the .MSI file. | + | Validation | Contains information used to validate contend authenticity. • FileHash - SHA256 hash value of file content | + | FileHash | SHA256 hash value of file content | + | Enforcement | installation properties to be used when installing this MSI | + | CommandLine | Command-line options to be used when calling MSIEXEC.exe | + | TimeOut | Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation. | + | RetryCount | The number of times the download and installation operation will be retried before the installation will be marked as failed. | + | RetryInterval | Amount of time, in minutes between retry operations. | -The following table MsiInstallJob describes the schema elements. + Here's an example of a common response to a request -|Element|Description| -|--- |--- | -|MsiInstallJob|root element
    Attribute: "id" - the application identifier of the application being installed| -|Product|child element of MsiInstallJob
    Attribute: “Version” – string representation of application version| -|Download|child element of Product. Container for download configuration information.| -|ContentURLList|child element of Download. Contains list of one or more content download URL locators in the form of ContentURL elements.| -|ContentURL|Location content should be downloaded from. Must be a property formatted URL that points to the .MSI file.| -|Validation|Contains information used to validate contend authenticity. • FileHash – SHA256 hash value of file content| -|FileHash|SHA256 hash value of file content| -|Enforcement|installation properties to be used when installing this MSI| -|CommandLine|Command-line options to be used when calling MSIEXEC.exe| -|TimeOut|Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation.| -|RetryCount|The number of times the download and installation operation will be retried before the installation will be marked as failed.| -|RetryInterval|Amount of time, in minutes between retry operations.| - -Here's an example of a common response to a request - -```xml - - - - - - 12345 - 1 - 0 - SyncHdr - 200 - - - 67890 - 1 - 1 - Add - 200 - - - - -``` + ```xml + + + + + + 12345 + 1 + 0 + SyncHdr + 200 + + + 67890 + 1 + 1 + Add + 200 + + + + + ``` ## How to determine which installation context to use for an MSI package @@ -395,7 +1431,6 @@ Here's a list of references: - [Using Windows Installer](/previous-versions/windows/it-pro/windows-server-2003/cc782896(v=ws.10)) - [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](https://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx) -- SyncML Representation Protocol, Draft Version 1.3 - 27 Aug 2009 (OMA-TS-SyncML\_RepPro-V1\_3-20090827-D) ## Alert example 
@@ -416,6 +1451,10 @@ Here's a list of references: ``` -## Related topics + -[Configuration service provider reference](index.yml) \ No newline at end of file + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md index 0a13970546..788f6427ae 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md 
@@ -1,370 +1,752 @@ --- -title: EnterpriseDesktopAppManagement DDF -description: This topic shows the OMA DM device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider. -ms.reviewer: +title: EnterpriseDesktopAppManagement DDF file +description: View the XML file containing the device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/27/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.topic: reference --- -# EnterpriseDesktopAppManagement DDF + -This topic shows the OMA DM device description framework (DDF) for the **EnterpriseDesktopAppManagement** configuration service provider. +# EnterpriseDesktopAppManagement DDF file -DDF files are used only with OMA DM provisioning XML. +The following XML file contains the device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + EnterpriseDesktopAppManagement + ./User/Vendor/MSFT + + + + + The root node for the EnterpriseDesktopAppManagement configuration service provider. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - EnterpriseDesktopAppManagement - ./Device/Vendor/MSFT + MSI + + + + + Product Type is MSI + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - com.microsoft/1.0/MDM/EnterpriseDesktopAppManagement - + + + + + + The MSI product code for the application. + + + + + + + + + + ProductID + + + + + + + + The MSI product code for the application. 
+ + - MSI - - - - - Product Type is MSI - - - - - - - - - - - - - - - - - - - - - - - - - MSI product code for Threshold - - - - - - - - - - - - - ProductID - - - - - - Version - - - - - MSI Product Version - - - - - - - - - - - - - - text/plain - - - - - Name - - - - - - - - - - - - - - - - - - text/plain - - - - - Publisher - - - - - - - - - - - - - - - - - - text/plain - - - - - InstallPath - - - - - - - - - - - - - - - - - - text/plain - - - - - InstallDate - - - - - - - - - - - - - - - - - - text/plain - - - - - DownloadInstall - - - - - - - - Method to download and install an MSI app - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - - - - - - - - - - - - - - text/plain - - - - - LastError - - - - - - - - - - - - - - - - - - text/plain - - - - - LastErrorDesc - - - - - - - - - - - - - - - - - - text/plain - - - - - - UpgradeCode - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Guid - - text/plain - - - - + Version + + + + + MSI Product Version + + + + + + + + + + + + + + + + + + Name + + + + + Name of the application. + + + + + + + + + + + + + + + + + + + Publisher + + + + + Publisher of application. + + + + + + + + + + + + + + + + + + + InstallPath + + + + + Installation path of the application. + + + + + + + + + + + + + + + + + + + InstallDate + + + + + Installation date of the application. + + + + + + + + + + + + + + + + + + + DownloadInstall + + + + + + + + was added to the section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.]]> + + + + + + + + + + + + + + + + + + + + + Status + + + + + Status of the application. 
Valid values: 10-Initialized, 20-Download In Progress, 25-Pending Download Retry, 30-Download Failed, 40-Download Completed, 48-Pending User Session, 50-Enforcement In Progress, 55-Pending Enforcement Retry, 60-Enforcement Failed, 70-Enforcement Completed + + + + + + + + + + + + + + + + + + + LastError + + + + + The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed. + + + + + + + + + + + + + + + + + + + LastErrorDesc + + + + + Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned. + + + + + + + + + + + + + + + + + + + + UpgradeCode + + + + + + + + + + + + + + + + + + + + + 10.0.14393 + 1.0 + + + + + + + + + + A gateway (or device management server) uses this method to detect matching upgrade MSI product when a Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed. + + + + + + + + + + Guid + + + + + + + + + + + + + + + EnterpriseDesktopAppManagement + ./Device/Vendor/MSFT + + + + + The root node for the EnterpriseDesktopAppManagement configuration service provider. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + MSI + + + + + Product Type is MSI + + + + + + + + + + + + + + + + + + + + + + + + + + The MSI product code for the application. + + + + + + + + + + ProductID + + + + + + + + The MSI product code for the application. + + + + + Version + + + + + MSI Product Version + + + + + + + + + + + + + + + + + + + Name + + + + + Name of the application. + + + + + + + + + + + + + + + + + + + Publisher + + + + + Publisher of application. 
+ + + + + + + + + + + + + + + + + + + InstallPath + + + + + Installation path of the application. + + + + + + + + + + + + + + + + + + + InstallDate + + + + + Installation date of the application. + + + + + + + + + + + + + + + + + + + DownloadInstall + + + + + + + + was added to the section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.]]> + + + + + + + + + + + + + + + + + + + + + Status + + + + + Status of the application. Valid values: 10-Initialized, 20-Download In Progress, 25-Pending Download Retry, 30-Download Failed, 40-Download Completed, 48-Pending User Session, 50-Enforcement In Progress, 55-Pending Enforcement Retry, 60-Enforcement Failed, 70-Enforcement Completed + + + + + + + + + + + + + + + + + + + LastError + + + + + The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed. + + + + + + + + + + + + + + + + + + + LastErrorDesc + + + + + Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned. + + + + + + + + + + + + + + + + + + + + UpgradeCode + + + + + + + + + + + + + + + + + + + + + 10.0.14393 + 1.0 + + + + + + + + + + A gateway (or device management server) uses this method to detect matching upgrade MSI product when a Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed. + + + + + + + + + + Guid + + + + + + + + + + + + + + - ``` -  - -  - - - - - +## Related articles +[EnterpriseDesktopAppManagement configuration service provider reference](enterprisedesktopappmanagement-csp.md) 
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md
deleted file mode 100644
index 7bdeb81114..0000000000
--- a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md
+++ /dev/null
@@ -1,105 +0,0 @@ ---- -title: EnterpriseDesktopAppManagement XSD -description: This topic contains the XSD schema file for the EnterpriseDesktopAppManagement configuration service provider’s DownloadInstall parameter. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 ---- - -# EnterpriseDesktopAppManagement XSD - -This topic contains the XSD schema file for the EnterpriseDesktopAppManagement configuration service provider’s DownloadInstall parameter. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -The following table describes the various elements and attributes of the XSD file: - -  - -| Name | Description | -|----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| MsiInstallJob | Root element | -| id | The application identifier for the application being installed. | -| Product | Child element of MsiInstallJob | -| Version | String representation of the application version | -| Download | Child element of Product. Container for download configuration information. | -| ContentURLList | Child element of Download. Contains list of one or more content download URL locators in the form of ContentURL elements. | -| ContentURL | Location that content should be downloaded from. Must be a property formatted URL that points to the MSI file. | -| Validation | Contains information used to validate content authenticity. | -| FileHash | SHA256 hash value of file content. 
| -| Enforcement | Installation properties to be used when installing this MSI | -| CommandLine | Command-line options to be used when calling MSIEXEC.exe | -| Timeout | Amount of time in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation. | -| RetryCount | Number of times the download and installation operation will be retried before the installation will be marked as failed. | -| RetryInterval | Amount of time in minutes between retry operations. | - -  - -  - -  - - - - - - diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 534c2117a8..726ff88fb1 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md 
@@ -1,266 +1,335 @@ --- title: EnterpriseModernAppManagement CSP -description: Learn how the EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. -ms.reviewer: +description: Learn more about the EnterpriseModernAppManagement CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/19/2021 +ms.topic: reference --- + + + # EnterpriseModernAppManagement CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](../enterprise-app-management.md). -> [!Note] +> [!NOTE] > Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP. + -The following example shows the EnterpriseModernAppManagement configuration service provider in tree format. 
+ +The following list shows the EnterpriseModernAppManagement configuration service provider nodes: -```console -./Vendor/MSFT -EnterpriseModernAppManagement -----AppManagement ---------EnterpriseID -------------PackageFamilyName -----------------PackageFullName ---------------------Name ---------------------Version ---------------------Publisher ---------------------Architecture ---------------------InstallLocation ---------------------IsFramework ---------------------IsBundle ---------------------InstallDate ---------------------ResourceID ---------------------PackageStatus ---------------------RequiresReinstall ---------------------Users ---------------------IsProvisioned -----------------DoNotUpdate -----------------AppSettingPolicy ---------------------SettingValue ---------UpdateScan ---------LastScanError ---------AppInventoryResults ---------AppInventoryQuery -----AppInstallation ---------PackageFamilyName -------------StoreInstall -------------HostedInstall -------------LastError -------------LastErrorDesc -------------Status -------------ProgressStatus -----AppLicenses ---------StoreLicenses -------------LicenseID -----------------LicenseCategory -----------------LicenseUsage -----------------RequesterID -----------------AddLicense -----------------GetLicenseFromStore +- ./Device/Vendor/MSFT/EnterpriseModernAppManagement + - [AppInstallation](#deviceappinstallation) + - [{PackageFamilyName}](#deviceappinstallationpackagefamilyname) + - [HostedInstall](#deviceappinstallationpackagefamilynamehostedinstall) + - [LastError](#deviceappinstallationpackagefamilynamelasterror) + - [LastErrorDesc](#deviceappinstallationpackagefamilynamelasterrordesc) + - [ProgressStatus](#deviceappinstallationpackagefamilynameprogressstatus) + - [Status](#deviceappinstallationpackagefamilynamestatus) + - [StoreInstall](#deviceappinstallationpackagefamilynamestoreinstall) + - [AppLicenses](#deviceapplicenses) + - [StoreLicenses](#deviceapplicensesstorelicenses) + - 
[{LicenseID}](#deviceapplicensesstorelicenseslicenseid) + - [AddLicense](#deviceapplicensesstorelicenseslicenseidaddlicense) + - [GetLicenseFromStore](#deviceapplicensesstorelicenseslicenseidgetlicensefromstore) + - [LicenseCategory](#deviceapplicensesstorelicenseslicenseidlicensecategory) + - [LicenseUsage](#deviceapplicensesstorelicenseslicenseidlicenseusage) + - [RequesterID](#deviceapplicensesstorelicenseslicenseidrequesterid) + - [AppManagement](#deviceappmanagement) + - [AppInventoryQuery](#deviceappmanagementappinventoryquery) + - [AppInventoryResults](#deviceappmanagementappinventoryresults) + - [AppStore](#deviceappmanagementappstore) + - [{PackageFamilyName}](#deviceappmanagementappstorepackagefamilyname) + - [{PackageFullName}](#deviceappmanagementappstorepackagefamilynamepackagefullname) + - [Architecture](#deviceappmanagementappstorepackagefamilynamepackagefullnamearchitecture) + - [InstallDate](#deviceappmanagementappstorepackagefamilynamepackagefullnameinstalldate) + - [InstallLocation](#deviceappmanagementappstorepackagefamilynamepackagefullnameinstalllocation) + - [IsBundle](#deviceappmanagementappstorepackagefamilynamepackagefullnameisbundle) + - [IsFramework](#deviceappmanagementappstorepackagefamilynamepackagefullnameisframework) + - [IsProvisioned](#deviceappmanagementappstorepackagefamilynamepackagefullnameisprovisioned) + - [IsStub](#deviceappmanagementappstorepackagefamilynamepackagefullnameisstub) + - [Name](#deviceappmanagementappstorepackagefamilynamepackagefullnamename) + - [PackageStatus](#deviceappmanagementappstorepackagefamilynamepackagefullnamepackagestatus) + - [Publisher](#deviceappmanagementappstorepackagefamilynamepackagefullnamepublisher) + - [RequiresReinstall](#deviceappmanagementappstorepackagefamilynamepackagefullnamerequiresreinstall) + - [ResourceID](#deviceappmanagementappstorepackagefamilynamepackagefullnameresourceid) + - [Users](#deviceappmanagementappstorepackagefamilynamepackagefullnameusers) + - 
[Version](#deviceappmanagementappstorepackagefamilynamepackagefullnameversion) + - [DoNotUpdate](#deviceappmanagementappstorepackagefamilynamedonotupdate) + - [MaintainProcessorArchitectureOnUpdate](#deviceappmanagementappstorepackagefamilynamemaintainprocessorarchitectureonupdate) + - [NonRemovable](#deviceappmanagementappstorepackagefamilynamenonremovable) + - [ReleaseManagement](#deviceappmanagementappstorereleasemanagement) + - [{ReleaseManagementKey}](#deviceappmanagementappstorereleasemanagementreleasemanagementkey) + - [ChannelId](#deviceappmanagementappstorereleasemanagementreleasemanagementkeychannelid) + - [EffectiveRelease](#deviceappmanagementappstorereleasemanagementreleasemanagementkeyeffectiverelease) + - [ChannelId](#deviceappmanagementappstorereleasemanagementreleasemanagementkeyeffectivereleasechannelid) + - [ReleaseManagementId](#deviceappmanagementappstorereleasemanagementreleasemanagementkeyeffectivereleasereleasemanagementid) + - [ReleaseManagementId](#deviceappmanagementappstorereleasemanagementreleasemanagementkeyreleasemanagementid) + - [LastScanError](#deviceappmanagementlastscanerror) + - [nonStore](#deviceappmanagementnonstore) + - [{PackageFamilyName}](#deviceappmanagementnonstorepackagefamilyname) + - [{PackageFullName}](#deviceappmanagementnonstorepackagefamilynamepackagefullname) + - [Architecture](#deviceappmanagementnonstorepackagefamilynamepackagefullnamearchitecture) + - [InstallDate](#deviceappmanagementnonstorepackagefamilynamepackagefullnameinstalldate) + - [InstallLocation](#deviceappmanagementnonstorepackagefamilynamepackagefullnameinstalllocation) + - [IsBundle](#deviceappmanagementnonstorepackagefamilynamepackagefullnameisbundle) + - [IsFramework](#deviceappmanagementnonstorepackagefamilynamepackagefullnameisframework) + - [IsProvisioned](#deviceappmanagementnonstorepackagefamilynamepackagefullnameisprovisioned) + - [IsStub](#deviceappmanagementnonstorepackagefamilynamepackagefullnameisstub) + - 
[Name](#deviceappmanagementnonstorepackagefamilynamepackagefullnamename) + - [PackageStatus](#deviceappmanagementnonstorepackagefamilynamepackagefullnamepackagestatus) + - [Publisher](#deviceappmanagementnonstorepackagefamilynamepackagefullnamepublisher) + - [RequiresReinstall](#deviceappmanagementnonstorepackagefamilynamepackagefullnamerequiresreinstall) + - [ResourceID](#deviceappmanagementnonstorepackagefamilynamepackagefullnameresourceid) + - [Users](#deviceappmanagementnonstorepackagefamilynamepackagefullnameusers) + - [Version](#deviceappmanagementnonstorepackagefamilynamepackagefullnameversion) + - [DoNotUpdate](#deviceappmanagementnonstorepackagefamilynamedonotupdate) + - [MaintainProcessorArchitectureOnUpdate](#deviceappmanagementnonstorepackagefamilynamemaintainprocessorarchitectureonupdate) + - [NonRemovable](#deviceappmanagementnonstorepackagefamilynamenonremovable) + - [ReleaseManagement](#deviceappmanagementnonstorereleasemanagement) + - [{ReleaseManagementKey}](#deviceappmanagementnonstorereleasemanagementreleasemanagementkey) + - [ChannelId](#deviceappmanagementnonstorereleasemanagementreleasemanagementkeychannelid) + - [EffectiveRelease](#deviceappmanagementnonstorereleasemanagementreleasemanagementkeyeffectiverelease) + - [ChannelId](#deviceappmanagementnonstorereleasemanagementreleasemanagementkeyeffectivereleasechannelid) + - [ReleaseManagementId](#deviceappmanagementnonstorereleasemanagementreleasemanagementkeyeffectivereleasereleasemanagementid) + - [ReleaseManagementId](#deviceappmanagementnonstorereleasemanagementreleasemanagementkeyreleasemanagementid) + - [ResetPackage](#deviceappmanagementresetpackage) + - [System](#deviceappmanagementsystem) + - [{PackageFamilyName}](#deviceappmanagementsystempackagefamilyname) + - [{PackageFullName}](#deviceappmanagementsystempackagefamilynamepackagefullname) + - [Architecture](#deviceappmanagementsystempackagefamilynamepackagefullnamearchitecture) + - 
[InstallDate](#deviceappmanagementsystempackagefamilynamepackagefullnameinstalldate) + - [InstallLocation](#deviceappmanagementsystempackagefamilynamepackagefullnameinstalllocation) + - [IsBundle](#deviceappmanagementsystempackagefamilynamepackagefullnameisbundle) + - [IsFramework](#deviceappmanagementsystempackagefamilynamepackagefullnameisframework) + - [IsProvisioned](#deviceappmanagementsystempackagefamilynamepackagefullnameisprovisioned) + - [IsStub](#deviceappmanagementsystempackagefamilynamepackagefullnameisstub) + - [Name](#deviceappmanagementsystempackagefamilynamepackagefullnamename) + - [PackageStatus](#deviceappmanagementsystempackagefamilynamepackagefullnamepackagestatus) + - [Publisher](#deviceappmanagementsystempackagefamilynamepackagefullnamepublisher) + - [RequiresReinstall](#deviceappmanagementsystempackagefamilynamepackagefullnamerequiresreinstall) + - [ResourceID](#deviceappmanagementsystempackagefamilynamepackagefullnameresourceid) + - [Users](#deviceappmanagementsystempackagefamilynamepackagefullnameusers) + - [Version](#deviceappmanagementsystempackagefamilynamepackagefullnameversion) + - [AppUpdateSettings](#deviceappmanagementsystempackagefamilynameappupdatesettings) + - [AutoRepair](#deviceappmanagementsystempackagefamilynameappupdatesettingsautorepair) + - [PackageSource](#deviceappmanagementsystempackagefamilynameappupdatesettingsautorepairpackagesource) + - [AutoUpdateSettings](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettings) + - [AutomaticBackgroundTask](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingsautomaticbackgroundtask) + - [Disable](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingsdisable) + - [ForceUpdateFromAnyVersion](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingsforceupdatefromanyversion) + - 
[HoursBetweenUpdateChecks](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingshoursbetweenupdatechecks) + - [OnLaunchUpdateCheck](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingsonlaunchupdatecheck) + - [PackageSource](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingspackagesource) + - [ShowPrompt](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingsshowprompt) + - [UpdateBlocksActivation](#deviceappmanagementsystempackagefamilynameappupdatesettingsautoupdatesettingsupdateblocksactivation) + - [DoNotUpdate](#deviceappmanagementsystempackagefamilynamedonotupdate) + - [MaintainProcessorArchitectureOnUpdate](#deviceappmanagementsystempackagefamilynamemaintainprocessorarchitectureonupdate) + - [NonRemovable](#deviceappmanagementsystempackagefamilynamenonremovable) + - [ReleaseManagement](#deviceappmanagementsystemreleasemanagement) + - [{ReleaseManagementKey}](#deviceappmanagementsystemreleasemanagementreleasemanagementkey) + - [ChannelId](#deviceappmanagementsystemreleasemanagementreleasemanagementkeychannelid) + - [EffectiveRelease](#deviceappmanagementsystemreleasemanagementreleasemanagementkeyeffectiverelease) + - [ChannelId](#deviceappmanagementsystemreleasemanagementreleasemanagementkeyeffectivereleasechannelid) + - [ReleaseManagementId](#deviceappmanagementsystemreleasemanagementreleasemanagementkeyeffectivereleasereleasemanagementid) + - [ReleaseManagementId](#deviceappmanagementsystemreleasemanagementreleasemanagementkeyreleasemanagementid) + - [UpdateScan](#deviceappmanagementupdatescan) +- ./User/Vendor/MSFT/EnterpriseModernAppManagement + - [AppInstallation](#userappinstallation) + - [{PackageFamilyName}](#userappinstallationpackagefamilyname) + - [HostedInstall](#userappinstallationpackagefamilynamehostedinstall) + - [LastError](#userappinstallationpackagefamilynamelasterror) + - [LastErrorDesc](#userappinstallationpackagefamilynamelasterrordesc) 
+ - [ProgressStatus](#userappinstallationpackagefamilynameprogressstatus) + - [Status](#userappinstallationpackagefamilynamestatus) + - [StoreInstall](#userappinstallationpackagefamilynamestoreinstall) + - [AppLicenses](#userapplicenses) + - [StoreLicenses](#userapplicensesstorelicenses) + - [{LicenseID}](#userapplicensesstorelicenseslicenseid) + - [AddLicense](#userapplicensesstorelicenseslicenseidaddlicense) + - [GetLicenseFromStore](#userapplicensesstorelicenseslicenseidgetlicensefromstore) + - [LicenseCategory](#userapplicensesstorelicenseslicenseidlicensecategory) + - [LicenseUsage](#userapplicensesstorelicenseslicenseidlicenseusage) + - [RequesterID](#userapplicensesstorelicenseslicenseidrequesterid) + - [AppManagement](#userappmanagement) + - [AppInventoryQuery](#userappmanagementappinventoryquery) + - [AppInventoryResults](#userappmanagementappinventoryresults) + - [AppStore](#userappmanagementappstore) + - [{PackageFamilyName}](#userappmanagementappstorepackagefamilyname) + - [{PackageFullName}](#userappmanagementappstorepackagefamilynamepackagefullname) + - [Architecture](#userappmanagementappstorepackagefamilynamepackagefullnamearchitecture) + - [InstallDate](#userappmanagementappstorepackagefamilynamepackagefullnameinstalldate) + - [InstallLocation](#userappmanagementappstorepackagefamilynamepackagefullnameinstalllocation) + - [IsBundle](#userappmanagementappstorepackagefamilynamepackagefullnameisbundle) + - [IsFramework](#userappmanagementappstorepackagefamilynamepackagefullnameisframework) + - [IsProvisioned](#userappmanagementappstorepackagefamilynamepackagefullnameisprovisioned) + - [IsStub](#userappmanagementappstorepackagefamilynamepackagefullnameisstub) + - [Name](#userappmanagementappstorepackagefamilynamepackagefullnamename) + - [PackageStatus](#userappmanagementappstorepackagefamilynamepackagefullnamepackagestatus) + - [Publisher](#userappmanagementappstorepackagefamilynamepackagefullnamepublisher) + - 
[RequiresReinstall](#userappmanagementappstorepackagefamilynamepackagefullnamerequiresreinstall) + - [ResourceID](#userappmanagementappstorepackagefamilynamepackagefullnameresourceid) + - [Users](#userappmanagementappstorepackagefamilynamepackagefullnameusers) + - [Version](#userappmanagementappstorepackagefamilynamepackagefullnameversion) + - [AppSettingPolicy](#userappmanagementappstorepackagefamilynameappsettingpolicy) + - [{SettingValue}](#userappmanagementappstorepackagefamilynameappsettingpolicysettingvalue) + - [DoNotUpdate](#userappmanagementappstorepackagefamilynamedonotupdate) + - [MaintainProcessorArchitectureOnUpdate](#userappmanagementappstorepackagefamilynamemaintainprocessorarchitectureonupdate) + - [ReleaseManagement](#userappmanagementappstorereleasemanagement) + - [{ReleaseManagementKey}](#userappmanagementappstorereleasemanagementreleasemanagementkey) + - [ChannelId](#userappmanagementappstorereleasemanagementreleasemanagementkeychannelid) + - [EffectiveRelease](#userappmanagementappstorereleasemanagementreleasemanagementkeyeffectiverelease) + - [ChannelId](#userappmanagementappstorereleasemanagementreleasemanagementkeyeffectivereleasechannelid) + - [ReleaseManagementId](#userappmanagementappstorereleasemanagementreleasemanagementkeyeffectivereleasereleasemanagementid) + - [ReleaseManagementId](#userappmanagementappstorereleasemanagementreleasemanagementkeyreleasemanagementid) + - [LastScanError](#userappmanagementlastscanerror) + - [nonStore](#userappmanagementnonstore) + - [{PackageFamilyName}](#userappmanagementnonstorepackagefamilyname) + - [{PackageFullName}](#userappmanagementnonstorepackagefamilynamepackagefullname) + - [Architecture](#userappmanagementnonstorepackagefamilynamepackagefullnamearchitecture) + - [InstallDate](#userappmanagementnonstorepackagefamilynamepackagefullnameinstalldate) + - [InstallLocation](#userappmanagementnonstorepackagefamilynamepackagefullnameinstalllocation) + - 
[IsBundle](#userappmanagementnonstorepackagefamilynamepackagefullnameisbundle) + - [IsFramework](#userappmanagementnonstorepackagefamilynamepackagefullnameisframework) + - [IsProvisioned](#userappmanagementnonstorepackagefamilynamepackagefullnameisprovisioned) + - [IsStub](#userappmanagementnonstorepackagefamilynamepackagefullnameisstub) + - [Name](#userappmanagementnonstorepackagefamilynamepackagefullnamename) + - [PackageStatus](#userappmanagementnonstorepackagefamilynamepackagefullnamepackagestatus) + - [Publisher](#userappmanagementnonstorepackagefamilynamepackagefullnamepublisher) + - [RequiresReinstall](#userappmanagementnonstorepackagefamilynamepackagefullnamerequiresreinstall) + - [ResourceID](#userappmanagementnonstorepackagefamilynamepackagefullnameresourceid) + - [Users](#userappmanagementnonstorepackagefamilynamepackagefullnameusers) + - [Version](#userappmanagementnonstorepackagefamilynamepackagefullnameversion) + - [AppSettingPolicy](#userappmanagementnonstorepackagefamilynameappsettingpolicy) + - [{SettingValue}](#userappmanagementnonstorepackagefamilynameappsettingpolicysettingvalue) + - [DoNotUpdate](#userappmanagementnonstorepackagefamilynamedonotupdate) + - [MaintainProcessorArchitectureOnUpdate](#userappmanagementnonstorepackagefamilynamemaintainprocessorarchitectureonupdate) + - [ReleaseManagement](#userappmanagementnonstorereleasemanagement) + - [{ReleaseManagementKey}](#userappmanagementnonstorereleasemanagementreleasemanagementkey) + - [ChannelId](#userappmanagementnonstorereleasemanagementreleasemanagementkeychannelid) + - [EffectiveRelease](#userappmanagementnonstorereleasemanagementreleasemanagementkeyeffectiverelease) + - [ChannelId](#userappmanagementnonstorereleasemanagementreleasemanagementkeyeffectivereleasechannelid) + - [ReleaseManagementId](#userappmanagementnonstorereleasemanagementreleasemanagementkeyeffectivereleasereleasemanagementid) + - 
[ReleaseManagementId](#userappmanagementnonstorereleasemanagementreleasemanagementkeyreleasemanagementid) + - [RemovePackage](#userappmanagementremovepackage) + - [ResetPackage](#userappmanagementresetpackage) + - [System](#userappmanagementsystem) + - [{PackageFamilyName}](#userappmanagementsystempackagefamilyname) + - [{PackageFullName}](#userappmanagementsystempackagefamilynamepackagefullname) + - [Architecture](#userappmanagementsystempackagefamilynamepackagefullnamearchitecture) + - [InstallDate](#userappmanagementsystempackagefamilynamepackagefullnameinstalldate) + - [InstallLocation](#userappmanagementsystempackagefamilynamepackagefullnameinstalllocation) + - [IsBundle](#userappmanagementsystempackagefamilynamepackagefullnameisbundle) + - [IsFramework](#userappmanagementsystempackagefamilynamepackagefullnameisframework) + - [IsProvisioned](#userappmanagementsystempackagefamilynamepackagefullnameisprovisioned) + - [IsStub](#userappmanagementsystempackagefamilynamepackagefullnameisstub) + - [Name](#userappmanagementsystempackagefamilynamepackagefullnamename) + - [PackageStatus](#userappmanagementsystempackagefamilynamepackagefullnamepackagestatus) + - [Publisher](#userappmanagementsystempackagefamilynamepackagefullnamepublisher) + - [RequiresReinstall](#userappmanagementsystempackagefamilynamepackagefullnamerequiresreinstall) + - [ResourceID](#userappmanagementsystempackagefamilynamepackagefullnameresourceid) + - [Users](#userappmanagementsystempackagefamilynamepackagefullnameusers) + - [Version](#userappmanagementsystempackagefamilynamepackagefullnameversion) + - [AppSettingPolicy](#userappmanagementsystempackagefamilynameappsettingpolicy) + - [{SettingValue}](#userappmanagementsystempackagefamilynameappsettingpolicysettingvalue) + - [DoNotUpdate](#userappmanagementsystempackagefamilynamedonotupdate) + - [MaintainProcessorArchitectureOnUpdate](#userappmanagementsystempackagefamilynamemaintainprocessorarchitectureonupdate) + - 
[ReleaseManagement](#userappmanagementsystemreleasemanagement) + - [{ReleaseManagementKey}](#userappmanagementsystemreleasemanagementreleasemanagementkey) + - [ChannelId](#userappmanagementsystemreleasemanagementreleasemanagementkeychannelid) + - [EffectiveRelease](#userappmanagementsystemreleasemanagementreleasemanagementkeyeffectiverelease) + - [ChannelId](#userappmanagementsystemreleasemanagementreleasemanagementkeyeffectivereleasechannelid) + - [ReleaseManagementId](#userappmanagementsystemreleasemanagementreleasemanagementkeyeffectivereleasereleasemanagementid) + - [ReleaseManagementId](#userappmanagementsystemreleasemanagementreleasemanagementkeyreleasemanagementid) + - [UpdateScan](#userappmanagementupdatescan) + + + +## Device/AppInstallation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation ``` + -**Device or User context** -For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path. + + +Used to perform app installation. + -> [!Note] -> Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP. + +This is a required node. + -**AppManagement** -Required. Used for inventory and app management (post-install). + +**Description framework properties**: -**AppManagement/UpdateScan** -Required. Used to start the Windows Update scan. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported operation is Execute. + + + -**AppManagement/LastScanError** -Required. Reports the last error code returned by the update scan. + -Supported operation is Get. + +### Device/AppInstallation/{PackageFamilyName} -**AppManagement/AppInventoryResults** -Added in Windows 10, version 1511. Required. Returns the results for app inventory that was created after the AppInventoryQuery operation. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Get. - -Here's an example of AppInventoryResults operation. - -```xml - - 11 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryResults - - - + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName} ``` + -**AppManagement/AppInventoryQuery** -Added in Windows 10, version 1511. Required. Specifies the query for app inventory. + + +Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + -Query parameters: - -- Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: - - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. - - PackageDetails - returns all inventory attributes of the package. This information includes all information from PackageNames parameter, but doesn't validate RequiresReinstall. - - RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state. -- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are: - - AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business. 
- - nonStore - This classification is for apps that weren't acquired from the Microsoft Store. - - System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried. -- PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by |. Valid values are: - - - Main - returns the main installed package. - - Bundle - returns installed bundle packages. - - Framework - returns installed framework packages. - - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They're parts of a bundle. - - XAP - returns XAP package types. This filter is only supported on Windows Mobile. - - All - returns all package types. - - If no value is specified, the combination of Main, Bundle, and Framework are returned. - -- PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value. - - If you don't specify this value, then all packages are returned. - -- Publisher - specifies the publisher of a particular package. If you specify this parameter, it returns the publisher if the value exists in the Publisher field. - - If you don't specify this value, then all publishers are returned. - - -Supported operation is Get and Replace. - -The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. - -```xml - - 10 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryQuery - - xml - - - -``` -**AppManagement/RemovePackage** -Added in Windows 10, version 1703. Used to remove packages. Not supported for ./User/Vendor/MSFT. - -Parameters: -
    -Supported operation is Execute. - -The following example removes a package for all users: - -````XML - - 10 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/RemovePackage - - xml - - - - - -```` - -**AppManagement/nonStore** -Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. - -Supported operation is Get. - -**AppManagement/System** -Reports apps installed as part of the operating system. - -Supported operation is Get. - -**AppManagement/AppStore** -Required. Used for managing apps from the Microsoft Store. - -Supported operations are Get and Delete. - -**AppManagement/AppStore/ReleaseManagement** -Added in Windows 10, version 1809. Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + +This is an optional node. > [!NOTE] -> ReleaseManagement settings only apply to updates through the Microsoft Store. - -**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_** -Added in Windows 10, version 1809. Identifier for the app or set of apps. If there's only one app, it's the PackageFamilyName. If it's for a set of apps, it's the PackageFamilyName of the main app. - -**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ChannelId** -Added in Windows 10, version 1809. Specifies the app channel ID. - -Value type is string. - -Supported operations are Add, Get, Replace, and Delete. - -**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ReleaseManagementId** -Added in Windows 10, version 1809. The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. - -Value type is string. 
- -Supported operations are Add, Get, Replace, and Delete. - -**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease** -Added in Windows 10, version 1809. Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. - -**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ChannelId** -Added in Windows 10, version 1809. Returns the last user channel ID on the device. - -Value type is string. - -Supported operation is Get. - -**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ReleaseManagementId** -Added in Windows 10, version 1809. Returns the last user release ID on the device. - -Value type is string. - -Supported operation is Get. - -**.../***PackageFamilyName* -Optional. Package family name (PFN) of the app. There's one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. - -Supported operations are Get and Delete. - -> [!Note] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: Package family name (PFN) of the app. | + + + +**Example**: Here's an example for uninstalling an app: 
@@ -280,155 +349,7755 @@ Here's an example for uninstalling an app: ``` + -**.../*PackageFamilyName*/***PackageFullName* -Optional. Full name of the package installed. + -Supported operations are Get and Delete. + +#### Device/AppInstallation/{PackageFamilyName}/HostedInstall -> [!Note] -> XAP files use a product ID in place of PackageFullName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall +``` + -**.../*PackageFamilyName*/*PackageFullName*/Name** -Required. Name of the app. + + +Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). + -Value type is string. + +This is a required node. The following list shows the supported deployment options: -Supported operation is Get. +- ForceApplicationShutdown +- DevelopmentMode +- InstallAllResources +- ForceTargetApplicationShutdown +- ForceUpdateToAnyVersion +- DeferRegistration="1". If the app is in use at the time of installation. This option stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1. +- StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803. +- LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. Available in 1607. +- ValidateDependencies="1". This option is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1. +- ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809. + -**.../*PackageFamilyName*/*PackageFullName*/Version** -Required. Version of the app. + +**Description framework properties**: -Value type is string. 
+| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Add, Delete, Exec, Get | + -Supported operation is Get. + + + -**.../*PackageFamilyName*/*PackageFullName*/Publisher** -Required. Publisher name of the app. + -Value type is string. + +#### Device/AppInstallation/{PackageFamilyName}/LastError -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**.../*PackageFamilyName*/*PackageFullName*/Architecture** -Required. Architecture of installed package. + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/LastError +``` + -Value type is string. + + +Last error relating to the app installation. + -> [!Note] + +> [!NOTE] +> This element isn't present after the app is installed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/AppInstallation/{PackageFamilyName}/LastErrorDesc + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/LastErrorDesc +``` + + + + +Description of last error relating to the app installation. + + + +> [!NOTE] +> This element isn't present after the app is installed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/AppInstallation/{PackageFamilyName}/ProgressStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/ProgressStatus +``` + + + + +An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). + + + +> [!NOTE] +> This element isn't present after the app is installed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/AppInstallation/{PackageFamilyName}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/Status +``` + + + + +Status of app installation. The following values are returned: NOT_INSTALLED (0) - The node was added, but the execution has not completed. INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success, this value is updated. FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear. + + + +> [!NOTE] +> This element isn't present after the app is installed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/AppInstallation/{PackageFamilyName}/StoreInstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/StoreInstall +``` + + + + +Command to perform an install of an app and a license from the Microsoft Store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Add, Delete, Exec, Get | + + + + + + + + + +## Device/AppLicenses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses +``` + + + + +Used to manage licenses for app scenarios. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/AppLicenses/StoreLicenses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses +``` + + + + +Used to manage licenses for store apps. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Device/AppLicenses/StoreLicenses/{LicenseID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID} +``` + + + + +License ID for a store installed app. The license ID is generally the PFN of the app. + + + +This is an optional node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: License ID for a store installed app. The license ID is generally the PFN of the app. | + + + + + + + + + +##### Device/AppLicenses/StoreLicenses/{LicenseID}/AddLicense + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/AddLicense +``` + + + + +Command to add license. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Exec | + + + + + + + + + +##### Device/AppLicenses/StoreLicenses/{LicenseID}/GetLicenseFromStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/GetLicenseFromStore +``` + + + + +Command to get license from the store. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Exec | + + + + + + + + + +##### Device/AppLicenses/StoreLicenses/{LicenseID}/LicenseCategory + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/LicenseCategory +``` + + + + +Category of license that is used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel, typically from the Store for Business. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Device/AppLicenses/StoreLicenses/{LicenseID}/LicenseUsage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/LicenseUsage +``` + + + + +Indicates the allowed usage for the license. Valid values: Unknown - usage is unknown. Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. Offline - license is valid for use offline. You don't need a connection to the internet to use this license. Enterprise Root - The license is valid for line of business apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Device/AppLicenses/StoreLicenses/{LicenseID}/RequesterID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/RequesterID +``` + + + + +Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Device/AppManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement +``` + + + + +Used for inventory and app management (post-install). + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/AppManagement/AppInventoryQuery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryQuery +``` + + + + +Specifies the query for app inventory. + + + +This is a required node. Query parameters: + +- Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: + - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. + - PackageDetails - returns all inventory attributes of the package. This information includes all information from PackageNames parameter, but doesn't validate RequiresReinstall. + - RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state. + +- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are: + - AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business. + - nonStore - This classification is for apps that weren't acquired from the Microsoft Store. + - System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried. + +- PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by |. Valid values are: + - Main - returns the main installed package. 
+ - Bundle - returns installed bundle packages. + - Framework - returns installed framework packages. + - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They're parts of a bundle. + - XAP - returns XAP package types. This filter is only supported on Windows Mobile. + - All - returns all package types. + + If no value is specified, the combination of Main, Bundle, and Framework are returned. + +- PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value. + + If you don't specify this value, then all packages are returned. + +- Publisher - specifies the publisher of a particular package. If you specify this parameter, it returns the publisher if the value exists in the Publisher field. + + If you don't specify this value, then all publishers are returned. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Get, Replace | + + + +**Example**: + +The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. + +```xml + + 10 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryQuery + + xml + + + +``` + + + + + +### Device/AppManagement/AppInventoryResults + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryResults +``` + + + + +Returns the results for app inventory that was created after the AppInventoryQuery operation. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Get | + + + +**Example**: + +Here's an example of AppInventoryResults operation. + +```xml + + 11 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryResults + + + +``` + + + + + +### Device/AppManagement/AppStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore +``` + + + + + + + +This is a required node. Used for managing apps from the Microsoft Store. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +#### Device/AppManagement/AppStore/{PackageFamilyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} +``` + + + + +Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + +> [!NOTE] +> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + +**Example**: + +Here's an example for uninstalling an app: + +```xml + + + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/%7b12345678-9012-3456-7890-123456789012%7D + + + + + + +``` + + + + + +##### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} +``` + + + + +Full name of the package installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Architecture + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Architecture +``` + + + + +Architecture of installed package. Value type is string. + + + +> [!NOTE] > Not applicable to XAP files. + -Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/InstallLocation** -Required. Install location of the app on the device. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Value type is string. + + + -> [!Note] + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallDate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallDate +``` + + + + +Date the app was installed. Value type is string. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallLocation +``` + + + + +Install location of the app on the device. Value type is string. + + + +> [!NOTE] > Not applicable to XAP files. + -Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/IsFramework** -Required. Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -> [!Note] + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsBundle + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsBundle +``` + + + + +The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsFramework + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsFramework +``` + + + + +Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + +> [!NOTE] > Not applicable to XAP files. + - Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/IsBundle** -Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned +``` + + + + +The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsStub + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsStub +``` + + + + +This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + +The value is 1 if the package is a stub package and 0 (zero) for all other cases. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Name +``` + + + + +Name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/PackageStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/PackageStatus +``` + + + + +Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Publisher +``` + + + + +Publisher name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall +``` + + + + +Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + +This is a required node. + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/ResourceID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/ResourceID +``` + + + + +Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Users + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Users +``` + + + + +Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + +This is a required node. Possible values: + +- 0 = Not Installed +- 1 = Staged +- 2 = Installed +- 6 = Paused + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Version +``` + + + + +Version of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Device/AppManagement/AppStore/{PackageFamilyName}/DoNotUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/DoNotUpdate +``` + + + + +Specifies whether you want to block a specific app from being updated via auto-updates. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### Device/AppManagement/AppStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate +``` + + + + +Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + +Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). + +| Applicability Setting | CSP state | Result | +|-----------------------|----------------|----------------------| +| True | Not configured | X86 flavor is picked | +| True | Enabled | X86 flavor is picked | +| True | Disabled | X86 flavor is picked | +| False (not set) | Not configured | X64 flavor is picked | + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### Device/AppManagement/AppStore/{PackageFamilyName}/NonRemovable + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/NonRemovable +``` + + + + +This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn't remove it for all users. + + + +NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | App is not in the nonremovable app policy list. | +| 1 | App is included in the nonremovable app policy list. 
| + + + +**Examples**: + +- Add an app to the nonremovable app policy list + + ```xml + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + int + + 1 + + + + + + ``` + +- Get the status for a particular app + + ```xml + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + + + + + ``` + +- Replace an app in the nonremovable app policy list (Data 0 = app isn't in the app policy list; Data 1 = app is in the app policy list) + + ```xml + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + int + + 0 + + + + + + ``` + + + + + +#### Device/AppManagement/AppStore/ReleaseManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement +``` + + + + +Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + +> [!NOTE] +> ReleaseManagement settings only apply to updates through the Microsoft Store. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | + + + + + + + + + +##### Device/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey} +``` + + + + +Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | +| Dynamic Node Naming | UniqueName: If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. | + + + + + + + + + +###### Device/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId +``` + + + + +Specifies the app channel ID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Device/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease +``` + + + + +Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId +``` + + + + +Returns the last user channel ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId +``` + + + + +Returns the last user release ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId +``` + + + + +The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/AppManagement/LastScanError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/LastScanError +``` + + + + +Reports the last error code returned by the update scan. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Device/AppManagement/nonStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore +``` + + + + + + + +Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +#### Device/AppManagement/nonStore/{PackageFamilyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName} +``` + + + + +Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + +> [!NOTE] +> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + +**Example**: + +Here's an example for uninstalling an app: + +```xml + + + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/%7b12345678-9012-3456-7890-123456789012%7D + + + + + + +``` + + + + + +##### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName} +``` + + + + +Full name of the package installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Architecture + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Architecture +``` + + + + +Architecture of installed package. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallDate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallDate +``` + + + + +Date the app was installed. Value type is string. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallLocation +``` + + + + +Install location of the app on the device. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsBundle + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsBundle +``` + + + + +The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsFramework + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsFramework +``` + + + + +Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned +``` + + + + +The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsStub + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsStub +``` + + + + +This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + +The value is 1 if the package is a stub package and 0 (zero) for all other cases. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Name +``` + + + + +Name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/PackageStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/PackageStatus +``` + + + + +Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Publisher +``` + + + + +Publisher name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall +``` + + + + +Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + +This is a required node. + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/ResourceID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/ResourceID +``` + + + + +Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Users + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Users +``` + + + + +Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + +This is a required node. Possible values: + +- 0 = Not Installed +- 1 = Staged +- 2 = Installed +- 6 = Paused + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Version +``` + + + + +Version of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Device/AppManagement/nonStore/{PackageFamilyName}/DoNotUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/DoNotUpdate +``` + + + + +Specifies whether you want to block a specific app from being updated via auto-updates. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### Device/AppManagement/nonStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate
+```
+
+
+
+
+Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available.
+
+
+
+Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
+
+| Applicability Setting | CSP state | Result |
+|-----------------------|----------------|----------------------|
+| True | Not configured | X86 flavor is picked |
+| True | Enabled | X86 flavor is picked |
+| True | Disabled | X86 flavor is picked |
+| False (not set) | Not configured | X64 flavor is picked |
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | False. |
+| 1 | True. |
+
+
+
+
+
+
+
+
+
+##### Device/AppManagement/nonStore/{PackageFamilyName}/NonRemovable
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/NonRemovable
+```
+
+
+
+
+This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn't remove it for all users.
+
+
+
+NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | App is not in the nonremovable app policy list. |
+| 1 | App is included in the nonremovable app policy list. 
|
+
+
+
+**Examples**:
+
+- Add an app to the nonremovable app policy list
+
+ ```xml
+
+
+
+ 1
+
+
+ ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable
+
+
+ int
+
+ 1
+
+
+
+
+
+ ```
+
+- Get the status for a particular app
+
+ ```xml
+
+
+
+ 1
+
+
+ ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable
+
+
+
+
+
+
+ ```
+
+- Replace an app in the nonremovable app policy list (Data 0 = app isn't in the app policy list; Data 1 = app is in the app policy list)
+
+ ```xml
+
+
+
+ 1
+
+
+ ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable
+
+
+ int
+
+ 0
+
+
+
+
+
+ ```
+
+
+
+
+
+#### Device/AppManagement/nonStore/ReleaseManagement
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement
+```
+
+
+
+
+Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}
+```
+
+
+
+
+Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get, Replace |
+| Dynamic Node Naming | UniqueName: If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId
+```
+
+
+
+
+Specifies the app channel ID.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease
+```
+
+
+
+
+Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId
+```
+
+
+
+
+Returns the last user channel ID on the device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId
+```
+
+
+
+
+Returns the last user release ID on the device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId
+```
+
+
+
+
+The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### Device/AppManagement/ResetPackage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/ResetPackage
+```
+
+
+
+
+Used to restore the Windows app to its initial configuration.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | xml |
+| Access Type | Exec, Get |
+
+
+
+
+
+
+
+
+
+### Device/AppManagement/System
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System
+```
+
+
+
+
+
+
+
+Reports apps installed as part of the operating system.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+#### Device/AppManagement/System/{PackageFamilyName}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}
+```
+
+
+
+
+Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin.
+
+
+
+> [!NOTE]
+> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | ClientInventory |
+
+
+
+
+
+
+
+
+
+##### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}
+```
+
+
+
+
+Full name of the package installed.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | ClientInventory |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Architecture
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Architecture
+```
+
+
+
+
+Architecture of installed package. Value type is string.
+
+
+
+> [!NOTE]
+> Not applicable to XAP files.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallDate
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallDate
+```
+
+
+
+
+Date the app was installed. Value type is string.
+
+
+
+This is a required node.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallLocation
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallLocation
+```
+
+
+
+
+Install location of the app on the device. Value type is string.
+
+
+
+> [!NOTE]
+> Not applicable to XAP files.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsBundle
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsBundle
+```
+
+
+
+
+The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsFramework
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsFramework
+```
+
+
+
+
+Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases.
+
+
+
+> [!NOTE]
+> Not applicable to XAP files.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsProvisioned
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsProvisioned
+```
+
+
+
+
+The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsStub
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsStub
+```
+
+
+
+
+This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app.
+
+
+
+The value is 1 if the package is a stub package and 0 (zero) for all other cases.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Name
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Name
+```
+
+
+
+
+Name of the app. Value type is string.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/PackageStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/PackageStatus
+```
+
+
+
+
+Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced.
+
+
+
+> [!NOTE]
+> Not applicable to XAP files.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Publisher
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Publisher
+```
+
+
+
+
+Publisher name of the app. Value type is string.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/RequiresReinstall
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/RequiresReinstall
+```
+
+
+
+
+Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed.
+
+
+
+This is a required node.
+
+> [!NOTE]
+> Not applicable to XAP files.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/ResourceID
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/ResourceID
+```
+
+
+
+
+Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages.
+
+
+
+> [!NOTE]
+> Not applicable to XAP files.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Users
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Users
+```
+
+
+
+
+Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user.
+
+
+
+This is a required node.
+
+- 0 = Not Installed
+- 1 = Staged
+- 2 = Installed
+- 6 = Paused
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Version
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Version
+```
+
+
+
+
+Version of the app. Value type is string.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings
+```
+
+
+
+
+AppUpdateSettings nodes to support the auto-update and auto-repair feature for a specific package.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoRepair
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoRepair
+```
+
+
+
+
+AutoRepair node to support auto-repair feature for a specific package.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoRepair/PackageSource
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoRepair/PackageSource
+```
+
+
+
+
+PackageSource node that points the update location for a specific package.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+| Allowed Values | Regular Expression: `^(([^;]+(?i)(\.appx|\.eappx|\.appxbundle|\.eappxbundle|\.msix|\.emsix|\.msixbundle|\.emsixbundle)([;]|$)){0,10}|([^;]+(?i)(\.appinstaller)([;]|$)){0,10})$` |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings
+```
+
+
+
+
+AutoUpdateSettings nodes to support the auto-updates for a specific package.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/AutomaticBackgroundTask
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/AutomaticBackgroundTask
+```
+
+
+
+
+Specifies whether AutomaticBackgroundTask is enabled/disabled for a specific package.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| True | AutomaticBackgroundTask is enabled for the package. |
+| False (Default) | AutomaticBackgroundTask is disabled for the package. |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/Disable
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/Disable
+```
+
+
+
+
+Specifies whether the auto-update settings is enabled/disabled for a specific package.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| True | AutoUpdates settings is disabled for the package. |
+| False (Default) | AutoUpdates settings is enabled for the package. |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/ForceUpdateFromAnyVersion
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/ForceUpdateFromAnyVersion
+```
+
+
+
+
+Specifies whether the auto-update setting ForceUpdateFromAnyVersion is enabled/disabled for a specific package.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| True | ForceUpdateFromAnyVersion is enabled for the package. |
+| False (Default) | ForceUpdateFromAnyVersion is disabled for the package. |
+
+
+
+
+
+
+
+
+
+###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/HoursBetweenUpdateChecks
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/HoursBetweenUpdateChecks +``` + + + + +Specifies HoursBetweenUpdateChecks for a specific package. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Allowed Values | Range: `[8-10000]` | +| Default Value | 8 | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/OnLaunchUpdateCheck + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/OnLaunchUpdateCheck +``` + + + + +Specifies whether OnLaunchUpdateCheck is enabled/disabled for a specific package. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| True | OnLaunchUpdateCheck is enabled for the package. | +| False (Default) | OnLaunchUpdateCheck is disabled for the package. | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/PackageSource + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/PackageSource +``` + + + + +PackageSource node that points the update location for a specific package. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Allowed Values | Regular Expression: `^(([^;]+(?i)(\.appinstaller)([;]|$)){1,11})$` | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/ShowPrompt + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/ShowPrompt +``` + + + + +Specifies whether the auto-update setting ShowPrompt is enabled/disabled for a specific package. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| True | ShowPrompt is enabled for the package. | +| False (Default) | ShowPrompt is disabled for the package. | + + + + + + + + + +###### Device/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/UpdateBlocksActivation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppUpdateSettings/AutoUpdateSettings/UpdateBlocksActivation +``` + + + + +Specifies whether the auto-update setting UpdateBlocksActivation is enabled/disabled for a specific package. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| True | UpdateBlocksActivation is enabled for the package. | +| False (Default) | UpdateBlocksActivation is disabled for the package. | + + + + + + + + + +##### Device/AppManagement/System/{PackageFamilyName}/DoNotUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/DoNotUpdate +``` + + + + +Specifies whether you want to block a specific app from being updated via auto-updates. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### Device/AppManagement/System/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate +``` + + + + +Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + +Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). + +| Applicability Setting | CSP state | Result | +|-----------------------|----------------|----------------------| +| True | Not configured | X86 flavor is picked | +| True | Enabled | X86 flavor is picked | +| True | Disabled | X86 flavor is picked | +| False (not set) | Not configured | X64 flavor is picked | + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### Device/AppManagement/System/{PackageFamilyName}/NonRemovable + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/NonRemovable +``` + + + + +This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn't remove it for all users. + + + +NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | App is not in the nonremovable app policy list. | +| 1 | App is included in the nonremovable app policy list. 
| + + + +**Examples**: + +- Add an app to the nonremovable app policy list + + ```xml + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + int + + 1 + + + + + + ``` + +- Get the status for a particular app + + ```xml + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + + + + + ``` + +- Replace an app in the nonremovable app policy list (Data 0 = app isn't in the app policy list; Data 1 = app is in the app policy list) + + ```xml + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + int + + 0 + + + + + + ``` + + + + + +#### Device/AppManagement/System/ReleaseManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement +``` + + + + +Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | + + + + + + + + + +##### Device/AppManagement/System/ReleaseManagement/{ReleaseManagementKey} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey} +``` + + + + +Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | +| Dynamic Node Naming | UniqueName: If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. | + + + + + + + + + +###### Device/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ChannelId +``` + + + + +Specifies the app channel ID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Device/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease +``` + + + + +Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId +``` + + + + +Returns the last user channel ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId +``` + + + + +Returns the last user release ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### Device/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId +``` + + + + +The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/AppManagement/UpdateScan + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/UpdateScan +``` + + + + +Used to start the Windows Update scan. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +## User/AppInstallation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation +``` + + + + +Used to perform app installation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/AppInstallation/{PackageFamilyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName} +``` + + + + +Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + +> [!NOTE] +> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: Package family name (PFN) of the app. | + + + +**Example**: + +Here's an example for uninstalling an app: + +```xml + + + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/%7b12345678-9012-3456-7890-123456789012%7D + + + + + + +``` + + + + + +#### User/AppInstallation/{PackageFamilyName}/HostedInstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall +``` + + + + +Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). + + + +This is a required node. The following list shows the supported deployment options: + +- ForceApplicationShutdown +- DevelopmentMode +- InstallAllResources +- ForceTargetApplicationShutdown +- ForceUpdateToAnyVersion +- DeferRegistration="1". If the app is in use at the time of installation. This option stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1. +- StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803. +- LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. Available in 1607. +- ValidateDependencies="1". This option is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1. +- ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Add, Delete, Exec, Get | + + + + + + + + + +#### User/AppInstallation/{PackageFamilyName}/LastError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/LastError +``` + + + + +Last error relating to the app installation. + + + +> [!NOTE] +> This element isn't present after the app is installed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### User/AppInstallation/{PackageFamilyName}/LastErrorDesc + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/LastErrorDesc +``` + + + + +Description of last error relating to the app installation. + + + +> [!NOTE] +> This element isn't present after the app is installed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/AppInstallation/{PackageFamilyName}/ProgressStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/ProgressStatus +``` + + + + +An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). + + + +> [!NOTE] +> This element isn't present after the app is installed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### User/AppInstallation/{PackageFamilyName}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/Status +``` + + + + +Status of app installation. The following values are returned: NOT_INSTALLED (0) - The node was added, but the execution has not completed. INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success, this value is updated. FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear. + + + +> [!NOTE] +> This element isn't present after the app is installed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### User/AppInstallation/{PackageFamilyName}/StoreInstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/StoreInstall +``` + + + + +Command to perform an install of an app and a license from the Microsoft Store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Add, Delete, Exec, Get | + + + + + + + + + +## User/AppLicenses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses +``` + + + + +Used to manage licenses for app scenarios. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/AppLicenses/StoreLicenses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses +``` + + + + +Used to manage licenses for store apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### User/AppLicenses/StoreLicenses/{LicenseID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID} +``` + + + + +License ID for a store installed app. The license ID is generally the PFN of the app. + + + +This is an optional node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: License ID for a store installed app. The license ID is generally the PFN of the app. | + + + + + + + + + +##### User/AppLicenses/StoreLicenses/{LicenseID}/AddLicense + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/AddLicense +``` + + + + +Command to add license. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Exec | + + + + + + + + + +##### User/AppLicenses/StoreLicenses/{LicenseID}/GetLicenseFromStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/GetLicenseFromStore +``` + + + + +Command to get license from the store. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Exec | + + + + + + + + + +##### User/AppLicenses/StoreLicenses/{LicenseID}/LicenseCategory + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/LicenseCategory +``` + + + + +Category of license that is used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel, typically from the Store for Business. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### User/AppLicenses/StoreLicenses/{LicenseID}/LicenseUsage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/LicenseUsage +``` + + + + +Indicates the allowed usage for the license. Valid values: Unknown - usage is unknown. Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. Offline - license is valid for use offline. You don't need a connection to the internet to use this license. Enterprise Root - The license is valid for line of business apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### User/AppLicenses/StoreLicenses/{LicenseID}/RequesterID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/RequesterID +``` + + + + +Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## User/AppManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement +``` + + + + +Used for inventory and app management (post-install). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/AppManagement/AppInventoryQuery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryQuery +``` + + + + +Specifies the query for app inventory. + + + +This is a required node. Query parameters: + +- Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: + - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. + - PackageDetails - returns all inventory attributes of the package. This information includes all information from PackageNames parameter, but doesn't validate RequiresReinstall. + - RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state. +- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are: + - AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business. + - nonStore - This classification is for apps that weren't acquired from the Microsoft Store. + - System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried. +- PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by `|`. Valid values are: + - Main - returns the main installed package. 
+ - Bundle - returns installed bundle packages. + - Framework - returns installed framework packages. + - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They're parts of a bundle. + - XAP - returns XAP package types. This filter is only supported on Windows Mobile. + - All - returns all package types. + + If no value is specified, the combination of Main, Bundle, and Framework are returned. + +- PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value. + + If you don't specify this value, then all packages are returned. + +- Publisher - specifies the publisher of a particular package. If you specify this parameter, it returns the publisher if the value exists in the Publisher field. + + If you don't specify this value, then all publishers are returned. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Get, Replace | + + + +**Example**: + +The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. + +```xml + + 10 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryQuery + + xml + + + +``` + + + + + +### User/AppManagement/AppInventoryResults + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryResults +``` + + + + +Returns the results for app inventory that was created after the AppInventoryQuery operation. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Get | + + + +**Example**: + +Here's an example of AppInventoryResults operation. + +```xml + + 11 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryResults + + + +``` + + + + + +### User/AppManagement/AppStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore +``` + + + + + + + +This is a required node. Used for managing apps from the Microsoft Store. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +#### User/AppManagement/AppStore/{PackageFamilyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} +``` + + + + +Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + +> [!NOTE] +> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + +**Example**: + +Here's an example for uninstalling an app: + +```xml + + + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/%7b12345678-9012-3456-7890-123456789012%7D + + + + + + +``` + + + + + +##### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} +``` + + + + +Full name of the package installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Architecture + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Architecture +``` + + + + +Architecture of installed package. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallDate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallDate +``` + + + + +Date the app was installed. Value type is string. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/InstallLocation +``` + + + + +Install location of the app on the device. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsBundle + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsBundle +``` + + + + +The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsFramework + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsFramework +``` + + + + +Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned +``` + + + + +The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsStub + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/IsStub +``` + + + + +This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + +The value is 1 if the package is a stub package and 0 (zero) for all other cases. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Name +``` + + + + +Name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/PackageStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/PackageStatus +``` + + + + +Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Publisher +``` + + + + +Publisher name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall +``` + + + + +Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + +This is a required node. + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/ResourceID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/ResourceID +``` + + + + +Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Users + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Users +``` + + + + +Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + +This is a required node. Possible values: + +- 0 = Not Installed +- 1 = Staged +- 2 = Installed +- 6 = Paused + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName}/Version +``` + + + + +Version of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### User/AppManagement/AppStore/{PackageFamilyName}/AppSettingPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/AppSettingPolicy +``` + + + + +Interior node for all managed app setting values. + + + +> [!NOTE] +> This node is only supported in the user context. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/AppManagement/AppStore/{PackageFamilyName}/AppSettingPolicy/{SettingValue} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/AppSettingPolicy/{SettingValue} +``` + + + + +The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container. + + + +This setting only works for apps that support the feature and it's only supported in the user context. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: SettingValue represents a Key in a Key Value Pair. Values can be found in LocalSettings in the Managed.App.Settings container. | + + + +**Examples**: + +- The following example sets the value for the 'Server' + + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/AppSettingPolicy/Server + + + chr + + server1.contoso.com + + + ``` + +- The following example gets all managed app settings for a specific app. + + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/AppSettingPolicy?list=StructData + + + + ``` + + + + + +##### User/AppManagement/AppStore/{PackageFamilyName}/DoNotUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/DoNotUpdate +``` + + + + +Specifies whether you want to block a specific app from being updated via auto-updates. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### User/AppManagement/AppStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate +``` + + + + +Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + +Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). + +|Applicability Setting |CSP state |Result | +|---------|---------|---------| +|True |Not configured |X86 flavor is picked | +|True |Enabled |X86 flavor is picked | +|True |Disabled |X86 flavor is picked | +|False (not set) |Not configured |X64 flavor is picked | + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +#### User/AppManagement/AppStore/ReleaseManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement +``` + + + + +Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + +> [!NOTE] +> ReleaseManagement settings only apply to updates through the Microsoft Store. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | + + + + + + + + + +##### User/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey} +``` + + + + +Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | +| Dynamic Node Naming | UniqueName: If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. | + + + + + + + + + +###### User/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId +``` + + + + +Specifies the app channel ID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease +``` + + + + +Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId +``` + + + + +Returns the last user channel ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId +``` + + + + +Returns the last user release ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId +``` + + + + +The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/AppManagement/LastScanError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/LastScanError +``` + + + + +Reports the last error code returned by the update scan. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### User/AppManagement/nonStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore +``` + + + + + + + +Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +#### User/AppManagement/nonStore/{PackageFamilyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName} +``` + + + + +Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + +> [!NOTE] +> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + +```xml + + + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/%7b12345678-9012-3456-7890-123456789012%7D + + + + + + +``` + + + + + +##### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName} +``` + + + + +Full name of the package installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Architecture + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Architecture +``` + + + + +Architecture of installed package. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallDate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallDate +``` + + + + +Date the app was installed. Value type is string. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/InstallLocation +``` + + + + +Install location of the app on the device. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsBundle + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsBundle +``` + + + + +The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsFramework + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsFramework +``` + + + + +Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsProvisioned +``` + + + + +The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsStub + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/IsStub +``` + + + + +This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + +The value is 1 if the package is a stub package and 0 (zero) for all other cases. Value type is int. + -Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/InstallDate** -Required. Date the app was installed. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -Value type is string. + + + -Supported operation is Get. + -**.../*PackageFamilyName*/*PackageFullName*/ResourceID** -Required. Resource ID of the app. This value is null for the main app, ~ for a bundle, and contains resource information for resources packages. Value type is string. + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Name -> [!Note] + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Name +``` + + + + +Name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/PackageStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/PackageStatus +``` + + + + +Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + +> [!NOTE] > Not applicable to XAP files. + -Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/PackageStatus** -Required. Provides information about the status of the package. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -Value type is int. Valid values are: + + + -- OK (0) - The package is usable. -- LicenseIssue (1) - The license of the package isn't valid. -- Modified (2) - The package payload was modified by an unknown source. -- Tampered (4) - The package payload was tampered intentionally. -- Disabled (8) - The package isn't available for use. It can still be serviced. + -> [!Note] + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Publisher +``` + + + + +Publisher name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/RequiresReinstall +``` + + + + +Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + +This is a required node. + +> [!NOTE] > Not applicable to XAP files. + -Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/RequiresReinstall** -Required. Specifies whether the package state has changed and requires a reinstallation of the app. This change of status can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. Value type is int. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -> [!Note] + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/ResourceID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/ResourceID +``` + + + + +Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + +> [!NOTE] > Not applicable to XAP files. + -Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/Users** -Required. Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Users + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Users +``` + + + + +Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + +Requried. - Not Installed = 0 - Staged = 1 - Installed = 2 - Paused = 6 + -Supported operation is Get. + +**Description framework properties**: -**.../*PackageFamilyName*/*PackageFullName*/IsProvisioned** -Required. The value is 0 or 1 that indicates if the app is provisioned on the device. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -The value type is int. + + + -Supported operation is Get. + -**.../*PackageFamilyName*/*PackageFullName*/IsStub** -Added in Windows 10, version 2004. -Required. This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + +###### User/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Version -The value is 1 if the package is a stub package and 0 (zero) for all other cases. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Value type is int. + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/{PackageFullName}/Version +``` + -Supported operation is Get. + + +Version of the app. Value type is string. + -**.../*PackageFamilyName*/DoNotUpdate** -Required. Specifies whether you want to block a specific app from being updated via auto-updates. + + + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -**.../*PackageFamilyName*/AppSettingPolicy** (only for ./User/Vendor/MSFT) -Added in Windows 10, version 1511. Interior node for all managed app setting values. This node is only supported in the user context. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**.../*PackageFamilyName*/AppSettingPolicy/***SettingValue* (only for ./User/Vendor/MSFT) -Added in Windows 10, version 1511. The *SettingValue* and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. + + + + + + +##### User/AppManagement/nonStore/{PackageFamilyName}/AppSettingPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/AppSettingPolicy +``` + + + + +Interior node for all managed app setting values. + + + +This node is only supported in the user context. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/AppManagement/nonStore/{PackageFamilyName}/AppSettingPolicy/{SettingValue} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/AppSettingPolicy/{SettingValue} +``` + + + + +The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container. + + + This setting only works for apps that support the feature and it's only supported in the user context. + -Value type is string. + +**Description framework properties**: -Supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: SettingValue represents a Key in a Key Value Pair. Values can be found in LocalSettings in the Managed.App.Settings container. | + + The following example sets the value for the 'Server' ```xml @@ -460,223 +8129,1747 @@ The following example gets all managed app settings for a specific app. ``` + -**.../_PackageFamilyName_/MaintainProcessorArchitectureOnUpdate** -Added in Windows 10, version 1803. Specify whether on an AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + -Supported operations are Add, Get, Delete, and Replace. + +##### User/AppManagement/nonStore/{PackageFamilyName}/DoNotUpdate -Value type is integer. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/DoNotUpdate +``` + + + + +Specifies whether you want to block a specific app from being updated via auto-updates. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### User/AppManagement/nonStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate +``` + + + + +Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). -|Applicability Setting |CSP state |Result | -|---------|---------|---------| -|True |Not configured |X86 flavor is picked | -|True |Enabled |X86 flavor is picked | -|True |Disabled |X86 flavor is picked | -|False (not set) |Not configured |X64 flavor is picked | +| Applicability Setting | CSP state | Result | +|-----------------------|----------------|----------------------| +| True | Not configured | X86 flavor is picked | +| True | Enabled | X86 flavor is picked | +| True | Disabled | X86 flavor is picked | +| False (not set) | Not configured | X64 flavor is picked | + -**.../_PackageFamilyName_/NonRemovable** -Added in Windows 10, version 1809. Specifies if an app is nonremovable by the user. + +**Description framework properties**: -This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This setting is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This setting is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + -NonRemovable requires admin permission. 
This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. + +**Allowed values**: -Value type is integer. +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + -Supported operations are Add, Get, and Replace. + + + -Valid values: + -- 0 – app isn't in the nonremovable app policy list -- 1 – app is included in the nonremovable app policy list + +#### User/AppManagement/nonStore/ReleaseManagement -**Examples:** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Add an app to the nonremovable app policy list - -```xml - - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable - - - int - - 1 - - - - - + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement ``` + -Get the status for a particular app + + +Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + -```xml - - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable - - - - - - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | + + + + + + + + + +##### User/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey} ``` + -Replace an app in the nonremovable app policy list -Data 0 = app isn't in the app policy list -Data 1 = app is in the app policy list + + +Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + -```xml - - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable - - - int - - 0 - - - - - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | +| Dynamic Node Naming | UniqueName: If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. | + + + + + + + + + +###### User/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ChannelId ``` + -**AppInstallation** -Required node. Used to perform app installation. + + +Specifies the app channel ID. + -**AppInstallation/***PackageFamilyName* -Optional node. Package family name (PFN) of the app. There's one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + -Supported operations are Get and Add. + +**Description framework properties**: -> [!Note] +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease +``` + + + + +Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId +``` + + + + +Returns the last user channel ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId +``` + + + + +Returns the last user release ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId +``` + + + + +The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/AppManagement/RemovePackage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/RemovePackage +``` + + + + +Used to remove packages. + + + +Parameters: + +- Package + - Name: Specifies the PackageFullName of the particular package to remove. + - RemoveForAllUsers: + - 0 (default) - Package will be un-provisioned so that new users don't receive the package. The package will remain installed for current users. This option isn't currently supported. + - 1 - Package will be removed for all users only if it's a provisioned package. +- User (optional): Specifies the SID of the particular user for whom to remove the package; only the package for the specified user can be removed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Exec, Get | + + + +**Example**: + +The following example removes a package for all users: + +````XML + + 10 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/RemovePackage + + xml + + + + + +```` + + + + + +### User/AppManagement/ResetPackage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/ResetPackage +``` + + + + +Used to restore the Windows app to its initial configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Exec, Get | + + + + + + + + + +### User/AppManagement/System + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System +``` + + + + + + + +Reports apps installed as part of the operating system. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +#### User/AppManagement/System/{PackageFamilyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName} +``` + + + + +Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + +> [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + -**AppInstallation/*PackageFamilyName*/StoreInstall** -Required. Command to perform an install of an app and a license from the Microsoft Store. + +**Description framework properties**: -Supported operation is Execute, Add, Delete, and Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + -**AppInstallation/*PackageFamilyName*/HostedInstall** -Required. Command to perform an install of an app package from a hosted location (this location can be a local drive, a UNC, or https data source). + +**Example**: -The following list shows the supported deployment options: +```xml + + + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/%7b12345678-9012-3456-7890-123456789012%7D + + + + + + +``` + -- ForceApplicationShutdown -- DevelopmentMode  -- InstallAllResources -- ForceTargetApplicationShutdown  -- ForceUpdateToAnyVersion -- DeferRegistration="1". If the app is in use at the time of installation. This option stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1. -- StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803. -- LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. 
Available in 1607. -- ValidateDependencies="1". This option is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1. -- ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809. + -Supported operation is Execute, Add, Delete, and Get. + +##### User/AppManagement/System/{PackageFamilyName}/{PackageFullName} -**AppInstallation/*PackageFamilyName*/LastError** -Required. Last error relating to the app installation. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Get. + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName} +``` + -> [!Note] -> This element isn't present after the app is installed. + + +Full name of the package installed. + -**AppInstallation/*PackageFamilyName*/LastErrorDesc** -Required. Description of last error relating to the app installation. + + + -Supported operation is Get. + +**Description framework properties**: -> [!Note] -> This element isn't present after the app is installed. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + -**AppInstallation/*PackageFamilyName*/Status** -Required. Status of app installation. The following values are returned: + + + -- NOT\_INSTALLED (0) - The node was added, but the execution hasn't completed. -- INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, this value is updated. -- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. -- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean-up action hasn't completed, this state may briefly appear. + -Supported operation is Get. + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Architecture -> [!Note] -> This element isn't present after the app is installed. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Architecture +``` + -**AppInstallation/*PackageFamilyName*/ProgessStatus** -Required. An integer that indicates the progress of the app installation. For https locations, this integer indicates the download progress. ProgressStatus isn't available for provisioning and it's only for user-based installations. ProgressStatus value is always 0 (zero) in provisioning. + + +Architecture of installed package. Value type is string. + -Supported operation is Get. + +> [!NOTE] +> Not applicable to XAP files. + -> [!Note] -> This element isn't present after the app is installed. + +**Description framework properties**: -**AppLicenses** -Required node. Used to manage licenses for app scenarios. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**AppLicenses/StoreLicenses** -Required node. Used to manage licenses for store apps. + + + -**AppLicenses/StoreLicenses/***LicenseID* -Optional node. License ID for a store installed app. The license ID is generally the PFN of the app. + -Supported operations are Add, Get, and Delete. + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallDate -**AppLicenses/StoreLicenses/*LicenseID*/LicenseCategory** -Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid values are: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -- Unknown - unknown license category -- Retail - license sold through retail channels, typically from the Microsoft Store -- Enterprise - license sold through the enterprise sales channel, typically from the Store for Business -- OEM - license issued to an OEM -- Developer - developer license, typically installed during the app development or side-loading scenarios. + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallDate +``` + -Supported operation is Get. + + +Date the app was installed. Value type is string. + -**AppLicenses/StoreLicenses/*LicenseID*/LicenseUsage** -Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values are: + +This is a required node. + -- Unknown - usage is unknown. -- Online - the license is only valid for online usage. This license is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. -- Offline - license is valid for use offline. You don't need a connection to the internet to use this license. -- Enterprise Root - + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**AppLicenses/StoreLicenses/*LicenseID*/RequesterID** -Added in Windows 10, version 1511. Required. Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. + + + -Supported operation is Get. + -**AppLicenses/StoreLicenses/*LicenseID*/AddLicense** -Required. Command to add license. 
+ +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallLocation -Supported operation is Execute. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**AppLicenses/StoreLicenses/*LicenseID*/GetLicenseFromStore** -Added in Windows 10, version 1511. Required. Command to get license from the store. + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/InstallLocation +``` + -Supported operation is Execute. + + +Install location of the app on the device. Value type is string. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsBundle + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsBundle +``` + + + + +The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsFramework + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsFramework +``` + + + + +Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsProvisioned + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsProvisioned +``` + + + + +The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsStub + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/IsStub +``` + + + + +This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + +The value is 1 if the package is a stub package and 0 (zero) for all other cases. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Name +``` + + + + +Name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/PackageStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/PackageStatus +``` + + + + +Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Publisher +``` + + + + +Publisher name of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/RequiresReinstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/RequiresReinstall +``` + + + + +Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + +This is a required node. + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/ResourceID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/ResourceID +``` + + + + +Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + +> [!NOTE] +> Not applicable to XAP files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Users + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Users +``` + + + + +Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + +This is a required node. + +- 0 = Not Installed +- 1 = Staged +- 2 = Installed +- 6 = Paused + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/{PackageFullName}/Version +``` + + + + +Version of the app. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### User/AppManagement/System/{PackageFamilyName}/AppSettingPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppSettingPolicy +``` + + + + +Interior node for all managed app setting values. + + + +This node is only supported in the user context. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/AppManagement/System/{PackageFamilyName}/AppSettingPolicy/{SettingValue} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/AppSettingPolicy/{SettingValue} +``` + + + + +The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container. + + + +This setting only works for apps that support the feature and it's only supported in the user context. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: SettingValue represents a Key in a Key Value Pair. Values can be found in LocalSettings in the Managed.App.Settings container. | + + + +**Examples**: + +- The following example sets the value for the 'Server' + + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/AppSettingPolicy/Server + + + chr + + server1.contoso.com + + + ``` + +- The following example gets all managed app settings for a specific app. + + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/AppSettingPolicy?list=StructData + + + + ``` + + + + + +##### User/AppManagement/System/{PackageFamilyName}/DoNotUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/DoNotUpdate +``` + + + + +Specifies whether you want to block a specific app from being updated via auto-updates. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +##### User/AppManagement/System/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/{PackageFamilyName}/MaintainProcessorArchitectureOnUpdate +``` + + + + +Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + +Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). + +| Applicability Setting | CSP state | Result | +|-----------------------|----------------|----------------------| +| True | Not configured | X86 flavor is picked | +| True | Enabled | X86 flavor is picked | +| True | Disabled | X86 flavor is picked | +| False (not set) | Not configured | X64 flavor is picked | + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | False. | +| 1 | True. | + + + + + + + + + +#### User/AppManagement/System/ReleaseManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement +``` + + + + +Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | + + + + + + + + + +##### User/AppManagement/System/ReleaseManagement/{ReleaseManagementKey} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey} +``` + + + + +Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get, Replace | +| Dynamic Node Naming | UniqueName: If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. | + + + + + + + + + +###### User/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ChannelId +``` + + + + +Specifies the app channel ID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease +``` + + + + +Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ChannelId +``` + + + + +Returns the last user channel ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/EffectiveRelease/ReleaseManagementId +``` + + + + +Returns the last user release ID on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### User/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/System/ReleaseManagement/{ReleaseManagementKey}/ReleaseManagementId +``` + + + + +The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/AppManagement/UpdateScan + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/UpdateScan +``` + + + + +Used to start the Windows Update scan. + + + +This is a required node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + + +## EnterpriseModernAppManagement XSD + +Here is the XSD for the application parameters. + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` ## Examples @@ -717,7 +9910,10 @@ Subsequent query for a specific app for its properties. ``` + -## Related topics + -[Configuration service provider reference](index.yml) +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index a7c599a149..2e9e5509b9 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md 
@@ -1,34 +1,32 @@ --- -title: EnterpriseModernAppManagement DDF -description: Learn about the OMA DM device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider (CSP). -ms.reviewer: +title: EnterpriseModernAppManagement DDF file +description: View the XML file containing the device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/24/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/01/2019 +ms.topic: reference --- -# EnterpriseModernAppManagement DDF + -This topic shows the OMA DM device description framework (DDF) for the **EnterpriseModernAppManagement** configuration service provider. DDF files are used only with OMA DM provisioning XML. +# EnterpriseModernAppManagement DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider. ```xml -]> +]> 1.2 + + EnterpriseModernAppManagement - ./Vendor/MSFT + ./User/Vendor/MSFT @@ -43,8 +41,13 @@ The XML below is the current version for this CSP. - + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + AppManagement @@ -52,6 +55,7 @@ The XML below is the current version for this CSP. + Used for inventory and app management (post-install). @@ -62,11 +66,11 @@ The XML below is the current version for this CSP. - + - + AppStore 
@@ -82,19 +86,20 @@ The XML below is the current version for this CSP. - EnterpriseID - + - + + + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. @@ -106,17 +111,22 @@ The XML below is the current version for this CSP. PackageFamilyName - + + + + - + + + Full name of the package installed. @@ -128,8 +138,11 @@ The XML below is the current version for this CSP. PackageFullName - + + + + Name @@ -137,6 +150,7 @@ The XML below is the current version for this CSP. + Name of the app. Value type is string. @@ -147,7 +161,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -157,6 +171,7 @@ The XML below is the current version for this CSP. + Version of the app. Value type is string. @@ -167,7 +182,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -177,6 +192,7 @@ The XML below is the current version for this CSP. + Publisher name of the app. Value type is string. @@ -187,7 +203,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -197,6 +213,7 @@ The XML below is the current version for this CSP. + Architecture of installed package. Value type is string. @@ -207,7 +224,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -217,6 +234,7 @@ The XML below is the current version for this CSP. + Install location of the app on the device. Value type is string. @@ -227,7 +245,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -237,6 +255,7 @@ The XML below is the current version for this CSP. + Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. @@ -247,7 +266,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -257,6 +276,7 @@ The XML below is the current version for this CSP. + The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. @@ -267,7 +287,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -277,6 +297,7 @@ The XML below is the current version for this CSP. + Date the app was installed. Value type is string. @@ -287,7 +308,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -297,6 +318,7 @@ The XML below is the current version for this CSP. + Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. @@ -307,7 +329,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -317,6 +339,7 @@ The XML below is the current version for this CSP. + Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. @@ -327,7 +350,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -337,6 +360,7 @@ The XML below is the current version for this CSP. + Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. @@ -347,7 +371,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -357,6 +381,7 @@ The XML below is the current version for this CSP. + Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. @@ -367,7 +392,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -377,6 +402,7 @@ The XML below is the current version for this CSP. + The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. @@ -387,7 +413,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -397,6 +423,7 @@ The XML below is the current version for this CSP. + This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. @@ -407,8 +434,12 @@ The XML below is the current version for this CSP. - text/plain + + + 10.0.19041 + 1.2 + @@ -421,6 +452,7 @@ The XML below is the current version for this CSP. + Specifies whether you want to block a specific app from being updated via auto-updates. @@ -432,8 +464,18 @@ The XML below is the current version for this CSP. DoNotUpdate - text/plain + + + + 0 + False + + + 1 + True + + @@ -445,6 +487,7 @@ The XML below is the current version for this CSP. + Interior node for all managed app setting values. @@ -455,11 +498,12 @@ The XML below is the current version for this CSP. - + - + + @@ -467,6 +511,7 @@ The XML below is the current version for this CSP. + The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. 
@@ -478,8 +523,11 @@ The XML below is the current version for this CSP. SettingValue - text/plain + + + SettingValue represents a Key in a Key Value Pair. Values can be found in LocalSettings in the Managed.App.Settings container. + @@ -487,11 +535,12 @@ The XML below is the current version for this CSP. MaintainProcessorArchitectureOnUpdate - + + Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. @@ -503,31 +552,22 @@ The XML below is the current version for this CSP. MaintainProcessorArchitectureOnUpdate - text/plain - - - - - NonRemovable - - - - - - - - - - - - - - - - NonRemovable - - text/plain + + + 10.0.19041 + 1.2 + + + + 0 + False + + + 1 + True + + @@ -536,10 +576,9 @@ The XML below is the current version for this CSP. - - + Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. @@ -547,44 +586,48 @@ The XML below is the current version for this CSP. - + - + - + + - - + Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. - + - + ReleaseManagementKey - + + + If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. + ChannelId - + + Specifies the app channel ID. 
@@ -595,19 +638,22 @@ The XML below is the current version for this CSP. - text/plain + + + ReleaseManagementId - + + The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. @@ -618,8 +664,10 @@ The XML below is the current version for this CSP. - text/plain + + + @@ -628,17 +676,18 @@ The XML below is the current version for this CSP. + Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. - + - + - + @@ -647,6 +696,7 @@ The XML below is the current version for this CSP. + Returns the last user channel ID on the device. @@ -657,7 +707,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -667,6 +717,7 @@ The XML below is the current version for this CSP. + Returns the last user release ID on the device. 
@@ -677,7 +728,1341 @@ The XML below is the current version for this CSP. - text/plain + + + + + + + + + + nonStore + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + + + + + + + + PackageFamilyName + + + + + + + + + + + + + + + + + Full name of the package installed. + + + + + + + + + + PackageFullName + + + + + + + + + Name + + + + + Name of the app. Value type is string. + + + + + + + + + + + + + + + + Version + + + + + Version of the app. Value type is string. + + + + + + + + + + + + + + + + Publisher + + + + + Publisher name of the app. Value type is string. + + + + + + + + + + + + + + + + Architecture + + + + + Architecture of installed package. Value type is string. + + + + + + + + + + + + + + + + InstallLocation + + + + + Install location of the app on the device. Value type is string. + + + + + + + + + + + + + + + + IsFramework + + + + + Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + + + + + + + + + + + + + + IsBundle + + + + + The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + + + + + + + + + + InstallDate + + + + + Date the app was installed. Value type is string. + + + + + + + + + + + + + + + + ResourceID + + + + + Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + + + + + + + + + + + + + + PackageStatus + + + + + Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. 
Disabled (8) - The package is not available for use. It can still be serviced. + + + + + + + + + + + + + + + + RequiresReinstall + + + + + Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + + + + + + + + + + + + + + Users + + + + + Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + + + + + + + + + + + + + + IsProvisioned + + + + + The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + + + + + + + + + + IsStub + + + + + This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + + + + + + + + + + + + 10.0.19041 + 1.2 + + + + + + DoNotUpdate + + + + + + + + Specifies whether you want to block a specific app from being updated via auto-updates. + + + + + + + + + + DoNotUpdate + + + + + + 0 + False + + + 1 + True + + + + + + AppSettingPolicy + + + + + + + + Interior node for all managed app setting values. + + + + + + + + + + + + + + + + + + + + + + + + The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. + + + + + + + + + + SettingValue + + + + + SettingValue represents a Key in a Key Value Pair. Values can be found in LocalSettings in the Managed.App.Settings container. 
+ + + + + + MaintainProcessorArchitectureOnUpdate + + + + + + + + Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + + + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + 10.0.19041 + 1.2 + + + + 0 + False + + + 1 + True + + + + + + + ReleaseManagement + + + + + + Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + + + + + + + + + + + + + + + + + + + + Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + + + + ReleaseManagementKey + + + + + If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. + + + + ChannelId + + + + + + + + Specifies the app channel ID. + + + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + + + + The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + + + + + + + + + + + + EffectiveRelease + + + + + Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + + + + + + + + + ChannelId + + + + + Returns the last user channel ID on the device. + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + Returns the last user release ID on the device. 
+ + + + + + + + + + + + + + + + + + + + System + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + + + + + + + + PackageFamilyName + + + + + + + + + + + + + + + + + Full name of the package installed. + + + + + + + + + + PackageFullName + + + + + + + + + Name + + + + + Name of the app. Value type is string. + + + + + + + + + + + + + + + + Version + + + + + Version of the app. Value type is string. + + + + + + + + + + + + + + + + Publisher + + + + + Publisher name of the app. Value type is string. + + + + + + + + + + + + + + + + Architecture + + + + + Architecture of installed package. Value type is string. + + + + + + + + + + + + + + + + InstallLocation + + + + + Install location of the app on the device. Value type is string. + + + + + + + + + + + + + + + + IsFramework + + + + + Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + + + + + + + + + + + + + + IsBundle + + + + + The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + + + + + + + + + + InstallDate + + + + + Date the app was installed. Value type is string. + + + + + + + + + + + + + + + + ResourceID + + + + + Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + + + + + + + + + + + + + + PackageStatus + + + + + Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. 
+ + + + + + + + + + + + + + + + RequiresReinstall + + + + + Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + + + + + + + + + + + + + + Users + + + + + Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + + + + + + + + + + + + + + IsProvisioned + + + + + The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + + + + + + + + + + IsStub + + + + + This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + + + + + + + + + + + + 10.0.19041 + 1.2 + + + + + + DoNotUpdate + + + + + + + + Specifies whether you want to block a specific app from being updated via auto-updates. + + + + + + + + + + DoNotUpdate + + + + + + 0 + False + + + 1 + True + + + + + + AppSettingPolicy + + + + + + + + Interior node for all managed app setting values. + + + + + + + + + + + + + + + + + + + + + + + + The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. + + + + + + + + + + SettingValue + + + + + SettingValue represents a Key in a Key Value Pair. Values can be found in LocalSettings in the Managed.App.Settings container. + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + + + + Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. 
For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + + + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + 10.0.19041 + 1.2 + + + + 0 + False + + + 1 + True + + + + + + + ReleaseManagement + + + + + + Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + + + + + + + + + + + + + + + + + + + + Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + + + + ReleaseManagementKey + + + + + If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. + + + + ChannelId + + + + + + + + Specifies the app channel ID. + + + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + + + + The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + + + + + + + + + + + + EffectiveRelease + + + + + Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + + + + + + + + + ChannelId + + + + + Returns the last user channel ID on the device. + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + Returns the last user release ID on the device. + + + + + + + + + + + @@ -691,6 +2076,7 @@ The XML below is the current version for this CSP. + Used to start the Windows Update scan. @@ -701,7 +2087,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -711,6 +2097,7 @@ The XML below is the current version for this CSP. + Reports the last error code returned by the update scan. @@ -721,7 +2108,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -731,6 +2118,7 @@ The XML below is the current version for this CSP. + Returns the results for app inventory that was created after the AppInventoryQuery operation. @@ -741,7 +2129,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -752,6 +2140,7 @@ The XML below is the current version for this CSP. + Specifies the query for app inventory. @@ -762,8 +2151,10 @@ The XML below is the current version for this CSP. - text/plain + + + @@ -773,6 +2164,7 @@ The XML below is the current version for this CSP. + Used to remove packages. @@ -783,8 +2175,42 @@ The XML below is the current version for this CSP. - text/plain + + + 10.0.15063 + 1.2 + + + + + + + ResetPackage + + + + + + Used to restore the Windows app to its initial configuration. + + + + + + + + + + + + + + 10.0.22000 + 1.2 + + + @@ -794,6 +2220,7 @@ The XML below is the current version for this CSP. + Used to perform app installation. @@ -804,11 +2231,12 @@ The XML below is the current version for this CSP. - + - + + @@ -816,6 +2244,7 @@ The XML below is the current version for this CSP. + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. @@ -827,18 +2256,22 @@ The XML below is the current version for this CSP. PackageFamilyName - + + + Package family name (PFN) of the app. + StoreInstall - + + Command to perform an install of an app and a license from the Microsoft Store. @@ -849,7 +2282,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -857,11 +2290,12 @@ The XML below is the current version for this CSP. HostedInstall - + + Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). @@ -872,7 +2306,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -882,6 +2316,7 @@ The XML below is the current version for this CSP. + Last error relating to the app installation. @@ -892,7 +2327,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -902,6 +2337,7 @@ The XML below is the current version for this CSP. + Description of last error relating to the app installation. @@ -912,7 +2348,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -922,6 +2358,7 @@ The XML below is the current version for this CSP. + Status of app installation. The following values are returned: NOT_INSTALLED (0) - The node was added, but the execution has not completed. INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success, this value is updated. FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear. @@ -932,7 +2369,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -942,6 +2379,7 @@ The XML below is the current version for this CSP. + An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). @@ -952,7 +2390,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -964,6 +2402,7 @@ The XML below is the current version for this CSP. + Used to manage licenses for app scenarios. @@ -974,7 +2413,7 @@ The XML below is the current version for this CSP. - + @@ -983,6 +2422,7 @@ The XML below is the current version for this CSP. + Used to manage licenses for store apps. @@ -993,17 +2433,19 @@ The XML below is the current version for this CSP. - + - + + + License ID for a store installed app. The license ID is generally the PFN of the app. @@ -1015,8 +2457,11 @@ The XML below is the current version for this CSP. LicenseID - + + + License ID for a store installed app. The license ID is generally the PFN of the app. + LicenseCategory @@ -1024,6 +2469,7 @@ The XML below is the current version for this CSP. + Category of license that is used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel, typically from the Store for Business. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios. @@ -1034,7 +2480,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -1044,6 +2490,7 @@ The XML below is the current version for this CSP. + Indicates the allowed usage for the license. Valid values: Unknown - usage is unknown. Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. Offline - license is valid for use offline. You don't need a connection to the internet to use this license. Enterprise Root - The license is valid for line of business apps. @@ -1054,7 +2501,7 @@ The XML below is the current version for this CSP. - text/plain + 
@@ -1064,6 +2511,7 @@ The XML below is the current version for this CSP. + Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. @@ -1074,7 +2522,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -1084,6 +2532,7 @@ The XML below is the current version for this CSP. + Command to add license. @@ -1094,7 +2543,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -1104,6 +2553,7 @@ The XML below is the current version for this CSP. + Command to get license from the store. 
@@ -1114,7 +2564,2831 @@ The XML below is the current version for this CSP. - text/plain + + + + + + + + + + EnterpriseModernAppManagement + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + AppManagement + + + + + Used for inventory and app management (post-install). + + + + + + + + + + + + + + + AppStore + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + + + + + + + + PackageFamilyName + + + + + + + + + + + + + + + + + Full name of the package installed. + + + + + + + + + + PackageFullName + + + + + + + + + Name + + + + + Name of the app. Value type is string. + + + + + + + + + + + + + + + + Version + + + + + Version of the app. Value type is string. + + + + + + + + + + + + + + + + Publisher + + + + + Publisher name of the app. Value type is string. + + + + + + + + + + + + + + + + Architecture + + + + + Architecture of installed package. Value type is string. + + + + + + + + + + + + + + + + InstallLocation + + + + + Install location of the app on the device. Value type is string. + + + + + + + + + + + + + + + + IsFramework + + + + + Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + + + + + + + + + + + + + + IsBundle + + + + + The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + + + + + + + + + + + + + + + + InstallDate + + + + + Date the app was installed. Value type is string. + + + + + + + + + + + + + + + + ResourceID + + + + + Resource ID of the app. 
This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + + + + + + + + + + + + + + PackageStatus + + + + + Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + + + + + + + + + + + + + + RequiresReinstall + + + + + Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + + + + + + + + + + + + + + Users + + + + + Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + + + + + + + + + + + + + + IsProvisioned + + + + + The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + + + + + + + + + + IsStub + + + + + This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + + + + + + + + + + + + 10.0.19041 + 1.2 + + + + + + DoNotUpdate + + + + + + + + Specifies whether you want to block a specific app from being updated via auto-updates. 
+ + + + + + + + + + DoNotUpdate + + + + + + 0 + False + + + 1 + True + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + + + + Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + + + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + 10.0.19041 + 1.2 + + + + 0 + False + + + 1 + True + + + + + + NonRemovable + + + + + + + This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. + + + + + + + + + + NonRemovable + + + + + 10.0.17763 + 1.2 + + + + 0 + app is not in the nonremovable app policy list + + + 1 + app is included in the nonremovable app policy list + + + + + + + ReleaseManagement + + + + + + Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + + + + + + + + + + + + + + + + + + + + Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + + + + ReleaseManagementKey + + + + + If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. 
+ + + + ChannelId + + + + + + + + Specifies the app channel ID. + + + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + + + + The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + + + + + + + + + + + + EffectiveRelease + + + + + Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + + + + + + + + + ChannelId + + + + + Returns the last user channel ID on the device. + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + Returns the last user release ID on the device. + + + + + + + + + + + + + + + + + + + + nonStore + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + + + + + + + + PackageFamilyName + + + + + + + + + + + + + + + + + Full name of the package installed. + + + + + + + + + + PackageFullName + + + + + + + + + Name + + + + + Name of the app. Value type is string. + + + + + + + + + + + + + + + + Version + + + + + Version of the app. Value type is string. + + + + + + + + + + + + + + + + Publisher + + + + + Publisher name of the app. Value type is string. + + + + + + + + + + + + + + + + Architecture + + + + + Architecture of installed package. Value type is string. + + + + + + + + + + + + + + + + InstallLocation + + + + + Install location of the app on the device. Value type is string. + + + + + + + + + + + + + + + + IsFramework + + + + + Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + + + + + + + + + + + + + + IsBundle + + + + + The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. 
+ + + + + + + + + + + + + + + + InstallDate + + + + + Date the app was installed. Value type is string. + + + + + + + + + + + + + + + + ResourceID + + + + + Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + + + + + + + + + + + + + + PackageStatus + + + + + Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + + + + + + + + + + + + + + RequiresReinstall + + + + + Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + + + + + + + + + + + + + + Users + + + + + Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + + + + + + + + + + + + + + IsProvisioned + + + + + The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + + + + + + + + + + IsStub + + + + + This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + + + + + + + + + + + + 10.0.19041 + 1.2 + + + + + + DoNotUpdate + + + + + + + + Specifies whether you want to block a specific app from being updated via auto-updates. 
+ + + + + + + + + + DoNotUpdate + + + + + + 0 + False + + + 1 + True + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + + + + Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + + + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + 10.0.19041 + 1.2 + + + + 0 + False + + + 1 + True + + + + + + NonRemovable + + + + + + + This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. + + + + + + + + + + NonRemovable + + + + + 10.0.17763 + 1.2 + + + + 0 + app is not in the nonremovable app policy list + + + 1 + app is included in the nonremovable app policy list + + + + + + + ReleaseManagement + + + + + + Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + + + + + + + + + + + + + + + + + + + + Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + + + + ReleaseManagementKey + + + + + If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. 
+ + + + ChannelId + + + + + + + + Specifies the app channel ID. + + + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + + + + The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + + + + + + + + + + + + EffectiveRelease + + + + + Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + + + + + + + + + ChannelId + + + + + Returns the last user channel ID on the device. + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + Returns the last user release ID on the device. + + + + + + + + + + + + + + + + + + + + System + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + + + + + + + + PackageFamilyName + + + + + + + + + + + + + + + + + Full name of the package installed. + + + + + + + + + + PackageFullName + + + + + + + + + Name + + + + + Name of the app. Value type is string. + + + + + + + + + + + + + + + + Version + + + + + Version of the app. Value type is string. + + + + + + + + + + + + + + + + Publisher + + + + + Publisher name of the app. Value type is string. + + + + + + + + + + + + + + + + Architecture + + + + + Architecture of installed package. Value type is string. + + + + + + + + + + + + + + + + InstallLocation + + + + + Install location of the app on the device. Value type is string. + + + + + + + + + + + + + + + + IsFramework + + + + + Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + + + + + + + + + + + + + + + + IsBundle + + + + + The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. 
+ + + + + + + + + + + + + + + + InstallDate + + + + + Date the app was installed. Value type is string. + + + + + + + + + + + + + + + + ResourceID + + + + + Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. + + + + + + + + + + + + + + + + PackageStatus + + + + + Provides information about the status of the package. Value type is int. Valid values are: OK (0) - The package is usable. LicenseIssue (1) - The license of the package is not valid. Modified (2) - The package payload was modified by an unknown source. Tampered (4) - The package payload was tampered intentionally. Disabled (8) - The package is not available for use. It can still be serviced. + + + + + + + + + + + + + + + + RequiresReinstall + + + + + Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. + + + + + + + + + + + + + + + + Users + + + + + Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. + + + + + + + + + + + + + + + + IsProvisioned + + + + + The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + + + + + + + + + + + + + + + + IsStub + + + + + This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. + + + + + + + + + + + + + + 10.0.19041 + 1.2 + + + + + + DoNotUpdate + + + + + + + + Specifies whether you want to block a specific app from being updated via auto-updates. 
+ + + + + + + + + + DoNotUpdate + + + + + + 0 + False + + + 1 + True + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + + + + Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + + + + + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + 10.0.19041 + 1.2 + + + + 0 + False + + + 1 + True + + + + + + NonRemovable + + + + + + + This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. + + + + + + + + + + NonRemovable + + + + + 10.0.17763 + 1.2 + + + + 0 + app is not in the nonremovable app policy list + + + 1 + app is included in the nonremovable app policy list + + + + + + AppUpdateSettings + + + + + + + AppUpdateSettings nodes to support the auto-update and auto-repair feature for a specific package + + + + + + + + + + + + + + 10.0.22000 + 1.2 + + + + AutoUpdateSettings + + + + + + + AutoUpdateSettings nodes to support the auto-updates for a specific package + + + + + + + + + + + + + + + PackageSource + + + + + + PackageSource node that points the update location for a specific package + + + + + + + + + + + + + + ^(([^;]+(?i)(\.appinstaller)([;]|$)){1,11})$ + + + + + + AutomaticBackgroundTask + + + + + + False + Specifies whether AutomaticBackgroundTask is enabled/disabled for a specific package + + + + + + + + + + + + + + + True + AutomaticBackgroundTask is enabled for the package + + + False + AutomaticBackgroundTask is disabled for the package + + + + + + 
OnLaunchUpdateCheck + + + + + + False + Specifies whether OnLaunchUpdateCheck is enabled/disabled for a specific package + + + + + + + + + + + + + + + True + OnLaunchUpdateCheck is enabled for the package + + + False + OnLaunchUpdateCheck is disabled for the package + + + + + + HoursBetweenUpdateChecks + + + + + + 8 + Specifies HoursBetweenUpdateChecks for a specific package + + + + + + + + + + + + + + [8-10000] + + + + + ShowPrompt + + + + + + False + Specifies whether the auto-update setting ShowPrompt is enabled/disabled for a specific package + + + + + + + + + + + + + + + True + ShowPrompt is enabled for the package + + + False + ShowPrompt is disabled for the package + + + + + + UpdateBlocksActivation + + + + + + False + Specifies whether the auto-update setting UpdateBlocksActivation is enabled/disabled for a specific package + + + + + + + + + + + + + + + True + UpdateBlocksActivation is enabled for the package + + + False + UpdateBlocksActivation is disabled for the package + + + + + + ForceUpdateFromAnyVersion + + + + + + False + Specifies whether the auto-update setting ForceUpdateFromAnyVersion is enabled/disabled for a specific package + + + + + + + + + + + + + + + True + ForceUpdateFromAnyVersion is enabled for the package + + + False + ForceUpdateFromAnyVersion is disabled for the package + + + + + + Disable + + + + + + False + Specifies whether the auto-update settings is enabled/disabled for a specific package + + + + + + + + + + + + + + + True + AutoUpdates settings is disabled for the package + + + False + AutoUpdates settings is enabled for the package + + + + + + + AutoRepair + + + + + + + AutoRepair node to support auto-repair feature for a specific package + + + + + + + + + + + + + + + PackageSource + + + + + + PackageSource node that points the update location for a specific package + + + + + + + + + + + + + + 
^(([^;]+(?i)(\.appx|\.eappx|\.appxbundle|\.eappxbundle|\.msix|\.emsix|\.msixbundle|\.emsixbundle)([;]|$)){0,10}|([^;]+(?i)(\.appinstaller)([;]|$)){0,10})$ + + + + + + + + + ReleaseManagement + + + + + + Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + + + + + + + + + + + + + + + + + + + + + + Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + + + + + + + + + ReleaseManagementKey + + + + + If there is only one app, the name is the PackageFamilyName. If it is for a set of apps, the name is the PackageFamilyName of the main app. + + + + ChannelId + + + + + + + + Specifies the app channel ID. + + + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + + + + The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on. + + + + + + + + + + + + + + + + + + EffectiveRelease + + + + + Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + + + + + + + + + + + + + + + ChannelId + + + + + Returns the last user channel ID on the device. + + + + + + + + + + + + + + + + ReleaseManagementId + + + + + Returns the last user release ID on the device. + + + + + + + + + + + + + + + + + + + + UpdateScan + + + + + Used to start the Windows Update scan. + + + + + + + + + + + + + + + + LastScanError + + + + + Reports the last error code returned by the update scan. + + + + + + + + + + + + + + + + AppInventoryResults + + + + + Returns the results for app inventory that was created after the AppInventoryQuery operation. 
+ + + + + + + + + + + + + + + + AppInventoryQuery + + + + + + Specifies the query for app inventory. + + + + + + + + + + + + + + + + + + ResetPackage + + + + + + Used to restore the Windows app to its initial configuration. + + + + + + + + + + + + + + 10.0.22000 + 1.2 + + + + + + + + AppInstallation + + + + + Used to perform app installation. + + + + + + + + + + + + + + + + + + + + + + + + Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + + + + + + + + + + PackageFamilyName + + + + + Package family name (PFN) of the app. + + + + StoreInstall + + + + + + + + Command to perform an install of an app and a license from the Microsoft Store. + + + + + + + + + + + + + + + + HostedInstall + + + + + + + + Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). + + + + + + + + + + + + + + + + LastError + + + + + Last error relating to the app installation. + + + + + + + + + + + + + + + + LastErrorDesc + + + + + Description of last error relating to the app installation. + + + + + + + + + + + + + + + + Status + + + + + Status of app installation. The following values are returned: NOT_INSTALLED (0) - The node was added, but the execution has not completed. INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success, this value is updated. FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear. + + + + + + + + + + + + + + + + ProgressStatus + + + + + An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. 
ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). + + + + + + + + + + + + + + + + + + AppLicenses + + + + + Used to manage licenses for app scenarios. + + + + + + + + + + + + + + + StoreLicenses + + + + + Used to manage licenses for store apps. + + + + + + + + + + + + + + + + + + + + + + + License ID for a store installed app. The license ID is generally the PFN of the app. + + + + + + + + + + LicenseID + + + + + License ID for a store installed app. The license ID is generally the PFN of the app. + + + + LicenseCategory + + + + + Category of license that is used to classify various license sources. Valid value: Unknown - unknown license category. Retail - license sold through retail channels, typically from the Microsoft Store. Enterprise - license sold through the enterprise sales channel, typically from the Store for Business. OEM - license issued to an OEM. Developer - developer license, typically installed during the app development or side-loading scenarios. + + + + + + + + + + + + + + + + LicenseUsage + + + + + Indicates the allowed usage for the license. Valid values: Unknown - usage is unknown. Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. Offline - license is valid for use offline. You don't need a connection to the internet to use this license. Enterprise Root - The license is valid for line of business apps. + + + + + + + + + + + + + + + + RequesterID + + + + + Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. + + + + + + + + + + + + + + + + AddLicense + + + + + Command to add license. 
+ + + + + + + + + + + + + + + + GetLicenseFromStore + + + + + Command to get license from the store. + + + + + + + + + + + @@ -1124,3 +5398,7 @@ The XML below is the current version for this CSP. ``` + +## Related articles + +[EnterpriseModernAppManagement configuration service provider reference](enterprisemodernappmanagement-csp.md) diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md deleted file mode 100644 index 423e4752c9..0000000000 --- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md +++ /dev/null @@ -1,57 +0,0 @@ ---- -title: EnterpriseModernAppManagement XSD -description: In this article, view the EnterpriseModernAppManagement XSD example so you can set application parameters. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 ---- - -# EnterpriseModernAppManagement XSD - -Here is the XSD for the application parameters. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -  - -  - - - - - - diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 1d8c5255b7..bbd1a859ce 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md 
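Review bot: The AutoRepair PackageSource allowed-value pattern `^(([^;]+(?i)(\.appx|\.eappx|\.appxbundle|\.eappxbundle|\.msix|\.emsix|\.msixbundle|\.emsixbundle)([;]|$)){0,10}|([^;]+(?i)(\.appinstaller)([;]|$)){0,10})$` uses `{0,10}` on both alternatives, so an empty value passes validation, whereas the AutoUpdateSettings PackageSource pattern `^(([^;]+(?i)(\.appinstaller)([;]|$)){1,11})$` requires at least one entry. If an empty value is intended to clear the repair source, the PackageSource description should say so; if not, the lower bound should be `{1,10}` so the two nodes validate consistently. Both PackageSource descriptions also say only that the node "points the update location for a specific package", while the HostedInstall description added in the same hunk spells out the accepted location types (local drive, UNC, https); stating the accepted location types for PackageSource as well would let an admin see which sources the update and repair paths will fetch packages from. Separately, the RequiresReinstall description added under AppStore, nonStore and System reads `It can also occur of the package was corrupted` and should read `It can also occur if the package was corrupted`, and the ProgressStatus description `An integer the indicates the progress` should read `An integer that indicates the progress`; since this block looks generated from the DDF, those fixes presumably belong in the source DDF.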
@@ -1,194 +1,1045 @@ --- title: eUICCs CSP -description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. +description: Learn more about the eUICCs CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/02/2018 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # eUICCs CSP -The table below shows the applicability of Windows: + + +The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +The following list shows the eUICCs configuration service provider nodes: -The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709. 
+- ./Device/Vendor/MSFT/eUICCs + - [{eUICC}](#euicc) + - [Actions](#euiccactions) + - [ResetToFactoryState](#euiccactionsresettofactorystate) + - [Status](#euiccactionsstatus) + - [DownloadServers](#euiccdownloadservers) + - [{ServerName}](#euiccdownloadserversservername) + - [AutoEnable](#euiccdownloadserversservernameautoenable) + - [DiscoveryState](#euiccdownloadserversservernamediscoverystate) + - [IsDiscoveryServer](#euiccdownloadserversservernameisdiscoveryserver) + - [Identifier](#euiccidentifier) + - [IsActive](#euiccisactive) + - [Policies](#euiccpolicies) + - [LocalUIEnabled](#euiccpolicieslocaluienabled) + - [PPR1Allowed](#euiccppr1allowed) + - [PPR1AlreadySet](#euiccppr1alreadyset) + - [Profiles](#euiccprofiles) + - [{ICCID}](#euiccprofilesiccid) + - [ErrorDetail](#euiccprofilesicciderrordetail) + - [IsEnabled](#euiccprofilesiccidisenabled) + - [MatchingID](#euiccprofilesiccidmatchingid) + - [PPR1Set](#euiccprofilesiccidppr1set) + - [PPR2Set](#euiccprofilesiccidppr2set) + - [ServerName](#euiccprofilesiccidservername) + - [State](#euiccprofilesiccidstate) + -The following shows the eUICCs configuration service provider in tree format. + +## {eUICC} + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC} ``` -./Device/Vendor/MSFT -eUICCs -----eUICC ---------Identifier ---------IsActive ---------PPR1Allowed ---------PPR1AlreadySet ---------DownloadServers -------------ServerName -----------------DiscoveryState -----------------AutoEnable -----------------IsDiscoveryServer ---------Profiles -------------ICCID -----------------ServerName -----------------MatchingID -----------------State -----------------IsEnabled -----------------PPR1Set -----------------PPR2Set -----------------ErrorDetail ---------Policies -------------LocalUIEnabled ---------Actions -------------ResetToFactoryState -------------Status + + + + +Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is the eUICC ID (EID). The node name "Default" represents the currently active eUICC. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | UniqueName: The eUICC ID (EID) associated with the device. | + + + + + + + + + +### {eUICC}/Actions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Actions ``` + -**./Vendor/MSFT/eUICCs** -Root node for the eUICCs CSP. + + +Actions that can be performed on the eUICC as a whole (when it is active). + -**_eUICC_** -Interior node. Represents information associated with an eUICC. There's one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, for example, this association could be an SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. + + + -Supported operation is Get. + +**Description framework properties**: -**_eUICC_/Identifier** -Required. Identifies an eUICC in an implementation-specific manner, for example, this identification could be an SHA-256 hash of the EID. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported operation is Get. Value type is string. + + + -**_eUICC_/IsActive** -Required. Indicates whether this eUICC is physically present and active. Updated only by the LPA. + -Supported operation is Get. Value type is boolean. + +#### {eUICC}/Actions/ResetToFactoryState -**_eUICC_/PPR1Allowed** -Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 isn't allowed. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -Supported operation is Get. + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Actions/ResetToFactoryState +``` + -Value type is boolean. + + +An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset. + -**_eUICC_/PPR1AlreadySet** -Required. Indicates whether the eUICC already has a profile with PPR1. + + + -Supported operation is Get. + +**Description framework properties**: -Value type is boolean. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + -**_eUICC_/DownloadServers** -Interior node. Represents default SM-DP+ discovery requests. + + + -Supported operation is Get. + -**_eUICC_/DownloadServers/_ServerName_** -Interior node. Optional. Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request. + +#### {eUICC}/Actions/Status -Supported operations are Add, Get, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -**_eUICC_/DownloadServers/_ServerName_/DiscoveryState** -Required. Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Actions/Status +``` + -Supported operation is Get. + + +Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors. + -Value type is integer. Default value is 1. + + + -**_eUICC_/DownloadServers/_ServerName_/AutoEnable** -Required. Indicates whether the discovered profile must be enabled automatically after install. This setting must be defined by the MDM when the ServerName subtree is created. + +**Description framework properties**: -Supported operations are Add, Get, and Replace. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + -Value type is bool. + + + -**_eUICC_/DownloadServers/_ServerName_/IsDiscoveryServer** -Optional. Indicates whether the server is a discovery server. This setting must be defined by the MDM when the ServerName subtree is created. + -Supported operations are Add, Get, and Replace. + +### {eUICC}/DownloadServers -Value type is bool. Default value is false. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -**_eUICC_/Profiles** -Interior node. Required. Represents all enterprise-owned profiles. + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/DownloadServers +``` + -Supported operation is Get. + + +Represents default SM-DP+ discovery requests. + -**_eUICC_/Profiles/_ICCID_** -Interior node. Optional. Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). + + + -Supported operations are Add, Get, and Delete. + +**Description framework properties**: -**_eUICC_/Profiles/_ICCID_/ServerName** -Required. Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported operations are Add and Get. + + + -Value type is string. + -**_eUICC_/Profiles/_ICCID_/MatchingID** -Required. Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. + +#### {eUICC}/DownloadServers/{ServerName} -Supported operations are Add and Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -Value type is string. + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/DownloadServers/{ServerName} +``` + -**_eUICC_/Profiles/_ICCID_/State** -Required. Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA. + + +Node representing the discovery operation for a server name. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request. + -Supported operation is Get. + + + -Value type is integer. Default value is 1. + +**Description framework properties**: -**_eUICC_/Profiles/_ICCID_/IsEnabled** -Added in Windows 10, version 1803. Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created to enable the profile once it’s successfully downloaded and installed on the device. Can also be queried and updated by the CSP. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: ServerName used for the discovery operation. | + -Supported operations are Add, Get, and Replace. + + + -Value type is bool. + -**_eUICC_/Policies** -Interior node. Required. Device policies associated with the eUICC as a whole (not per-profile). + +##### {eUICC}/DownloadServers/{ServerName}/AutoEnable -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -**_eUICC_/Policies/LocalUIEnabled** -Required. Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server. + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/DownloadServers/{ServerName}/AutoEnable +``` + -Supported operations are Get and Replace. + + +Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. + -Value type is boolean. Default value is true. + + + -**_eUICC_/Actions** -Interior node. Required. Actions that can be performed on the eUICC as a whole (when it's active). + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | + -**_eUICC_/Actions/ResetToFactoryState** -Required. An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset. + +**Allowed values**: -Supported operation is Execute. +| Value | Description | +|:--|:--| +| false | Disable. | +| true | Enable. | + -Value type is string. + + + -**_eUICC_/Actions/Status** -Required. Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors. + -Supported value is Get. + +##### {eUICC}/DownloadServers/{ServerName}/DiscoveryState -Value type is integer. Default is 0. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -## Related topics + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/DownloadServers/{ServerName}/DiscoveryState +``` + -[Configuration service provider reference](index.yml) + + +Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 1 | + + + + + + + + + +##### {eUICC}/DownloadServers/{ServerName}/IsDiscoveryServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/DownloadServers/{ServerName}/IsDiscoveryServer +``` + + + + +Indicates whether the server is a discovery server. Optional, default value is false. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Is Not Discovery Server. | +| true | Is Discovery Server. | + + + + + + + + + +### {eUICC}/Identifier + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Identifier +``` + + + + +The EID. + + + + +Identifies an eUICC in an implementation-specific manner, for example, this identification could be an SHA-256 hash of the EID. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### {eUICC}/IsActive + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/IsActive +``` + + + + +Indicates whether this eUICC is physically present and active. Updated only by the LPA. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### {eUICC}/Policies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Policies +``` + + + + +Device policies associated with the eUICC as a whole (not per-profile). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### {eUICC}/Policies/LocalUIEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Policies/LocalUIEnabled +``` + + + + +Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true (Default) | Enabled. | + + + + + + + + + +### {eUICC}/PPR1Allowed + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/PPR1Allowed +``` + + + + +Indicates whether the download of a profile with PPR1 is allowed. If the eUICC has already a profile (regardless of its origin and policy rules associated with it), then the download of a profile with PPR1 is not allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### {eUICC}/PPR1AlreadySet + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/PPR1AlreadySet +``` + + + + +Indicates whether the eUICC has already a profile with PPR1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### {eUICC}/Profiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles +``` + + + + +Represents all enterprise-owned profiles. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### {eUICC}/Profiles/{ICCID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID} +``` + + + + +Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: ICCID of the profile. | + + + + + + + + + +##### {eUICC}/Profiles/{ICCID}/ErrorDetail + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID}/ErrorDetail +``` + + + + +Detailed error if the profile download and install procedure failed (None = 0, CardGeneralFailure = 1, ConfirmationCodeMissing = 3, ForbiddenByPolicy = 5, InvalidMatchingId = 6, NoEligibleProfileForThisDevice = 7, NotEnoughSpaceOnCard = 8, ProfileEidMismatch = 10, ProfileNotAvailableForNewBinding = 11, ProfileNotReleasedByOperator = 12, RemoteServerGeneralFailure = 13, RemoteServerUnreachable = 14). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + + + + + + + + + +##### {eUICC}/Profiles/{ICCID}/IsEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID}/IsEnabled +``` + + + + +Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created. Can also be queried and updated by the CSP. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true | Enabled. | + + + + + + + + + +##### {eUICC}/Profiles/{ICCID}/MatchingID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID}/MatchingID +``` + + + + +Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | +| Allowed Values | Regular Expression: `^([0-9a-fA-F]{5}-){3}[0-9a-fA-F]{5}$` | + + + + + + + + + +##### {eUICC}/Profiles/{ICCID}/PPR1Set + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID}/PPR1Set +``` + + + + +This profile policy rule indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### {eUICC}/Profiles/{ICCID}/PPR2Set + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID}/PPR2Set +``` + + + + +This profile policy rule indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +##### {eUICC}/Profiles/{ICCID}/ServerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID}/ServerName +``` + + + + +Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### {eUICC}/Profiles/{ICCID}/State + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/Profiles/{ICCID}/State +``` + + + + +Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 1 | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index a6de1b34ab..7e78256e0b 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md 
@@ -1,594 +1,670 @@ --- title: eUICCs DDF file -description: Learn about the OMA DM device description framework (DDF) for the eUICCs configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the eUICCs configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/21/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/02/2018 +ms.topic: reference --- + + # eUICCs DDF file -This topic shows the OMA DM device description framework (DDF) for the **eUICCs** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below if for Windows 10, version 1803. +The following XML file contains the device description framework (DDF) for the eUICCs configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + eUICCs + ./Device/Vendor/MSFT + + + + + Subtree for all embedded UICCs (eUICC) + + + + + + + + + + + + + + + + + 10.0.16299 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - eUICCs - ./Device/Vendor/MSFT + + + + + + + Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is the eUICC ID (EID). The node name "Default" represents the currently active eUICC. + + + + + + + + + + eUICC + + + + + The eUICC ID (EID) associated with the device. + + + + Identifier - - - - Subtree for all embedded UICCs (eUICC) - - - - - - - - - - - - - - com.microsoft/1.2/MDM/eUICCs - + + + + The EID. 
+ + + + + + + + + + + + + + + + + + + IsActive + + + + + Indicates whether this eUICC is physically present and active. Updated only by the LPA. + + + + + + + + + + + + + + + + PPR1Allowed + + + + + Indicates whether the download of a profile with PPR1 is allowed. If the eUICC has already a profile (regardless of its origin and policy rules associated with it), then the download of a profile with PPR1 is not allowed. + + + + + + + + + + + + + + + + PPR1AlreadySet + + + + + Indicates whether the eUICC has already a profile with PPR1. + + + + + + + + + + + + + + + + DownloadServers + + + + + Represents default SM-DP+ discovery requests. + + + + + + + + + + + + + + 10.0.22000 + 1.0 + - + + + + + + + + + + Node representing the discovery operation for a server name. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request. + + + + + + + + + + ServerName + + + + + ServerName used for the discovery operation. + + + + DiscoveryState - - - - Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is the eUICC ID (EID). The node name "Default" represents the currently active eUICC. - - - - - - - - - - eUICC - - - + + + + 1 + Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. + + + + + + + + + + + + - - Identifier - - - - - The EID. - - - - - - - - - - - - - - text/plain - - - - - IsActive - - - - - Indicates whether this eUICC is physically present and active. Updated only by the LPA. - - - - - - - - - - - text/plain - - - - - PPR1Allowed - - - - - Indicates whether the download of a profile with PPR1 is allowed. 
If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed. - - - - - - - - - - - text/plain - - - - - PPR1AlreadySet - - - - - Indicates whether the eUICC already has a profile with PPR1. - - - - - - - - - - - text/plain - - - - - DownloadServers - - - - - Represents default SM-DP+ discovery requests. - - - - - - - - - - - - - - - - - - - - - - - Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request. - - - - - - - - - - ServerName - - - - - - DiscoveryState - - - - - 1 - Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. - - - - - - - - - - - text/plain - - - - - AutoEnable - - - - - - - Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. - - - - - - - - - - - text/plain - - - - - IsDiscoveryServer - - - - - - - false - Indicates whether the server is a discovery server. Optional, default value is false. - - - - - - - - - - - text/plain - - - - - - - Profiles - - - - - Represents all enterprise-owned profiles. - - - - - - - - - - - - - - - - - - - - - - - Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). - - - - - - - - - - ICCID - - - - - - ServerName - - - - - - - Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. 
- - - - - - - - - - - - - - text/plain - - - - - MatchingID - - - - - - - Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. - - - - - - - - - - - - - - text/plain - - - - - State - - - - - 1 - Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA. - - - - - - - - - - - text/plain - - - - - IsEnabled - - - - - - - Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created. Can also be queried and updated by the CSP. - - - - - - - - - - - text/plain - - - - - PPR1Set - - - - - This profile policy rule indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise). - - - - - - - - - - - text/plain - - - - - PPR2Set - - - - - This profile policy rule indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise). - - - - - - - - - - - text/plain - - - - - ErrorDetail - - - - - 0 - Detailed error if the profile download and install procedure failed (None = 0, CardGeneralFailure = 1, ConfirmationCodeMissing = 3, ForbiddenByPolicy = 5, InvalidMatchingId = 6, NoEligibleProfileForThisDevice = 7, NotEnoughSpaceOnCard = 8, ProfileEidMismatch = 10, ProfileNotAvailableForNewBinding = 11, ProfileNotReleasedByOperator = 12, RemoteServerGeneralFailure = 13, RemoteServerUnreachable = 14). - - - - - - - - - - - text/plain - - - - - - - Policies - - - - - Device policies associated with the eUICC as a whole (not per-profile). - - - - - - - - - - - - - - - LocalUIEnabled - - - - - - true - Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server. 
- - - - - - - - - - - text/plain - - - - - - Actions - - - - - Actions that can be performed on the eUICC as a whole (when it is active). - - - - - - - - - - - - - - - ResetToFactoryState - - - - - An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset. - - - - - - - - - - - text/plain - - - - - Status - - - - - 0 - Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors. - - - - - - - - - - - text/plain - - - - + + + AutoEnable + + + + + + + Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. + + + + + + + + + + + + + + + false + Disable + + + true + Enable + + + + + + IsDiscoveryServer + + + + + + + false + Indicates whether the server is a discovery server. Optional, default value is false. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Is Not Discovery Server + + + true + Is Discovery Server + + + + + + + Profiles + + + + + Represents all enterprise-owned profiles. + + + + + + + + + + + + + + + + + + + + + + + + Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). + + + + + + + + + + ICCID + + + + + ICCID of the profile. + + + + ServerName + + + + + + + Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. + + + + + + + + + + + + + + + + + + + + + MatchingID + + + + + + + Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. 
+ + + + + + + + + + + + + + + + + ^([0-9a-fA-F]{5}-){3}[0-9a-fA-F]{5}$ + + + + + State + + + + + 1 + Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA. + + + + + + + + + + + + + + + + IsEnabled + + + + + + + Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created. Can also be queried and updated by the CSP. + + + + + + + + + + + + + + 10.0.17134 + 1.0 + + + + false + Disabled + + + true + Enabled + + + + + + PPR1Set + + + + + This profile policy rule indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + + + + + + + + + + PPR2Set + + + + + This profile policy rule indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + + + + + + + + + + ErrorDetail + + + + + 0 + Detailed error if the profile download and install procedure failed (None = 0, CardGeneralFailure = 1, ConfirmationCodeMissing = 3, ForbiddenByPolicy = 5, InvalidMatchingId = 6, NoEligibleProfileForThisDevice = 7, NotEnoughSpaceOnCard = 8, ProfileEidMismatch = 10, ProfileNotAvailableForNewBinding = 11, ProfileNotReleasedByOperator = 12, RemoteServerGeneralFailure = 13, RemoteServerUnreachable = 14). + + + + + + + + + + + + + + + + + + Policies + + + + + Device policies associated with the eUICC as a whole (not per-profile). + + + + + + + + + + + + + + + LocalUIEnabled + + + + + + true + Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + + Actions + + + + + Actions that can be performed on the eUICC as a whole (when it is active). 
+ + + + + + + + + + + + + + + ResetToFactoryState + + + + + An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset. + + + + + + + + + + + + + + + + Status + + + + + 0 + Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors. + + + + + + + + + + + + + + + + ``` + +## Related articles + +[eUICCs configuration service provider reference](euiccs-csp.md) diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index a425989761..e0917186af 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md 
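Review bot: The PPR1Allowed and PPR1AlreadySet descriptions on the new side of this hunk reintroduce wording the removed lines had already corrected: `If the eUICC has already a profile (regardless of its origin and policy rules associated with it)` and `Indicates whether the eUICC has already a profile with PPR1.` should read `already has a profile`, as the old side does. The regenerated DDF appears to be exported from the CSP's own description strings, so if that is the case the correction belongs in the source descriptions rather than in this XML, otherwise the next export will overwrite it again; the same `has already` phrasing should then be checked on the matching euiccs-csp.md page, which is only partly visible here.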
@@ -1,299 +1,484 @@ --- title: Firewall CSP -description: The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings. +description: Learn more about the Firewall CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.reviewer: -manager: aaroncz -ms.date: 12/31/2017 +ms.topic: reference --- -# Firewall configuration service provider (CSP) + -The table below shows the applicability of Windows: + +# Firewall CSP -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. -The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709. + + +The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. 
Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. -Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively. +> [!NOTE] +> Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively. For detailed information on some of the fields below, see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](/openspecs/windows_protocols/ms-winerrata/6521c5c4-1f76-4003-9ade-5cccfc27c8ac). + -The following example shows the Firewall configuration service provider in tree format. + +The following list shows the Firewall configuration service provider nodes: + +- ./Vendor/MSFT/Firewall + - [MdmStore](#mdmstore) + - [DomainProfile](#mdmstoredomainprofile) + - [AllowLocalIpsecPolicyMerge](#mdmstoredomainprofileallowlocalipsecpolicymerge) + - [AllowLocalPolicyMerge](#mdmstoredomainprofileallowlocalpolicymerge) + - [AuthAppsAllowUserPrefMerge](#mdmstoredomainprofileauthappsallowuserprefmerge) + - [DefaultInboundAction](#mdmstoredomainprofiledefaultinboundaction) + - [DefaultOutboundAction](#mdmstoredomainprofiledefaultoutboundaction) + - [DisableInboundNotifications](#mdmstoredomainprofiledisableinboundnotifications) + - [DisableStealthMode](#mdmstoredomainprofiledisablestealthmode) + - [DisableStealthModeIpsecSecuredPacketExemption](#mdmstoredomainprofiledisablestealthmodeipsecsecuredpacketexemption) + - [DisableUnicastResponsesToMulticastBroadcast](#mdmstoredomainprofiledisableunicastresponsestomulticastbroadcast) + - [EnableFirewall](#mdmstoredomainprofileenablefirewall) + - [EnableLogDroppedPackets](#mdmstoredomainprofileenablelogdroppedpackets) + - [EnableLogIgnoredRules](#mdmstoredomainprofileenablelogignoredrules) + - [EnableLogSuccessConnections](#mdmstoredomainprofileenablelogsuccessconnections) + - 
[GlobalPortsAllowUserPrefMerge](#mdmstoredomainprofileglobalportsallowuserprefmerge)
+ - [LogFilePath](#mdmstoredomainprofilelogfilepath)
+ - [LogMaxFileSize](#mdmstoredomainprofilelogmaxfilesize)
+ - [Shielded](#mdmstoredomainprofileshielded)
+ - [DynamicKeywords](#mdmstoredynamickeywords)
+ - [Addresses](#mdmstoredynamickeywordsaddresses)
+ - [{Id}](#mdmstoredynamickeywordsaddressesid)
+ - [Addresses](#mdmstoredynamickeywordsaddressesidaddresses)
+ - [AutoResolve](#mdmstoredynamickeywordsaddressesidautoresolve)
+ - [Keyword](#mdmstoredynamickeywordsaddressesidkeyword)
+ - [FirewallRules](#mdmstorefirewallrules)
+ - [{FirewallRuleName}](#mdmstorefirewallrulesfirewallrulename)
+ - [Action](#mdmstorefirewallrulesfirewallrulenameaction)
+ - [Type](#mdmstorefirewallrulesfirewallrulenameactiontype)
+ - [App](#mdmstorefirewallrulesfirewallrulenameapp)
+ - [FilePath](#mdmstorefirewallrulesfirewallrulenameappfilepath)
+ - [Fqbn](#mdmstorefirewallrulesfirewallrulenameappfqbn)
+ - [PackageFamilyName](#mdmstorefirewallrulesfirewallrulenameapppackagefamilyname)
+ - [ServiceName](#mdmstorefirewallrulesfirewallrulenameappservicename)
+ - [Description](#mdmstorefirewallrulesfirewallrulenamedescription)
+ - [Direction](#mdmstorefirewallrulesfirewallrulenamedirection)
+ - [EdgeTraversal](#mdmstorefirewallrulesfirewallrulenameedgetraversal)
+ - [Enabled](#mdmstorefirewallrulesfirewallrulenameenabled)
+ - [IcmpTypesAndCodes](#mdmstorefirewallrulesfirewallrulenameicmptypesandcodes)
+ - [InterfaceTypes](#mdmstorefirewallrulesfirewallrulenameinterfacetypes)
+ - [LocalAddressRanges](#mdmstorefirewallrulesfirewallrulenamelocaladdressranges)
+ - [LocalPortRanges](#mdmstorefirewallrulesfirewallrulenamelocalportranges)
+ - [LocalUserAuthorizedList](#mdmstorefirewallrulesfirewallrulenamelocaluserauthorizedlist)
+ - [Name](#mdmstorefirewallrulesfirewallrulenamename)
+ - [PolicyAppId](#mdmstorefirewallrulesfirewallrulenamepolicyappid)
+ - [Profiles](#mdmstorefirewallrulesfirewallrulenameprofiles)
+ - [Protocol](#mdmstorefirewallrulesfirewallrulenameprotocol)
+ - [RemoteAddressDynamicKeywords](#mdmstorefirewallrulesfirewallrulenameremoteaddressdynamickeywords)
+ - [RemoteAddressRanges](#mdmstorefirewallrulesfirewallrulenameremoteaddressranges)
+ - [RemotePortRanges](#mdmstorefirewallrulesfirewallrulenameremoteportranges)
+ - [Status](#mdmstorefirewallrulesfirewallrulenamestatus)
+ - [Global](#mdmstoreglobal)
+ - [BinaryVersionSupported](#mdmstoreglobalbinaryversionsupported)
+ - [CRLcheck](#mdmstoreglobalcrlcheck)
+ - [CurrentProfiles](#mdmstoreglobalcurrentprofiles)
+ - [DisableStatefulFtp](#mdmstoreglobaldisablestatefulftp)
+ - [EnablePacketQueue](#mdmstoreglobalenablepacketqueue)
+ - [IPsecExempt](#mdmstoreglobalipsecexempt)
+ - [OpportunisticallyMatchAuthSetPerKM](#mdmstoreglobalopportunisticallymatchauthsetperkm)
+ - [PolicyVersion](#mdmstoreglobalpolicyversion)
+ - [PolicyVersionSupported](#mdmstoreglobalpolicyversionsupported)
+ - [PresharedKeyEncoding](#mdmstoreglobalpresharedkeyencoding)
+ - [SaIdleTime](#mdmstoreglobalsaidletime)
+ - [HyperVFirewallRules](#mdmstorehypervfirewallrules)
+ - [{FirewallRuleName}](#mdmstorehypervfirewallrulesfirewallrulename)
+ - [Action](#mdmstorehypervfirewallrulesfirewallrulenameaction)
+ - [Type](#mdmstorehypervfirewallrulesfirewallrulenameactiontype)
+ - [Direction](#mdmstorehypervfirewallrulesfirewallrulenamedirection)
+ - [Enabled](#mdmstorehypervfirewallrulesfirewallrulenameenabled)
+ - [LocalAddressRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocaladdressranges)
+ - [LocalPortRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocalportranges)
+ - [Name](#mdmstorehypervfirewallrulesfirewallrulenamename)
+ - [Priority](#mdmstorehypervfirewallrulesfirewallrulenamepriority)
+ - [Protocol](#mdmstorehypervfirewallrulesfirewallrulenameprotocol)
+ - [RemoteAddressRanges](#mdmstorehypervfirewallrulesfirewallrulenameremoteaddressranges)
+ - [RemotePortRanges](#mdmstorehypervfirewallrulesfirewallrulenameremoteportranges)
+ - [Status](#mdmstorehypervfirewallrulesfirewallrulenamestatus)
+ - [VMCreatorId](#mdmstorehypervfirewallrulesfirewallrulenamevmcreatorid)
+ - [HyperVVMSettings](#mdmstorehypervvmsettings)
+ - [{VMCreatorId}](#mdmstorehypervvmsettingsvmcreatorid)
+ - [DefaultInboundAction](#mdmstorehypervvmsettingsvmcreatoriddefaultinboundaction)
+ - [DefaultOutboundAction](#mdmstorehypervvmsettingsvmcreatoriddefaultoutboundaction)
+ - [EnableFirewall](#mdmstorehypervvmsettingsvmcreatoridenablefirewall)
+ - [EnableLoopback](#mdmstorehypervvmsettingsvmcreatoridenableloopback)
+ - [PrivateProfile](#mdmstoreprivateprofile)
+ - [AllowLocalIpsecPolicyMerge](#mdmstoreprivateprofileallowlocalipsecpolicymerge)
+ - [AllowLocalPolicyMerge](#mdmstoreprivateprofileallowlocalpolicymerge)
+ - [AuthAppsAllowUserPrefMerge](#mdmstoreprivateprofileauthappsallowuserprefmerge)
+ - [DefaultInboundAction](#mdmstoreprivateprofiledefaultinboundaction)
+ - [DefaultOutboundAction](#mdmstoreprivateprofiledefaultoutboundaction)
+ - [DisableInboundNotifications](#mdmstoreprivateprofiledisableinboundnotifications)
+ - [DisableStealthMode](#mdmstoreprivateprofiledisablestealthmode)
+ - [DisableStealthModeIpsecSecuredPacketExemption](#mdmstoreprivateprofiledisablestealthmodeipsecsecuredpacketexemption)
+ - [DisableUnicastResponsesToMulticastBroadcast](#mdmstoreprivateprofiledisableunicastresponsestomulticastbroadcast)
+ - [EnableFirewall](#mdmstoreprivateprofileenablefirewall)
+ - [EnableLogDroppedPackets](#mdmstoreprivateprofileenablelogdroppedpackets)
+ - [EnableLogIgnoredRules](#mdmstoreprivateprofileenablelogignoredrules)
+ - [EnableLogSuccessConnections](#mdmstoreprivateprofileenablelogsuccessconnections)
+ - [GlobalPortsAllowUserPrefMerge](#mdmstoreprivateprofileglobalportsallowuserprefmerge)
+ - [LogFilePath](#mdmstoreprivateprofilelogfilepath)
+ - [LogMaxFileSize](#mdmstoreprivateprofilelogmaxfilesize)
+ - 
[Shielded](#mdmstoreprivateprofileshielded) + - [PublicProfile](#mdmstorepublicprofile) + - [AllowLocalIpsecPolicyMerge](#mdmstorepublicprofileallowlocalipsecpolicymerge) + - [AllowLocalPolicyMerge](#mdmstorepublicprofileallowlocalpolicymerge) + - [AuthAppsAllowUserPrefMerge](#mdmstorepublicprofileauthappsallowuserprefmerge) + - [DefaultInboundAction](#mdmstorepublicprofiledefaultinboundaction) + - [DefaultOutboundAction](#mdmstorepublicprofiledefaultoutboundaction) + - [DisableInboundNotifications](#mdmstorepublicprofiledisableinboundnotifications) + - [DisableStealthMode](#mdmstorepublicprofiledisablestealthmode) + - [DisableStealthModeIpsecSecuredPacketExemption](#mdmstorepublicprofiledisablestealthmodeipsecsecuredpacketexemption) + - [DisableUnicastResponsesToMulticastBroadcast](#mdmstorepublicprofiledisableunicastresponsestomulticastbroadcast) + - [EnableFirewall](#mdmstorepublicprofileenablefirewall) + - [EnableLogDroppedPackets](#mdmstorepublicprofileenablelogdroppedpackets) + - [EnableLogIgnoredRules](#mdmstorepublicprofileenablelogignoredrules) + - [EnableLogSuccessConnections](#mdmstorepublicprofileenablelogsuccessconnections) + - [GlobalPortsAllowUserPrefMerge](#mdmstorepublicprofileglobalportsallowuserprefmerge) + - [LogFilePath](#mdmstorepublicprofilelogfilepath) + - [LogMaxFileSize](#mdmstorepublicprofilelogmaxfilesize) + - [Shielded](#mdmstorepublicprofileshielded) + + + +## MdmStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore ``` -./Vendor/MSFT -Firewall ----- ---------Global -------------PolicyVersionSupported -------------CurrentProfiles -------------DisableStatefulFtp -------------SaIdleTime -------------PresharedKeyEncoding -------------IPsecExempt -------------CRLcheck -------------PolicyVersion -------------BinaryVersionSupported -------------OpportunisticallyMatchAuthSetPerKM -------------EnablePacketQueue ---------DomainProfile -------------EnableFirewall -------------DisableStealthMode -------------Shielded -------------DisableUnicastResponsesToMulticastBroadcast -------------EnableLogDroppedPackets -------------EnableLogSuccessConnections -------------EnableLogIgnoredRules -------------LogMaxFileSize -------------LogFilePath -------------DisableInboundNotifications -------------AuthAppsAllowUserPrefMerge -------------GlobalPortsAllowUserPrefMerge -------------AllowLocalPolicyMerge -------------AllowLocalIpsecPolicyMerge -------------DefaultOutboundAction -------------DefaultInboundAction -------------DisableStealthModeIpsecSecuredPacketExemption ---------PrivateProfile -------------EnableFirewall -------------DisableStealthMode -------------Shielded -------------DisableUnicastResponsesToMulticastBroadcast -------------EnableLogDroppedPackets -------------EnableLogSuccessConnections -------------EnableLogIgnoredRules -------------LogMaxFileSize -------------LogFilePath -------------DisableInboundNotifications -------------AuthAppsAllowUserPrefMerge -------------GlobalPortsAllowUserPrefMerge -------------AllowLocalPolicyMerge -------------AllowLocalIpsecPolicyMerge -------------DefaultOutboundAction -------------DefaultInboundAction -------------DisableStealthModeIpsecSecuredPacketExemption ---------PublicProfile -------------EnableFirewall -------------DisableStealthMode -------------Shielded 
-------------DisableUnicastResponsesToMulticastBroadcast -------------EnableLogDroppedPackets -------------EnableLogSuccessConnections -------------EnableLogIgnoredRules -------------LogMaxFileSize -------------LogFilePath -------------DisableInboundNotifications -------------AuthAppsAllowUserPrefMerge -------------GlobalPortsAllowUserPrefMerge -------------AllowLocalPolicyMerge -------------AllowLocalIpsecPolicyMerge -------------DefaultOutboundAction -------------DefaultInboundAction -------------DisableStealthModeIpsecSecuredPacketExemption ---------FirewallRules -------------FirewallRuleName -----------------App ---------------------PackageFamilyName ---------------------FilePath ---------------------Fqbn ---------------------ServiceName -----------------Protocol -----------------LocalPortRanges -----------------RemotePortRanges -----------------IcmpTypesAndCodes -----------------LocalAddressRanges -----------------RemoteAddressRanges -----------------Description -----------------Enabled -----------------Profiles -----------------Action ---------------------Type -----------------Direction -----------------InterfaceTypes -----------------EdgeTraversal -----------------LocalUserAuthorizationList -----------------FriendlyName -----------------Status -----------------Name -----------------RemoteAddressDynamicKeywords ---------DynamicKeywords -----------------Addresses --------------------------Id ----------------------------------Keyword ----------------------------------Addresses ----------------------------------AutoResolve + + + + + + + + +Interior node. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### MdmStore/DomainProfile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile ``` + -**./Vendor/MSFT/Firewall** -Root node for the Firewall configuration service provider. + + + -**MdmStore** -Interior node. -Supported operation is Get. + + + -**MdmStore/Global** -Interior node. -Supported operations are Get. + +**Description framework properties**: -**MdmStore/Global/PolicyVersionSupported** -Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build. -Value type in integer. Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**MdmStore/Global/CurrentProfiles** -Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it's not merged and has no merge law. -Value type in integer. Supported operation is Get. + + + -**MdmStore/Global/DisableStatefulFtp** -Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win. -Default value is false. + -Data type is bool. Supported operations are Add, Get, Replace, and Delete. + +#### MdmStore/DomainProfile/AllowLocalIpsecPolicyMerge -**MdmStore/Global/SaIdleTime** -This value configures the security association idle time, in seconds. 
Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. -Default value is 300. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -**MdmStore/Global/PresharedKeyEncoding** -Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. -Default value is 1. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/AllowLocalIpsecPolicyMerge +``` + -**MdmStore/Global/IPsecExempt** -This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. -Default value is 0. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + -**MdmStore/Global/CRLcheck** -This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. 
The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Valid valued: + + + -- 0 disables CRL checking -- 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) don't cause certificate validation to fail. -- 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing + +**Description framework properties**: -Default value is 0. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + -**MdmStore/Global/PolicyVersion** -This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law. -Value type is string. Supported operation is Get. + +**Allowed values**: -**MdmStore/Global/BinaryVersionSupported** -This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201. -Value type is string. Supported operation is Get. +| Value | Description | +|:--|:--| +| false | AllowLocalIpsecPolicyMerge Off. | +| true (Default) | AllowLocalIpsecPolicyMerge On. | + -**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** -This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. -Boolean value. Supported operations are Add, Get, Replace, and Delete. + + + -**MdmStore/Global/EnablePacketQueue** -This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. 
Valid values: + -- 0x00 indicates that all queuing is to be disabled -- 0x01 specifies that inbound encrypted packets are to be queued -- 0x02 specifies that packets are to be queued after decryption is performed for forwarding + +#### MdmStore/DomainProfile/AllowLocalPolicyMerge -Default value is 0. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/AllowLocalPolicyMerge +``` + -**MdmStore/DomainProfile** -Interior node. Supported operation is Get. + + +This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + -**MdmStore/PrivateProfile** -Interior node. Supported operation is Get. + + + -**MdmStore/PublicProfile** -Interior node. Supported operation is Get. + +**Description framework properties**: -**/EnableFirewall** -Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. -Default value is true. -Value type is bool. Supported operations are Add, Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + -**/DisableStealthMode** -Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. -Default value is false. -Value type is bool. Supported operations are Add, Get and Replace. + +**Allowed values**: -**/Shielded** -Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win. -Default value is false. +| Value | Description | +|:--|:--| +| false | AllowLocalPolicyMerge Off. | +| true (Default) | AllowLocalPolicyMerge On. | + -Value type is bool. Supported operations are Get and Replace. + + + -**/DisableUnicastResponsesToMulticastBroadcast** -Boolean value. If it's true, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. -Default value is false. -Value type is bool. Supported operations are Add, Get and Replace. + -**/EnableLogDroppedPackets** -Boolean value. If this value is true, firewall will log all dropped packets. The merge law for this option is to let "on" values win. -Default value is false. Supported operations are Get and Replace. + +#### MdmStore/DomainProfile/AuthAppsAllowUserPrefMerge -**/EnableLogSuccessConnections** -Boolean value. If this value is true, firewall will log all successful inbound connections. The merge law for this option is to let "on" values win. -Default value is false. Supported operations are Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -**/EnableLogIgnoredRules** -Boolean value. If this value is true, firewall will log ignored firewall rules. The merge law for this option is to let "on" values win. -Default value is false. Supported operations are Get and Replace. + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/AuthAppsAllowUserPrefMerge +``` + -**/LogMaxFileSize** -Integer value that specifies the size, in kilobytes, of the log file where dropped packets, successful connections and ignored rules are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. -Default value is 1024. Supported operations are Get and Replace + + +This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + -**/LogFilePath** -String value that represents the file path to the log where firewall logs dropped packets, successful connections and ignored rules. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. Default value is "%systemroot%\system32\LogFiles\Firewall\pfirewall.log". Supported operations are Get and Replace + + + -**/DisableInboundNotifications** -Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. 
The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. -Default value is false. -Value type is bool. Supported operations are Add, Get and Replace. + +**Description framework properties**: -**/AuthAppsAllowUserPrefMerge** -Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. -Default value is true. -Value type is bool. Supported operations are Add, Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + -**/GlobalPortsAllowUserPrefMerge** -Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. -Default value is true. -Value type is bool. Supported operations are Add, Get and Replace. + +**Allowed values**: -**/AllowLocalPolicyMerge** -Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. -Default value is true. +| Value | Description | +|:--|:--| +| false | AuthAppsAllowUserPrefMerge Off. | +| true (Default) | AuthAppsAllowUserPrefMerge On. | + -Value type is bool. Supported operations are Add, Get and Replace. + + + -**/AllowLocalIpsecPolicyMerge** -Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. -Default value is true. + -Value type is bool. Supported operations are Add, Get and Replace. + +#### MdmStore/DomainProfile/DefaultInboundAction -**/DefaultOutboundAction** -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will allow all outbound traffic unless it's explicitly specified not to allow. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -- 0x00000000 - allow -- 0x00000001 - block + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DefaultInboundAction +``` + -Default value is 0 (allow). -Value type is integer. Supported operations are Add, Get and Replace. + + +This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + -Sample syncxml to provision the firewall settings to evaluate + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 1 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Allow Inbound By Default. | +| 1 (Default) | Block Inbound By Default. | + + + + + + + + + +#### MdmStore/DomainProfile/DefaultOutboundAction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DefaultOutboundAction +``` + + + + +This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow Outbound By Default. | +| 1 | Block Outbound By Default. | + + + + +**Example**: ```xml @@ -315,217 +500,5222 @@ Sample syncxml to provision the firewall settings to evaluate - ``` + -**/DefaultInboundAction** -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used. + -- 0x00000000 - allow -- 0x00000001 - block + +#### MdmStore/DomainProfile/DisableInboundNotifications -Default value is 1 (block). -Value type is integer. Supported operations are Add, Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -**/DisableStealthModeIpsecSecuredPacketExemption** -Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. -Default value is true. -Value type is bool. Supported operations are Add, Get and Replace. + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DisableInboundNotifications +``` + -**FirewallRules** -A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed. + + +This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + -**FirewallRules/_FirewallRuleName_** -Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). -Supported operations are Add, Get, Replace, and Delete. + + + -**FirewallRules/_FirewallRuleName_/App** -Rules that control connections for an app, program, or service. 
Specified based on the intersection of the following nodes: + +**Description framework properties**: -- PackageFamilyName -- FilePath -- FQBN -- ServiceName +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + -If not specified, the default is All. -Supported operation is Get. + +**Allowed values**: -**FirewallRules/_FirewallRuleName_/App/PackageFamilyName** -This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. -Value type is string. Supported operations are Add, Get, Replace, and Delete. +| Value | Description | +|:--|:--| +| false (Default) | Firewall May Display Notification. | +| true | Firewall Must Not Display Notification. | + -**FirewallRules/_FirewallRuleName_/App/FilePath** -This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + -**FirewallRules/_FirewallRuleName_/App/Fqbn** -Fully Qualified Binary Name -Value type is string. Supported operations are Add, Get, Replace, and Delete. + -**FirewallRules/_FirewallRuleName_/App/ServiceName** -This parameter is a service name used in cases when a service, not an application, is sending or receiving traffic. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + +#### MdmStore/DomainProfile/DisableStealthMode -**FirewallRules/_FirewallRuleName_/Protocol** -0-255 number representing the ip protocol (TCP = 6, UDP = 17) -If not specified, the default is All. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -**FirewallRules/_FirewallRuleName_/LocalPortRanges** -Comma separated list of ranges. For example, 100-120,200,300-320. -If not specified, the default is All. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DisableStealthMode +``` + -**FirewallRules/_FirewallRuleName_/RemotePortRanges** -Comma separated list of ranges, For example, 100-120,200,300-320. -If not specified, the default is All. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + + +This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + -**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes** -Comma separated list of ICMP types and codes applicable to the firewall rule. To specify all ICMP types and codes, use the “\*” character. For specific ICMP types and codes, use the “:” character to separate the type and code, for example, 3:4, 1:\*. The “\*” character can be used to represent any code. The “\*” character cannot be used to specify any type; examples such as “\*:4” or “\*:\*” are invalid. -If not specified, the default is All. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**Description framework properties**: -**FirewallRules/*FirewallRuleName*/LocalAddressRanges** -Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include: +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [EnableFirewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + -- "*" indicates any local address. If present, the local address must be the only token included. -- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255. -- A valid IPv4 address. -- A valid IPv6 address. -- An IPv4 address range in the format of "start address - end address" with no spaces included. -- An IPv6 address range in the format of "start address - end address" with no spaces included. + +**Allowed values**: -If not specified, the default is All. -Value type is string. Supported operations are Add, Get, Replace, and Delete. +| Value | Description | +|:--|:--| +| false (Default) | Use Stealth Mode. | +| true | Disable Stealth Mode. | + -**FirewallRules/*FirewallRuleName*/RemoteAddressRanges** -List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: + + + -- "*" indicates any remote address. If present, the address must be the only token included. -- "Defaultgateway" -- "DHCP" -- "DNS" -- "WINS" -- "Intranet" -- "RmtIntranet" -- "Internet" -- "Ply2Renders" -- "LocalSubnet" indicates any local address on the local subnet. This token isn't case-sensitive. -- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255. -- A valid IPv4 address. -- A valid IPv6 address. -- An IPv4 address range in the format of "start address - end address" with no spaces included. -- An IPv6 address range in the format of "start address - end address" with no spaces included. + -If not specified, the default is All. -Value type is string. Supported operations are Add, Get, Replace, and Delete. -The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later. 
+ +#### MdmStore/DomainProfile/DisableStealthModeIpsecSecuredPacketExemption -**FirewallRules/_FirewallRuleName_/Description** -Specifies the description of the rule. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -**FirewallRules/_FirewallRuleName_/Enabled** -Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -If not specified - a new rule is enabled by default. -Boolean value. Supported operations are Get and Replace. + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DisableStealthModeIpsecSecuredPacketExemption +``` + -**FirewallRules/_FirewallRuleName_/Profiles** -Specifies the profiles to which the rule belongs: Domain, Private, or Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. -If not specified, the default is All. -Value type is integer. Supported operations are Get and Replace. + + +This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + -**FirewallRules/_FirewallRuleName_/Action** -Specifies the action for the rule. -Supported operation is Get. + + + -**FirewallRules/_FirewallRuleName_/Action/Type** -Specifies the action the rule enforces. Supported values: + +**Description framework properties**: -- 0 - Block -- 1 - Allow +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + -If not specified, the default is allow. -Value type is integer. Supported operations are Get and Replace. + +**Allowed values**: -**FirewallRules/_FirewallRuleName_/Direction** -The rule is enabled based on the traffic direction as following. Supported values: +| Value | Description | +|:--|:--| +| false | FALSE. | +| true (Default) | TRUE. | + -- IN - the rule applies to inbound traffic. -- OUT - the rule applies to outbound traffic. -- If not specified, the default is Out. + + + -Value type is string. Supported operations are Get and Replace. + -**FirewallRules/_FirewallRuleName_/InterfaceTypes** -Comma separated list of interface types. Valid values: + +#### MdmStore/DomainProfile/DisableUnicastResponsesToMulticastBroadcast -- RemoteAccess -- Wireless -- Lan -- MBB (i.e. Mobile Broadband) + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -If not specified, the default is All. -Value type is string. Supported operations are Get and Replace. + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DisableUnicastResponsesToMulticastBroadcast +``` + -**FirewallRules/_FirewallRuleName_/EdgeTraversal** -Indicates whether edge traversal is enabled or disabled for this rule. -The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. -New rules have the EdgeTraversal property disabled by default. -Value type is bool. Supported operations are Add, Get, Replace, and Delete. + + +This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + -**FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList** -Specifies the list of authorized local users for this rule. This list is a string in Security Descriptor Definition Language (SDDL) format. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + -**FirewallRules/_FirewallRuleName_/Status** -Provides information about the specific version of the rule in deployment for monitoring purposes. -Value type is string. Supported operation is Get. + +**Description framework properties**: -**FirewallRules/_FirewallRuleName_/Name** -Name of the rule. -Value type is string. Supported operations are Add, Get, Replace, and Delete. 
+| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + -**FirewallRules/_FirewallRuleName_/RemoteAddressDynamicKeywords** -Comma separated list of Dynamic Keyword Address Ids (GUID strings) specifying the remote addresses covered by the rule. -Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**Allowed values**: +| Value | Description | +|:--|:--| +| false (Default) | Unicast Responses Not Blocked. | +| true | Unicast Responses Blocked. | + -**MdmStore/DynamicKeywords** -Interior node. -Supported operation is Get. + + + -**MdmStore/DynamicKeywords/Addresses** -Interior node. -Supported operation is Get. + -**MdmStore/DynamicKeywords/Addresses/Id** + +#### MdmStore/DomainProfile/EnableFirewall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall +``` + + + + +This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disable Firewall. | +| true (Default) | Enable Firewall. | + + + + + + + + + +#### MdmStore/DomainProfile/EnableLogDroppedPackets + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogDroppedPackets +``` + + + + +This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable Logging Of Dropped Packets. | +| true | Enable Logging Of Dropped Packets. | + + + + + + + + + +#### MdmStore/DomainProfile/EnableLogIgnoredRules + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogIgnoredRules +``` + + + + +This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
|
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disable Logging Of Ignored Rules. |
+| true | Enable Logging Of Ignored Rules. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/DomainProfile/EnableLogSuccessConnections
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogSuccessConnections
+```
+
+
+
+
+This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | false |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
|
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disable Logging Of Successful Connections. |
+| true | Enable Logging Of Successful Connections. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/DomainProfile/GlobalPortsAllowUserPrefMerge
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/DomainProfile/GlobalPortsAllowUserPrefMerge
+```
+
+
+
+
+This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | true |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
|
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | GlobalPortsAllowUserPrefMerge Off. |
+| true (Default) | GlobalPortsAllowUserPrefMerge On. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/DomainProfile/LogFilePath
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogFilePath
+```
+
+
+
+
+This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+| Default Value | %systemroot%\system32\LogFiles\Firewall\pfirewall.log |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
|
+
+
+
+
+
+
+
+
+
+#### MdmStore/DomainProfile/LogMaxFileSize
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogMaxFileSize
+```
+
+
+
+
+This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+| Default Value | 1024 |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
|
+
+
+
+
+
+
+
+
+
+#### MdmStore/DomainProfile/Shielded
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/DomainProfile/Shielded
+```
+
+
+
+
+This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Replace |
+| Default Value | false |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
|
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Shielding Off. |
+| true | Shielding On. |
+
+
+
+
+
+
+
+
+
+### MdmStore/DynamicKeywords
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### MdmStore/DynamicKeywords/Addresses
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses
+```
+
+
+
+
+A list of dynamic keyword addresses for use within firewall rules. Dynamic keyword addresses can either be a simple alias object or fully-qualified domain names which will be auto-resolved in the presence of the Microsoft Defender Advanced Threat Protection Service.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### MdmStore/DynamicKeywords/Addresses/{Id}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/{Id}
+```
+
+
+
+
 A unique GUID string identifier for this dynamic keyword address.
-Value type is string. Supported operations are Add, Delete, and Get.
+
-**MdmStore/DynamicKeywords/Addresses/Id/Keyword**
-A String representing a keyword. If the AutoResolve value is true, this should be a Fully Qualified Domain Name (wildcards accepted, for example "contoso.com" or "*.contoso.com").
-Value type is string. Supported operations are Add, Delete, and Get.
+
+
+
-**MdmStore/DynamicKeywords/Addresses/Id/Addresses**
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Atomic Required | True |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` |
+
+
+
+
+
+
+
+
+
+###### MdmStore/DynamicKeywords/Addresses/{Id}/Addresses
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/{Id}/Addresses
+```
+
+
+
+
 Consists of one or more comma-delimited tokens specifying the addresses covered by this keyword. This value should not be set if AutoResolve is true.
- Valid tokens include:
-- A subnet specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
-- A valid IPv4 address.
-- A valid IPv6 address.
-- An IPv4 address range in the format of "start address-end address" with no spaces included.
-- An IPv6 address range in the format of "start address-end address" with no spaces included.
-Supported operations are Add, Delete, Replace, and Get.
+A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
+A valid IPv6 address.
+An IPv4 address range in the format of "start address - end address" with no spaces included.
+An IPv6 address range in the format of "start address - end address" with no spaces included.
+
-**MdmStore/DynamicKeywords/Addresses/Id/AutoResolve**
-Boolean value. If this flag is set to TRUE, then the 'keyword' field of this object is expected to be a Fully Qualified Domain Name, and the addresses will be automatically resolved. This flag should only be set if the Microsoft Defender Advanced Threat Protection Service is present.
-Value type is string. Supported operations are Add, Delete, and Get.
-Value type is string. Supported operations are Add, Delete, and Get.
+
+
+
+
+**Description framework properties**:
-## Related topics
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
+| Dependency [AutoResolve False] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/[Id]/AutoResolve`
    Dependency Allowed Value: `false`
    Dependency Allowed Value Type: `ENUM`
|
+
-[Configuration service provider reference](index.yml)
+
+
+
+
+
+
+
+###### MdmStore/DynamicKeywords/Addresses/{Id}/AutoResolve
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/{Id}/AutoResolve
+```
+
+
+
+
+If this flag is set to TRUE, then the 'keyword' field of this object is expected to be a fully qualified domain name, and the addresses will be automatically resolved. This flag should only be set if the Microsoft Defender Advanced Threat Protection Service is present.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | AutoResolve False. |
+| true | AutoResolve True. |
+
+
+
+
+
+
+
+
+
+###### MdmStore/DynamicKeywords/Addresses/{Id}/Keyword
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/{Id}/Keyword
+```
+
+
+
+
+A String representing keyword. If the AutoResolve value is true, this should be a Fully Qualified Domain name (wildcards accepted, for example "contoso.com" or "*.contoso.com"). If the AutoResolve value is false, then this can be any identifier string.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+### MdmStore/FirewallRules
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules
+```
+
+
+
+
+A list of rules controlling traffic through the Windows Firewall. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### MdmStore/FirewallRules/{FirewallRuleName}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}
+```
+
+
+
+
+Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+| Atomic Required | True |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+| Allowed Values | Regular Expression: `^[^|/]*$` |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/Action
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Action
+```
+
+
+
+
+Specifies the action for the rule.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### MdmStore/FirewallRules/{FirewallRuleName}/Action/Type
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Action/Type
+```
+
+
+
+
+Specifies the action the rule enforces:
+0 - Block
+1 - Allow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Block. |
+| 1 (Default) | Allow. |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/App
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/App
+```
+
+
+
+
+Rules that control connections for an app, program or service.
+
+Specified based on the intersection of the following nodes.
+
+PackageFamilyName
+FilePath
+FQBN
+ServiceName.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### MdmStore/FirewallRules/{FirewallRuleName}/App/FilePath
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/App/FilePath
+```
+
+
+
+
+FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### MdmStore/FirewallRules/{FirewallRuleName}/App/Fqbn
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/App/Fqbn
+```
+
+
+
+
+Fully Qualified Binary Name.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### MdmStore/FirewallRules/{FirewallRuleName}/App/PackageFamilyName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/App/PackageFamilyName
+```
+
+
+
+
+PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### MdmStore/FirewallRules/{FirewallRuleName}/App/ServiceName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/App/ServiceName
+```
+
+
+
+
+This is a service name, and is used in cases when a service, not an application, must be sending or receiving traffic.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/Description
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Description
+```
+
+
+
+
+Specifies the description of the rule.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/Direction
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Direction
+```
+
+
+
+
+Comma separated list. The rule is enabled based on the traffic direction as following.
+
+IN - the rule applies to inbound traffic.
+OUT - the rule applies to outbound traffic.
+
+If not specified the default is OUT.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+| Default Value | OUT |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| IN | The rule applies to inbound traffic. |
+| OUT (Default) | The rule applies to outbound traffic. |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/EdgeTraversal
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/EdgeTraversal
+```
+
+
+
+
+Indicates whether edge traversal is enabled or disabled for this rule.
+
+The EdgeTraversal property indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
+
+New rules have the EdgeTraversal property disabled by default.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disabled. |
+| 1 | Enabled. |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/Enabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Enabled
+```
+
+
+
+
+Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
+If not specified - a new rule is disabled by default.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disabled. |
+| 1 | Enabled. |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/IcmpTypesAndCodes
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 21H1 [10.0.19043] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/IcmpTypesAndCodes
+```
+
+
+
+
+
+
+
+
+Comma separated list of ICMP types and codes applicable to the firewall rule. To specify all ICMP types and codes, use the "\*" character. For specific ICMP types and codes, use the ":" character to separate the type and code, for example, 3:4, 1:\*. The "\*" character can be used to represent any code. The "\*" character cannot be used to specify any type; examples such as "\*:4" or "\*:\*" are invalid. If not specified, the default is All.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/InterfaceTypes
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/InterfaceTypes
+```
+
+
+
+
+String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MBB", and "All".
+If more than one interface type is specified, the strings must be separated by a comma.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | All |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| RemoteAccess | RemoteAccess. |
+| Wireless | Wireless. |
+| Lan | Lan. |
+| MBB | MobileBroadband. |
+| All (Default) | All. |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/LocalAddressRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/LocalAddressRanges
+```
+
+
+
+
+Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.
+Valid tokens include:
+"*" indicates any local address. If present, this must be the only token included.
+
+A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
+A valid IPv6 address.
+An IPv4 address range in the format of "start address - end address" with no spaces included.
+An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/LocalPortRanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/LocalPortRanges
+```
+
+
+
+
+Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/LocalUserAuthorizedList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/LocalUserAuthorizedList
+```
+
+
+
+
+Specifies the list of authorized local users for the app container.
+This is a string in Security Descriptor Definition Language (SDDL) format..
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | `` |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/Name
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Name
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/PolicyAppId
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/PolicyAppId
+```
+
+
+
+
+Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_".
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Regular Expression: `^[A-Za-z0-9_.:/]+$` |
+
+
+
+
+
+
+
+
+
+##### MdmStore/FirewallRules/{FirewallRuleName}/Profiles
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Profiles +``` + + + + +Specifies the profiles to which the rule belongs: Domain, Private, Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. If not specified, the default is All. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Flag | Description | +|:--|:--| +| 0x1 | FW_PROFILE_TYPE_DOMAIN: This value represents the profile for networks that are connected to domains. | +| 0x2 | FW_PROFILE_TYPE_STANDARD: This value represents the standard profile for networks. These networks are classified as private by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are behind Network Address Translation (NAT) devices, routers, and other edge devices, and they are in a private location, such as a home or an office. AND FW_PROFILE_TYPE_PRIVATE: This value represents the profile for private networks, which is represented by the same value as that used for FW_PROFILE_TYPE_STANDARD. | +| 0x4 | FW_PROFILE_TYPE_PUBLIC: This value represents the profile for public networks. These networks are classified as public by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are those at airports, coffee shops, and other public places where the peers in the network or the network administrator are not trusted. | +| 0x7FFFFFFF | FW_PROFILE_TYPE_ALL: This value represents all these network sets and any future network sets. 
| +| 0x80000000 | FW_PROFILE_TYPE_CURRENT: This value represents the current profiles to which the firewall and advanced security components determine the host is connected at the moment of the call. This value can be specified only in method calls, and it cannot be combined with other flags. | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/Protocol + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Protocol +``` + + + + +0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-255]` | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/RemoteAddressDynamicKeywords + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/RemoteAddressDynamicKeywords +``` + + + + +Comma separated list of Dynamic Keyword Address Ids (GUID strings) specifying the remote addresses covered by the rule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/RemoteAddressRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/RemoteAddressRanges +``` + + + + +Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: +"*" indicates any remote address. If present, this must be the only token included. +"Defaultgateway" +"DHCP" +"DNS" +"WINS" +"Intranet" +"RemoteCorpNetwork" +"Internet" +"PlayToRenderers" +"LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive. +A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +A valid IPv6 address. +An IPv4 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/RemotePortRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/RemotePortRanges +``` + + + + +Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + + + + + + + +##### MdmStore/FirewallRules/{FirewallRuleName}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Status +``` + + + + +Provides information about the specific version of the rule in deployment for monitoring purposes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### MdmStore/Global + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/Global +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### MdmStore/Global/BinaryVersionSupported + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/Global/BinaryVersionSupported +``` + + + + +This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### MdmStore/Global/CRLcheck + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/Global/CRLcheck +``` + + + + +This value specifies how certificate revocation list (CRL) verification is enforced. The value MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disables CRL checking. | +| 1 | Specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. | +| 2 | Means that checking is required and that certificate validation fails if any error is encountered during CRL processing. | + + + + + + + + + +#### MdmStore/Global/CurrentProfiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/Global/CurrentProfiles +``` + + + + +Value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### MdmStore/Global/DisableStatefulFtp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/Global/DisableStatefulFtp +``` + + + + +This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. FALSE means off; TRUE means on, so the stateful FTP is disabled. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Stateful FTP enabled. | +| true | Stateful FTP disabled. | + + + + + + + + + +#### MdmStore/Global/EnablePacketQueue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/Global/EnablePacketQueue +``` + + + + +This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a integer and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0x0 | + + + +**Allowed values**: + +| Flag | Description | +|:--|:--| +| 0x0 (Default) | Indicates that all queuing is to be disabled. | +| 0x1 | Specifies that inbound encrypted packets are to be queued. | +| 0x2 | Specifies that packets are to be queued after decryption is performed for forwarding. | + + + + + + + + + +#### MdmStore/Global/IPsecExempt + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/Global/IPsecExempt +``` + + + + +This value configures IPsec exceptions and MUST be a combination of the valid flags that are defined in [IPSEC_EXEMPT_VALUES](/openspecs/windows_protocols/ms-fasp/7daabd9f-74c3-4295-add6-e2402b01b191); therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0x0 | + + + +**Allowed values**: + +| Flag | Description | +|:--|:--| +| 0x0 (Default) | FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NONE: No IPsec exemptions. | +| 0x1 | FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NEIGHBOR_DISC: Exempt neighbor discover IPv6 ICMP type-codes from IPsec. | +| 0x2 | FW_GLOBAL_CONFIG_IPSEC_EXEMPT_ICMP: Exempt ICMP from IPsec. | +| 0x4 | FW_GLOBAL_CONFIG_IPSEC_EXEMPT_ROUTER_DISC: Exempt router discover IPv6 ICMP type-codes from IPsec. | +| 0x8 | FW_GLOBAL_CONFIG_IPSEC_EXEMPT_DHCP: Exempt both IPv4 and IPv6 DHCP traffic from IPsec. | + + + + + + + + + +#### MdmStore/Global/OpportunisticallyMatchAuthSetPerKM + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/Global/OpportunisticallyMatchAuthSetPerKM +``` + + + + +This value is used as an on/off switch. When this option is false, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true, keying modules MUST ignore only the authentication suites that they don't support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | FALSE. | +| true | TRUE. | + + + + + + + + + +#### MdmStore/Global/PolicyVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/Global/PolicyVersion +``` + + + + +This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### MdmStore/Global/PolicyVersionSupported + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/Global/PolicyVersionSupported +``` + + + + +Value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### MdmStore/Global/PresharedKeyEncoding + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/Global/PresharedKeyEncoding +``` + + + + +Specifies the preshared key encoding that is used. MUST be a valid value from the [PRESHARED_KEY_ENCODING_VALUES](/openspecs/windows_protocols/ms-fasp/b9d24a5e-7755-4c60-adeb-e0c7a718f909) enumeration. Default is 1 [UTF-8]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_NONE: Preshared key is not encoded. Instead, it is kept in its wide-character format. This symbolic constant has a value of 0. | +| 1 (Default) | FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_UTF_8: Encode the preshared key using UTF-8. This symbolic constant has a value of 1. | + + + + + + + + + +#### MdmStore/Global/SaIdleTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/Global/SaIdleTime +``` + + + + +This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Allowed Values | Range: `[300-3600]` | +| Default Value | 300 | + + + + + + + + + +### MdmStore/HyperVFirewallRules + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules +``` + + + + +A list of rules controlling traffic through the Windows Firewall for Hyper-V containers. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### MdmStore/HyperVFirewallRules/{FirewallRuleName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName} +``` + + + + +Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | +| Allowed Values | Regular Expression: `^[^|/]*$` | + + + + + + + + + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action +``` + + + + +Specifies the action for the rule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type +``` + + + + +Specifies the action the rule enforces: +0 - Block +1 - Allow. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Block. | +| 1 (Default) | Allow. | + + + + + + + + + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Direction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Direction +``` + + + + +Comma separated list. The rule is enabled based on the traffic direction as following. + +IN - the rule applies to inbound traffic. +OUT - the rule applies to outbound traffic. + +If not specified the default is OUT. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Default Value | OUT | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| IN | The rule applies to inbound traffic. | +| OUT (Default) | The rule applies to outbound traffic. | + + + + + + + + + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Enabled +``` + + + + +Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +If not specified - a new rule is disabled by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 | Enabled. | + + + + + + + + + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/LocalAddressRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/LocalAddressRanges +``` + + + + +Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. +Valid tokens include: +"*" indicates any local address. If present, this must be the only token included. + +A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +A valid IPv6 address. +An IPv4 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + + + + + + + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/LocalPortRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/LocalPortRanges +``` + + + + +Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + + + + + + + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Priority + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Priority +``` + + + + +0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-255]` | + + + + + + + + + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Protocol + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Protocol +``` + + + + +0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-65535]` | + + + + + + + + + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/RemoteAddressRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/RemoteAddressRanges +``` + + + + +Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: +"*" indicates any remote address. If present, this must be the only token included. +A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +A valid IPv6 address. +An IPv4 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + + + + + + + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/RemotePortRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/RemotePortRanges +``` + + + + +Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + + + + + + + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Status +``` + + + + +Provides information about the specific version of the rule in deployment for monitoring purposes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/VMCreatorId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/VMCreatorId +``` + + + + +This field specifies the VM Creator ID that this rule is applicable to. A NULL GUID will result in this rule applying to all VM creators. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | + + + + + + + + + +### MdmStore/HyperVVMSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings +``` + + + + +Settings for the Windows Firewall for Hyper-V containers. Each setting applies on a per-VM Creator basis. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### MdmStore/HyperVVMSettings/{VMCreatorId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId} +``` + + + + +VM Creator ID that these settings apply to. Valid format is a GUID. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | +| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | + + + + + + + + + +##### MdmStore/HyperVVMSettings/{VMCreatorId}/DefaultInboundAction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DefaultInboundAction +``` + + + + +This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 1 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Allow Inbound By Default. | +| 1 (Default) | Block Inbound By Default. | + + + + + + + + + +##### MdmStore/HyperVVMSettings/{VMCreatorId}/DefaultOutboundAction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DefaultOutboundAction +``` + + + + +This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow Outbound By Default. | +| 1 | Block Outbound By Default. | + + + + + + + + + +##### MdmStore/HyperVVMSettings/{VMCreatorId}/EnableFirewall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/EnableFirewall +``` + + + + +This value is an on/off switch for the firewall and advanced security enforcement. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disable Firewall. | +| true (Default) | Enable Firewall. | + + + + + + + + + +##### MdmStore/HyperVVMSettings/{VMCreatorId}/EnableLoopback + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/EnableLoopback +``` + + + + +This value is an on/off switch for loopback traffic. This determines if this VM type is able to send/receive loopback traffic. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable loopback. | +| true | Enable loopback. | + + + + + + + + + +### MdmStore/PrivateProfile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### MdmStore/PrivateProfile/AllowLocalIpsecPolicyMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/AllowLocalIpsecPolicyMerge +``` + + + + +This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | AllowLocalIpsecPolicyMerge Off. | +| true (Default) | AllowLocalIpsecPolicyMerge On. | + + + + + + + + + +#### MdmStore/PrivateProfile/AllowLocalPolicyMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/AllowLocalPolicyMerge +``` + + + + +This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | AllowLocalPolicyMerge Off. | +| true (Default) | AllowLocalPolicyMerge On. | + + + + + + + + + +#### MdmStore/PrivateProfile/AuthAppsAllowUserPrefMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/AuthAppsAllowUserPrefMerge +``` + + + + +This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | AuthAppsAllowUserPrefMerge Off. | +| true (Default) | AuthAppsAllowUserPrefMerge On. | + + + + + + + + + +#### MdmStore/PrivateProfile/DefaultInboundAction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DefaultInboundAction +``` + + + + +This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 1 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Allow Inbound By Default. | +| 1 (Default) | Block Inbound By Default. | + + + + + + + + + +#### MdmStore/PrivateProfile/DefaultOutboundAction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DefaultOutboundAction +``` + + + + +This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow Outbound By Default. | +| 1 | Block Outbound By Default. | + + + + +**Example**: + +```xml + + + + + + 2010 + + + ./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DefaultOutboundAction + + + int + + 1 + + + + + +``` + + + + + +#### MdmStore/PrivateProfile/DisableInboundNotifications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DisableInboundNotifications +``` + + + + +This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Firewall May Display Notification. | +| true | Firewall Must Not Display Notification. | + + + + + + + + + +#### MdmStore/PrivateProfile/DisableStealthMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DisableStealthMode +``` + + + + +This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Use Stealth Mode. | +| true | Disable Stealth Mode. | + + + + + + + + + +#### MdmStore/PrivateProfile/DisableStealthModeIpsecSecuredPacketExemption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DisableStealthModeIpsecSecuredPacketExemption +``` + + + + +This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | FALSE. | +| true (Default) | TRUE. | + + + + + + + + + +#### MdmStore/PrivateProfile/DisableUnicastResponsesToMulticastBroadcast + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DisableUnicastResponsesToMulticastBroadcast +``` + + + + +This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Unicast Responses Not Blocked. | +| true | Unicast Responses Blocked. | + + + + + + + + + +#### MdmStore/PrivateProfile/EnableFirewall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall +``` + + + + +This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disable Firewall. | +| true (Default) | Enable Firewall. | + + + + + + + + + +#### MdmStore/PrivateProfile/EnableLogDroppedPackets + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogDroppedPackets +``` + + + + +This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable Logging Of Dropped Packets. | +| true | Enable Logging Of Dropped Packets. | + + + + + + + + + +#### MdmStore/PrivateProfile/EnableLogIgnoredRules + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogIgnoredRules +``` + + + + +This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable Logging Of Ignored Rules. | +| true | Enable Logging Of Ignored Rules. | + + + + + + + + + +#### MdmStore/PrivateProfile/EnableLogSuccessConnections + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogSuccessConnections +``` + + + + +This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable Logging Of Successful Connections. | +| true | Enable Logging Of Successful Connections. | + + + + + + + + + +#### MdmStore/PrivateProfile/GlobalPortsAllowUserPrefMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/GlobalPortsAllowUserPrefMerge +``` + + + + +This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | GlobalPortsAllowUserPrefMerge Off. | +| true (Default) | GlobalPortsAllowUserPrefMerge On. | + + + + + + + + + +#### MdmStore/PrivateProfile/LogFilePath + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogFilePath +``` + + + + +This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Default Value | %systemroot%\system32\LogFiles\Firewall\pfirewall.log | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + + + + + + + +#### MdmStore/PrivateProfile/LogMaxFileSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogMaxFileSize +``` + + + + +This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 1024 | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + + + + + + + +#### MdmStore/PrivateProfile/Shielded + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/Shielded +``` + + + + +This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | +| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Shielding Off. | +| true | Shielding On. | + + + + + + + + + +### MdmStore/PublicProfile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/AllowLocalIpsecPolicyMerge
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalIpsecPolicyMerge
+```
+
+
+
+
+This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | true |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | AllowLocalIpsecPolicyMerge Off. |
+| true (Default) | AllowLocalIpsecPolicyMerge On. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/AllowLocalPolicyMerge
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalPolicyMerge
+```
+
+
+
+
+This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | true |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | AllowLocalPolicyMerge Off. |
+| true (Default) | AllowLocalPolicyMerge On. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/AuthAppsAllowUserPrefMerge
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/AuthAppsAllowUserPrefMerge
+```
+
+
+
+
+This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | true |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | AuthAppsAllowUserPrefMerge Off. |
+| true (Default) | AuthAppsAllowUserPrefMerge On. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/DefaultInboundAction
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DefaultInboundAction
+```
+
+
+
+
+This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Default Value | 1 |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Allow Inbound By Default. |
+| 1 (Default) | Block Inbound By Default. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/DefaultOutboundAction
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DefaultOutboundAction
+```
+
+
+
+
+This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Default Value | 0 |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow Outbound By Default. | +| 1 | Block Outbound By Default. | + + + + +**Example**: + +```xml + + + + + + 2010 + + + ./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DefaultOutboundAction + + + int + + 1 + + + + + +``` + + + + + +#### MdmStore/PublicProfile/DisableInboundNotifications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DisableInboundNotifications
+```
+
+
+
+
+This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | false |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Firewall May Display Notification. |
+| true | Firewall Must Not Display Notification. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/DisableStealthMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DisableStealthMode
+```
+
+
+
+
+This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | false |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Use Stealth Mode. |
+| true | Disable Stealth Mode. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/DisableStealthModeIpsecSecuredPacketExemption
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DisableStealthModeIpsecSecuredPacketExemption
+```
+
+
+
+
+This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | true |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | FALSE. |
+| true (Default) | TRUE. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/DisableUnicastResponsesToMulticastBroadcast
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DisableUnicastResponsesToMulticastBroadcast
+```
+
+
+
+
+This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | false |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Unicast Responses Not Blocked. |
+| true | Unicast Responses Blocked. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/EnableFirewall
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
+```
+
+
+
+
+This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | true |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Disable Firewall. |
+| true (Default) | Enable Firewall. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/EnableLogDroppedPackets
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogDroppedPackets
+```
+
+
+
+
+This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | false |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disable Logging Of Dropped Packets. |
+| true | Enable Logging Of Dropped Packets. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/EnableLogIgnoredRules
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogIgnoredRules
+```
+
+
+
+
+This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | false |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disable Logging Of Ignored Rules. |
+| true | Enable Logging Of Ignored Rules. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/EnableLogSuccessConnections
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogSuccessConnections
+```
+
+
+
+
+This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | false |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disable Logging Of Successful Connections. |
+| true | Enable Logging Of Successful Connections. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/GlobalPortsAllowUserPrefMerge
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/GlobalPortsAllowUserPrefMerge
+```
+
+
+
+
+This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | true |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | GlobalPortsAllowUserPrefMerge Off. |
+| true (Default) | GlobalPortsAllowUserPrefMerge On. |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/LogFilePath
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogFilePath
+```
+
+
+
+
+This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+| Default Value | %systemroot%\system32\LogFiles\Firewall\pfirewall.log |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/LogMaxFileSize
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogMaxFileSize
+```
+
+
+
+
+This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+| Default Value | 1024 |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    |
+
+
+
+
+
+
+
+
+
+#### MdmStore/PublicProfile/Shielded
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Vendor/MSFT/Firewall/MdmStore/PublicProfile/Shielded
+```
+
+
+
+
+This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | false |
+| Dependency [Enable Firewall] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall`
    Dependency Allowed Value: `true`
    Dependency Allowed Value Type: `ENUM`
    |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Shielding Off. |
+| true | Shielding On. |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index c270f2f6f9..a55d7cb441 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -1,38 +1,80 @@ --- title: Firewall DDF file -description: Learn about the OMA DM device description framework (DDF) for the Firewall configuration service provider. +description: View the XML file containing the device description framework (DDF) for the Firewall configuration service provider. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/27/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- -# Firewall CSP + +# Firewall DDF file -This topic shows the OMA DM device description framework (DDF) for the **Firewall** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). +The following XML file contains the device description framework (DDF) for the Firewall configuration service provider. ```xml -]> +]> 1.2 + + + + Firewall + ./Vendor/MSFT + + + + + Root node for the Firewall configuration service provider. + + + + + + + + + + + + + + 10.0.16299 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + MdmStore + + + + + + + + + + + + + + + + + - Firewall - ./Vendor/MSFT + Global - Root node for the Firewall configuration service provider. @@ -43,17 +85,18 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - + - MdmStore + PolicyVersionSupported + Value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build. - + 
@@ -62,1214 +105,2973 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - + + + + CurrentProfiles + + + + + Value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. + + + + + + + + + + + + + + + + DisableStatefulFtp + + + + + + false + This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. FALSE means off; TRUE means on, so the stateful FTP is disabled. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + + false + Stateful FTP enabled + + + true + Stateful FTP disabled + + + + + + SaIdleTime + + + + + + 300 + This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + + + + + + + + + + + + + + [300-3600] + + + + + PresharedKeyEncoding + + + + + + 1 + Specifies the preshared key encoding that is used. MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. Default is 1 [UTF-8]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + + + + + + + + + + + + + + + 0 + FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_NONE: Preshared key is not encoded. Instead, it is kept in its wide-character format. This symbolic constant has a value of 0. + + + 1 + FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_UTF_8: Encode the preshared key using UTF-8. This symbolic constant has a value of 1. 
+ + + + + + IPsecExempt + + + + + + 0x0 + This value configures IPsec exceptions and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + + + + + + + + + + + + + + + 0x0 + FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NONE: No IPsec exemptions. + + + 0x1 + FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NEIGHBOR_DISC: Exempt neighbor discover IPv6 ICMP type-codes from IPsec. + + + 0x2 + FW_GLOBAL_CONFIG_IPSEC_EXEMPT_ICMP: Exempt ICMP from IPsec. + + + 0x4 + FW_GLOBAL_CONFIG_IPSEC_EXEMPT_ROUTER_DISC: Exempt router discover IPv6 ICMP type-codes from IPsec. + + + 0x8 + FW_GLOBAL_CONFIG_IPSEC_EXEMPT_DHCP: Exempt both IPv4 and IPv6 DHCP traffic from IPsec. + + + + + + CRLcheck + + + + + + This value specifies how certificate revocation list (CRL) verification is enforced. The value MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. 
+ + + + + + + + + + + + + + + 0 + Disables CRL checking + + + 1 + Specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. + + + 2 + Means that checking is required and that certificate validation fails if any error is encountered during CRL processing + + + + + + PolicyVersion + + + + + This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law. + + + + + + + + + + + + + + + + BinaryVersionSupported + + + + + This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201. + + + + + + + + + + + + + + + + OpportunisticallyMatchAuthSetPerKM + + + + + + This value is used as an on/off switch. When this option is false, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + + + + + + + + + false + FALSE + + + true + TRUE + + + + + + EnablePacketQueue + + + + + + 0x0 + This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a integer and is a combination of flags. 
A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding. + + + + + + + + + + + + + + + 0x0 + Indicates that all queuing is to be disabled + + + 0x1 + Specifies that inbound encrypted packets are to be queued + + + 0x2 + Specifies that packets are to be queued after decryption is performed for forwarding + + + + + + + DomainProfile + + + + + + + + + + + + + + + + + + + EnableFirewall + + + + + true + This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Disable Firewall + + + true + Enable Firewall + + + + + + DisableStealthMode + + + + + + false + This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Use Stealth Mode + + + true + Disable Stealth Mode + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + Shielded + + + + + false + This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. 
+ + + + + + + + + + + + + + + false + Shielding Off + + + true + Shielding On + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableUnicastResponsesToMulticastBroadcast + + + + + + false + This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Unicast Responses Not Blocked + + + true + Unicast Responses Blocked + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogDroppedPackets + + + + + + false + This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Dropped Packets + + + true + Enable Logging Of Dropped Packets + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogSuccessConnections + + + + + + false + This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Successful Connections + + + true + Enable Logging Of Successful Connections + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogIgnoredRules + + + + + + false + This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win. 
+ + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Ignored Rules + + + true + Enable Logging Of Ignored Rules + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + LogMaxFileSize + + + + + + 1024 + This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + [0-4294967295] + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + LogFilePath + + + + + + %systemroot%\system32\LogFiles\Firewall\pfirewall.log + This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableInboundNotifications + + + + + + false + This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
+ + + + + + + + + + + + + + + false + Firewall May Display Notification + + + true + Firewall Must Not Display Notification + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AuthAppsAllowUserPrefMerge + + + + + + true + This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + AuthAppsAllowUserPrefMerge Off + + + true + AuthAppsAllowUserPrefMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + GlobalPortsAllowUserPrefMerge + + + + + + true + This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + GlobalPortsAllowUserPrefMerge Off + + + true + GlobalPortsAllowUserPrefMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AllowLocalPolicyMerge + + + + + + true + This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. 
+ + + + + + + + + + + + + + + false + AllowLocalPolicyMerge Off + + + true + AllowLocalPolicyMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AllowLocalIpsecPolicyMerge + + + + + + true + This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + + + + + + + + + + + + + + + false + AllowLocalIpsecPolicyMerge Off + + + true + AllowLocalIpsecPolicyMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DefaultOutboundAction + + + + + + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + 0 + Allow Outbound By Default + + + 1 + Block Outbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DefaultInboundAction + + + + + + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. 
+ + + + + + + + + + + + + + + 0 + Allow Inbound By Default + + + 1 + Block Inbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableStealthModeIpsecSecuredPacketExemption + + + + + + true + This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + + + + + + + + + false + FALSE + + + true + TRUE + + + + + + Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + + PrivateProfile + + + + + + + + + + + + + + + + + + + EnableFirewall + + + + + + + true + This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Disable Firewall + + + true + Enable Firewall + + + + + + DisableStealthMode + + + + + + false + This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
+ + + + + + + + + + + + + + + false + Use Stealth Mode + + + true + Disable Stealth Mode + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + Shielded + + + + + + false + This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + + false + Shielding Off + + + true + Shielding On + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableUnicastResponsesToMulticastBroadcast + + + + + + false + This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Unicast Responses Not Blocked + + + true + Unicast Responses Blocked + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogDroppedPackets + + + + + + false + This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Dropped Packets + + + true + Enable Logging Of Dropped Packets + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogSuccessConnections + + + + + + false + This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win. 
+ + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Successful Connections + + + true + Enable Logging Of Successful Connections + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogIgnoredRules + + + + + + false + This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Ignored Rules + + + true + Enable Logging Of Ignored Rules + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + LogMaxFileSize + + + + + + 1024 + This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + [0-4294967295] + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + LogFilePath + + + + + + %systemroot%\system32\LogFiles\Firewall\pfirewall.log + This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. 
+ + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableInboundNotifications + + + + + + false + This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Firewall May Display Notification + + + true + Firewall Must Not Display Notification + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AuthAppsAllowUserPrefMerge + + + + + + true + This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + AuthAppsAllowUserPrefMerge Off + + + true + AuthAppsAllowUserPrefMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + GlobalPortsAllowUserPrefMerge + + + + + + true + This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
+ + + + + + + + + + + + + + + false + GlobalPortsAllowUserPrefMerge Off + + + true + GlobalPortsAllowUserPrefMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AllowLocalPolicyMerge + + + + + + true + This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + + + + + + + + + + + + + + + false + AllowLocalPolicyMerge Off + + + true + AllowLocalPolicyMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AllowLocalIpsecPolicyMerge + + + + + + true + This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + + + + + + + + + + + + + + + false + AllowLocalIpsecPolicyMerge Off + + + true + AllowLocalIpsecPolicyMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DefaultOutboundAction + + + + + + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
+ + + + + + + + + + + + + + + 0 + Allow Outbound By Default + + + 1 + Block Outbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DefaultInboundAction + + + + + + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + 0 + Allow Inbound By Default + + + 1 + Block Inbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableStealthModeIpsecSecuredPacketExemption + + + + + + true + This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + + + + + + + + + false + FALSE + + + true + TRUE + + + + + + Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + + PublicProfile + + + + + + + + + + + + + + + + + + + EnableFirewall + + + + + + true + This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. 
The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Disable Firewall + + + true + Enable Firewall + + + + + + DisableStealthMode + + + + + + false + This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Use Stealth Mode + + + true + Disable Stealth Mode + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + Shielded + + + + + + false + This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + + false + Shielding Off + + + true + Shielding On + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableUnicastResponsesToMulticastBroadcast + + + + + + false + This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Unicast Responses Not Blocked + + + true + Unicast Responses Blocked + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogDroppedPackets + + + + + + false + This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. 
The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Dropped Packets + + + true + Enable Logging Of Dropped Packets + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogSuccessConnections + + + + + + false + This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Successful Connections + + + true + Enable Logging Of Successful Connections + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + EnableLogIgnoredRules + + + + + + false + This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + false + Disable Logging Of Ignored Rules + + + true + Enable Logging Of Ignored Rules + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + LogMaxFileSize + + + + + + 1024 + This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. 
+ + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + [0-4294967295] + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + LogFilePath + + + + + + %systemroot%\system32\LogFiles\Firewall\pfirewall.log + This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. + + + + + + + + + + + + + + 10.0.22621 + 1.0 + + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableInboundNotifications + + + + + + false + This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + Firewall May Display Notification + + + true + Firewall Must Not Display Notification + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AuthAppsAllowUserPrefMerge + + + + + + true + This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
+ + + + + + + + + + + + + + + false + AuthAppsAllowUserPrefMerge Off + + + true + AuthAppsAllowUserPrefMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + GlobalPortsAllowUserPrefMerge + + + + + + true + This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + false + GlobalPortsAllowUserPrefMerge Off + + + true + GlobalPortsAllowUserPrefMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AllowLocalPolicyMerge + + + + + + true + This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + + + + + + + + + + + + + + + false + AllowLocalPolicyMerge Off + + + true + AllowLocalPolicyMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + AllowLocalIpsecPolicyMerge + + + + + + true + This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. 
+ + + + + + + + + + + + + + + false + AllowLocalIpsecPolicyMerge Off + + + true + AllowLocalIpsecPolicyMerge On + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DefaultOutboundAction + + + + + + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + 0 + Allow Outbound By Default + + + 1 + Block Outbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DefaultInboundAction + + + + + + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + + + + + 0 + Allow Inbound By Default + + + 1 + Block Inbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + DisableStealthModeIpsecSecuredPacketExemption + + + + + + true + This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + + + + + + + + + false + FALSE + + + true + TRUE + + + + + + Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall + + + true + Enable Firewall + + + + + + + + + + HyperVVMSettings + + + + + Settings for the Windows Firewall for Hyper-V containers. Each setting applies on a per-VM Creator basis. + + + + + + + + + + + + + + + + + + + + + + + + VM Creator ID that these settings apply to. Valid format is a GUID + + + + + + + + + + VMCreatorId + + + + + + + + \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + + + - Global + EnableFirewall - + + true + This value is an on/off switch for the firewall and advanced security enforcement. - + - + - + + + + false + Disable Firewall + + + true + Enable Firewall + + - - PolicyVersionSupported - - - - - Value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build. - - - - - - - - - - - text/plain - - - - - CurrentProfiles - - - - - Value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. - - - - - - - - - - - text/plain - - - - - DisableStatefulFtp - - - - - - - - FALSE - This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. FALSE means off; TRUE means on, so the stateful FTP is disabled. The merge law for this option is to let "on" values win. 
- - - - - - - - - - - text/plain - - - - - SaIdleTime - - - - - - - - 300 - This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. - - - - - - - - - - - text/plain - - - - - PresharedKeyEncoding - - - - - - - - 1 - Specifies the preshared key encoding that is used. MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. Default is 1 [UTF-8]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. - - - - - - - - - - - text/plain - - - - - IPsecExempt - - - - - - - - 0 - This value configures IPsec exceptions and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. - - - - - - - - - - - text/plain - - - - - CRLcheck - - - - - - - - This value specifies how certificate revocation list (CRL) verification is enforced. The value MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. 
Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. - - - - - - - - - - - text/plain - - - - - PolicyVersion - - - - - This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law. - - - - - - - - - - - text/plain - - - - - BinaryVersionSupported - - - - - This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201. - - - - - - - - - - - text/plain - - - - - OpportunisticallyMatchAuthSetPerKM - - - - - - - - This value is used as an on/off switch. When this option is false, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. - - - - - - - - - - - text/plain - - - - - EnablePacketQueue - - - - - - - - 0 - This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a integer and is a combination of flags. 
A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding. - - - - - - - - - - - text/plain - - - - DomainProfile + DefaultOutboundAction + + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. - + - + - + + + + 0 + Allow Outbound By Default + + + 1 + Block Outbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/EnableFirewall + + + true + Enable Firewall + + + + + - - EnableFirewall - - - - - - - 1 - This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableStealthMode - - - - - - - 0 - This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - Shielded - - - - - - 0 - This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. - - - - - - - - - - - text/plain - - - - - DisableUnicastResponsesToMulticastBroadcast - - - - - - - 0 - This value is used as an on/off switch. 
If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableInboundNotifications - - - - - - - 0 - This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - AuthAppsAllowUserPrefMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - GlobalPortsAllowUserPrefMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - AllowLocalPolicyMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. 
- - - - - - - - - - - text/plain - - - - - AllowLocalIpsecPolicyMerge - - - - - - - 1 - This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. - - - - - - - - - - - text/plain - - - - - DefaultOutboundAction - - - - - - - 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DefaultInboundAction - - - - - - - 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableStealthModeIpsecSecuredPacketExemption - - - - - - - 1 - This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. 
- - - - - - - - - - - text/plain - - - - PrivateProfile + DefaultInboundAction + + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. - + - + - + + + + 0 + Allow Inbound By Default + + + 1 + Block Inbound By Default + + + + + + Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/EnableFirewall + + + true + Enable Firewall + + + + + - - EnableFirewall - - - - - - - 1 - This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableStealthMode - - - - - - - 0 - This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - Shielded - - - - - - 0 - This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. - - - - - - - - - - - text/plain - - - - - DisableUnicastResponsesToMulticastBroadcast - - - - - - - 0 - This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
- - - - - - - - - - - text/plain - - - - - DisableInboundNotifications - - - - - - - 0 - This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - AuthAppsAllowUserPrefMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - GlobalPortsAllowUserPrefMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - AllowLocalPolicyMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. - - - - - - - - - - - text/plain - - - - - AllowLocalIpsecPolicyMerge - - - - - - - 1 - This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. 
The merge law for this option is to always use the value of the GroupPolicyRSoPStore. - - - - - - - - - - - text/plain - - - - - DefaultOutboundAction - - - - - - - 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DefaultInboundAction - - - - - - - 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableStealthModeIpsecSecuredPacketExemption - - - - - - - 1 - This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. - - - - - - - - - - - text/plain - - - - PublicProfile + EnableLoopback - + + false + This value is an on/off switch for loopback traffic. This determines if this VM type is able to send/receive loopback traffic. 
- + - + - + + + + false + Disable loopback + + + true + Enable loopback + + - - EnableFirewall - - - - - - - 1 - This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableStealthMode - - - - - - - 0 - This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - Shielded - - - - - - 0 - This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. - - - - - - - - - - - text/plain - - - - - DisableUnicastResponsesToMulticastBroadcast - - - - - - - 0 - This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableInboundNotifications - - - - - - - 0 - This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
- - - - - - - - - - - text/plain - - - - - AuthAppsAllowUserPrefMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - GlobalPortsAllowUserPrefMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - AllowLocalPolicyMerge - - - - - - - 1 - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. - - - - - - - - - - - text/plain - - - - - AllowLocalIpsecPolicyMerge - - - - - - - 1 - This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. - - - - - - - - - - - text/plain - - - - - DefaultOutboundAction - - - - - - - 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. 
The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DefaultInboundAction - - - - - - - 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. - - - - - - - - - - - text/plain - - - - - DisableStealthModeIpsecSecuredPacketExemption - - - - - - - 1 - This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. - - - - - - - - - - - text/plain - - - + + + + FirewallRules + + + + + A list of rules controlling traffic through the Windows Firewall. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed. + + + + + + + + + + + + + + + + + + + + + + + + Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). + + + + + + + + + + FirewallRuleName + + + + + + + + ^[^|/]*$ + + + - FirewallRules + App - A list of rules controlling traffic through the Windows Firewall. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed. + Rules that control connections for an app, program or service. + +Specified based on the intersection of the following nodes. + +PackageFamilyName +FilePath +FQBN +ServiceName 
@@ -1280,11 +3082,11 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - + - + PackageFamilyName 
@@ -1292,227 +3094,220 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). + PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. - + - + - FirewallRuleName - + - - App - - - - - Rules that control connections for an app, program or service. - -Specified based on the intersection of the following nodes. - -PackageFamilyName -FilePath -FQBN -ServiceName - - - - - - - - - - - - - - - PackageFamilyName - - - - - - - - PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. - - - - - - - - - - - text/plain - - - - - FilePath - - - - - - - - FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. - - - - - - - - - - - text/plain - - - - - Fqbn - - - - - - - - Fully Qualified Binary Name - - - - - - - - - - - text/plain - - - - - ServiceName - - - - - - - - This is a service name, and is used in cases when a service, not an application, must be sending or receiving traffic. - - - - - - - - - - - text/plain - - - - - - Protocol - - - - - - - - 0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. - - - - - - - - - - - text/plain - - - - - LocalPortRanges - - - - - - - - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. - - - - - - - - - - - text/plain - - - - - RemotePortRanges - - - - - - - - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. - - - - - - - - - - - text/plain - - - - - LocalAddressRanges - - - - - - - - Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. 
+ + + FilePath + + + + + + + + FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. + + + + + + + + + + + + + + + + Fqbn + + + + + + + + Fully Qualified Binary Name + + + + + + + + + + + + + + + + ServiceName + + + + + + + + This is a service name, and is used in cases when a service, not an application, must be sending or receiving traffic. + + + + + + + + + + + + + + + + + Protocol + + + + + + + + 0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. + + + + + + + + + + + + + + [0-255] + + + + + LocalPortRanges + + + + + + + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + + + + + + + + + + + + + + + + + + RemotePortRanges + + + + + + + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + + + + + + + + + + + + + + + + + + IcmpTypesAndCodes + + + + + + + + + String value. Multiple ICMP type+code pairs can be included in the string by separating each value with a ",". If more than one ICMP type+code pair is specified, the strings must be separated by a comma. + To specify all ICMP types and codes, use the "*" character. For specific ICMP types and codes, use the ":" to separate the type and code. + The following are valid examples: 3:4 or 1:*. The "*" character can be used to represent any code. The "*" character can't be used to specify any type, examples such as "*:4" or "*:*" are invalid. + + + + + + + + + + + + + + + 10.0.19043 + 1.0 + + + + + + + + LocalAddressRanges + + + + + + + + Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. Valid tokens include: "*" indicates any local address. If present, this must be the only token included. 
@@ -1520,30 +3315,33 @@ A subnet can be specified using either the subnet mask or network prefix notatio A valid IPv6 address. An IPv4 address range in the format of "start address - end address" with no spaces included. An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. - - - - - - - - - - - text/plain - - - - - RemoteAddressRanges - - - - - - - - Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: + + + + + + + + + + + + + + + + + + + RemoteAddressRanges + + + + + + + + Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: "*" indicates any remote address. If present, this must be the only token included. "Defaultgateway" "DHCP" 
@@ -1558,288 +3356,1057 @@ A subnet can be specified using either the subnet mask or network prefix notatio A valid IPv6 address. An IPv4 address range in the format of "start address - end address" with no spaces included. An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. - - - - - - - - - - - text/plain - - - - - Description - - - - - - - - Specifies the description of the rule. - - - - - - - - - - - text/plain - - - - - Enabled - - - - - - Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. + + + + + + + + + + + + + + + + + + + RemoteAddressDynamicKeywords + + + + + + + + Comma separated list of Dynamic Keyword Address Ids (GUID strings) specifying the remote addresses covered by the rule. + + + + + + + + + + + + + + 99.9.99999 + 1.0 + + + \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + + + + + + Description + + + + + + + + Specifies the description of the rule. + + + + + + + + + + + + + + + + Enabled + + + + + + Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. - - - - - - - - - - - text/plain - - - - - Profiles - - - - - - Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All. - - - - - - - - - - - text/plain - - - - - Action - - - - - Specifies the action for the rule. - - - - - - - - - - - - - - - Type - - - - - - 1 - Specifies the action the rule enforces: + + + + + + + + + + + + + + + 0 + Disabled + + + 1 + Enabled + + + + + + Profiles + + + + + + Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. 
If not specified, the default is All. + + + + + + + + + + + + + + + 0x1 + FW_PROFILE_TYPE_DOMAIN: This value represents the profile for networks that are connected to domains. + + + 0x2 + FW_PROFILE_TYPE_STANDARD: This value represents the standard profile for networks. These networks are classified as private by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are behind Network Address Translation (NAT) devices, routers, and other edge devices, and they are in a private location, such as a home or an office. AND FW_PROFILE_TYPE_PRIVATE: This value represents the profile for private networks, which is represented by the same value as that used for FW_PROFILE_TYPE_STANDARD. + + + 0x4 + FW_PROFILE_TYPE_PUBLIC: This value represents the profile for public networks. These networks are classified as public by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are those at airports, coffee shops, and other public places where the peers in the network or the network administrator are not trusted. + + + 0x7FFFFFFF + FW_PROFILE_TYPE_ALL: This value represents all these network sets and any future network sets. + + + 0x80000000 + FW_PROFILE_TYPE_CURRENT: This value represents the current profiles to which the firewall and advanced security components determine the host is connected at the moment of the call. This value can be specified only in method calls, and it cannot be combined with other flags. + + + + + + Action + + + + + Specifies the action for the rule. + + + + + + + + + + + + + + + Type + + + + + + 1 + Specifies the action the rule enforces: 0 - Block 1 - Allow - - - - - - - - - - - text/plain - - - - - - Direction - - - - - - IN - Comma separated list. The rule is enabled based on the traffic direction as following. 
+ + + + + + + + + + + + + + + 0 + Block + + + 1 + Allow + + + + + + + Direction + + + + + + OUT + Comma separated list. The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. -If not specified the detault is IN. - - - - - - - - - - - text/plain - - - - - InterfaceTypes - - - - - - All - String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MobileBroadband", and "All". - If more than one interface type is specified, the strings must be separated by a comma. - - - - - - - - - - - text/plain - - - - - EdgeTraversal - - - - - - - - Indicates whether edge traversal is enabled or disabled for this rule. +If not specified the detault is OUT. + + + + + + + + + + + + + + + IN + The rule applies to inbound traffic. + + + OUT + The rule applies to outbound traffic. + + + + + + InterfaceTypes + + + + + + + + All + + String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MBB", and "All". + If more than one interface type is specified, the strings must be separated by a comma. + + + + + + + + + + + + + + + + RemoteAccess + RemoteAccess + + + Wireless + Wireless + + + Lan + Lan + + + MBB + MobileBroadband + + + All + All + + + + + + + EdgeTraversal + + + + + + + + Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal property indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. 
New rules have the EdgeTraversal property disabled by default. - - - - - - - - - - - text/plain - - - - - LocalUserAuthorizedList - - - - - - - - Specifies the list of authorized local users for the app container. + + + + + + + + + + + + + + + 0 + Disabled + + + 1 + Enabled + + + + + + LocalUserAuthorizedList + + + + + + + + Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.. - - - - - - - - - - - text/plain - - - - - Status - - - - - Provides information about the specific verrsion of the rule in deployment for monitoring purposes. - - - - - - - - - - - text/plain - - - - - Name - - - - - - - - - - - - - - - - - - text/plain - - - + + + + + + + + + + + + + + + + + + PolicyAppId + + + + + + + + Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". + + + + + + + + + + + + + + 99.9.99999 + 1.1 + + + ^[A-Za-z0-9_.:/]+$ + + + + + Status + + + + + Provides information about the specific verrsion of the rule in deployment for monitoring purposes. + + + + + + + + + + + + + + + + Name + + + + + + + + + + + + + + + + + + + + + + + + + HyperVFirewallRules + + + + + A list of rules controlling traffic through the Windows Firewall for Hyper-V containers. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed. + + + + + + + + + + + + + + + + + + + + + + + + Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). + + + + + + + + + + FirewallRuleName + + + + + + + + ^[^|/]*$ + + + + + Priority + + + + + + + + 0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All. + + + + + + + + + + + + + + [0-255] + + + + + Direction + + + + + + OUT + Comma separated list. The rule is enabled based on the traffic direction as following. + +IN - the rule applies to inbound traffic. 
+OUT - the rule applies to outbound traffic. + +If not specified the detault is OUT. + + + + + + + + + + + + + + + IN + The rule applies to inbound traffic. + + + OUT + The rule applies to outbound traffic. + + + + + + VMCreatorId + + + + + + + + This field specifies the VM Creator ID that this rule is applicable to. A NULL GUID will result in this rule applying to all VM creators. + + + + + + + + + + + + + + + \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + + + + + Protocol + + + + + + + + 0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. + + + + + + + + + + + + + + [0-65535] + + + + + LocalAddressRanges + + + + + + + + Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. +Valid tokens include: +"*" indicates any local address. If present, this must be the only token included. + +A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +A valid IPv6 address. +An IPv4 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. + + + + + + + + + + + + + + + + + + + LocalPortRanges + + + + + + + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + + + + + + + + + + + + + + + + + + RemoteAddressRanges + + + + + + + + Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: +"*" indicates any remote address. If present, this must be the only token included. +A subnet can be specified using either the subnet mask or network prefix notation. 
If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +A valid IPv6 address. +An IPv4 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. + + + + + + + + + + + + + + + + + + + RemotePortRanges + + + + + + + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + + + + + + + + + + + + + + + + + + Action + + + + + Specifies the action for the rule. + + + + + + + + + + + + + + + Type + + + + + + 1 + Specifies the action the rule enforces: +0 - Block +1 - Allow + + + + + + + + + + + + + + + 0 + Block + + + 1 + Allow + + + + + + + Enabled + + + + + + Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +If not specified - a new rule is disabled by default. + + + + + + + + + + + + + + + 0 + Disabled + + + 1 + Enabled + + + + + + Status + + + + + Provides information about the specific verrsion of the rule in deployment for monitoring purposes. + + + + + + + + + + + + + + + + Name + + + + + + + + + + + + + + + + + + + + + + + + + DynamicKeywords + + + + + + + + + + + + + + + + + + 99.9.99999 + 1.0 + + + + Addresses + + + + + A list of dynamic keyword addresses for use within firewall rules. Dynamic keyword addresses can either be a simple alias object or fully-qualified domain names which will be autoresolved in the presence of the Microsoft Defender Advanced Threat Protection Service. + + + + + + + + + + + + + + + + + + + + + + + A unique GUID string identifier for this dynamic keyword address. + + + + + + + + + + Id + + + + + + + + \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + + + + + Keyword + + + + + + + A String reprsenting keyword. 
If the AutoResolve value is true, this should be a Fully Qualified Domain name (wildcards accepted, for example "contoso.com" or "*.contoso.com"). If the AutoResolve value is false, then this can be any identifier string. + + + + + + + + + + + + + + + + + + Addresses + + + + + + + + Consists of one or more comma-delimited tokens specifying the addresses covered by this keyword. This value should not be set if AutoResolve is true. + Valid tokens include: + A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. + A valid IPv6 address. + An IPv4 address range in the format of "start address - end address" with no spaces included. + An IPv6 address range in the format of "start address - end address" with no spaces included. + + + + + + + + + + + + + + + + + + + Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/[Id]/AutoResolve + + + false + AutoResolve False + + + + + + + + + AutoResolve + + + + + + + false + If this flag is set to TRUE, then the 'keyword' field of this object is expected to be a fully qualified domain name, and the addresses will be automatically resolved. This flag should only be set if the Microsoft Defender Advanced Threat Protection Service is present. + + + + + + + + + + + + + + + false + AutoResolve False + + + true + AutoResolve True + + + + + ``` + +## Related articles + +[Firewall configuration service provider reference](firewall-csp.md) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 63c5843f83..a7eb92f01a 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md 
@@ -1,29 +1,23 @@ --- -title: Device HealthAttestation CSP -description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. -ms.reviewer: +title: HealthAttestation CSP +description: Learn more about the HealthAttestation CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 4/5/2022 +ms.topic: reference --- -# Device HealthAttestation CSP + -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +# HealthAttestation CSP + + The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. The following list is a description of the functions performed by the Device HealthAttestation CSP: 
@@ -32,32 +26,782 @@ The following list is a description of the functions performed by the Device Hea - Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service) - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device - Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) + + +The following list shows the HealthAttestation configuration service provider nodes: + +- ./Vendor/MSFT/HealthAttestation + - [AttestStatus](#atteststatus) + - [Certificate](#certificate) + - [CorrelationID](#correlationid) + - [CurrentProtocolVersion](#currentprotocolversion) + - [ForceRetrieve](#forceretrieve) + - [GetAttestReport](#getattestreport) + - [GetServiceCorrelationIDs](#getservicecorrelationids) + - [HASEndpoint](#hasendpoint) + - [MaxSupportedProtocolVersion](#maxsupportedprotocolversion) + - [Nonce](#nonce) + - [PreferredMaxProtocolVersion](#preferredmaxprotocolversion) + - [Status](#status) + - [TpmReadyStatus](#tpmreadystatus) + - [TriggerAttestation](#triggerattestation) + - [VerifyHealth](#verifyhealth) + + + +## AttestStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/AttestStatus +``` + + + + +AttestStatus maintains the success or failure status code for the last attestation session. + + + + +The status is always cleared prior to making the attest service call. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + +**Example**: + +- Templated SyncML Call: + + ```xml + + + + + + + ./Device/Vendor/MSFT/HealthAttestation/AttestStatus + + + + + + + + ``` + +- Sample Response: + + ```console + If Successful: 0 + If Failed: A corresponding HRESULT error code. Example: 0x80072efd, WININET_E_CANNOT_CONNECT + ``` + + + + + +## Certificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/Certificate +``` + + + + +Instructs the DHA-CSP to forward DHA-Data to the MDM server. + + + + +Value type is a base64 string. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## CorrelationID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/CorrelationID +``` + + + + +Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## CurrentProtocolVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/CurrentProtocolVersion +``` + + + + +Provides the current protocol version that the client is using to communicate with the Health Attestation Service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## ForceRetrieve + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/ForceRetrieve +``` + + + + +Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | False. | +| true | True. | + + + + + + + + + +## GetAttestReport + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/GetAttestReport +``` + + + + +Retrieve attestation session report if exists. + + + + +The report is stored in a registry key in the respective MDM enrollment store. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + +**Example**: + +- Templated SyncML Call: + + ```xml + + + + + + + ./Device/Vendor/MSFT/HealthAttestation/GetAttestReport + + + + + + + + ``` + +- Sample data: + + ```console + If Success: JWT token: aaaaaaaaaaaaa.bbbbbbbbbbbbb.cccccccccc + If failed: Previously cached report if available (the token may have already expired per the attestation policy). + OR Sync ML 404 error if no cached report available. + ``` + + + + + +## GetServiceCorrelationIDs + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/GetServiceCorrelationIDs +``` + + + + +Retrieve service correlation IDs if exist. + + + + +If there's more than one correlation ID, they're separated by ";" in the string. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + +**Example**: + +- Templated SyncML Call: + + ```xml + + + + + + + ./Device/Vendor/MSFT/HealthAttestation/GetServiceCorrelationIDs + + + + + + + + ``` + +- Sample data: + + ```console + If success: GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM + If Trigger Attestation call failed and no previous data is present: The field remains empty. + Otherwise, the last service correlation id will be returned. + In a successful attestation there are two calls between client and MAA and for each call the GUID is separated by semicolon. + ``` + + + + + +## HASEndpoint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/HASEndpoint +``` + + + + +Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Default Value | has.spserv.microsoft.com. | + + + + + + + + + +## MaxSupportedProtocolVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/MaxSupportedProtocolVersion +``` + + + + +Returns the maximum protocol version that this client can support. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## Nonce + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/Nonce +``` + + + + +Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Default Value | \0 | + + + + + + + + + +## PreferredMaxProtocolVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/PreferredMaxProtocolVersion +``` + + + + +Provides the maximum preferred protocol version that the client is configured to communicate over. If this is higher than the protocol versions supported by the client it will use the highest protocol version available to it. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 3 | + + + + + + + + + +## Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/Status +``` + + + + +Provides the current status of the device health request. For the complete list of status values, see [HealthAttestation CSP status and error codes](#healthattestation-csp-status-and-error-codes). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## TpmReadyStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/TpmReadyStatus +``` + + + + +Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## TriggerAttestation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/TriggerAttestation +``` + + + + +Notifies the device to trigger an attestation session asynchronously. + + + + +If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + +**Example**: + +- Templated SyncML Call: + + ```xml + + + + VERIFYHEALTHV2 + + + + ./Vendor/MSFT/HealthAttestation/TriggerAttestation + + + + { + rpID : "rpID", serviceEndpoint : "MAA endpoint", + nonce : "nonce", aadToken : "aadToken", "cv" : "CorrelationVector" + } + + + + + + + ``` + +- Data fields: + + - rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller. + - serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. + - nonce: This field contains an arbitrary number that can be used only once in a cryptographic communication. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in replay attacks. + - aadToken: The Azure Active Directory token to be used for authentication against the Microsoft Azure Attestation service. + - cv: This field contains an identifier(Correlation Vector) that will be passed in to the service call, and that can be used for diagnostics purposes. 
+ +- Sample ``: + + ```json + { + "rpid" : "https://www.contoso.com/attestation", + "endpoint" : "https://contoso.eus.attest.azure.net/attest/tpm?api-version=2020-10-01", + "nonce" : "5468697320697320612054657374204e6f6e6365", + "aadToken" : "dummytokenstring", + "cv" : "testonboarded" + } + ``` + + + + + +## VerifyHealth + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/HealthAttestation/VerifyHealth +``` + + + + +Notifies the device to prepare a device health verification request. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + + ## Windows 11 Device health attestation Windows 11 introduces an update to the device health attestation feature. This update helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces more child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation. The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device. -### Terms +Terms used: - **TPM (Trusted Platform Module)**: TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing. - - **DHA (Device HealthAttestation) feature**: The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel. 
- - **MAA-Session (Microsoft Azure Attestation service based device HealthAttestation session)**: The Microsoft Azure Attestation service-based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session. - -- **MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)**: The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service. - - The following list of operations is performed by MAA-CSP: - +- **MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)**: The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service. The following list of operations is performed by MAA-CSP: - Receives attestation trigger requests from a HealthAttestation enabled MDM provider. - The device collects Attestation Evidence (device boot logs, TPM audit trails and the TPM certificate) from a managed device. - Forwards the Attestation Evidence to the Azure Attestation Service instance as configured by the MDM provider. - Receives a signed report from the Azure Attestation Service instance and stores it in a local cache on the device. - - **MAA endpoint**: Microsoft Azure attestation service is an Azure resource, and every instance of the service gets administrator configured URL. The URI generated is unique in nature and for the purposes of device health attestation is known as the MAA endpoint. - - **JWT (JSON Web Token)**: JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it's digitally signed. JWTs can be signed using a secret or a public/private key pair. ### Attestation Flow with Microsoft Azure Attestation Service 
@@ -72,197 +816,6 @@ Attestation flow can be broadly in three main steps: For more information, see [Attestation Protocol](/azure/attestation/virtualization-based-security-protocol). -### Configuration Service Provider Nodes - -Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestation service. - -```console -./Vendor/MSFT -HealthAttestation -----... -----TriggerAttestation | -----AttestStatus | Added in Windows 11 -----GetAttestReport | -----GetServiceCorrelationIDs | -----VerifyHealth -----Status -----ForceRetrieve -----Certificate -----Nonce -----CorrelationID -----HASEndpoint -----TpmReadyStatus -----CurrentProtocolVersion -----PreferredMaxProtocolVersion -----MaxSupportedProtocolVersion -``` - -**./Vendor/MSFT/HealthAttestation** - -The root node for the device HealthAttestation configuration service provider. - -**TriggerAttestation** (Required) - -Node type: EXECUTE - -This node will trigger attestation flow by launching an attestation process. If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned. - -Templated SyncML Call: - -```xml - - - - VERIFYHEALTHV2 - - - - ./Vendor/MSFT/HealthAttestation/TriggerAttestation - - - - { - rpID : "rpID", serviceEndpoint : "MAA endpoint", - nonce : "nonce", aadToken : "aadToken", "cv" : "CorrelationVector" - } - - - - - - -``` - -Data fields: - -- rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller. -- serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. -- nonce: This field contains an arbitrary number that can be used only once in a cryptographic communication. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in replay attacks. 
-- aadToken: The Azure Active Directory token to be used for authentication against the Microsoft Azure Attestation service. -- cv: This field contains an identifier(Correlation Vector) that will be passed in to the service call, and that can be used for diagnostics purposes. - -Sample Data: - -```json - -{ -"rpid" : "https://www.contoso.com/attestation", -"endpoint" : "https://contoso.eus.attest.azure.net/attest/tpm?api-version=2020-10-01", -"nonce" : "5468697320697320612054657374204e6f6e6365", -"aadToken" : "dummytokenstring", -"cv" : "testonboarded" -} - -``` - -**AttestStatus** - -Node type: GET - -This node will retrieve the status(HRESULT value) stored in registry updated by the attestation process triggered in the previous step. -The status is always cleared prior to making the attest service call. - -Templated SyncML Call: - -```xml - - - - - - - ./Device/Vendor/MSFT/HealthAttestation/AttestStatus - - - - - - - -``` - -Sample Data: - -```console -If Successful: 0 -If Failed: A corresponding HRESULT error code -Example: 0x80072efd, WININET_E_CANNOT_CONNECT -``` - -**GetAttestReport** - -Node type: GET - -This node will retrieve the attestation report per the call made by the TriggerAttestation, if there's any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. - -Templated SyncML Call: - -```xml - - - - - - - ./Device/Vendor/MSFT/HealthAttestation/GetAttestReport - - - - - - - -``` - -Sample data: - -```console -If Success: -JWT token: aaaaaaaaaaaaa.bbbbbbbbbbbbb.cccccccccc -If failed: -Previously cached report if available (the token may have already expired per the attestation policy). -OR Sync ML 404 error if not cached report available. -``` - -**GetServiceCorrelationIDs** - -Node type: GET - -This node will retrieve the service-generated correlation IDs for the given MDM provider. If there's more than one correlation ID, they're separated by “;” in the string. 
- -Templated SyncML Call: - -```xml - - - - - - - ./Device/Vendor/MSFT/HealthAttestation/GetServiceCorrelationIDs - - - - - - - -``` - -Sample data: - -```console -If success: -GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM -If Trigger Attestation call failed and no previous data is present. The field remains empty. -Otherwise, the last service correlation id will be returned. In a successful attestation there are two -calls between client and MAA and for each call the GUID is separated by semicolon. -``` - -> [!NOTE] -> MAA CSP nodes are available on arm64 but isn't currently supported. - - ### MAA CSP Integration Steps 1. Set up an MAA provider instance: MAA instance can be created following the steps at [Quickstart: Set up Azure Attestation by using the Azure portal](/azure/attestation/quickstart-portal). 
@@ -278,136 +831,136 @@ calls between client and MAA and for each call the GUID is separated by semicolo }; authorizationrules { - => permit(); + => permit(); }; - issuancerules{ + issuancerules { - // SecureBoot enabled - c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']")); - c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'"))); - ![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false); + // SecureBoot enabled + c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']")); + c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'"))); + ![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false); - // Retrieve bool properties - c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? 
EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY")); - c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY"))); - c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true)); - ![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false); + // Retrieve bool properties + c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY")); + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY"))); + c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true)); + ![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false); - // Bitlocker Boot Status, The first non zero measurement or zero. - c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); - c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? 
Value != `0`].Value | @[0]"))); - [type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true); - ![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false); + // Bitlocker Boot Status, The first non zero measurement or zero. + c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); + c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]"))); + [type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true); + ![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false); - // Elam Driver (windows defender) Loaded - c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`"))); - [type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true); - ![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false); + // Elam Driver (windows defender) Loaded + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? 
EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`"))); + [type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true); + ![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false); - // Boot debugging - c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING"))); - c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); - ![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false); + // Boot debugging + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING"))); + c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); + ![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false); - // Kernel Debugging - c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG"))); - c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); - ![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false); + // Kernel Debugging + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", 
value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG"))); + c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); + ![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false); - // DEP Policy - c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]"))); - ![type=="depPolicy"] => issue(type="depPolicy", value=0); + // DEP Policy + c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]"))); + ![type=="depPolicy"] => issue(type="depPolicy", value=0); - // Test Signing - c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING"))); - c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false)); - ![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false); + // Test Signing + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING"))); + c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false)); + ![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false); - // Flight Signing - c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING"))); - c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => 
issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false)); - ![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false); + // Flight Signing + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING"))); + c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false)); + ![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false); - // VSM enabled - c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); - c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED"))); - c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT"))); - c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true)); - ![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false); - c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value); + // VSM enabled + c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? 
EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); + c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED"))); + c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT"))); + c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true)); + ![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false); + c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value); - // HVCI - c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value"))); - c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1)); - ![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false); + // HVCI + c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value"))); + c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1)); + ![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false); - // IOMMU - c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED"))); - c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true)); - 
![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false); + // IOMMU + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED"))); + c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true)); + ![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false); - // Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements - // Find the first EV_SEPARATOR in PCR 12, 13, Or 14 - c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); - c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); - [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); + // Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements + // Find the first EV_SEPARATOR in PCR 12, 13, Or 14 + c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); + c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); + [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); - // Find the first EVENT_APPLICATION_SVN. 
- c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq")); - c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value)); - c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); + // Find the first EVENT_APPLICATION_SVN. + c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq")); + c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value)); + c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); - // The first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN - c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); + // The first EVENT_APPLICATION_SVN. 
That value is the Boot Manager SVN + c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); - // OS Rev List Info - c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]"))); + // OS Rev List Info + c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]"))); - // Safe mode - c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE"))); - c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false)); - ![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true); + // Safe mode + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE"))); + c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false)); + ![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true); - // Win PE - c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE"))); - c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false)); - ![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true); + // 
Win PE + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE"))); + c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false)); + ![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true); - // CI Policy - c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData"))); + // CI Policy + c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData"))); - // Secure Boot Custom Policy - c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]"))); + // Secure Boot Custom Policy + c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]"))); - // Find the first EV_SEPARATOR in PCR 12, 13, Or 14 - c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? 
EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); - c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); - [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it's not present + // Find the first EV_SEPARATOR in PCR 12, 13, Or 14 + c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); + c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); + [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? 
`true` "); // No restriction of EV_SEPARATOR in case it's not present - //Finding the Boot App SVN - // Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR - c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`")); - c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq")); - c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value)); + //Finding the Boot App SVN + // Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR + c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`")); + c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq")); + c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, 
c1.value)); - // Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control. - c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); - c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]")); - c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value)); + // Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control. + c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); + c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]")); + c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value)); - // Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12. 
- c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); - c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); - c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); + // Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12. + c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); + c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); + c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); - // Finding the Boot Rev List Info - c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? 
EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]"))); + // Finding the Boot Rev List Info + c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]"))); }; ``` -3. Call TriggerAttestation with your rpid, Azure Active Directory token and the attestURI: Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. For more information about the api version, see [Attestation - Attest Tpm - REST API](/rest/api/attestation/attestation/attest-tpm). +3. Call TriggerAttestation with your `rpid`, `Azure Active Directory token` and the `attestURI`: Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. For more information about the api version, see [Attestation - Attest Tpm - REST API](/rest/api/attestation/attestation/attest-tpm). 4. Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties: GetAttestReport return the signed attestation token as a JWT. The JWT can be decoded to parse the information per the attestation policy. 
@@ -468,74 +1021,46 @@ calls between client and MAA and for each call the GUID is separated by semicolo More information about TPM attestation can be found here: [Microsoft Azure Attestation](/azure/attestation/). - ## Windows 10 Device HealthAttestation -### Terms +Terms used: - **TPM (Trusted Platform Module)**: TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing. - - **DHA (Device HealthAttestation) feature**: The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel. - - **DHA-Enabled device (Device HealthAttestation enabled device)**: A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0. +- **DHA-Session (Device HealthAttestation session)**: The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session. The following list of transactions is performed in one DHA-Session: -- **DHA-Session (Device HealthAttestation session)**: The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session. 
- - The following list of transactions is performed in one DHA-Session: + ![DHA session healthattestation session diagram](./images/HealthAttestation_1.png) - DHA-CSP and DHA-Service communication: - DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service - DHA-Service replies with an encrypted data blob (DHA-EncBlob) - - DHA-CSP and MDM-Server communication: - MDM-Server sends a device health verification request to DHA-CSP - DHA-CSP replies with a payload called DHA-Data that includes an encrypted (DHA-EncBlob) and a signed (DHA-SignedBlob) data blob - - MDM-Server and DHA-Service communication: - MDM-Server posts data it receives from devices to DHA-Service - DHA-Service reviews the data it receives, and replies with a device health report (DHA-Report) - - ![DHA session healthattestation session diagram](./images/HealthAttestation_1.png) - - **DHA session data (Device HealthAttestation session data)**: The following list of data is produced or consumed in one DHA-Transaction: - - DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health. - DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices. - - DHA-SignedBlob: it's a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time. + - DHA-SignedBlob: it's a signed snapshot of the current state of a device's runtime that is captured by DHA-CSP at device health attestation time. - DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. 
DHA-Data has two parts: - - DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service - DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP - - DHA-Report: the report that is issued by DHA-Service to MDM-Server - Nonce: a crypto protected number that is generated by MDM-Server, which protects the DHA-Session from man-in-the-middle type attacks - -- **DHA-Enabled MDM (Device HealthAttestation enabled device management solution)**: Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature. - - DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system. - - The following list of operations is performed by DHA-Enabled-MDM - +- **DHA-Enabled MDM (Device HealthAttestation enabled device management solution)**: Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature. DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system. 
The following list of operations is performed by DHA-Enabled-MDM: - Enables the DHA feature on a DHA-Enabled device - Issues device health attestation requests to enrolled/managed devices - Collects device health attestation data (DHA-Data), and sends it to Device Health Attestation Service (DHA-Service) for verification - Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action - -- **DHA-CSP (Device HealthAttestation Configuration Service Provider)**: The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties can't be spoofed. - - The following list of operations is performed by DHA-CSP: - +- **DHA-CSP (Device HealthAttestation Configuration Service Provider)**: The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device's TPM and firmware to measure critical security properties of the device's BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties can't be spoofed. The following list of operations is performed by DHA-CSP: - Collects device boot data (DHA-BootData) from a managed device - Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device - Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) - -- **DHA-Service (Device HealthAttestation Service)**: Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel. 
- - DHA-Service is available in two flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports various implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios. - - The following list of operations is performed by DHA-Service: - +- **DHA-Service (Device HealthAttestation Service)**: Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel. DHA-Service is available in two flavors: "DHA-Cloud" and "DHA-Server2016". DHA-Service supports various implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios. The following list of operations is performed by DHA-Service: - Receives device boot data (DHA-BootData) from a DHA-Enabled device - Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device @@ -545,91 +1070,10 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes |DHA-Service type|Description|Operation cost| |--- |--- |--- | -|Device Health Attestation – Cloud (DHA-Cloud)|DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
  • Available in Windows for free
  • Running on a high-availability and geo-balanced cloud infrastructure
  • Supported by most DHA-Enabled device management solutions as the default device attestation service provider
  • Accessible to all enterprise-managed devices via following:
  • | -|Device Health Attestation – On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises:
  • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
  • Hosted on an enterprise owned and managed server device/hardware
  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
  • Accessible to all enterprise-managed devices via following settings:
  • | +|Device Health Attestation - Cloud (DHA-Cloud)|DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
  • Available in Windows for free
  • Running on a high-availability and geo-balanced cloud infrastructure
  • Supported by most DHA-Enabled device management solutions as the default device attestation service provider
  • Accessible to all enterprise-managed devices via following:
  • | +|Device Health Attestation - On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises:
  • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
  • Hosted on an enterprise owned and managed server device/hardware
  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
  • Accessible to all enterprise-managed devices via following settings:
  • | |Device Health Attestation - Enterprise-Managed Cloud(DHA-EMC)|DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
  • Offered to Windows Server 2016 customers with no extra licensing cost (no added licensing cost for enabling/running DHA-Service)
  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
  • Accessible to all enterprise-managed devices via following settings:
  • | -### CSP diagram and node descriptions - -The following shows the Device HealthAttestation configuration service provider in tree format. - -```console -./Vendor/MSFT -HealthAttestation -----VerifyHealth -----Status -----ForceRetrieve -----Certificate -----Nonce -----CorrelationID -----HASEndpoint -----TpmReadyStatus -----CurrentProtocolVersion -----PreferredMaxProtocolVersion -----MaxSupportedProtocolVersion -``` - -**./Vendor/MSFT/HealthAttestation** - -The root node for the device HealthAttestation configuration service provider. - -**VerifyHealth** (Required) - -Notifies the device to prepare a device health verification request. - -The supported operation is Execute. - -**Status** (Required) - -Provides the current status of the device health request. - -The supported operation is Get. - -The following list shows some examples of supported values. For the complete list of status, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). - -- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service -- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device -- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob couldn't be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes -- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup - -**ForceRetrieve** (Optional) - -Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service. - -Boolean value. The supported operation is Replace. 
- -**Certificate** (Required) - -Instructs the DHA-CSP to forward DHA-Data to the MDM server. - -Value type is b64. The supported operation is Get. - -**Nonce** (Required) - -Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. - -The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes. - -The supported operations are Get and Replace. - -**CorrelationId** (Required) - -Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting. - -Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get. - -**HASEndpoint** (Optional) - -Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN isn't assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. - -Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com. - -**TpmReadyStatus** (Required) - -Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state. - -Value type is integer. The supported operation is Get. - ### DHA-CSP integration steps The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM): 
@@ -645,7 +1089,7 @@ The following list of validation and development tasks are required for integrat
 Each step is described in detail in the following sections of this topic.
-### Step 1: Verify HTTPS access
+### Step 1: Verify HTTPS access
 Validate that both the MDM server and the device (MDM client) can access has.spserv.microsoft.com using the TCP protocol over port 443 (HTTPS).
@@ -696,12 +1140,12 @@ SSL-Session:
 Verify return code: 20 (unable to get local issuer certificate)
 ```
-### Step 2: Assign an enterprise trusted DHA-Service
+### Step 2: Assign an enterprise trusted DHA-Service
 There are three types of DHA-Service:
-- Device Health Attestation – Cloud (owned and operated by Microsoft)
-- Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises)
+- Device Health Attestation - Cloud (owned and operated by Microsoft)
+- Device Health Attestation - On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises)
 - Device Health Attestation - Enterprise-Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise-managed cloud)
 DHA-Cloud is the default setting. No further action is required if an enterprise is planning to use Microsoft DHA-Cloud as the trusted DHA-Service provider.
@@ -722,7 +1166,7 @@ The following example shows a sample call that instructs a managed device to com
 ```
-### Step 3: Instruct client to prepare health data for verification
+### Step 3: Instruct client to prepare health data for verification
 Send a SyncML call to start collection of the DHA-Data.
@@ -748,7 +1192,7 @@ The following example shows a sample call that triggers collection and verificat
 ```
-### Step 4: Take action based on the client's response
+### Step 4: Take action based on the client's response
 After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take.
@@ -774,9 +1218,9 @@ Here's a sample alert that is issued by DHA_CSP:
 ```
-- If the response to the status node isn't 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).
+- If the response to the status node isn't 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [HealthAttestation CSP status and error codes](#healthattestation-csp-status-and-error-codes).
-### Step 5: Instruct the client to forward health attestation data for verification
+### Step 5: Instruct the client to forward health attestation data for verification
 Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device.
@@ -812,9 +1256,9 @@ Here's an example:
 ```
-### Step 6: Forward device health attestation data to DHA-service
+### Step 6: Forward device health attestation data to DHA-service
-In response to the request that was sent in the previous step, the MDM client forwards an XML formatted blob (response from ./Vendor/MSFT/HealthAttestation/Certificate node) and a call identifier called CorrelationId (response to ./Vendor/MSFT/HealthAttestation/CorrelationId node).
+In response to the request that was sent in the previous step, the MDM client forwards an XML formatted blob (response from ./Vendor/MSFT/HealthAttestation/Certificate node) and a call identifier called CorrelationId (response to ./Vendor/MSFT/HealthAttestation/CorrelationId node).
 When the MDM-Server receives the above data, it must:
@@ -836,7 +1280,8 @@ When the MDM-Server receives the above data, it must:
 - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: `https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3`
 - DHA-OnPrem or DHA-EMC: `https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3`
-### Step 7: Receive response from the DHA-service
+
+### Step 7: Receive response from the DHA-service
 When the Microsoft Device Health Attestation Service receives a request for verification, it performs the following steps:
@@ -844,7 +1289,7 @@ When the Microsoft Device Health Attestation Service receives a request for veri
 - Validates the data it has received.
 - Creates a report, and shares the evaluation results to the MDM server via SSL in XML format.
-### Step 8: Take appropriate policy action based on evaluation results
+### Step 8: Take appropriate policy action based on evaluation results
 After the MDM server receives the verified data, the information can be used to make policy decisions by evaluating the data. Some possible actions would be:
@@ -852,506 +1297,6 @@ After the MDM server receives the verified data, the information can be used to - Allow the device to access the resources, but flag the device for further investigation. - Prevent a device from accessing resources. -The following list of data points is verified by the DHA-Service in DHA-Report version 3: - -- [Issued](#issued ) -- [AIKPresent](#aikpresent) -- [ResetCount](#resetcount) * -- [RestartCount](#restartcount) * -- [DEPPolicy](#deppolicy) -- [BitlockerStatus](#bitlockerstatus) ** -- [BootManagerRevListVersion](#bootmanagerrevlistversion) -- [CodeIntegrityRevListVersion](#codeintegrityrevlistversion) -- [SecureBootEnabled](#securebootenabled) -- [BootDebuggingEnabled](#bootdebuggingenabled) -- [OSKernelDebuggingEnabled](#oskerneldebuggingenabled) -- [CodeIntegrityEnabled](#codeintegrityenabled) -- [TestSigningEnabled](#testsigningenabled) -- [SafeMode](#safemode) -- [WinPE](#winpe) -- [ELAMDriverLoaded](#elamdriverloaded) *** -- [VSMEnabled](#vsmenabled) -- [PCRHashAlgorithmID](#pcrhashalgorithmid) -- [BootAppSVN](#bootappsvn) -- [BootManagerSVN](#bootmanagersvn) -- [TpmVersion](#tpmversion) -- [PCR0](#pcr0) -- [SBCPHash](#sbcphash) -- [CIPolicy](#cipolicy) -- [BootRevListInfo](#bootrevlistinfo) -- [OSRevListInfo](#osrevlistinfo) -- [HealthStatusMismatchFlags](#healthstatusmismatchflags) - -\* TPM 2.0 only -\*\* Reports if BitLocker was enabled during initial boot. -\*\*\* The "Hybrid Resume" must be disabled on the device. Reports first-party ELAM "Defender" was loaded during boot. - -Each of these data points is described in further detail in the following sections, along with the recommended actions to take. - -**Issued** - -The date and time DHA-report was evaluated or issued to MDM. - -**AIKPresent** - -When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate. 
- -If AIKPresent = True (1), then allow access. - -If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Disallow access to HBI assets. -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. -- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. - -**ResetCount** (Reported only for devices that support TPM 2.0) - -This attribute reports the number of times a PC device has hibernated or resumed. - -**RestartCount** (Reported only for devices that support TPM 2.0) - -This attribute reports the number of times a PC device has rebooted. - -**DEPPolicy** - -A device can be trusted more if the DEP Policy is enabled on the device. - -Data Execution Prevention (DEP) Policy defines a set of hardware and software technologies that perform extra checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on. - -DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script: - -- To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff** -- To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn** - -If DEPPolicy = 1 (On), then allow access. - -If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Disallow access to HBI assets. -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. 
-- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. - -DEP policy evaluation is a non binary status when queried. It is then mapped to an On/Off state. - -|DEP policy level |Description | Attestation reported level | Property value | -|--------------|-----------|------------|-------------| -|OptIn (default configuration) |Only Windows system components and services have DEP applied. | 0 | 2 | -|OptOut |DEP is enabled for all processes. Administrators can manually create a list of specific applications that do not have DEP applied. | 1 | 3 | -|AlwaysOn |DEP is enabled for all processess. | 3 | 1 | -|AlwaysOff |DEP is not enabled for any process. | 2 | 0 | - - -**BitLockerStatus** (at boot time) - -When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation. - -Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer isn't tampered with, even if it's left unattended, lost, or stolen. - -If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys can't be accessed until the TPM has verified the state of the computer. - -If BitLockerStatus = 1 (On), then allow access. - -If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Disallow access to HBI assets. -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. 
-- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. - -**BootManagerRevListVersion** - -This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment. - -If BootManagerRevListVersion = [CurrentVersion], then allow access. - -If `BootManagerRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Disallow access to HBI and MBI assets. -- Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. - -**CodeIntegrityRevListVersion** - -This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it's exposed to security risks (revoked), and enforce an appropriate policy action. - -If CodeIntegrityRevListVersion = [CurrentVersion], then allow access. - -If `CodeIntegrityRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Disallow access to HBI and MBI assets. -- Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. - -**SecureBootEnabled** - -When Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this requirement before it lets the machine start. 
If any files have been tampered with, breaking their signature, the system won't boot. - -If SecureBootEnabled = 1 (True), then allow access. - -If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Disallow access to HBI assets. -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. -- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. - -**BootDebuggingEnabled** - -Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development. - -Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script: - -- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off**. -- To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on**. - -If BootdebuggingEnabled = 0 (False), then allow access. - -If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Disallow access to HBI assets. -- Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. - -**OSKernelDebuggingEnabled** - -OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development. 
- -If OSKernelDebuggingEnabled = 0 (False), then allow access. - -If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Disallow access to HBI assets. -- Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. - -**CodeIntegrityEnabled** - -When code integrity is enabled, code execution is restricted to integrity verified code. - -Code integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges. - -On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. - -If CodeIntegrityEnabled = 1 (True), then allow access. - -If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Disallow access to HBI assets. -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. -- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. - -**TestSigningEnabled** - -When test signing is enabled, the device doesn't enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot. 
- -Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script: - -- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**. -- To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**. - -If TestSigningEnabled = 0 (False), then allow access. - -If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Disallow access to HBI and MBI assets. -- Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. - -**SafeMode** - -Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started. - -If SafeMode = 0 (False), then allow access. - -If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Disallow access to HBI assets. -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. - -**WinPE** - -Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup. - -If WinPE = 0 (False), then allow access. - -If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation. - -**ELAMDriverLoaded** (Windows Defender) - -To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize. 
- -In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot. - -If a device is expected to use a third-party antivirus program, ignore the reported state. - -If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access. - -If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Disallow access to HBI assets. -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. - -**Bcdedit.exe /set {current} vsmlaunchtype auto** - -If ELAMDriverLoaded = 1 (True), then allow access. - -If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Disallow access to HBI assets. -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. - -**VSMEnabled** - -Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering. - -VSM can be enabled by using the following command in WMI or a PowerShell script: - -`bcdedit.exe /set {current} vsmlaunchtype auto` - -If VSMEnabled = 1 (True), then allow access. -If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Disallow access to HBI assets. -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue - -**PCRHashAlgorithmID** - -This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required. 
- -**BootAppSVN** - -This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device - -If reported BootAppSVN equals an accepted value, then allow access. - -If reported BootAppSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Direct the device to an enterprise honeypot, to further monitor the device's activities. - -**BootManagerSVN** - -This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device. - -If reported BootManagerSVN equals an accepted value, then allow access. - -If reported BootManagerSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Direct the device to an enterprise honeypot, to further monitor the device's activities. - -**TPMVersion** - -This attribute identifies the version of the TPM that is running on the attested device. TPMVersion node provides to replies "1" and "2": - -- 1 means TPM specification version 1.2 -- 2 means TPM specification version 2.0 - -Based on the reply you receive from TPMVersion node: - -- If reported TPMVersion equals an accepted value, then allow access. -- If reported TPMVersion doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: - - Disallow all access - - Direct the device to an enterprise honeypot, to further monitor the device's activities. - -**PCR0** - -The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer. 
- -Enterprise managers can create an allowlist of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allowlist, and then make a trust decision based on the result of the comparison. - -If your enterprise doesn't have an allowlist of accepted PCR[0] values, then take no action. -If PCR[0] equals an accepted allowlist value, then allow access. - -If PCR[0] doesn't equal any accepted listed value, then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Direct the device to an enterprise honeypot, to further monitor the device's activities. - -**SBCPHash** - -SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs. - -If SBCPHash isn't present, or is an accepted allow-listed value, then allow access. - -If SBCPHash is present in DHA-Report, and isn't an allowlisted value, then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Place the device in a watch list to monitor the device more closely for potential risks. - -**CIPolicy** - -This attribute indicates the Code Integrity policy that is controlling the security of the boot environment. - -If CIPolicy isn't present, or is an accepted allow-listed value, then allow access. - -If CIPolicy is present and isn't an allow-listed value, then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Place the device in a watch list to monitor the device more closely for potential risks. - -**BootRevListInfo** - -This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device. - -If reported BootRevListInfo version equals an accepted value, then allow access. 
- -If reported BootRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Direct the device to an enterprise honeypot, to further monitor the device's activities. - -**OSRevListInfo** - -This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device. - -If reported OSRevListInfo version equals an accepted value, then allow access. - -If reported OSRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: - -- Disallow all access. -- Direct the device to an enterprise honeypot, to further monitor the device's activities. - -**HealthStatusMismatchFlags** - -HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation. - -If an issue is detected, a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute. - -### Device HealthAttestation CSP status and error codes - -Error code: 0 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED -Error description: This state is the initial state for devices that have never participated in a DHA-Session. - -Error code: 1 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED -Error description: This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server. - -Error code: 2 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED -Error description: This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server. - -Error code: 3 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE -Error description: This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server. 
- -Error code: 4 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL -Error description: Deprecated in Windows 10, version 1607. - -Error code: 5 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL -Error description: DHA-CSP failed to get a claim quote. - -Error code: 6 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY -Error description: DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider. - -Error code: 7 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL -Error description: DHA-CSP failed in retrieving Windows AIK - -Error code: 8 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL -Error description: Deprecated in Windows 10, version 1607. - -Error code: 9 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION -Error description: Invalid TPM version (TPM version isn't 1.2 or 2.0) - -Error code: 10 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL -Error description: Nonce wasn't found in the registry. - -Error code: 11 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL -Error description: Correlation ID wasn't found in the registry. - -Error code: 12 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL -Error description: Deprecated in Windows 10, version 1607. - -Error code: 13 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL -Error description: Deprecated in Windows 10, version 1607. - -Error code: 14 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL -Error description: Failure in Encoding functions. (Extremely unlikely scenario) - -Error code: 15 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL -Error description: Deprecated in Windows 10, version 1607. 
- -Error code: 16 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML -Error description: DHA-CSP failed to load the payload it received from DHA-Service - -Error code: 17 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML -Error description: DHA-CSP received a corrupted response from DHA-Service. - -Error code: 18 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML -Error description: DHA-CSP received an empty response from DHA-Service. - -Error code: 19 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK -Error description: DHA-CSP failed in decrypting the AES key from the EK challenge. - -Error code: 20 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK -Error description: DHA-CSP failed in decrypting the health cert with the AES key. - -Error code: 21 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB -Error description: DHA-CSP failed in exporting the AIK Public Key. - -Error code: 22 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY -Error description: DHA-CSP failed in trying to create a claim with AIK attestation data. - -Error code: 23 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB -Error description: DHA-CSP failed in appending the AIK Pub to the request blob. - -Error code: 24 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT -Error description: DHA-CSP failed in appending the AIK Cert to the request blob. - -Error code: 25 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE -Error description: DHA-CSP failed to obtain a Session handle. - -Error code: 26 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE -Error description: DHA-CSP failed to connect to the DHA-Service. - -Error code: 27 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHAND -Error description: DHA-CSP failed to create an HTTP request handle. 
- -Error code: 28 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION -Error description: DHA-CSP failed to set options. - -Error code: 29 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS -Error description: DHA-CSP failed to add request headers. - -Error code: 30 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST -Error description: DHA-CSP failed to send the HTTP request. - -Error code: 31 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE -Error description: DHA-CSP failed to receive a response from the DHA-Service. - -Error code: 32 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS -Error description: DHA-CSP failed to query headers when trying to get HTTP status code. - -Error code: 33 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE -Error description: DHA-CSP received an empty response from DHA-Service even though HTTP status was OK. - -Error code: 34 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE -Error description: DHA-CSP received an empty response along with an HTTP error code from DHA-Service. - -Error code: 35 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER -Error description: DHA-CSP failed to impersonate user. - -Error code: 36 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR -Error description: DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode. - -Error code: 0xFFFF | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN -Error description: DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur. - -Error code: 400 | Error name: Bad_Request_From_Client -Error description: DHA-CSP has received a bad (malformed) attestation request. 
-
-Error code: 404 | Error name: Endpoint_Not_Reachable
-Error description: DHA-Service isn't reachable by DHA-CSP
-
 ### DHA-Report V3 schema
 
 ```xml
@@ -1455,6 +1400,287 @@ Error description: DHA-Service isn't reachable by DHA-CSP ``` +The following list of data points is verified by the DHA-Service in DHA-Report version 3. + +- **Issued**: The date and time DHA-report was evaluated or issued to MDM. + +- **AIKPresent**: When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn't have an EK certificate. + + If AIKPresent = True (1), then allow access. + + If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. + - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. + +- **ResetCount** (Reported only for devices that support TPM 2.0): This attribute reports the number of times a PC device has hibernated or resumed. + +- **RestartCount** (Reported only for devices that support TPM 2.0): This attribute reports the number of times a PC device has rebooted. + +- **DEPPolicy**: A device can be trusted more if the DEP Policy is enabled on the device. + + Data Execution Prevention (DEP) Policy defines a set of hardware and software technologies that perform extra checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on. + + DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script: + + - To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff** + - To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn** + + If DEPPolicy = 1 (On), then allow access. 
+ + If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. + - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. + + DEP policy evaluation is a non binary status when queried. It is then mapped to an On/Off state. + + |DEP policy level |Description | Attestation reported level | Property value | + |--------------|-----------|------------|-------------| + |OptIn (default configuration) |Only Windows system components and services have DEP applied. | 0 | 2 | + |OptOut |DEP is enabled for all processes. Administrators can manually create a list of specific applications that do not have DEP applied. | 1 | 3 | + |AlwaysOn |DEP is enabled for all processess. | 3 | 1 | + |AlwaysOff |DEP is not enabled for any process. | 2 | 0 | + +- **BitLockerStatus** (Reports if BitLocker was enabled during initial boot.): + + When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation. + + Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer isn't tampered with, even if it's left unattended, lost, or stolen. + + If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys can't be accessed until the TPM has verified the state of the computer. + + If BitLockerStatus = 1 (On), then allow access. 
+ + If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. + - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. + +- **BootManagerRevListVersion**: This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment. + + If BootManagerRevListVersion = [CurrentVersion], then allow access. + + If `BootManagerRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI and MBI assets. + - Place the device in a watch list to monitor the device more closely for potential risks. + - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. + +- **CodeIntegrityRevListVersion**: This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it's exposed to security risks (revoked), and enforce an appropriate policy action. + + If CodeIntegrityRevListVersion = [CurrentVersion], then allow access. + + If `CodeIntegrityRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI and MBI assets. + - Place the device in a watch list to monitor the device more closely for potential risks. 
+ - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. + +- **SecureBootEnabled**: When Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this requirement before it lets the machine start. If any files have been tampered with, breaking their signature, the system won't boot. + + If SecureBootEnabled = 1 (True), then allow access. + + If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. + - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. + +- **BootDebuggingEnabled**: Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development. + + Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script: + + - To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off**. + - To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on**. + + If BootdebuggingEnabled = 0 (False), then allow access. + + If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. 
+ - Place the device in a watch list to monitor the device more closely for potential risks. + - Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. + +- **OSKernelDebuggingEnabled**: OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development. + + If OSKernelDebuggingEnabled = 0 (False), then allow access. + + If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Place the device in a watch list to monitor the device more closely for potential risks. + - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. + +- **CodeIntegrityEnabled**: When code integrity is enabled, code execution is restricted to integrity verified code. + + Code integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges. + + On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. + + If CodeIntegrityEnabled = 1 (True), then allow access. + + If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. 
+ - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. + +- **TestSigningEnabled**: When test signing is enabled, the device doesn't enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot. + + Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script: + + - To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**. + - To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**. + + If TestSigningEnabled = 0 (False), then allow access. + + If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI and MBI assets. + - Place the device in a watch list to monitor the device more closely for potential risks. + - Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. + +- **SafeMode**: Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started. + + If SafeMode = 0 (False), then allow access. + + If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. + +- **WinPE**: Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup. + + If WinPE = 0 (False), then allow access. + + If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation. 
+ +- **ELAMDriverLoaded** (Windows Defender): To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize. + + In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot. + + If a device is expected to use a third-party antivirus program, ignore the reported state. + + If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access. + + If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. + +- **VSMEnabled**: Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering. + + VSM can be enabled by using the following command in WMI or a PowerShell script: + + `bcdedit.exe /set {current} vsmlaunchtype auto` + + If VSMEnabled = 1 (True), then allow access. + If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Disallow access to HBI assets. + - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue + +- **PCRHashAlgorithmID**: This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required. 
+ +- **BootAppSVN**: This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device + + If reported BootAppSVN equals an accepted value, then allow access. + + If reported BootAppSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Direct the device to an enterprise honeypot, to further monitor the device's activities. + +- **BootManagerSVN**: This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device. + + If reported BootManagerSVN equals an accepted value, then allow access. + + If reported BootManagerSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Direct the device to an enterprise honeypot, to further monitor the device's activities. + +- **TPMVersion**: This attribute identifies the version of the TPM that is running on the attested device. TPMVersion node provides to replies "1" and "2": + + - 1 means TPM specification version 1.2 + - 2 means TPM specification version 2.0 + + Based on the reply you receive from TPMVersion node: + + - If reported TPMVersion equals an accepted value, then allow access. + - If reported TPMVersion doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: + - Disallow all access + - Direct the device to an enterprise honeypot, to further monitor the device's activities. + +- **PCR0**: The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer. 
+ + Enterprise managers can create an allowlist of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allowlist, and then make a trust decision based on the result of the comparison. + + If your enterprise doesn't have an allowlist of accepted PCR[0] values, then take no action. + If PCR[0] equals an accepted allowlist value, then allow access. + + If PCR[0] doesn't equal any accepted listed value, then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Direct the device to an enterprise honeypot, to further monitor the device's activities. + +- **SBCPHash**: SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs. + + If SBCPHash isn't present, or is an accepted allow-listed value, then allow access. + + If SBCPHash is present in DHA-Report, and isn't an allowlisted value, then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Place the device in a watch list to monitor the device more closely for potential risks. + +- **CIPolicy**: This attribute indicates the Code Integrity policy that is controlling the security of the boot environment. + + If CIPolicy isn't present, or is an accepted allow-listed value, then allow access. + + If CIPolicy is present and isn't an allow-listed value, then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Place the device in a watch list to monitor the device more closely for potential risks. + +- **BootRevListInfo**: This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device. + + If reported BootRevListInfo version equals an accepted value, then allow access. 
+ + If reported BootRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Direct the device to an enterprise honeypot, to further monitor the device's activities. + +- **OSRevListInfo**: This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device. + + If reported OSRevListInfo version equals an accepted value, then allow access. + + If reported OSRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: + + - Disallow all access. + - Direct the device to an enterprise honeypot, to further monitor the device's activities. + +- **HealthStatusMismatchFlags**: HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation. + + If an issue is detected, a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute. + ### DHA-Report example ```xml 
@@ -1492,10 +1718,60 @@ xmlns="http://schemas.microsoft.com/windows/security/healthcertificate/validatio ``` +### HealthAttestation CSP status and error codes + +| Error Code | Error Name | Error Description | +|---|---|---| +| 0 | HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED | This state is the initial state for devices that have never participated in a DHA-Session. | +| 1 | HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED | This state signifies that MDM client's Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server. | +| 2 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED | This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server. | +| 3 | HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE | This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server. | +| 4 | HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL | Deprecated in Windows 10, version 1607. | +| 5 | HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL | DHA-CSP failed to get a claim quote. | +| 6 | HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY | DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider. | +| 7 | HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL | DHA-CSP failed in retrieving Windows AIK | +| 8 | HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL | Deprecated in Windows 10, version 1607. | +| 9 | HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION | Invalid TPM version (TPM version isn't 1.2 or 2.0) | +| 10 | HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL | Nonce wasn't found in the registry. | +| 11 | HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL | Correlation ID wasn't found in the registry. | +| 12 | HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL | Deprecated in Windows 10, version 1607. | +| 13 | HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL | Deprecated in Windows 10, version 1607. 
| +| 14 | HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL | Failure in Encoding functions. (Extremely unlikely scenario) | +| 15 | HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL | Deprecated in Windows 10, version 1607. | +| 16 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML | DHA-CSP failed to load the payload it received from DHA-Service. | +| 17 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML | DHA-CSP received a corrupted response from DHA-Service. | +| 18 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY | DHA-CSP received an empty response from DHA-Service. | +| 19 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK | DHA-CSP failed in decrypting the AES key from the EK challenge. | +| 20 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK | DHA-CSP failed in decrypting the health cert with the AES key. | +| 21 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB | DHA-CSP failed in exporting the AIK Public Key. | +| 22 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY | DHA-CSP failed in trying to create a claim with AIK attestation data. | +| 23 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB | DHA-CSP failed in appending the AIK Pub to the request blob. | +| 24 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT | DHA-CSP failed in appending the AIK Cert to the request blob. | +| 25 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE | DHA-CSP failed to obtain a Session handle. | +| 26 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE | DHA-CSP failed to connect to the DHA-Service. | +| 27 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHAND | DHA-CSP failed to create an HTTP request handle. | +| 28 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION | DHA-CSP failed to set options. | +| 29 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS | DHA-CSP failed to add request headers. 
| +| 30 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST | DHA-CSP failed to send the HTTP request. | +| 31 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE | DHA-CSP failed to receive a response from the DHA-Service. | +| 32 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS | DHA-CSP failed to query headers when trying to get HTTP status code. | +| 33 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE | DHA-CSP received an empty response from DHA-Service even though HTTP status was OK. | +| 34 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE | DHA-CSP received an empty response along with an HTTP error code from DHA-Service. | +| 35 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER | DHA-CSP failed to impersonate user. | +| 36 | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR | DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode. | +| 0xFFFF | HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN | DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur. | +| 400 | Bad_Request_From_Client | DHA-CSP has received a bad (malformed) attestation request. | +| 404 | Endpoint_Not_Reachable | DHA-Service isn't reachable by DHA-CSP | + ## Security Considerations + DHA anchors its trust in the TPM and its measurements. If TPM measurements can be spoofed or tampered, DHA can't provide any guarantee of device health for that device. + For more information, see [PC Client TPM Certification](https://trustedcomputinggroup.org/resource/pc-client-tpm-certification/). + -## Related topics + -[Configuration service provider reference](index.yml) +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index 74a707236c..3870db4bb5 100644 
--- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md 
@@ -1,458 +1,432 @@ --- -title: HealthAttestation DDF -description: Learn about the OMA DM device description framework (DDF) for the HealthAttestation configuration service provider. -ms.reviewer: +title: HealthAttestation DDF file +description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/27/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- -# HealthAttestation DDF + +# HealthAttestation DDF file -This topic shows the OMA DM device description framework (DDF) for the **HealthAttestation** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the HealthAttestation configuration service provider. ```xml - - - - - 1.2 - $(runtime.windows)\system32\hascsp.dll - - {9DCCCE22-C057-424E-B8D1-67935988B174} - - HealthAttestation - ./Vendor/MSFT - - - - - The root node for the device HealthAttestation configuration service provider. - - - - - - - - - - - com.microsoft/1.4/MDM/HealthAttestation - - - 10.0.10586 - 1.0 - - - - - - - - VerifyHealth - - - - - Notifies the device to prepare a device health verification request. - - - - - - - - - - - text/plain - - - - - - Status - - - - - Provides the current status of the device health request. 
For the complete list of status see https://learn.microsoft.com/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes - - - - - - - - - - - text/plain - - - - - ForceRetrieve - - - - - - False - Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service. - - - - - - - - - - - text/plain - - - - false - False - - - true - True - - - - - - Certificate - - - - - Instructs the DHA-CSP to forward DHA-Data to the MDM server. - - - - - - - - - - - text/plain - - - - - Nonce - - - - - - \0 - Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes. - - - - - - - - - - - text/plain - - - - - - - CorrelationID - - - - - Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting. - - - - - - - - - - - text/plain - - - - - - - HASEndpoint - - - - - - has.spserv.microsoft.com. - Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. - - - - - - - - - - - text/plain - - - - - - - TpmReadyStatus - - - - - Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state. 
- - - - - - - - - - - text/plain - - - 10.0.14393 - 1.1 - - - - - CurrentProtocolVersion - - - - - Provides the current protocol version that the client is using to communicate with the Health Attestation Service. - - - - - - - - - - - text/plain - - - 10.0.16299 - 1.3 - - - - - PreferredMaxProtocolVersion - - - - - - 3 - Provides the maximum preferred protocol version that the client is configured to communicate over. If this is higher than the protocol versions supported by the client it will use the highest protocol version available to it. - - - - - - - - - - - text/plain - - - 10.0.16299 - 1.3 - - - - - - - MaxSupportedProtocolVersion - - - - - Returns the maximum protocol version that this client can support. - - - - - - - - - - - text/plain - - - 10.0.16299 - 1.3 - - - - - TriggerAttestation - - - - - Notifies the device to trigger an attestation session asynchronously. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.4 - - - - - - - GetAttestReport - - - - - Retrieve attestation session report if exists. - - - - - - - - - - - - - - 99.9.99999 - 1.4 - - - - - AttestStatus - - - - - AttestStatus maintains the success or failure status code for the last attestation session. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.4 - - - - - GetServiceCorrelationIDs - - - - - Retrieve service correlation IDs if exist. - - - - - - - - - - - - - - 99.9.99999 - 1.4 - - - - - - - - - + +]> + + 1.2 + + + + HealthAttestation + ./Vendor/MSFT + + + + + The root node for the device HealthAttestation configuration service provider. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + VerifyHealth + + + + + Notifies the device to prepare a device health verification request. + + + + + + + + + + + + + + + + Status + + + + + Provides the current status of the device health request. 
For the complete list of status see https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes + + + + + + + + + + + + + + + + ForceRetrieve + + + + + + False + Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service. + + + + + + + + + + + + + + + false + False + + + true + True + + + + + + Certificate + + + + + Instructs the DHA-CSP to forward DHA-Data to the MDM server. + + + + + + + + + + + + + + + + Nonce + + + + + + \0 + Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes. + + + + + + + + + + + + + + + + + + CorrelationID + + + + + Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting. + + + + + + + + + + + + + + + + + + HASEndpoint + + + + + + has.spserv.microsoft.com. + Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. + + + + + + + + + + + + + + + + + + TpmReadyStatus + + + + + Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state. 
+ + + + + + + + + + + + + + 10.0.14393 + 1.1 + + + + + CurrentProtocolVersion + + + + + Provides the current protocol version that the client is using to communicate with the Health Attestation Service. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + + PreferredMaxProtocolVersion + + + + + + 3 + Provides the maximum preferred protocol version that the client is configured to communicate over. If this is higher than the protocol versions supported by the client it will use the highest protocol version available to it. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + + + + MaxSupportedProtocolVersion + + + + + Returns the maximum protocol version that this client can support. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + + TriggerAttestation + + + + + Notifies the device to trigger an attestation session asynchronously. + + + + + + + + + + + + + + 10.0.22000 + 1.4 + + + + + GetAttestReport + + + + + Retrieve attestation session report if exists. + + + + + + + + + + + + + + 10.0.22000 + 1.4 + + + + + AttestStatus + + + + + AttestStatus maintains the success or failure status code for the last attestation session. + + + + + + + + + + + + + + 10.0.22000 + 1.4 + + + + + GetServiceCorrelationIDs + + + + + Retrieve service correlation IDs if exist. + + + + + + + + + + + + + + 10.0.22000 + 1.4 + + + + + ``` -## Related topics +## Related articles - -[HealthAttestation configuration service provider](healthattestation-csp.md) - -  - -  +[HealthAttestation configuration service provider reference](healthattestation-csp.md) diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml index d8bd8ed982..094b2b87da 100644 --- a/windows/client-management/mdm/index.yml +++ b/windows/client-management/mdm/index.yml @@ -11,6 +11,7 @@ metadata: ms.prod: windows-client ms.collection: - highpri + - tier1 ms.custom: intro-hub-or-landing author: vinaypamnani-msft ms.author: vinpa 
@@ -47,7 +48,7 @@ landingContent:
 - text: Policy CSP
 url: policy-configuration-service-provider.md
 - text: Policy DDF file
- url: policy-ddf-file.md
+ url: configuration-service-provider-ddf.md
 - text: Policy CSP - Start
 url: policy-csp-start.md
 - text: Policy CSP - Update
diff --git a/windows/client-management/mdm/language-pack-management-ddf-file.md b/windows/client-management/mdm/language-pack-management-ddf-file.md
new file mode 100644
index 0000000000..398f64ec81
--- /dev/null
+++ b/windows/client-management/mdm/language-pack-management-ddf-file.md
@@ -0,0 +1,378 @@ +--- +title: LanguagePackManagement DDF file +description: View the XML file containing the device description framework (DDF) for the LanguagePackManagement configuration service provider. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/17/2023 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + +# LanguagePackManagement DDF file + +The following XML file contains the device description framework (DDF) for the LanguagePackManagement configuration service provider. + +```xml + +]> + + 1.2 + + + + LanguagePackManagement + ./Device/Vendor/MSFT + + + + + + + CSP for managing language packs and language settings. + + + + + + + + + + + + + + 99.9.9999 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + InstalledLanguages + + + + + Languages currently installed on the device. + + + + + + + + + + + + + + + + + + + + + + Language tag of an installed language on the device. Delete to uninstall. + + + + + + + + + + Language ID + + + + + + + + + Providers + + + + + Numeric representation of how a language is installed. 1 - The system language pack is installed; 2 - The Local Experience Pack is installed; 3 - Both are installed. + + + + + + + + + + + + + + + + LanguageFeatures + + + + + Numeric representation of the language features installed. Basic Typing - 1 (0x1), Fonts - 2 (0x2), Handwriting - 4 (0x4), Speech - 8 (0x8), TextToSpeech - 16 (0x10), OCR - 32 (0x20), LocaleData - 64 (0x40), SupplementFonts - 128 (0x80). + + + + + + + + + + + + + + + + + + Install + + + + + Language to be installed or being installed. + + + + + + + + + + + + + + + + + + + + + + + Language tag of the language to be installed or being installed. 
+ + + + + + + + + + Language ID + + + + + Language tag of the language to be installed or being installed. + + + + Status + + + + + Status of the language queued for install. 0 – not started; 1 – in progress; 2 – succeeded; 3 – failed; 4 – partially succeeded. + + + + + + + + + + + + + + + + ErrorCode + + + + + Error code of queued language installation. 0 if there is no error. + + + + + + + + + + + + + + + + CopyToDeviceInternationalSettings + + + + + + + + false + Copies the language to the international settings (i.e., locale, input layout, speech recognizer, preferred UI language) of the device immediately after installation if the value is true. Default value is false. + + + + + + + + + + + + + + + false + Don't copy the language to the international settings immediately after installation. + + + true + Copy the language to the international settings immediately after installation. + + + + + + EnableLanguageFeatureInstallations + + + + + + + + true + Enables installations of all available language features when the value is true. Default value is true. + + + + + + + + + + + + + + + true + Install all available language features. + + + false + Install only the required language features. + + + + + + StartInstallation + + + + + Execution node to queue a language for installation on the device. + + + + + + + + + + + + + + + + + + LanguageSettings + + + + + Language settings of the device. + + + + + + + + + + + + + + + SystemPreferredUILanguages + + + + + + System Preferred UI Language of the device. + + + + + + + + + + + + + + + + + + + +``` + +## Related articles + +[LanguagePackManagement configuration service provider reference](language-pack-management-csp.md) diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md index f5c69b2fcd..9c4f8440b5 100644 --- a/windows/client-management/mdm/laps-csp.md +++ b/windows/client-management/mdm/laps-csp.md 
@@ -1,512 +1,837 @@ --- -title: Local Administrator Password Solution CSP -description: Learn how the Local Administrator Password Solution configuration service provider (CSP) is used by the enterprise to manage backup of local administrator account passwords. -ms.author: jsimmons -author: jay98014 -ms.reviewer: vinpa +title: LAPS CSP +description: Learn more about the LAPS CSP. +author: vinaypamnani-msft manager: aaroncz -ms.topic: reference +ms.author: vinpa +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -ms.localizationpriority: medium -ms.date: 09/20/2022 +ms.topic: reference --- -# Local Administrator Password Solution CSP + -The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. This CSP was added in Windows 11 as of version 25145. + +# LAPS CSP > [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + + + +The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings). 
+ +> [!NOTE] > Windows LAPS currently is available only in [Windows 11 Insider Preview Build 25145 and later](/windows-insider/flight-hub/#active-development-builds-of-windows-11). Support for the Windows LAPS Azure Active Directory scenario is currently in private preview, and limited to a small number of customers who have a direct engagement with engineering. Once public preview is declared in 2023, all customers will be able to evaluate this AAD scenario. > [!TIP] > This article covers the specific technical details of the LAPS CSP. For more information about the scenarios in which the LAPS CSP would be used, see [Windows Local Administrator Password Solution](/windows-server/identity/laps/laps). + -The following example shows the LAPS CSP in tree format. + +The following list shows the LAPS configuration service provider nodes: -```xml -./Device/Vendor/MSFT -LAPS -----Policies ---------BackupDirectory ---------PasswordAgeDays ---------PasswordLength ---------PasswordComplexity ---------PasswordExpirationProtectionEnabled ---------AdministratorAccountName ---------ADPasswordEncryptionEnabled ---------ADPasswordEncryptionPrincipal ---------ADEncryptedPasswordHistorySize ---------PostAuthenticationResetDelay ---------PostAuthenticationActions -----Actions ---------ResetPassword ---------ResetPasswordStatus +- ./Device/Vendor/MSFT/LAPS + - [Actions](#actions) + - [ResetPassword](#actionsresetpassword) + - [ResetPasswordStatus](#actionsresetpasswordstatus) + - [Policies](#policies) + - [ADEncryptedPasswordHistorySize](#policiesadencryptedpasswordhistorysize) + - [AdministratorAccountName](#policiesadministratoraccountname) + - [ADPasswordEncryptionEnabled](#policiesadpasswordencryptionenabled) + - [ADPasswordEncryptionPrincipal](#policiesadpasswordencryptionprincipal) + - [BackupDirectory](#policiesbackupdirectory) + - [PasswordAgeDays](#policiespasswordagedays) + - [PasswordComplexity](#policiespasswordcomplexity) + - 
[PasswordExpirationProtectionEnabled](#policiespasswordexpirationprotectionenabled) + - [PasswordLength](#policiespasswordlength) + - [PostAuthenticationActions](#policiespostauthenticationactions) + - [PostAuthenticationResetDelay](#policiespostauthenticationresetdelay) + + + +## Actions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Actions ``` - -The LAPS CSP can be used to manage devices that are either joined to Azure AD or joined to both Azure AD and Active Directory (hybrid-joined). The LAPS CSP manages a mix of AAD-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2. - -|Setting name|Azure-joined|Hybrid-joined| -|---|---|---| -|BackupDirectory|Yes|Yes -|PasswordAgeDays|Yes|Yes -|PasswordLength|Yes|Yes| -|PasswordComplexity|Yes|Yes| -|PasswordExpirationProtectionEnabled|No|Yes| -|AdministratorAccountName|Yes|Yes| -|ADPasswordEncryptionEnabled|No|Yes| -|ADPasswordEncryptionPrincipal|No|Yes| -|ADEncryptedPasswordHistorySize|No|Yes| -|PostAuthenticationResetDelay|Yes|Yes| -|PostAuthenticationActions|Yes|Yes| -|ResetPassword|Yes|Yes| -|ResetPasswordStatus|Yes|Yes| - -> [!IMPORTANT] -> Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings). - -## ./Device/Vendor/MSFT/LAPS - -Defines the root node for the LAPS CSP. - - -### Policies - -Defines the interior parent node for all configuration-related settings in the LAPS CSP. - - - -### BackupDirectory - -Allows the administrator to configure which directory the local administrator account password is backed up to. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - -Data type is integer. Supported operations are Add, Get, Replace, and Delete. 
- - -The allowable settings are: - -|Value|Description of setting| -|--- |--- | -|0|Disabled (password won't be backed up)| -|1|Back up the password to Azure AD only| -|2|Back up the password to Active Directory only| - -If not specified, this setting will default to 0 (disabled). - - - - -### PasswordAgeDays - -Use this policy to configure the maximum password age of the managed local administrator account. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -If not specified, this setting will default to 30 days - -This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password Azure AD. - -This setting has a maximum allowed value of 365 days. - - -Data type is integer. - -Supported operations are Add, Get, Replace, and Delete. - - - -### PasswordComplexity - -Use this setting to configure password complexity of the managed local administrator account. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -The allowable settings are: - -|Value|Description of setting| -|--- |--- | -|1|Large letters| -|2|Large letters + small letters| -|3|Large letters + small letters + numbers| -|4|Large letters + small letters + numbers + special characters| - - -If not specified, this setting will default to 4. - -> [!IMPORTANT] -> Windows supports the lower password complexity settings (1, 2, and 3) only for backwards compatibility with older versions of LAPS. Microsoft recommends that this setting always be configured to 4. - - -Data type is integer. - -Supported operations are Add, Get, Replace, and Delete. - - - -### PasswordLength - -Use this setting to configure the length of the password of the managed local administrator account. 
- - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -If not specified, this setting will default to 14 characters. - -This setting has a minimum allowed value of 8 characters. - -This setting has a maximum allowed value of 64 characters. - - -Data type is integer. - -Supported operations are Add, Get, Replace, and Delete. - - - -### AdministratorAccountName - -Use this setting to configure the name of the managed local administrator account. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed). - -If specified, the specified account's password will be managed. - -> [!IMPORTANT] -> If a custom account name is specified in this setting, the specified account must be created via other means. Specifying a name in this setting will not cause the account to be created. - - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - - -### PasswordExpirationProtectionEnabled - -Use this setting to configure enforcement of maximum password age for the managed local administrator account. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -When this setting is set to True, planned password expiration that would result in a password age greater than what is specified by the "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately, and the new password expiration date is set according to policy. - -If not specified, this setting defaults to True. - -> [!IMPORTANT] -> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory. 
- - -Data type is boolean. - -Supported operations are Add, Get, Replace, and Delete. - - - -### ADPasswordEncryptionEnabled - -Use this setting to configure whether the password is encrypted before being stored in Active Directory. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -This setting is ignored if the password is currently being stored in Azure. - -If this setting is set to True, and the Active Directory domain meets the 2016 DFL prerequisite, the password is encrypted before being stored in Active Directory. - -If this setting is missing or set to False, or the Active Directory domain doesn't meet the DFL prerequisite, the password is stored as clear-text in Active Directory. - -If not specified, this setting defaults to False. -> [!IMPORTANT] -> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory, AND the the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher. - - -Data type is boolean. - -Supported operations are Add, Get, Replace, and Delete. - - - -### ADPasswordEncryptionPrincipal - -Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -This setting is ignored if the password is currently being stored in Azure. - -If not specified, the password can only be decrypted by the Domain Admins group in the device's domain. - -If specified, the specified user or group will be able to decrypt the password stored in Active Directory. - -If the specified user or group account is invalid the device will fall back to using the Domain Admins group in the device's domain. 
-> [!IMPORTANT] -> The string stored in this setting must be either a SID in string form or the fully qualified name of a user or group. Valid examples include: -> -> "S-1-5-21-2127521184-1604012920-1887927527-35197" -> -> "contoso\LAPSAdmins" -> -> "lapsadmins@contoso.com" -> -> The principal identified (either by SID or user\group name) must exist and be resolvable by the device. - -> [!IMPORTANT] -> This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met. - - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - - -### ADEncryptedPasswordHistorySize - + + + + + + + + +Defines the parent interior node for all action-related settings in the LAPS CSP. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Actions/ResetPassword + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Actions/ResetPassword +``` + + + + +Use this setting to tell the CSP to immediately generate and store a new password for the managed local administrator account. + + + + +This action invokes an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +### Actions/ResetPasswordStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Actions/ResetPasswordStatus +``` + + + + +Use this setting to query the status of the last submitted ResetPassword execute action. + + + + +The value returned is an HRESULT code: + +- S_OK (0x0): The last submitted ResetPassword action succeeded. +- E_PENDING (0x8000000): The last submitted ResetPassword action is still executing. +- Other: The last submitted ResetPassword action encountered the returned error. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + + + + + + + + + +## Policies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies +``` + + + + +Root node for LAPS policies. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Atomic Required | True | + + + + + + + + + +### Policies/ADEncryptedPasswordHistorySize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/ADEncryptedPasswordHistorySize +``` + + + + Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - If not specified, this setting will default to 0 passwords (disabled). This setting has a minimum allowed value of 0 passwords. This setting has a maximum allowed value of 12 passwords. + + + > [!IMPORTANT] > This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met. - + -Data type is integer. + +**Description framework properties**: -Supported operations are Add, Get, Replace, and Delete. - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-12]` | +| Default Value | 0 | +| Dependency [BackupDirectory] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/LAPS/Policies/BackupDirectory`
    Dependency Allowed Value: `2`
    Dependency Allowed Value Type: `ENUM`
    | + - -### PostAuthenticationResetDelay - -Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions (see the PostAuthenticationActions setting below). - + + + - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - + - -If not specified, this setting will default to 24 hours. + +### Policies/AdministratorAccountName -This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -This setting has a maximum allowed value of 24 hours. - + +```Device +./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName +``` + -Data type is integer. + + +Use this setting to configure the name of the managed local administrator account. -Supported operations are Add, Get, Replace, and Delete. - +If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed). - -### PostAuthenticationActions - -Use this setting to specify the actions to take upon expiration of the configured grace period (see the PostAuthenticationResetDelay setting above). - +If specified, the specified account's password will be managed. - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - +**Note** if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting will not cause the account to be created. + - -This setting can have ONE of the following values: + + + -|Value|Name|Action(s) taken upon expiry of the grace period| -|--- |--- |--- | -|1|Reset password|The managed account password will be reset| -|3|Reset password and log off|The managed account password will be reset and any interactive logon sessions using the managed account will be terminated| -|5|Reset password and reboot|The managed account password will be reset and the managed device will be immediately rebooted.| + +**Description framework properties**: -If not specified, this setting will default to 3. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + +### Policies/ADPasswordEncryptionEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionEnabled +``` + + + + +Use this setting to configure whether the password is encrypted before being stored in Active Directory. + +This setting is ignored if the password is currently being stored in Azure. + +This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher. + +- If this setting is enabled, and the Active Directory domain meets the DFL prerequisite, the password will be encrypted before before being stored in Active Directory. + +- If this setting is disabled, or the Active Directory domain does not meet the DFL prerequisite, the password will be stored as clear-text in Active Directory. + +If not specified, this setting defaults to True. + + + + +> [!IMPORTANT] +> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory, AND the the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | True | +| Dependency [BackupDirectory] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/LAPS/Policies/BackupDirectory`
    Dependency Allowed Value: `2`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Store the password in clear-text form in Active Directory. | +| true (Default) | Store the password in encrypted form in Active Directory. | + + + + + + + + + +### Policies/ADPasswordEncryptionPrincipal + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionPrincipal +``` + + + + +Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory. + +This setting is ignored if the password is currently being stored in Azure. + +If not specified, the password will be decryptable by the Domain Admins group in the device's domain. + +If specified, the specified user or group will be able to decrypt the password stored in Active Directory. + +If the specified user or group account is invalid the device will fallback to using the Domain Admins group in the device's domain. + + + + +> [!IMPORTANT] +> This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met. The string stored in this setting must be either a SID in string form or the fully qualified name of a user or group. Valid examples include: +> +> - `S-1-5-21-2127521184-1604012920-1887927527-35197` +> - `contoso\LAPSAdmins` +> - `lapsadmins@contoso.com` +> +> The principal identified (either by SID or user\group name) must exist and be resolvable by the device. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dependency [BackupDirectory] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/LAPS/Policies/BackupDirectory`
    Dependency Allowed Value: `2`
    Dependency Allowed Value Type: `ENUM`
    | + + + + + + + + + +### Policies/BackupDirectory + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory +``` + + + + +Use this setting to configure which directory the local admin account password is backed up to. + +The allowable settings are: + +0=Disabled (password will not be backed up) +1=Backup the password to Azure AD only +2=Backup the password to Active Directory only + +If not specified, this setting will default to 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled (password will not be backed up). | +| 1 | Backup the password to Azure AD only. | +| 2 | Backup the password to Active Directory only. | + + + + + + + + + +### Policies/PasswordAgeDays + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays +``` + + + + +Use this policy to configure the maximum password age of the managed local administrator account. + +If not specified, this setting will default to 30 days + +This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password to Azure AD. + +This setting has a maximum allowed value of 365 days. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-365]` | +| Default Value | 30 | +| Dependency [BackupDirectoryAADMode BackupDirectoryADMode] | Dependency Type: `DependsOn DependsOn`
    Dependency URI: `Vendor/MSFT/LAPS/Policies/BackupDirectory Vendor/MSFT/LAPS/Policies/BackupDirectory`
    Dependency Allowed Value: ` `
    Dependency Allowed Value Type: `ENUM ENUM`
    | + + + + + + + + + +### Policies/PasswordComplexity + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity +``` + + + + +Use this setting to configure password complexity of the managed local administrator account. + +The allowable settings are: + +1=Large letters +2=Large letters + small letters +3=Large letters + small letters + numbers +4=Large letters + small letters + numbers + special characters + +If not specified, this setting will default to 4. + + + + +> [!IMPORTANT] +> Windows supports the lower password complexity settings (1, 2, and 3) only for backwards compatibility with older versions of LAPS. Microsoft recommends that this setting always be configured to 4. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 4 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Large letters. | +| 2 | Large letters + small letters. | +| 3 | Large letters + small letters + numbers. | +| 4 (Default) | Large letters + small letters + numbers + special characters. | + + + + + + + + + +### Policies/PasswordExpirationProtectionEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PasswordExpirationProtectionEnabled +``` + + + + +Use this setting to configure additional enforcement of maximum password age for the managed local administrator account. + +When this setting is enabled, planned password expiration that would result in a password age greater than that dictated by "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately and the new password expiration date is set according to policy. + +If not specified, this setting defaults to True. + + + + +> [!IMPORTANT] +> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | True | +| Dependency [BackupDirectory] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/LAPS/Policies/BackupDirectory`
    Dependency Allowed Value: `2`
    Dependency Allowed Value Type: `ENUM`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Allow configured password expiriration timestamp to exceed maximum password age. | +| true (Default) | Do not allow configured password expiriration timestamp to exceed maximum password age. | + + + + + + + + + +### Policies/PasswordLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PasswordLength +``` + + + + +Use this setting to configure the length of the password of the managed local administrator account. + +If not specified, this setting will default to 14 characters. + +This setting has a minimum allowed value of 8 characters. + +This setting has a maximum allowed value of 64 characters. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[8-64]` | +| Default Value | 14 | + + + + + + + + + +### Policies/PostAuthenticationActions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions +``` + + + + +Use this setting to specify the actions to take upon expiration of the configured grace period. + +If not specified, this setting will default to 3 (Reset the password and logoff the managed account). + + + + > [!IMPORTANT] > The allowed post-authentication actions are intended to help limit the amount of time that a LAPS password may be used before being reset. Logging off the managed account - or rebooting the device - are options to help ensure this. Abrupt termination of logon sessions, or rebooting the device, may result in data loss. > [!IMPORTANT] > From a security perspective, a malicious user who acquires administrative privileges on a device using a valid LAPS password does have the ultimate ability to prevent or circumvent these mechanisms. - + -Data type is integer. + +**Description framework properties**: -Supported operations are Add, Get, Replace, and Delete. - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + - -## Actions + +**Allowed values**: -Defines the parent interior node for all action-related settings in the LAPS CSP. - +| Value | Description | +|:--|:--| +| 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. | +| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. | +| 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. 
| + - -### ResetPassword - -Use this Execute action to request an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc. - + + + - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - + - + +### Policies/PostAuthenticationResetDelay - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -Data type is integer. + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay +``` + -Supported operations are Execute. - + + +Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. - -### ResetPasswordStatus - -Use this setting to query the status of the last submitted ResetPassword action. - +If not specified, this setting will default to 24 hours. - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - +This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). - -The value returned is an HRESULT code. +This setting has a maximum allowed value of 24 hours. + -S_OK (0x0) - the last submitted ResetPassword action succeeded. + + + -E_PENDING (0x8000000) - the last submitted ResetPassword action is still executing. + +**Description framework properties**: -other - the last submitted ResetPassword action encountered the returned error. - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-24]` | +| Default Value | 24 | + -Data type is integer. + + + -Supported operations are Get. - + -### SyncML examples + + +## Settings Applicability -The following examples are provided to show proper format and shouldn't be taken as a recommendation. +The LAPS CSP can be used to manage devices that are either joined to Azure AD or joined to both Azure AD and Active Directory (hybrid-joined). The LAPS CSP manages a mix of AAD-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2. 
-#### Azure-joined device backing password up to Azure AD +| Setting name | Azure-joined | Hybrid-joined | +|-------------------------------------|--------------|---------------| +| BackupDirectory | Yes | Yes | +| PasswordAgeDays | Yes | Yes | +| PasswordLength | Yes | Yes | +| PasswordComplexity | Yes | Yes | +| PasswordExpirationProtectionEnabled | No | Yes | +| AdministratorAccountName | Yes | Yes | +| ADPasswordEncryptionEnabled | No | Yes | +| ADPasswordEncryptionPrincipal | No | Yes | +| ADEncryptedPasswordHistorySize | No | Yes | +| PostAuthenticationResetDelay | Yes | Yes | +| PostAuthenticationActions | Yes | Yes | +| ResetPassword | Yes | Yes | +| ResetPasswordStatus | Yes | Yes | -This example is configuring an Azure-joined device to back up its password to Azure Active Directory: +## SyncML examples + +The following examples are provided to show the correct format and shouldn't be considered as a recommendation. + +### Azure-joined device backing password up to Azure AD + +This example shows how to configure an Azure-joined device to back up its password to Azure Active Directory: ```xml @@ -605,9 +930,9 @@ This example is configuring an Azure-joined device to back up its password to Az ``` -#### Hybrid-joined device backing password up to Active Directory +### Hybrid-joined device backing password up to Active Directory -This example is configuring a hybrid device to back up its password to Active Directory with password encryption enabled: +This example shows how to configure a hybrid device to back up its password to Active Directory with password encryption enabled: ```xml @@ -757,9 +1082,10 @@ This example is configuring a hybrid device to back up its password to Active Di <Final/> ``` + + + ## Related articles -[Configuration service provider reference](index.yml) - -[Windows LAPS](/windows-server/identity/laps/laps) +[Configuration service provider reference](configuration-service-provider-reference.md) 
diff --git a/windows/client-management/mdm/laps-ddf-file.md b/windows/client-management/mdm/laps-ddf-file.md index b5ba239a7a..35784361d4 100644 --- a/windows/client-management/mdm/laps-ddf-file.md +++ b/windows/client-management/mdm/laps-ddf-file.md 
@@ -1,101 +1,88 @@ --- title: LAPS DDF file -description: Learn about the OMA DM device description framework (DDF) for the Local Administrator Password Solution configuration service provider. -ms.author: jsimmons -ms.topic: article +description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: jsimmons -ms.localizationpriority: medium -ms.date: 07/04/2022 -ms.reviewer: jsimmons -manager: jsimmons +ms.topic: reference --- -# Local Administrator Password Solution DDF file + -This article shows the OMA DM device description framework (DDF) for the Local Administrator Password Solution (LAPS) configuration service provider. +# LAPS DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the LAPS configuration service provider. ```xml - - - - - 1.2 - "%windir%\system32\LapsCSP.dll - - {298a6f17-03e7-4bd4-971c-544f359527b7} + +]> + + 1.2 + + + + LAPS + ./Device/Vendor/MSFT + + + + + The root node for the LAPS configuration service provider. + + + + + + + + + + + + + + 99.9.99999 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Policies + + + + + Root node for LAPS policies. + + + + + + + + + + Policies + + + + + - LAPS - ./Device/Vendor/MSFT + BackupDirectory + + + - The root node for the LAPS configuration service provider. - - - - - - - - - - - - - - 99.9.99999 - 1.0 - - - - - - - Policies - - - - - Root node for LAPS policies. 
- - - - - - - - - - Policies - - - - - - - BackupDirectory - - - - - - - - 0 - Use this setting to configure which directory the local admin account password is backed up to. + 0 + Use this setting to configure which directory the local admin account password is backed up to. The allowable settings are: 
@@ -104,95 +91,109 @@ The allowable settings are: 2=Backup the password to Active Directory only If not specified, this setting will default to 0. - - - - - - - - - - - text/plain - - - - 0 - Disabled (password will not be backed up) - - - 1 - Backup the password to Azure AD only - - - 2 - Backup the password to Active Directory only - - - - - - PasswordAgeDays - - - - - - - - 30 - Use this policy to configure the maximum password age of the managed local administrator account. + + + + + + + + + + + + + + + 0 + Disabled (password will not be backed up) + + + 1 + Backup the password to Azure AD only + + + 2 + Backup the password to Active Directory only + + + + + + PasswordAgeDays + + + + + + + + 30 + Use this policy to configure the maximum password age of the managed local administrator account. If not specified, this setting will default to 30 days This setting has a minimum allowed value of 1 day when backing the password to onpremises Active Directory, and 7 days when backing the password to Azure AD. This setting has a maximum allowed value of 365 days. - - - - - - - - - - - text/plain - - - [1-365] - - - - - [7-365] - - - Vendor/MSFT/LAPS/Policies/BackupDirectory - - - 1 - BackupDirectory configured to Azure AD - - - - - - - - - PasswordComplexity - - - - - - - - 4 - Use this setting to configure password complexity of the managed local administrator account. + + + + + + + + + + + + + + [1-365] + + + + + [7-365] + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 1 + BackupDirectory configured to Azure AD + + + + + + + [1-365] + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + PasswordComplexity + + + + + + + + 4 + Use this setting to configure password complexity of the managed local administrator account. The allowable settings are: 
@@ -202,165 +203,165 @@ The allowable settings are: 4=Large letters + small letters + numbers + special characters If not specified, this setting will default to 4. - - - - - - - - - - - text/plain - - - - 1 - Large letters - - - 2 - Large letters + small letters - - - 3 - Large letters + small letters + numbers - - - 4 - Large letters + small letters + numbers + special characters - - - - - - PasswordLength - - - - - - - - 14 - Use this setting to configure the length of the password of the managed local administrator account. + + + + + + + + + + + + + + + 1 + Large letters + + + 2 + Large letters + small letters + + + 3 + Large letters + small letters + numbers + + + 4 + Large letters + small letters + numbers + special characters + + + + + + PasswordLength + + + + + + + + 14 + Use this setting to configure the length of the password of the managed local administrator account. If not specified, this setting will default to 14 characters. This setting has a minimum allowed value of 8 characters. This setting has a maximum allowed value of 64 characters. - - - - - - - - - - - text/plain - - - [8-64] - - - - - AdministratorAccountName - - - - - - - - Use this setting to configure the name of the managed local administrator account. + + + + + + + + + + + + + + [8-64] + + + + + AdministratorAccountName + + + + + + + + Use this setting to configure the name of the managed local administrator account. If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed). If specified, the specified account's password will be managed. Note: if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting will not cause the account to be created. 
- - - - - - - - - - - text/plain - - - - - PasswordExpirationProtectionEnabled - - - - - - - - True - Use this setting to configure additional enforcement of maximum password age for the managed local administrator account. + + + + + + + + + + + + + + + + PasswordExpirationProtectionEnabled + + + + + + + + True + Use this setting to configure additional enforcement of maximum password age for the managed local administrator account. When this setting is enabled, planned password expiration that would result in a password age greater than that dictated by "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately and the new password expiration date is set according to policy. If not specified, this setting defaults to True. - - - - - - - - - - - text/plain - - - - false - Allow configured password expiriration timestamp to exceed maximum password age - - - true - Do not allow configured password expiriration timestamp to exceed maximum password age - - - - - - Vendor/MSFT/LAPS/Policies/BackupDirectory - - - 2 - BackupDirectory configured to Active Directory - - - - - - - - - ADPasswordEncryptionEnabled - - - - - - - - False - Use this setting to configure whether the password is encrypted before being stored in Active Directory. + + + + + + + + + + + + + + + false + Allow configured password expiriration timestamp to exceed maximum password age + + + true + Do not allow configured password expiriration timestamp to exceed maximum password age + + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + ADPasswordEncryptionEnabled + + + + + + + + True + Use this setting to configure whether the password is encrypted before being stored in Active Directory. This setting is ignored if the password is currently being stored in Azure. 
@@ -370,54 +371,54 @@ If this setting is enabled, and the Active Directory domain meets the DFL prereq If this setting is disabled, or the Active Directory domain does not meet the DFL prerequisite, the password will be stored as clear-text in Active Directory. -If not specified, this setting defaults to False. - - - - - - - - - - - text/plain - - - - false - Store the password in clear-text form in Active Directory - - - true - Store the password in encrypted form in Active Directory - - - - - - Vendor/MSFT/LAPS/Policies/BackupDirectory - - - 2 - BackupDirectory configured to Active Directory - - - - - - - - - ADPasswordEncryptionPrincipal - - - - - - - - Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory. +If not specified, this setting defaults to True. + + + + + + + + + + + + + + + false + Store the password in clear-text form in Active Directory + + + true + Store the password in encrypted form in Active Directory + + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + ADPasswordEncryptionPrincipal + + + + + + + + Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory. This setting is ignored if the password is currently being stored in Azure. 
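Review bot: The DefaultValue for ADPasswordEncryptionEnabled changes from `False` to `True` at the end of the @@ -202 hunk, and the @@ -370 hunk changes the matching sentence to `If not specified, this setting defaults to True.`, yet the description in the same hunk still states that when the Active Directory domain does not meet the DFL prerequisite the password is stored as clear-text. With the default now True, that fallback is the point an administrator is most likely to miss, so the description should say it plainly, e.g. `Note: even with this setting at its default of True, the password is stored as clear-text in Active Directory if the domain does not meet the DFL prerequisite.` The ADPasswordEncryptionEnabled section of laps-csp.md is not visible in this part of the diff; confirm it states the same default and the same fallback so the two pages do not disagree.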
@@ -426,229 +427,226 @@ If not specified, the password will be decryptable by the Domain Admins group in If specified, the specified user or group will be able to decrypt the password stored in Active Directory. If the specified user or group account is invalid the device will fallback to using the Domain Admins group in the device's domain. - - - - - - - - - - - text/plain - - - - - Vendor/MSFT/LAPS/Policies/BackupDirectory - - - 2 - BackupDirectory configured to Active Directory - - - - - - - - - ADEncryptedPasswordHistorySize - - - - - - - - 0 - Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory. + + + + + + + + + + + + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + ADEncryptedPasswordHistorySize + + + + + + + + 0 + Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory. If not specified, this setting will default to 0 passwords (disabled). This setting has a minimum allowed value of 0 passwords. This setting has a maximum allowed value of 12 passwords. - - - - - - - - - - - text/plain - - - [0-12] - - - - - Vendor/MSFT/LAPS/Policies/BackupDirectory - - - 2 - BackupDirectory configured to Active Directory - - - - - - - - - PostAuthenticationResetDelay - - - - - - - - 24 - Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. + + + + + + + + + + + + + + [0-12] + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + PostAuthenticationResetDelay + + + + + + + + 24 + Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. If not specified, this setting will default to 24 hours. 
This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). This setting has a maximum allowed value of 24 hours. - - - - - - - - - - - text/plain - - - [0-24] - - - - - PostAuthenticationActions - - - - - - - - 3 - Use this setting to specify the actions to take upon expiration of the configured grace period. + + + + + + + + + + + + + + [0-24] + + + + + PostAuthenticationActions + + + + + + + + 3 + Use this setting to specify the actions to take upon expiration of the configured grace period. If not specified, this setting will default to 3 (Reset the password and logoff the managed account). - - - - - - - - - - - text/plain - - - - 1 - Reset password: upon expiry of the grace period, the managed account password will be reset. - - - 3 - Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. - - - 5 - Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. - - - - - - - Actions - - - - - - - - - - - - - - Actions - - - - - - ResetPassword - - - - - Use this setting to tell the CSP to immediately generate and store a new password for the managed local administrator account. - - - - - - - - - - - text/plain - - - - - - ResetPasswordStatus - - - - - 0 - Use this setting to query the status of the last submitted ResetPassword execute action. - - - - - - - - - - ResetPasswordStatus - - text/plain - - - - + + + + + + + + + + + + + + + 1 + Reset password: upon expiry of the grace period, the managed account password will be reset. + + + 3 + Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. 
+ + + 5 + Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. + + + - - - + + + Actions + + + + + + + + + + + + + + Actions + + + + + + ResetPassword + + + + + Use this setting to tell the CSP to immediately generate and store a new password for the managed local administrator account. + + + + + + + + + + + + + + + + ResetPasswordStatus + + + + + 0 + Use this setting to query the status of the last submitted ResetPassword execute action. + + + + + + + + + + ResetPasswordStatus + + + + + + + + ``` ## Related articles -[LAPS configuration service provider](laps-csp.md) +[LAPS configuration service provider reference](laps-csp.md) diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index 4be3316fbb..44b8f2d7ae 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md 
@@ -1,29 +1,23 @@ --- title: NetworkProxy CSP -description: Learn how the NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. +description: Learn more about the NetworkProxy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/29/2018 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # NetworkProxy CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703. How the settings work: 
@@ -32,73 +26,330 @@ How the settings work: - If #1 fails and a setup script is specified, the system tries to download the explicitly configured PAC script. - If #2 fails and a proxy server is specified, the system tries to use the explicitly configured proxy server. - Otherwise, the system tries to reach the site directly. + -The following shows the NetworkProxy configuration service provider in tree format. + +The following list shows the NetworkProxy configuration service provider nodes: -```console -./Vendor/MSFT -NetworkProxy -----ProxySettingsPerUser -----AutoDetect -----SetupScriptUrl -----ProxyServer ---------ProxyAddress ---------Exceptions ---------UseProxyForLocalAddresses +- ./Vendor/MSFT/NetworkProxy + - [AutoDetect](#autodetect) + - [ProxyServer](#proxyserver) + - [Exceptions](#proxyserverexceptions) + - [ProxyAddress](#proxyserverproxyaddress) + - [UseProxyForLocalAddresses](#proxyserveruseproxyforlocaladdresses) + - [ProxySettingsPerUser](#proxysettingsperuser) + - [SetupScriptUrl](#setupscripturl) + + + +## AutoDetect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/NetworkProxy/AutoDetect ``` + -**./Vendor/MSFT/NetworkProxy** -The root node for the NetworkProxy configuration service provider. - -**ProxySettingsPerUser** -Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide. - -Supported operations are Add, Get, Replace, and Delete. - -> [!Note] -> Per user proxy configuration setting is not supported using a configuration file, only modifying registry settings on a local machine. - -**AutoDetect** + + Automatically detect settings. If enabled, the system tries to find the path to a PAC script. + -Valid values: + + + -- 0 - Disabled -- 1 (default) - Enabled + +**Description framework properties**: -The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Delete, Get, Replace | +| Default Value | 1 | + -**SetupScriptUrl** -Address to the PAC script you want to use. + +**Allowed values**: -The data type is string. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + -**ProxyServer** + + + + + + + +## ProxyServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/NetworkProxy/ProxyServer +``` + + + + Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections. + -Supported operation is Get. + + + -**ProxyAddress** -Address to the proxy server. Specify an address in the format <server>[“:”<port>].  + +**Description framework properties**: -The data type is string. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**Exceptions** -Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries.  + + + -The data type is string. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. + -**UseProxyForLocalAddresses** -Specifies whether the proxy server should be used for local (intranet) addresses.  + +### ProxyServer/Exceptions -Valid values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -- 0 (default) - Use proxy server for local addresses -- 1 - Do not use proxy server for local addresses + +```Device +./Vendor/MSFT/NetworkProxy/ProxyServer/Exceptions +``` + -The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. + + +Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries. + -## Configuration Example + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + + + + + + + +### ProxyServer/ProxyAddress + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/NetworkProxy/ProxyServer/ProxyAddress +``` + + + + +Address to the proxy server. Specify an address in the format ``[":"``]. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Delete, Get, Replace | + + + + + + + + + +### ProxyServer/UseProxyForLocalAddresses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/NetworkProxy/ProxyServer/UseProxyForLocalAddresses +``` + + + + +Specifies whether the proxy server should be used for local (intranet) addresses. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Use proxy server for local addresses. | +| 1 | Do not use proxy server for local addresses. | + + + + + + + + + +## ProxySettingsPerUser + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Vendor/MSFT/NetworkProxy/ProxySettingsPerUser +``` + + + + +When set to 0, it enables proxy configuration as global, machine wide. + + + + +> [!NOTE] +> Per user proxy configuration setting is not supported using a configuration file, only modifying registry settings on a local machine. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Proxy configuration is global, machine wide. | +| 1 (Default) | Proxy configuration is per user. | + + + + + + + + + +## SetupScriptUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/NetworkProxy/SetupScriptUrl +``` + + + + +Address to the PAC script you want to use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Delete, Get, Replace | + + + + + + + + + + +## Examples These generic code portions for the options **ProxySettingsPerUser**, **Autodetect**, and **SetupScriptURL** can be used for a specific operation, for example Replace. Only enter the portion of code needed in the **Replace** section. @@ -149,3 +400,10 @@ These generic code portions for the options **ProxySettingsPerUser**, **Autodete ``` + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md index b83fb6eab6..06042fcea6 100644 --- a/windows/client-management/mdm/networkproxy-ddf.md +++ b/windows/client-management/mdm/networkproxy-ddf.md 
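Review bot: The Access Type rows for AutoDetect, SetupScriptUrl, ProxyServer/ProxyAddress, ProxyServer/Exceptions and ProxyServer/UseProxyForLocalAddresses read `Delete, Get, Replace` beneath an applicability of "Windows 10, version 1703 [10.0.15063] and later", while the removed text said Delete was only supported starting in version 1803; the new tables silently lose that caveat. ProxySettingsPerUser likewise drops `Add` from the removed "Add, Get, Replace, and Delete" list without the change being explained. If the DDF is now the source of truth for access types, a single note under the node list such as `> [!NOTE] > The Delete operation on these nodes is supported starting in Windows 10, version 1803.` would preserve the version information; otherwise the access types should be re-checked against the DDF in the same commit.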
@@ -1,178 +1,262 @@ --- title: NetworkProxy DDF file -description: AppNetworkProxyLocker DDF file +description: View the XML file containing the device description framework (DDF) for the NetworkProxy configuration service provider. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + # NetworkProxy DDF file -This topic shows the OMA DM device description framework (DDF) for the **NetworkProxy** configuration service provider. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the NetworkProxy configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + NetworkProxy + ./Vendor/MSFT + + + + + The root node for the NetworkProxy configuration service provider. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - NetworkProxy - ./Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/1.0/MDM/NetworkProxy - - - - AutoDetect - - - - - - 1 - - - - - - - - - - - text/plain - - - - - SetupScriptUrl - - - - - - - - - - - - - - - - text/plain - - - - - ProxyServer - - - - - - - - - - - - - - - - - - - ProxyAddress - - - - - - - - - - - - - - - - text/plain - - - - - Exceptions - - - - - - - - - - - - - - - - text/plain - - - - - UseProxyForLocalAddresses - - - - - - 0 - - - - - - - - - - - text/plain - - - - + ProxySettingsPerUser + + + + + + + 1 + When set to 0, it enables proxy configuration as global, machine wide. 
+ + + + + + + + + + + + + + 10.0.17134 + 1.0 + + + + 0 + Proxy configuration is global, machine wide. + + + 1 + Proxy configuration is per user. + + + + + AutoDetect + + + + + + + 1 + Automatically detect settings. If enabled, the system tries to find the path to a PAC script. + + + + + + + + + + + + + + + 0 + Disabled + + + 1 + Enabled + + + + + + SetupScriptUrl + + + + + + + Address to the PAC script you want to use. + + + + + + + + + + + + + + + + + + ProxyServer + + + + + Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections. + + + + + + + + + + + + + + + ProxyAddress + + + + + + + [“:”]. ]]> + + + + + + + + + + + + + + + + + + Exceptions + + + + + + + Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries. + + + + + + + + + + + + + + + + + + + UseProxyForLocalAddresses + + + + + + + 0 + Specifies whether the proxy server should be used for local (intranet) addresses. Valid values: + + + + + + + + + + + + + + + 0 + Use proxy server for local addresses + + + 1 + Do not use proxy server for local addresses + + + + + + ``` + +## Related articles + +[NetworkProxy configuration service provider reference](networkproxy-csp.md) diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 70a952ccd4..6d224dd68d 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md 
@@ -1,139 +1,381 @@ --- title: NetworkQoSPolicy CSP -description: The NetworkQoSPolicy CSP applies the Quality of Service (QoS) policy for Microsoft Surface Hub. This CSP was added in Windows 10, version 1703. +description: Learn more about the NetworkQoSPolicy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/22/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # NetworkQoSPolicy CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The NetworkQoSPolicy configuration service provider creates network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. This CSP was added in Windows 10, version 1703. The following conditions are supported: + - Network traffic from a specific application name - Network traffic from specific source or destination ports - Network traffic from a specific IP protocol (TCP, UDP, or both) The following actions are supported: + - Layer 2 tagging using a IEEE 802.1p priority value - Layer 3 tagging using a differentiated services code point (DSCP) value > [!NOTE] > The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on the following devices: +> > - Azure AD Hybrid joined devices. > - Devices that use both GPO and CSP at the same time. > > The minimum operating system requirement for this CSP is Windows 10, version 1703. This CSP is not supported in Microsoft Surface Hub prior to Windows 10, version 1703. 
+ -The following example shows the NetworkQoSPolicy configuration service provider in tree format. + +The following list shows the NetworkQoSPolicy configuration service provider nodes: + +- ./Device/Vendor/MSFT/NetworkQoSPolicy + - [{Name}](#name) + - [AppPathNameMatchCondition](#nameapppathnamematchcondition) + - [DestinationPortMatchCondition](#namedestinationportmatchcondition) + - [DSCPAction](#namedscpaction) + - [IPProtocolMatchCondition](#nameipprotocolmatchcondition) + - [PriorityValue8021Action](#namepriorityvalue8021action) + - [SourcePortMatchCondition](#namesourceportmatchcondition) + - [Version](#version) + + + +## {Name} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + + + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/{Name} ``` -./Device/Vendor/MSFT -NetworkQoSPolicy -----Version -----Name ---------IPProtocolMatchCondition ---------AppPathNameMatchCondition ---------SourcePortMatchCondition ---------DestinationPortMatchCondition ---------PriorityValue8021Action ---------DSCPAction + + + + +The value of this node should be a policy name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | UniqueName: The value of this node should be a policy name. | + + + + + + + + + +### {Name}/AppPathNameMatchCondition + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + + + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/{Name}/AppPathNameMatchCondition ``` -**NetworkQoSPolicy** -

    The root node for the NetworkQoSPolicy configuration service provider.

    + -**Version** -

    Specifies the version information. + + +Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. + -

    The data type is int. + + + -

    The only supported operation is Get. + +**Description framework properties**: -***Name*** -

    Node for the QoS policy name. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -***Name*/IPProtocolMatchCondition** -

    Specifies the IP protocol used to match the network traffic. + + + -

    Valid values are: + -- 0 (default) - Both TCP and UDP -- 1 - TCP -- 2 - UDP + +### {Name}/DestinationPortMatchCondition -

    The data type is int. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + -

    The supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/{Name}/DestinationPortMatchCondition +``` + -***Name*/AppPathNameMatchCondition** -

    Specifies the name of an application to be used to match the network traffic, such as `application.exe` or `%ProgramFiles%\application.exe`. + + +Specifies a single port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number] or [port number]. + -

    The data type is char. + + + -

    The supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -***Name*/SourcePortMatchCondition** -

    Specifies a single port or a range of ports to be used to match the network traffic source. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -

    Valid values are: + + + -- A range of source ports: _[first port number]_-_[last port number]_ -- A single source port: _[port number]_ + -

    The data type is char. + +### {Name}/DSCPAction -

    The supported operations are Add, Get, Delete, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + -***Name*/DestinationPortMatchCondition** -

    Specifies a single source port or a range of ports to be used to match the network traffic destination. + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/{Name}/DSCPAction +``` + -

    Valid values are: + + +The differentiated services code point (DSCP) value to apply to matching network traffic. Valid values are 0-63. + -- A range of destination ports: _[first port number]_-_[last port number]_ -- A single destination port: _[port number]_ + + + -

    The data type is char. + +**Description framework properties**: -

    The supported operations are Add, Get, Delete, and Replace. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-63]` | + -***Name*/PriorityValue8021Action** -

    Specifies the IEEE 802.1p priority value to apply to matching network traffic. + + + -

    Valid values are 0-7. + -

    The data type is int. + +### {Name}/IPProtocolMatchCondition -

    The supported operations are Add, Get, Delete, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + -***Name*/DSCPAction** -

    The Differentiated Services Code Point (DSCP) value to apply to matching network traffic. + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/{Name}/IPProtocolMatchCondition +``` + -

    Valid values are 0-63. + + +Specifies the IP protocol used to match the network traffic. Valid values are 0: Both TCP and UDP (default), 1: TCP, 2: UDP. + -

    The data type is int. + + + -

    The supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -## Related topics + + + -Read more about the XML DDF structure to create this policy by following the links below: + -- [More Information about DDF and structure](networkqospolicy-ddf.md) -- [CSP DDF files download](configuration-service-provider-ddf.md) + +### {Name}/PriorityValue8021Action + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + + + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/{Name}/PriorityValue8021Action +``` + + + + +The IEEE 802.1p value to apply to matching network traffice. Valid values are 0-7. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-7]` | + + + + + + + + + +### {Name}/SourcePortMatchCondition + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + + + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/{Name}/SourcePortMatchCondition +``` + + + + +Specifies a single port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number] or [port number]. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + + + +```Device +./Device/Vendor/MSFT/NetworkQoSPolicy/Version +``` + + + + +Version information. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md index f90310942f..c2846f500d 100644 --- a/windows/client-management/mdm/networkqospolicy-ddf.md +++ b/windows/client-management/mdm/networkqospolicy-ddf.md 
@@ -1,285 +1,273 @@ --- -title: NetworkQoSPolicy DDF -description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.reviewer: +title: NetworkQoSPolicy DDF file +description: View the XML file containing the device description framework (DDF) for the NetworkQoSPolicy configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- -# NetworkQoSPolicy DDF + -This topic shows the OMA DM device description framework (DDF) for the **NetworkQoSPolicy** configuration service provider. DDF files are used only with OMA DM provisioning XML. +# NetworkQoSPolicy DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the NetworkQoSPolicy configuration service provider. ```xml -]> +]> 1.2 + + + + NetworkQoSPolicy + ./Device/Vendor/MSFT + + + + + The NetworkQoSPolicy configuration service provider creates network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. This CSP was added in Windows 10, version 1703. This CSP is supported only in Microsoft Surface Hub prior to Window 10, version 2004. + + + + + + + + + + + + + + 10.0.19042 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Version + + + + + Version information. + + + + + + + + + + Version + + + + + + + + + + + + + + + + The value of this node should be a policy name. 
+ + + + + + + + + + Name + + + + + The value of this node should be a policy name. + + - NetworkQoSPolicy - ./Device/Vendor/MSFT + IPProtocolMatchCondition + + + + 0 + Specifies the IP protocol used to match the network traffic. Valid values are 0: Both TCP and UDP (default), 1: TCP, 2: UDP. - + - + - + + IPProtocolMatchCondition - com.microsoft/1.0/MDM/NetworkQoSPolicy - + - - Version - - - - - Version information. - - - - - - - - - - Version - - text/plain - - - - - - - - - - - - - The value of this node should be a policy name. - - - - - - - - - - Name - - - - - - PolicyStore - - - - - - - - The location where the QoS policy is stored. - - - - - - - - - - PolicyStore - - text/plain - - - - - IPProtocolMatchCondition - - - - - - - - 0 - Specifies the IP protocol used to match the network traffic. Valid values are 0: Both TCP and UDP (default), 1: TCP, 2: UDP. - - - - - - - - - - IPProtocolMatchCondition - - text/plain - - - - - AppPathNameMatchCondition - - - - - - - - Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. - - - - - - - - - - AppPathNameMatchCondition - - text/plain - - - - - SourcePortMatchCondition - - - - - - - - Specifies a single port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number] or [port number]. - - - - - - - - - - SourcePortMatchCondition - - text/plain - - - - - DestinationPortMatchCondition - - - - - - - - Specifies a single port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number] or [port number]. - - - - - - - - - - DestinationPortMatchCondition - - text/plain - - - - - PriorityValue8021Action - - - - - - - - The IEEE 802.1p value to apply to matching network traffice. Valid values are 0-7. 
- - - - - - - - - - PriorityValue8021Action - - text/plain - - - - - DSCPAction - - - - - - - - The differentiated services code point (DSCP) value to apply to matching network traffic. Valid values are 0-63. - - - - - - - - - - DSCPAction - - text/plain - - - - + + AppPathNameMatchCondition + + + + + + + + Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. + + + + + + + + + + AppPathNameMatchCondition + + + + + + + + + SourcePortMatchCondition + + + + + + + + Specifies a single port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number] or [port number]. + + + + + + + + + + SourcePortMatchCondition + + + + + + + + + DestinationPortMatchCondition + + + + + + + + Specifies a single port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number] or [port number]. + + + + + + + + + + DestinationPortMatchCondition + + + + + + + + + PriorityValue8021Action + + + + + + + + The IEEE 802.1p value to apply to matching network traffice. Valid values are 0-7. + + + + + + + + + + PriorityValue8021Action + + + + + [0-7] + + + + + DSCPAction + + + + + + + + The differentiated services code point (DSCP) value to apply to matching network traffic. Valid values are 0-63. + + + + + + + + + + DSCPAction + + + + + [0-63] + + + + + ``` -  - -  - - - - - +## Related articles +[NetworkQoSPolicy configuration service provider reference](networkqospolicy-csp.md) diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md index b7fa0fbc34..e3a206ff86 100644 --- a/windows/client-management/mdm/nodecache-csp.md +++ b/windows/client-management/mdm/nodecache-csp.md 
@@ -1,29 +1,23 @@
 ---
 title: NodeCache CSP
-description: Use the NodeCache configuration service provider (CSP) to synchronize, monitor, and manage the client cache.
-ms.reviewer:
+description: Learn more about the NodeCache CSP.
+author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 02/28/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 06/26/2017
+ms.topic: reference
 ---
 
+
+
+
 # NodeCache CSP
 
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
+
+
 The NodeCache configuration service provider is used to manage the client cache. This configuration service provider is to be used only by enterprise management servers. It provides a level of abstraction that decouples the management of the node list from a specific backing store. It synchronizes the client cache with the server side cache. It also provides an API for monitoring device-side cache changes.
 
 NodeCache supports the comparison of hash values instead of actual node values:
@@ -35,90 +29,345 @@ application/x-nodemon-sha256 ``` NodeCache will hash the values and compare with a hash value that was sent down by the server. This process supports checking a parent node and its children recursively. + -The following example shows the NodeCache configuration service provider in tree format. + +The following list shows the NodeCache configuration service provider nodes: + +- ./Device/Vendor/MSFT/NodeCache + - [{ProviderID}](#deviceproviderid) + - [CacheVersion](#deviceprovideridcacheversion) + - [ChangedNodes](#deviceprovideridchangednodes) + - [ChangedNodesData](#deviceprovideridchangednodesdata) + - [Nodes](#deviceprovideridnodes) + - [{NodeID}](#deviceprovideridnodesnodeid) + - [AutoSetExpectedValue](#deviceprovideridnodesnodeidautosetexpectedvalue) + - [ExpectedValue](#deviceprovideridnodesnodeidexpectedvalue) + - [NodeURI](#deviceprovideridnodesnodeidnodeuri) +- ./User/Vendor/MSFT/NodeCache + - [{ProviderID}](#userproviderid) + - [CacheVersion](#userprovideridcacheversion) + - [ChangedNodes](#userprovideridchangednodes) + - [ChangedNodesData](#userprovideridchangednodesdata) + - [Nodes](#userprovideridnodes) + - [{NodeID}](#userprovideridnodesnodeid) + - [AutoSetExpectedValue](#userprovideridnodesnodeidautosetexpectedvalue) + - [ExpectedValue](#userprovideridnodesnodeidexpectedvalue) + - [NodeURI](#userprovideridnodesnodeidnodeuri) + + + +## Device/{ProviderID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID} ``` -./User/Vendor/MSFT -NodeCache -----ProviderID ---------CacheVersion ---------ChangedNodes ---------ChangedNodesData ---------Nodes -------------NodeID -----------------NodeURI -----------------ExpectedValue -----------------AutoSetExpectedValue + + + +Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the [w7 APPLICATION](w7-application-csp.md) configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache. + -./Device/Vendor/MSFT -NodeCache -----ProviderID ---------CacheVersion ---------ChangedNodes ---------ChangedNodesData ---------Nodes -------------NodeID -----------------NodeURI -----------------ExpectedValue -----------------AutoSetExpectedValue + + + + +**Description framework properties**: -./User/Vendor/MSFT -./Device/Vendor/MSFT -NodeCache -----ProviderID ---------CacheVersion ---------ChangedNodes ---------ChangedNodesData ---------Nodes -------------NodeID -----------------NodeURI -----------------ExpectedValue -----------------AutoSetExpectedValue +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. | + + + + + + + + + +### Device/{ProviderID}/CacheVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/CacheVersion ``` -**./Device/Vendor/MSFT and ./User/Vendor/MSFT** -Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This parameter's value is a predefined MIME type to identify this managed object in OMA DM syntax. + -***ProviderID*** -Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one **ProviderID** node under **NodeCache**. Scope is dynamic. + + +Character string representing the cache version set by the server. + -Supported operations are Get, Add, and Delete. + + + -***ProviderID*/CacheVersion** -Optional. Character string representing the cache version set by the server. Scope is dynamic. + +**Description framework properties**: -Data type is string. Supported operations are Get, Add, and Replace. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + -***ProviderID*/ChangedNodes** -Optional. List of nodes whose values don't match their expected values as specified in **/*NodeID*/ExpectedValue**. Scope is dynamic. + + + -Data type is string. Supported operation is Get. + -***ProviderID*/ChangedNodesData** -Added in Windows 10, version 1703. Optional. XML containing nodes whose values don't match their expected values as specified in /NodeID/ExpectedValue. + +### Device/{ProviderID}/ChangedNodes -Supported operation is Get. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -***ProviderID*/Nodes** -Required. Root node for cached nodes. Scope is dynamic. + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/ChangedNodes +``` + -Supported operation is Get. + + +List of nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue. + -**/Nodes/***NodeID* -Optional. Information about each cached node is stored under *NodeID* as specified by the server. This value must not contain a comma. Scope is dynamic. + + + -Supported operations are Get, Add, and Delete. + +**Description framework properties**: -**/*NodeID*/NodeURI** -Required. This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. Scope is dynamic. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Data type is string. Supported operations are Get, Add, and Delete. + + + -**/*NodeID*/ExpectedValue** -Required. The server expects this value to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. Scope is dynamic. Supported values are string and x-nodemon-nonexistent. + -Supported operations are Get, Add, and Delete. + +### Device/{ProviderID}/ChangedNodesData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/ChangedNodesData +``` + + + + +XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Get | + + + + + + + + + +### Device/{ProviderID}/Nodes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/Nodes +``` + + + + +Root node for cached nodes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Device/{ProviderID}/Nodes/{NodeID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID} +``` + + + + +Information about each cached node is stored under NodeID as specified by the server. This value must not contain a comma. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +##### Device/{ProviderID}/Nodes/{NodeID}/AutoSetExpectedValue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID}/AutoSetExpectedValue +``` + + + + +This will automatically set the value on the device to match the node's actual value. The node is specified in NodeURI. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/{ProviderID}/Nodes/{NodeID}/ExpectedValue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID}/ExpectedValue +``` + + + + +This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. + + + + +Supported values are string and x-nodemon-nonexistent. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get | + + + + +**Example**: Here's an example for setting the ExpectedValue to nonexistent. @@ -127,7 +376,7 @@ Here's an example for setting the ExpectedValue to nonexistent. 10 - ./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0002/ExpectedValue + ./Device/Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0002/ExpectedValue chr @@ -136,60 +385,449 @@ Here's an example for setting the ExpectedValue to nonexistent. ``` + -**/*NodeID*/AutoSetExpectedValue** -Added in Windows 10, version 1703. Required. This parameter's value automatically sets the value on the device to match the actual value of the node. The node is specified in NodeURI. + -Supported operations are Add, Get, and Delete. + +##### Device/{ProviderID}/Nodes/{NodeID}/NodeURI + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID}/NodeURI +``` + + + + +This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get | + + + + + + + + + +## User/{ProviderID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID} +``` + + + + +Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the [w7 APPLICATION](w7-application-csp.md) configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. | + + + + + + + + + +### User/{ProviderID}/CacheVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/CacheVersion +``` + + + + +Character string representing the cache version set by the server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +### User/{ProviderID}/ChangedNodes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/ChangedNodes +``` + + + + +List of nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### User/{ProviderID}/ChangedNodesData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/ChangedNodesData +``` + + + + +XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Get | + + + + + + + + + +### User/{ProviderID}/Nodes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/Nodes +``` + + + + +Root node for cached nodes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### User/{ProviderID}/Nodes/{NodeID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID} +``` + + + + +Information about each cached node is stored under NodeID as specified by the server. This value must not contain a comma. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +##### User/{ProviderID}/Nodes/{NodeID}/AutoSetExpectedValue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID}/AutoSetExpectedValue +``` + + + + +This will automatically set the value on the device to match the node's actual value. The node is specified in NodeURI. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### User/{ProviderID}/Nodes/{NodeID}/ExpectedValue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID}/ExpectedValue +``` + + + + +This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. + + + + +Supported values are string and x-nodemon-nonexistent. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get | + + + + +**Example**: + +Here's an example for setting the ExpectedValue to nonexistent. + +```xml + + 10 + + + ./User/Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0002/ExpectedValue + + + chr + application/x-nodemon-nonexistent + + + +``` + + + + + +##### User/{ProviderID}/Nodes/{NodeID}/NodeURI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/NodeCache/{ProviderID}/Nodes/{NodeID}/NodeURI +``` + + + + +This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get | + + + + + + + + + + ## A typical DM session with the NodeCache configuration service provider - -1. The device connects to a DM server. - -2. The server queries the **NodeCache** version by issuing a Get operation for ./Vendor/MSFT/NodeCache/*ProviderID*/CacheVersion LocURI - -3. If the device **CacheVersion** and the server-side cache differ (due to a device crash or server crash), the server can clear the server-side cache and go to Step 5. - -4. The server updates the server-side cache: - - 1. Sends a Get operation for ./Vendor/MSFT/NodeCache/*ProviderID*/ChangedNodes LocURI - - 2. Response is a list of changed node IDs. Each ID in the list corresponds to a node under ./Vendor/MSFT/NodeCache/*ProviderID*/Nodes root - - 3. For each node in the invalid nodes list, the server sends a `GET` command to retrieve the actual value of the node. For example, `GET `, where `NodeURI` is a full device LocURI that corresponds to the invalid cache node. - - 4. Nodes in the server-side cache are updated with the actual values received from the device. - - 5. For each updated node, a `REPLACE` command is sent to the device to update the device-side cache: - - `REPLACE ./Vendor/MSFT/NodeCache/ProviderID/Nodes/NodeID/ExpectedValue => ActualValue` - - 6. A new cache version is created and sent to the device: - - `REPLACE ./Vendor/MSFT/NodeCache/ProviderID/CacheVersion => new_version` - - The `new_version` value is stored by the server. - -5. 
The management server retrieves the corresponding value from the server-side cache:
-
- 1. If a value already exists in the server-side cache, retrieve the value from the server-side cache instead of going to the device.
-
- 2. If a value doesn't exist in the server-side cache, do the following tasks:
-
- 1. Create a new entry with a unique *NodeID* in the server-side cache.
-
- 2. Query the device to retrieve the actual value of the URI.
-
- 3. Create a new node under ./Vendor/MSFT/NodeCache/*ProviderID*/Nodes with *NodeID* value.
-
- 4. Set up **NodeURI** and **ExpectedValue** for the ./Vendor/MSFT/NodeCache/*ProviderID*/Nodes/*NodeID* node.
-
- 5. Update the **CachedNodes** version.
+1. The device connects to a DM server.
+2. The server queries the **NodeCache** version by issuing a Get operation for ./Vendor/MSFT/NodeCache/*ProviderID*/CacheVersion LocURI
+3. If the device **CacheVersion** and the server-side cache differ (due to a device crash or server crash), the server can clear the server-side cache and go to Step 5.
+4. The server updates the server-side cache:
+ 1. Sends a Get operation for ./Vendor/MSFT/NodeCache/*ProviderID*/ChangedNodes LocURI
+ 2. Response is a list of changed node IDs. Each ID in the list corresponds to a node under ./Vendor/MSFT/NodeCache/*ProviderID*/Nodes root
+ 3. For each node in the invalid nodes list, the server sends a `GET` command to retrieve the actual value of the node. For example, `GET `, where `NodeURI` is a full device LocURI that corresponds to the invalid cache node.
+ 4. Nodes in the server-side cache are updated with the actual values received from the device.
+ 5. For each updated node, a `REPLACE` command is sent to the device to update the device-side cache:
+ `REPLACE ./Vendor/MSFT/NodeCache/ProviderID/Nodes/NodeID/ExpectedValue => ActualValue`
+ 6. 
A new cache version is created and sent to the device: + `REPLACE ./Vendor/MSFT/NodeCache/ProviderID/CacheVersion => new_version` + The `new_version` value is stored by the server. +5. The management server retrieves the corresponding value from the server-side cache: + 1. If a value already exists in the server-side cache, retrieve the value from the server-side cache instead of going to the device. + 2. If a value doesn't exist in the server-side cache, do the following tasks: + 1. Create a new entry with a unique *NodeID* in the server-side cache. + 2. Query the device to retrieve the actual value of the URI. + 3. Create a new node under ./Vendor/MSFT/NodeCache/*ProviderID*/Nodes with *NodeID* value. + 4. Set up **NodeURI** and **ExpectedValue** for the ./Vendor/MSFT/NodeCache/*ProviderID*/Nodes/*NodeID* node. + 5. Update the **CachedNodes** version. ## OMA DM examples - Creating settings for node caching: ```xml 
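Review bot: The last sub-step of the rewritten session walk-through, `5. Update the **CachedNodes** version.`, names a node that none of the reference sections in this hunk define; the version node documented above is `CacheVersion` (`./User/Vendor/MSFT/NodeCache/{ProviderID}/CacheVersion`, "Character string representing the cache version set by the server"), so the step should read `5. Update the **CacheVersion** value.` to match step 2 and step 4.6. The walk-through also re-adds the unscoped `./Vendor/MSFT/NodeCache/...` LocURIs in steps 2, 4.1, 4.2, 4.5, 4.6 and 5.3–5.4, while every reference section in this commit and the corrected ExpectedValue example now use the scoped `./Device/Vendor/MSFT/NodeCache/...` and `./User/Vendor/MSFT/NodeCache/...` forms; if the unscoped form is still accepted a one-line note saying so would avoid the apparent contradiction, otherwise these paths should be updated to the scoped form as the example was. Step 4.3's `GET ` appears to have lost its argument in this rendering; worth confirming the source still carries the NodeURI placeholder there.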
@@ -346,44 +984,45 @@ Replacing the cache version, node URI, and expected value: For AutoSetExpectedValue, a Replace operation with empty data will query the ./DevDetail/Ext/Microsoft/DeviceName. ```xml - - 2001 - - - ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20 - - - node - - - - - 2002 - - - ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/NodeURI - - ./DevDetail/Ext/Microsoft/DeviceName - - - - 2003 - - - ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/AutoSetExpectedValue - - - - + + 2001 + + + ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20 + + + node + + + + + 2002 + + + ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/NodeURI + + ./DevDetail/Ext/Microsoft/DeviceName + + + + 2003 + + + ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/AutoSetExpectedValue + + + + ``` -A Get operation on ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/ExpectedValue returns what the Device Name was when the AutoSet was called. +A Get operation on `./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/ExpectedValue` returns what the Device Name was when the AutoSet was called. A Get operation on the ChangedNodesData returns an encoded XML. Here's an example: ```xml U09NRU5FV1ZBTFVF ``` + It represents this example: ```xml @@ -397,19 +1036,10 @@ Id is the node ID that was added by the MDM server, and Uri is the path that the If a Uri is not set, the node will always be reported as changed, as in Node ID 10. The value inside of the node tag is the actual value returned by the Uri, which means that for Node ID 20 the DeviceName did not match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously. + + -## Related topics - - -[Configuration service provider reference](index.yml) - - - - - - - - - +## Related articles +[Configuration service provider reference](configuration-service-provider-reference.md) 
diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md index f5f3d05408..9b143a00d7 100644 --- a/windows/client-management/mdm/nodecache-ddf-file.md +++ b/windows/client-management/mdm/nodecache-ddf-file.md 
@@ -1,40 +1,160 @@ --- title: NodeCache DDF file -description: Learn about the OMA DM device description framework (DDF) for the NodeCache configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the NodeCache configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/21/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # NodeCache DDF file - -This topic shows the OMA DM device description framework (DDF) for the **NodeCache** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the NodeCache configuration service provider. ```xml -]> +]> 1.2 + + + + NodeCache + ./User/Vendor/MSFT + + + + + The root node for the NodeCache object. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + + + + + + + + + Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache. 
+ + + + + + + + + + ProviderID + + + + + It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. + + - NodeCache - ./User/Vendor/MSFT + CacheVersion + + + + + + + Character string representing the cache version set by the server. + + + + + + + + + + + + + + + + + + ChangedNodes - The root node for the NodeCache object. + List of nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue + + + + + + + + + + + + + + + + ChangedNodesData + + + + + XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + + Nodes + + + + + Root node for cached nodes 
@@ -42,110 +162,53 @@ The XML below is the current version for this CSP. - + - com.microsoft/1.2/MDM/NodeCache + - + + - + - Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. + Information about each cached node is stored under NodeID as specified by the server. This value must not contain a comma. - + - ProviderID + NodeID - + + + + + + - CacheVersion + NodeURI - - + + - Character string representing the cache version set by the server. + This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. - - - - - - - - text/plain - - - - - ChangedNodes - - - - - List of nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue - - - - - - - - - - - text/plain - - - - - ChangedNodesData - - - - - XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue - - - - - - - - - - - text/plain - - - - - Nodes - - - - - Root node for cached nodes - - - 
@@ -153,224 +216,24 @@ The XML below is the current version for this CSP. - + + + - - - - - - - - - Information about each cached node is stored under NodeID as specified by the server. This value must not contain a comma. - - - - - - - - - - NodeID - - - - - - NodeURI - - - - - - - This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. - - - - - - - - - - - text/plain - - - - - ExpectedValue - - - - - - - This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. - - - - - - - - - - - text/plain - - - - - AutoSetExpectedValue - - - - - - - This will automatically set the value on the device to match the node's actual value. The node is specified in NodeURI. - - - - - - - - - - - text/plain - - - - - - - - NodeCache - ./Device/Vendor/MSFT - - - - - The root node for the NodeCache object. - - - - - - - - - - - com.microsoft/1.2/MDM/NodeCache - - - - - - - - - - - Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. - - - - - - - - - - ProviderID - - - - - CacheVersion + ExpectedValue - - + + - Character string representing the cache version set by the server. + This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. 
- - - - - - - - text/plain - - - - - ChangedNodes - - - - - List of nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue - - - - - - - - - - - text/plain - - - - - ChangedNodesData - - - - - XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue - - - - - - - - - - - text/plain - - - - - Nodes - - - - - Root node for cached nodes - - - 
@@ -378,119 +241,300 @@ The XML below is the current version for this CSP. - + + + + + + + AutoSetExpectedValue + + + + + + + This will automatically set the value on the device to match the node's actual value. The node is specified in NodeURI. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + - - - - - - - - - Information about each cached node is stored under NodeID as specified by the server. This value must not contain a comma. - - - - - - - - - - NodeID - - - - - - NodeURI - - - - - - - This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. - - - - - - - - - - - text/plain - - - - - ExpectedValue - - - - - - - This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. - - - - - - - - - - - text/plain - - - - - AutoSetExpectedValue - - - - - - - This will automatically set the value on the device to match the node's actual value. The node is specified in NodeURI. - - - - - - - - - - - text/plain - - - - + + + + NodeCache + ./Device/Vendor/MSFT + + + + + The root node for the NodeCache object. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + + + + + + + + + Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache. 
+ + + + + + + + + + ProviderID + + + + + It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. + + + + CacheVersion + + + + + + + Character string representing the cache version set by the server. + + + + + + + + + + + + + + + + + + ChangedNodes + + + + + List of nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue + + + + + + + + + + + + + + + + ChangedNodesData + + + + + XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + + Nodes + + + + + Root node for cached nodes + + + + + + + + + + + + + + + + + + + + + + + Information about each cached node is stored under NodeID as specified by the server. This value must not contain a comma. + + + + + + + + + + NodeID + + + + + + + + + + + NodeURI + + + + + + + This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. + + + + + + + + + + + + + + + + + + ExpectedValue + + + + + + + This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. + + + + + + + + + + + + + + + + + + AutoSetExpectedValue + + + + + + + This will automatically set the value on the device to match the node's actual value. The node is specified in NodeURI. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + + + + ``` -## Related topics - - -[NodeCache configuration service provider](nodecache-csp.md) - -  - -  - - - - - +## Related articles +[NodeCache configuration service provider reference](nodecache-csp.md) diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index ce956ea412..525461336f 100644 --- a/windows/client-management/mdm/office-csp.md 
+++ b/windows/client-management/mdm/office-csp.md 
@@ -1,102 +1,521 @@ --- title: Office CSP -description: The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device. This CSP was added in Windows 10, version 1703. +description: Learn more about the Office CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/15/2018 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Office CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365). + -This CSP was added in Windows 10, version 1703. + +The following list shows the Office configuration service provider nodes: -For more information, see [Office DDF](office-ddf.md). 
+- ./Device/Vendor/MSFT/Office + - [Installation](#deviceinstallation) + - [{id}](#deviceinstallationid) + - [FinalStatus](#deviceinstallationidfinalstatus) + - [Install](#deviceinstallationidinstall) + - [Status](#deviceinstallationidstatus) + - [CurrentStatus](#deviceinstallationcurrentstatus) +- ./User/Vendor/MSFT/Office + - [Installation](#userinstallation) + - [{id}](#userinstallationid) + - [FinalStatus](#userinstallationidfinalstatus) + - [Install](#userinstallationidinstall) + - [Status](#userinstallationidstatus) + - [CurrentStatus](#userinstallationcurrentstatus) + -The following shows the Office configuration service provider in tree format. + +## Device/Installation -```console -./Vendor/MSFT -Office -----Installation ---------id -------------Install -------------Status + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -./Device/Vendor/MSFT -Office -----Installation ---------id -------------Install -------------Status - - -./Vendor/MSFT -./Device/Vendor/MSFT -Office -----Installation ---------id -------------Install -------------Status + +```Device +./Device/Vendor/MSFT/Office/Installation ``` + -**./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office** -The root node for the Office configuration service provider.

    + + +Installation options for the office CSP. + -**Installation** -Specifies the options for the Microsoft Office installation. + + + -The supported operations are Add, Delete, and Get. + +**Description framework properties**: -**Installation/_id_** -Specifies a unique identifier that represents the ID of the Microsoft Office product to install. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -The supported operations are Add, Delete, and Get. + + + -**Installation/_id_/Install** -Installs Office by using the XML data specified in the configuration.xml file. + -The supported operations are Get and Execute. + +### Device/Installation/{id} -**Installation/_id_/Status** -The Microsoft Office installation status. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -The only supported operation is Get. + +```Device +./Device/Vendor/MSFT/Office/Installation/{id} +``` + -**Installation/_id_/FinalStatus** -Added in Windows 10, version 1809. Indicates the status of the Final Office 365 installation. + + +A unique identifier which represents the installation instance id. + -The only supported operation is Get. + + + -Behavior: -- When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it. -- When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values: - - When status = 0: 70 (succeeded) - - When status!= 0: 60 (failed) + +**Description framework properties**: -**Installation/CurrentStatus** -Returns an XML of current Office 365 installation status on the device. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A unique identifier which represents the installation instance id. | + -The only supported operation is Get. + + + + + + +#### Device/Installation/{id}/FinalStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Office/Installation/{id}/FinalStatus +``` + + + + +Final Office 365 installation status. + + + + +- When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it. +- When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values: + - When status = 0: 70 (succeeded) + - When status != 0: 60 (failed) + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/Installation/{id}/Install + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Office/Installation/{id}/Install +``` + + + + +The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + + + + + + + + + +#### Device/Installation/{id}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Office/Installation/{id}/Status +``` + + + + +The installation status of the CSP. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Device/Installation/CurrentStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Office/Installation/CurrentStatus +``` + + + + +The current Office 365 installation status on the machine. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## User/Installation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Office/Installation +``` + + + + +Installation options for the office CSP. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/Installation/{id} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Office/Installation/{id} +``` + + + + +A unique identifier which represents the installation instance id. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A unique identifier which represents the installation instance id. | + + + + + + + + + +#### User/Installation/{id}/FinalStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Office/Installation/{id}/FinalStatus +``` + + + + +Final Office 365 installation status. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### User/Installation/{id}/Install + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Office/Installation/{id}/Install +``` + + + + +The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + + + + + + + + + +#### User/Installation/{id}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Office/Installation/{id}/Status +``` + + + + +The installation status of the CSP. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### User/Installation/CurrentStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Office/Installation/CurrentStatus +``` + + + + +The current Office 365 installation status on the machine. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + + ## Examples Sample SyncML to install Microsoft 365 Apps for business Retail from current channel. @@ -147,38 +566,45 @@ To get the current status of Office 365 on the device. ```xml -    -      7 -        -          -            ./Vendor/MSFT/Office/Installation/CurrentStatus -          -        -    -    + + + 7 + + + ./Vendor/MSFT/Office/Installation/CurrentStatus + + + + + ``` ## Status code -|Status|Description|Comment| -|--- |--- |--- | -|0|Installation succeeded|OK| -|997|Installation in progress|| -|13|ERROR_INVALID_DATA
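Review bot: The new description for Device/Installation/{id}/Status and User/Installation/{id}/Status, `The installation status of the CSP.`, no longer says what the int value means, even though this page's own "Status code" table defines the values; the text it replaces at least called it the Microsoft Office installation status. Consider `The Microsoft Office installation status. For the meaning of the returned value, see [Status code](#status-code).` on both nodes. The FinalStatus nodes have the same gap in reverse: the 70/60 values are explained only in the bullet list above the properties table, so a one-line pointer from the Description framework table to that list would help. This hunk starts at the front matter and shares its anchor with the following Examples hunk.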
    Cannot verify signature of the downloaded Office Deployment Tool (ODT)|Failure| -|1460|ERROR_TIMEOUT
    Failed to download ODT|Failure| -|1602|ERROR_INSTALL_USEREXIT
    User canceled the installation|Failure| -|1603|ERROR_INSTALL_FAILURE
    Failed any pre-req check.
  • SxS (Tried to install when 2016 MSI is installed)
  • Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)|Failure| -|17000|ERROR_PROCESSPOOL_INITIALIZATION
    Failed to start C2RClient|Failure| -|17001|ERROR_QUEUE_SCENARIO
    Failed to queue installation scenario in C2RClient|Failure| -|17002|ERROR_COMPLETING_SCENARIO
    Failed to complete the process. Possible reasons:
  • Installation canceled by user
  • Installation canceled by another installation
  • Out of disk space during installation
  • Unknown language ID|Failure| -|17003|ERROR_ANOTHER_RUNNING_SCENARIO
    Another scenario is running|Failure| -|17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
    Possible reasons:
  • Unknown SKUs
  • Content does't exist on CDN
    • Such as trying to install an unsupported LAP, like zh-sg
    • CDN issue that content is not available
  • Signature check issue, such as failed the signature check for Office content
  • User canceled|Failure| -|17005|ERROR_SCENARIO_CANCELLED_AS_PLANNED|Failure| -|17006|ERROR_SCENARIO_CANCELLED
    Blocked update by running apps|Failure| -|17007|ERROR_REMOVE_INSTALLATION_NEEDED
    The client is requesting client clean-up in a "Remove Installation" scenario|Failure| -|17100|ERROR_HANDLING_COMMAND_LINE
    C2RClient command-line error|Failure| -|0x80004005|E_FAIL
    ODT cannot be used to install Volume license|Failure| -|0x8000ffff|E_UNEXPECTED
    Tried to uninstall when there is no C2R Office on the machine.|Failure| +| Status | Description | Comment | +|------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| +| 0 | Installation succeeded | OK | +| 997 | Installation in progress | | +| 13 | ERROR_INVALID_DATA
    Cannot verify signature of the downloaded Office Deployment Tool (ODT) | Failure | +| 1460 | ERROR_TIMEOUT
    Failed to download ODT | Failure | +| 1602 | ERROR_INSTALL_USEREXIT
    User canceled the installation | Failure | +| 1603 | ERROR_INSTALL_FAILURE
    Failed any pre-req check.
  • SxS (Tried to install when 2016 MSI is installed)
  • Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.) | Failure | +| 17000 | ERROR_PROCESSPOOL_INITIALIZATION
    Failed to start C2RClient | Failure | +| 17001 | ERROR_QUEUE_SCENARIO
    Failed to queue installation scenario in C2RClient | Failure | +| 17002 | ERROR_COMPLETING_SCENARIO
    Failed to complete the process. Possible reasons:
  • Installation canceled by user
  • Installation canceled by another installation
  • Out of disk space during installation
  • Unknown language ID | Failure | +| 17003 | ERROR_ANOTHER_RUNNING_SCENARIO
    Another scenario is running | Failure | +| 17004 | ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
    Possible reasons:
  • Unknown SKUs
  • Content does't exist on CDN
    • Such as trying to install an unsupported LAP, like zh-sg
    • CDN issue that content is not available
  • Signature check issue, such as failed the signature check for Office content
  • User canceled | Failure | +| 17005 | ERROR_SCENARIO_CANCELLED_AS_PLANNED | Failure | +| 17006 | ERROR_SCENARIO_CANCELLED
    Blocked update by running apps | Failure | +| 17007 | ERROR_REMOVE_INSTALLATION_NEEDED
    The client is requesting client clean-up in a "Remove Installation" scenario | Failure | +| 17100 | ERROR_HANDLING_COMMAND_LINE
    C2RClient command-line error | Failure | +| 0x80004005 | E_FAIL
    ODT cannot be used to install Volume license | Failure | +| 0x8000ffff | E_UNEXPECTED
    Tried to uninstall when there is no C2R Office on the machine. | Failure | + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md index 9dec2a31e2..85276e8c25 100644 --- a/windows/client-management/mdm/office-ddf.md +++ b/windows/client-management/mdm/office-ddf.md 
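Review bot: The rewritten 17004 row still carries the typo `Content does't exist on CDN` from the old table; it should read `Content doesn't exist on CDN`. While touching that table, note that status 13 (`Cannot verify signature of the downloaded Office Deployment Tool (ODT)`) and the signature-check bullet under 17004 are integrity failures rather than transient ones, whereas 1460 is a download timeout; a short phrase in the Comment column distinguishing integrity failures from presumably retryable ones would make the table more useful to anyone triaging the Status node. Other than that the hunk only reflows the table and adds the Related articles link.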
@@ -1,61 +1,112 @@ --- -title: Office DDF -description: This topic shows the OMA DM device description framework (DDF) for the Office configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.reviewer: +title: Office DDF file +description: View the XML file containing the device description framework (DDF) for the Office configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/15/2018 +ms.topic: reference --- -# Office DDF + -This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML. +# Office DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 1809. +The following XML file contains the device description framework (DDF) for the Office configuration service provider. ```xml -]> +]> 1.2 + + + + Office + ./User/Vendor/MSFT + + + + + Root of the office CSP. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Installation + + + + + Installation options for the office CSP. + + + + + + + + + + + + + - Office - ./User/Vendor/MSFT + + + + - Root of the office CSP. + A unique identifier which represents the installation instance id. - + - + + id - com.microsoft/1.5/MDM/Office + + + A unique identifier which represents the installation instance id. + - Installation + Install + - Installation options for the office CSP. + The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office. - + 
@@ -64,149 +115,21 @@ The XML below is for Windows 10, version 1809. - + + + - - - - - - - - - - A unique identifier which represents the instalation instance id. - - - - - - - - - - id - - - - - - Install - - - - - - The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office. - - - - - - - - - - - text/plain - - - - - Status - - - - - The installation status of the CSP. - - - - - - - - - - - text/plain - - - - - FinalStatus - - - - - Final Office 365 installation status. - - - - - - - - - - - text/plain - - - - - - CurrentStatus - - - - - The current Office 365 installation status on the machine - - - - - - - - - - - text/plain - - - - - - Office - ./Device/Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/1.5/MDM/Office - - - Installation + Status + The installation status of the CSP. - + 
@@ -215,117 +138,237 @@ The XML below is for Windows 10, version 1809. - + - - id - - - - - - - A unique identifier which represents the instalation instance id. - - - - - - - - - - id - - - - - - Install - - - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - FinalStatus - - - - - Final Office 365 installation status. - - - - - - - - - - - text/plain - - - - - - CurrentStatus - - - - - The current Office 365 installation status on the machine - - - - - - - - - - - text/plain - - - + + + FinalStatus + + + + + Final Office 365 installation status. + + + + + + + + + + + + + + 10.0.17763 + 1.5 + + + + CurrentStatus + + + + + The current Office 365 installation status on the machine + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + + + + Office + ./Device/Vendor/MSFT + + + + + Root of the office CSP. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Installation + + + + + Installation options for the office CSP. + + + + + + + + + + + + + + + + + + + + + + + A unique identifier which represents the installation instance id. + + + + + + + + + + id + + + + + A unique identifier which represents the installation instance id. + + + + Install + + + + + + The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office. + + + + + + + + + + + + + + + + + + Status + + + + + The installation status of the CSP. + + + + + + + + + + + + + + + + FinalStatus + + + + + Final Office 365 installation status. + + + + + + + + + + + + + + 10.0.17763 + 1.5 + + + + + + CurrentStatus + + + + + The current Office 365 installation status on the machine + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + + ``` + +## Related articles + +[Office configuration service provider reference](office-csp.md) 
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 79b9684766..34cd8ae204 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md 
@@ -1,378 +1,2443 @@ --- title: PassportForWork CSP -description: The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). -ms.reviewer: +description: Learn more about the PassportForWork CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/19/2019 +ms.topic: reference --- + + + # PassportForWork CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. - > [!IMPORTANT] -> Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. -  -### User configuration diagram +> Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. + -The following example shows the PassportForWork configuration service provider in tree format. 
+ +The following list shows the PassportForWork configuration service provider nodes: -```console -./User/Vendor/MSFT -PassportForWork --------TenantId -----------Policies --------------UsePassportForWork --------------RequireSecurityDevice --------------EnablePinRecovery --------------PINComplexity -----------------MinimumPINLength -----------------MaximumPINLength -----------------UppercaseLetters -----------------LowercaseLetters -----------------SpecialCharecters -----------------Digits -----------------History -----------------Expiration +- ./Device/Vendor/MSFT/PassportForWork + - [{TenantId}](#devicetenantid) + - [Policies](#devicetenantidpolicies) + - [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery) + - [ExcludeSecurityDevices](#devicetenantidpoliciesexcludesecuritydevices) + - [TPM12](#devicetenantidpoliciesexcludesecuritydevicestpm12) + - [PINComplexity](#devicetenantidpoliciespincomplexity) + - [Digits](#devicetenantidpoliciespincomplexitydigits) + - [Expiration](#devicetenantidpoliciespincomplexityexpiration) + - [History](#devicetenantidpoliciespincomplexityhistory) + - [LowercaseLetters](#devicetenantidpoliciespincomplexitylowercaseletters) + - [MaximumPINLength](#devicetenantidpoliciespincomplexitymaximumpinlength) + - [MinimumPINLength](#devicetenantidpoliciespincomplexityminimumpinlength) + - [SpecialCharacters](#devicetenantidpoliciespincomplexityspecialcharacters) + - [UppercaseLetters](#devicetenantidpoliciespincomplexityuppercaseletters) + - [Remote](#devicetenantidpoliciesremote) + - [UseRemotePassport](#devicetenantidpoliciesremoteuseremotepassport) + - [RequireSecurityDevice](#devicetenantidpoliciesrequiresecuritydevice) + - [UseCertificateForOnPremAuth](#devicetenantidpoliciesusecertificateforonpremauth) + - [UseCloudTrustForOnPremAuth](#devicetenantidpoliciesusecloudtrustforonpremauth) + - [UseHelloCertificatesAsSmartCardCertificates](#devicetenantidpoliciesusehellocertificatesassmartcardcertificates) + - 
[UsePassportForWork](#devicetenantidpoliciesusepassportforwork) + - [Biometrics](#devicebiometrics) + - [EnableESSwithSupportedPeripherals](#devicebiometricsenableesswithsupportedperipherals) + - [FacialFeaturesUseEnhancedAntiSpoofing](#devicebiometricsfacialfeaturesuseenhancedantispoofing) + - [UseBiometrics](#devicebiometricsusebiometrics) + - [DeviceUnlock](#devicedeviceunlock) + - [GroupA](#devicedeviceunlockgroupa) + - [GroupB](#devicedeviceunlockgroupb) + - [Plugins](#devicedeviceunlockplugins) + - [DynamicLock](#devicedynamiclock) + - [DynamicLock](#devicedynamiclockdynamiclock) + - [Plugins](#devicedynamiclockplugins) + - [SecurityKey](#devicesecuritykey) + - [UseSecurityKeyForSignin](#devicesecuritykeyusesecuritykeyforsignin) + - [UseBiometrics](#deviceusebiometrics) +- ./User/Vendor/MSFT/PassportForWork + - [{TenantId}](#usertenantid) + - [Policies](#usertenantidpolicies) + - [EnablePinRecovery](#usertenantidpoliciesenablepinrecovery) + - [PINComplexity](#usertenantidpoliciespincomplexity) + - [Digits](#usertenantidpoliciespincomplexitydigits) + - [Expiration](#usertenantidpoliciespincomplexityexpiration) + - [History](#usertenantidpoliciespincomplexityhistory) + - [LowercaseLetters](#usertenantidpoliciespincomplexitylowercaseletters) + - [MaximumPINLength](#usertenantidpoliciespincomplexitymaximumpinlength) + - [MinimumPINLength](#usertenantidpoliciespincomplexityminimumpinlength) + - [SpecialCharacters](#usertenantidpoliciespincomplexityspecialcharacters) + - [UppercaseLetters](#usertenantidpoliciespincomplexityuppercaseletters) + - [RequireSecurityDevice](#usertenantidpoliciesrequiresecuritydevice) + - [UsePassportForWork](#usertenantidpoliciesusepassportforwork) + + + +## Device/{TenantId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId} ``` + -### Device configuration diagram + + +This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management. + -The following example shows the PassportForWork configuration service provider in tree format. + + +To get the GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure.service/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell). + -```console -./Device/Vendor/MSFT -PassportForWork --------TenantId -----------Policies --------------UsePassportForWork --------------RequireSecurityDevice --------------ExcludeSecurityDevices -----------------TPM12 --------------EnablePinRecovery --------------UserCertificateForOnPremAuth --------------PINComplexity -----------------MinimumPINLength -----------------MaximumPINLength -----------------UppercaseLetters -----------------LowercaseLetters -----------------SpecialCharacters -----------------Digits -----------------History -----------------Expiration --------------Remote -----------------UseRemotePassport --------------UseHelloCertificatesAsSmartCardCertificates --------UseBiometrics --------Biometrics -----------UseBiometrics -----------FacialFeaturesUseEnhancedAntiSpoofing -----------EnableESSwithSupportedPeripherals --------DeviceUnlock -----------GroupA -----------GroupB -----------Plugins --------DynamicLock -----------DynamicLock -----------Plugins --------SecurityKey -----------UseSecurityKeyForSignin + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format 
| node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet Get-AzureAccount. For more information see https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell. | + + + + + + + + + +### Device/{TenantId}/Policies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies ``` + -**PassportForWork** -Root node for PassportForWork configuration service provider. + + +Root node for policies. + -***TenantId*** -A globally unique identifier (GUID), without curly braces (`{`, `}`), that's used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure.service/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell). + + + -***TenantId*/Policies** -Node for defining the Windows Hello for Business policy settings. + +**Description framework properties**: -***TenantId*/Policies/UsePassportForWork** -Boolean value that sets Windows Hello for Business as a method for signing into Windows. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + -Default value is true. If you set this policy to false, the user can't provision Windows Hello for Business. + + + -Supported operations are Add, Get, Delete, and Replace. + -***TenantId*/Policies/RequireSecurityDevice** -Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an extra security benefit over software so that data stored in it can't be used on other devices. + +#### Device/{TenantId}/Policies/EnablePinRecovery -Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there isn't a usable TPM. 
If you don't configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -Supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/EnablePinRecovery +``` + -***TenantId*/Policies/ExcludeSecurityDevices** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1703. Root node for excluded security devices. -*Not supported on Windows Holographic and Windows Holographic for Business.* + + +If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service. -***TenantId*/Policies/ExcludeSecurityDevices/TPM12** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are compliant only with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). +- If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten. -Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. +- If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. + -If you disable or don't configure this policy setting, TPM revision 1.2 modules will be used with Windows Hello for Business. + + + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -***TenantId*/Policies/EnablePinRecovery** -Added in Windows 10, version 1703. 
Boolean value that enables a user to change their PIN by using the Windows Hello for Business PIN recovery service. -This cloud service encrypts a recovery secret, which is stored locally on the client, and can be decrypted only by the cloud service. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + -Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed. + +**Allowed values**: -If you disable or don't configure this policy setting, the PIN recovery secret won't be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + -Supported operations are Add, Get, Delete, and Replace. + + + -***TenantId*/Policies/UseCertificateForOnPremAuth** (only for ./Device/Vendor/MSFT) -Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premises resources. + -If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. + +#### Device/{TenantId}/Policies/ExcludeSecurityDevices -If you disable or don't configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -Supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/ExcludeSecurityDevices +``` + -***TenantId*/Policies/UseCloudTrustForOnPremAuth** (only for ./Device/Vendor/MSFT) + + +Root node for excluded security devices. + + + + +> [!NOTE] +> Not supported on Windows Holographic and Windows Holographic for Business. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/{TenantId}/Policies/ExcludeSecurityDevices/TPM12 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/ExcludeSecurityDevices/TPM12 +``` + + + + +Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). + +- If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. + +- If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +#### Device/{TenantId}/Policies/PINComplexity + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity +``` + + + + +Root node for PIN policies. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/Digits + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/Digits +``` + + + + +Use this policy setting to configure the use of digits in the Windows Hello for Business PIN. + +A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. + +A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. + +- If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allows the use of digits in PIN. | +| 1 | Requires the use of at least one digits in PIN. | +| 2 | Does not allow the use of digits in PIN. | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/Expiration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/Expiration +``` + + + + +This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-730]` | +| Default Value | 0 | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/History + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/History +``` + + + + +This policy specifies the number of past PINs that can be stored in the history that can't be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-50]` | +| Default Value | 0 | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/LowercaseLetters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/LowercaseLetters +``` + + + + +Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. + +A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. + +- If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allows the use of lowercase letters in PIN. | +| 1 | Requires the use of at least one lowercase letters in PIN. | +| 2 | Does not allow the use of lowercase letters in PIN. | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/MaximumPINLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/MaximumPINLength +``` + + + + +Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. + +- If you configure this policy setting, the PIN length must be less than or equal to this number. + +- If you do not configure this policy setting, the PIN length must be less than or equal to 127. + +> [!NOTE] +> If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[4-127]` | +| Default Value | 127 | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/MinimumPINLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/MinimumPINLength +``` + + + + +Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. + +- If you configure this policy setting, the PIN length must be greater than or equal to this number. + +- If you do not configure this policy setting, the PIN length must be greater than or equal to 4. + +> [!NOTE] +> If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[4-127]` | +| Default Value | 4 | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/SpecialCharacters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/SpecialCharacters +``` + + + + +Use this policy setting to configure the use of special characters in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ . + +A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. + +A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. + +- If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allows the use of special characters in PIN. | +| 1 | Requires the use of at least one special characters in PIN. | +| 2 | Does not allow the use of special characters in PIN. | + + + + + + + + + +##### Device/{TenantId}/Policies/PINComplexity/UppercaseLetters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/UppercaseLetters +``` + + + + +Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. + +A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. + +- If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allows the use of uppercase letters in PIN. | +| 1 | Requires the use of at least one uppercase letters in PIN. | +| 2 | Does not allow the use of uppercase letters in PIN. | + + + + + + + + + +#### Device/{TenantId}/Policies/Remote + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/Remote +``` + + + + +Root node for phone sign-in policies. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/{TenantId}/Policies/Remote/UseRemotePassport + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/Remote/UseRemotePassport +``` + + + + +Boolean that specifies if phone sign-in can be used with a device. Phone sign-in provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. + +Default value is false. + +- If you enable this setting, a desktop device will allow a registered, companion device to be used as an authentication factor. +- If you disable this setting, a companion device cannot be used in desktop authentication scenarios. + + + + +> [!NOTE] +> Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +#### Device/{TenantId}/Policies/RequireSecurityDevice + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice +``` + + + + +A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. + +- If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business. + +- If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +#### Device/{TenantId}/Policies/UseCertificateForOnPremAuth + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCertificateForOnPremAuth +``` + + + + +Windows Hello for Business can use certificates to authenticate to on-premise resources. + +- If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. + +- If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +#### Device/{TenantId}/Policies/UseCloudTrustForOnPremAuth + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1566] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.527] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCloudTrustForOnPremAuth +``` + + + + Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources. -If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain. +- If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain. -If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources. +- If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources. + -Supported operations are Add, Get, Delete, and Replace. + + + -***TenantId*/Policies/PINComplexity** -Node for defining PIN settings. + +**Description framework properties**: -***TenantId*/Policies/PINComplexity/MinimumPINLength** -Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. 
+| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + -If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or don't configure this policy setting, the PIN length must be greater than or equal to 4. + +**Allowed values**: -> [!NOTE] -> If the conditions specified above for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + -  -Value type is int. Supported operations are Add, Get, Delete, and Replace. + + + -***TenantId*/Policies/PINComplexity/MaximumPINLength** -Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. + -If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or don't configure this policy setting, the PIN length must be less than or equal to 127. + +#### Device/{TenantId}/Policies/UseHelloCertificatesAsSmartCardCertificates -> [!NOTE] -> If the conditions specified above for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -  -Supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseHelloCertificatesAsSmartCardCertificates +``` + -***TenantId*/Policies/PINComplexity/UppercaseLetters** -Integer value that configures the use of uppercase letters in the Windows Hello for Business PIN. + + -Valid values: +- If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. -- 0 - Allows the use of uppercase letters in PIN. -- 1 - Requires the use of at least one uppercase letter in PIN. -- 2 - Doesn't allow the use of uppercase letters in PIN. - -Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. - -Supported operations are Add, Get, Delete, and Replace. - -***TenantId*/Policies/PINComplexity/LowercaseLetters** -Integer value that configures the use of lowercase letters in the Windows Hello for Business PIN. - -Valid values: - -- 0 - Allows the use of lowercase letters in PIN. -- 1 - Requires the use of at least one lowercase letter in PIN. -- 2 - Doesn't allow the use of lowercase letters in PIN. - -Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. - -Supported operations are Add, Get, Delete, and Replace. 
- -***TenantId*/Policies/PINComplexity/SpecialCharacters** -Integer value that configures the use of special characters in the Windows Hello for Business PIN. Valid special characters for Windows Hello for Business PIN gestures include: ! " \# $ % & ' ( ) \* + , - . / : ; < = > ? @ \[ \\ \] ^ \_ \` { | } ~ . - -Valid values: - -- 0 - Allows the use of special characters in PIN. -- 1 - Requires the use of at least one special character in PIN. -- 2 - Doesn't allow the use of special characters in PIN. - -Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. - -Supported operations are Add, Get, Delete, and Replace. - -***TenantId*/Policies/PINComplexity/Digits** -Integer value that configures the use of digits in the Windows Hello for Business PIN. - -Valid values: - -- 0 - Allows the use of digits in PIN. -- 1 - Requires the use of at least one digit in PIN. -- 2 - Doesn't allow the use of digits in PIN. - -Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. - -Supported operations are Add, Get, Delete, and Replace. - -***TenantId*/Policies/PINComplexity/History** -Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required. This node was added in Windows 10, version 1511. - -The current PIN of the user is included in the set of PINs associated with the user account. PIN history isn't preserved through a PIN reset. 
- -Default value is 0. - -Supported operations are Add, Get, Delete, and Replace. - -***TenantId*/Policies/PINComplexity/Expiration** -Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. This node was added in Windows 10, version 1511. - -Default is 0. - -Supported operations are Add, Get, Delete, and Replace. - -***TenantId*/Policies/Remote** (only for ./Device/Vendor/MSFT) -Interior node for defining remote Windows Hello for Business policies. This node was added in Windows 10, version 1511. -*Not supported on Windows Holographic and Windows Holographic for Business.* - -***TenantId*/Policies/Remote/UseRemotePassport** (only for ./Device/Vendor/MSFT) -Boolean value used to enable or disable the use of remote Windows Hello for Business. Remote Windows Hello for Business provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Windows Hello for Business requires that the desktop be Azure AD joined and that the companion device has a Windows Hello for Business PIN. This node was added in Windows 10, version 1511. - -Default value is false. If you set this policy to true, Remote Windows Hello for Business will be enabled and a portable, registered device can be used as a companion device for desktop authentication. If you set this policy to false, Remote Windows Hello for Business will be disabled. - -Supported operations are Add, Get, Delete, and Replace. - -*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).* - -***TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1809. 
If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. - -If you disable or don't configure this policy setting, applications don't use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. +- If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in. + -Value type is bool. Supported operations are Add, Get, Replace, and Delete. + + + -**UseBiometrics** -This node is deprecated. Use **Biometrics/UseBiometrics** node instead. + +**Description framework properties**: -**Biometrics** (only for ./Device/Vendor/MSFT) -Node for defining biometric settings. This node was added in Windows 10, version 1511. -*Not supported on Windows Holographic and Windows Holographic for Business.* +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + -**Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT) -Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use if there are failures. This node was added in Windows 10, version 1511. 
+ +**Allowed values**: -Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business. +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + -Supported operations are Add, Get, Delete, and Replace. + + + -*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).* + -**Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT) -Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511. + +#### Device/{TenantId}/Policies/UsePassportForWork -Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that don't support enhanced anti-spoofing. + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork +``` + -Enhanced anti-spoofing for Windows Hello face authentication isn't required on unmanaged devices. + + +Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. -Supported operations are Add, Get, Delete, and Replace. +- If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users. -*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).* +- If you disable this policy setting, the device does not provision Windows Hello for Business for any user. + -**Biometrics/EnableESSwithSupportedPeripherals** (only for ./Device/Vendor/MSFT) + + + -If this policy is enabled, Windows Hello authentication using peripheral biometric sensors will be blocked. Any non-authentication operational functionalities such as camera usage (for instance, video calls and the camera) will be unaffected. + +**Description framework properties**: -If you enable this policy it can have the following possible values: +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | True | + -**0 - Enhanced Sign-in Security Disabled** (not recommended) + +**Allowed values**: -Enhanced sign-in security will be disabled on all systems, enabling the use of peripheral biometric authentication. 
If this policy value is set to 0 after users have enrolled in ESS biometrics, users will be prompted to reset their PIN. They will lose all their existing biometric enrollments. To use biometrics they will have to enroll again. +| Value | Description | +|:--|:--| +| false | Disabled. | +| true (Default) | Enabled. | + -**1 - Enhanced Sign-in Security Enabled** (default and recommended for highest security) + + + -Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any biometric device that Enhanced Sign-in Security does not support, including that of peripheral devices, will be blocked and not available for Windows Hello. + -If you disable or do not configure this policy, Enhanced Sign-in Security is preferred on the device. The behavior will be the same as enabling the policy and setting the value to 1. + +## Device/Biometrics -Supported operations are Add, Get, Delete, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -*Supported from Windows 11 version 22H2* + +```Device +./Device/Vendor/MSFT/PassportForWork/Biometrics +``` + -**DeviceUnlock** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1803. Interior node. + + +Root node for biometrics policies. + -**DeviceUnlock/GroupA** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the first step of authentication. + + + -Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**Description framework properties**: -**DeviceUnlock/GroupB** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the second step of authentication. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + -**DeviceUnlock/Plugins** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user presence. + -Value type is string. Supported operations are Add, Get, Replace, and Delete. + +### Device/Biometrics/EnableESSwithSupportedPeripherals -**DynamicLock** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1803. Interior node. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + +```Device +./Device/Vendor/MSFT/PassportForWork/Biometrics/EnableESSwithSupportedPeripherals +``` + -**DynamicLock/DynamicLock** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1803. Enables the dynamic lock. + + +Enhanced Sign-in Security (ESS) isolates both biometric template data and matching operations to trusted hardware or specified memory regions, meaning the rest of the operating system cannot access or tamper with them. Because the channel of communication between the sensors and the algorithm is also secured, it is impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine. + -Value type is bool. Supported operations are Add, Get, Replace, and Delete. + + + -**DynamicLock/Plugins** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user absence. + +**Description framework properties**: -Value type is string. Supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -**SecurityKey** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1903. Interior node. + +**Allowed values**: -Scope is permanent. Supported operation is Get. +| Value | Description | +|:--|:--| +| 0 | Enhanced sign-in security will be disabled on all systems. If a user already has a secure Windows Hello enrollment, they will lose their enrollment and must reset PIN, and they will have the option to re-enroll in normal face and fingerprint. Peripheral usage will be enabled by disabling Enhanced sign-in security. OS will not attempt to start secure components, even if the secure hardware and software components are present. (not recommended). 
| +| 1 (Default) | Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. For systems with one secure modality (face or fingerprint) and one insecure modality (fingerprint or face), only the secure sensor can be used for sign-in and the insecure sensor(s) will be blocked. This includes peripheral devices, which are unsupported and will be unusable. (default and recommended for highest security). | + + +**Group policy mapping**: -**SecurityKey/UseSecurityKeyForSignin** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1903. Enables users to sign in to their device with a [FIDO2 security key](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft’s implementation. +| Name | Value | +|:--|:--| +| Name | Enable ESS with Supported Peripherals | +| Path | Passport > AT > WindowsComponents > MSPassportForWorkCategory | + -Scope is dynamic. Supported operations are Add, Get, Replace, and Delete. + + + -Value type is integer. + -Valid values: -- 0 (default) - disabled. -- 1 - enabled. + +### Device/Biometrics/FacialFeaturesUseEnhancedAntiSpoofing + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/Biometrics/FacialFeaturesUseEnhancedAntiSpoofing +``` + + + + +This setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication. + +- If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing. + +- If you disable or do not configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. + +**Note** that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. + + + + +> [!NOTE] +> Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +### Device/Biometrics/UseBiometrics + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/Biometrics/UseBiometrics +``` + + + + +Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures. + +- If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures. + +- If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures. + +> [!NOTE] +> Disabling this policy prevents the use of biometric gestures on the device for all account types. + + + + +> [!NOTE] +> Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +## Device/DeviceUnlock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/DeviceUnlock +``` + + + + +Device Unlock. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/DeviceUnlock/GroupA + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupA +``` + + + + +Contains a list of providers by GUID that are to be considered for the first step of authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | + + + + + + + + + +### Device/DeviceUnlock/GroupB + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupB +``` + + + + +Contains a list of providers by GUID that are to be considered for the second step of authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | + + + + + + + + + +### Device/DeviceUnlock/Plugins + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/Plugins +``` + + + + +List of plugins that the passive provider monitors to detect user presence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## Device/DynamicLock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/DynamicLock +``` + + + + +Dynamic Lock. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/DynamicLock/DynamicLock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/DynamicLock/DynamicLock +``` + + + + +Enables/Disables Dyanamic Lock. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +### Device/DynamicLock/Plugins + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/DynamicLock/Plugins +``` + + + + +List of plugins that the passive provider monitors to detect user absence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## Device/SecurityKey + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/SecurityKey +``` + + + + +Security Key. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/SecurityKey/UseSecurityKeyForSignin + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin +``` + + + + +Use security key for signin. 0 is disabled. 1 is enable. If you do not configure this policy setting, the default is disabled. + + + + +Enables users to sign in to their device with a [FIDO2 security key](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft's implementation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + + + + + + + +## Device/UseBiometrics + +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/PassportForWork/UseBiometrics +``` + + + + +THIS NODE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE VERSION. PLEASE USE Biometrics/UseBiometrics NODE INSTEAD. + +Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures. + +- If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures. + +- If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures. + +> [!NOTE] +> Disabling this policy prevents the use of biometric gestures on the device for all account types. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disabled. | +| true | Enabled. | + + + + + + + + + +## User/{TenantId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}
+```
+
+
+
+
+This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management.
+
+
+
+
+To get the GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure.service/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet Get-AzureAccount. For more information see https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell. |
+
+
+
+
+
+
+
+
+
+### User/{TenantId}/Policies
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies
+```
+
+
+
+
+Root node for policies.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+#### User/{TenantId}/Policies/EnablePinRecovery
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/EnablePinRecovery
+```
+
+
+
+
+If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service.
+
+- If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten.
+
+- If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+#### User/{TenantId}/Policies/PINComplexity
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity
+```
+
+
+
+
+Root node for PIN policies.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/Digits
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/Digits
+```
+
+
+
+
+Use this policy setting to configure the use of digits in the Windows Hello for Business PIN.
+
+A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN.
+
+A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN.
+
+- If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Allows the use of digits in PIN. |
+| 1 | Requires the use of at least one digits in PIN. |
+| 2 | Does not allow the use of digits in PIN. |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/Expiration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/Expiration
+```
+
+
+
+
+This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-730]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/History
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/History
+```
+
+
+
+
+This policy specifies the number of past PINs that can be stored in the history that can't be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-50]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/LowercaseLetters
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/LowercaseLetters
+```
+
+
+
+
+Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN.
+
+A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN.
+
+A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN.
+
+- If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Allows the use of lowercase letters in PIN. |
+| 1 | Requires the use of at least one lowercase letters in PIN. |
+| 2 | Does not allow the use of lowercase letters in PIN. |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/MaximumPINLength
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/MaximumPINLength
+```
+
+
+
+
+Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater.
+
+- If you configure this policy setting, the PIN length must be less than or equal to this number.
+
+- If you do not configure this policy setting, the PIN length must be less than or equal to 127.
+
+> [!NOTE]
+> If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[4-127]` |
+| Default Value | 127 |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/MinimumPINLength
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/MinimumPINLength
+```
+
+
+
+
+Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.
+
+- If you configure this policy setting, the PIN length must be greater than or equal to this number.
+
+- If you do not configure this policy setting, the PIN length must be greater than or equal to 4.
+
+> [!NOTE]
+> If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[4-127]` |
+| Default Value | 4 |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/SpecialCharacters
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/SpecialCharacters
+```
+
+
+
+
+Use this policy setting to configure the use of special characters in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ .
+
+A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN.
+
+A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN.
+
+- If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Allows the use of special characters in PIN. |
+| 1 | Requires the use of at least one special characters in PIN. |
+| 2 | Does not allow the use of special characters in PIN. |
+
+
+
+
+
+
+
+
+
+##### User/{TenantId}/Policies/PINComplexity/UppercaseLetters
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/UppercaseLetters
+```
+
+
+
+
+Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN.
+
+A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN.
+
+A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN.
+
+- If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Allows the use of uppercase letters in PIN. |
+| 1 | Requires the use of at least one uppercase letters in PIN. |
+| 2 | Does not allow the use of uppercase letters in PIN. |
+
+
+
+
+
+
+
+
+
+#### User/{TenantId}/Policies/RequireSecurityDevice
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice
+```
+
+
+
+
+A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices.
+
+- If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business.
+
+- If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+#### User/{TenantId}/Policies/UsePassportForWork
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork +``` + + + + +Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. + +- If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users. + +- If you disable this policy setting, the device does not provision Windows Hello for Business for any user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | True | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true (Default) | Enabled. | + + + + + + + + + + ## Examples Here's an example for setting Windows Hello for Business and setting the PIN policies. It also turns on the use of biometrics and TPM. @@ -604,3 +2669,10 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol ``` + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 9e511239d2..89dbc41c22 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md 
@@ -1,38 +1,90 @@ --- -title: PassportForWork DDF -description: View the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.reviewer: +title: PassportForWork DDF file +description: View the XML file containing the device description framework (DDF) for the PassportForWork configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/24/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/29/2019 +ms.topic: reference --- -# PassportForWork DDF + -This topic shows the OMA DM device description framework (DDF) for the **PassportForWork** configuration service provider. DDF files are used only with OMA DM provisioning XML. +# PassportForWork DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 1903. +The following XML file contains the device description framework (DDF) for the PassportForWork configuration service provider. ```xml -]> +]> 1.2 + + + + PassportForWork + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.2 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + + + + + + + + + This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management. + + + + + + + + + + TenantId + + + + + A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet Get-AzureAccount. 
For more information see https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell. + + - PassportForWork - ./User/Vendor/MSFT + Policies + + + Root node for policies. 
@@ -40,985 +92,15 @@ The XML below is for Windows 10, version 1903. - + + Policies - com.microsoft/1.6/MDM/PassportForWork + - - - - - - - - This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management. - - - - - - - - - - TenantId - - - - - - Policies - - - - - - - Root node for policies. - - - - - - - - - - Policies - - - - - - UsePassportForWork - - - - - - - - True - Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. - -If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users. - -If you disable this policy setting, the device does not provision Windows Hello for Business for any user. - - - - - - - - - - - text/plain - - - - - RequireSecurityDevice - - - - - - - - False - A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. - -If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business. - -If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable. - - - - - - - - - - - text/plain - - - - - EnablePinRecovery - - - - - - - - False - If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service. 
- -If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten. - -If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. - - - - - - - - - - - text/plain - - - - - PINComplexity - - - - - - - Root node for PIN policies - - - - - - - - - - - - - - - MinimumPINLength - - - - - - - - 4 - Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. - -If you configure this policy setting, the PIN length must be greater than or equal to this number. - -If you do not configure this policy setting, the PIN length must be greater than or equal to 4. - -NOTE: If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. - - - - - - - - - - - text/plain - - - - - MaximumPINLength - - - - - - - - 127 - Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. - -If you configure this policy setting, the PIN length must be less than or equal to this number. - -If you do not configure this policy setting, the PIN length must be less than or equal to 127. 
- -NOTE: If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. - - - - - - - - - - - text/plain - - - - - UppercaseLetters - - - - - - - - 0 - Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN. - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. - -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. - -If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN. - - - - - - - - - - - text/plain - - - - - LowercaseLetters - - - - - - - - 0 - Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN. - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. - -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. - -If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN. - - - - - - - - - - - text/plain - - - - - SpecialCharacters - - - - - - - - 0 - ? @ [ \ ] ^ _ ` { | } ~ . - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. - -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. 
- -If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.]]> - - - - - - - - - - - text/plain - - - - - Digits - - - - - - - - 0 - Use this policy setting to configure the use of digits in the Windows Hello for Business PIN. - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. - -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. - -If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN. - - - - - - - - - - - text/plain - - - - - History - - - - - - - - 0 - This policy specifies the number of past PINs that can be stored in the history that can’t be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset. - - - - - - - - - - - text/plain - - - - - Expiration - - - - - - - - 0 - This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire. - - - - - - - - - - - text/plain - - - - - - - - - PassportForWork - ./Device/Vendor/MSFT - - - - - - - - - - - - - - - - - - - - - - - - - - This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management. - - - - - - - - - - TenantId - - - - - - Policies - - - - - - - Root node for policies. 
- - - - - - - - - - Policies - - - - - - UsePassportForWork - - - - - - - - True - Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. - -If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users. - -If you disable this policy setting, the device does not provision Windows Hello for Business for any user. - - - - - - - - - - - text/plain - - - - - RequireSecurityDevice - - - - - - - - False - A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. - -If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business. - -If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable. - - - - - - - - - - - text/plain - - - - - ExcludeSecurityDevices - - - - - - - Root node for excluded security devices. - - - - - - - - - - ExcludeSecurityDevices - - - - - - TPM12 - - - - - - - - False - Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). - -If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. - -If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. - - - - - - - - - - - text/plain - - - - - - EnablePinRecovery - - - - - - - - False - If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. 
This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service. - -If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten. - -If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. - - - - - - - - - - - - text/plain - - - - - UseCertificateForOnPremAuth - - - - - - - - False - Windows Hello for Business can use certificates to authenticate to on-premise resources. - -If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. - -If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. - - - - - - - - - - - text/plain - - - - - PINComplexity - - - - - - - Root node for PIN policies - - - - - - - - - - - - - - - MinimumPINLength - - - - - - - - 4 - Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. - -If you configure this policy setting, the PIN length must be greater than or equal to this number. - -If you do not configure this policy setting, the PIN length must be greater than or equal to 4. 
- -NOTE: If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. - - - - - - - - - - - text/plain - - - - - MaximumPINLength - - - - - - - - 127 - Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. - -If you configure this policy setting, the PIN length must be less than or equal to this number. - -If you do not configure this policy setting, the PIN length must be less than or equal to 127. - -NOTE: If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. - - - - - - - - - - - text/plain - - - - - UppercaseLetters - - - - - - - - 0 - Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN. - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. - -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. - -If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN. - - - - - - - - - - - text/plain - - - - - LowercaseLetters - - - - - - - - 0 - Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN. - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. 
- -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. - -If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN. - - - - - - - - - - - text/plain - - - - - SpecialCharacters - - - - - - - - 0 - ? @ [ \ ] ^ _ ` { | } ~ . - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. - -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. - -If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.]]> - - - - - - - - - - - text/plain - - - - - Digits - - - - - - - - 0 - Use this policy setting to configure the use of digits in the Windows Hello for Business PIN. - -A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. - -A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. - -If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN. - - - - - - - - - - - text/plain - - - - - History - - - - - - - - 0 - This policy specifies the number of past PINs that can be stored in the history that can’t be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset. - - - - - - - - - - - text/plain - - - - - Expiration - - - - - - - - 0 - This policy specifies when the PIN expires (in days). 
Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire. - - - - - - - - - - - text/plain - - - - - - Remote - - - - - - - Root node for phone sign-in policies - - - - - - - - - - - - - - - UseRemotePassport - - - - - - - - False - Boolean that specifies if phone sign-in can be used with a device. Phone sign-in provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. - -Default value is false. If you enable this setting, a desktop device will allow a registered, companion device to be used as an authentication factor. If you disable this setting, a companion device cannot be used in desktop authentication scenarios. - - - - - - - - - - - text/plain - - - - - - UseHelloCertificatesAsSmartCardCertificates - - - - - - - - False - If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. - -If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. - -Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in. - - - - - - - - - - - text/plain - - - - - - - UseBiometrics + UsePassportForWork 
@@ -1026,16 +108,12 @@ Windows requires a user to lock and unlock their session after changing this set - False - THIS NODE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE VERSION. PLEASE USE Biometrics/UseBiometrics NODE INSTEAD. + True + Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. -Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures. +If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users. -If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures. - -If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures. - -NOTE: Disabling this policy prevents the use of biometric gestures on the device for all account types. +If you disable this policy setting, the device does not provision Windows Hello for Business for any user. 
@@ -1046,17 +124,111 @@ NOTE: Disabling this policy prevents the use of biometric gestures on the device - text/plain + + + + false + Disabled + + + true + Enabled + + - Biometrics + RequireSecurityDevice + + + + + + False + A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. + +If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business. + +If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + EnablePinRecovery + + + + + + + + False + If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service. + +If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten. + +If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. + + + + + + + + + + + + + + 10.0.15063 + 1.3 + + + + false + Disabled + + + true + Enabled + + + + + + PINComplexity + + + + - Root node for biometrics policies + Root node for PIN policies 
@@ -1064,14 +236,502 @@ NOTE: Disabling this policy prevents the use of biometric gestures on the device - + - + - UseBiometrics + MinimumPINLength + + + + + + + + 4 + Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. + +If you configure this policy setting, the PIN length must be greater than or equal to this number. + +If you do not configure this policy setting, the PIN length must be greater than or equal to 4. + +NOTE: If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + + + + + + + + [4-127] + + + + + MaximumPINLength + + + + + + + + 127 + Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. + +If you configure this policy setting, the PIN length must be less than or equal to this number. + +If you do not configure this policy setting, the PIN length must be less than or equal to 127. + +NOTE: If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + + + + + + + + [4-127] + + + + + UppercaseLetters + + + + + + + + 0 + Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. 
+ +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN. + + + + + + + + + + + + + + + 0 + Allows the use of uppercase letters in PIN. + + + 1 + Requires the use of at least one uppercase letters in PIN. + + + 2 + Does not allow the use of uppercase letters in PIN. + + + + + + LowercaseLetters + + + + + + + + 0 + Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN. + + + + + + + + + + + + + + + 0 + Allows the use of lowercase letters in PIN. + + + 1 + Requires the use of at least one lowercase letters in PIN. + + + 2 + Does not allow the use of lowercase letters in PIN. + + + + + + SpecialCharacters + + + + + + + + 0 + ? @ [ \ ] ^ _ ` { | } ~ . + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. 
+ +If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.]]> + + + + + + + + + + + + + + + 0 + Allows the use of special characters in PIN. + + + 1 + Requires the use of at least one special characters in PIN. + + + 2 + Does not allow the use of special characters in PIN. + + + + + + Digits + + + + + + + + 0 + Use this policy setting to configure the use of digits in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. + +If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN. + + + + + + + + + + + + + + + 0 + Allows the use of digits in PIN. + + + 1 + Requires the use of at least one digits in PIN. + + + 2 + Does not allow the use of digits in PIN. + + + + + + History + + + + + + + + 0 + This policy specifies the number of past PINs that can be stored in the history that can’t be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset. + + + + + + + + + + + + + + [0-50] + + + + + Expiration + + + + + + + + 0 + This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire. 
+ + + + + + + + + + + + + + [0-730] + + + + + + + + + PassportForWork + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.2 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + + + + + + + + + This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management. + + + + + + + + + + TenantId + + + + + A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet Get-AzureAccount. For more information see https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell. + + + + Policies + + + + + + + Root node for policies. + + + + + + + + + + Policies + + + + + + UsePassportForWork + + + + + + + + True + Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. + +If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users. + +If you disable this policy setting, the device does not provision Windows Hello for Business for any user. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + RequireSecurityDevice + + + + + + + + False + A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. + +If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business. 
+ +If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + ExcludeSecurityDevices + + + + + + + Root node for excluded security devices. + + + + + + + + + + ExcludeSecurityDevices + + + + + 10.0.15063 + 1.3 + + + + TPM12 
@@ -1080,272 +740,1036 @@ NOTE: Disabling this policy prevents the use of biometric gestures on the device False - Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures. + Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). + +If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. + +If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + + EnablePinRecovery + + + + + + + + False + If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service. + +If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten. + +If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. + + + + + + + + + + + + + + + 10.0.15063 + 1.3 + + + + false + Disabled + + + true + Enabled + + + + + + UseCertificateForOnPremAuth + + + + + + + + False + Windows Hello for Business can use certificates to authenticate to on-premise resources. 
+ +If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. + +If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + UseCloudTrustForOnPremAuth + + + + + + + + False + Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources. + +If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain. + +If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources. + + + + + + + + + + + + + + 10.0.22621, 10.0.22000.527, 10.0.19044.1566 + 1.6 + + + + false + Disabled + + + true + Enabled + + + + + + PINComplexity + + + + + + + Root node for PIN policies + + + + + + + + + + + + + + + MinimumPINLength + + + + + + + + 4 + Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. + +If you configure this policy setting, the PIN length must be greater than or equal to this number. + +If you do not configure this policy setting, the PIN length must be greater than or equal to 4. + +NOTE: If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. 
+ + + + + + + + + + + + + + [4-127] + + + + + MaximumPINLength + + + + + + + + 127 + Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. + +If you configure this policy setting, the PIN length must be less than or equal to this number. + +If you do not configure this policy setting, the PIN length must be less than or equal to 127. + +NOTE: If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + + + + + + + + [4-127] + + + + + UppercaseLetters + + + + + + + + 0 + Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN. + + + + + + + + + + + + + + + 0 + Allows the use of uppercase letters in PIN. + + + 1 + Requires the use of at least one uppercase letters in PIN. + + + 2 + Does not allow the use of uppercase letters in PIN. + + + + + + LowercaseLetters + + + + + + + + 0 + Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. 
+ +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN. + + + + + + + + + + + + + + + 0 + Allows the use of lowercase letters in PIN. + + + 1 + Requires the use of at least one lowercase letters in PIN. + + + 2 + Does not allow the use of lowercase letters in PIN. + + + + + + SpecialCharacters + + + + + + + + 0 + ? @ [ \ ] ^ _ ` { | } ~ . + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.]]> + + + + + + + + + + + + + + + 0 + Allows the use of special characters in PIN. + + + 1 + Requires the use of at least one special characters in PIN. + + + 2 + Does not allow the use of special characters in PIN. + + + + + + Digits + + + + + + + + 0 + Use this policy setting to configure the use of digits in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. + +If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN. + + + + + + + + + + + + + + + 0 + Allows the use of digits in PIN. 
+ + + 1 + Requires the use of at least one digits in PIN. + + + 2 + Does not allow the use of digits in PIN. + + + + + + History + + + + + + + + 0 + This policy specifies the number of past PINs that can be stored in the history that can’t be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset. + + + + + + + + + + + + + + [0-50] + + + + + Expiration + + + + + + + + 0 + This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire. + + + + + + + + + + + + + + [0-730] + + + + + + Remote + + + + + + + Root node for phone sign-in policies + + + + + + + + + + + + + + + UseRemotePassport + + + + + + + + False + Boolean that specifies if phone sign-in can be used with a device. Phone sign-in provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. + +Default value is false. If you enable this setting, a desktop device will allow a registered, companion device to be used as an authentication factor. If you disable this setting, a companion device cannot be used in desktop authentication scenarios. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + + UseHelloCertificatesAsSmartCardCertificates + + + + + + + + False + If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. 
+ +If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. + +Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in. + + + + + + + + + + + + + + 10.0.17763 + 1.6 + + + + false + Disabled + + + true + Enabled + + + + + + + + UseBiometrics + + + + + + + + False + THIS NODE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE VERSION. PLEASE USE Biometrics/UseBiometrics NODE INSTEAD. + +Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures. If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures. If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures. NOTE: Disabling this policy prevents the use of biometric gestures on the device for all account types. - - - - - - - - - - - text/plain - - - - - FacialFeaturesUseEnhancedAntiSpoofing - - - - - - - - False - This setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + + Biometrics + + + + + Root node for biometrics policies + + + + + + + + + + + + + + + UseBiometrics + + + + + + + + False + Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures. + +If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures. 
+ +If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures. + +NOTE: Disabling this policy prevents the use of biometric gestures on the device for all account types. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + FacialFeaturesUseEnhancedAntiSpoofing + + + + + + + + False + This setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication. If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing. If you disable or do not configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. - - - - - - - - - - - text/plain - - - - - - - - - - DeviceUnlock - - - - - Device Unlock - - - - - - - - - - - - - - - GroupA - - - - - - - - Contains a list of providers by GUID that are to be considered for the first step of authentication - - - - - - - - - - - text/plain - - - - - GroupB - - - - - - - - Contains a list of providers by GUID that are to be considered for the second step of authentication - - - - - - - - - - - text/plain - - - - - Plugins - - - - - - - - List of plugins that the passive provider monitors to detect user presence - - - - - - - - - - - text/plain - - - - - - DynamicLock - - - - - Dynamic Lock - - - - - - - - - - - - - - - DynamicLock - - - - - - - - False - Enables/Disables Dyanamic Lock - - - - - - - - - - - text/plain - - - - - Plugins - - - - - - - - List of plugins that the passive provider monitors to detect user absence - - - - - - - - - - - text/plain - - - - - - SecurityKey - - - - - Security Key - - - - - - - - - - - - - - - UseSecurityKeyForSignin - - - - - - - - 0 - Use security key for 
signin. 0 is disabled. 1 is enable. If you do not configure this policy setting, the default is disabled. - - - - - - - - - - - text/plain - - - - + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + EnableESSwithSupportedPeripherals + + + + + + + + 1 + Enhanced Sign-in Security (ESS) isolates both biometric template data and matching operations to trusted hardware or specified memory regions, meaning the rest of the operating system cannot access or tamper with them. Because the channel of communication between the sensors and the algorithm is also secured, it is impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine. + + + + + + + + + + + + + + + + + 10.0.22621 + 1.3 + + + + 0 + Enhanced sign-in security will be disabled on all systems. If a user already has a secure Windows Hello enrollment, they will lose their enrollment and must reset PIN, and they will have the option to re-enroll in normal face and fingerprint. Peripheral usage will be enabled by disabling Enhanced sign-in security. OS will not attempt to start secure components, even if the secure hardware and software components are present. (not recommended) + + + 1 + Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. For systems with one secure modality (face or fingerprint) and one insecure modality (fingerprint or face), only the secure sensor can be used for sign-in and the insecure sensor(s) will be blocked. This includes peripheral devices, which are unsupported and will be unusable. 
(default and recommended for highest security) + + + + LastWrite + + + + + DeviceUnlock + + + + + Device Unlock + + + + + + + + + + + + + + 10.0.17134 + 1.4 + + + + GroupA + + + + + + + + Contains a list of providers by GUID that are to be considered for the first step of authentication + + + + + + + + + + + + + + {[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + + + + + GroupB + + + + + + + + Contains a list of providers by GUID that are to be considered for the second step of authentication + + + + + + + + + + + + + + {[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} + + + + + Plugins + + + + + + + + List of plugins that the passive provider monitors to detect user presence + + + + + + + + + + + + + + + + + DynamicLock + + + + + Dynamic Lock + + + + + + + + + + + + + + 10.0.17134 + 1.4 + + + + DynamicLock + + + + + + + + False + Enables/Disables Dyanamic Lock + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + Plugins + + + + + + + + List of plugins that the passive provider monitors to detect user absence + + + + + + + + + + + + + + + + + SecurityKey + + + + + Security Key + + + + + + + + + + + + + + 10.0.18362 + 1.6 + + + + UseSecurityKeyForSignin + + + + + + + + 0 + Use security key for signin. 0 is disabled. 1 is enable. If you do not configure this policy setting, the default is disabled. + + + + + + + + + + + + + + + 0 + disabled + + + 1 + enabled + + + + + + ``` + +## Related articles + +[PassportForWork configuration service provider reference](passportforwork-csp.md) diff --git a/windows/client-management/mdm/personaldataencryption-csp.md b/windows/client-management/mdm/personaldataencryption-csp.md index c64e9f1290..b7227416df 100644 --- a/windows/client-management/mdm/personaldataencryption-csp.md +++ b/windows/client-management/mdm/personaldataencryption-csp.md 
@@ -1,46 +1,171 @@ --- -title: PersonalDataEncryption CSP -description: Learn how the PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. -ms.author: v-nsatapathy -ms.topic: article +title: PDE CSP +description: Learn more about the PDE CSP. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: nimishasatapathy -ms.localizationpriority: medium -ms.date: 09/12/2022 -ms.reviewer: -manager: dansimp +ms.topic: reference --- -# PersonalDataEncryption CSP + -The PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2. + +# PDE CSP -The following shows the PersonalDataEncryption configuration service provider in tree format: + + +The Personal Data Encryption (PDE) configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2. + + +The following list shows the PDE configuration service provider nodes: + +- ./User/Vendor/MSFT/PDE + - [EnablePersonalDataEncryption](#enablepersonaldataencryption) + - [Status](#status) + - [PersonalDataEncryptionStatus](#statuspersonaldataencryptionstatus) + + + +## EnablePersonalDataEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```User +./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption ``` -./User/Vendor/MSFT/PDE --- EnablePersonalDataEncryption --- Status --------- PersonalDataEncryptionStatus + + + +Allows the Admin to enable Personal Data Encryption. Set to '1' to set this policy. + + + + +The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for PDE to be enabled. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disable Personal Data Encryption. | +| 1 | Enable Personal Data Encryption. | + + + + + + + + + +## Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```User +./User/Vendor/MSFT/PDE/Status ``` + -**EnablePersonalDataEncryption**: -- 0 is default (disabled) -- 1 (enabled) will make Personal Data Encryption (PDE) public API available to applications for the user: [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). + + + -The public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for PDE to be enabled. + + +Reports the current status of Personal Data Encryption (PDE) for the user. -**Status/PersonalDataEncryptionStatus**: Reports the current status of Personal Data Encryption (PDE) for the user. If prerequisites of PDE aren't met, then the status will be 0. If all prerequisites are met for PDE, then PDE will be enabled and status will be 1. +- If prerequisites of PDE aren't met, then the status will be 0. +- If all prerequisites are met for PDE, then PDE will be enabled and status will be 1. + -> [!Note] -> The policy is only applicable on Enterprise and Education SKUs. + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Status/PersonalDataEncryptionStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```User +./User/Vendor/MSFT/PDE/Status/PersonalDataEncryptionStatus +``` + + + + +This node reports the current state of Personal Data Encryption for a user. '0' means disabled. '1' means enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md index 8584167779..9550cce774 100644 --- a/windows/client-management/mdm/personaldataencryption-ddf-file.md +++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md 
@@ -1,32 +1,29 @@ --- -title: PersonalDataEncryption DDF file -description: Learn about the OMA DM device description framework (DDF) for the PersonalDataEncryption configuration service provider. -ms.author: v-nsatapathy -ms.topic: article +title: PDE DDF file +description: View the XML file containing the device description framework (DDF) for the PDE configuration service provider. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: nimishasatapathy -ms.localizationpriority: medium -ms.date: 09/10/2022 -ms.reviewer: -manager: dansimp +ms.topic: reference --- -# PersonalDataEncryption DDF file + -This topic shows the OMA DM device description framework (DDF) for the **PersonalDataEncryption** configuration service provider. +# PDE DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the PDE configuration service provider. ```xml -]> +]> 1.2 + + PDE ./User/Vendor/MSFT @@ -46,6 +43,11 @@ The XML below is the current version for this CSP. + + 10.0.22621 + 1.0 + 0x4;0x1B;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0xAB;0xAC;0xB4;0xBC;0xBF;0xCD; + EnablePersonalDataEncryption @@ -124,4 +126,8 @@ The XML below is the current version for this CSP. -``` \ No newline at end of file +``` + +## Related articles + +[PDE configuration service provider reference](personaldataencryption-csp.md) diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index ac71d90716..822238c6fa 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md 
@@ -1,91 +1,195 @@ --- title: Personalization CSP -description: Use the Personalization CSP to lock screen and desktop background images, prevent users from changing the image, and use the settings in a provisioning package. +description: Learn more about the Personalization CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/28/2022 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Personalization CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The Personalization CSP can set the lock screen and desktop background images. Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package. + -This CSP was added in Windows 10, version 1703. + +The following list shows the Personalization configuration service provider nodes: -> [!Note] -> Personalization CSP is supported in Windows Enterprise and Education SKUs. It works in Windows Professional if SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set. +- ./Vendor/MSFT/Personalization + - [DesktopImageStatus](#desktopimagestatus) + - [DesktopImageUrl](#desktopimageurl) + - [LockScreenImageStatus](#lockscreenimagestatus) + - [LockScreenImageUrl](#lockscreenimageurl) + -The following example shows the Personalization configuration service provider in tree format. + +## DesktopImageStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Personalization/DesktopImageStatus ``` -./Vendor/MSFT -Personalization -----DesktopImageUrl -----DesktopImageStatus -----LockScreenImageUrl -----LockScreenImageStatus + + + + +This represents the status of the DesktopImage. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## DesktopImageUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Personalization/DesktopImageUrl ``` -**./Vendor/MSFT/Personalization** -

    Defines the root node for the Personalization configuration service provider.

    + -**DesktopImageUrl** -

    Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.

    -

    Value type is string. Supported operations are Add, Get, Delete, and Replace.

    + + +A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image. + -**DesktopImageStatus** -

    Represents the status of the desktop image. Valid values:

    -
      -
    • 1 - Successfully downloaded or copied.
    • -
    • 2 - Download or copy in progress.
    • -
    • 3 - Download or copy failed.
    • -
    • 4 - Unknown file type.
    • -
    • 5 - Unsupported URL scheme.
    • -
    • 6 - Max retry failed.
    • -
    • 7 - Blocked, SKU not allowed
    • -
    -

    Supporter operation is Get.

    + + + -> [!Note] -> This setting is only used to query status. To set the image, use the DesktopImageUrl setting. + +**Description framework properties**: -**LockScreenImageUrl** -

    Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.

    -

    Value type is string. Supported operations are Add, Get, Delete, and Replace.

    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + -**LockScreenImageStatus** -

    Represents the status of the lock screen image. Valid values:

    -
      -
    • 1 - Successfully downloaded or copied.
    • -
    • 2 - Download or copy in progress.
    • -
    • 3 - Download or copy failed.
    • -
    • 4 - Unknown file type.
    • -
    • 5 - Unsupported URL scheme.
    • -
    • 6 - Max retry failed.
    • -
    • 7 - Blocked, SKU not allowed
    • -
    -

    Supporter operation is Get.

    + -> [!Note] -> This setting is only used to query status. To set the image, use the LockScreenImageUrl setting. + +## LockScreenImageStatus + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -## Example SyncML + +```Device +./Vendor/MSFT/Personalization/LockScreenImageStatus +``` + + + + +This represents the status of the LockScreenImage. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## LockScreenImageUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Personalization/LockScreenImageUrl +``` + + + + +A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + +## Example ```xml @@ -124,6 +228,10 @@ Personalization ``` + + +## Related articles +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md index c3ec340d14..b2d5a5ded4 100644 --- a/windows/client-management/mdm/personalization-ddf.md +++ b/windows/client-management/mdm/personalization-ddf.md 
@@ -1,142 +1,155 @@ --- title: Personalization DDF file -description: Learn how to set the OMA DM device description framework (DDF) for the Personalization configuration service provider (CSP). +description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + # Personalization DDF file -This topic shows the OMA DM device description framework (DDF) for the **Personalization** configuration service provider. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the Personalization configuration service provider. ```xml -]> +]> 1.2 - - Personalization - ./Vendor/MSFT - - - - - Configure a PC's personalization settings such as Desktop Image and Lock Screen Image. - - - - - - - - - - - com.microsoft/1.0/MDM/Personalization - - - - DesktopImageUrl - - - - - - - - A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to used as the Desktop Image. - - - - - - - - - - - text/plain - - - - - DesktopImageStatus - - - - - This represents the status of the DesktopImage. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. 
- - - - - - - - - - - text/plain - - - - - LockScreenImageUrl - - - - - - - - A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image. - - - - - - - - - - - text/plain - - - - - LockScreenImageStatus - - - - - This represents the status of the LockScreenImage. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. - - - - - - - - - - - text/plain - - - - + + + + Personalization + ./Vendor/MSFT + + + + + + + Configure a PC's personalization settings such as Desktop Image and Lock Screen Image. + + + + + + + + + + + + + + 10.0.16299 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + DesktopImageUrl + + + + + + + + A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image. + + + + + + + + + + + + + + + + + + DesktopImageStatus + + + + + This represents the status of the DesktopImage. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. + + + + + + + + + + + + + + + + LockScreenImageUrl + + + + + + + + A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image. + + + + + + + + + + + + + + + + + + LockScreenImageStatus + + + + + This represents the status of the LockScreenImage. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 
4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. + + + + + + + + + + + + + + + ``` + +## Related articles + +[Personalization configuration service provider reference](personalization-csp.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 0224b374cf..c45d67308a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 01/18/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2927,6 +2927,7 @@ This article lists the ADMX-backed policies in Policy CSP. - [ConfigureRpcListenerPolicy](policy-csp-printers.md) - [ConfigureRpcConnectionPolicy](policy-csp-printers.md) - [ConfigureRpcTcpPort](policy-csp-printers.md) +- [ConfigureRpcAuthnLevelPrivacyEnabled](policy-csp-printers.md) - [ConfigureIppPageCountsPolicy](policy-csp-printers.md) - [ConfigureRedirectionGuardPolicy](policy-csp-printers.md) @@ -2987,6 +2988,7 @@ This article lists the ADMX-backed policies in Policy CSP. ## SettingsSync - [DisableAccessibilitySettingSync](policy-csp-settingssync.md) +- [DisableLanguageSettingSync](policy-csp-settingssync.md) ## Storage diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index df5363e3dd..2b636d3e4f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md 
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 02/03/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -317,12 +317,14 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md) - [DOCacheHost](policy-csp-deliveryoptimization.md) - [DOCacheHostSource](policy-csp-deliveryoptimization.md) +- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md) - [DOGroupIdSource](policy-csp-deliveryoptimization.md) - [DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md) - [DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md) - [DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md) - [DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md) - [DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md) +- [DOVpnKeywords](policy-csp-deliveryoptimization.md) ## DeviceGuard @@ -640,6 +642,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [AllowCortanaInAAD](policy-csp-search.md) - [AllowFindMyFiles](policy-csp-search.md) - [AllowSearchHighlights](policy-csp-search.md) +- [ConfigureSearchOnTaskbarMode](policy-csp-search.md) ## Security @@ -811,6 +814,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [SetPolicyDrivenUpdateSourceForOtherUpdates](policy-csp-update.md) - [SetEDURestart](policy-csp-update.md) - [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md) +- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md) - [SetDisableUXWUAccess](policy-csp-update.md) - [SetDisablePauseUXAccess](policy-csp-update.md) - [UpdateNotificationLevel](policy-csp-update.md) 
@@ -877,6 +881,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [NotifyMalicious](policy-csp-webthreatdefense.md) - [NotifyPasswordReuse](policy-csp-webthreatdefense.md) - [NotifyUnsafeApp](policy-csp-webthreatdefense.md) +- [CaptureThreatWindow](policy-csp-webthreatdefense.md) ## Wifi diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md index dccc4df62a..0bdb057669 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md 
@@ -14,50 +14,50 @@ ms.date: 09/17/2019 # Policies in Policy CSP supported by HoloLens (first gen) Commercial Suite -- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection) -- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps) -- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock) -- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect) -- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname) -- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename) -- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill) -- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies) -- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack) -- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager) -- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen) -- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth) -- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection) -- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword) -- 
[DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword) -- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired) -- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled) -- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory) -- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts) -- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock) -- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters) -- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength) -- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana) -- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization) -- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation) -- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption) -- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime) -- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) -- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) +- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#allowmicrosoftaccountconnection) +- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#allowalltrustedapps) +- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#allowdeveloperunlock) +- [Authentication/AllowFastReconnect](policy-csp-authentication.md#allowfastreconnect) +- 
[Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#preferredaadtenantdomainname) +- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#allowadvertising) +- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#localdevicename) +- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill) +- [Browser/AllowCookies](policy-csp-browser.md#allowcookies) +- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack) +- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager) +- [Browser/AllowPopups](policy-csp-browser.md#allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen) +- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth) +- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection) +- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#allowidlereturnwithoutpassword) +- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword) +- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired) +- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicepasswordenabled) +- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicepasswordhistory) +- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#maxdevicepasswordfailedattempts) +- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#maxinactivitytimedevicelock) +- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#mindevicepasswordcomplexcharacters) +- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#mindevicepasswordlength) +- [Experience/AllowCortana](policy-csp-experience.md#allowcortana) +- 
[Privacy/AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization) +- [Search/AllowSearchToUseLocation](policy-csp-search.md#allowsearchtouselocation) +- [Security/RequireDeviceEncryption](policy-csp-security.md#requiredeviceencryption) +- [Settings/AllowDateTime](policy-csp-settings.md#allowdatetime) +- [Settings/AllowVPN](policy-csp-settings.md#allowvpn) +- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#allowspeechmodelupdate) - [System/AllowLocation](policy-csp-system.md#allowlocation) - [System/AllowTelemetry](policy-csp-system.md#allowtelemetry) -- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate) -- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice) -- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval) -- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday) -- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime) -- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl) -- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration) +- [Update/AllowAutoUpdate](policy-csp-update.md#allowautoupdate) +- [Update/AllowUpdateService](policy-csp-update.md#allowupdateservice) +- [Update/RequireDeferUpgrade](policy-csp-update.md#requiredeferupgrade) +- [Update/RequireUpdateApproval](policy-csp-update.md#requireupdateapproval) +- [Update/ScheduledInstallDay](policy-csp-update.md#scheduledinstallday) +- [Update/ScheduledInstallTime](policy-csp-update.md#scheduledinstalltime) +- [Update/UpdateServiceUrl](policy-csp-update.md#updateserviceurl) +- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration) ## Related topics 
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md index 78c0ec3a24..d610e84f01 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md 
@@ -14,48 +14,48 @@ ms.date: 07/18/2019
 # Policies in Policy CSP supported by HoloLens (first gen) Development Edition
-- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
-- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
-- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
-- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising)
-- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
-- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
-- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
-- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
-- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
-- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
-- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
-- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
-- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
-- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
-- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
-- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
-- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
-- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
-- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
-- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
-- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
-- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
-- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
-- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
-- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
-- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
-- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
-- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
-- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#allowdeveloperunlock)
+- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#allowalltrustedapps)
+- [Authentication/AllowFastReconnect](policy-csp-authentication.md#allowfastreconnect)
+- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#localdevicename)
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack)
+- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager)
+- [Browser/AllowPopups](policy-csp-browser.md#allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen)
+- [Browser/AllowCookies](policy-csp-browser.md#allowcookies)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth)
+- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#mindevicepasswordlength)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicepasswordhistory)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#mindevicepasswordcomplexcharacters)
+- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#allowidlereturnwithoutpassword)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicepasswordenabled)
+- [Experience/AllowCortana](policy-csp-experience.md#allowcortana)
+- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization)
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](policy-csp-security.md#requiredeviceencryption)
+- [Settings/AllowDateTime](policy-csp-settings.md#allowdatetime)
+- [Settings/AllowVPN](policy-csp-settings.md#allowvpn)
+- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#allowspeechmodelupdate)
 - [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
 - [System/AllowLocation](policy-csp-system.md#allowlocation)
-- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
-- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
-- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval)
-- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
-- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
-- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
-- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade)
-- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
+- [Update/AllowAutoUpdate](policy-csp-update.md#allowautoupdate)
+- [Update/AllowUpdateService](policy-csp-update.md#allowupdateservice)
+- [Update/RequireUpdateApproval](policy-csp-update.md#requireupdateapproval)
+- [Update/ScheduledInstallDay](policy-csp-update.md#scheduledinstallday)
+- [Update/ScheduledInstallTime](policy-csp-update.md#scheduledinstalltime)
+- [Update/UpdateServiceUrl](policy-csp-update.md#updateserviceurl)
+- [Update/RequireDeferUpgrade](policy-csp-update.md#requiredeferupgrade)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration)
 ## Related topics
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index 082b79a3aa..b34eebfedb 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -9,131 +9,142 @@ ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
-ms.date: 08/01/2022
+ms.date: 02/03/2023
 ---
 # Policies in Policy CSP supported by HoloLens 2
-- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
-- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
-- [ApplicationManagement/RequirePrivateStoreOnly](policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly) 11
-- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
-- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname)
-- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
-- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
-- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill)
-- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
-- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
-- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
-- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
-- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
-- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
-- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
-- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
-- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
-- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
-- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
-- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicelock-devicepasswordexpiration)
-- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
-- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
-- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
-- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
-- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
-- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
-- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
-- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
-- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9
-- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforelogon) 12
-- [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#mixedreality-allowlaunchuriinsingleappkiosk)10
-- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 11
-- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9
-- [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)
-- [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#mixedreality-configurentpclient) 12
-- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#mixedreality-disablesisallownetworkconnectivitypassivepolling) 12
-- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9
-- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) 9
-- [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#mixedreality-manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)
-- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9
-- [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#mixedreality-ntpclientenabled) 12
-- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#mixedreality-skipcalibrationduringsetup) 12
-- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#mixedreality-skiptrainingduringsetup) 12
-- [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) 10
-- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) 9
-- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) 9
-- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) 9
-- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) 9
-- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) 9
-- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) 9
-- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) 9
-- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
-- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#privacy-disableprivacyexperience) Insider
-- [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
-- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
-- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps)
-- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps)
-- [Privacy/LetAppsAccessBackgroundSpatialPerception](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception)
-- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forceallowtheseapps)
-- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forcedenytheseapps)
-- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-userincontroloftheseapps)
-- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps) 8
-- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps) 8
-- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps) 8
-- [Privacy/LetAppsAccessGazeInput](policy-csp-privacy.md#privacy-letappsaccessgazeinput) 8
-- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forceallowtheseapps) 8
-- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forcedenytheseapps) 8
-- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-userincontroloftheseapps) 8
-- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#privacy-letappsaccesscamera)
-- [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#privacy-letappsaccesslocation)
-- [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#privacy-letappsaccessmicrophone)
-- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) 8
-- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) 8
-- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) 8
-- [RemoteLock/Lock](./remotelock-csp.md) 9
-- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
-- [Security/AllowAddProvisioningPackage](policy-csp-security.md#security-allowaddprovisioningpackage) 9
-- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#security-allowremoveprovisioningpackage) 9
-- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
-- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
-- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) 9
-- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
-- [Storage/AllowStorageSenseGlobal](policy-csp-storage.md#storage-allowstoragesenseglobal) 12
-- [Storage/AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup) 12
-- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold) 12
-- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold) 12
-- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#storage-configstoragesenseglobalcadence) 12
+- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#allowdeveloperunlock)
+- [ApplicationManagement/RequirePrivateStoreOnly](policy-csp-applicationmanagement.md#requireprivatestoreonly) 11
+- [ApplicationManagement/ScheduleForceRestartForUpdateFailures](policy-csp-applicationmanagement.md#scheduleforcerestartforupdatefailures)
+- [Authentication/AllowFastReconnect](policy-csp-authentication.md#allowfastreconnect)
+- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#preferredaadtenantdomainname)
+- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#localdevicename)
+- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill)
+- [Browser/AllowCookies](policy-csp-browser.md#allowcookies)
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack)
+- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager)
+- [Browser/AllowPopups](policy-csp-browser.md#allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth)
+- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection)
+- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#docachehost) 10
+- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#docachehostsource) 10
+- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackbackground) 10
+- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackforeground) 10
+- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#dodownloadmode) 10
+- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxbackgrounddownloadbandwidth) 10
+- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxforegrounddownloadbandwidth) 10
+- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxbackgroundbandwidth) 10
+- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxforegroundbandwidth) 10
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitforegrounddownloadbandwidth) 10
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth) 10
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth) 10
+- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#allowidlereturnwithoutpassword)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicepasswordenabled)
+- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicepasswordexpiration)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#mindevicepasswordlength)
+- [Experience/AllowCortana](policy-csp-experience.md#allowcortana)
+- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#allowmanualmdmunenrollment)
+- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays) 9
+- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#allowcaptiveportalbeforelogon) 12
+- [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#allowlaunchuriinsingleappkiosk)10
+- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#autologonuser) 11
+- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#brightnessbuttondisabled) 9
+- [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)
+- [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#configurentpclient) 12
+- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#disallownetworkconnectivitypassivepolling) 12
+- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#fallbackdiagnostics) 9
+- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#headtrackingmode) 9
+- [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)
+- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#microphonedisabled) 9
+- [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#ntpclientenabled) 12
+- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#skipcalibrationduringsetup) 12
+- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#skiptrainingduringsetup) 12
+- [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#visitorautologon) 10
+- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#volumebuttondisabled) 9
+- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#displayofftimeoutonbattery) 9
+- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#displayofftimeoutpluggedin) 9
+- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#energysaverbatterythresholdonbattery) 9
+- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#energysaverbatterythresholdpluggedin) 9
+- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#standbytimeoutonbattery) 9
+- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#standbytimeoutpluggedin) 9
+- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization)
+- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#disableprivacyexperience) Insider
+- [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#letappsaccessaccountinfo)
+- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forceallowtheseapps)
+- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forcedenytheseapps)
+- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_userincontroloftheseapps)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception](policy-csp-privacy.md#letappsaccessbackgroundspatialperception)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception_forceallowtheseapps)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception_forcedenytheseapps)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception_userincontroloftheseapps)
+- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#letappsaccesscamera)
+- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesscamera_forceallowtheseapps) 8
+- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesscamera_forcedenytheseapps) 8
+- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesscamera_userincontroloftheseapps) 8
+- [Privacy/LetAppsAccessGazeInput](policy-csp-privacy.md#letappsaccessgazeinput) 8
+- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forceallowtheseapps) 8
+- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forcedenytheseapps) 8
+- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_userincontroloftheseapps) 8
+- [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#letappsaccesslocation)
+- [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#letappsaccessmicrophone)
+- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forceallowtheseapps) 8
+- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forcedenytheseapps) 8
+- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_userincontroloftheseapps) 8
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#allowsearchtouselocation)
+- [Security/AllowAddProvisioningPackage](policy-csp-security.md#allowaddprovisioningpackage) 9
+- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#allowremoveprovisioningpackage) 9
+- [Settings/AllowDateTime](policy-csp-settings.md#allowdatetime)
+- [Settings/AllowVPN](policy-csp-settings.md#allowvpn)
+- [Settings/PageVisibilityList](./policy-csp-settings.md#pagevisibilitylist) 9
+- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#allowspeechmodelupdate)
+- [Storage/AllowStorageSenseGlobal](policy-csp-storage.md#allowstoragesenseglobal) 12
+- [Storage/AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md#allowstoragesensetemporaryfilescleanup) 12
+- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#configstoragesensecloudcontentdehydrationthreshold) 12
+- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#configstoragesensedownloadscleanupthreshold) 12
+- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#configstoragesenseglobalcadence) 12
 - [System/AllowCommercialDataPipeline](policy-csp-system.md#allowcommercialdatapipeline)
 - [System/AllowLocation](policy-csp-system.md#allowlocation)
 - [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
 - [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
-- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone) 9
-- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) 9
-- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) 9
-- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) 9
-- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
-- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
-- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) 11
-- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) 11
-- [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel)
-- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) 11
-- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) 11
-- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) 11
-- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) 11
-- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays)
-- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays)
-- [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds)
-- [Update/PauseFeatureUpdates](policy-csp-update.md#update-pausefeatureupdates)
-- [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates)
-- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
-- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
-- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) 11
-- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) 11
-- [Update/SetDisablePauseUXAccess](policy-csp-update.md#update-setdisablepauseuxaccess)
-- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) 11
-- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
-- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) 8
+- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#configuretimezone) 9
+- [Update/ActiveHoursEnd](./policy-csp-update.md#activehoursend) 9
+- [Update/ActiveHoursMaxRange](./policy-csp-update.md#activehoursmaxrange) 9
+- [Update/ActiveHoursStart](./policy-csp-update.md#activehoursstart) 9
+- [Update/AllowAutoUpdate](policy-csp-update.md#allowautoupdate)
+- [Update/AllowUpdateService](policy-csp-update.md#allowupdateservice)
+- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#autorestartnotificationschedule) 11
+- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#autorestartrequirednotificationdismissal) 11
+- [Update/BranchReadinessLevel](policy-csp-update.md#branchreadinesslevel)
+- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#configuredeadlineforfeatureupdates) 11
+- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#configuredeadlineforqualityupdates) 11
+- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#configuredeadlinegraceperiod) 11
+- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#configuredeadlinenoautoreboot) 11
+- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#deferfeatureupdatesperiodindays)
+- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#deferqualityupdatesperiodindays)
+- [Update/ManagePreviewBuilds](policy-csp-update.md#managepreviewbuilds)
+- [Update/PauseFeatureUpdates](policy-csp-update.md#pausefeatureupdates)
+- [Update/PauseQualityUpdates](policy-csp-update.md#pausequalityupdates)
+- [Update/ScheduledInstallDay](policy-csp-update.md#scheduledinstallday)
+- [Update/ScheduledInstallTime](policy-csp-update.md#scheduledinstalltime)
+- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#scheduleimminentrestartwarning) 11
+- [Update/ScheduleRestartWarning](policy-csp-update.md#schedulerestartwarning) 11
+- [Update/SetDisablePauseUXAccess](policy-csp-update.md#setdisablepauseuxaccess)
+- [Update/UpdateNotificationLevel](policy-csp-update.md#updatenotificationlevel) 11
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration)
+- [Wifi/AllowWiFi](policy-csp-wifi.md#allowwifi) 8
 Footnotes:
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
index 3e333af7f9..e15af01618 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
@@ -1,7 +1,7 @@
 ---
 title: Policies in Policy CSP supported by Windows 10 IoT Core
 description: Learn about the policies in Policy CSP supported by Windows 10 IoT Core.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
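Review bot: `DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth` is added twice in a row on the new side, with the same link and footnote, so one of the two lines should be dropped. The old side's `RemoteLock/Lock` entry (`./remotelock-csp.md`, footnote 9) has no counterpart on the new side, which makes this more than an anchor migration; if dropping it is intended, the change should say so, because administrators use this list to find out which lock and update controls are enforceable on HoloLens 2. The new `ApplicationManagement/ScheduleForceRestartForUpdateFailures` entry carries no release footnote while every other entry first added in this hunk is marked `10`, so readers cannot tell which build first supports it. The pre-existing `allowlaunchuriinsingleappkiosk)10` is carried over without the space before the footnote that every other entry has.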
@@ -14,57 +14,57 @@ ms.date: 09/16/2019
 # Policies in Policy CSP supported by Windows 10 IoT Core
-- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
-- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [CredentialProviders/AllowPINLogon](policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
-- [CredentialProviders/BlockPicturePassword](policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
-- [DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md#dataprotection-allowdirectmemoryaccess)
-- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
-- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
-- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
-- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
-- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
-- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
-- 
[DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
-- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
-- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) (deprecated)
-- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) (deprecated)
-- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
-- 
[DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
-- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
-- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) (deprecated)
-- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
-- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
-- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
-- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
-- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
-- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
-- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
-- 
[Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
-- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
-- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot)
-- [Wifi/AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots)
-- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
-- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
-- [Wifi/WLANScanMode](policy-csp-wifi.md#wifi-wlanscanmode)
+- [Camera/AllowCamera](policy-csp-camera.md#allowcamera)
+- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#showappcellularaccessui)
+- [CredentialProviders/AllowPINLogon](policy-csp-credentialproviders.md#allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](policy-csp-credentialproviders.md#blockpicturepassword)
+- [DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md#allowdirectmemoryaccess)
+- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#disableactivexversionlistautodownload)
+- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#disablecompatview)
+- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#disablegeolocation)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#doallowvpnpeercaching)
+- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#docachehost)
+- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#docachehostsource)
+- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#dodelaybackgrounddownloadfromhttp)
+- 
[DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#dodelayforegrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackbackground)
+- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackforeground)
+- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#dodownloadmode)
+- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#dogroupid)
+- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#dogroupidsource)
+- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
+- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxforegrounddownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
+- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#dominbackgroundqos)
+- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#dominbatterypercentageallowedtoupload)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#domodifycachedrive)
+- 
[DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxbackgroundbandwidth)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
+- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxforegroundbandwidth)
+- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#dorestrictpeerselectionby)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitforegrounddownloadbandwidth)
+- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#allowdevicehealthmonitoring)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#configdevicehealthmonitoringscope)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#configdevicehealthmonitoringuploaddestination)
+- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#letappsactivatewithvoice)
+- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#letappsactivatewithvoiceabovelock)
+- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#configuredeadlineforfeatureupdates)
+- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#configuredeadlinenoautoreboot)
+- [Wifi/AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md#allowautoconnecttowifisensehotspots)
+- 
[Wifi/AllowInternetSharing](policy-csp-wifi.md#allowinternetsharing)
+- [Wifi/AllowWiFi](policy-csp-wifi.md#allowwifi)
+- [Wifi/WLANScanMode](policy-csp-wifi.md#wlanscanmode)
 ## Related topics
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index a1cd81ffcb..ce20ebe3db 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -14,13 +14,13 @@ ms.date: 07/22/2020
 # Policies in Policy CSP supported by Microsoft Surface Hub
-- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
-- [Accounts/AllowMicrosoftAccountConnection](./policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
-- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
-- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
-- [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#cryptography-tlsciphersuites)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#allowdeveloperunlock)
+- [Accounts/AllowMicrosoftAccountConnection](./policy-csp-accounts.md#allowmicrosoftaccountconnection)
+- [Camera/AllowCamera](policy-csp-camera.md#allowcamera)
+- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#showappcellularaccessui)
+- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#allowfipsalgorithmpolicy)
+- [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#tlsciphersuites)
 - [Defender/AllowArchiveScanning](policy-csp-defender.md#allowarchivescanning)
 - [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#allowbehaviormonitoring)
 - [Defender/AllowCloudProtection](policy-csp-defender.md#allowcloudprotection)
@@ -47,53 +47,52 @@ ms.date: 07/22/2020
 - [Defender/SignatureUpdateInterval](policy-csp-defender.md#signatureupdateinterval)
 - [Defender/SubmitSamplesConsent](policy-csp-defender.md#submitsamplesconsent)
 - [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#threatseveritydefaultaction)
-- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
-- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
-- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
-- 
[DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
-- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
-- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#doallowvpnpeercaching)
+- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#dodownloadmode)
+- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#dogroupid)
+- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
+- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
+- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#dominbackgroundqos)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#domonthlyuploaddatacap)
+- 
[DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
+- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#preventuserredirectionofprofilefolders)
+- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md#configuregroupmembership)
 - [System/AllowLocation](policy-csp-system.md#allowlocation)
 - [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
 - [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
-- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
-- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
-- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)
-- [TextInput/AllowJapaneseIMESurrogatePairCharacters](policy-csp-textinput.md#textinput-allowjapaneseimesurrogatepaircharacters)
-- [TextInput/AllowJapaneseIVSCharacters](policy-csp-textinput.md#textinput-allowjapaneseivscharacters)
-- [TextInput/AllowJapaneseNonPublishingStandardGlyph](policy-csp-textinput.md#textinput-allowjapanesenonpublishingstandardglyph)
-- [TextInput/AllowJapaneseUserDictionary](policy-csp-textinput.md#textinput-allowjapaneseuserdictionary)
-- [TextInput/AllowLanguageFeaturesUninstall](policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall)
-- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208)
-- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208andeudc)
-- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#textinput-excludejapaneseimeexceptshiftjis)
-- [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
-- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
-- 
[Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
-- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
-- [Wifi/AllowWiFiHotSpotReporting](policy-csp-wifi.md#wifi-allowwifihotspotreporting)
-- [Wifi/WLANScanMode](policy-csp-wifi.md#wifi-wlanscanmode)
-- [Wifi/AllowWiFiDirect](policy-csp-wifi.md#wifi-allowwifidirect)
-- [WirelessDisplay/AllowMdnsAdvertisement](policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsadvertisement)
-- [WirelessDisplay/AllowMdnsDiscovery](policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsdiscovery)
-- [WirelessDisplay/AllowProjectionFromPC](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectionfrompc)
-- [WirelessDisplay/AllowProjectionFromPCOverInfrastructure](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectionfrompcoverinfrastructure)
-- [WirelessDisplay/AllowProjectionToPC](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc)
-- [WirelessDisplay/AllowProjectionToPCOverInfrastructure](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopcoverinfrastructure)
-- [WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver](policy-csp-wirelessdisplay.md#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver)
-- [WirelessDisplay/RequirePinForPairing](policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing)
-
+- [TextInput/AllowIMELogging](policy-csp-textinput.md#allowimelogging)
+- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#allowimenetworkaccess)
+- [TextInput/AllowInputPanel](policy-csp-textinput.md#allowinputpanel)
+- [TextInput/AllowJapaneseIMESurrogatePairCharacters](policy-csp-textinput.md#allowjapaneseimesurrogatepaircharacters)
+- [TextInput/AllowJapaneseIVSCharacters](policy-csp-textinput.md#allowjapaneseivscharacters)
+- [TextInput/AllowJapaneseNonPublishingStandardGlyph](policy-csp-textinput.md#allowjapanesenonpublishingstandardglyph)
+- 
[TextInput/AllowJapaneseUserDictionary](policy-csp-textinput.md#allowjapaneseuserdictionary)
+- [TextInput/AllowLanguageFeaturesUninstall](policy-csp-textinput.md#allowlanguagefeaturesuninstall)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#excludejapaneseimeexceptjis0208)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#excludejapaneseimeexceptjis0208andeudc)
+- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#excludejapaneseimeexceptshiftjis)
+- [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#configuretimezone)
+- [Wifi/AllowInternetSharing](policy-csp-wifi.md#allowinternetsharing)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration)
+- [Wifi/AllowWiFi](policy-csp-wifi.md#allowwifi)
+- [Wifi/AllowWiFiHotSpotReporting](policy-csp-wifi.md) (Deprecated)
+- [Wifi/WLANScanMode](policy-csp-wifi.md#wlanscanmode)
+- [Wifi/AllowWiFiDirect](policy-csp-wifi.md#allowwifidirect)
+- [WirelessDisplay/AllowMdnsAdvertisement](policy-csp-wirelessdisplay.md#allowmdnsadvertisement)
+- [WirelessDisplay/AllowMdnsDiscovery](policy-csp-wirelessdisplay.md#allowmdnsdiscovery)
+- [WirelessDisplay/AllowProjectionFromPC](policy-csp-wirelessdisplay.md#allowprojectionfrompc)
+- [WirelessDisplay/AllowProjectionFromPCOverInfrastructure](policy-csp-wirelessdisplay.md#allowprojectionfrompcoverinfrastructure)
+- [WirelessDisplay/AllowProjectionToPC](policy-csp-wirelessdisplay.md#allowprojectiontopc)
+- [WirelessDisplay/AllowProjectionToPCOverInfrastructure](policy-csp-wirelessdisplay.md#allowprojectiontopcoverinfrastructure)
+- [WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver](policy-csp-wirelessdisplay.md#allowuserinputfromwirelessdisplayreceiver)
+- [WirelessDisplay/RequirePinForPairing](policy-csp-wirelessdisplay.md#requirepinforpairing)
 ## Related topics
diff --git a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
index ee156ca4b2..3d2e78b195 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
@@ -14,26 +14,26 @@ ms.date: 07/18/2019
 # Policies in Policy CSP that can be set using Exchange Active Sync (EAS)
-- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
-- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
-- [Connectivity/AllowCellularDataRoaming](policy-csp-connectivity.md#connectivity-allowcellulardataroaming)
-- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
-- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
-- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
-- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicelock-devicepasswordexpiration)
-- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
-- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
-- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
-- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
-- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
-- [DeviceLock/PreventLockScreenSlideShow](policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
-- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
-- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
+- [Camera/AllowCamera](policy-csp-camera.md#allowcamera)
+- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#showappcellularaccessui)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth)
+- 
[Connectivity/AllowCellularDataRoaming](policy-csp-connectivity.md#allowcellulardataroaming)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicepasswordenabled)
+- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicepasswordexpiration)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#mindevicepasswordlength)
+- [DeviceLock/PreventLockScreenSlideShow](policy-csp-devicelock.md#preventlockscreenslideshow)
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](policy-csp-security.md#requiredeviceencryption)
 - [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
 - [System/TelemetryProxy](policy-csp-system.md#telemetryproxy)
-- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
-- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
+- [Wifi/AllowInternetSharing](policy-csp-wifi.md#allowinternetsharing)
+- [Wifi/AllowWiFi](policy-csp-wifi.md#allowwifi)
 ## Related topics
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 283417da87..1eba8fd662 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1,10 +1,10 @@
 ---
 title: Policy CSP
-description: Learn more about the Policy CSP
+description: Learn more about the Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 11/22/2022
+ms.date: 02/28/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -49,33 +49,31 @@ The Policy configuration service provider has the following sub-categories: -The following example shows the Policy configuration service provider in tree format. +The following list shows the Policy configuration service provider nodes: -```text -./Device/Vendor/MSFT/Policy ---- Config ------- {AreaName} ---------- {PolicyName} ---- ConfigOperations ------- ADMXInstall ---------- {AppName} ------------- {SettingsType} ---------------- {AdmxFileId} ------------- Properties ---------------- {SettingsType} ------------------- {AdmxFileId} ---------------------- Version ---- Result ------- {AreaName} ---------- {PolicyName} -./User/Vendor/MSFT/Policy ---- Config ------- {AreaName} ---------- {PolicyName} ---- Result ------- {AreaName} ---------- {PolicyName} -``` +- ./Device/Vendor/MSFT/Policy + - [Config](#deviceconfig) + - [{AreaName}](#deviceconfigareaname) + - [{PolicyName}](#deviceconfigareanamepolicyname) + - [ConfigOperations](#deviceconfigoperations) + - [ADMXInstall](#deviceconfigoperationsadmxinstall) + - [{AppName}](#deviceconfigoperationsadmxinstallappname) + - [{SettingsType}](#deviceconfigoperationsadmxinstallappnamesettingstype) + - [{AdmxFileId}](#deviceconfigoperationsadmxinstallappnamesettingstypeadmxfileid) + - [Properties](#deviceconfigoperationsadmxinstallappnameproperties) + - [{SettingsType}](#deviceconfigoperationsadmxinstallappnamepropertiessettingstype) + - [{AdmxFileId}](#deviceconfigoperationsadmxinstallappnamepropertiessettingstypeadmxfileid) + - [Version](#deviceconfigoperationsadmxinstallappnamepropertiessettingstypeadmxfileidversion) + - [Result](#deviceresult) + - [{AreaName}](#deviceresultareaname) + - [{PolicyName}](#deviceresultareanamepolicyname) +- ./User/Vendor/MSFT/Policy + - [Config](#userconfig) + - [{AreaName}](#userconfigareaname) + - [{PolicyName}](#userconfigareanamepolicyname) + - [Result](#userresult) + - [{AreaName}](#userresultareaname) + - [{PolicyName}](#userresultareanamepolicyname) 
@@ -94,6 +92,7 @@ The following example shows the Policy configuration service provider in tree fo + Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. @@ -132,7 +131,8 @@ Node for grouping all policies configured by one source. The configuration sourc -The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. + +The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. @@ -171,7 +171,8 @@ The area group that can be configured by a single technology for a single provid -Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. + +Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. @@ -218,6 +219,7 @@ The following list shows some tips to help you when configuring policies: + The root node for grouping different configuration operations. 
@@ -256,6 +258,7 @@ The root node for grouping different configuration operations. + Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}. @@ -298,6 +301,7 @@ Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported + Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. @@ -337,7 +341,8 @@ Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX f -Setting Type of Win32 App. Policy Or Preference + +Setting Type of Win32 App. Policy Or Preference. @@ -376,7 +381,8 @@ Setting Type of Win32 App. Policy Or Preference -Unique ID of ADMX file + +Unique ID of ADMX file. @@ -415,7 +421,8 @@ Unique ID of ADMX file -Properties of Win32 App ADMX Ingestion + +Properties of Win32 App ADMX Ingestion. @@ -453,7 +460,8 @@ Properties of Win32 App ADMX Ingestion -Setting Type of Win32 App. Policy Or Preference + +Setting Type of Win32 App. Policy Or Preference. @@ -492,7 +500,8 @@ Setting Type of Win32 App. Policy Or Preference -Unique ID of ADMX file + +Unique ID of ADMX file. 
@@ -531,7 +540,8 @@ Unique ID of ADMX file -Version of ADMX file. This can be set by the server to keep a record of the versioning of the ADMX file ingested by the device. + +Version of ADMX file. This can be set by the server to keep a record of the versioning of the ADMX file ingested by the device. @@ -569,6 +579,7 @@ Version of ADMX file. This can be set by the server to keep a record of the ver + Groups the evaluated policies from all providers that can be configured. @@ -607,6 +618,7 @@ Groups the evaluated policies from all providers that can be configured. + The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. @@ -646,6 +658,7 @@ The area group that can be configured by a single technology independent of the + Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. @@ -685,6 +698,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f + Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. 
@@ -723,7 +737,8 @@ Node for grouping all policies configured by one source. The configuration sourc -The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. + +The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. @@ -770,7 +785,8 @@ The following list shows some tips to help you when configuring policies: -Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. + +Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. @@ -809,6 +825,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs + Groups the evaluated policies from all providers that can be configured. @@ -847,6 +864,7 @@ Groups the evaluated policies from all providers that can be configured. + The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. @@ -886,6 +904,7 @@ The area group that can be configured by a single technology independent of the + Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. 
@@ -1074,7 +1093,6 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f - [Camera](policy-csp-camera.md) - [Cellular](policy-csp-cellular.md) - [CloudDesktop](policy-csp-clouddesktop.md) -- [CloudPC](policy-csp-cloudpc.md) - [Connectivity](policy-csp-connectivity.md) - [ControlPolicyConflict](policy-csp-controlpolicyconflict.md) - [CredentialProviders](policy-csp-credentialproviders.md) diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index d0febc03b7..bdb6a819f1 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -1,127 +1,199 @@ --- -title: Policy CSP - AboveLock -description: Learn the various AboveLock Policy configuration service provider (CSP) for Windows editions of Home, Pro, Business, and more. +title: AboveLock Policy CSP +description: Learn more about the AboveLock Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - AboveLock -
    + + + - -## AboveLock policies + +## AllowActionCenterNotifications -
    -
    - AboveLock/AllowCortanaAboveLock -
    -
    - AboveLock/AllowToasts -
    -
    +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/AboveLock/AllowActionCenterNotifications +``` + + + +This policy is deprecated + - -**AboveLock/AllowCortanaAboveLock** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. + +## AllowCortanaAboveLock - - -ADMX Info: -- GP Friendly name: *Allow Cortana above lock screen* -- GP name: *AllowCortanaAboveLock* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/AboveLock/AllowCortanaAboveLock +``` + -- 0 - Not allowed. -- 1 (default) - Allowed. + + +This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked. - - +- If you enable or don't configure this setting, the user can interact with Cortana using speech while the system is locked. -
    +- If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. + - -**AboveLock/AllowToasts** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes, starting in Windows 10, version 1607|Yes| -|Enterprise|Yes, starting in Windows 10, version 1607|Yes| -|Education|Yes, starting in Windows 10, version 1607|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -> [!div class = "checklist"] -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | AllowCortanaAboveLock | +| Friendly Name | Allow Cortana above lock screen | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | AllowCortanaAboveLock | +| ADMX File Name | Search.admx | + - - -Specifies whether to allow toast notifications above the device lock screen. + + + -Most restricted value is 0. + - - -The following list shows the supported values: + +## AllowToasts -- 0 - Not allowed. -- 1 (default) - Allowed. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/AboveLock/AllowToasts +``` + - + + +Specifies whether to allow toast notifications above the device lock screen. Most restricted value is 0. + -## Related topics + + + -[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index e2ccc30eb8..44c49be631 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -1,266 +1,284 @@ --- -title: Policy CSP - Accounts -description: Learn about the Accounts policy configuration service provider (CSP). This article describes account policies. +title: Accounts Policy CSP +description: Learn more about the Accounts Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Accounts + + + + +## AllowAddingNonMicrosoftAccountsManually -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -## Accounts policies + +```Device +./Device/Vendor/MSFT/Policy/Config/Accounts/AllowAddingNonMicrosoftAccountsManually +``` + -
    -
    - Accounts/AllowAddingNonMicrosoftAccountsManually -
    -
    - Accounts/AllowMicrosoftAccountConnection -
    -
    - Accounts/AllowMicrosoftAccountSignInAssistant -
    -
    - Accounts/DomainNamesForEmailSync -
    -
    - Accounts/RestrictToEnterpriseDeviceAuthenticationOnly -
    -
    - - -
    - - -**Accounts/AllowAddingNonMicrosoftAccountsManually** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether user is allowed to add email accounts other than Microsoft account. - -Most restricted value is 0. + + +Specifies whether user is allowed to add non-MSA email accounts. Most restricted value is 0 > [!NOTE] -> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. +> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the EMAIL2 CSP. + - - -The following list shows the supported values: + + + -- 0 - Not allowed. -- 1 (default) - Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Accounts/AllowMicrosoftAccountConnection** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowMicrosoftAccountConnection - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Accounts/AllowMicrosoftAccountConnection +``` + -
    + + +Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. Most restricted value is 0. + - - -Specifies whether the user is allowed to use a Microsoft account for non-email related connection authentication and services. + + + -Most restricted value is 0. + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 - Not allowed. -- 1 (default) - Allowed. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
    + + + - -**Accounts/AllowMicrosoftAccountSignInAssistant** + - + +## AllowMicrosoftAccountSignInAssistant -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Accounts/AllowMicrosoftAccountSignInAssistant +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. + + +Allows IT Admins the ability to disable the Microsoft Account Sign-In Assistant (wlidsvc) NT service > [!NOTE] -> If the Microsoft account service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). +> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See Feature updates are not being offered while other updates are > [!NOTE] -> If the Microsoft account service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the Microsoft account ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app. +> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to "step-up" from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app. + - - -The following list shows the supported values: + + + -- 0 - Disabled. -- 1 (default) - Manual start. + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + +**Allowed values**: - -**Accounts/DomainNamesForEmailSync** +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Manual start. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DomainNamesForEmailSync - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Accounts/DomainNamesForEmailSync +``` + -
    + + + - - + + + + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + + + -
    + - -**Accounts/RestrictToEnterpriseDeviceAuthenticationOnly** + +## RestrictToEnterpriseDeviceAuthenticationOnly - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Accounts/RestrictToEnterpriseDeviceAuthenticationOnly +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 11, version 22H2. This setting determines whether to only allow enterprise device authentication for the Microsoft Account Sign-in Assistant service (wlidsvc). By default, this setting is disabled and allows both user and device authentication. When the value is set to 1, we only allow device authentication and block user authentication. + + +This setting determines whether to only allow enterprise device authentication for the Microsoft Account Sign-in Assistant service (wlidsvc). By default, this setting is disabled and allows both user and device authentication. When the value is set to 1, only allow device authentication, and block user authentication. + + + Most restricted value is 1. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) - Allow both device and user authentication. -- 1 - Only allow device authentication. Block user authentication. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -
    + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Allow both device and user authentication. Do not block user authentication. | +| 1 | Only allow device authentication. Block user authentication. | + - + +**Group policy mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | MicrosoftAccount_RestrictToDeviceAuthenticationOnly | +| Path | MSAPolicy > AT > WindowsComponents > MicrosoftAccountCategory | + -[Policy CSP](policy-configuration-service-provider.md) + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 02246616a5..6432707d70 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md 
@@ -1,92 +1,99 @@ --- -title: Policy CSP - ActiveXControls -description: Learn about various Policy configuration service provider (CSP) - ActiveXControls settings, including SyncML, for Windows 10. +title: ActiveXControls Policy CSP +description: Learn more about the ActiveXControls Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ActiveXControls > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## ApprovedInstallationSites - -## ActiveXControls policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    -
    - ActiveXControls/ApprovedInstallationSites -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ActiveXControls/ApprovedInstallationSites +``` + + + +This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL. -
    +- If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. - -**ActiveXControls/ApprovedInstallationSites** +- If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. - +> [!NOTE] +> Wild card characters cannot be used when specifying the host URLs. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - - -This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved ActiveX Install sites specified by host URL. +| Name | Value | +|:--|:--| +| Name | ApprovedActiveXInstallSites | +| Friendly Name | Approved Installation Sites for ActiveX Controls | +| Location | Computer Configuration | +| Path | Windows Components > ActiveX Installer Service | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\AxInstaller | +| Registry Value Name | ApprovedList | +| ADMX File Name | ActiveXInstallService.admx | + -If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. + + + -If you disable or don't configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. + -> [!Note] -> Wild card characters can't be used when specifying the host URLs. + + + - + - -ADMX Info: -- GP Friendly name: *Approved Installation Sites for ActiveX Controls* -- GP name: *ApprovedActiveXInstallSites* -- GP path: *Windows Components/ActiveX Installer Service* -- GP ADMX file name: *ActiveXInstallService.admx* +## Related articles - - -
    - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index b22227cbb1..ad05a61b1f 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md 
@@ -1,95 +1,100 @@ --- -title: Policy CSP - ADMX_ActiveXInstallService -description: Learn about the Policy CSP - ADMX_ActiveXInstallService. +title: ADMX_ActiveXInstallService Policy CSP +description: Learn more about the ADMX_ActiveXInstallService Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_ActiveXInstallService > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AxISURLZonePolicies - -## ADMX_ActiveXInstallService policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_ActiveXInstallService/AxISURLZonePolicies -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ActiveXInstallService/AxISURLZonePolicies +``` + - -
    - - -**ADMX_ActiveXInstallService/AxISURLZonePolicies** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls the installation of ActiveX controls for sites in Trusted zone. -If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. +- If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. -If you disable or don't configure this policy setting, ActiveX controls prompt the user before installation. +- If you disable or do not configure this policy setting, ActiveX controls prompt the user before installation. -If the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If a trusted site has a certificate error but you want to trust it anyway, you can select the certificate errors that you want to ignore. +If the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If you are aware that a trusted site has a certificate error but you want to trust it anyway you can select the certificate errors that you want to ignore. > [!NOTE] > This policy setting applies to all sites in Trusted zones. + - + + + - -ADMX Info: -- GP Friendly name: *Establish ActiveX installation policy for sites in Trusted zones* -- GP name: *AxISURLZonePolicies* -- GP path: *Windows Components\ActiveX Installer Service* -- GP ADMX file name: *ActiveXInstallService.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | AxISURLZonePolicies | +| Friendly Name | Establish ActiveX installation policy for sites in Trusted zones | +| Location | Computer Configuration | +| Path | Windows Components > ActiveX Installer Service | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\AxInstaller\AxISURLZonePolicies | +| ADMX File Name | ActiveXInstallService.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index ea465b599b..58e17f5f98 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md 
@@ -1,702 +1,742 @@ --- -title: Policy CSP - ADMX_AddRemovePrograms -description: Learn about the Policy CSP - ADMX_AddRemovePrograms. +title: ADMX_AddRemovePrograms Policy CSP +description: Learn more about the ADMX_AddRemovePrograms Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 08/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_AddRemovePrograms > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## DefaultCategory - -## Policy CSP - ADMX_AddRemovePrograms + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_AddRemovePrograms/DefaultCategory -
    -
    - ADMX_AddRemovePrograms/NoAddFromCDorFloppy -
    -
    - ADMX_AddRemovePrograms/NoAddFromInternet -
    -
    - ADMX_AddRemovePrograms/NoAddFromNetwork -
    -
    - ADMX_AddRemovePrograms/NoAddPage -
    -
    - ADMX_AddRemovePrograms/NoAddRemovePrograms -
    -
    - ADMX_AddRemovePrograms/NoChooseProgramsPage -
    -
    - ADMX_AddRemovePrograms/NoRemovePage -
    -
    - ADMX_AddRemovePrograms/NoServices -
    -
    - ADMX_AddRemovePrograms/NoSupportInfo -
    -
    - ADMX_AddRemovePrograms/NoWindowsSetupPage -
    -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/DefaultCategory +``` + + + +Specifies the category of programs that appears when users open the "Add New Programs" page. -
    - - -**ADMX_AddRemovePrograms/DefaultCategory** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. +- If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. Users can use the Category box on the "Add New Programs" page to display programs in other categories. To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. -If you disable this setting or don't configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they're most likely to need. +- If you disable this setting or do not configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. + +You can use this setting to direct users to the programs they are most likely to need. > [!NOTE] > This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. + - + + + - -ADMX Info: -- GP Friendly name: *Specify default category for Add New Programs* -- GP name: *DefaultCategory* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- - +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | DefaultCategory | +| Friendly Name | Specify default category for Add New Programs | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| ADMX File Name | AddRemovePrograms.admx | + -
    + + + - -**ADMX_AddRemovePrograms/NoAddFromCDorFloppy** + - + +## NoAddFromCDorFloppy -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoAddFromCDorFloppy +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. -> [!div class = "checklist"] -> * User +- If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. -
    - - - - -This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This feature removal prevents users from using Add or Remove Programs to install programs from removable media. - -If you disable this setting or don't configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting doesn't prevent users from using other tools and methods to add or remove program components. +This setting does not prevent users from using other tools and methods to add or remove program components. > [!NOTE] -> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users can't add programs from removable media, regardless of this setting. +> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. + - + + + - -ADMX Info: -- GP Friendly name: *Hide the "Add a program from CD-ROM or floppy disk" option* -- GP name: *NoAddFromCDorFloppy* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- - +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | NoAddFromCDorFloppy | +| Friendly Name | Hide the "Add a program from CD-ROM or floppy disk" option | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoAddFromCDorFloppy | +| ADMX File Name | AddRemovePrograms.admx | + -
    + + + - -**ADMX_AddRemovePrograms/NoAddFromInternet** + - + +## NoAddFromInternet -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoAddFromInternet +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. -> [!div class = "checklist"] -> * User +- If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. -
    - - - - -This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. - -If you disable this setting or don't configure it, "Add programs from Microsoft" is available to all users. This setting doesn't prevent users from using other tools and methods to connect to Windows Update. +This setting does not prevent users from using other tools and methods to connect to Windows Update. > [!NOTE] > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide the "Add programs from Microsoft" option* -- GP name: *NoAddFromInternet* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | NoAddFromInternet | +| Friendly Name | Hide the "Add programs from Microsoft" option | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoAddFromInternet | +| ADMX File Name | AddRemovePrograms.admx | + - - + + + -
    + - -**ADMX_AddRemovePrograms/NoAddFromNetwork** + +## NoAddFromNetwork - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoAddFromNetwork +``` + - -
    + + +Prevents users from viewing or installing published programs. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. -> [!div class = "checklist"] -> * User +Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. -
    +- If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. - - - -This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. - -If you enable this setting, users can't tell which programs have been published by the system administrator, and they can't use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. - -If you disable this setting or don't configure it, "Add programs from your network" is available to all users. +- If you disable this setting or do not configure it, "Add programs from your network" is available to all users. > [!NOTE] > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoAddFromNetwork | +| Friendly Name | Hide the "Add programs from your network" option | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoAddFromNetwork | +| ADMX File Name | AddRemovePrograms.admx | + - + + + + - -ADMX Info: -- GP Friendly name: *Hide the "Add programs from your network" option* -- GP name: *NoAddFromNetwork* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* + +## NoAddPage - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoAddPage +``` + - - + + +Removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. + +The Add New Programs button lets users install programs published or assigned by a system administrator. + +- If you disable this setting or do not configure it, the Add New Programs button is available to all users. + +This setting does not prevent users from using other tools and methods to install programs. + + + + + + + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoAddPage | +| Friendly Name | Hide Add New Programs page | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoAddPage | +| ADMX File Name | AddRemovePrograms.admx | + - -**ADMX_AddRemovePrograms/NoAddPage** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## NoAddRemovePrograms - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoAddRemovePrograms +``` + -> [!div class = "checklist"] -> * User + + +Prevents users from using Add or Remove Programs. -
    +This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. + +Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. + +- If you disable this setting or do not configure it, Add or Remove Programs is available to all users. + +When enabled, this setting takes precedence over the other settings in this folder. + +This setting does not prevent users from using other tools and methods to install or uninstall programs. + - - + + + -This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users can't view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. + +**Description framework properties**: -If you disable this setting or don't configure it, the Add New Programs button is available to all users. This setting doesn't prevent users from using other tools and methods to install programs. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | NoAddRemovePrograms | +| Friendly Name | Remove Add or Remove Programs | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoAddRemovePrograms | +| ADMX File Name | AddRemovePrograms.admx | + - -ADMX Info: -- GP Friendly name: *Hide Add New Programs page* -- GP name: *NoAddPage* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* + + + - - + - - + +## NoChooseProgramsPage - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoChooseProgramsPage +``` + -
    + + +Removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. + +The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. + +- If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. + +This setting does not prevent users from using other tools and methods to change program access or defaults. - -**ADMX_AddRemovePrograms/NoAddRemovePrograms** +This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> [!div class = "checklist"] -> * User +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | NoChooseProgramsPage | +| Friendly Name | Hide the Set Program Access and Defaults page | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoChooseProgramsPage | +| ADMX File Name | AddRemovePrograms.admx | + - - + + + + + + + +## NoRemovePage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoRemovePage +``` + + + + +Removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. + +The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. + +- If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. + +This setting does not prevent users from using other tools and methods to delete or uninstall programs. + -This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. + + + -If you disable this setting or don't configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting doesn't prevent users from using other tools and methods to install or uninstall programs. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- -ADMX Info: -- GP Friendly name: *Remove Add or Remove Programs* -- GP name: *NoAddRemovePrograms* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | NoRemovePage | +| Friendly Name | Hide Change or Remove Programs page | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoRemovePage | +| ADMX File Name | AddRemovePrograms.admx | + - - + + + + + + + +## NoServices + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoServices +``` + - - + + +Prevents users from using Add or Remove Programs to configure installed services. - - - -
    - - -**ADMX_AddRemovePrograms/NoChooseProgramsPage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users can't view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. - -If you disable this setting or don't configure it, the **Set Program Access and Defaults** button is available to all users. This setting doesn't prevent users from using other tools and methods to change program access or defaults. This setting doesn't prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. - - - - - - -ADMX Info: -- GP Friendly name: *Hide the Set Program Access and Defaults page* -- GP name: *NoChooseProgramsPage* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* - - - - - - - - - - - - - -
    - - -**ADMX_AddRemovePrograms/NoRemovePage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users can't view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. - -If you disable this setting or don't configure it, the Change or Remove Programs page is available to all users. This setting doesn't prevent users from using other tools and methods to delete or uninstall programs. - - - - - -ADMX Info: -- GP Friendly name: *Hide Change or Remove Programs page* -- GP name: *NoRemovePage* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* - - - - - - - - - - - - - -
    - - -**ADMX_AddRemovePrograms/NoServices** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that haven't been configured and offers users easy access to the configuration tools. - -If you disable this setting or don't configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting doesn't prevent users from using other methods to configure services. +This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. + +- If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. +- If you enable this setting, "Set up services" never appears. + +This setting does not prevent users from using other methods to configure services. > [!NOTE] -> When "Set up services" doesn't appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. +> When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. 
- +To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. + + + + - -ADMX Info: -- GP Friendly name: *Go directly to Components Wizard* -- GP name: *NoServices* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | NoServices | +| Friendly Name | Go directly to Components Wizard | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoServices | +| ADMX File Name | AddRemovePrograms.admx | + -
    + + + - -**ADMX_AddRemovePrograms/NoSupportInfo** + - + +## NoSupportInfo -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoSupportInfo +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Removes links to the Support Info dialog box from programs on the Change or Remove Programs page. -> [!div class = "checklist"] -> * User +Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. -
    - - - - -This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. - -If you disable this setting or don't configure it, the Support Info hyperlink appears. +- If you disable this setting or do not configure it, the Support Info hyperlink appears. > [!NOTE] > Not all programs provide a support information hyperlink. + - + + + - -ADMX Info: -- GP Friendly name: *Remove Support Information* -- GP name: *NoSupportInfo* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | NoSupportInfo | +| Friendly Name | Remove Support Information | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoSupportInfo | +| ADMX File Name | AddRemovePrograms.admx | + -
    + + + - -**ADMX_AddRemovePrograms/NoWindowsSetupPage** + - + +## NoWindowsSetupPage -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoWindowsSetupPage +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. -> [!div class = "checklist"] -> * User +The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. -
    +- If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. - - +This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. + -This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users can't view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. + + + -If you disable this setting or don't configure it, the Add/Remove Windows Components button is available to all users. This setting doesn't prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- -ADMX Info: -- GP Friendly name: *Hide Add/Remove Windows Components page* -- GP name: *NoWindowsSetupPage* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | NoWindowsSetupPage | +| Friendly Name | Hide Add/Remove Windows Components page | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoWindowsSetupPage | +| ADMX File Name | AddRemovePrograms.admx | + - - + + + - - + - - + + + + - +## Related articles -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-admpwd.md b/windows/client-management/mdm/policy-csp-admx-admpwd.md index 10d49435e9..747cb54e0e 100644 --- a/windows/client-management/mdm/policy-csp-admx-admpwd.md +++ b/windows/client-management/mdm/policy-csp-admx-admpwd.md 
@@ -1,234 +1,254 @@ --- -title: Policy CSP - ADMX_AdmPwd -description: Learn about the Policy CSP - ADMX_AdmPwd. +title: ADMX_AdmPwd Policy CSP +description: Learn more about the ADMX_AdmPwd Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_AdmPwd > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## POL_AdmPwd - -## ADMX_AdmPwd policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy -
    -
    - ADMX_AdmPwd/POL_AdmPwd_Enabled -
    -
    - ADMX_AdmPwd/POL_AdmPwd_AdminName -
    -
    - ADMX_AdmPwd/POL_AdmPwd -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AdmPwd/POL_AdmPwd +``` + + + + -
    + + +This policy setting enables management of password for local administrator account. +If you enable this setting, local administrator password is managed. +If you disable or not configure this setting, local administrator password is NOT managed. + - -**ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | POL_AdmPwd | +| ADMX File Name | AdmPwd.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## POL_AdmPwd_AdminName + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AdmPwd/POL_AdmPwd_AdminName +``` + + + + + + + + When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. When you disable or don't configure this setting, password expiration time may be longer than required by "Password Settings" policy. - + - -ADMX Info: -- GP Friendly name: *Do not allow password expiration time longer than required by policy* -- GP name: *POL_AdmPwd_DontAllowPwdExpirationBehindPolicy* -- GP path: *Windows Components\AdmPwd* -- GP ADMX file name: *AdmPwd.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_AdmPwd/POL_AdmPwd_Enabled** + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | POL_AdmPwd_AdminName | +| ADMX File Name | AdmPwd.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## POL_AdmPwd_DontAllowPwdExpirationBehindPolicy -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy +``` + + + + + + + +When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. + +When you disable or don't configure this setting, password expiration time may be longer than required by "Password Settings" policy. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | POL_AdmPwd_DontAllowPwdExpirationBehindPolicy | +| ADMX File Name | AdmPwd.admx | + + + + + + + + + +## POL_AdmPwd_Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AdmPwd/POL_AdmPwd_Enabled +``` + + + + + + + + This policy enables the management of password for local administrator account If you enable this setting, local administrator password is managed. If you disable or not configure this setting, local administrator password is NOT managed. - + - -ADMX Info: -- GP Friendly name: *Enable local admin password management* -- GP name: *POL_AdmPwd_Enabled* -- GP path: *Windows Components\AdmPwd* -- GP ADMX file name: *AdmPwd.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_AdmPwd/POL_AdmPwd_AdminName** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | POL_AdmPwd_Enabled | +| ADMX File Name | AdmPwd.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    +## Related articles - - - -When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. - -When you disable or don't configure this setting, password expiration time may be longer than required by "Password Settings" policy. - - - - -ADMX Info: -- GP Friendly name: *Name of administrator account to manage* -- GP name: *POL_AdmPwd_AdminName* -- GP path: *Windows Components\AdmPwd* -- GP ADMX file name: *AdmPwd.admx* - - - - - -
    - - -**ADMX_AdmPwd/POL_AdmPwd** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy setting enables management of password for local administrator account - -If you enable this setting, local administrator password is managed - -If you disable or not configure this setting, local administrator password is NOT managed. - - - - - -ADMX Info: -- GP Friendly name: *Password Settings* -- GP name: *POL_AdmPwd* -- GP path: *Windows Components\AdmPwd* -- GP ADMX file name: *AdmPwd.admx* - - - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index 0bb445f4ed..a0d2e3d901 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md 
@@ -1,533 +1,605 @@ --- -title: Policy CSP - ADMX_AppCompat -description: Policy CSP - ADMX_AppCompat +title: ADMX_AppCompat Policy CSP +description: Learn more about the ADMX_AppCompat Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 08/20/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_AppCompat > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## Policy CSP - ADMX_AppCompat + +## AppCompatPrevent16BitMach -
    -
    - ADMX_AppCompat/AppCompatPrevent16BitMach - -
    -
    - ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage - -
    -
    - ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry - -
    -
    - ADMX_AppCompat/AppCompatTurnOffSwitchBack - -
    -
    - ADMX_AppCompat/AppCompatTurnOffEngine - -
    -
    - ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 - -
    -
    - ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2 - -
    -
    - ADMX_AppCompat/AppCompatTurnOffUserActionRecord - -
    -
    - ADMX_AppCompat/AppCompatTurnOffProgramInventory - -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatPrevent16BitMach +``` + -
    + + +Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. - -**ADMX_AppCompat/AppCompatPrevent16BitMach** +You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, ntvdm.exe must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. - -You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. - -If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components can't run. +If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components cannot run. If the status is set to Disabled, the MS-DOS subsystem runs for all users on this computer. -If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value **HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault**. If that value is non-0, this setting prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above, the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on Windows 7 and down-level, the OS will allow 16-bit applications to run. 
+If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault. If that value is non-0, this prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on windows 7 and downlevel, the OS will allow 16-bit applications to run. > [!NOTE] -> This setting appears only in Computer Configuration. - +> This setting appears in only Computer Configuration. + + + + - -ADMX Info: -- GP Friendly name: *Prevent access to 16-bit applications* -- GP name: *AppCompatPrevent16BitMach* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AppCompatPrevent16BitMach | +| Friendly Name | Prevent access to 16-bit applications | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | VDMDisallowed | +| ADMX File Name | AppCompat.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AppCompatRemoveProgramCompatPropPage -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage +``` + - - -This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. + + +This policy controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. -The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. +The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. Enabling this policy setting removes the property page from the context-menus, but does not affect previous compatibility settings applied to application using this interface. + -Enabling this policy setting removes the property page from the context-menus, but doesn't affect previous compatibility settings applied to application using this interface. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Remove Program Compatibility Property Page* -- GP name: *AppCompatRemoveProgramCompatPropPage* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | AppCompatRemoveProgramCompatPropPage | +| Friendly Name | Remove Program Compatibility Property Page | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisablePropPage | +| ADMX File Name | AppCompat.admx | + - -**ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AppCompatTurnOffApplicationImpactTelemetry - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry +``` + -> [!div class = "checklist"] -> * Device - -
    - - - -The policy setting controls the state of the Application Telemetry engine in the system. + + +The policy controls the state of the Application Telemetry engine in the system. Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. -Turning off Application Telemetry by selecting "enable" will stop the collection of usage data. +Turning Application Telemetry off by selecting "enable" will stop the collection of usage data. If the customer Experience Improvement program is turned off, Application Telemetry will be turned off regardless of how this policy is set. -Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for all applications, reboot your machine. +Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for all applications, please reboot your machine. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Application Telemetry* -- GP name: *AppCompatTurnOffApplicationImpactTelemetry* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_AppCompat/AppCompatTurnOffSwitchBack** +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffApplicationImpactTelemetry | +| Friendly Name | Turn off Application Telemetry | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | AITEnable | +| ADMX File Name | AppCompat.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AppCompatTurnOffEngine - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffEngine +``` + -
    + + +This policy controls the state of the application compatibility engine in the system. - - -The policy setting controls the state of the Switchback compatibility engine in the system. +The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem. -Switchback is a mechanism that provides generic compatibility mitigation to older applications by providing older behavior to old applications and new behavior to new applications. +Turning off the application compatibility engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and will not block known incompatible applications from installing. (For Instance: This may result in a blue screen if an old anti-virus application is installed.) -Switchback is on by default. +The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations will not be applied to applications and their installers and these applications may fail to install or run properly. -If you enable this policy setting, Switchback will be turned off. Turning off Switchback may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they're using. +This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. 
-If you disable or don't configure this policy setting, the Switchback will be turned on. +NOTE: Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, please reboot to ensure that your system accurately reflects those changes. + -Reboot the system after changing the setting to ensure that your system accurately reflects those changes. - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off SwitchBack Compatibility Engine* -- GP name: *AppCompatTurnOffSwitchBack* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_AppCompat/AppCompatTurnOffEngine** +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffEngine | +| Friendly Name | Turn off Application Compatibility Engine | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisableEngine | +| ADMX File Name | AppCompat.admx | + - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AppCompatTurnOffProgramCompatibilityAssistant_1 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 +``` + - - -This policy setting controls the state of the application compatibility engine in the system. + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + -The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a known problem. + + + -Turning off the application compatibility engine will boost system performance. However, this turn-off will degrade the compatibility of many popular legacy applications, and won't block known incompatible applications from installing. For example, this prevention of blocking may result in a blue screen if an old anti-virus application is installed. + +**Description framework properties**: -The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations won't be applied to applications and their installers and these applications may fail to install or run properly. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they're using. It's useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. 
+ +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> [!NOTE] -> Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, reboot to ensure that your system accurately reflects those changes. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffProgramCompatibilityAssistant_1 | +| Friendly Name | Turn off Program Compatibility Assistant | +| Location | User Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisablePCA | +| ADMX File Name | AppCompat.admx | + + + + - -ADMX Info: -- GP Friendly name: *Turn off Application Compatibility Engine* -- GP name: *AppCompatTurnOffEngine* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* + - - + +## AppCompatTurnOffProgramCompatibilityAssistant_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2 +``` + - + + +This policy setting controls the state of the Program Compatibility Assistant (PCA). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. - -
    +- If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting exists only for backward compatibility, and isn't valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. - - - - - -ADMX Info: -- GP Friendly name: *Turn off Program Compatibility Assistant* -- GP name: *AppCompatTurnOffProgramCompatibilityAssistant_1* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* - - - - -
    - - -**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. - -If you enable this policy setting, the PCA will be turned off. The user won't be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. - -If you disable or don't configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. +- If you disable or do not configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. > [!NOTE] > The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Program Compatibility Assistant* -- GP name: *AppCompatTurnOffProgramCompatibilityAssistant_2* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_AppCompat/AppCompatTurnOffUserActionRecord** +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffProgramCompatibilityAssistant_2 | +| Friendly Name | Turn off Program Compatibility Assistant | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisablePCA | +| ADMX File Name | AppCompat.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AppCompatTurnOffProgramInventory - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffProgramInventory +``` + -
    - - - -This policy setting controls the state of Steps Recorder. - -Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screenshots. Steps Recorder includes an option to turn on and off data collection. - -If you enable this policy setting, Steps Recorder will be disabled. - -If you disable or don't configure this policy setting, Steps Recorder will be enabled. - - - - - -ADMX Info: -- GP Friendly name: *Turn off Steps Recorder* -- GP name: *AppCompatTurnOffUserActionRecord* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* - - - - -
    - - -**ADMX_AppCompat/AppCompatTurnOffProgramInventory** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. -If you enable this policy setting, the Inventory Collector will be turned off and data won't be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled. +- If you enable this policy setting, the Inventory Collector will be turned off and data will not be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled. -If you disable or don't configure this policy setting, the Inventory Collector will be turned on. +- If you disable or do not configure this policy setting, the Inventory Collector will be turned on. > [!NOTE] > This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Inventory Collector* -- GP name: *AppCompatTurnOffProgramInventory* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffProgramInventory | +| Friendly Name | Turn off Inventory Collector | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisableInventory | +| ADMX File Name | AppCompat.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + +## AppCompatTurnOffSwitchBack + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffSwitchBack +``` + + + + +The policy controls the state of the Switchback compatibility engine in the system. + +Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications. + +Switchback is on by default. + +- If you enable this policy setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they are using. + +- If you disable or do not configure this policy setting, the Switchback will be turned on. + +Please reboot the system after changing the setting to ensure that your system accurately reflects those changes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffSwitchBack | +| Friendly Name | Turn off SwitchBack Compatibility Engine | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | SbEnable | +| ADMX File Name | AppCompat.admx | + + + + + + + + + +## AppCompatTurnOffUserActionRecord + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffUserActionRecord +``` + + + + +This policy setting controls the state of Steps Recorder. + +Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screen shots. Steps Recorder includes an option to turn on and off data collection. + +- If you enable this policy setting, Steps Recorder will be disabled. + +- If you disable or do not configure this policy setting, Steps Recorder will be enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffUserActionRecord | +| Friendly Name | Turn off Steps Recorder | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisableUAR | +| ADMX File Name | AppCompat.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index 5659355a4b..fb99a07c57 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md 
+++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -1,97 +1,104 @@ --- -title: Policy CSP - ADMX_AppxPackageManager -description: Learn about the Policy CSP - ADMX_AppxPackageManager. +title: ADMX_AppxPackageManager Policy CSP +description: Learn more about the ADMX_AppxPackageManager Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/10/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_AppxPackageManager - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_AppxPackageManager policies + +## AllowDeploymentInSpecialProfiles -
    -
    - ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles +``` + -
    + + +This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off: - -**ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles** +Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies - +Mandatory user profiles and super-mandatory profiles, which are created by an administrator -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Temporary user profiles, which are created when an error prevents the correct profile from loading - -
    +User profiles for the Guest account and members of the Guests group - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile. -> [!div class = "checklist"] -> * Device +- If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. + -
    + + + - - -This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. + +**Description framework properties**: -Special profiles are the following user profiles where changes are discarded after the user signs off: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies. -- Mandatory user profiles and super-mandatory profiles, which are created by an administrator. -- Temporary user profiles, which are created when an error prevents the correct profile from loading. -- User profiles for the Guest account and members of the Guests group. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile. +**ADMX mapping**: -If you disable or don't configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. 
+| Name | Value | +|:--|:--| +| Name | AllowDeploymentInSpecialProfiles | +| Friendly Name | Allow deployment operations in special profiles | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | AllowDeploymentInSpecialProfiles | +| ADMX File Name | AppxPackageManager.admx | + - + + + + - -ADMX Info: -- GP Friendly name: *Allow deployment operations in special profiles* -- GP name: *AllowDeploymentInSpecialProfiles* -- GP path: *Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* + + + - - -
    + +## Related articles - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index e021af18bf..b440390a21 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md 
@@ -1,245 +1,289 @@
 ---
-title: Policy CSP - ADMX_AppXRuntime
-description: Learn about the Policy CSP - ADMX_AppXRuntime.
+title: ADMX_AppXRuntime Policy CSP
+description: Learn more about the ADMX_AppXRuntime Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/12/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 11/10/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - ADMX_AppXRuntime
 > [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
    + + + - -## ADMX_AppXRuntime policies + +## AppxRuntimeApplicationContentUriRules -
    -
    - ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules -
    -
    - ADMX_AppXRuntime/AppxRuntimeBlockFileElevation -
    -
    - ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT -
    -
    - ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules +``` + -
    - - -**ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. -If you enable this policy setting, you can define more Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. +- If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. -If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. +- If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on dynamic Content URI Rules for Windows store apps* -- GP name: *AppxRuntimeApplicationContentUriRules* -- GP path: *Windows Components\App runtime* -- GP ADMX file name: *AppXRuntime.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_AppXRuntime/AppxRuntimeBlockFileElevation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AppxRuntimeApplicationContentUriRules | +| Friendly Name | Turn on dynamic Content URI Rules for Windows store apps | +| Location | Computer Configuration | +| Path | Windows Components > App runtime | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Packages\Applications | +| Registry Value Name | EnableDynamicContentUriRules | +| ADMX File Name | AppXRuntime.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AppxRuntimeBlockFileElevation -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeBlockFileElevation +``` - - -This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there's a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeBlockFileElevation +``` + -If you enable this policy setting, Windows Store apps can't open files in the default desktop app for a file type; they can open files only in other Windows Store apps. + + +This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. -If you disable or don't configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. +- If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps. - +- If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. + - -ADMX Info: -- GP Friendly name: *Block launching desktop apps associated with a file.* -- GP name: *AppxRuntimeBlockFileElevation* -- GP path: *Windows Components\App runtime* -- GP ADMX file name: *AppXRuntime.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AppxRuntimeBlockFileElevation | +| Friendly Name | Block launching desktop apps associated with a file. | +| Location | Computer and User Configuration | +| Path | Windows Components > App runtime | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations | +| Registry Value Name | BlockFileElevation | +| ADMX File Name | AppXRuntime.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AppxRuntimeBlockHostedAppAccessWinRT - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT +``` + + + + This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. -If you enable this policy setting, Universal Windows apps that declare Windows Runtime API access in ApplicationContentUriRules section of the manifest can't be launched; Universal Windows apps that haven't declared Windows Runtime API access in the manifest aren't affected. +- If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. -If you disable or don't configure this policy setting, all Universal Windows apps can be launched. +- If you disable or do not configure this policy setting, all Universal Windows apps can be launched. -> [!WARNING] -> This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. +This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. + - + + + - -ADMX Info: -- GP Friendly name: *Block launching Universal Windows apps with Windows Runtime API access from hosted content.* -- GP name: *AppxRuntimeBlockHostedAppAccessWinRT* -- GP path: *Windows Components\App runtime* -- GP ADMX file name: *AppXRuntime.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | AppxRuntimeBlockHostedAppAccessWinRT | +| Friendly Name | Block launching Universal Windows apps with Windows Runtime API access from hosted content. | +| Location | Computer Configuration | +| Path | Windows Components > App runtime | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | BlockHostedAppAccessWinRT | +| ADMX File Name | AppXRuntime.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device -> * User + +## AppxRuntimeBlockProtocolElevation -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there's a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation +``` -If you enable this policy setting, Windows Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation +``` + -If you disable or don't configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme. + + +This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. + +- If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. + +- If you disable or do not configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme. > [!NOTE] > Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Block launching desktop apps associated with a URI scheme* -- GP name: *AppxRuntimeBlockProtocolElevation* -- GP path: *Windows Components\App runtime* -- GP ADMX file name: *AppXRuntime.admx* + +**Description framework properties**: - - -
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-## Related topics
+| Name | Value |
+|:--|:--|
+| Name | AppxRuntimeBlockProtocolElevation |
+| Friendly Name | Block launching desktop apps associated with a URI scheme |
+| Location | Computer and User Configuration |
+| Path | Windows Components > App runtime |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations |
+| Registry Value Name | BlockProtocolElevation |
+| ADMX File Name | AppXRuntime.admx |
+
-[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
\ No newline at end of file
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
index f495e736eb..e6f792fa8b 100644
--- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
@@ -1,302 +1,353 @@
 ---
-title: Policy CSP - ADMX_AttachmentManager
-description: Learn about the Policy CSP - ADMX_AttachmentManager.
+title: ADMX_AttachmentManager Policy CSP
+description: Learn more about the ADMX_AttachmentManager Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/09/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 11/10/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - ADMX_AttachmentManager
 > [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
    + + + - -## ADMX_AttachmentManager policies + +## AM_EstimateFileHandlerRisk -
    -
    - ADMX_AttachmentManager/AM_EstimateFileHandlerRisk -
    -
    - ADMX_AttachmentManager/AM_SetFileRiskLevel -
    -
    - ADMX_AttachmentManager/AM_SetHighRiskInclusion -
    -
    - ADMX_AttachmentManager/AM_SetLowRiskInclusion -
    -
    - ADMX_AttachmentManager/AM_SetModRiskInclusion -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AttachmentManager/AM_EstimateFileHandlerRisk +``` + -
    - - -**ADMX_AttachmentManager/AM_EstimateFileHandlerRisk** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files. -Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation that will cause users to see more trust prompts than choosing the other options. +Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. -If you enable this policy setting, you can choose the order in which Windows processes risk assessment data. +Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cause users to see more trust prompts than choosing the other options. -If you disable this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. +- If you enable this policy setting, you can choose the order in which Windows processes risk assessment data. -If you don't configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. +- If you disable this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. - +- If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. + - -ADMX Info: -- GP Friendly name: *Trust logic for file attachments* -- GP name: *AM_EstimateFileHandlerRisk* -- GP path: *Windows Components\Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_AttachmentManager/AM_SetFileRiskLevel** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AM_EstimateFileHandlerRisk | +| Friendly Name | Trust logic for file attachments | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Attachments | +| ADMX File Name | AttachmentManager.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## AM_SetFileRiskLevel - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AttachmentManager/AM_SetFileRiskLevel +``` + + + + This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. -- High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. -- Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. -- Low Risk: If the attachment is in the list of low-risk file types, Windows won't prompt the user before accessing the file, regardless of the file's zone information. +High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. -If you enable this policy setting, you can specify the default risk level for file types. +Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. -If you disable this policy setting, Windows sets the default risk level to moderate. +Low Risk: If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. -If you don't configure this policy setting, Windows sets the default risk level to moderate. +- If you enable this policy setting, you can specify the default risk level for file types. 
- +- If you disable this policy setting, Windows sets the default risk level to moderate. - -ADMX Info: -- GP Friendly name: *Default risk level for file attachments* -- GP name: *AM_SetFileRiskLevel* -- GP path: *Windows Components\Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* +- If you do not configure this policy setting, Windows sets the default risk level to moderate. + - - -
    + + + - -**ADMX_AttachmentManager/AM_SetHighRiskInclusion** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | AM_SetFileRiskLevel | +| Friendly Name | Default risk level for file attachments | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations | +| ADMX File Name | AttachmentManager.admx | + -> [!div class = "checklist"] -> * User + + + -
    + - - + +## AM_SetHighRiskInclusion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AttachmentManager/AM_SetHighRiskInclusion +``` + + + + This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). -If you enable this policy setting, you can create a custom list of high-risk file types. +- If you enable this policy setting, you can create a custom list of high-risk file types. -If you disable this policy setting, Windows uses its built-in list of file types that pose a high risk. +- If you disable this policy setting, Windows uses its built-in list of file types that pose a high risk. -If you don't configure this policy setting, Windows uses its built-in list of high-risk file types. +- If you do not configure this policy setting, Windows uses its built-in list of high-risk file types. + - + + + - -ADMX Info: -- GP Friendly name: *Inclusion list for high risk file types* -- GP name: *AM_SetHighRiskInclusion* -- GP path: *Windows Components\Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_AttachmentManager/AM_SetLowRiskInclusion** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | AM_SetHighRiskInclusion | +| Friendly Name | Inclusion list for high risk file types | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations | +| ADMX File Name | AttachmentManager.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## AM_SetLowRiskInclusion -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows won't prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AttachmentManager/AM_SetLowRiskInclusion +``` + -If you enable this policy setting, you can specify file types that pose a low risk. + + +This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). -If you disable this policy setting, Windows uses its default trust logic. +- If you enable this policy setting, you can specify file types that pose a low risk. -If you don't configure this policy setting, Windows uses its default trust logic. +- If you disable this policy setting, Windows uses its default trust logic. - +- If you do not configure this policy setting, Windows uses its default trust logic. + - -ADMX Info: -- GP Friendly name: *Inclusion list for low file types* -- GP name: *AM_SetLowRiskInclusion* -- GP path: *Windows Components\Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_AttachmentManager/AM_SetModRiskInclusion** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AM_SetLowRiskInclusion | +| Friendly Name | Inclusion list for low file types | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations | +| ADMX File Name | AttachmentManager.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## AM_SetModRiskInclusion - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AttachmentManager/AM_SetModRiskInclusion +``` + + + + This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). -If you enable this policy setting, you can specify file types that pose a moderate risk. +- If you enable this policy setting, you can specify file types which pose a moderate risk. -If you disable this policy setting, Windows uses its default trust logic. +- If you disable this policy setting, Windows uses its default trust logic. -If you don't configure this policy setting, Windows uses its default trust logic. +- If you do not configure this policy setting, Windows uses its default trust logic. + - + + + - -ADMX Info: -- GP Friendly name: *Inclusion list for moderate risk file types* -- GP name: *AM_SetModRiskInclusion* -- GP path: *Windows Components\Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | AM_SetModRiskInclusion | +| Friendly Name | Inclusion list for moderate risk file types | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations | +| ADMX File Name | AttachmentManager.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index ba2080b6b3..8e82cda5ea 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md 
@@ -1,94 +1,102 @@ --- -title: Policy CSP - ADMX_AuditSettings -description: Learn about the Policy CSP - ADMX_AuditSettings. +title: ADMX_AuditSettings Policy CSP +description: Learn more about the ADMX_AuditSettings Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- -# Policy CSP - ADMX_AuditSettings. + + + +# Policy CSP - ADMX_AuditSettings > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_AuditSettings policies + +## IncludeCmdLine -
    -
    - ADMX_AuditSettings/IncludeCmdLine -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AuditSettings/IncludeCmdLine +``` + -
    + + +This policy setting determines what information is logged in security audit events when a new process has been created. - -**ADMX_AuditSettings/IncludeCmdLine** +This setting only applies when the Audit Process Creation policy is enabled. +- If you enable this policy setting the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. - +- If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. - -If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. - -If you disable or don't configure this policy setting, the process's command line information won't be included in Audit Process Creation events. - -Default is Not configured. +Default: Not configured > [!NOTE] -> When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information, such as passwords or user data. +> When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information such as passwords or user data. + - + + + - -ADMX Info: -- GP Friendly name: *Include command line in process creation events* -- GP name: *IncludeCmdLine* -- GP path: *System/Audit Process Creation* -- GP ADMX file name: *AuditSettings.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | IncludeCmdLine | +| Friendly Name | Include command line in process creation events | +| Location | Computer Configuration | +| Path | System > Audit Process Creation | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit | +| Registry Value Name | ProcessCreationIncludeCmdLine_Enabled | +| ADMX File Name | AuditSettings.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index d60708eecf..53f320034a 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md 
@@ -1,785 +1,913 @@ --- -title: Policy CSP - ADMX_Bits -description: Learn about the Policy CSP - ADMX_Bits. +title: ADMX_Bits Policy CSP +description: Learn more about the ADMX_Bits Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/20/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Bits > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Bits policies + +## BITS_DisableBranchCache -
    -
    - ADMX_Bits/BITS_DisableBranchCache -
    -
    - ADMX_Bits/BITS_DisablePeercachingClient -
    -
    - ADMX_Bits/BITS_DisablePeercachingServer -
    -
    - ADMX_Bits/BITS_EnablePeercaching -
    -
    - ADMX_Bits/BITS_MaxBandwidthServedForPeers -
    -
    - ADMX_Bits/BITS_MaxBandwidthV2_Maintenance -
    -
    - ADMX_Bits/BITS_MaxBandwidthV2_Work -
    -
    - ADMX_Bits/BITS_MaxCacheSize -
    -
    - ADMX_Bits/BITS_MaxContentAge -
    -
    - ADMX_Bits/BITS_MaxDownloadTime -
    -
    - ADMX_Bits/BITS_MaxFilesPerJob -
    -
    - ADMX_Bits/BITS_MaxJobsPerMachine -
    -
    - ADMX_Bits/BITS_MaxJobsPerUser -
    -
    - ADMX_Bits/BITS_MaxRangesPerFile -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_DisableBranchCache +``` + -
    - - -**ADMX_Bits/BITS_DisableBranchCache** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. -If you enable this policy setting, the BITS client doesn't use Windows Branch Cache. +- If you enable this policy setting, the BITS client does not use Windows Branch Cache. -If you disable or don't configure this policy setting, the BITS client uses Windows Branch Cache. +- If you disable or do not configure this policy setting, the BITS client uses Windows Branch Cache. > [!NOTE] -> This policy setting doesn't affect the use of Windows Branch Cache by applications other than BITS. This policy setting doesn't apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. +> This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow the BITS client to use Windows Branch Cache* -- GP name: *BITS_DisableBranchCache* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Bits/BITS_DisablePeercachingClient** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | BITS_DisableBranchCache | +| Friendly Name | Do not allow the BITS client to use Windows Branch Cache | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| Registry Value Name | DisableBranchCache | +| ADMX File Name | Bits.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## BITS_DisablePeercachingClient -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_DisablePeercachingClient +``` + + + + This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). -If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers. +- If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers. -If you disable or don't configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin server. +- If you disable or do not configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin server. > [!NOTE] > This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not allow the computer to act as a BITS Peercaching client* -- GP name: *BITS_DisablePeercachingClient* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Bits/BITS_DisablePeercachingServer** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_DisablePeercachingClient | +| Friendly Name | Do not allow the computer to act as a BITS Peercaching client | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| Registry Value Name | DisablePeerCachingClient | +| ADMX File Name | Bits.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BITS_DisablePeercachingServer -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_DisablePeercachingServer +``` + - - + + This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). -If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers. +- If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers. -If you disable or don't configure this policy setting, the computer will offer downloaded and cached files to its peers. +- If you disable or do not configure this policy setting, the computer will offer downloaded and cached files to its peers. > [!NOTE] > This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not allow the computer to act as a BITS Peercaching server* -- GP name: *BITS_DisablePeercachingServer* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Bits/BITS_EnablePeercaching** +| Name | Value | +|:--|:--| +| Name | BITS_DisablePeercachingServer | +| Friendly Name | Do not allow the computer to act as a BITS Peercaching server | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| Registry Value Name | DisablePeerCachingServer | +| ADMX File Name | Bits.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## BITS_EnablePeercaching - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_EnablePeercaching +``` + -
    - - - + + This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. -If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When a download job is being transferred, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. +If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. -If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it's possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. +- If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it is possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. 
-If you disable or don't configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. +- If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow BITS Peercaching* -- GP name: *BITS_EnablePeercaching* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Bits/BITS_MaxBandwidthServedForPeers** +| Name | Value | +|:--|:--| +| Name | BITS_EnablePeercaching | +| Friendly Name | Allow BITS Peercaching | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| Registry Value Name | EnablePeercaching | +| ADMX File Name | Bits.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## BITS_MaxBandwidthServedForPeers - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting doesn't affect transfers from the origin server). - -To prevent any negative impact to a computer caused by serving other peers, by default, BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100-Mbps network card and a 56-Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxBandwidthServedForPeers +``` + + + +This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). +To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. You can change the default behavior of BITS, and specify a fixed maximum bandwidth that BITS will use for peer caching. -If you enable this policy setting, you can enter a value in bits per second (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth used for peer caching. +- If you enable this policy setting, you can enter a value in bits per second (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth used for peer caching. -If you disable this policy setting or don't configure it, the default value of 30 percent of the slowest active network interface will be used. +- If you disable this policy setting or do not configure it, the default value of 30 percent of the slowest active network interface will be used. > [!NOTE] > This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Limit the maximum network bandwidth used for Peercaching* -- GP name: *BITS_MaxBandwidthServedForPeers* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Bits/BITS_MaxBandwidthV2_Maintenance** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | BITS_MaxBandwidthServedForPeers | +| Friendly Name | Limit the maximum network bandwidth used for Peercaching | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## BITS_MaxBandwidthV2_Maintenance -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxBandwidthV2_Maintenance +``` + + + + This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. -If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period. +- If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period. -You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule. +You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A. M. to 10:00 A. M. on a maintenance schedule. -If you disable or don't configure this policy setting, the limits defined for work or non-work schedules will be used. +- If you disable or do not configure this policy setting, the limits defined for work or nonwork schedules will be used. > [!NOTE] > The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers* -- GP name: *BITS_MaxBandwidthV2_Maintenance* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Bits/BITS_MaxBandwidthV2_Work** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_MaxBandwidthV2_Maintenance | +| Friendly Name | Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS\Throttling | +| Registry Value Name | EnableMaintenanceLimits | +| ADMX File Name | Bits.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BITS_MaxBandwidthV2_Work -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxBandwidthV2_Work +``` + - - -This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that aren't defined in a work schedule are considered non-work hours. + + +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and nonwork days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours. -If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and non-work hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. +- If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and nonwork hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. -You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for non-work hours. +You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A. M. to 5:00 P. M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours. 
-If you disable or don't configure this policy setting, BITS uses all available unused bandwidth for background job transfers. +- If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers. + - + + + - -ADMX Info: -- GP Friendly name: *Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers* -- GP name: *BITS_MaxBandwidthV2_Work* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Bits/BITS_MaxCacheSize** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_MaxBandwidthV2_Work | +| Friendly Name | Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS\Throttling | +| Registry Value Name | EnableBandwidthLimits | +| ADMX File Name | Bits.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BITS_MaxCacheSize -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxCacheSize +``` + - - + + This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache. -If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. +- If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. -If you disable or don't configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size. +- If you disable or do not configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size. > [!NOTE] > This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. + - + + + - -ADMX Info: -- GP Friendly name: *Limit the BITS Peercache size* -- GP name: *BITS_MaxCacheSize* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Bits/BITS_MaxContentAge** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | BITS_MaxCacheSize | +| Friendly Name | Limit the BITS Peercache size | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## BITS_MaxContentAge -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default, BITS removes any files in the peer cache that haven't been accessed in the past 90 days. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxContentAge +``` + -If you enable this policy setting, you can specify in days the maximum age of files in the cache. You can enter a value between 1 and 120 days. + + +This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default BITS removes any files in the peer cache that have not been accessed in the past 90 days. -If you disable or don't configure this policy setting, files that haven't been accessed for the past 90 days will be removed from the peer cache. +- If you enable this policy setting, you can specify in days the maximum age of files in the cache. You can enter a value between 1 and 120 days. + +- If you disable or do not configure this policy setting, files that have not been accessed for the past 90 days will be removed from the peer cache. > [!NOTE] > This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured. + - + +Available in the latest Windows 10 Insider Preview Build. + - -ADMX Info: -- GP Friendly name: *Limit the age of files in the BITS Peercache* -- GP name: *BITS_MaxContentAge* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Bits/BITS_MaxDownloadTime** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | BITS_MaxContentAge | +| Friendly Name | Limit the age of files in the BITS Peercache | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## BITS_MaxDownloadTime -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxDownloadTime +``` + + + + This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job. The time limit applies only to the time that BITS is actively downloading files. When the cumulative download time exceeds this limit, the job is placed in the error state. -By default, BITS uses a maximum download time of 90 days (7,776,000 seconds). +By default BITS uses a maximum download time of 90 days (7,776,000 seconds). -If you enable this policy setting, you can set the maximum job download time to a specified number of seconds. +- If you enable this policy setting, you can set the maximum job download time to a specified number of seconds. -If you disable or don't configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. +- If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Limit the maximum BITS job download time* -- GP name: *BITS_MaxDownloadTime* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Bits/BITS_MaxFilesPerJob** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_MaxDownloadTime | +| Friendly Name | Limit the maximum BITS job download time | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BITS_MaxFilesPerJob -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxFilesPerJob +``` + - - -This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS job can contain. + + +This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. -If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number. +- If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number. -If you disable or don't configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain. +- If you disable or do not configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain. > [!NOTE] -> BITS Jobs created by services and the local administrator account don't count toward this limit. +> BITS Jobs created by services and the local administrator account do not count toward this limit. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Limit the maximum number of files allowed in a BITS job* -- GP name: *BITS_MaxFilesPerJob* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Bits/BITS_MaxJobsPerMachine** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_MaxFilesPerJob | +| Friendly Name | Limit the maximum number of files allowed in a BITS job | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BITS_MaxJobsPerMachine -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxJobsPerMachine +``` + - - + + This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs. -If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number. +- If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number. -If you disable or don't configure this policy setting, BITS will use the default BITS job limit of 300 jobs. +- If you disable or do not configure this policy setting, BITS will use the default BITS job limit of 300 jobs. > [!NOTE] -> BITS jobs created by services and the local administrator account don't count toward this limit. +> BITS jobs created by services and the local administrator account do not count toward this limit. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Limit the maximum number of BITS jobs for this computer* -- GP name: *BITS_MaxJobsPerMachine* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Bits/BITS_MaxJobsPerUser** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_MaxJobsPerMachine | +| Friendly Name | Limit the maximum number of BITS jobs for this computer | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BITS_MaxJobsPerUser -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxJobsPerUser +``` + - - + + This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create. -If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number. +- If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number. -If you disable or don't configure this policy setting, BITS will use the default user BITS job limit of 300 jobs. +- If you disable or do not configure this policy setting, BITS will use the default user BITS job limit of 300 jobs. > [!NOTE] -> This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account don't count toward this limit. +> This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Limit the maximum number of BITS jobs for each user* -- GP name: *BITS_MaxJobsPerUser* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Bits/BITS_MaxRangesPerFile** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_MaxJobsPerUser | +| Friendly Name | Limit the maximum number of BITS jobs for each user | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BITS_MaxRangesPerFile -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxRangesPerFile +``` + - - + + This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. -If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number. +- If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number. -If you disable or don't configure this policy setting, BITS will limit ranges to 500 ranges per file. +- If you disable or do not configure this policy setting, BITS will limit ranges to 500 ranges per file. > [!NOTE] -> BITS Jobs created by services and the local administrator account don't count toward this limit. +> BITS Jobs created by services and the local administrator account do not count toward this limit. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Limit the maximum number of ranges that can be added to the file in a BITS job* -- GP name: *BITS_MaxRangesPerFile* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_MaxRangesPerFile | +| Friendly Name | Limit the maximum number of ranges that can be added to the file in a BITS job | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index 8b03be11b7..6c2d52f8d1 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md 
@@ -1,155 +1,166 @@ --- -title: Policy CSP - ADMX_CipherSuiteOrder -description: Learn about the Policy CSP - ADMX_CipherSuiteOrder. +title: ADMX_CipherSuiteOrder Policy CSP +description: Learn more about the ADMX_CipherSuiteOrder Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/17/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_CipherSuiteOrder > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_CipherSuiteOrder policies + +## SSLCipherSuiteOrder -
    -
    - ADMX_CipherSuiteOrder/SSLCipherSuiteOrder -
    -
    - ADMX_CipherSuiteOrder/SSLCurveOrder -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CipherSuiteOrder/SSLCipherSuiteOrder +``` + -
    - - -**ADMX_CipherSuiteOrder/SSLCipherSuiteOrder** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). -If you enable this policy setting, SSL cipher suites are prioritized in the order specified. +- If you enable this policy setting, SSL cipher suites are prioritized in the order specified. -If you disable or do not configure this policy setting, default cipher suite order is used. +- If you disable or do not configure this policy setting, default cipher suite order is used. -For information about supported cipher suites, see [Cipher Suites in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/cipher-suites-in-schannel). +Link for all the cipherSuites: + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *SSL Cipher Suite Order* -- GP name: *SSLCipherSuiteOrder* -- GP path: *Network/SSL Configuration Settings* -- GP ADMX file name: *CipherSuiteOrder.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_CipherSuiteOrder/SSLCurveOrder** +| Name | Value | +|:--|:--| +| Name | SSLCipherSuiteOrder | +| Friendly Name | SSL Cipher Suite Order | +| Location | Computer Configuration | +| Path | Network > SSL Configuration Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 | +| ADMX File Name | CipherSuiteOrder.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## SSLCurveOrder - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CipherSuiteOrder/SSLCurveOrder +``` + -
    - - - + + This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. -If you enable this policy setting, ECC curves are prioritized in the order specified. Enter one curve name per line. +- If you enable this policy setting, ECC curves are prioritized in the order specified.(Enter one Curve name per line) -If you disable or do not configure this policy setting, the default ECC curve order is used. +- If you disable or do not configure this policy setting, the default ECC curve order is used. -The default curve order is as follows: +Default Curve Order + +curve25519 +NistP256 +NistP384 -- curve25519 -- NistP256 -- NistP384 +To See all the curves supported on the system, Use the following command: -To see all the curves supported on the system, enter the following command: - -``` cmd CertUtil.exe -DisplayEccCurve -``` + - + + + - -ADMX Info: -- GP Friendly name: *ECC Curve Order* -- GP name: *SSLCurveOrder* -- GP path: *Network/SSL Configuration Settings* -- GP ADMX file name: *CipherSuiteOrder.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | SSLCurveOrder | +| Friendly Name | ECC Curve Order | +| Location | Computer Configuration | +| Path | Network > SSL Configuration Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 | +| ADMX File Name | CipherSuiteOrder.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index e98e447d36..3ee1a98a1d 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md 
@@ -1,148 +1,164 @@
 ---
-title: Policy CSP - ADMX_COM
-description: Learn about the Policy CSP - ADMX_COM.
+title: ADMX_COM Policy CSP
+description: Learn more about the ADMX_COM Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/09/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 08/18/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - ADMX_COM
 > [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
    + + + - -## ADMX_COM policies + +## AppMgmt_COM_SearchForCLSID_1 -
    -
    - ADMX_COM/AppMgmt_COM_SearchForCLSID_1 -
    -
    - ADMX_COM/AppMgmt_COM_SearchForCLSID_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_COM/AppMgmt_COM_SearchForCLSID_1 +``` + -
    - - -**ADMX_COM/AppMgmt_COM_SearchForCLSID_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. -Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs can't perform all their functions unless Windows has internally registered the required components. +Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. -If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it's found, downloads it. The resulting searches might make some programs start or run slowly. +- If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make some programs start or run slowly. -If you disable or don't configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. +- If you disable or do not configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Download missing COM components* -- GP name: *AppMgmt_COM_SearchForCLSID_1* -- GP path: *System* -- GP ADMX file name: *COM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_COM/AppMgmt_COM_SearchForCLSID_2** +| Name | Value | +|:--|:--| +| Name | AppMgmt_COM_SearchForCLSID_1 | +| Friendly Name | Download missing COM components | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\App Management | +| Registry Value Name | COMClassStore | +| ADMX File Name | COM.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AppMgmt_COM_SearchForCLSID_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_COM/AppMgmt_COM_SearchForCLSID_2 +``` + -
    - - - + + This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. -Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs can't perform all their functions unless Windows has internally registered the required components. +Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. -If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it's found, downloads it. The resulting searches might make some programs start or run slowly. +- If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make some programs start or run slowly. -If you disable or don't configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. +- If you disable or do not configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + - + + + - -ADMX Info: -- GP Friendly name: *Download missing COM components* -- GP name: *AppMgmt_COM_SearchForCLSID_2* -- GP path: *System* -- GP ADMX file name: *COM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | AppMgmt_COM_SearchForCLSID_2 | +| Friendly Name | Download missing COM components | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\App Management | +| Registry Value Name | COMClassStore | +| ADMX File Name | COM.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index 859b2de089..4a3df26d6e 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md 
@@ -1,81 +1,52 @@
 ---
-title: Policy CSP - ADMX_ControlPanel
-description: Learn about the Policy CSP - ADMX_ControlPanel.
+title: ADMX_ControlPanel Policy CSP
+description: Learn more about the ADMX_ControlPanel Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/09/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 11/05/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - ADMX_ControlPanel
 > [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
    + + + - -## ADMX_ControlPanel policies + +## DisallowCpls -
    -
    - ADMX_ControlPanel/DisallowCpls -
    -
    - ADMX_ControlPanel/ForceClassicControlPanel -
    -
    - ADMX_ControlPanel/NoControlPanel -
    -
    - ADMX_ControlPanel/RestrictCpls -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanel/DisallowCpls +``` + -
    - - -**ADMX_ControlPanel/DisallowCpls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. -If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. +- If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. -To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. +To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization. > [!NOTE] > For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items". 
@@ -84,164 +55,201 @@ If both the "Hide specified Control Panel items" setting and the "Show only spec > [!NOTE] > The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. -> ->To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. - - - - - -ADMX Info: -- GP Friendly name: *Hide specified Control Panel items* -- GP name: *DisallowCpls* -- GP path: *Control Panel* -- GP ADMX file name: *ControlPanel.admx* - - - -
    - - -**ADMX_ControlPanel/ForceClassicControlPanel** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting controls the default Control Panel view, whether by category or icons. - -If this policy setting is enabled, the Control Panel opens to the icon view. - -If this policy setting is disabled, the Control Panel opens to the category view. - -If this policy setting isn't configured, the Control Panel opens to the view used in the last Control Panel session. +> [!NOTE] +> To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisallowCpls | +| Friendly Name | Hide specified Control Panel items | +| Location | User Configuration | +| Path | Control Panel | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisallowCpl | +| ADMX File Name | ControlPanel.admx | + + + + + + + + + +## ForceClassicControlPanel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanel/ForceClassicControlPanel +``` + + + + +This policy setting controls the default Control Panel view, whether by category or icons. + +- If this policy setting is enabled, the Control Panel opens to the icon view. + +- If this policy setting is disabled, the Control Panel opens to the category view. + +- If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel session. > [!NOTE] > Icon size is dependent upon what the user has set it to in the previous session. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Always open All Control Panel Items when opening Control Panel* -- GP name: *ForceClassicControlPanel* -- GP path: *Control Panel* -- GP ADMX file name: *ControlPanel.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ControlPanel/NoControlPanel** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ForceClassicControlPanel | +| Friendly Name | Always open All Control Panel Items when opening Control Panel | +| Location | User Configuration | +| Path | Control Panel | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ForceClassicControlPanel | +| ADMX File Name | ControlPanel.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoControlPanel -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanel/NoControlPanel +``` + - - -Available in the latest Windows 10 Insider Preview Build. Disables all Control Panel programs and the PC settings app. + + +Disables all Control Panel programs and the PC settings app. -This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users can't start Control Panel or PC settings, or run any of their items. +This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users cannot start Control Panel or PC settings, or run any of their items. This setting removes Control Panel from: - -- The Start screen -- File Explorer +The Start screen +File Explorer This setting removes PC settings from: - -- The Start screen -- Settings charm -- Account picture -- Search results +The Start screen +Settings charm +Account picture +Search results If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit access to Control Panel and PC settings* -- GP name: *NoControlPanel* -- GP path: *Control Panel* -- GP ADMX file name: *ControlPanel.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ControlPanel/RestrictCpls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoControlPanel | +| Friendly Name | Prohibit access to Control Panel and PC settings | +| Location | User Configuration | +| Path | Control Panel | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoControlPanel | +| ADMX File Name | ControlPanel.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictCpls -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanel/RestrictCpls +``` + - - -This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those items you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. + + +This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. -To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. +To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization. > [!NOTE] > For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. 
If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items". @@ -250,24 +258,53 @@ If both the "Hide specified Control Panel items" setting and the "Show only spec > [!NOTE] > The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. -> + +> [!NOTE] > To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. + - + + + - -ADMX Info: -- GP Friendly name: *Show only specified Control Panel items* -- GP name: *RestrictCpls* -- GP path: *Control Panel* -- GP ADMX file name: *ControlPanel.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | RestrictCpls | +| Friendly Name | Show only specified Control Panel items | +| Location | User Configuration | +| Path | Control Panel | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | RestrictCpl | +| ADMX File Name | ControlPanel.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index 059b11b086..68499c0c39 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md 
@@ -1,1275 +1,1534 @@
 ---
-title: Policy CSP - ADMX_ControlPanelDisplay
-description: Learn about the Policy CSP - ADMX_ControlPanelDisplay.
+title: ADMX_ControlPanelDisplay Policy CSP
+description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/13/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 11/05/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - ADMX_ControlPanelDisplay
 > [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
    + + + - -## ADMX_ControlPanelDisplay policies + +## CPL_Display_Disable -
    -
    - ADMX_ControlPanelDisplay/CPL_Display_Disable -
    -
    - ADMX_ControlPanelDisplay/CPL_Display_HideSettings -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Display_Disable +``` + -
    + + +Disables the Display Control Panel. - -**ADMX_ControlPanelDisplay/CPL_Display_Disable** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting disables the Display Control Panel. - -If you enable this setting, the Display Control Panel doesn't run. When users try to start Display, a message appears explaining that a setting prevents the action. +- If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Disable the Display Control Panel* -- GP name: *CPL_Display_Disable* -- GP path: *Control Panel\Display* -- GP ADMX file name: *ControlPanelDisplay.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ControlPanelDisplay/CPL_Display_HideSettings** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CPL_Display_Disable | +| Friendly Name | Disable the Display Control Panel | +| Location | User Configuration | +| Path | Control Panel > Display | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoDispCPL | +| ADMX File Name | ControlPanelDisplay.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CPL_Display_HideSettings -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Display_HideSettings +``` + - - -This setting removes the Settings tab from Display in Control Panel. + + +Removes the Settings tab from Display in Control Panel. This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide Settings tab* -- GP name: *CPL_Display_HideSettings* -- GP path: *Control Panel\Display* -- GP ADMX file name: *ControlPanelDisplay.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CPL_Display_HideSettings | +| Friendly Name | Hide Settings tab | +| Location | User Configuration | +| Path | Control Panel > Display | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoDispSettingsPage | +| ADMX File Name | ControlPanelDisplay.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CPL_Personalization_DisableColorSchemeChoice -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice +``` + - - + + This setting forces the theme color scheme to be the default color scheme. -If you enable this setting, a user can't change the color scheme of the current desktop theme. +- If you enable this setting, a user cannot change the color scheme of the current desktop theme. -If you disable or don't configure this setting, a user may change the color scheme of the current desktop theme. +- If you disable or do not configure this setting, a user may change the color scheme of the current desktop theme. For Windows 7 and later, use the "Prevent changing color and appearance" setting. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing color scheme* -- GP name: *CPL_Personalization_DisableColorSchemeChoice* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_DisableColorSchemeChoice | +| Friendly Name | Prevent changing color scheme | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoColorChoice | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_DisableThemeChange -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange +``` + + + + This setting disables the theme gallery in the Personalization Control Panel. -If you enable this setting, users can't change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). +- If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). -If you disable or don't configure this setting, there's no effect. +- If you disable or do not configure this setting, there is no effect. > [!NOTE] -> If you enable this setting but don't specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. +> If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing theme* -- GP name: *CPL_Personalization_DisableThemeChange* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_DisableThemeChange | +| Friendly Name | Prevent changing theme | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoThemesTab | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_DisableVisualStyle -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle +``` + + + + +Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in Display Properties. -When enabled on Windows XP and later systems, this setting prevents users and applications from changing the visual style through the command line. Also, a user may not apply a different visual style when changing themes. +When enabled on Windows XP and later systems, this setting prevents users and applications from changing the visual style through the command line. Also, a user may not apply a different visual style when changing themes. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing visual style for windows and buttons* -- GP name: *CPL_Personalization_DisableVisualStyle* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_DisableVisualStyle | +| Friendly Name | Prevent changing visual style for windows and buttons | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoVisualStyleChoice | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_EnableScreenSaver -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting enables desktop screen savers. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver +``` + -If you disable this setting, screen savers don't run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users can't change the screen saver options. + + +Enables desktop screen savers. -If you don't configure it, this setting has no effect on the system. +- If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. -If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client computer. Second, the screen saver timeout is set to a nonzero value through the setting or Control Panel. +- If you do not configure it, this setting has no effect on the system. + +- If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client computer. Second, the screen saver timeout is set to a nonzero value through the setting or Control Panel. Also, see the "Prevent changing Screen Saver" setting. + - + + + - -ADMX Info: -- GP Friendly name: *Enable screen saver* -- GP name: *CPL_Personalization_EnableScreenSaver* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_EnableScreenSaver | +| Friendly Name | Enable screen saver | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Control Panel\Desktop | +| Registry Value Name | ScreenSaveActive | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## CPL_Personalization_ForceDefaultLockScreen -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This setting allows you to force a specific default lock screen and sign-in image by entering the path (location) of the image file. The same image will be used for both the lock and sign-in screens. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen +``` + -This setting lets you specify the default lock screen and sign-in image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). + + +This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. -To use this setting, type the fully qualified path and name of the file that stores the default lock screen and sign-in image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as `\\Server\Share\Corp.jpg`. +This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). -This setting can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and sign-in image to be shown. +To use this setting, type the fully qualified path and name of the file that stores the default lock screen and logon image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as \\Server\Share\Corp.jpg. ->[!NOTE] +This can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and logon image to be shown. + +> [!NOTE] > This setting only applies to Enterprise, Education, and Server SKUs. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Force a specific default lock screen and logon image* -- GP name: *CPL_Personalization_ForceDefaultLockScreen* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_ForceDefaultLockScreen | +| Friendly Name | Force a specific default lock screen and logon image | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| ADMX File Name | ControlPanelDisplay.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CPL_Personalization_LockFontSize -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize +``` + - - -This setting prevents users from changing the size of the font in the windows and buttons displayed on their screens. + + +Prevents users from changing the size of the font in the windows and buttons displayed on their screens. -If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. +- If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. -If you disable or don't configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. +- If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. + - + + + - -ADMX Info: -- GP Friendly name: *Prohibit selection of visual style font size* -- GP name: *CPL_Personalization_LockFontSize* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_LockFontSize | +| Friendly Name | Prohibit selection of visual style font size | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoSizeChoice | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## CPL_Personalization_NoChangingLockScreen -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Prevents users from changing the background image shown when the machine is locked or when on the sign-in screen. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen +``` + -By default, users can change the background image shown when the machine is locked or displaying the sign-in screen. + + +Prevents users from changing the background image shown when the machine is locked or when on the logon screen. -If you enable this setting, the user won't be able to change their lock screen and sign-in image, and they'll instead see the default image. +By default, users can change the background image shown when the machine is locked or displaying the logon screen. - +- If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image. + - -ADMX Info: -- GP Friendly name: *Prevent changing lock screen and logon image* -- GP name: *CPL_Personalization_NoChangingLockScreen* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoChangingLockScreen | +| Friendly Name | Prevent changing lock screen and logon image | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoChangingLockScreen | +| ADMX File Name | ControlPanelDisplay.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## CPL_Personalization_NoChangingStartMenuBackground - - -This setting prevents users from changing the look of their start menu background, such as its color or accent. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground +``` + + + + +Prevents users from changing the look of their start menu background, such as its color or accent. By default, users can change the look of their start menu background, such as its color or accent. -If you enable this setting, the user will be assigned the default start menu background and colors and won't be allowed to change them. +- If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them. If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colors take precedence over this policy. If the "Force a specific Start background" policy is also set on a supported version of Windows, then that background takes precedence over this policy. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing start menu background* -- GP name: *CPL_Personalization_NoChangingStartMenuBackground* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoChangingStartMenuBackground | +| Friendly Name | Prevent changing start menu background | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoChangingStartMenuBackground | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_NoColorAppearanceUI -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This setting disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature isn't available. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI +``` + -This setting also prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. + + +Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. -If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel. +This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. -For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the Display in Control Panel. +- If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel. - +For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel. + - -ADMX Info: -- GP Friendly name: *Prevent changing color and appearance* -- GP name: *CPL_Personalization_NoColorAppearanceUI* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoColorAppearanceUI | +| Friendly Name | Prevent changing color and appearance | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoDispAppearancePage | +| ADMX File Name | ControlPanelDisplay.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## CPL_Personalization_NoDesktopBackgroundUI - - -This setting prevents users from adding or changing the background design of the desktop. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI +``` + + + + +Prevents users from adding or changing the background design of the desktop. By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop. -If you enable this setting, none of the Desktop Background settings can be changed by the user. +- If you enable this setting, none of the Desktop Background settings can be changed by the user. To specify wallpaper for a group, use the "Desktop Wallpaper" setting. ->[!NOTE] ->You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more information. +> [!NOTE] +> You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more information. Also, see the "Allow only bitmapped wallpaper" setting. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing desktop background* -- GP name: *CPL_Personalization_NoDesktopBackgroundUI* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoDesktopBackgroundUI | +| Friendly Name | Prevent changing desktop background | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | +| Registry Value Name | NoChangingWallPaper | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_NoDesktopIconsUI -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This setting prevents users from changing the desktop icons. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI +``` + + + + +Prevents users from changing the desktop icons. By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. -If you enable this setting, none of the desktop icons can be changed by the user. +- If you enable this setting, none of the desktop icons can be changed by the user. For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing desktop icons* -- GP name: *CPL_Personalization_NoDesktopIconsUI* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoDesktopIconsUI | +| Friendly Name | Prevent changing desktop icons | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoDispBackgroundPage | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## CPL_Personalization_NoLockScreen -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the lock screen appears for users. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen +``` + -If you enable this policy setting, users that aren't required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. + + +This policy setting controls whether the lock screen appears for users. -If you disable or don't configure this policy setting, users that aren't required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. +- If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. - +- If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. + - -ADMX Info: -- GP Friendly name: *Do not display the lock screen* -- GP name: *CPL_Personalization_NoLockScreen* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoLockScreen | +| Friendly Name | Do not display the lock screen | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoLockScreen | +| ADMX File Name | ControlPanelDisplay.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## CPL_Personalization_NoMousePointersUI - - -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from changing the mouse pointers. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI +``` + + + + +Prevents users from changing the mouse pointers. By default, users can use the Pointers tab in the Mouse Control Panel to add, remove, or change the mouse pointers. -If you enable this setting, none of the mouse pointer scheme settings can be changed by the user. +- If you enable this setting, none of the mouse pointer scheme settings can be changed by the user. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing mouse pointers* -- GP name: *CPL_Personalization_NoMousePointersUI* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoMousePointersUI | +| Friendly Name | Prevent changing mouse pointers | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoChangingMousePointers | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_NoScreenSaverUI -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This setting prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI +``` + -This setting also prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It doesn't prevent a screen saver from running. + + +Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. - +This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. + - -ADMX Info: -- GP Friendly name: *Prevent changing screen saver* -- GP name: *CPL_Personalization_NoScreenSaverUI* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoScreenSaverUI | +| Friendly Name | Prevent changing screen saver | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoDispScrSavPage | +| ADMX File Name | ControlPanelDisplay.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## CPL_Personalization_NoSoundSchemeUI - - -This setting prevents users from changing the sound scheme. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI +``` + + + + +Prevents users from changing the sound scheme. By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. -If you enable this setting, none of the Sound Scheme settings can be changed by the user. +- If you enable this setting, none of the Sound Scheme settings can be changed by the user. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing sounds* -- GP name: *CPL_Personalization_NoSoundSchemeUI* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoSoundSchemeUI | +| Friendly Name | Prevent changing sounds | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoChangingSoundScheme | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## CPL_Personalization_PersonalColors -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This setting forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors +``` + + + + +Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. By default, users can change the background and accent colors. -If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users can't change those colors. This setting won't be applied if the specified colors don't meet a contrast ratio of 2:1 with white text. +- If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text. + - + + + - -ADMX Info: -- GP Friendly name: *Force a specific background and accent color* -- GP name: *CPL_Personalization_PersonalColors* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_PersonalColors | +| Friendly Name | Force a specific background and accent color | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_ScreenSaverIsSecure -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This setting determines whether screen savers used on the computer are password protected. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure +``` + -If you enable this setting, all screen savers are password protected. If you disable this setting, password protection can't be set on any screen saver. + + +Determines whether screen savers used on the computer are password protected. + +- If you enable this setting, all screen savers are password protected. +- If you disable this setting, password protection cannot be set on any screen saver. This setting also disables the "Password protected" checkbox on the Screen Saver dialog in the Personalization or Display Control Panel, preventing users from changing the password protection setting. -If you don't configure this setting, users can choose whether or not to set password protection on each screen saver. +- If you do not configure this setting, users can choose whether or not to set password protection on each screen saver. To ensure that a computer will be password protected, enable the "Enable Screen Saver" setting and specify a timeout via the "Screen Saver timeout" setting. > [!NOTE] > To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" setting. + - + + + - -ADMX Info: -- GP Friendly name: *Password protect the screen saver* -- GP name: *CPL_Personalization_ScreenSaverIsSecure* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_ScreenSaverIsSecure | +| Friendly Name | Password protect the screen saver | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Control Panel\Desktop | +| Registry Value Name | ScreenSaverIsSecure | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_ScreenSaverTimeOut -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut +``` + + + + Specifies how much user idle time must elapse before the screen saver is launched. -When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver won't be started. +When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started. This setting has no effect under any of the following circumstances: - The setting is disabled or not configured. + - The wait time is set to zero. + - The "Enable Screen Saver" setting is disabled. -- The "Screen saver executable name" setting and the Screen Saver dialog of the client computer's Personalization or Display Control Panel don't specify a valid existing screen saver program on the client. +- Neither the "Screen saver executable name" setting nor the Screen Saver dialog of the client computer's Personalization or Display Control Panel specifies a valid existing screen saver program on the client. When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Control Panel is used. The default is 15 minutes. + - + + + - -ADMX Info: -- GP Friendly name: *Screen saver timeout* -- GP name: *CPL_Personalization_ScreenSaverTimeOut* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_ScreenSaverTimeOut | +| Friendly Name | Screen saver timeout | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Control Panel\Desktop | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_SetScreenSaver -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This setting specifies the screen saver for the user's desktop. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver +``` + -If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. + + +Specifies the screen saver for the user's desktop. -If you disable this setting or don't configure it, users can select any screen saver. +- If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. -If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file isn't in the %Systemroot%\System32 directory, type the fully qualified path to the file. +- If you disable this setting or do not configure it, users can select any screen saver. -If the specified screen saver isn't installed on a computer to which this setting applies, the setting is ignored. +- If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file. + +If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored. > [!NOTE] -> This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers don't run. 
+> This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run. + - + + + - -ADMX Info: -- GP Friendly name: *Force specific screen saver* -- GP name: *CPL_Personalization_SetScreenSaver* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_SetScreenSaver | +| Friendly Name | Force specific screen saver | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Control Panel\Desktop | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_SetTheme -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Available in the latest Windows 10 Insider Preview Build. Specifies which theme file is applied to the computer the first time a user logs on. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme +``` -If you enable this setting, the theme that you specify will be applied when a new user signs in for the first time. This policy doesn't prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first sign in. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme +``` + -If you disable or don't configure this setting, the default theme will be applied at the first sign in. + + +Specifies which theme file is applied to the computer the first time a user logs on. - +- If you enable this setting, the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first logon. - -ADMX Info: -- GP Friendly name: *Load a specific theme* -- GP name: *CPL_Personalization_SetTheme* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* +- If you disable or do not configure this setting, the default theme will be applied at the first logon. + - - -
    + + + - -**ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_SetTheme | +| Friendly Name | Load a specific theme | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| ADMX File Name | ControlPanelDisplay.admx | + -> [!div class = "checklist"] -> * User + + + -
    + - - + +## CPL_Personalization_SetVisualStyle + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle +``` + + + + This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. -This file can be a local computer visual style (aero.msstyles) one, or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). +This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). -If you enable this setting, the visual style file that you specify will be used. Also, a user may not apply a different visual style when changing themes. +- If you enable this setting, the visual style file that you specify will be used. Also, a user may not apply a different visual style when changing themes. -If you disable or don't configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available). +- If you disable or do not configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available). > [!NOTE] -> If this setting is enabled and the file isn't available at user logon, the default visual style is loaded. -> -> When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles. -> -> To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you can't apply the Windows Classic visual style. +> If this setting is enabled and the file is not available at user logon, the default visual style is loaded. 
- +> [!NOTE] +> When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles - -ADMX Info: -- GP Friendly name: *Force a specific visual style file or force Windows Classic* -- GP name: *CPL_Personalization_SetVisualStyle* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* +> [!NOTE] +> To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style. + - - -
    + + + - -**ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_SetVisualStyle | +| Friendly Name | Force a specific visual style file or force Windows Classic | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | ControlPanelDisplay.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## CPL_Personalization_StartBackground + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground +``` + + + + Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. If this setting is set to zero or not configured, then Start uses the default background, and users can change it. -If this setting is set to a nonzero value, then Start uses the specified background, and users can't change it. If the specified background isn't supported, the default background is used. +If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used. + - + + + - -ADMX Info: -- GP Friendly name: *Force a specific Start background* -- GP name: *CPL_Personalization_StartBackground* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_StartBackground | +| Friendly Name | Force a specific Start background | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| ADMX File Name | ControlPanelDisplay.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index 481b2ebb18..7f08bf470b 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md 
@@ -1,92 +1,99 @@ --- -title: Policy CSP - ADMX_Cpls -description: Learn about the Policy CSP - ADMX_Cpls. +title: ADMX_Cpls Policy CSP +description: Learn more about the ADMX_Cpls Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/26/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Cpls > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Cpls policies + +## UseDefaultTile -
    -
    - ADMX_Cpls/UseDefaultTile -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Cpls/UseDefaultTile +``` + -
    - - -**ADMX_Cpls/UseDefaultTile** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. > [!NOTE] -> The default account picture is stored at `%PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg.` The default guest picture is stored at `%PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg.` If the default pictures do not exist, an empty frame is displayed. +> The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed. -If you enable this policy setting, the default user account picture will display for all users on the system with no customization allowed. +- If you enable this policy setting, the default user account picture will display for all users on the system with no customization allowed. -If you disable or do not configure this policy setting, users will be able to customize their account pictures. +- If you disable or do not configure this policy setting, users will be able to customize their account pictures. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Apply the default account picture to all users* -- GP name: *UseDefaultTile* -- GP path: *Control Panel/User Accounts* -- GP ADMX file name: *Cpls.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | UseDefaultTile | +| Friendly Name | Apply the default account picture to all users | +| Location | Computer Configuration | +| Path | Control Panel > User Accounts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | UseDefaultTile | +| ADMX File Name | Cpls.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index ab23b0a57d..9ded8c68b8 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md 
@@ -1,200 +1,231 @@ --- -title: Policy CSP - ADMX_CredentialProviders -description: Learn about the Policy CSP - ADMX_CredentialProviders. +title: ADMX_CredentialProviders Policy CSP +description: Learn more about the ADMX_CredentialProviders Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/11/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_CredentialProviders > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_CredentialProviders policies + +## AllowDomainDelayLock -
    -
    - ADMX_CredentialProviders/AllowDomainDelayLock -
    -
    - ADMX_CredentialProviders/DefaultCredentialProvider -
    -
    - ADMX_CredentialProviders/ExcludedCredentialProviders -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock +``` + -
    - - -**ADMX_CredentialProviders/AllowDomainDelayLock** - - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. -If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. +- If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. -If you disable this policy setting, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. +- If you disable this policy setting, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. -If you don't configure this policy setting on a domain-joined device, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. 
+- If you don't configure this policy setting on a domain-joined device, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. -If you don't configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. +- If you don't configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow users to select when a password is required when resuming from connected standby* -- GP name: *AllowDomainDelayLock* -- GP path: *System\Logon* -- GP ADMX file name: *CredentialProviders.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_CredentialProviders/DefaultCredentialProvider** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowDomainDelayLock | +| Friendly Name | Allow users to select when a password is required when resuming from connected standby | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowDomainDelayLock | +| ADMX File Name | CredentialProviders.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DefaultCredentialProvider -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/DefaultCredentialProvider +``` + - - + + This policy setting allows the administrator to assign a specified credential provider as the default credential provider. -If you enable this policy setting, the specified credential provider is selected on other user tile. +- If you enable this policy setting, the specified credential provider is selected on other user tile. -If you disable or don't configure this policy setting, the system picks the default credential provider on other user tile. +- If you disable or do not configure this policy setting, the system picks the default credential provider on other user tile. > [!NOTE] > A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. + - + + + - -ADMX Info: -- GP Friendly name: *Assign a default credential provider* -- GP name: *DefaultCredentialProvider* -- GP path: *System\Logon* -- GP ADMX file name: *CredentialProviders.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_CredentialProviders/ExcludedCredentialProviders** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DefaultCredentialProvider | +| Friendly Name | Assign a default credential provider | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | CredentialProviders.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ExcludedCredentialProviders -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/ExcludedCredentialProviders +``` + - - -This policy setting allows the administrator to exclude the specified credential providers from use during authentication. + + +This policy setting allows the administrator to exclude the specified +credential providers from use during authentication. -> [!NOTE] -> Credential providers are used to process and validate user credentials during logon or when authentication is required. Windows Vista provides two default credential providers: Password and Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric authentication). +**Note** credential providers are used to process and validate user +credentials during logon or when authentication is required. +Windows Vista provides two default credential providers +Password and Smart Card. An administrator can install additional +credential providers for different sets of credentials +(for example, to support biometric authentication). -If you enable this policy, an administrator can specify the CLSIDs of the credential providers to exclude from the set of installed credential providers available for authentication purposes. +- If you enable this policy, an administrator can specify the CLSIDs +of the credential providers to exclude from the set of installed +credential providers available for authentication purposes. -If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes. +- If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Exclude credential providers* -- GP name: *ExcludedCredentialProviders* -- GP path: *System\Logon* -- GP ADMX file name: *CredentialProviders.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | ExcludedCredentialProviders | +| Friendly Name | Exclude credential providers | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | CredentialProviders.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index eb460250a1..6af877c393 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md 
@@ -1,715 +1,824 @@ --- -title: Policy CSP - ADMX_CredSsp -description: Learn about the Policy CSP - ADMX_CredSsp. +title: ADMX_CredSsp Policy CSP +description: Learn more about the ADMX_CredSsp Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/12/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_CredSsp > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_CredSsp policies + +## AllowDefaultCredentials -
    -
    - ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly -
    -
    - ADMX_CredSsp/AllowDefaultCredentials -
    -
    - ADMX_CredSsp/AllowEncryptionOracle -
    -
    - ADMX_CredSsp/AllowFreshCredentials -
    -
    - ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly -
    -
    - ADMX_CredSsp/AllowSavedCredentials -
    -
    - ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly -
    -
    - ADMX_CredSsp/DenyDefaultCredentials -
    -
    - ADMX_CredSsp/DenyFreshCredentials -
    -
    - ADMX_CredSsp/DenySavedCredentials -
    -
    - ADMX_CredSsp/RestrictedRemoteAdministration -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/AllowDefaultCredentials +``` + -
    - - -**ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). - -This policy setting applies when server authentication was achieved via NTLM. - -If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those credentials that you use when first signing in to Windows). - -If you disable or don't configure (by default) this policy setting, delegation of default credentials isn't permitted to any machine. - -> [!NOTE] -> The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. -> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com - - - - - -ADMX Info: -- GP Friendly name: *Allow delegating default credentials with NTLM-only server authentication* -- GP name: *AllowDefCredentialsWhenNTLMOnly* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* - - - -
    - - -**ADMX_CredSsp/AllowDefaultCredentials** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos. -If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those credentials that you use when first logging on to Windows). +- If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). The policy becomes effective the next time the user signs on to a computer running Windows. -If you disable or don't configure (by default) this policy setting, delegation of default credentials isn't permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB. +If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB. FWlink for KB: -https://go.microsoft.com/fwlink/?LinkId=301508 + > [!NOTE] > The "Allow delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. 
-> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com - +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + - -ADMX Info: -- GP Friendly name: *Allow delegating default credentials* -- GP name: *AllowDefaultCredentials* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_CredSsp/AllowEncryptionOracle** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AllowDefaultCredentials | +| Friendly Name | Allow delegating default credentials | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | AllowDefaultCredentials | +| ADMX File Name | CredSsp.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowDefCredentialsWhenNTLMOnly - - -This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly +``` + -If you enable this policy setting, CredSSP version support will be selected based on the following options: + + +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). -- Force Updated Clients: Client applications that use CredSSP won't be able to fall back to the insecure versions and services using CredSSP won't accept unpatched clients. +This policy setting applies when server authentication was achieved via NTLM. - > [!NOTE] - > This setting should not be deployed until all remote hosts support the newest version. +- If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). -- Mitigated: Client applications that use CredSSP won't be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients. +If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine. -- Vulnerable: Client applications that use CredSSP will expose the remote servers to attacks by supporting a fallback to the insecure versions and services using CredSSP will accept unpatched clients. 
+> [!NOTE] +> The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. -For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660 +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + - + + + - -ADMX Info: -- GP Friendly name: *Encryption Oracle Remediation* -- GP name: *AllowEncryptionOracle* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_CredSsp/AllowFreshCredentials** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | AllowDefCredentialsWhenNTLMOnly | +| Friendly Name | Allow delegating default credentials with NTLM-only server authentication | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | AllowDefCredentialsWhenNTLMOnly | +| ADMX File Name | CredSsp.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## AllowEncryptionOracle -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/AllowEncryptionOracle +``` + + + + +Encryption Oracle Remediation + +This policy setting applies to applications using the CredSSP component (for example Remote Desktop Connection). + +Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. + +- If you enable this policy setting, CredSSP version support will be selected based on the following options + +Force Updated Clients Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. **Note** this setting should not be deployed until all remote hosts support the newest version. + +Mitigated Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients. + +Vulnerable Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients. + +For more information about the vulnerability and servicing requirements for protection, see + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowEncryptionOracle | +| Friendly Name | Encryption Oracle Remediation | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters | +| ADMX File Name | CredSsp.admx | + + + + + + + + + +## AllowFreshCredentials + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/AllowFreshCredentials +``` + + + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. -If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those credentials that you're prompted for when executing the application). +- If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). -If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). -If you disable this policy setting, delegation of fresh credentials isn't permitted to any machine. +- If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. > [!NOTE] > The "Allow delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. 
-> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com - +For Example: +TERMSRV/host.humanresources.fabrikam.com +Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + - -ADMX Info: -- GP Friendly name: *Allow delegating fresh credentials* -- GP name: *AllowFreshCredentials* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AllowFreshCredentials | +| Friendly Name | Allow delegating fresh credentials | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | AllowFreshCredentials | +| ADMX File Name | CredSsp.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowFreshCredentialsWhenNTLMOnly - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly +``` + + + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. -If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those credentials that you're prompted for when executing the application). +- If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). -If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). -If you disable this policy setting, delegation of fresh credentials isn't permitted to any machine. +- If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. > [!NOTE] > The "Allow delegating fresh credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. 
-> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com - +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com + - -ADMX Info: -- GP Friendly name: *Allow delegating fresh credentials with NTLM-only server authentication* -- GP name: *AllowFreshCredentialsWhenNTLMOnly* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_CredSsp/AllowSavedCredentials** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AllowFreshCredentialsWhenNTLMOnly | +| Friendly Name | Allow delegating fresh credentials with NTLM-only server authentication | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | AllowFreshCredentialsWhenNTLMOnly | +| ADMX File Name | CredSsp.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowSavedCredentials - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/AllowSavedCredentials +``` + + + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. -If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those credentials that you elect to save/remember using the Windows credential manager). +- If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). -If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). -If you disable this policy setting, delegation of saved credentials isn't permitted to any machine. +- If you disable this policy setting, delegation of saved credentials is not permitted to any machine. > [!NOTE] > The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. 
-> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com - +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com + - -ADMX Info: -- GP Friendly name: *Allow delegating saved credentials* -- GP name: *AllowSavedCredentials* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AllowSavedCredentials | +| Friendly Name | Allow delegating saved credentials | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | AllowSavedCredentials | +| ADMX File Name | CredSsp.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowSavedCredentialsWhenNTLMOnly - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly +``` + + + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. -If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those credentials that you elect to save/remember using the Windows credential manager). +- If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). -If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine isn't a member of any domain. If the client is domain-joined, by default, the delegation of saved credentials isn't permitted to any machine. +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine. -If you disable this policy setting, delegation of saved credentials isn't permitted to any machine. +- If you disable this policy setting, delegation of saved credentials is not permitted to any machine. > [!NOTE] > The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). 
The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. -> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com - +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com + - -ADMX Info: -- GP Friendly name: *Allow delegating saved credentials with NTLM-only server authentication* -- GP name: *AllowSavedCredentialsWhenNTLMOnly* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_CredSsp/DenyDefaultCredentials** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AllowSavedCredentialsWhenNTLMOnly | +| Friendly Name | Allow delegating saved credentials with NTLM-only server authentication | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | AllowSavedCredentialsWhenNTLMOnly | +| ADMX File Name | CredSsp.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## DenyDefaultCredentials - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/DenyDefaultCredentials +``` + + + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). -If you enable this policy setting, you can specify the servers to which the user's default credentials can't be delegated (default credentials are those credentials that you use when first logging on to Windows). +- If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows). -If you disable or don't configure (by default) this policy setting, this policy setting doesn't specify any server. +If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. > [!NOTE] -> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. -> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com +> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. 
+ +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com This policy setting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" server list. + - + + + - -ADMX Info: -- GP Friendly name: *Deny delegating default credentials* -- GP name: *DenyDefaultCredentials* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_CredSsp/DenyFreshCredentials** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DenyDefaultCredentials | +| Friendly Name | Deny delegating default credentials | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | DenyDefaultCredentials | +| ADMX File Name | CredSsp.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DenyFreshCredentials -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/DenyFreshCredentials +``` + + + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). -If you enable this policy setting, you can specify the servers to which the user's fresh credentials can't be delegated (fresh credentials are those credentials that you're prompted for when executing the application). +- If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application). -If you disable or don't configure (by default) this policy setting, this policy setting doesn't specify any server. +If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. > [!NOTE] -> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. -> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com +> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. 
+ +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com This policy setting can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" server list. + - + + + - -ADMX Info: -- GP Friendly name: *Deny delegating fresh credentials* -- GP name: *DenyFreshCredentials* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_CredSsp/DenySavedCredentials** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DenyFreshCredentials | +| Friendly Name | Deny delegating fresh credentials | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | DenyFreshCredentials | +| ADMX File Name | CredSsp.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DenySavedCredentials -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/DenySavedCredentials +``` + + + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). -If you enable this policy setting, you can specify the servers to which the user's saved credentials can't be delegated (saved credentials are those credentials that you elect to save/remember using the Windows credential manager). +- If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). -If you disable or don't configure (by default) this policy setting, this policy setting doesn't specify any server. +If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. > [!NOTE] -> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. -> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com +> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. 
+ +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com This policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating saved credentials" server list. + - + + + - -ADMX Info: -- GP Friendly name: *Deny delegating saved credentials* -- GP name: *DenySavedCredentials* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_CredSsp/RestrictedRemoteAdministration** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DenySavedCredentials | +| Friendly Name | Deny delegating saved credentials | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | DenySavedCredentials | +| ADMX File Name | CredSsp.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## RestrictedRemoteAdministration -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -When the participating applications are running in Restricted Admin or Remote Credential Guard mode, participating applications don't expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials aren't delegated. Remote Credential Guard doesn't limit access to resources because it redirects all requests back to the client device. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/RestrictedRemoteAdministration +``` + + + + +When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. Participating apps: Remote Desktop Client -If you enable this policy setting, the following options are supported: +- If you enable this policy setting, the following options are supported: -- Restrict credential delegation: Participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts. -- Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect to remote hosts. -- Require Restricted Admin: Participating applications must use Restricted Admin to connect to remote hosts. +Restrict credential delegation: Participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts. -If you disable or don't configure this policy setting, Restricted Admin and Remote Credential Guard mode aren't enforced and participating apps can delegate credentials to remote devices. 
+Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect to remote hosts. + +Require Restricted Admin: Participating applications must use Restricted Admin to connect to remote hosts. + +- If you disable or do not configure this policy setting, Restricted Admin and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices. > [!NOTE] > To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation). -> -> On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions don't support Remote Credential Guard. - +> [!NOTE] +> On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard. + - -ADMX Info: -- GP Friendly name: *Restrict delegation of credentials to remote servers* -- GP name: *RestrictedRemoteAdministration* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + + + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | RestrictedRemoteAdministration | +| Friendly Name | Restrict delegation of credentials to remote servers | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | RestrictedRemoteAdministration | +| ADMX File Name | CredSsp.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index 9aba18f299..dfe52973d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md 
@@ -1,136 +1,155 @@ --- -title: Policy CSP - ADMX_CredUI -description: Learn about the Policy CSP - ADMX_CredUI. +title: ADMX_CredUI Policy CSP +description: Learn more about the ADMX_CredUI Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_CredUI > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_CredUI policies + +## EnableSecureCredentialPrompting -
    -
    - ADMX_CredUI/EnableSecureCredentialPrompting -
    -
    - ADMX_CredUI/NoLocalPasswordResetQuestions -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredUI/EnableSecureCredentialPrompting +``` + -
    - - -**ADMX_CredUI/EnableSecureCredentialPrompting** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. + + +This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user's Windows credentials. > [!NOTE] -> This policy affects non-logon authentication tasks only. As a security best practice, this policy should be enabled. +> This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. -If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop through the trusted path mechanism. +- If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. -If you disable or don't configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials. +- If you disable or do not configure this policy setting, users will enter Windows credentials within the user's desktop session, potentially allowing malicious code access to the user's Windows credentials. + - + + + - -ADMX Info: -- GP Friendly name: *Require trusted path for credential entry* -- GP name: *EnableSecureCredentialPrompting* -- GP path: *Windows Components\Credential User Interface* -- GP ADMX file name: *CredUI.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_CredUI/NoLocalPasswordResetQuestions** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | EnableSecureCredentialPrompting | +| Friendly Name | Require trusted path for credential entry | +| Location | Computer Configuration | +| Path | Windows Components > Credential User Interface | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\CredUI | +| Registry Value Name | EnableSecureCredentialPrompting | +| ADMX File Name | CredUI.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## NoLocalPasswordResetQuestions -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Available in the latest Windows 10 Insider Preview Build. If you turn on this policy setting, local users won’t be able to set up and use security questions to reset their passwords. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredUI/NoLocalPasswordResetQuestions +``` + - + + +If you turn this policy setting on, local users won't be able to set up and use security questions to reset their passwords. + + + + - -ADMX Info: -- GP Friendly name: *Prevent the use of security questions for local accounts* -- GP name: *NoLocalPasswordResetQuestions* -- GP path: *Windows Components\Credential User Interface* -- GP ADMX file name: *CredUI.admx* + +**Description framework properties**: - - -< - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -## Related topics + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoLocalPasswordResetQuestions | +| Friendly Name | Prevent the use of security questions for local accounts | +| Location | Computer Configuration | +| Path | Windows Components > Credential User Interface | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | NoLocalPasswordResetQuestions | +| ADMX File Name | CredUI.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index 80a8a8f0fd..16b4681320 100644 
--- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -1,246 +1,285 @@ --- -title: Policy CSP - ADMX_CtrlAltDel -description: Learn about the Policy CSP - ADMX_CtrlAltDel. +title: ADMX_CtrlAltDel Policy CSP +description: Learn more about the ADMX_CtrlAltDel Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/26/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_CtrlAltDel > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_CtrlAltDel policies + +## DisableChangePassword -
    -
    - ADMX_CtrlAltDel/DisableChangePassword -
    -
    - ADMX_CtrlAltDel/DisableLockComputer -
    -
    - ADMX_CtrlAltDel/DisableTaskMgr -
    -
    - ADMX_CtrlAltDel/NoLogoff -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_CtrlAltDel/DisableChangePassword +``` + -
    - - -**ADMX_CtrlAltDel/DisableChangePassword** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting prevents users from changing their Windows password on demand. -If you enable this policy setting, the **Change Password** button on the Windows Security dialog box won't appear when you press Ctrl+Alt+Del. +- If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. -However, users will still be able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring. +However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Change Password* -- GP name: *DisableChangePassword* -- GP path: *System/Ctrl+Alt+Del Options* -- GP ADMX file name: *CtrlAltDel.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_CtrlAltDel/DisableLockComputer** +| Name | Value | +|:--|:--| +| Name | DisableChangePassword | +| Friendly Name | Remove Change Password | +| Location | User Configuration | +| Path | System > Ctrl+Alt+Del Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisableChangePassword | +| ADMX File Name | CtrlAltDel.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableLockComputer - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_CtrlAltDel/DisableLockComputer +``` + -
    - - - + + This policy setting prevents users from locking the system. -While locked, the desktop is hidden and the system can't be used. Only the user who locked the system or the system administrator can unlock it. +While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it. -If you enable this policy setting, users can't lock the computer from the keyboard using Ctrl+Alt+Del. +- If you enable this policy setting, users cannot lock the computer from the keyboard using Ctrl+Alt+Del. -If you disable or don't configure this policy setting, users will be able to lock the computer from the keyboard using Ctrl+Alt+Del. +- If you disable or do not configure this policy setting, users will be able to lock the computer from the keyboard using Ctrl+Alt+Del. > [!TIP] > To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock this computer. + - + + + - -ADMX Info: -- GP Friendly name: *Remove Lock Computer* -- GP name: *DisableLockWorkstation* -- GP path: *System/Ctrl+Alt+Del Options* -- GP ADMX file name: *CtrlAltDel.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_CtrlAltDel/DisableTaskMgr** - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DisableLockComputer | +| Friendly Name | Remove Lock Computer | +| Location | User Configuration | +| Path | System > Ctrl+Alt+Del Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisableLockWorkstation | +| ADMX File Name | CtrlAltDel.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## DisableTaskMgr - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_CtrlAltDel/DisableTaskMgr +``` + + + + This policy setting prevents users from starting Task Manager. -Task Manager (**taskmgr.exe**) lets users start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. +Task Manager (taskmgr.exe) lets users start and stop programs; monitor the performance of their computers; view and monitor all programs running on their computers, including system services; find the executable names of programs; and change the priority of the process in which programs run. -If you enable this policy setting, users won't be able to access Task Manager. If users try to start Task Manager, a message appears explaining that a policy prevents the action. +- If you enable this policy setting, users will not be able to access Task Manager. If users try to start Task Manager, a message appears explaining that a policy prevents the action. -If you disable or don't configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. +- If you disable or do not configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Remove Task Manager* -- GP name: *DisableTaskMgr* -- GP path: *System/Ctrl+Alt+Del Options* -- GP ADMX file name: *CtrlAltDel.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_CtrlAltDel/NoLogoff** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableTaskMgr | +| Friendly Name | Remove Task Manager | +| Location | User Configuration | +| Path | System > Ctrl+Alt+Del Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisableTaskMgr | +| ADMX File Name | CtrlAltDel.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoLogoff -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_CtrlAltDel/NoLogoff +``` + + + + This policy setting disables or removes all menu items and buttons that log the user off the system. -If you enable this policy setting, users won't see the Logoff menu item when they press Ctrl+Alt+Del. This scenario will prevent them from logging off unless they restart or shut down the computer, or clicking Log off from the Start menu. +- If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu. Also, see the 'Remove Logoff on the Start Menu' policy setting. -If you disable or don't configure this policy setting, users can see and select the Logoff menu item when they press Ctrl+Alt+Del. +- If you disable or do not configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del. + - + + + - -ADMX Info: -- GP Friendly name: *Remove Logoff* -- GP name: *NoLogoff* -- GP path: *System/Ctrl+Alt+Del Options* -- GP ADMX file name: *CtrlAltDel.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | NoLogoff | +| Friendly Name | Remove Logoff | +| Location | User Configuration | +| Path | System > Ctrl+Alt+Del Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoLogoff | +| ADMX File Name | CtrlAltDel.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-dcom.md b/windows/client-management/mdm/policy-csp-admx-dcom.md index 16739693a2..61fe97ffea 100644 --- a/windows/client-management/mdm/policy-csp-admx-dcom.md +++ b/windows/client-management/mdm/policy-csp-admx-dcom.md 
@@ -1,168 +1,172 @@ --- -title: Policy CSP - ADMX_DCOM -description: Learn about the Policy CSP - ADMX_DCOM. +title: ADMX_DCOM Policy CSP +description: Learn more about the ADMX_DCOM Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/08/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DCOM > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DCOM policies + +## DCOMActivationSecurityCheckAllowLocalList -
    -
    - ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList -
    -
    - ADMX_DCOM/DCOMActivationSecurityCheckExemptionList -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList +``` + -
    + + +Allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" list. - -**ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList** +- If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application id (appid) in the "Define Activation Security Check exemptions" policy (if enabled), DCOM will look for an entry in the locally configured list. - +- If you disable this policy setting, DCOM will not look in the locally configured DCOM activation security check exemption list. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you do not configure this policy setting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy is not configured. + - -
    + + +**NOTE** This policy setting applies to all sites in Trusted zones. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This policy setting allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" list. +**ADMX mapping**: -If you enable this policy setting, and DCOM doesn't find an explicit entry for a DCOM server application ID (appid) in the "Define Activation Security Check exemptions" policy (if enabled). Then DCOM will look for an entry in the locally configured list. +| Name | Value | +|:--|:--| +| Name | DCOMActivationSecurityCheckAllowLocalList | +| Friendly Name | Allow local activation security check exemptions | +| Location | Computer Configuration | +| Path | System > Distributed COM > Application Compatibility Settings | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DCOM\AppCompat | +| Registry Value Name | AllowLocalActivationSecurityCheckExemptionList | +| ADMX File Name | DCOM.admx | + -If you disable this policy setting, DCOM won't look in the locally configured DCOM activation security check exemption list. + + + -If you don't configure this policy setting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy isn't configured. + -> [!NOTE] -> This policy setting applies to all sites in Trusted zones. + +## DCOMActivationSecurityCheckExemptionList - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Allow local activation security check exemptions* -- GP name: *DCOMActivationSecurityCheckAllowLocalList* -- GP path: *Windows Components\AppCompat!AllowLocalActivationSecurityCheckExemptionList* -- GP ADMX file name: *DCOM.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DCOM/DCOMActivationSecurityCheckExemptionList +``` + - - -
    + + +Allows you to view and change a list of DCOM server application ids (appids) which are exempted from the DCOM Activation security check. DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators. DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled. - -**ADMX_DCOM/DCOMActivationSecurityCheckExemptionList** +DCOM server appids added to this policy must be listed in curly-brace format. For example: {b5dcb061-cefb-42e0-a1be-e6a6438133fe}. If you enter a non-existent or improperly formatted appid DCOM will add it to the list without checking for errors. - +- If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. If you add an appid to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server. If you add an appid to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardless of local settings. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you disable this policy setting, the appid exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used. - -
    +- If you do not configure this policy setting, the appid exemption list defined by local computer administrators is used. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**Note**: -> [!div class = "checklist"] -> * Device +The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. -
    +If the DCOM server's custom launch permission contains explicit DENY entries this may mean that object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead. The proper action in this situation is to re-configure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short-term as an application compatibility deployment aid. - - -This policy setting allows you to view and change a list of DCOM server application IDs (app IDs), which are exempted from the DCOM Activation security check. -DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators. -DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled. -DCOM server application IDs added to this policy must be listed in curly brace format. +DCOM servers added to this exemption list are only exempted if their custom launch permissions do not contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups. Also note, exemptions for DCOM Server Appids added to this list will apply to both 32-bit and 64-bit versions of the server if present. + -For example, `{b5dcb061-cefb-42e0-a1be-e6a6438133fe}`. -If you enter a non-existent or improperly formatted application, ID DCOM will add it to the list without checking for errors. + + +**NOTE** This policy setting applies to all sites in Trusted zones. + -If you add an application ID to this list and set its value to one, DCOM won't enforce the Activation security check for that DCOM server. -If you add an application ID to this list and set its value to 0, DCOM will always enforce the Activation security check for that DCOM server regardless of local -settings. 
+ +**Description framework properties**: -If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you disable this policy setting, the application ID exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you don't configure this policy setting, the application ID exemption list defined by local computer administrators is used. +**ADMX mapping**: ->[!Note] -> The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. +| Name | Value | +|:--|:--| +| Name | DCOMActivationSecurityCheckExemptionList | +| Friendly Name | Define Activation Security Check exemptions | +| Location | Computer Configuration | +| Path | System > Distributed COM > Application Compatibility Settings | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DCOM\AppCompat | +| Registry Value Name | ListBox_Support_ActivationSecurityCheckExemptionList | +| ADMX File Name | DCOM.admx | + -This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries, then the object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead. 
+ + + -The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short term as an application compatibility deployment aid. -DCOM servers added to this exemption list are only exempted if their custom launch permissions don't contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups. + -> [!NOTE] -> Exemptions for DCOM Server Application IDs added to this list will apply to both 32-bit and 64-bit versions of the server if present. -> -> [!NOTE] -> This policy setting applies to all sites in Trusted zones. + + + - + - -ADMX Info: -- GP Friendly name: *Allow local activation security check exemptions* -- GP name: *DCOMActivationSecurityCheckExemptionList* -- GP path: *Windows Components\AppCompat!ListBox_Support_ActivationSecurityCheckExemptionList* -- GP ADMX file name: *DCOM.admx* +## Related articles - - -
    - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index 7948964398..69fb32dabf 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md 
@@ -1,1358 +1,1219 @@ --- -title: Policy CSP - ADMX_Desktop -description: Learn about Policy CSP - ADMX_Desktop. +title: ADMX_Desktop Policy CSP +description: Learn more about the ADMX_Desktop Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/02/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Desktop > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Desktop policies + +## AD_EnableFilter -
    -
    - ADMX_Desktop/AD_EnableFilter -
    -
    - ADMX_Desktop/AD_HideDirectoryFolder -
    -
    - ADMX_Desktop/AD_QueryLimit -
    -
    - ADMX_Desktop/ForceActiveDesktopOn -
    -
    - ADMX_Desktop/NoActiveDesktop -
    -
    - ADMX_Desktop/NoActiveDesktopChanges -
    -
    - ADMX_Desktop/NoDesktop -
    -
    - ADMX_Desktop/NoDesktopCleanupWizard -
    -
    - ADMX_Desktop/NoInternetIcon -
    -
    - ADMX_Desktop/NoMyComputerIcon -
    -
    - ADMX_Desktop/NoMyDocumentsIcon -
    -
    - ADMX_Desktop/NoNetHood -
    -
    - ADMX_Desktop/NoPropertiesMyComputer -
    -
    - ADMX_Desktop/NoPropertiesMyDocuments -
    -
    - ADMX_Desktop/NoRecentDocsNetHood -
    -
    - ADMX_Desktop/NoRecycleBinIcon -
    -
    - ADMX_Desktop/NoRecycleBinProperties -
    -
    - ADMX_Desktop/NoSaveSettings -
    -
    - ADMX_Desktop/NoWindowMinimizingShortcuts -
    -
    - ADMX_Desktop/Wallpaper -
    -
    - ADMX_Desktop/sz_ATC_DisableAdd -
    -
    - ADMX_Desktop/sz_ATC_DisableClose -
    -
    - ADMX_Desktop/sz_ATC_DisableDel -
    -
    - ADMX_Desktop/sz_ATC_DisableEdit -
    -
    - ADMX_Desktop/sz_ATC_NoComponents -
    -
    - ADMX_Desktop/sz_AdminComponents_Title -
    -
    - ADMX_Desktop/sz_DB_DragDropClose -
    -
    - ADMX_Desktop/sz_DB_Moving -
    -
    - ADMX_Desktop/sz_DWP_NoHTMLPaper -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/AD_EnableFilter +``` + -
    + + +Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. - -**ADMX_Desktop/AD_EnableFilter** +- If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it. - +- If you disable this setting or do not configure it, the filter bar does not appear, but users can display it by selecting "Filter" on the "View" menu. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the View menu, click Filter. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying more filters to search results. +**ADMX mapping**: -If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it. +| Name | Value | +|:--|:--| +| Name | AD_EnableFilter | +| Friendly Name | Enable filter in Find dialog box | +| Location | User Configuration | +| Path | Desktop > Active Directory | +| Registry Key Name | Software\Policies\Microsoft\Windows\Directory UI | +| Registry Value Name | EnableFilter | +| ADMX File Name | Desktop.admx | + -If you disable this setting or don't configure it, the filter bar doesn't appear, but users can display it by selecting "Filter" on the "View" menu. + + + -To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar doesn't appear above the resulting display, on the View menu, click Filter. + - + +## AD_HideDirectoryFolder + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Enable filter in Find dialog box* -- GP name: *AD_EnableFilter* -- GP path: *Desktop\Active Directory* -- GP ADMX file name: *Desktop.admx* + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/AD_HideDirectoryFolder +``` + - - -
    - - -**ADMX_Desktop/AD_HideDirectoryFolder** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + Hides the Active Directory folder in Network Locations. The Active Directory folder displays Active Directory objects in a browse window. -If you enable this setting, the Active Directory folder doesn't appear in the Network Locations folder. +- If you enable this setting, the Active Directory folder does not appear in the Network Locations folder. -If you disable this setting or don't configure it, the Active Directory folder appears in the Network Locations folder. +- If you disable this setting or do not configure it, the Active Directory folder appears in the Network Locations folder. This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide Active Directory folder* -- GP name: *AD_HideDirectoryFolder* -- GP path: *Desktop\Active Directory* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Desktop/AD_QueryLimit** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AD_HideDirectoryFolder | +| Friendly Name | Hide Active Directory folder | +| Location | User Configuration | +| Path | Desktop > Active Directory | +| Registry Key Name | Software\Policies\Microsoft\Windows\Directory UI | +| Registry Value Name | HideDirectoryFolder | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AD_QueryLimit -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/AD_QueryLimit +``` + - - -Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those displays in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. + + +Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. -If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search. +- If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search. -If you disable this setting or don't configure it, the system displays up to 10,000 objects. This screen-display consumes approximately 2 MB of memory or disk space. +- If you disable this setting or do not configure it, the system displays up to 10,000 objects. This consumes approximately 2 MB of memory or disk space. This setting is designed to protect the network and the domain controller from the effect of expansive searches. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Maximum size of Active Directory searches* -- GP name: *AD_QueryLimit* -- GP path: *Desktop\Active Directory* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Desktop/ForceActiveDesktopOn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AD_QueryLimit | +| Friendly Name | Maximum size of Active Directory searches | +| Location | User Configuration | +| Path | Desktop > Active Directory | +| Registry Key Name | Software\Policies\Microsoft\Windows\Directory UI | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ForceActiveDesktopOn -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/ForceActiveDesktopOn +``` + - - + + Enables Active Desktop and prevents users from disabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. -If you disable this setting or don't configure it, Active Desktop is disabled by default, but users can enable it. +- If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. > [!NOTE] -> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. +> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting ( in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. + - + + + - -ADMX Info: -- GP Friendly name: *Enable Active Desktop* -- GP name: *ForceActiveDesktopOn* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Desktop/NoActiveDesktop** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ForceActiveDesktopOn | +| Friendly Name | Enable Active Desktop | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ForceActiveDesktopOn | +| ADMX File Name | Desktop.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoActiveDesktop -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoActiveDesktop +``` + + + + Disables Active Desktop and prevents users from enabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. -If you disable this setting or don't configure it, Active Desktop is disabled by default, but users can enable it. +- If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. > [!NOTE] > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Disable Active Desktop* -- GP name: *NoActiveDesktop* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Desktop/NoActiveDesktopChanges** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoActiveDesktop | +| Friendly Name | Disable Active Desktop | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoActiveDesktop | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoActiveDesktopChanges -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoActiveDesktopChanges +``` + - - + + Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. -This setting is a comprehensive one that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users can't enable or disable Active Desktop. If Active Desktop is already enabled, users can't add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. +This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. + - + + + - -ADMX Info: -- GP Friendly name: *Prohibit changes* -- GP name: *NoActiveDesktopChanges* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Desktop/NoDesktop** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoActiveDesktopChanges | +| Friendly Name | Prohibit changes | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoActiveDesktopChanges | +| ADMX File Name | Desktop.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoDesktop -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoDesktop +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoDesktop +``` + + + + Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. -Removing icons and shortcuts doesn't prevent the user from using another method to start the programs or opening the items they represent. +Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent. -Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. The removal of the Desktop icon will help prevent users from saving data to the Desktop. +Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide and disable all items on the desktop* -- GP name: *NoDesktop* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Desktop/NoDesktopCleanupWizard** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoDesktop | +| Friendly Name | Hide and disable all items on the desktop | +| Location | Computer and User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoDesktop | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoDesktopCleanupWizard -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoDesktopCleanupWizard +``` + - - + + Prevents users from using the Desktop Cleanup Wizard. -If you enable this setting, the Desktop Cleanup wizard doesn't automatically run on a user's workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. +- If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. -If you disable this setting or don't configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs. +- If you disable this setting or do not configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs. > [!NOTE] -> When this setting isn't enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. +> When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove the Desktop Cleanup Wizard* -- GP name: *NoDesktopCleanupWizard* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Desktop/NoInternetIcon** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoDesktopCleanupWizard | +| Friendly Name | Remove the Desktop Cleanup Wizard | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoDesktopCleanupWizard | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoInternetIcon -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoInternetIcon +``` + - - + + Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. -This setting doesn't prevent the user from starting Internet Explorer by using other methods. +This setting does not prevent the user from starting Internet Explorer by using other methods. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide Internet Explorer icon on desktop* -- GP name: *NoInternetIcon* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Desktop/NoMyComputerIcon** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoInternetIcon | +| Friendly Name | Hide Internet Explorer icon on desktop | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoInternetIcon | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoMyComputerIcon -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoMyComputerIcon +``` + - - + + This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. -If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the folder will be empty. +- If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the folder will be empty. -If you disable this setting, Computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting. +- If you disable this setting, Computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting. -If you don't configure this setting, the default is to display Computer as usual. +- If you do not configure this setting, the default is to display Computer as usual. > [!NOTE] -> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents doesn't hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. 
+> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Computer icon on the desktop* -- GP name: *NoMyComputerIcon* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Desktop/NoMyDocumentsIcon** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoMyComputerIcon | +| Friendly Name | Remove Computer icon on the desktop | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum | +| Registry Value Name | {20D04FE0-3AEA-1069-A2D8-08002B30309D} | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoMyDocumentsIcon -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoMyDocumentsIcon +``` + - - + + Removes most occurrences of the My Documents icon. This setting removes the My Documents icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. -This setting doesn't prevent the user from using other methods to gain access to the contents of the My Documents folder. +This setting does not prevent the user from using other methods to gain access to the contents of the My Documents folder. -This setting doesn't remove the My Documents icon from the Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting. +This setting does not remove the My Documents icon from the Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting. > [!NOTE] > To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional. + - + + + - -ADMX Info: -- GP Friendly name: *Remove My Documents icon on the desktop* -- GP name: *NoMyDocumentsIcon* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Desktop/NoNetHood** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoMyDocumentsIcon | +| Friendly Name | Remove My Documents icon on the desktop | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum | +| Registry Value Name | {450D8FBA-AD25-11D0-98A8-0800361B1103} | +| ADMX File Name | Desktop.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoNetHood -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoNetHood +``` + + + + Removes the Network Locations icon from the desktop. -This setting only affects the desktop icon. It doesn't prevent users from connecting to the network or browsing for shared computers on the network. +This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network. > [!NOTE] > In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide Network Locations icon on desktop* -- GP name: *NoNetHood* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Desktop/NoPropertiesMyComputer** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoNetHood | +| Friendly Name | Hide Network Locations icon on desktop | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoNetHood | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoPropertiesMyComputer -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoPropertiesMyComputer +``` + - - + + This setting hides Properties on the context menu for Computer. -If you enable this setting, the Properties option won't be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. +- If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. -If you disable or don't configure this setting, the Properties option is displayed as usual. +- If you disable or do not configure this setting, the Properties option is displayed as usual. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Properties from the Computer icon context menu* -- GP name: *NoPropertiesMyComputer* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Desktop/NoPropertiesMyDocuments** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoPropertiesMyComputer | +| Friendly Name | Remove Properties from the Computer icon context menu | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoPropertiesMyComputer | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoPropertiesMyDocuments -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoPropertiesMyDocuments +``` + - - + + This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. -If you enable this policy setting, the Properties menu command won't be displayed when the user does any of the following tasks: +- If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following: -- Right-clicks the My Documents icon. -- Clicks the My Documents icon, and then opens the File menu. -- Clicks the My Documents icon, and then presses ALT+ENTER. +Right-clicks the My Documents icon. +Clicks the My Documents icon, and then opens the File menu. +Clicks the My Documents icon, and then presses ALT+ENTER. -If you disable or don't configure this policy setting, the Properties menu command is displayed. +- If you disable or do not configure this policy setting, the Properties menu command is displayed. + - + + + - -ADMX Info: -- GP Friendly name: *Remove Properties from the Documents icon context menu* -- GP name: *NoPropertiesMyDocuments* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Desktop/NoRecentDocsNetHood** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoPropertiesMyDocuments | +| Friendly Name | Remove Properties from the Documents icon context menu | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoPropertiesMyDocuments | +| ADMX File Name | Desktop.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoRecentDocsNetHood -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Remote shared folders aren't added to Network Locations whenever you open a document in the shared folder. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoRecentDocsNetHood +``` + -If you disable this setting or don't configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. + + +Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. -If you enable this setting, shared folders aren't added to Network Locations automatically when you open a document in the shared folder. +- If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. - +- If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder. + + + + - -ADMX Info: -- GP Friendly name: *Do not add shares of recently opened documents to Network Locations* -- GP name: *NoRecentDocsNetHood* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Desktop/NoRecycleBinIcon** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoRecentDocsNetHood | +| Friendly Name | Do not add shares of recently opened documents to Network Locations | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoRecentDocsNetHood | +| ADMX File Name | Desktop.admx | + - -
    +
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * User
+
+## NoRecycleBinIcon
-
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoRecycleBinIcon +``` + + + + Removes most occurrences of the Recycle Bin icon. This setting removes the Recycle Bin icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. -This setting doesn't prevent the user from using other methods to gain access to the contents of the Recycle Bin folder. +This setting does not prevent the user from using other methods to gain access to the contents of the Recycle Bin folder. > [!NOTE] > To make changes to this setting effective, you must log off and then log back on. + - + + + - -ADMX Info: -- GP Friendly name: *Remove Recycle Bin icon from desktop* -- GP name: *NoRecycleBinIcon* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* + +**Description framework properties**: - - -
    +| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-**ADMX_Desktop/NoRecycleBinProperties**
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Name | Value |
+|:--|:--|
+| Name | NoRecycleBinIcon |
+| Friendly Name | Remove Recycle Bin icon from desktop |
+| Location | User Configuration |
+| Path | Desktop |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum |
+| Registry Value Name | {645FF040-5081-101B-9F08-00AA002F954E} |
+| ADMX File Name | Desktop.admx |
+
-
-
    +
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * User
+
+## NoRecycleBinProperties
-
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoRecycleBinProperties +``` + + + + Removes the Properties option from the Recycle Bin context menu. -If you enable this setting, the Properties option won't be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. +- If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. -If you disable or don't configure this setting, the Properties option is displayed as usual. +- If you disable or do not configure this setting, the Properties option is displayed as usual. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Properties from the Recycle Bin context menu* -- GP name: *NoRecycleBinProperties* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    +
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-**ADMX_Desktop/NoSaveSettings**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | NoRecycleBinProperties |
+| Friendly Name | Remove Properties from the Recycle Bin context menu |
+| Location | User Configuration |
+| Path | Desktop |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
+| Registry Value Name | NoPropertiesRecycleBin |
+| ADMX File Name | Desktop.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
    +
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## NoSaveSettings
-> [!div class = "checklist"]
-> * User
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoSaveSettings +``` + - - + + Prevents users from saving certain changes to the desktop. -If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, aren't saved when users sign out. However, shortcuts placed on the desktop are always saved. +- If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Don't save settings at exit* -- GP name: *NoSaveSettings* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    +
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-**ADMX_Desktop/NoWindowMinimizingShortcuts**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | NoSaveSettings |
+| Friendly Name | Don't save settings at exit |
+| Location | User Configuration |
+| Path | Desktop |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
+| Registry Value Name | NoSaveSettings |
+| ADMX File Name | Desktop.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
    +
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## NoWindowMinimizingShortcuts
-> [!div class = "checklist"]
-> * User
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoWindowMinimizingShortcuts +``` + - - + + Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. -If you enable this policy, application windows won't be minimized or restored when the active window is shaken back and forth with the mouse. - -If you disable or don't configure this policy, this window minimizing and restoring gesture will apply. - - - - -ADMX Info: -- GP Friendly name: *Turn off Aero Shake window minimizing mouse gesture* -- GP name: *NoWindowMinimizingShortcuts* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* - - - -
    -
-
-**ADMX_Desktop/Wallpaper**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-
-
    -
-
-
-Specifies the desktop background ("wallpaper") displayed on all users' desktops.
-
-This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file.
-
-To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\\Server\Share\Corp.jpg. If the specified file isn't available when the user logs on, no wallpaper is displayed. Users can't specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users can't change this specification.
-
-If you disable this setting or don't configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice.
-
-Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel.
-
-> [!NOTE]
-> This setting doesn't apply to remote desktop server sessions.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Desktop Wallpaper*
-- GP name: *Wallpaper*
-- GP path: *Desktop\Desktop*
-- GP ADMX file name: *Desktop.admx*
-
-
-
    -
-
-**ADMX_Desktop/sz_ATC_DisableAdd**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-
-
    -
-
-
-Prevents users from adding Web content to their Active Desktop.
-
-This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users can't add Web pages or pictures from the Internet or an intranet to the desktop. This setting doesn't remove existing Web content from their Active Desktop, or prevent users from removing existing Web content.
-
-Also, see the "Disable all items" setting.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Prohibit adding items*
-- GP name: *sz_ATC_DisableAdd*
-- GP path: *Desktop\Desktop*
-- GP ADMX file name: *Desktop.admx*
-
-
-
    -
-
-**ADMX_Desktop/sz_ATC_DisableClose**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-
-
    -
-
-
-Prevents users from removing Web content from their Active Desktop.
-
-In Active Desktop, you can add items to the desktop but close them so they aren't displayed.
-
-If you enable this setting, items added to the desktop can't be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel.
-
-> [!NOTE]
-> This setting doesn't prevent users from deleting items from their Active Desktop.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Prohibit closing items*
-- GP name: *sz_ATC_DisableClose*
-- GP path: *Desktop\Desktop*
-- GP ADMX file name: *Desktop.admx*
-
-
-
    -
-
-**ADMX_Desktop/sz_ATC_DisableDel**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-
-
    -
-
-
-Prevents users from deleting Web content from their Active Desktop.
-
-This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop.
-
-This setting doesn't prevent users from adding Web content to their Active Desktop.
-
-Also, see the "Prohibit closing items" and "Disable all items" settings.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Prohibit deleting items*
-- GP name: *sz_ATC_DisableDel*
-- GP path: *Desktop\Desktop*
-- GP ADMX file name: *Desktop.admx*
-
-
-
    -
-
-**ADMX_Desktop/sz_ATC_DisableEdit**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-
-
    -
-
-
-Prevents users from changing the properties of Web content items on their Active Desktop.
-
-This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users can't change the properties of an item, such as its synchronization schedule, password, or display characteristics.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Prohibit editing items*
-- GP name: *sz_ATC_DisableEdit*
-- GP path: *Desktop\Desktop*
-- GP ADMX file name: *Desktop.admx*
-
-
-
    -
-
-**ADMX_Desktop/sz_ATC_NoComponents**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-
-
    -
-
-
-Removes Active Desktop content and prevents users from adding Active Desktop content.
-
-This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users can't add Web pages or pictures from the Internet or an intranet to the desktop.
-
-> [!NOTE]
-> This setting doesn't disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Disable all items*
-- GP name: *sz_ATC_NoComponents*
-- GP path: *Desktop\Desktop*
-- GP ADMX file name: *Desktop.admx*
-
-
-
    -
-
-**ADMX_Desktop/sz_AdminComponents_Title**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-
-
    - - - +- If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse. + +- If you disable or do not configure this policy, this window minimizing and restoring gesture will apply. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoWindowMinimizingShortcuts | +| Friendly Name | Turn off Aero Shake window minimizing mouse gesture | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoWindowMinimizingShortcuts | +| ADMX File Name | Desktop.admx | + + + + + + + + + +## sz_AdminComponents_Title + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_AdminComponents_Title +``` + + + + Adds and deletes specified Web content items. You can use the "Add" box in this setting to add particular Web-based items or shortcuts to users' desktops. Users can close or delete the items (if settings allow), but the items are added again each time the setting is refreshed. @@ -1360,55 +1221,371 @@ You can use the "Add" box in this setting to add particular Web-based items or s You can also use this setting to delete particular Web-based items from users' desktops. Users can add the item again (if settings allow), but the item is deleted each time the setting is refreshed. > [!NOTE] -> Removing an item from the "Add" list for this setting isn't the same as deleting it. Items that are removed from the "Add" list aren't removed from the desktop. They are simply not added again. +> Removing an item from the "Add" list for this setting is not the same as deleting it. Items that are removed from the "Add" list are not removed from the desktop. They are simply not added again. > [!NOTE] -> For this setting to take effect, you must log off and log on to the system. +> For this setting to take affect, you must log off and log on to the system. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Add/Delete items* -- GP name: *sz_AdminComponents_Title* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    +
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-**ADMX_Desktop/sz_DB_DragDropClose**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | sz_AdminComponents_Title |
+| Friendly Name | Add/Delete items |
+| Location | User Configuration |
+| Path | Desktop > Desktop |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\AdminComponent |
+| ADMX File Name | Desktop.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
    +
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## sz_ATC_DisableAdd
-> [!div class = "checklist"]
-> * User
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_ATC_DisableAdd +``` + - - + + +Prevents users from adding Web content to their Active Desktop. + +This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from removing existing Web content. + +Also, see the "Disable all items" setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | sz_ATC_DisableAdd | +| Friendly Name | Prohibit adding items | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | +| Registry Value Name | NoAddingComponents | +| ADMX File Name | Desktop.admx | + + + + + + + + + +## sz_ATC_DisableClose + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_ATC_DisableClose +``` + + + + +Prevents users from removing Web content from their Active Desktop. + +In Active Desktop, you can add items to the desktop but close them so they are not displayed. + +- If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel. + +> [!NOTE] +> This setting does not prevent users from deleting items from their Active Desktop. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | sz_ATC_DisableClose | +| Friendly Name | Prohibit closing items | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | +| Registry Value Name | NoClosingComponents | +| ADMX File Name | Desktop.admx | + + + + + + + + + +## sz_ATC_DisableDel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_ATC_DisableDel +``` + + + + +Prevents users from deleting Web content from their Active Desktop. + +This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop. + +This setting does not prevent users from adding Web content to their Active Desktop. + +Also, see the "Prohibit closing items" and "Disable all items" settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | sz_ATC_DisableDel | +| Friendly Name | Prohibit deleting items | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | +| Registry Value Name | NoDeletingComponents | +| ADMX File Name | Desktop.admx | + + + + + + + + + +## sz_ATC_DisableEdit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_ATC_DisableEdit +``` + + + + +Prevents users from changing the properties of Web content items on their Active Desktop. + +This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | sz_ATC_DisableEdit | +| Friendly Name | Prohibit editing items | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | +| Registry Value Name | NoEditingComponents | +| ADMX File Name | Desktop.admx | + + + + + + + + + +## sz_ATC_NoComponents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_ATC_NoComponents +``` + + + + +Removes Active Desktop content and prevents users from adding Active Desktop content. + +This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. + +> [!NOTE] +> This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | sz_ATC_NoComponents | +| Friendly Name | Disable all items | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | +| Registry Value Name | NoComponents | +| ADMX File Name | Desktop.admx | + + + + + + + + + +## sz_DB_DragDropClose + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_DB_DragDropClose +``` + + + + Prevents users from manipulating desktop toolbars. -If you enable this setting, users can't add or remove toolbars from the desktop. Also, users can't drag toolbars onto or off from the docked toolbars. +- If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. > [!NOTE] > If users have added or removed toolbars, this setting prevents them from restoring the default configuration. @@ -1417,118 +1594,237 @@ If you enable this setting, users can't add or remove toolbars from the desktop. > To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar beside the Start button), and point to "Toolbars." Also, see the "Prohibit adjusting desktop toolbars" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent adding, dragging, dropping and closing the Taskbar's toolbars* -- GP name: *sz_DB_DragDropClose* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    +
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-**ADMX_Desktop/sz_DB_Moving**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | sz_DB_DragDropClose |
+| Friendly Name | Prevent adding, dragging, dropping and closing the Taskbar's toolbars |
+| Location | User Configuration |
+| Path | Desktop |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
+| Registry Value Name | NoCloseDragDropBands |
+| ADMX File Name | Desktop.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
    +
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## sz_DB_Moving
-> [!div class = "checklist"]
-> * User
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_DB_Moving +``` + - - -Prevents users from adjusting the length of desktop toolbars. Also, users can't reposition items or toolbars on docked toolbars. + + +Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. -This setting doesn't prevent users from adding or removing toolbars on the desktop. +This setting does not prevent users from adding or removing toolbars on the desktop. > [!NOTE] > If users have adjusted their toolbars, this setting prevents them from restoring the default configuration. Also, see the "Prevent adding, dragging, dropping and closing the Taskbar's toolbars" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit adjusting desktop toolbars* -- GP name: *sz_DB_Moving* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Desktop/sz_DWP_NoHTMLPaper** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | sz_DB_Moving | +| Friendly Name | Prohibit adjusting desktop toolbars | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoMovingBands | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## sz_DWP_NoHTMLPaper -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_DWP_NoHTMLPaper +``` + - - -Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper doesn't load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". + + +Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow only bitmapped wallpaper* -- GP name: *sz_DWP_NoHTMLPaper* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | sz_DWP_NoHTMLPaper | +| Friendly Name | Allow only bitmapped wallpaper | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | +| Registry Value Name | NoHTMLWallPaper | +| ADMX File Name | Desktop.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + +## Wallpaper + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/Wallpaper +``` + + + + +Specifies the desktop background ("wallpaper") displayed on all users' desktops. + +This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file. + +To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification. + +- If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice. + +Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel. + +> [!NOTE] +> This setting does not apply to remote desktop server sessions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Wallpaper | +| Friendly Name | Desktop Wallpaper | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | Desktop.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-devicecompat.md b/windows/client-management/mdm/policy-csp-admx-devicecompat.md
index 4391477405..c7ba19f2ce 100644
--- a/windows/client-management/mdm/policy-csp-admx-devicecompat.md
+++ b/windows/client-management/mdm/policy-csp-admx-devicecompat.md
@@ -1,127 +1,148 @@ --- -title: Policy CSP - ADMX_DeviceCompat -description: Learn about Policy CSP - ADMX_DeviceCompat. +title: ADMX_DeviceCompat Policy CSP +description: Learn more about the ADMX_DeviceCompat Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/09/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DeviceCompat + > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DeviceCompat policies + +## DeviceFlags -
    -
    - ADMX_DeviceCompat/DeviceFlags -
    -
    - ADMX_DeviceCompat/DriverShims -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceCompat/DeviceFlags +``` + -
    - - -**ADMX_DeviceCompat/DeviceFlags** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Changes behavior of Microsoft bus drivers to work with specific devices. + - + + + - -ADMX Info: -- GP Friendly name: *Device compatibility settings* -- GP name: *DeviceFlags* -- GP path: *Windows Components\Device and Driver Compatibility* -- GP ADMX file name: *DeviceCompat.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_DeviceCompat/DriverShims** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DeviceFlags | +| Friendly Name | Device compatibility settings | +| Location | Computer Configuration | +| Path | Windows Components > Device and Driver Compatibility | +| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\Compatibility | +| Registry Value Name | DisableDeviceFlags | +| ADMX File Name | DeviceCompat.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DriverShims -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Changes behavior of third-party drivers to work around incompatibilities introduced between OS versions. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceCompat/DriverShims +``` + - + + +Changes behavior of 3rd-party drivers to work around incompatibilities introduced between OS versions. + - -ADMX Info: -- GP Friendly name: *Driver compatibility settings* -- GP name: *DriverShims* -- GP path: *Windows Components\Device and Driver Compatibility* -- GP ADMX file name: *DeviceCompat.admx* + + + - - + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -## Related topics + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DriverShims | +| Friendly Name | Driver compatibility settings | +| Location | Computer Configuration | +| Path | Windows Components > Device and Driver Compatibility | +| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\Compatibility | +| Registry Value Name | DisableDriverShims | +| ADMX File Name | DeviceCompat.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index 07d87543fe..35e1379f3c 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md 
@@ -1,99 +1,105 @@ --- -title: Policy CSP - ADMX_DeviceGuard -description: Learn about Policy CSP - ADMX_DeviceGuard. +title: ADMX_DeviceGuard Policy CSP +description: Learn more about the ADMX_DeviceGuard Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/08/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DeviceGuard -> [!WARNING] -> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + +> [!WARNING] +> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). + - -## ADMX_DeviceGuard policies + +## ConfigCIPolicy -
    -
    - ADMX_DeviceGuard/ConfigCIPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceGuard/ConfigCIPolicy +``` + -
    + + +Deploy Windows Defender Application Control - -**ADMX_DeviceGuard/ConfigCIPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - This policy setting lets you deploy a Code Integrity Policy to a machine to control what is allowed to run on that machine. -If you deploy a Code Integrity Policy, Windows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy. +If you deploy a Code Integrity Policy, Windows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy. To enable this policy the machine must be rebooted. -To enable this policy, the machine must be rebooted. -The file path must be either a UNC path (for example, `\\ServerName\ShareName\SIPolicy.p7b`), -or a locally valid path (for example, `C:\FolderName\SIPolicy.p7b)`. +The file path must be either a UNC path (for example, \\ServerName\ShareName\SIPolicy.p7b), or a locally valid path (for example, C:\FolderName\SIPolicy.p7b). The local machine account (LOCAL SYSTEM) must have access permission to the policy file. -The local machine account (LOCAL SYSTEM) must have access permission to the policy file. -If using a signed and protected policy, then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either: +If using a signed and protected policy then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either: -- First update the policy to a non-protected policy and then disable the setting. (or) -- Disable the setting and then remove the policy from each computer, with a physically present user. +1) first update the policy to a non-protected policy and then disable the setting, or +2) disable the setting and then remove the policy from each computer, with a physically present user. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Deploy Windows Defender Application Control* -- GP name: *ConfigCIPolicy* -- GP path: *Windows Components/DeviceGuard!DeployConfigCIPolicy* -- GP ADMX file name: *DeviceGuard.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | ConfigCIPolicy | +| Friendly Name | Deploy Windows Defender Application Control | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| Registry Value Name | DeployConfigCIPolicy | +| ADMX File Name | DeviceGuard.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md index 4ec0b160fd..1deaa9fc80 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md 
@@ -1,442 +1,520 @@ --- -title: Policy CSP - ADMX_DeviceInstallation -description: Learn about Policy CSP - ADMX_DeviceInstallation. +title: ADMX_DeviceInstallation Policy CSP +description: Learn more about the ADMX_DeviceInstallation Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/19/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DeviceInstallation > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DeviceInstallation policies + +## DeviceInstall_AllowAdminInstall -
    -
    - ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall -
    -
    - ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText -
    -
    - ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText -
    -
    - ADMX_DeviceInstallation/DeviceInstall_InstallTimeout -
    -
    - ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime -
    -
    - ADMX_DeviceInstallation/DeviceInstall_Removable_Deny -
    -
    - ADMX_DeviceInstallation/DeviceInstall_SystemRestore -
    -
    - ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall +``` + -
    - - -**ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. -If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +- If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. +- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or don't configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. +- If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow administrators to override Device Installation Restriction policies* -- GP name: *DeviceInstall_AllowAdminInstall* -- GP path: *System\Device Installation\Device Installation Restrictions* -- GP ADMX file name: *DeviceInstallation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_AllowAdminInstall | +| Friendly Name | Allow administrators to override Device Installation Restriction policies | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | AllowAdminInstall | +| ADMX File Name | DeviceInstallation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DeviceInstall_DeniedPolicy_DetailText -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText +``` + - - + + This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. -If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. +- If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. -If you disable or don't configure this policy setting, Windows displays a default message when a policy setting prevents device installation. +- If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display a custom message when installation is prevented by a policy setting* -- GP name: *DeviceInstall_DeniedPolicy_DetailText* -- GP path: *System\Device Installation\Device Installation Restrictions* -- GP ADMX file name: *DeviceInstallation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_DeniedPolicy_DetailText | +| Friendly Name | Display a custom message when installation is prevented by a policy setting | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy | +| ADMX File Name | DeviceInstallation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DeviceInstall_DeniedPolicy_SimpleText -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText +``` + - - + + This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. -If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. +- If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. -If you disable or don't configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. +- If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display a custom message title when device installation is prevented by a policy setting* -- GP name: *DeviceInstall_DeniedPolicy_SimpleText* -- GP path: *System\Device Installation\Device Installation Restrictions* -- GP ADMX file name: *DeviceInstallation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_DeviceInstallation/DeviceInstall_InstallTimeout** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_DeniedPolicy_SimpleText | +| Friendly Name | Display a custom message title when device installation is prevented by a policy setting | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy | +| ADMX File Name | DeviceInstallation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DeviceInstall_InstallTimeout -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_InstallTimeout +``` + - - + + This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. -If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. +- If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. -If you disable or don't configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. +- If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure device installation time-out* -- GP name: *DeviceInstall_InstallTimeout* -- GP path: *System\Device Installation* -- GP ADMX file name: *DeviceInstallation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_InstallTimeout | +| Friendly Name | Configure device installation time-out | +| Location | Computer Configuration | +| Path | System > Device Installation | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Settings | +| ADMX File Name | DeviceInstallation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DeviceInstall_Policy_RebootTime -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime +``` + - - + + This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. -If you enable this policy setting, set the number of seconds you want the system to wait until a reboot. +- If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot. -If you disable or don't configure this policy setting, the system doesn't force a reboot. +- If you disable or do not configure this policy setting, the system does not force a reboot. ->[!Note] -> If no reboot is forced, the device installation restriction right won't take effect until the system is restarted. +> [!NOTE] +> If no reboot is forced, the device installation restriction right will not take effect until the system is restarted. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Time (in seconds) to force reboot when required for policy changes to take effect* -- GP name: *DeviceInstall_Policy_RebootTime* -- GP path: *System\Device Installation\Device Installation Restrictions* -- GP ADMX file name: *DeviceInstallation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_DeviceInstallation/DeviceInstall_Removable_Deny** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Policy_RebootTime | +| Friendly Name | Time (in seconds) to force reboot when required for policy changes to take effect | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | ForceReboot | +| ADMX File Name | DeviceInstallation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DeviceInstall_Removable_Deny -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_Removable_Deny +``` + - - -This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it's connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. + + +This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. -If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices can't have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. +NOTE: To enable the "Allow installation of devices using drivers that match these device setup classes", "Allow installation of devices that match any of these device IDs", and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. 
-If you disable or don't configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings. - +- If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. +- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. +- If you disable or do not configure this policy setting, Windows can install and update driver packages for removable devices as allowed or prevented by other policy settings. + - -ADMX Info: -- GP Friendly name: *Prevent installation of removable devices* -- GP name: *DeviceInstall_Removable_Deny* -- GP path: *System\Device Installation\Device Installation Restrictions* -- GP ADMX file name: *DeviceInstallation.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_DeviceInstallation/DeviceInstall_SystemRestore** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Removable_Deny | +| Friendly Name | Prevent installation of removable devices | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | DenyRemovableDevices | +| ADMX File Name | DeviceInstallation.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## DeviceInstall_SystemRestore - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_SystemRestore +``` + + + + This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. -If you enable this policy setting, Windows doesn't create a system restore point when one would normally be created. +- If you enable this policy setting, Windows does not create a system restore point when one would normally be created. -If you disable or don't configure this policy setting, Windows creates a system restore point as it normally would. +- If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point* -- GP name: *DeviceInstall_SystemRestore* -- GP path: *System\Device Installation* -- GP ADMX file name: *DeviceInstallation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_SystemRestore | +| Friendly Name | Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point | +| Location | Computer Configuration | +| Path | System > Device Installation | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Settings | +| Registry Value Name | DisableSystemRestore | +| ADMX File Name | DeviceInstallation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DriverInstall_Classes_AllowUser -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser +``` + - - -This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. + + +This policy setting specifies a list of device setup class GUIDs describing driver packages that non-administrator members of the built-in Users group may install on the system. -If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. +- If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. -If you disable or don't configure this policy setting, only members of the Administrators group are allowed to install new device drivers on the system. +- If you disable or do not configure this policy setting, only members of the Administrators group are allowed to install new driver packages on the system. + + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Allow non-administrators to install drivers for these device setup classes* -- GP name: *DriverInstall_Classes_AllowUser* -- GP path: *System\Device Installation* -- GP ADMX file name: *DeviceInstallation.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DriverInstall_Classes_AllowUser | +| Friendly Name | Allow non-administrators to install drivers for these device setup classes | +| Location | Computer Configuration | +| Path | System > Driver Installation | +| Registry Key Name | Software\Policies\Microsoft\Windows\DriverInstall\Restrictions | +| Registry Value Name | AllowUserDeviceClasses | +| ADMX File Name | DeviceInstallation.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md index 75d6ef18bf..658452c874 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md 
@@ -1,143 +1,159 @@ --- -title: Policy CSP - ADMX_DeviceSetup -description: Learn about Policy CSP - ADMX_DeviceSetup. +title: ADMX_DeviceSetup Policy CSP +description: Learn more about the ADMX_DeviceSetup Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/19/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DeviceSetup > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DeviceSetup policies + +## DeviceInstall_BalloonTips -
    -
    - ADMX_DeviceSetup/DeviceInstall_BalloonTips -
    -
    - ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceSetup/DeviceInstall_BalloonTips +``` + -
    - - -**ADMX_DeviceSetup/DeviceInstall_BalloonTips** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to turn off "Found New Hardware" balloons during device installation. -If you enable this policy setting, "Found New Hardware" balloons don't appear while a device is being installed. +- If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. -If you disable or don't configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. +- If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off "Found New Hardware" balloons during device installation* -- GP name: *DeviceInstall_BalloonTips* -- GP path: *System\Device Installation* -- GP ADMX file name: *DeviceSetup.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_BalloonTips | +| Friendly Name | Turn off "Found New Hardware" balloons during device installation | +| Location | Computer Configuration | +| Path | System > Device Installation | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Settings | +| Registry Value Name | DisableBalloonTips | +| ADMX File Name | DeviceSetup.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DriverSearchPlaces_SearchOrderConfiguration -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration +``` + - - + + This policy setting allows you to specify the order in which Windows searches source locations for device drivers. -If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. +- If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. ->[!Note] -> Searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows won't continually search for updates. +**Note** that searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows will not continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. -This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching is enabled and only when needed is specified, then Windows will search for a driver only if a driver isn't locally available on the system. +If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver is not locally available on the system. -If you disable or don't configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. +- If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Specify search order for device driver source locations* -- GP name: *DriverSearchPlaces_SearchOrderConfiguration* -- GP path: *System\Device Installation* -- GP ADMX file name: *DeviceSetup.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | DriverSearchPlaces_SearchOrderConfiguration | +| Friendly Name | Specify search order for device driver source locations | +| Location | Computer Configuration | +| Path | System > Device Installation | +| Registry Key Name | Software\Policies\Microsoft\Windows\DriverSearching | +| ADMX File Name | DeviceSetup.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-dfs.md b/windows/client-management/mdm/policy-csp-admx-dfs.md index e40ed73aad..a1bfa5be48 100644 --- a/windows/client-management/mdm/policy-csp-admx-dfs.md +++ b/windows/client-management/mdm/policy-csp-admx-dfs.md 
@@ -1,92 +1,98 @@ --- -title: Policy CSP - ADMX_DFS -description: Learn about Policy CSP - ADMX_DFS. +title: ADMX_DFS Policy CSP +description: Learn more about the ADMX_DFS Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/08/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DFS > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    - -## ADMX_DFS policies + + + -
    -
    - ADMX_DFS/DFSDiscoverDC -
    -
    + +## DFSDiscoverDC + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DFS/DFSDiscoverDC +``` + - -**ADMX_DFS/DFSDiscoverDC** + + +This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to discover domain controllers on a network. By default, a DFS client attempts to discover domain controllers every 15 minutes. - +- If you enable this policy setting, you can configure how often a DFS client attempts to discover domain controllers. This value is specified in minutes. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to discover domain controllers on a network. -By default, a DFS client attempts to discover domain controllers every 15 minutes. - -If you enable this policy setting, you can configure how often a DFS client attempts to discover domain controllers. This value is specified in minutes. - -If you disable or don't configure this policy setting, the default value of 15 minutes applies. +- If you disable or do not configure this policy setting, the default value of 15 minutes applies. > [!NOTE] > The minimum value you can select is 15 minutes. If you try to set this setting to a value less than 15 minutes, the default value of 15 minutes is applied. + - + + + - -ADMX Info: -- GP Friendly name: *Configure how often a DFS client discovers domain controllers* -- GP name: *DFSDiscoverDC* -- GP path: *Windows Components\ActiveX Installer Service* -- GP ADMX file name: *DFS.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | DFSDiscoverDC | +| Friendly Name | Configure how often a DFS client discovers domain controllers | +| Location | Computer Configuration | +| Path | Network | +| Registry Key Name | Software\Policies\Microsoft\System\DFSClient | +| ADMX File Name | DFS.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index 90522018ee..78e62e2a1a 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md 
@@ -1,143 +1,160 @@ --- -title: Policy CSP - ADMX_DigitalLocker -description: Learn about Policy CSP - ADMX_DigitalLocker. +title: ADMX_DigitalLocker Policy CSP +description: Learn more about the ADMX_DigitalLocker Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/31/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DigitalLocker > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DigitalLocker policies + +## Digitalx_DiableApplication_TitleText_1 -
    -
    - ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1 -
    -
    - ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1 +``` + -
    - - -**ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting specifies whether Digital Locker can run. + + +Specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. -If you enable this setting, Digital Locker won't run. +- If you enable this setting, Digital Locker will not run. -If you disable or don't configure this setting, Digital Locker can be run. +- If you disable or do not configure this setting, Digital Locker can be run. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow Digital Locker to run* -- GP name: *Digitalx_DiableApplication_TitleText_1* -- GP path: *Windows Components/Digital Locker* -- GP ADMX file name: *DigitalLocker.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Digitalx_DiableApplication_TitleText_1 | +| Friendly Name | Do not allow Digital Locker to run | +| Location | User Configuration | +| Path | Windows Components > Digital Locker | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Digital Locker | +| Registry Value Name | DoNotRunDigitalLocker | +| ADMX File Name | DigitalLocker.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Digitalx_DiableApplication_TitleText_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies whether Digital Locker can run. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2 +``` + + + + +Specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. -If you enable this setting, Digital Locker won't run. +- If you enable this setting, Digital Locker will not run. -If you disable or don't configure this setting, Digital Locker can be run. +- If you disable or do not configure this setting, Digital Locker can be run. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not allow Digital Locker to run* -- GP name: *Digitalx_DiableApplication_TitleText_2* -- GP path: *Windows Components/Digital Locker* -- GP ADMX file name: *DigitalLocker.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Digitalx_DiableApplication_TitleText_2 | +| Friendly Name | Do not allow Digital Locker to run | +| Location | Computer Configuration | +| Path | Windows Components > Digital Locker | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Digital Locker | +| Registry Value Name | DoNotRunDigitalLocker | +| ADMX File Name | DigitalLocker.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md index 9c83d784c0..01ef255643 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md 
@@ -1,158 +1,174 @@ --- -title: Policy CSP - ADMX_DiskDiagnostic -description: Learn about Policy CSP - ADMX_DiskDiagnostic. +title: ADMX_DiskDiagnostic Policy CSP +description: Learn more about the ADMX_DiskDiagnostic Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/08/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DiskDiagnostic > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DiskDiagnostic policies + +## DfdAlertPolicy -
    -
    - ADMX_DiskDiagnostic/DfdAlertPolicy -
    -
    - ADMX_DiskDiagnostic/WdiScenarioExecutionPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskDiagnostic/DfdAlertPolicy +``` + -
    + + +This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S. M. A. R. T. fault. - -**ADMX_DiskDiagnostic/DfdAlertPolicy** +- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. - +- If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault. - -If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. - -If you disable or don't configure this policy setting, Windows displays the default alert text in the disk diagnostic message. - -No reboots or service restarts are required for this policy setting to take effect, whereas changes take effect immediately. - -This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed. -The DPS can be configured with the Services snap-in to the Microsoft Management Console. - -> [!NOTE] -> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services. - - - - -ADMX Info: -- GP Friendly name: *Configure custom alert text* -- GP name: *DfdAlertPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic* -- GP ADMX file name: *DiskDiagnostic.admx* - - - -
    -
    - - -**ADMX_DiskDiagnostic/WdiScenarioExecutionPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines the execution level for S.M.A.R.T.-based disk diagnostics. - -Self-Monitoring And Reporting Technology (S.M.A.R.T.) is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur. - -If you enable this policy setting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss. - -If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken. - -If you don't configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. - -No reboots or service restarts are required for this policy setting to take effect, whereas changes take effect immediately. - -This policy setting takes effect only when the DPS is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. +This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. > [!NOTE] > For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Configure execution level* -- GP name: *WdiScenarioExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic* -- GP ADMX file name: *DiskDiagnostic.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | DfdAlertPolicy | +| Friendly Name | Disk Diagnostic: Configure custom alert text | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Disk Diagnostic | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{29689E29-2CE9-4751-B4FC-8EFF5066E3FD} | +| ADMX File Name | DiskDiagnostic.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + +## WdiScenarioExecutionPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskDiagnostic/WdiScenarioExecutionPolicy +``` + + + + +This policy setting determines the execution level for S. M. A. R. T.-based disk diagnostics. + +Self-Monitoring And Reporting Technology (S. M. A. R. T.) is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S. M. A. R. T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S. M. A. R. T. faults to the event log when they occur. + +- If you enable this policy setting, the DPS also warns users of S. M. A. R. T. faults and guides them through backup and recovery to minimize potential data loss. + +- If you disable this policy, S. M. A. R. T. faults are still detected and logged, but no corrective action is taken. + +- If you do not configure this policy setting, the DPS enables S. M. A. R. T. fault resolution by default. + +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. + +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. + +This policy setting takes effect only when the DPS is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + +> [!NOTE] +> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Disk Diagnostic: Configure execution level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Disk Diagnostic | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{29689E29-2CE9-4751-B4FC-8EFF5066E3FD} | +| ADMX File Name | DiskDiagnostic.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md index 679efe6819..04aee2cb1f 100644 --- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -1,200 +1,296 @@ --- -title: Policy CSP - ADMX_DiskNVCache -description: Learn about Policy CSP - ADMX_DiskNVCache. +title: ADMX_DiskNVCache Policy CSP +description: Learn more about the ADMX_DiskNVCache Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/12/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DiskNVCache - -
    - - -## ADMX_DiskNVCache policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    -
    - ADMX_DiskNVCache/BootResumePolicy -
    -
    - ADMX_DiskNVCache/FeatureOffPolicy -
    -
    - ADMX_DiskNVCache/SolidStatePolicy -
    -
    + +## BootResumePolicy + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskNVCache/BootResumePolicy +``` + - -**ADMX_DiskNVCache/BootResumePolicy** - + + +This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume. - -
    +- If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume. The system determines the data that will be stored in the NV cache to optimize boot and resume. The required data is stored in the NV cache during shutdown and hibernate, respectively. This might cause a slight increase in the time taken for shutdown and hibernate. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you do not configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations. -> [!div class = "checklist"] -> * Device +> [!NOTE] +> This policy setting is applicable only if the NV cache feature is on. + -
    + + + - - -This policy setting turns off the boot and resumes optimizations for the hybrid hard disks in the system. + +**Description framework properties**: -If you enable this policy setting, the system doesn't use the non-volatile (NV) cache to optimize boot and resume. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -The system determines the data that will be stored in the NV cache to optimize boot and resume. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -The required data is stored in the NV cache during shutdown and hibernate, respectively. This storage in such a location might cause a slight increase in the time taken for shutdown and hibernate. If you don't configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations. +**ADMX mapping**: -This policy setting is applicable only if the NV cache feature is on. +| Name | Value | +|:--|:--| +| Name | BootResumePolicy | +| Friendly Name | Turn off boot and resume optimizations | +| Location | Computer Configuration | +| Path | System > Disk NV Cache | +| Registry Key Name | Software\Policies\Microsoft\Windows\NvCache | +| Registry Value Name | OptimizeBootAndResume | +| ADMX File Name | DiskNVCache.admx | + - + + + - -ADMX Info: -- GP Friendly name: *Turn off boot and resume optimizations* -- GP name: *BootResumePolicy* -- GP path: *System\Disk NV Cache* -- GP ADMX file name: *DiskNVCache.admx* + - - -
    + +## CachePowerModePolicy -**ADMX_DiskNVCache/FeatureOffPolicy** - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskNVCache/CachePowerModePolicy +``` + - -
    + + +This policy setting turns off power save mode on the hybrid hard disks in the system. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you enable this policy setting, the hard disks are not put into NV cache power save mode and no power savings are achieved. -> [!div class = "checklist"] -> * Device +- If you disable this policy setting, the hard disks are put into an NV cache power saving mode. In this mode, the system tries to save power by aggressively spinning down the disk. -
    +- If you do not configure this policy setting, the default behavior is to allow the hybrid hard disks to be in power save mode. - - -This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system. +> [!NOTE] +> This policy setting is applicable only if the NV cache feature is on. + -To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache. + + + -If you enable this policy setting, the system won't manage the NV cache and won't enable NV cache power saving mode. + +**Description framework properties**: -If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -This policy setting will take effect on next boot. If you don't configure this policy setting, the default behavior is to turn on support for the NV cache. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Turn off non-volatile cache feature* -- GP name: *FeatureOffPolicy* -- GP path: *System\Disk NV Cache* -- GP ADMX file name: *DiskNVCache.admx* +| Name | Value | +|:--|:--| +| Name | CachePowerModePolicy | +| Friendly Name | Turn off cache power mode | +| Location | Computer Configuration | +| Path | System > Disk NV Cache | +| Registry Key Name | Software\Policies\Microsoft\Windows\NvCache | +| Registry Value Name | EnablePowerModeState | +| ADMX File Name | DiskNVCache.admx | + - - + + + -
    + - -**ADMX_DiskNVCache/SolidStatePolicy** - + +## FeatureOffPolicy -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskNVCache/FeatureOffPolicy +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system. To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache. -> [!div class = "checklist"] -> * Device +- If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode. -
    +- If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured. - - +> [!NOTE] +> This policy setting will take effect on next boot. + +- If you do not configure this policy setting, the default behavior is to turn on support for the NV cache. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FeatureOffPolicy | +| Friendly Name | Turn off non-volatile cache feature | +| Location | Computer Configuration | +| Path | System > Disk NV Cache | +| Registry Key Name | Software\Policies\Microsoft\Windows\NvCache | +| Registry Value Name | EnableNvCache | +| ADMX File Name | DiskNVCache.admx | + + + + + + + + + +## SolidStatePolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskNVCache/SolidStatePolicy +``` + + + + This policy setting turns off the solid state mode for the hybrid hard disks. -If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache. +- If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache. -If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This storage allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power. +- If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power. **Note** that this can cause increased wear of the NV cache. -This can cause increased wear of the NV cache. If you don't configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. +- If you do not configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. ->[!Note] +> [!NOTE] > This policy setting is applicable only if the NV cache feature is on. + + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off solid state mode* -- GP name: *SolidStatePolicy* -- GP path: *System\Disk NV Cache* -- GP ADMX file name: *DiskNVCache.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | SolidStatePolicy | +| Friendly Name | Turn off solid state mode | +| Location | Computer Configuration | +| Path | System > Disk NV Cache | +| Registry Key Name | Software\Policies\Microsoft\Windows\NvCache | +| Registry Value Name | EnableSolidStateMode | +| ADMX File Name | DiskNVCache.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md index 35d3111b03..a8d0a1bea1 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskquota.md +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -1,365 +1,437 @@ --- -title: Policy CSP - ADMX_DiskQuota -description: Learn about Policy CSP - ADMX_DiskQuota. +title: ADMX_DiskQuota Policy CSP +description: Learn more about the ADMX_DiskQuota Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/12/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DiskQuota - -
    - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## ADMX_DiskQuota policies + + + + +## DQ_Enable -
    -
    - ADMX_DiskQuota/DQ_RemovableMedia -
    -
    - ADMX_DiskQuota/DQ_Enable -
    -
    - ADMX_DiskQuota/DQ_Enforce -
    -
    - ADMX_DiskQuota/DQ_LogEventOverLimit -
    -
    - ADMX_DiskQuota/DQ_LogEventOverThreshold -
    -
    - ADMX_DiskQuota/DQ_Limit -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskQuota/DQ_Enable +``` + -
    - - -**ADMX_DiskQuota/DQ_RemovableMedia** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting extends the disk quota policies in this folder to NTFS file system volumes on the removable media. - -If you disable or don't configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only. - -When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media. - - - - -ADMX Info: -- GP Friendly name: *Apply policy to removable media* -- GP name: *DQ_RemovableMedia* -- GP path: *System\Disk Quotas* -- GP ADMX file name: *DiskQuota.admx* - - - - -
    - - -**ADMX_DiskQuota/DQ_Enable** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting. -If you enable this policy setting, disk quota management is turned on, and users can't turn it off. +- If you enable this policy setting, disk quota management is turned on, and users cannot turn it off. -If you disable the policy setting, disk quota management is turned off, and users can't turn it on. When this policy setting isn't configured then the disk quota management is turned off by default, and the administrators can turn it on. +- If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. + +- If this policy setting is not configured, disk quota management is turned off by default, but administrators can turn it on. To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes. -This policy setting turns on disk quota management but doesn't establish or enforce a particular disk quota limit. +> [!NOTE] +> This policy setting turns on disk quota management but does not establish or enforce a particular disk quota limit. To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. -To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. +> [!NOTE] +> To turn on or turn off disk quota management without specifying a setting, in My Computer, right-click the name of an NTFS volume, click Properties, click the Quota tab, and then click "Enable quota management." 
+ -To turn on or turn off disk quota management without specifying a setting, in My Computer, right-click the name of an NTFS volume, click Properties, click the Quota tab, and then click "Enable quota management." + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable disk quotas* -- GP name: *DQ_Enable* -- GP path: *System\Disk Quotas* -- GP ADMX file name: *DiskQuota.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | DQ_Enable | +| Friendly Name | Enable disk quotas | +| Location | Computer Configuration | +| Path | System > Disk Quotas | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DiskQuota | +| Registry Value Name | Enable | +| ADMX File Name | DiskQuota.admx | + - -**ADMX_DiskQuota/DQ_Enforce** - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DQ_Enforce - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskQuota/DQ_Enforce +``` + -
    - - - + + This policy setting determines whether disk quota limits are enforced and prevents users from changing the setting. -If you enable this policy setting, disk quota limits are enforced. +- If you enable this policy setting, disk quota limits are enforced. +- If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceeding quota limit" option on the Quota tab so administrators cannot make changes while the setting is in effect. -If you disable this policy setting, disk quota limits aren't enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators can't make changes while the setting is in effect. +- If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. -If you don't configure this policy setting, the disk quota limit isn't enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes. However, the users can continue to write to the volume as long as physical space is available. +Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes, but they can continue to write to the volume as long as physical space is available. -This policy setting overrides user settings that enable or disable quota enforcement on their volumes. 
+> [!NOTE] +> This policy setting overrides user settings that enable or disable quota enforcement on their volumes. -To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. +> [!NOTE] +> To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. + - + + + - -ADMX Info: -- GP Friendly name: *Enforce disk quota limit* -- GP name: *DQ_Enforce* -- GP path: *System\Disk Quotas* -- GP ADMX file name: *DiskQuota.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -**ADMX_DiskQuota/DQ_LogEventOverLimit** - +| Name | Value | +|:--|:--| +| Name | DQ_Enforce | +| Friendly Name | Enforce disk quota limit | +| Location | Computer Configuration | +| Path | System > Disk Quotas | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DiskQuota | +| Registry Value Name | Enforce | +| ADMX File Name | DiskQuota.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DQ_Limit -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskQuota/DQ_Limit +``` + - - -This policy setting determines whether the system records an event in the local Application log when users reach their disk quota limit on a volume, and prevents users from changing the logging setting. - -If you enable this policy setting, the system records an event when the user reaches their limit. - -If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators can't change the setting while a setting is in effect. If you don't configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting. - -This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting doesn't affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they've reached their limit, because their status in the Quota Entries window changes. - -To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. - - - - - -ADMX Info: -- GP Friendly name: *Log event when quota limit is exceeded* -- GP name: *DQ_LogEventOverLimit* -- GP path: *System\Disk Quotas* -- GP ADMX file name: *DiskQuota.admx* - - - -
    - - - -**ADMX_DiskQuota/DQ_LogEventOverThreshold** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines whether the system records an event in the Application log when users reach their disk quota warning level on a volume. - -If you enable this policy setting, the system records an event. - -If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators can't change logging while a policy setting is in effect. - -If you don't configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting doesn't affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they've reached their warning level because their status in the Quota Entries window changes. - -To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. - - - - -ADMX Info: -- GP Friendly name: *Log event when quota warning level is exceeded* -- GP name: *DQ_LogEventOverThreshold* -- GP path: *System\Disk Quotas* -- GP ADMX file name: *DiskQuota.admx* - - - - -
    - - - -**ADMX_DiskQuota/DQ_Limit** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies the default disk quota limit and warning level for new users of the volume. + This policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. It also specifies the warning level, the point at which the user's status in the Quota Entries window changes to indicate that the user is approaching the disk quota limit. -This setting overrides new users’ settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the "Select the default quota limit for new users of this volume" section on the Quota tab. -This policy setting applies to all new users as soon as they write to the volume. It doesn't affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties). +This setting overrides new users' settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the "Select the default quota limit for new users of this volume" section on the Quota tab. -If you disable or don't configure this policy setting, the disk space available to users isn't limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it's reasonable for the range of volumes in the group. +This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties). -This policy setting is effective only when disk quota management is enabled on the volume. 
Also, if disk quotas aren't enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume. +- If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. - +When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group. - -ADMX Info: -- GP Friendly name: *Specify default quota limit and warning level* -- GP name: *DQ_Limit* -- GP path: *System\Disk Quotas* -- GP ADMX file name: *DiskQuota.admx* +This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas are not enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume. + - - + + + -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -## Related topics + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DQ_Limit | +| Friendly Name | Specify default quota limit and warning level | +| Location | Computer Configuration | +| Path | System > Disk Quotas | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DiskQuota | +| ADMX File Name | DiskQuota.admx | + + + + + + + + + +## DQ_LogEventOverLimit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskQuota/DQ_LogEventOverLimit +``` + + + + +This policy setting determines whether the system records an event in the local Application log when users reach their disk quota limit on a volume, and prevents users from changing the logging setting. + +- If you enable this policy setting, the system records an event when the user reaches their limit. +- If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators cannot change the setting while a setting is in effect. + +- If you do not configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting. + +This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. + +Also, this policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their limit, because their status in the Quota Entries window changes. + +> [!NOTE] +> To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DQ_LogEventOverLimit | +| Friendly Name | Log event when quota limit is exceeded | +| Location | Computer Configuration | +| Path | System > Disk Quotas | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DiskQuota | +| Registry Value Name | LogEventOverLimit | +| ADMX File Name | DiskQuota.admx | + + + + + + + + + +## DQ_LogEventOverThreshold + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskQuota/DQ_LogEventOverThreshold +``` + + + + +This policy setting determines whether the system records an event in the Application log when users reach their disk quota warning level on a volume. + +- If you enable this policy setting, the system records an event. +- If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators cannot change logging while a policy setting is in effect. + +- If you do not configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. + +This policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their warning level because their status in the Quota Entries window changes. + +> [!NOTE] +> To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DQ_LogEventOverThreshold | +| Friendly Name | Log event when quota warning level is exceeded | +| Location | Computer Configuration | +| Path | System > Disk Quotas | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DiskQuota | +| Registry Value Name | LogEventOverThreshold | +| ADMX File Name | DiskQuota.admx | + + + + + + + + + +## DQ_RemovableMedia + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskQuota/DQ_RemovableMedia +``` + + + + +This policy setting extends the disk quota policies in this folder to NTFS file system volumes on removable media. + +- If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only + +> [!NOTE] +> When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DQ_RemovableMedia | +| Friendly Name | Apply policy to removable media | +| Location | Computer Configuration | +| Path | System > Disk Quotas | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DiskQuota | +| Registry Value Name | ApplyToRemovableMedia | +| ADMX File Name | DiskQuota.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md index 2f3c8c7fb5..60915bf0cb 100644 --- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md +++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md 
@@ -1,93 +1,93 @@ --- -title: Policy CSP - ADMX_DistributedLinkTracking -description: Learn about Policy CSP - ADMX_DistributedLinkTracking. +title: ADMX_DistributedLinkTracking Policy CSP +description: Learn more about the ADMX_DistributedLinkTracking Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/22/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DistributedLinkTracking > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DistributedLinkTracking policies + +## DLT_AllowDomainMode -
    -
    - ADMX_DistributedLinkTracking/DLT_AllowDomainMode -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DistributedLinkTracking/DLT_AllowDomainMode +``` + -
    + + +Specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. The DLT client can more reliably track links when allowed to use the DLT server. This policy should not be set unless the DLT server is running on all domain controllers in the domain. + - -**ADMX_DistributedLinkTracking/DLT_AllowDomainMode** + + +**Note** This policy setting applies to all sites in Trusted zones. + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Machine +| Name | Value | +|:--|:--| +| Name | DLT_AllowDomainMode | +| Friendly Name | Allow Distributed Link Tracking clients to use domain resources | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DLT_AllowDomainMode | +| ADMX File Name | DistributedLinkTracking.admx | + -
    + + + - - -This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. + -The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. + + + -The DLT client can more reliably track links when allowed to use the DLT server. -This policy shouldn't be set unless the DLT server is running on all domain controllers in the domain. + -> [!NOTE] -> This policy setting applies to all sites in Trusted zones. +## Related articles - - - -ADMX Info: -- GP Friendly name: *Allow Distributed Link Tracking clients to use domain resources* -- GP name: *DLT_AllowDomainMode* -- GP path: *Windows\System!DLT_AllowDomainMode* -- GP ADMX file name: *DistributedLinkTracking.admx* - - - -
    - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 282156487a..c9dacb52a6 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md 
@@ -1,176 +1,108 @@ --- -title: Policy CSP - ADMX_DnsClient -description: Learn about Policy CSP - ADMX_DnsClient. +title: ADMX_DnsClient Policy CSP +description: Learn more about the ADMX_DnsClient Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/12/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DnsClient > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DnsClient policies + +## DNS_AllowFQDNNetBiosQueries -
    -
    - ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries -
    -
    - ADMX_DnsClient/DNS_AppendToMultiLabelName -
    -
    - ADMX_DnsClient/DNS_Domain -
    -
    - ADMX_DnsClient/DNS_DomainNameDevolutionLevel -
    -
    - ADMX_DnsClient/DNS_IdnEncoding -
    -
    - ADMX_DnsClient/DNS_IdnMapping -
    -
    - ADMX_DnsClient/DNS_NameServer -
    -
    - ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns -
    -
    - ADMX_DnsClient/DNS_PrimaryDnsSuffix -
    -
    - ADMX_DnsClient/DNS_RegisterAdapterName -
    -
    - ADMX_DnsClient/DNS_RegisterReverseLookup -
    -
    - ADMX_DnsClient/DNS_RegistrationEnabled -
    -
    - ADMX_DnsClient/DNS_RegistrationOverwritesInConflict -
    -
    - ADMX_DnsClient/DNS_RegistrationRefreshInterval -
    -
    - ADMX_DnsClient/DNS_RegistrationTtl -
    -
    - ADMX_DnsClient/DNS_SearchList -
    -
    - ADMX_DnsClient/DNS_SmartMultiHomedNameResolution -
    -
    - ADMX_DnsClient/DNS_SmartProtocolReorder -
    -
    - ADMX_DnsClient/DNS_UpdateSecurityLevel -
    -
    - ADMX_DnsClient/DNS_UpdateTopLevelDomainZones -
    -
    - ADMX_DnsClient/DNS_UseDomainNameDevolution -
    -
    - ADMX_DnsClient/Turn_Off_Multicast -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries +``` + -
    + + +Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. - -**ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries** - +- If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names such as "www.example.com" in addition to single-label names. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names such as "example" and not for multi-label and fully qualified domain names. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. +**ADMX mapping**: -If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names. +| Name | Value | +|:--|:--| +| Name | DNS_AllowFQDNNetBiosQueries | +| Friendly Name | Allow NetBT queries for fully qualified domain names | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | QueryNetBTFQDN | +| ADMX File Name | DnsClient.admx | + -If you disable this policy setting, or if you don't configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names. + + + - + + +## DNS_AppendToMultiLabelName - -ADMX Info: -- GP Friendly name: *Allow NetBT queries for fully qualified domain names* -- GP name: *DNS_AllowFQDNNetBiosQueries* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_AppendToMultiLabelName +``` + - -**ADMX_DnsClient/DNS_AppendToMultiLabelName** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. + + +Specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. 
@@ -178,979 +110,136 @@ For example, if attaching suffixes is allowed, an unqualified multi-label name q If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com." second if the first query fails. -If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails. +- If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails. -If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails. +- If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails. -If you don't configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. +- If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. + - + + + - -ADMX Info: -- GP Friendly name: *Allow DNS suffix appending to unqualified multi-label name queries* -- GP name: *DNS_AppendToMultiLabelName* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_DnsClient/DNS_Domain** - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DNS_AppendToMultiLabelName | +| Friendly Name | Allow DNS suffix appending to unqualified multi-label name queries | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | AppendToMultiLabelName | +| ADMX File Name | DnsClient.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DNS_Domain -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_Domain +``` + -If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. + + +Specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. -If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. +To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. - +- If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. +- If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. + - -ADMX Info: -- GP Friendly name: *Connection-specific DNS suffix* -- GP name: *DNS_Domain* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_DnsClient/DNS_DomainNameDevolutionLevel** - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DNS_Domain | +| Friendly Name | Connection-specific DNS suffix | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| ADMX File Name | DnsClient.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## DNS_DomainNameDevolutionLevel - - -This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_DomainNameDevolutionLevel +``` + + + + +Specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. -Devolution isn't enabled if a global suffix search list is configured using Group Policy. +Devolution is not enabled if a global suffix search list is configured using Group Policy. -If a global suffix search list isn't configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: - -- The primary DNS suffix, as specified on the Computer Name tab of the System control panel. -- Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection. - -For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. 
- -If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. - -For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two. - -If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify. - -If you disable this policy setting or don't configure it, DNS clients use the default devolution level of two if DNS devolution is enabled. - - - - - -ADMX Info: -- GP Friendly name: *Primary DNS suffix devolution level* -- GP name: *DNS_DomainNameDevolutionLevel* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_IdnEncoding** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. - -If this policy setting is enabled, IDNs aren't converted to Punycode. - -If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. - - - - - -ADMX Info: -- GP Friendly name: *Turn off IDN encoding* -- GP name: *DNS_IdnEncoding* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_IdnMapping** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. - -If this policy setting is enabled, IDNs are converted to the Nameprep form. - -If this policy setting is disabled, or if this policy setting isn't configured, IDNs aren't converted to the Nameprep form. - - - - - -ADMX Info: -- GP Friendly name: *IDN mapping* -- GP name: *DNS_IdnMapping* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_NameServer** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. - -To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. - -If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting. - -If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. - - - - - -ADMX Info: -- GP Friendly name: *DNS servers* -- GP name: *DNS_NameServer* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). - -If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. - -If you disable this policy setting, or if you don't configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order. - -> [!NOTE] -> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. - - - - -ADMX Info: -- GP Friendly name: *Prefer link local responses over DNS when received over a network with higher precedence* -- GP name: *DNS_PreferLocalResponsesOverLowerOrderDns* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - - -
    - - -**ADMX_DnsClient/DNS_PrimaryDnsSuffix** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. - -To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. - -> [!IMPORTANT] -> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows. - -If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel. - -You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix. - -If you disable this policy setting, or if you don't configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined. - - - - -ADMX Info: -- GP Friendly name: *Primary DNS suffix* -- GP name: *DNS_PrimaryDnsSuffix* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_RegisterAdapterName** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. - -By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. - -If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This suffix-update applies to all network connections used by computers that receive this policy setting. - -For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled. - ->[!Important] -> This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled. - -If you disable this policy setting, or if you don't configure this policy setting, a DNS client computer won't register any A and PTR resource records using a connection-specific DNS suffix. - - - - -ADMX Info: -- GP Friendly name: *Register DNS records with connection-specific DNS suffix* -- GP name: *DNS_RegisterAdapterName* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_RegisterReverseLookup** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies if DNS client computers will register PTR resource records. - -By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. - -If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records. - -To use this policy setting, click Enabled, and then select one of the following options from the drop-down list: - -- Do not register: Computers won't attempt to register PTR resource records -- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful. -- Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful. - -If you disable this policy setting, or if you don't configure this policy setting, computers will use locally configured settings. - - - - -ADMX Info: -- GP Friendly name: *Register PTR records* -- GP name: *DNS_RegisterReverseLookup* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_RegistrationEnabled** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. - -If you enable this policy setting, or you don't configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. - -If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. - - - - - -ADMX Info: -- GP Friendly name: *Dynamic update* -- GP name: *DNS_RegistrationEnabled* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_RegistrationOverwritesInConflict** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. - -This policy setting is designed for computers that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other computers. - -During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing (A) resource record with an (A) resource record that has the client's current IP address. - -If you enable this policy setting or if you don't configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting (A) resource records during dynamic update. - -If you disable this policy setting, existing (A) resource records that contain conflicting IP addresses won't be replaced during a dynamic update, and an error will be recorded in Event Viewer. - - - - - -ADMX Info: -- GP Friendly name: *Replace addresses in conflicts* -- GP name: *DNS_RegistrationOverwritesInConflict* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_RegistrationRefreshInterval** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. - -Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records. - -> [!WARNING] -> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records. - -To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes. - -If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting. - -If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. - - - - - -ADMX Info: -- GP Friendly name: *Registration refresh interval* -- GP name: *DNS_RegistrationRefreshInterval* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
-
-
-**ADMX_DnsClient/DNS_RegistrationTtl**
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied.
-
-To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes).
-
-If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting.
-
-If you disable this policy setting, or if you don't configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *TTL value for A and PTR records*
-- GP name: *DNS_RegistrationTtl*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_SearchList**
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name.
-
-An unqualified single-label name contains no dots. The name "example" is a single-label name. This name is different from a fully qualified domain name such as "example.microsoft.com."
-
-Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com."
-
-To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes.
-
-If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried.
-
-If you disable this policy setting, or if you don't configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *DNS suffix search list*
-- GP name: *DNS_SearchList*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_SmartMultiHomedNameResolution**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. If multiple positive responses are received, the network binding order is used to determine which response to accept.
-
-If you enable this policy setting, the DNS client won't perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail.
-
-If you disable this policy setting, or if you don't configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Turn off smart multi-homed name resolution*
-- GP name: *DNS_SmartMultiHomedNameResolution*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_SmartProtocolReorder**
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).
-
-If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks.
-
-If you disable this policy setting, or if you don't configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks.
-
-> [!NOTE]
-> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Turn off smart protocol reordering*
-- GP name: *DNS_SmartProtocolReorder*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_UpdateSecurityLevel**
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting specifies the security level for dynamic DNS updates.
-
-To use this policy setting, click Enabled and then select one of the following values:
-
-- Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused.
-- Only unsecure - computers send only nonsecure dynamic updates.
-- Only secure - computers send only secure dynamic updates.
-
-If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
-
-If you disable this policy setting, or if you don't configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Update security level*
-- GP name: *DNS_UpdateSecurityLevel*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_UpdateTopLevelDomainZones**
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com."
-
-By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone.
-
-If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone.
-
-If you disable this policy setting, or if you don't configure this policy setting, computers don't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Update top level domain zones*
-- GP name: *DNS_UpdateTopLevelDomainZones*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_UseDomainNameDevolution**
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process.
-
-With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name.
-
-The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.
-
-Devolution isn't enabled if a global suffix search list is configured using Group Policy.
-
-If a global suffix search list isn't configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
+If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
 The primary DNS suffix, as specified on the Computer Name tab of the System control panel.
@@ -1158,78 +247,1211 @@ Each connection-specific DNS suffix, assigned either through DHCP or specified i For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. -If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. +If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. -For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. 
The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two. +For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two. -If you enable this policy setting, or if you don't configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix. +- If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify. -If you disable this policy setting, DNS clients don't attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. +- If this policy setting is disabled, or if this policy setting is not configured, DNS clients use the default devolution level of two provided that DNS devolution is enabled. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Primary DNS suffix devolution* -- GP name: *DNS_UseDomainNameDevolution* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_DnsClient/Turn_Off_Multicast** - +| Name | Value | +|:--|:--| +| Name | DNS_DomainNameDevolutionLevel | +| Friendly Name | Primary DNS suffix devolution level | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | EnableDevolutionLevelControl | +| ADMX File Name | DnsClient.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DNS_IdnEncoding -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_IdnEncoding +``` + - - -This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. + + +Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. -LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible. +- If this policy setting is enabled, IDNs are not converted to Punycode. -If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer. +- If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. + -If you disable this policy setting, or you don't configure this policy setting, LLMNR will be enabled on all available network adapters. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Turn off multicast name resolution* -- GP name: *Turn_Off_Multicast* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- - +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DNS_IdnEncoding | +| Friendly Name | Turn off IDN encoding | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | DisableIdnEncoding | +| ADMX File Name | DnsClient.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + +## DNS_IdnMapping + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_IdnMapping +``` + + + + +Specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. + +- If this policy setting is enabled, IDNs are converted to the Nameprep form. + +- If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_IdnMapping | +| Friendly Name | IDN mapping | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | EnableIdnMapping | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_NameServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_NameServer +``` + + + + +Defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. + +To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. + +- If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting. + +- If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_NameServer | +| Friendly Name | DNS servers | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_PreferLocalResponsesOverLowerOrderDns + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns +``` + + + + +Specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). + +- If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. + +- If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order. + +> [!NOTE] +> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_PreferLocalResponsesOverLowerOrderDns | +| Friendly Name | Prefer link local responses over DNS when received over a network with higher precedence | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | PreferLocalOverLowerBindingDNS | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_PrimaryDnsSuffix + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_PrimaryDnsSuffix +``` + + + + +Specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. + +To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. + +> [!IMPORTANT] +> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows. + +- If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel. + +You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix. + +- If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_PrimaryDnsSuffix | +| Friendly Name | Primary DNS suffix | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\System\DNSClient | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_RegisterAdapterName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegisterAdapterName +``` + + + + +Specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. + +By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. + +- If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting. + +For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled. + +> [!IMPORTANT] +> This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled. + +- If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_RegisterAdapterName | +| Friendly Name | Register DNS records with connection-specific DNS suffix | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | RegisterAdapterName | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_RegisterReverseLookup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegisterReverseLookup +``` + + + + +Specifies if DNS client computers will register PTR resource records. + +By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. + +- If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records. + +To use this policy setting, click Enabled, and then select one of the following options from the drop-down list: + +Do not register: Computers will not attempt to register PTR resource records. + +Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records was not successful. + +Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful. + +- If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_RegisterReverseLookup | +| Friendly Name | Register PTR records | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_RegistrationEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegistrationEnabled +``` + + + + +Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. + +- If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. + +- If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_RegistrationEnabled | +| Friendly Name | Dynamic update | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | RegistrationEnabled | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_RegistrationOverwritesInConflict + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegistrationOverwritesInConflict +``` + + + + +Specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. + +This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers. + +During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address. + +- If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update. + +- If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_RegistrationOverwritesInConflict | +| Friendly Name | Replace addresses in conflicts | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | RegistrationOverwritesInConflict | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_RegistrationRefreshInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegistrationRefreshInterval +``` + + + + +Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. + +Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. + +> [!WARNING] +> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records. + +To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes. + +- If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting. + +- If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. 
+ + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_RegistrationRefreshInterval | +| Friendly Name | Registration refresh interval | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_RegistrationTtl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegistrationTtl +``` + + + + +Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. + +To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). + +- If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting. + +- If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_RegistrationTtl | +| Friendly Name | TTL value for A and PTR records | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_SearchList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_SearchList +``` + + + + +Specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. + +An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." + +Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com." + +To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes. + +- If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried. + +- If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_SearchList | +| Friendly Name | DNS suffix search list | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_SmartMultiHomedNameResolution + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_SmartMultiHomedNameResolution +``` + + + + +Specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. + +- If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. + +- If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_SmartMultiHomedNameResolution | +| Friendly Name | Turn off smart multi-homed name resolution | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | DisableSmartNameResolution | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_SmartProtocolReorder + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_SmartProtocolReorder +``` + + + + +Specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). + +- If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. + +- If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks. + +> [!NOTE] +> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_SmartProtocolReorder | +| Friendly Name | Turn off smart protocol reordering | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | DisableSmartProtocolReordering | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_UpdateSecurityLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_UpdateSecurityLevel +``` + + + + +Specifies the security level for dynamic DNS updates. + +To use this policy setting, click Enabled and then select one of the following values: + +Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused. + +Only unsecure - computers send only nonsecure dynamic updates. + +Only secure - computers send only secure dynamic updates. + +- If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting. + +- If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_UpdateSecurityLevel | +| Friendly Name | Update security level | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_UpdateTopLevelDomainZones + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_UpdateTopLevelDomainZones +``` + + + + +Specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." + +By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. + +- If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone. + +- If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_UpdateTopLevelDomainZones | +| Friendly Name | Update top level domain zones | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | UpdateTopLevelDomainZones | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_UseDomainNameDevolution + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_UseDomainNameDevolution +``` + + + + +Specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. + +With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. + +The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. + +Devolution is not enabled if a global suffix search list is configured using Group Policy. + +If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: + +The primary DNS suffix, as specified on the Computer Name tab of the System control panel. + +Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection. + +For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. + +If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. 
If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. + +For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two. + +- If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix. + +- If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_UseDomainNameDevolution | +| Friendly Name | Primary DNS suffix devolution | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | UseDomainNameDevolution | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## Turn_Off_Multicast + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/Turn_Off_Multicast +``` + + + + +Specifies that link local multicast name resolution (LLMNR) is disabled on client computers. + +LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. + +- If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer. + +- If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Turn_Off_Multicast | +| Friendly Name | Turn off multicast name resolution | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | EnableMulticast | +| ADMX File Name | DnsClient.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index 0d52811a07..eccb350bf2 100644 
--- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -1,354 +1,412 @@ --- -title: Policy CSP - ADMX_DWM -description: Learn about Policy CSP - ADMX_DWM. +title: ADMX_DWM Policy CSP +description: Learn more about the ADMX_DWM Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/31/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DWM > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DWM policies + +## DwmDefaultColorizationColor_1 -
    -
    - ADMX_DWM/DwmDefaultColorizationColor_1 -
    -
    - ADMX_DWM/DwmDefaultColorizationColor_2 -
    -
    - ADMX_DWM/DwmDisallowAnimations_1 -
    -
    - ADMX_DWM/DwmDisallowAnimations_2 -
    -
    - ADMX_DWM/DwmDisallowColorizationColorChanges_1 -
    -
    - ADMX_DWM/DwmDisallowColorizationColorChanges_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDefaultColorizationColor_1 +``` + -
    + + +This policy setting controls the default color for window frames when the user does not specify a color. - -**ADMX_DWM/DwmDefaultColorizationColor_1** +- If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting controls the default color for window frames when the user doesn't specify a color. - -If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user doesn't specify a color. - -If you disable or don't configure this policy setting, the default internal color is used, if the user doesn't specify a color. +- If you disable or do not configure this policy setting, the default internal color is used, if the user does not specify a color. > [!NOTE] > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. + - + + + - -ADMX Info: -- GP Friendly name: *Specify a default color* -- GP name: *DwmDefaultColorizationColor_1* -- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring* -- GP ADMX file name: *DWM.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_DWM/DwmDefaultColorizationColor_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DwmDefaultColorizationColor_1 | +| Friendly Name | Specify a default color | +| Location | User Configuration | +| Path | Windows Components > Desktop Window Manager > Window Frame Coloring | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | +| Registry Value Name | DefaultColorizationColorState | +| ADMX File Name | DWM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DwmDefaultColorizationColor_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDefaultColorizationColor_2 +``` + - - -This policy setting controls the default color for window frames when the user doesn't specify a color. + + +This policy setting controls the default color for window frames when the user does not specify a color. -If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user doesn't specify a color. +- If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. -If you disable or don't configure this policy setting, the default internal color is used, if the user doesn't specify a color. +- If you disable or do not configure this policy setting, the default internal color is used, if the user does not specify a color. > [!NOTE] > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify a default color* -- GP name: *DwmDefaultColorizationColor_2* -- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring* -- GP ADMX file name: *DWM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_DWM/DwmDisallowAnimations_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DwmDefaultColorizationColor_2 | +| Friendly Name | Specify a default color | +| Location | Computer Configuration | +| Path | Windows Components > Desktop Window Manager > Window Frame Coloring | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | +| Registry Value Name | DefaultColorizationColorState | +| ADMX File Name | DWM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DwmDisallowAnimations_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDisallowAnimations_1 +``` + - - + + This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. -If you enable this policy setting, window animations are turned off. +- If you enable this policy setting, window animations are turned off. -If you disable or don't configure this policy setting, window animations are turned on. +- If you disable or do not configure this policy setting, window animations are turned on. -Changing this policy setting requires a sign out for it to be applied. +Changing this policy setting requires a logoff for it to be applied. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not allow window animations* -- GP name: *DwmDisallowAnimations_1* -- GP path: *Windows Components/Desktop Window Manager* -- GP ADMX file name: *DWM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_DWM/DwmDisallowAnimations_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DwmDisallowAnimations_1 | +| Friendly Name | Do not allow window animations | +| Location | User Configuration | +| Path | Windows Components > Desktop Window Manager | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | +| Registry Value Name | DisallowAnimations | +| ADMX File Name | DWM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DwmDisallowAnimations_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDisallowAnimations_2 +``` + - - + + This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. -If you enable this policy setting, window animations are turned off. +- If you enable this policy setting, window animations are turned off. -If you disable or don't configure this policy setting, window animations are turned on. +- If you disable or do not configure this policy setting, window animations are turned on. -Changing this policy setting requires out a sign for it to be applied. +Changing this policy setting requires a logoff for it to be applied. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not allow window animations* -- GP name: *DwmDisallowAnimations_2* -- GP path: *Windows Components/Desktop Window Manager* -- GP ADMX file name: *DWM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_DWM/DwmDisallowColorizationColorChanges_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DwmDisallowAnimations_2 | +| Friendly Name | Do not allow window animations | +| Location | Computer Configuration | +| Path | Windows Components > Desktop Window Manager | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | +| Registry Value Name | DisallowAnimations | +| ADMX File Name | DWM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DwmDisallowColorizationColorChanges_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDisallowColorizationColorChanges_1 +``` + - - + + This policy setting controls the ability to change the color of window frames. -If you enable this policy setting, you prevent users from changing the default window frame color. +- If you enable this policy setting, you prevent users from changing the default window frame color. -If you disable or don't configure this policy setting, you allow users to change the default window frame color. +- If you disable or do not configure this policy setting, you allow users to change the default window frame color. > [!NOTE] > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not allow color changes* -- GP name: *DwmDisallowColorizationColorChanges_1* -- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring* -- GP ADMX file name: *DWM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_DWM/DwmDisallowColorizationColorChanges_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DwmDisallowColorizationColorChanges_1 | +| Friendly Name | Do not allow color changes | +| Location | User Configuration | +| Path | Windows Components > Desktop Window Manager > Window Frame Coloring | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | +| Registry Value Name | DisallowColorizationColorChanges | +| ADMX File Name | DWM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DwmDisallowColorizationColorChanges_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDisallowColorizationColorChanges_2 +``` + - - + + This policy setting controls the ability to change the color of window frames. -If you enable this policy setting, you prevent users from changing the default window frame color. +- If you enable this policy setting, you prevent users from changing the default window frame color. -If you disable or don't configure this policy setting, you allow users to change the default window frame color. +- If you disable or do not configure this policy setting, you allow users to change the default window frame color. > [!NOTE] > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow color changes* -- GP name: *DwmDisallowColorizationColorChanges_2* -- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring* -- GP ADMX file name: *DWM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | DwmDisallowColorizationColorChanges_2 | +| Friendly Name | Do not allow color changes | +| Location | Computer Configuration | +| Path | Windows Components > Desktop Window Manager > Window Frame Coloring | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | +| Registry Value Name | DisallowColorizationColorChanges | +| ADMX File Name | DWM.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 4463e3732f..3592fb1a73 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md 
@@ -1,577 +1,647 @@
 ---
-title: Policy CSP - ADMX_EAIME
-description: Learn about the Policy CSP - ADMX_EAIME.
+title: ADMX_EAIME Policy CSP
+description: Learn more about the ADMX_EAIME Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/09/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 11/19/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - ADMX_EAIME
 > [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
    + + + - -## ADMX_EAIME policies + +## L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList -
    -
    - ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList -
    -
    - ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion -
    -
    - ADMX_EAIME/L_TurnOffCustomDictionary -
    -
    - ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput -
    -
    - ADMX_EAIME/L_TurnOffInternetSearchIntegration -
    -
    - ADMX_EAIME/L_TurnOffOpenExtendedDictionary -
    -
    - ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile -
    -
    - ADMX_EAIME/L_TurnOnCloudCandidate -
    -
    - ADMX_EAIME/L_TurnOnCloudCandidateCHS -
    -
    - ADMX_EAIME/L_TurnOnLexiconUpdate -
    -
    - ADMX_EAIME/L_TurnOnLiveStickers -
    -
    - ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList +``` + -
    - - -**ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. -If you enable this policy setting, Non-Publishing Standard Glyph isn't included in the candidate list when Publishing Standard Glyph for the word exists. +- If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists. -If you disable or don't configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list. +- If you disable or do not configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list. This policy setting applies to Japanese Microsoft IME only. > [!NOTE] > Changes to this setting will not take effect until the user logs off. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not include Non-Publishing Standard Glyph in the candidate list* -- GP name: *L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList | +| Friendly Name | Do not include Non-Publishing Standard Glyph in the candidate list | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\imejp | +| Registry Value Name | ShowOnlyPublishingStandardGlyph | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_RestrictCharacterCodeRangeOfConversion -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion +``` + - - + + This policy setting allows you to restrict character code range of conversion by setting character filter. -If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values: +- If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values: -- 0x0001 // JIS208 area -- 0x0002 // NEC special char code -- 0x0004 // NEC selected IBM extended code -- 0x0008 // IBM extended code -- 0x0010 // Half width katakana code -- 0x0100 // EUDC(GAIJI) -- 0x0200 // S-JIS unmapped area -- 0x0400 // Unicode char -- 0x0800 // surrogate char -- 0x1000 // IVS char -- 0xFFFF // no definition. +0x0001 // JIS208 area +0x0002 // NEC special char code +0x0004 // NEC selected IBM extended code +0x0008 // IBM extended code +0x0010 // Half width katakana code +0x0100 // EUDC(GAIJI) +0x0200 // S-JIS unmapped area +0x0400 // Unicode char +0x0800 // surrogate char +0x1000 // IVS char +0xFFFF // no definition. -If you disable or don't configure this policy setting, no range of characters are filtered by default. +- If you disable or do not configure this policy setting, no range of characters are filtered by default. This policy setting applies to Japanese Microsoft IME only. > [!NOTE] > Changes to this setting will not take effect until the user logs off. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Restrict character code range of conversion* -- GP name: *L_RestrictCharacterCodeRangeOfConversion* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_EAIME/L_TurnOffCustomDictionary** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_RestrictCharacterCodeRangeOfConversion | +| Friendly Name | Restrict character code range of conversion | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\imejp | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_TurnOffCustomDictionary -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOffCustomDictionary +``` + - - + + This policy setting allows you to turn off the ability to use a custom dictionary. -If you enable this policy setting, you can't add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. +- If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. -If you disable or don't configure this policy setting, the custom dictionary can be used by default. +- If you disable or do not configure this policy setting, the custom dictionary can be used by default. -For Japanese Microsoft IME, [Clear auto-tuning information] works, even if this policy setting is enabled, and it clears self-tuned words from the custom dictionary. +[Clear auto-tuning information] removes self-tuned words from the custom dictionary, even if a group policy setting is turned on. To do this, select Settings > Time & Language > Japanese Options > Microsoft IME Options. If compatibility mode is turned on, select Advanced options > Dictionary/Auto-tuning > [Clear auto-tuning information]. + +[Clear input history] removes self-tuned words from the custom dictionary, even if a group policy setting is turned on. To do this, select Settings > Time & Language > Japanese Options > Microsoft IME Options > Learning and Dictionary > [Clear input history]. This policy setting is applied to Japanese Microsoft IME. > [!NOTE] > Changes to this setting will not take effect until the user logs off. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off custom dictionary* -- GP name: *L_TurnOffCustomDictionary* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_TurnOffCustomDictionary | +| Friendly Name | Turn off custom dictionary | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\shared | +| Registry Value Name | UserDict | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_TurnOffHistorybasedPredictiveInput -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput +``` + - - + + This policy setting allows you to turn off history-based predictive input. -If you enable this policy setting, history-based predictive input is turned off. +- If you enable this policy setting, history-based predictive input is turned off. -If you disable or don't configure this policy setting, history-based predictive input is on by default. +- If you disable or do not configure this policy setting, history-based predictive input is on by default. This policy setting applies to Japanese Microsoft IME only. > [!NOTE] > Changes to this setting will not take effect until the user logs off. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off history-based predictive input* -- GP name: *L_TurnOffHistorybasedPredictiveInput* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EAIME/L_TurnOffInternetSearchIntegration** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | L_TurnOffHistorybasedPredictiveInput | +| Friendly Name | Turn off history-based predictive input | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\imejp | +| Registry Value Name | UseHistorybasedPredictiveInput | +| ADMX File Name | EAIME.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## L_TurnOffInternetSearchIntegration -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOffInternetSearchIntegration +``` + + + + This policy setting allows you to turn off Internet search integration. -Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME. +Search integration includes both using Search Provider (Japanese Microsoft IME) and performing bing search from predictive input for Japanese Microsoft IME. -If you enable this policy setting, you can't use search integration. +- If you enable this policy setting, you cannot use search integration. -If you disable or don't configure this policy setting, the search integration function can be used by default. +- If you disable or do not configure this policy setting, the search integration function can be used by default. This policy setting applies to Japanese Microsoft IME. > [!NOTE] > Changes to this setting will not take effect until the user logs off. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Internet search integration* -- GP name: *L_TurnOffInternetSearchIntegration* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_EAIME/L_TurnOffOpenExtendedDictionary** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_TurnOffInternetSearchIntegration | +| Friendly Name | Turn off Internet search integration | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\shared | +| Registry Value Name | SearchPlugin | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_TurnOffOpenExtendedDictionary -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOffOpenExtendedDictionary +``` + - - + + This policy setting allows you to turn off Open Extended Dictionary. -If you enable this policy setting, Open Extended Dictionary is turned off. You can't add a new Open Extended Dictionary. +- If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. -For Japanese Microsoft IME, an Open Extended Dictionary that is added before enabling this policy setting isn't used for conversion. +For Japanese Microsoft IME, an Open Extended Dictionary that is added before enabling this policy setting is not used for conversion. -If you disable or don't configure this policy setting, Open Extended Dictionary can be added and used by default. +- If you disable or do not configure this policy setting, Open Extended Dictionary can be added and used by default. This policy setting is applied to Japanese Microsoft IME. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Open Extended Dictionary* -- GP name: *L_TurnOffOpenExtendedDictionary* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_TurnOffOpenExtendedDictionary | +| Friendly Name | Turn off Open Extended Dictionary | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\shared | +| Registry Value Name | OpenExtendedDict | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_TurnOffSavingAutoTuningDataToFile -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile +``` + - - + + This policy setting allows you to turn off saving the auto-tuning result to file. -If you enable this policy setting, the auto-tuning data isn't saved to file. +- If you enable this policy setting, the auto-tuning data is not saved to file. -If you disable or don't configure this policy setting, auto-tuning data is saved to file by default. +- If you disable or do not configure this policy setting, auto-tuning data is saved to file by default. This policy setting applies to Japanese Microsoft IME only. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off saving auto-tuning data to file* -- GP name: *L_TurnOffSavingAutoTuningDataToFile* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_EAIME/L_TurnOnCloudCandidate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_TurnOffSavingAutoTuningDataToFile | +| Friendly Name | Turn off saving auto-tuning data to file | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\imejp | +| Registry Value Name | SaveAutoTuneDataToFile | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_TurnOnCloudCandidate -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOnCloudCandidate +``` + - - + + This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. -If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. +- If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. -If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. +- If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. -If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. +- If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on cloud candidate* -- GP name: *L_TurnOnCloudCandidate* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_EAIME/L_TurnOnCloudCandidateCHS** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_TurnOnCloudCandidate | +| Friendly Name | Turn on cloud candidate | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | Software\Policies\Microsoft\InputMethod\Settings\Shared | +| Registry Value Name | Enable Cloud Candidate | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_TurnOnCloudCandidateCHS -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOnCloudCandidateCHS +``` + - - + + This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. -If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. +- If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. -If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. +- If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. -If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. +- If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. This Policy setting applies only to Microsoft CHS Pinyin IME. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on cloud candidate for CHS* -- GP name: *L_TurnOnCloudCandidateCHS* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_EAIME/L_TurnOnLexiconUpdate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_TurnOnCloudCandidateCHS | +| Friendly Name | Turn on cloud candidate for CHS | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | Software\Policies\Microsoft\InputMethod\Settings\CHS | +| Registry Value Name | Enable Cloud Candidate | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_TurnOnLexiconUpdate -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOnLexiconUpdate +``` + - - + + + + + + This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. If you enable this policy setting, the functionality associated with this feature is turned on, hot and popular words lexicon can be downloaded to local PC, the user is able to turn it on or off in settings. @@ -581,48 +651,57 @@ If you disable this policy setting, the functionality associated with this featu If you don't configure this policy setting, it will be turned on by default, and the user can turn on and turn off the lexicon update feature. This Policy setting applies only to Microsoft CHS Pinyin IME. + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Turn on lexicon update* -- GP name: *L_TurnOnLexiconUpdate* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_EAIME/L_TurnOnLiveStickers** +| Name | Value | +|:--|:--| +| Name | L_TurnOnLexiconUpdate | +| ADMX File Name | EAIME.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## L_TurnOnLiveStickers - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOnLiveStickers +``` + -
    + + + - - + + This policy setting controls the live sticker feature, which uses an online service to provide stickers online. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the live stickers, and the user won't be able to turn it off. @@ -632,72 +711,104 @@ If you disable this policy setting, the functionality associated with this featu If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the live sticker feature. This Policy setting applies only to Microsoft CHS Pinyin IME. + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Turn on Live Sticker* -- GP name: *L_TurnOnLiveStickers* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport** +| Name | Value | +|:--|:--| +| Name | L_TurnOnLiveStickers | +| ADMX File Name | EAIME.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## L_TurnOnMisconversionLoggingForMisconversionReport - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport +``` + -
    - - - + + This policy setting allows you to turn on logging of misconversion for the misconversion report. -If you enable this policy setting, misconversion logging is turned on. +- If you enable this policy setting, misconversion logging is turned on. -If you disable or don't configure this policy setting, misconversion logging is turned off. +- If you disable or do not configure this policy setting, misconversion logging is turned off. This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on misconversion logging for misconversion report* -- GP name: *L_TurnOnMisconversionLoggingForMisconversionReport* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | L_TurnOnMisconversionLoggingForMisconversionReport | +| Friendly Name | Turn on misconversion logging for misconversion report | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\shared | +| Registry Value Name | misconvlogging | +| ADMX File Name | EAIME.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index 3e68fe88f8..0c9580b962 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md 
@@ -1,92 +1,98 @@ --- -title: Policy CSP - ADMX_EncryptFilesonMove -description: Learn about the Policy CSP - ADMX_EncryptFilesonMove. +title: ADMX_EncryptFilesonMove Policy CSP +description: Learn more about the ADMX_EncryptFilesonMove Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/02/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_EncryptFilesonMove > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_EncryptFilesonMove policies + +## NoEncryptOnMove -
    -
    - ADMX_EncryptFilesonMove/NoEncryptOnMove -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EncryptFilesonMove/NoEncryptOnMove +``` + -
    - - -**ADMX_EncryptFilesonMove/NoEncryptOnMove** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. -If you enable this policy setting, File Explorer won't automatically encrypt files that are moved to an encrypted folder. +- If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder. -If you disable or don't configure this policy setting, File Explorer automatically encrypts files that are moved to an encrypted folder. +- If you disable or do not configure this policy setting, File Explorer automatically encrypts files that are moved to an encrypted folder. This setting applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, File Explorer encrypts those files automatically. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not automatically encrypt files moved to encrypted folders* -- GP name: *NoEncryptOnMove* -- GP path: *System* -- GP ADMX file name: *EncryptFilesonMove.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoEncryptOnMove | +| Friendly Name | Do not automatically encrypt files moved to encrypted folders | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoEncryptOnMove | +| ADMX File Name | EncryptFilesonMove.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md index c8a720e1e6..72b2d0f856 100644 --- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md 
@@ -1,336 +1,398 @@ --- -title: Policy CSP - ADMX_EnhancedStorage -description: Learn about the Policy CSP - ADMX_EnhancedStorage. +title: ADMX_EnhancedStorage Policy CSP +description: Learn more about the ADMX_EnhancedStorage Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/23/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_EnhancedStorage > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_EnhancedStorage policies + +## ApprovedEnStorDevices -
    -
    - ADMX_EnhancedStorage/ApprovedEnStorDevices -
    -
    - ADMX_EnhancedStorage/ApprovedSilos -
    -
    - ADMX_EnhancedStorage/DisablePasswordAuthentication -
    -
    - ADMX_EnhancedStorage/DisallowLegacyDiskDevices -
    -
    - ADMX_EnhancedStorage/LockDeviceOnMachineLock -
    -
    - ADMX_EnhancedStorage/RootHubConnectedEnStorDevices -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EnhancedStorage/ApprovedEnStorDevices +``` + -
    + + +This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. - -**ADMX_EnhancedStorage/ApprovedEnStorDevices** +- If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. - +- If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - - -This policy setting allows you to configure a list of Enhanced Storage devices that contain a manufacturer and product ID that are usable on your computer. +| Name | Value | +|:--|:--| +| Name | ApprovedEnStorDevices | +| Friendly Name | Configure list of Enhanced Storage devices usable on your computer | +| Location | Computer Configuration | +| Path | System > Enhanced Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\EnhancedStorageDevices\ApprovedEnStorDevices | +| Registry Value Name | PolicyEnabled | +| ADMX File Name | EnhancedStorage.admx | + -If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. + + + -If you disable or don't configure this policy setting, all Enhanced Storage devices are usable on your computer. + - + +## ApprovedSilos - -ADMX Info: -- GP Friendly name: *Configure list of Enhanced Storage devices usable on your computer* -- GP name: *ApprovedEnStorDevices* -- GP path: *System\Enhanced Storage Access* -- GP ADMX file name: *EnhancedStorage.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EnhancedStorage/ApprovedSilos +``` + - -**ADMX_EnhancedStorage/ApprovedSilos** + + +This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. - +- If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that is usable on your computer. +**ADMX mapping**: -If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. +| Name | Value | +|:--|:--| +| Name | ApprovedSilos | +| Friendly Name | Configure list of IEEE 1667 silos usable on your computer | +| Location | Computer Configuration | +| Path | System > Enhanced Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\EnhancedStorageDevices\ApprovedSilos | +| Registry Value Name | SiloAllowListPolicy | +| ADMX File Name | EnhancedStorage.admx | + -If you disable or don't configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. + + + - + - -ADMX Info: -- GP Friendly name: *Configure list of IEEE 1667 silos usable on your computer* -- GP name: *ApprovedSilos* -- GP path: *System\Enhanced Storage Access* -- GP ADMX file name: *EnhancedStorage.admx* + +## DisablePasswordAuthentication - - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_EnhancedStorage/DisablePasswordAuthentication** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EnhancedStorage/DisablePasswordAuthentication +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. -If you enable this policy setting, a password can't be used to unlock an Enhanced Storage device. +- If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. -If you disable or don't configure this policy setting, a password can be used to unlock an Enhanced Storage device. +- If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow password authentication of Enhanced Storage devices* -- GP name: *DisablePasswordAuthentication* -- GP path: *System\Enhanced Storage Access* -- GP ADMX file name: *EnhancedStorage.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EnhancedStorage/DisallowLegacyDiskDevices** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisablePasswordAuthentication | +| Friendly Name | Do not allow password authentication of Enhanced Storage devices | +| Location | Computer Configuration | +| Path | System > Enhanced Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\EnhancedStorageDevices | +| Registry Value Name | DisablePasswordAuthentication | +| ADMX File Name | EnhancedStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DisallowLegacyDiskDevices -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EnhancedStorage/DisallowLegacyDiskDevices +``` + + + + This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. -If you enable this policy setting, non-Enhanced Storage removable devices aren't allowed on your computer. +- If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. -If you disable or don't configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. +- If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow non-Enhanced Storage removable devices* -- GP name: *DisallowLegacyDiskDevices* -- GP path: *System\Enhanced Storage Access* -- GP ADMX file name: *EnhancedStorage.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EnhancedStorage/LockDeviceOnMachineLock** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisallowLegacyDiskDevices | +| Friendly Name | Do not allow non-Enhanced Storage removable devices | +| Location | Computer Configuration | +| Path | System > Enhanced Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\EnhancedStorageDevices | +| Registry Value Name | DisallowLegacyDiskDevices | +| ADMX File Name | EnhancedStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LockDeviceOnMachineLock -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EnhancedStorage/LockDeviceOnMachineLock +``` + + + + This policy setting locks Enhanced Storage devices when the computer is locked. ->[!Note] ->This policy setting is supported in Windows Server SKUs only. +This policy setting is supported in Windows Server SKUs only. -If you enable this policy setting, the Enhanced Storage device remains locked when the computer is locked. +- If you enable this policy setting, the Enhanced Storage device remains locked when the computer is locked. -If you disable or don't configure this policy setting, the Enhanced Storage device state isn't changed when the computer is locked. +- If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked. + - + + + - -ADMX Info: -- GP Friendly name: *Lock Enhanced Storage when the computer is locked* -- GP name: *LockDeviceOnMachineLock* -- GP path: *System\Enhanced Storage Access* -- GP ADMX file name: *EnhancedStorage.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EnhancedStorage/RootHubConnectedEnStorDevices** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LockDeviceOnMachineLock | +| Friendly Name | Lock Enhanced Storage when the computer is locked | +| Location | Computer Configuration | +| Path | System > Enhanced Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\EnhancedStorageDevices | +| Registry Value Name | LockDeviceOnMachineLock | +| ADMX File Name | EnhancedStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## RootHubConnectedEnStorDevices -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EnhancedStorage/RootHubConnectedEnStorDevices +``` + + + + This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. -If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed. +- If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed. -If you disable or don't configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. +- If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. + - + + + - -ADMX Info: -- GP Friendly name: *Allow only USB root hub connected Enhanced Storage devices* -- GP name: *RootHubConnectedEnStorDevices* -- GP path: *System\Enhanced Storage Access* -- GP ADMX file name: *EnhancedStorage.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | RootHubConnectedEnStorDevices | +| Friendly Name | Allow only USB root hub connected Enhanced Storage devices | +| Location | Computer Configuration | +| Path | System > Enhanced Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\EnhancedStorageDevices | +| Registry Value Name | RootHubConnectedEnStorDevices | +| ADMX File Name | EnhancedStorage.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index 3eb7a233ee..600645f1cf 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -1,1519 +1,1840 @@ --- -title: Policy CSP - ADMX_ErrorReporting -description: Learn about the Policy CSP - ADMX_ErrorReporting. +title: ADMX_ErrorReporting Policy CSP +description: Learn more about the ADMX_ErrorReporting Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/23/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_ErrorReporting -
    - - -## ADMX_ErrorReporting policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_ErrorReporting/PCH_AllOrNoneDef -
    -
    - ADMX_ErrorReporting/PCH_AllOrNoneEx -
    -
    - ADMX_ErrorReporting/PCH_AllOrNoneInc -
    -
    - ADMX_ErrorReporting/PCH_ConfigureReport -
    -
    - ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults -
    -
    - ADMX_ErrorReporting/WerArchive_1 -
    -
    - ADMX_ErrorReporting/WerArchive_2 -
    -
    - ADMX_ErrorReporting/WerAutoApproveOSDumps_1 -
    -
    - ADMX_ErrorReporting/WerAutoApproveOSDumps_2 -
    -
    - ADMX_ErrorReporting/WerBypassDataThrottling_1 -
    -
    - ADMX_ErrorReporting/WerBypassDataThrottling_2 -
    -
    - ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1 -
    -
    - ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2 -
    -
    - ADMX_ErrorReporting/WerBypassPowerThrottling_1 -
    -
    - ADMX_ErrorReporting/WerBypassPowerThrottling_2 -
    -
    - ADMX_ErrorReporting/WerCER -
    -
    - ADMX_ErrorReporting/WerConsentCustomize_1 -
    -
    - ADMX_ErrorReporting/WerConsentOverride_1 -
    -
    - ADMX_ErrorReporting/WerConsentOverride_2 -
    -
    - ADMX_ErrorReporting/WerDefaultConsent_1 -
    -
    - ADMX_ErrorReporting/WerDefaultConsent_2 -
    -
    - ADMX_ErrorReporting/WerDisable_1 -
    -
    - ADMX_ErrorReporting/WerExlusion_1 -
    -
    - ADMX_ErrorReporting/WerExlusion_2 -
    -
    - ADMX_ErrorReporting/WerNoLogging_1 -
    -
    - ADMX_ErrorReporting/WerNoLogging_2 -
    -
    - ADMX_ErrorReporting/WerNoSecondLevelData_1 -
    -
    - ADMX_ErrorReporting/WerQueue_1 -
    -
    - ADMX_ErrorReporting/WerQueue_2 -
    -
    + + + + +## PCH_AllOrNoneDef -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_ErrorReporting/PCH_AllOrNoneDef** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/PCH_AllOrNoneDef +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled. -If you enable this policy setting, you can instruct Windows Error Reporting in the Default pull-down menu to report either all application errors (the default setting), or no application errors. +- If you enable this policy setting, you can instruct Windows Error Reporting in the Default pull-down menu to report either all application errors (the default setting), or no application errors. If the Report all errors in Microsoft applications check box is filled, all errors in Microsoft applications are reported, regardless of the setting in the Default pull-down menu. When the Report all errors in Windows check box is filled, all errors in Windows applications are reported, regardless of the setting in the Default dropdown list. The Windows applications category is a subset of Microsoft applications. -If you disable or don't configure this policy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Upload all applications. +- If you disable or do not configure this policy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Upload all applications. This policy setting is ignored if the Configure Error Reporting policy setting is disabled or not configured. For related information, see the Configure Error Reporting and Report Operating System Errors policy settings. + - + + + - -ADMX Info: -- GP Friendly name: *Default application reporting settings* -- GP name: *PCH_AllOrNoneDef* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/PCH_AllOrNoneEx** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PCH_AllOrNoneDef | +| Friendly Name | Default application reporting settings | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## PCH_AllOrNoneEx -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/PCH_AllOrNoneEx +``` + + + + This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. -If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list aren't reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. +- If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. -If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. If an application is listed both in the List of applications to always report errors for policy setting, and in the exclusion list in this policy setting, the application is excluded from error reporting. 
You can also use the exclusion list in this policy setting to exclude specific Microsoft applications or parts of Windows if the check boxes for these categories are filled in the Default application reporting settings policy setting. +- If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. If an application is listed both in the List of applications to always report errors for policy setting, and in the exclusion list in this policy setting, the application is excluded from error reporting. You can also use the exclusion list in this policy setting to exclude specific Microsoft applications or parts of Windows if the check boxes for these categories are filled in the Default application reporting settings policy setting. -If you disable or don't configure this policy setting, the Default application reporting settings policy setting takes precedence. +- If you disable or do not configure this policy setting, the Default application reporting settings policy setting takes precedence. + - + + + - -ADMX Info: -- GP Friendly name: *List of applications to never report errors for* -- GP name: *PCH_AllOrNoneEx* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/PCH_AllOrNoneInc** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PCH_AllOrNoneEx | +| Friendly Name | List of applications to never report errors for | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## PCH_AllOrNoneInc -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/PCH_AllOrNoneInc
+```
+
+
+
+
 This policy setting specifies applications for which Windows Error Reporting should always report errors.
-To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list aren't reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors.
+To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors.
-If you enable this policy setting, you can create a list of applications that are always included in error reporting. To add applications to the list, click Show under the Report errors for applications on this list setting, and edit the list of application file names in the Show Contents dialog box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are generated by applications on this list are always reported, even if the Default dropdown in the Default application reporting policy setting is set to report no application errors.
+- If you enable this policy setting, you can create a list of applications that are always included in error reporting.
To add applications to the list, click Show under the Report errors for applications on this list setting, and edit the list of application file names in the Show Contents dialog box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are generated by applications on this list are always reported, even if the Default dropdown in the Default application reporting policy setting is set to report no application errors.
-If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting.
+If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. (Note: The Microsoft applications category includes the Windows components category.)
->[!Note]
->The Microsoft applications category includes the Windows components category.
+- If you disable this policy setting or do not configure it, the Default application reporting settings policy setting takes precedence.
-If you disable this policy setting or don't configure it, the Default application reporting settings policy setting takes precedence.
-
-Also, see the "Default Application Reporting" and "Application Exclusion List" policies.
+Also see the "Default Application Reporting" and "Application Exclusion List" policies. This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *List of applications to always report errors for*
-- GP name: *PCH_AllOrNoneInc*
-- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
-- GP ADMX file name: *ErrorReporting.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
    +
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-**ADMX_ErrorReporting/PCH_ConfigureReport**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | PCH_AllOrNoneInc |
+| Friendly Name | List of applications to always report errors for |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings |
+| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting |
+| ADMX File Name | ErrorReporting.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
    +
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## PCH_ConfigureReport
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
    +
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/PCH_ConfigureReport
+```
+
-
-
+
+
 This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled.
-This policy setting doesn't enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.
+This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.
 > [!IMPORTANT]
-> If the Turn off Windows Error Reporting policy setting isn't configured, then Control Panel settings for Windows Error Reporting override this policy setting.
+> If the Turn off Windows Error Reporting policy setting is not configured, then Control Panel settings for Windows Error Reporting override this policy setting.
-If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that aren't configured (even if users have changed settings by using Control Panel). If you enable this policy setting, you can configure the following settings in the policy setting:
+- If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings by using Control Panel).
+- If you enable this policy setting, you can configure the following settings in the policy setting:
-- "Do not display links to any Microsoft ‘More information’ websites": Select this option if you don't want error dialog boxes to display links to Microsoft websites.
-- "Do not collect additional files": Select this option if you don't want extra files to be collected and included in error reports.
-- "Do not collect additional computer data": Select this option if you don't want additional information about the computer to be collected and included in error reports.
-- "Force queue mode for application errors": Select this option if you don't want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to sign in to the computer can send the error reports to Microsoft.
-- "Corporate file path": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to sign in to the computer can send the error reports to Microsoft.
-- "Replace instances of the word ‘Microsoft’ with": You can specify text with which to customize your error report dialog boxes. The word ""Microsoft"" is replaced with the specified text.
+- "Do not display links to any Microsoft 'More information' websites": Select this option if you do not want error dialog boxes to display links to Microsoft websites.
-If you don't configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003.
+- "Do not collect additional files": Select this option if you do not want additional files to be collected and included in error reports.
-If you disable this policy setting, configuration settings in the policy setting are left blank.
+- "Do not collect additional computer data": Select this if you do not want additional information about the computer to be collected and included in error reports.
-See related policy settings Display Error Notification (same folder as this policy setting), and turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.
+- "Force queue mode for application errors": Select this option if you do not want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to log on to the computer can send the error reports to Microsoft.
-
+- "Corporate file path": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to log onto the computer can send the error reports to Microsoft.
-
-ADMX Info:
-- GP Friendly name: *Configure Error Reporting*
-- GP name: *PCH_ConfigureReport*
-- GP path: *Windows Components\Windows Error Reporting*
-- GP ADMX file name: *ErrorReporting.admx*
+- "Replace instances of the word 'Microsoft' with": You can specify text with which to customize your error report dialog boxes. The word "Microsoft" is replaced with the specified text.
-
-
-
    +- If you do not configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003.
-
-**ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults**
+- If you disable this policy setting, configuration settings in the policy setting are left blank.
-
+See related policy settings Display Error Notification (same folder as this policy setting), and Turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
    +
+**Description framework properties**:
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-> [!div class = "checklist"]
-> * Device
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
    +**ADMX mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | PCH_ConfigureReport |
+| Friendly Name | Configure Error Reporting |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Error Reporting |
+| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting |
+| ADMX File Name | ErrorReporting.admx |
+
+
+
+
+
+
+
+
+
+## PCH_ReportOperatingSystemFaults
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults
+```
+
+
+
+
 This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled.
-If you enable this policy setting, Windows Error Reporting includes operating system errors.
+- If you enable this policy setting, Windows Error Reporting includes operating system errors.
-If you disable this policy setting, operating system errors aren't included in error reports.
+- If you disable this policy setting, operating system errors are not included in error reports.
-If you don't configure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting settings in Control Panel are set to upload operating system errors.
+- If you do not configure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting settings in Control Panel are set to upload operating system errors.
 See also the Configure Error Reporting policy setting.
+
-
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Report operating system errors*
-- GP name: *PCH_ReportOperatingSystemFaults*
-- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
-- GP ADMX file name: *ErrorReporting.admx*
+
+**Description framework properties**:
-
-
-
    +| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-**ADMX_ErrorReporting/WerArchive_1**
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Name | Value |
+|:--|:--|
+| Name | PCH_ReportOperatingSystemFaults |
+| Friendly Name | Report operating system errors |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings |
+| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting |
+| Registry Value Name | IncludeKernelFaults |
+| ADMX File Name | ErrorReporting.admx |
+
-
-
    +
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * User
+
+## WerArchive_1
-
    +
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerArchive_1
+```
+
+
+
+
 This policy setting controls the behavior of the Windows Error Reporting archive.
-If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted.
+- If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted.
-If you disable or don't configure this policy setting, no Windows Error Reporting information is stored.
+- If you disable or do not configure this policy setting, no Windows Error Reporting information is stored.
+
-
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Configure Report Archive*
-- GP name: *WerArchive_1*
-- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
-- GP ADMX file name: *ErrorReporting.admx*
+
+**Description framework properties**:
-
-
-
    +| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-**ADMX_ErrorReporting/WerArchive_2**
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|No|No|
+| Name | Value |
+|:--|:--|
+| Name | WerArchive_1 |
+| Friendly Name | Configure Report Archive |
+| Location | User Configuration |
+| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting |
+| Registry Value Name | DisableArchive |
+| ADMX File Name | ErrorReporting.admx |
+
-
-
    +
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * Device
+
+## WerArchive_2
-
    +
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerArchive_2
+```
+
+
+
+
 This policy setting controls the behavior of the Windows Error Reporting archive.
-If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted.
+- If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted.
-If you disable or don't configure this policy setting, no Windows Error Reporting information is stored.
+- If you disable or do not configure this policy setting, no Windows Error Reporting information is stored.
+
-
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Configure Report Archive*
-- GP name: *WerArchive_2*
-- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
-- GP ADMX file name: *ErrorReporting.admx*
+
+**Description framework properties**:
-
-
-
    +| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-**ADMX_ErrorReporting/WerAutoApproveOSDumps_1**
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Name | Value |
+|:--|:--|
+| Name | WerArchive_2 |
+| Friendly Name | Configure Report Archive |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting |
+| Registry Value Name | DisableArchive |
+| ADMX File Name | ErrorReporting.admx |
+
-
-
    +
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * User
+
+## WerAutoApproveOSDumps_1
-
    +
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-
-This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy doesn't apply to error reports generated by 3rd-party products, or to data other than memory dumps.
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerAutoApproveOSDumps_1
+```
+
-If you enable or don't configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user.
+
+
+This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps.
-If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings.
+- If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user.
-
+- If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings.
+
-
-ADMX Info:
-- GP Friendly name: *Automatically send memory dumps for OS-generated error reports*
-- GP name: *WerAutoApproveOSDumps_1*
-- GP path: *Windows Components\Windows Error Reporting*
-- GP ADMX file name: *ErrorReporting.admx*
+
+
+
-
-
-
    +
+**Description framework properties**:
-
-**ADMX_ErrorReporting/WerAutoApproveOSDumps_2**
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|No|No|
+**ADMX mapping**:
-
-
    +| Name | Value |
+|:--|:--|
+| Name | WerAutoApproveOSDumps_1 |
+| Friendly Name | Automatically send memory dumps for OS-generated error reports |
+| Location | User Configuration |
+| Path | Windows Components > Windows Error Reporting |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting |
+| Registry Value Name | AutoApproveOSDumps |
+| ADMX File Name | ErrorReporting.admx |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+
-> [!div class = "checklist"]
-> * Device
+
-
    +
+## WerAutoApproveOSDumps_2
-
-
-This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy doesn't apply to error reports generated by 3rd-party products, or to data other than memory dumps.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-If you enable or don't configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user.
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerAutoApproveOSDumps_2
+```
+
-If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings.
+
+
+This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps.
-
-ADMX Info:
-- GP Friendly name: *Automatically send memory dumps for OS-generated error reports*
-- GP name: *WerAutoApproveOSDumps_2*
-- GP path: *Windows Components\Windows Error Reporting*
-- GP ADMX file name: *ErrorReporting.admx*
+- If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user.
-
-
-
    +- If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings.
+
-
-**ADMX_ErrorReporting/WerBypassDataThrottling_1**
+
+
+
-
+
+**Description framework properties**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
    +
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+**ADMX mapping**:
-> [!div class = "checklist"]
-> * User
+| Name | Value |
+|:--|:--|
+| Name | WerAutoApproveOSDumps_2 |
+| Friendly Name | Automatically send memory dumps for OS-generated error reports |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Error Reporting |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting |
+| Registry Value Name | AutoApproveOSDumps |
+| ADMX File Name | ErrorReporting.admx |
+
-
    +
+
+
-
-
-This policy setting determines whether Windows Error Reporting (WER) sends more first-level report data, accompanied by second-level report data, even if a CAB file containing data about the same event types has already been uploaded to the server.
+
-If you enable this policy setting, WER doesn't throttle data; that is, WER uploads more CAB files that can contain data about the same event types as an earlier uploaded report.
+
+## WerBypassDataThrottling_1
-If you disable or don't configure this policy setting, WER throttles data by default; that is, WER doesn't upload more than one CAB file for a report that contains data about the same event types.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassDataThrottling_1
+```
+
-
-ADMX Info:
-- GP Friendly name: *Do not throttle additional data*
-- GP name: *WerBypassDataThrottling_1*
-- GP path: *Windows Components\Windows Error Reporting*
-- GP ADMX file name: *ErrorReporting.admx*
+
+
+This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server.
-
-
-
    +- If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report.
-
-**ADMX_ErrorReporting/WerBypassDataThrottling_2**
+- If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types.
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+**Description framework properties**:
-
-
    +| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-> [!div class = "checklist"]
-> * Device
+**ADMX mapping**:
-
    +| Name | Value |
+|:--|:--|
+| Name | WerBypassDataThrottling_1 |
+| Friendly Name | Do not throttle additional data |
+| Location | User Configuration |
+| Path | Windows Components > Windows Error Reporting |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting |
+| Registry Value Name | BypassDataThrottling |
+| ADMX File Name | ErrorReporting.admx |
+
-
-
-This policy setting determines whether Windows Error Reporting (WER) sends more first-level report data, accompanied by second-level report data, even if a CAB file containing data about the same event types has already been uploaded to the server.
+
+
+
-If you enable this policy setting, WER doesn't throttle data; that is, WER uploads more CAB files that can contain data about the same event types as an earlier uploaded report.
+
-If you disable or don't configure this policy setting, WER throttles data by default; that is, WER doesn't upload more than one CAB file for a report that contains data about the same event types.
+
+## WerBypassDataThrottling_2
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-ADMX Info:
-- GP Friendly name: *Do not throttle additional data*
-- GP name: *WerBypassDataThrottling_2*
-- GP path: *Windows Components\Windows Error Reporting*
-- GP ADMX file name: *ErrorReporting.admx*
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassDataThrottling_2
+```
+
-
-
-
    +
+
+This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server.
-
-**ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1**
+- If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report.
-
+- If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types.
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
    +
+**Description framework properties**:
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-> [!div class = "checklist"]
-> * User
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
    +**ADMX mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | WerBypassDataThrottling_2 |
+| Friendly Name | Do not throttle additional data |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Error Reporting |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting |
+| Registry Value Name | BypassDataThrottling |
+| ADMX File Name | ErrorReporting.admx |
+
+
+
+
+
+
+
+
+
+## WerBypassNetworkCostThrottling_1
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1 +``` + + + + This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. -If you enable this policy setting, WER doesn't check for network cost policy restrictions, and transmits data even if network cost is restricted. +- If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. -If you disable or don't configure this policy setting, WER doesn't send data, but will check the network cost policy again if the network profile is changed. +- If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. + - + + + - -ADMX Info: -- GP Friendly name: *Send data when on connected to a restricted/costed network* -- GP name: *WerBypassNetworkCostThrottling_1* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WerBypassNetworkCostThrottling_1 | +| Friendly Name | Send data when on connected to a restricted/costed network | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | BypassNetworkCostThrottling | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WerBypassNetworkCostThrottling_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2 +``` + + + + This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. -If you enable this policy setting, WER doesn't check for network cost policy restrictions, and transmits data even if network cost is restricted. +- If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. -If you disable or don't configure this policy setting, WER doesn't send data, but will check the network cost policy again if the network profile is changed. +- If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. + - + + + - -ADMX Info: -- GP Friendly name: *Send data when on connected to a restricted/costed network* -- GP name: *WerBypassNetworkCostThrottling_2* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerBypassPowerThrottling_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WerBypassNetworkCostThrottling_2 | +| Friendly Name | Send data when on connected to a restricted/costed network | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | BypassNetworkCostThrottling | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## WerBypassPowerThrottling_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but doesn't upload extra report data until the computer is connected to a more permanent power source. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassPowerThrottling_1 +``` + -If you enable this policy setting, WER doesn't determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. + + +This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. -If you disable or don't configure this policy setting, WER checks for solutions while a computer is running on battery power, but doesn't upload report data until the computer is connected to a more permanent power source. +- If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. - +- If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. + - -ADMX Info: -- GP Friendly name: *Send additional data when on battery power* -- GP name: *WerBypassPowerThrottling_1* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_ErrorReporting/WerBypassPowerThrottling_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | WerBypassPowerThrottling_1 | +| Friendly Name | Send additional data when on battery power | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | BypassPowerThrottling | +| ADMX File Name | ErrorReporting.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## WerBypassPowerThrottling_2 - - -This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but doesn't upload extra report data until the computer is connected to a more permanent power source. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this policy setting, WER doesn't determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassPowerThrottling_2 +``` + -If you disable or don't configure this policy setting, WER checks for solutions while a computer is running on battery power, but doesn't upload report data until the computer is connected to a more permanent power source. + + +This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. - +- If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. - -ADMX Info: -- GP Friendly name: *Send additional data when on battery power* -- GP name: *WerBypassPowerThrottling_2* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* +- If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. + - - -
    + + + - -**ADMX_ErrorReporting/WerCER** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | WerBypassPowerThrottling_2 | +| Friendly Name | Send additional data when on battery power | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | BypassPowerThrottling | +| ADMX File Name | ErrorReporting.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you don't want to send error reports to Microsoft). + +## WerCER -If you enable this policy setting, you can specify the name or IP address of an error report destination server on your organization’s network. You can also select Connect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination server for transmission. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you disable or don't configure this policy setting, Windows Error Reporting sends error reports to Microsoft. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerCER +``` + - + + +This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft). - -ADMX Info: -- GP Friendly name: *Configure Corporate Windows Error Reporting* -- GP name: *WerCER* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* +- If you enable this policy setting, you can specify the name or IP address of an error report destination server on your organization's network. You can also select Connect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination server for transmission. - - -
    +- If you disable or do not configure this policy setting, Windows Error Reporting sends error reports to Microsoft. + - -**ADMX_ErrorReporting/WerConsentCustomize_1** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * User +| Name | Value | +|:--|:--| +| Name | WerCER | +| Friendly Name | Configure Corporate Windows Error Reporting | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| ADMX File Name | ErrorReporting.admx | + -
    + + + - - + + + +## WerConsentCustomize_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerConsentCustomize_1 +``` + + + + This policy setting determines the consent behavior of Windows Error Reporting for specific event types. -If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those types meant for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. +- If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. - 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. + - 1 (Always ask before sending data): Windows prompts the user for consent to send reports. -- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send more data requested by Microsoft. -- 3 (Send parameters and safe extra data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and data which Windows has determined (within a high probability) doesn't contain personally identifiable data, and prompts the user for consent to send more data requested by Microsoft. + +- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. 
+ +- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. + - 4 (Send all data): Any data requested by Microsoft is sent automatically. -If you disable or don't configure this policy setting, then the default consent settings that are applied are those settings specified by the user in Control Panel, or in the Configure Default Consent policy setting. +- If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Customize consent settings* -- GP name: *WerConsentCustomize_1* -- GP path: *Windows Components\Windows Error Reporting\Consent* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerConsentOverride_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|No|No| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WerConsentCustomize_1 | +| Friendly Name | Customize consent settings | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting > Consent | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## WerConsentOverride_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerConsentOverride_1 +``` + + + + This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. -If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. +- If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. -If you disable or don't configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. +- If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. + - + + + - -ADMX Info: -- GP Friendly name: *Ignore custom consent settings* -- GP name: *WerConsentOverride_1* -- GP path: *Windows Components\Windows Error Reporting\Consent* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerConsentOverride_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WerConsentOverride_1 | +| Friendly Name | Ignore custom consent settings | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting > Consent | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | +| Registry Value Name | DefaultOverrideBehavior | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WerConsentOverride_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerConsentOverride_2 +``` + + + + This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. -If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. +- If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. -If you disable or don't configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. +- If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. + - + + + - -ADMX Info: -- GP Friendly name: *Ignore custom consent settings* -- GP name: *WerConsentOverride_2* -- GP path: *Windows Components\Windows Error Reporting\Consent* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerDefaultConsent_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WerConsentOverride_2 | +| Friendly Name | Ignore custom consent settings | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Consent | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | +| Registry Value Name | DefaultOverrideBehavior | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## WerDefaultConsent_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerDefaultConsent_1 +``` + + + + This policy setting determines the default consent behavior of Windows Error Reporting. -If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: +- If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: -- **Always ask before sending data**: Windows prompts users for consent to send reports. -- **Send parameters**: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft. -- **Send parameters and safe extra data**: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft. -- **Send all data**: any error reporting data requested by Microsoft is sent automatically. +- Always ask before sending data: Windows prompts users for consent to send reports. -If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. +- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft. 
- +- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft. - -ADMX Info: -- GP Friendly name: *Configure Default consent* -- GP name: *WerDefaultConsent_1* -- GP path: *Windows Components\Windows Error Reporting\Consent* -- GP ADMX file name: *ErrorReporting.admx* +- Send all data: any error reporting data requested by Microsoft is sent automatically. - - -
    +- If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. + - -**ADMX_ErrorReporting/WerDefaultConsent_2** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | WerDefaultConsent_1 | +| Friendly Name | Configure Default consent | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting > Consent | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | +| ADMX File Name | ErrorReporting.admx | + -
    + + + - - + + + +## WerDefaultConsent_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerDefaultConsent_2 +``` + + + + This policy setting determines the default consent behavior of Windows Error Reporting. -If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: +- If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: -- **Always ask before sending data**: Windows prompts users for consent to send reports. -- **Send parameters**: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft. -- **Send parameters and safe extra data**: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft. -- **Send all data**: any error reporting data requested by Microsoft is sent automatically. +- Always ask before sending data: Windows prompts users for consent to send reports. -If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. +- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft. 
- +- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft. - -ADMX Info: -- GP Friendly name: *Configure Default consent* -- GP name: *WerDefaultConsent_2* -- GP path: *Windows Components\Windows Error Reporting\Consent* -- GP ADMX file name: *ErrorReporting.admx* +- Send all data: any error reporting data requested by Microsoft is sent automatically. - - -
    +- If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. + - -**ADMX_ErrorReporting/WerDisable_1** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * User +| Name | Value | +|:--|:--| +| Name | WerDefaultConsent_2 | +| Friendly Name | Configure Default consent | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Consent | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | +| ADMX File Name | ErrorReporting.admx | + -
    + + + - - -This policy setting turns off Windows Error Reporting, so that reports aren't collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. + -If you enable this policy setting, Windows Error Reporting doesn't send any problem information to Microsoft. Additionally, solution information isn't available in Security and Maintenance in Control Panel. + +## WerDisable_1 -If you disable or don't configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerDisable_1 +``` + - -ADMX Info: -- GP Friendly name: *Disable Windows Error Reporting* -- GP name: *WerDisable_1* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + + +This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. - - -
    +- If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. - -**ADMX_ErrorReporting/WerExlusion_1** +- If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> [!div class = "checklist"] -> * User +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | WerDisable_1 | +| Friendly Name | Disable Windows Error Reporting | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | Disabled | +| ADMX File Name | ErrorReporting.admx | + - - + + + + + + + +## WerExlusion_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerExlusion_1 +``` + + + + This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. -If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. +- If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. +- If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. -If you disable or don't configure this policy setting, errors are reported on all Microsoft and Windows applications by default. +- If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. 
+ + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *List of applications to be excluded* -- GP name: *WerExlusion_1* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ErrorReporting/WerExlusion_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WerExlusion_1 | +| Friendly Name | List of applications to be excluded | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| ADMX File Name | ErrorReporting.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## WerExlusion_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerExlusion_2 +``` + - - + + This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. -If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. +- If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. +- If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. -If you disable or don't configure this policy setting, errors are reported on all Microsoft and Windows applications by default. +- If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. + - + + + - -ADMX Info: -- GP Friendly name: *List of applications to be excluded* -- GP name: *WerExlusion_2* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerNoLogging_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WerExlusion_2 | +| Friendly Name | List of applications to be excluded | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## WerNoLogging_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerNoLogging_1 +``` + + + + This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. -If you enable this policy setting, Windows Error Reporting events aren't recorded in the system event log. +- If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. -If you disable or don't configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. +- If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. + - + + + - -ADMX Info: -- GP Friendly name: *Disable logging* -- GP name: *WerNoLogging_1* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerNoLogging_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WerNoLogging_1 | +| Friendly Name | Disable logging | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | LoggingDisabled | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WerNoLogging_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerNoLogging_2 +``` + + + + This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. -If you enable this policy setting, Windows Error Reporting events aren't recorded in the system event log. +- If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. -If you disable or don't configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. +- If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. + - + + + - -ADMX Info: -- GP Friendly name: *Disable logging* -- GP name: *WerNoLogging_2* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerNoSecondLevelData_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WerNoLogging_2 | +| Friendly Name | Disable logging | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | LoggingDisabled | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## WerNoSecondLevelData_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting controls whether more data in support of error reports can be sent to Microsoft automatically. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerNoSecondLevelData_1 +``` + -If you enable this policy setting, any extra-data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. + + +This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. -If you disable or don't configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. +- If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. - +- If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. + - -ADMX Info: -- GP Friendly name: *Do not send additional data* -- GP name: *WerNoSecondLevelData_1* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_ErrorReporting/WerQueue_1** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | WerNoSecondLevelData_1 | +| Friendly Name | Do not send additional data | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | DontSendAdditionalData | +| ADMX File Name | ErrorReporting.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## WerQueue_1 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerQueue_1 +``` + + + + This policy setting determines the behavior of the Windows Error Reporting report queue. -If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. +- If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. -If you disable or don't configure this policy setting, Windows Error Reporting reports aren't queued, and users can only send reports at the time that a problem occurs. 
+- If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. + - + + + - -ADMX Info: -- GP Friendly name: *Configure Report Queue* -- GP name: *WerQueue_1* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerQueue_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WerQueue_1 | +| Friendly Name | Configure Report Queue | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | DisableQueue | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WerQueue_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerQueue_2 +``` + + + + This policy setting determines the behavior of the Windows Error Reporting report queue. -If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing behavior is set to Always queue for administrator, reports are queued until an administrator is prompted to send them, or until the administrator sends them by using the Solutions to Problems page in Control Panel. +- If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing behavior is set to Always queue for administrator, reports are queued until an administrator is prompted to send them, or until the administrator sends them by using the Solutions to Problems page in Control Panel. The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. 
The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. -If you disable or don't configure this policy setting, Windows Error Reporting reports aren't queued, and users can only send reports at the time that a problem occurs. +- If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. + - + + + - -ADMX Info: -- GP Friendly name: *Configure Report Queue* -- GP name: *WerQueue_2* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | WerQueue_2 | +| Friendly Name | Configure Report Queue | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | DisableQueue | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index 227a9dfb49..4a0513e2d2 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -1,153 +1,159 @@ --- -title: Policy CSP - ADMX_EventForwarding -description: Learn about the Policy CSP - ADMX_EventForwarding. +title: ADMX_EventForwarding Policy CSP +description: Learn more about the ADMX_EventForwarding Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/17/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_EventForwarding - -
    - - -## ADMX_EventForwarding policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_EventForwarding/ForwarderResourceUsage -
    -
    - ADMX_EventForwarding/SubscriptionManager -
    -
    + + + + +## ForwarderResourceUsage -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_EventForwarding/ForwarderResourceUsage** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventForwarding/ForwarderResourceUsage +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. -If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This volume-control may be required in high-volume environments. +- If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments. -If you disable or don't configure this policy setting, forwarder resource usage isn't specified. +- If you disable or do not configure this policy setting, forwarder resource usage is not specified. This setting applies across all subscriptions for the forwarder (source computer). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure forwarder resource usage* -- GP name: *ForwarderResourceUsage* -- GP path: *Windows Components/Event Forwarding* -- GP ADMX file name: *EventForwarding.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_EventForwarding/SubscriptionManager** +| Name | Value | +|:--|:--| +| Name | ForwarderResourceUsage | +| Friendly Name | Configure forwarder resource usage | +| Location | Computer Configuration | +| Path | Windows Components > Event Forwarding | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\EventForwarding | +| ADMX File Name | EventForwarding.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## SubscriptionManager - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventForwarding/SubscriptionManager +``` + -
    - - - + + This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. -If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. +- If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. Use the following syntax when using the HTTPS protocol: +Server=https://``:5986/wsman/SubscriptionManager/WEC,Refresh=``,IssuerCA=``. When using the HTTP protocol, use port 5985. -``` syntax -Server=https://:5986/wsman/SubscriptionManager/WEC,Refresh=,IssuerCA=. -``` +- If you disable or do not configure this policy setting, the Event Collector computer will not be specified. + ->[!Note] -> When using the HTTP protocol, use port 5985. + + + -If you disable or don't configure this policy setting, the Event Collector computer won't be specified. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Configure target Subscription Manager* -- GP name: *SubscriptionManager* -- GP path: *Windows Components/Event Forwarding* -- GP ADMX file name: *EventForwarding.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | SubscriptionManager | +| Friendly Name | Configure target Subscription Manager | +| Location | Computer Configuration | +| Path | Windows Components > Event Forwarding | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\EventForwarding | +| ADMX File Name | EventForwarding.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md index c16f154c2f..e1e98092d9 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlog.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -1,1109 +1,1320 @@ --- -title: Policy CSP - ADMX_EventLog -description: Learn about the Policy CSP - ADMX_EventLog. +title: ADMX_EventLog Policy CSP +description: Learn more about the ADMX_EventLog Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/01/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_EventLog -
    - - -## ADMX_EventLog policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_EventLog/Channel_LogEnabled -
    -
    - ADMX_EventLog/Channel_LogFilePath_1 -
    -
    - ADMX_EventLog/Channel_LogFilePath_2 -
    -
    - ADMX_EventLog/Channel_LogFilePath_3 -
    -
    - ADMX_EventLog/Channel_LogFilePath_4 -
    -
    - ADMX_EventLog/Channel_LogMaxSize_3 -
    -
    - ADMX_EventLog/Channel_Log_AutoBackup_1 -
    -
    - ADMX_EventLog/Channel_Log_AutoBackup_2 -
    -
    - ADMX_EventLog/Channel_Log_AutoBackup_3 -
    -
    - ADMX_EventLog/Channel_Log_AutoBackup_4 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_1 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_2 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_3 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_4 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_5 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_6 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_7 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_8 -
    -
    - ADMX_EventLog/Channel_Log_Retention_2 -
    -
    - ADMX_EventLog/Channel_Log_Retention_3 -
    -
    - ADMX_EventLog/Channel_Log_Retention_4 -
    -
    + + + + +## Channel_Log_AutoBackup_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_EventLog/Channel_LogEnabled** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_AutoBackup_1 +``` + - + + +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. - -
    +- If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_Log_AutoBackup_1 | +| Friendly Name | Back up log automatically when full | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Application | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Application | +| Registry Value Name | AutoBackupLogFiles | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_Log_AutoBackup_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_AutoBackup_2 +``` + + + + +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. + +- If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. + +- If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. + +- If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_Log_AutoBackup_2 | +| Friendly Name | Back up log automatically when full | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Security | +| Registry Value Name | AutoBackupLogFiles | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_Log_AutoBackup_3 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_AutoBackup_3 +``` + + + + +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. + +- If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. + +- If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. + +- If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_Log_AutoBackup_3 | +| Friendly Name | Back up log automatically when full | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Setup | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup | +| Registry Value Name | AutoBackupLogFiles | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_Log_AutoBackup_4 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_AutoBackup_4 +``` + + + + +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. + +- If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. + +- If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. + +- If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_Log_AutoBackup_4 | +| Friendly Name | Back up log automatically when full | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > System | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\System | +| Registry Value Name | AutoBackupLogFiles | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_Log_FileLogAccess_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_1 +``` + + + + +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. + +- If you enable this policy setting, only those users matching the security descriptor can access the log. + +- If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess_1 | +| Friendly Name | Configure log access | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Application | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Application | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_Log_FileLogAccess_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_2 +``` + + + + +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +- If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. + +- If you disable or do not configure this policy setting, only system software and administrators can read or clear this log. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess_2 | +| Friendly Name | Configure log access | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Security | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_Log_FileLogAccess_3 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_3 +``` + + + + +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. + +- If you enable this policy setting, only those users matching the security descriptor can access the log. + +- If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess_3 | +| Friendly Name | Configure log access | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Setup | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_Log_FileLogAccess_4 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_4 +``` + + + + +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +- If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. + +- If you disable or do not configure this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess_4 | +| Friendly Name | Configure log access | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > System | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\System | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_Log_FileLogAccess_5 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_5 +``` + + + + +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +- If you enable this policy setting, only those users matching the security descriptor can access the log. + +- If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. + +- If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess_5 | +| Friendly Name | Configure log access (legacy) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Application | +| Registry Key Name | System\CurrentControlSet\Services\EventLog\Application | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_Log_FileLogAccess_6 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_6 +``` + + + + +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. + +- If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. + +- If you disable this policy setting, only system software and administrators can read or clear this log. + +- If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess_6 | +| Friendly Name | Configure log access (legacy) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Security | +| Registry Key Name | System\CurrentControlSet\Services\EventLog\Security | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_Log_FileLogAccess_7 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_7 +``` + + + + +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +- If you enable this policy setting, only those users matching the security descriptor can access the log. + +- If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. + +- If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess_7 | +| Friendly Name | Configure log access (legacy) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Setup | +| Registry Key Name | System\CurrentControlSet\Services\EventLog\Setup | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_Log_FileLogAccess_8 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_8 +``` + + + + +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. + +- If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. + +- If you disable this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. + +- If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess_8 | +| Friendly Name | Configure log access (legacy) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > System | +| Registry Key Name | System\CurrentControlSet\Services\EventLog\System | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_Log_Retention_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_Retention_2 +``` + + + + +This policy setting controls Event Log behavior when the log file reaches its maximum size. + +- If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. + +- If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. + +> [!NOTE] +> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_Log_Retention_2 | +| Friendly Name | Control Event Log behavior when the log file reaches its maximum size | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Security | +| Registry Value Name | Retention | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_Log_Retention_3 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_Retention_3 +``` + + + + +This policy setting controls Event Log behavior when the log file reaches its maximum size. + +- If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. + +- If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. + +> [!NOTE] +> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_Log_Retention_3 | +| Friendly Name | Control Event Log behavior when the log file reaches its maximum size | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Setup | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup | +| Registry Value Name | Retention | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_Log_Retention_4 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_Retention_4 +``` + + + + +This policy setting controls Event Log behavior when the log file reaches its maximum size. + +- If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. + +- If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. + +> [!NOTE] +> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_Log_Retention_4 | +| Friendly Name | Control Event Log behavior when the log file reaches its maximum size | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > System | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\System | +| Registry Value Name | Retention | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_LogEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogEnabled +``` + + + + This policy setting turns on logging. -If you enable or don't configure this policy setting, then events can be written to this log. +- If you enable or do not configure this policy setting, then events can be written to this log. -If the policy setting is disabled, then no new events can be logged. +If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. + ->[!Note] -> Events can always be read from the log, regardless of this policy setting. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on logging* -- GP name: *Channel_LogEnabled* -- GP path: *Windows Components\Event Log Service\Setup* -- GP ADMX file name: *EventLog.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_EventLog/Channel_LogFilePath_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Channel_LogEnabled | +| Friendly Name | Turn on logging | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Setup | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup | +| Registry Value Name | Enabled | +| ADMX File Name | EventLog.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Channel_LogFilePath_1 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogFilePath_1 +``` + - - + + This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. -If you enable this policy setting, the Event Log uses the path specified in this policy setting. +- If you enable this policy setting, the Event Log uses the path specified in this policy setting. -If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. +- If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + - + + + - -ADMX Info: -- GP Friendly name: *Control the location of the log file* -- GP name: *Channel_LogFilePath_1* -- GP path: *Windows Components\Event Log Service\Application* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_LogFilePath_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_LogFilePath_1 | +| Friendly Name | Control the location of the log file | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Application | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Application | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_LogFilePath_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogFilePath_2 +``` + + + + This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. -If you enable this policy setting, the Event Log uses the path specified in this policy setting. +- If you enable this policy setting, the Event Log uses the path specified in this policy setting. -If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. +- If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + - + + + - -ADMX Info: -- GP Friendly name: *Control the location of the log file* -- GP name: *Channel_LogFilePath_2* -- GP path: *Windows Components\Event Log Service\Security* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_LogFilePath_3** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_LogFilePath_2 | +| Friendly Name | Control the location of the log file | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Security | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_LogFilePath_3 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogFilePath_3 +``` + + + + This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. -If you enable this policy setting, the Event Log uses the path specified in this policy setting. +- If you enable this policy setting, the Event Log uses the path specified in this policy setting. -If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. +- If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + - + + + - -ADMX Info: -- GP Friendly name: *Control the location of the log file* -- GP name: *Channel_LogFilePath_3* -- GP path: *Windows Components\Event Log Service\Setup* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_LogFilePath_4** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_LogFilePath_3 | +| Friendly Name | Control the location of the log file | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Setup | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_LogFilePath_4 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogFilePath_4 +``` + + + + This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. -If you enable this policy setting, the Event Log uses the path specified in this policy setting. +- If you enable this policy setting, the Event Log uses the path specified in this policy setting. -If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. +- If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on logging* -- GP name: *Channel_LogFilePath_4* -- GP path: *Windows Components\Event Log Service\System* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_LogMaxSize_3** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_LogFilePath_4 | +| Friendly Name | Control the location of the log file | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > System | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\System | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_LogMaxSize_3 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogMaxSize_3 +``` + + + + This policy setting specifies the maximum size of the log file in kilobytes. -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes), in kilobyte increments. +- If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. -If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. +- If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. + - + + + - -ADMX Info: -- GP Friendly name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_3* -- GP path: *Windows Components\Event Log Service\Setup* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_Log_AutoBackup_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_LogMaxSize_3 | +| Friendly Name | Specify the maximum log file size (KB) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Setup | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + + + -
    + - - -This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +## Related articles -If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started. - -If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. - -If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. - - - - -ADMX Info: -- GP Friendly name: *Back up log automatically when full* -- GP name: *Channel_Log_AutoBackup_1* -- GP path: *Windows Components\Event Log Service\Application* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_Log_AutoBackup_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. - -If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started. - -If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. - -If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. - - - - -ADMX Info: -- GP Friendly name: *Back up log automatically when full* -- GP name: *Channel_Log_AutoBackup_2* -- GP path: *Windows Components\Event Log Service\Security* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_Log_AutoBackup_3** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. - -If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started. - -If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. - -If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. - - - - -ADMX Info: -- GP Friendly name: *Back up log automatically when full* -- GP name: *Channel_Log_AutoBackup_3* -- GP path: *Windows Components\Event Log Service\Setup* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_Log_AutoBackup_4** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. - -If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started. - -If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. - -If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. - - - - -ADMX Info: -- GP Friendly name: *Back up log automatically when full* -- GP name: *Channel_Log_AutoBackup_4* -- GP path: *Windows Components\Event Log Service\System* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_Log_FileLogAccess_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. - -If you enable this policy setting, only those users matching the security descriptor can access the log. - -If you disable or don't configure this policy setting, all authenticated users and system services can write, read, or clear this log. - -> [!NOTE] -> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. - - - - -ADMX Info: -- GP Friendly name: *Configure log access* -- GP name: *Channel_Log_FileLogAccess_1* -- GP path: *Windows Components\Event Log Service\Application* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_Log_FileLogAccess_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You can't configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools. - -If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. - -If you disable or don't configure this policy setting, only system software and administrators can read or clear this log. - -> [!NOTE] -> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. - - - - -ADMX Info: -- GP Friendly name: *Configure log access* -- GP name: *Channel_Log_FileLogAccess_2* -- GP path: *Windows Components\Event Log Service\Security* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_Log_FileLogAccess_3** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. - -If you enable this policy setting, only those users matching the security descriptor can access the log. - -If you disable or don't configure this policy setting, all authenticated users and system services can write, read, or clear this log. - -> [!NOTE] -> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. - - - - -ADMX Info: -- GP Friendly name: *Configure log access* -- GP name: *Channel_Log_FileLogAccess_3* -- GP path: *Windows Components\Event Log Service\Setup* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_Log_FileLogAccess_4** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools. - -If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. - -If you disable or don't configure this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. - -> [!NOTE] -> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. - - - - -ADMX Info: -- GP Friendly name: *Configure log access* -- GP name: *Channel_Log_FileLogAccess_4* -- GP path: *Windows Components\Event Log Service\System* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_Log_FileLogAccess_5** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools. - -If you enable this policy setting, only those users matching the security descriptor can access the log. - -If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. - -If you don't configure this policy setting, the previous policy setting configuration remains in effect. - - - - -ADMX Info: -- GP Friendly name: *Configure log access (legacy)* -- GP name: *Channel_Log_FileLogAccess_5* -- GP path: *Windows Components\Event Log Service\Application* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_Log_FileLogAccess_6** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You can't configure write permissions for this log. - -If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. - -If you disable this policy setting, only system software and administrators can read or clear this log. - -If you don't configure this policy setting, the previous policy setting configuration remains in effect. - - - - -ADMX Info: -- GP Friendly name: *Configure log access (legacy)* -- GP name: *Channel_Log_FileLogAccess_6* -- GP path: *Windows Components\Event Log Service\Security* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_Log_FileLogAccess_7** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools. - -If you enable this policy setting, only those users matching the security descriptor can access the log. - -If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. - -If you don't configure this policy setting, the previous policy setting configuration remains in effect. - - - - -ADMX Info: -- GP Friendly name: *Configure log access (legacy)* -- GP name: *Channel_Log_FileLogAccess_7* -- GP path: *Windows Components\Event Log Service\Setup* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_Log_FileLogAccess_8** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. - -If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. - -If you disable this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. - -If you don't configure this policy setting, the previous policy setting configuration remains in effect. - - - - -ADMX Info: -- GP Friendly name: *Configure log access (legacy)* -- GP name: *Channel_Log_FileLogAccess_8* -- GP path: *Windows Components\Event Log Service\System* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_Log_Retention_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|No|No| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls Event Log behavior when the log file reaches its maximum size. - -If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost. - -If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events. - ->[!Note] -> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. - - - - -ADMX Info: -- GP Friendly name: *Control Event Log behavior when the log file reaches its maximum size* -- GP name: *Channel_Log_Retention_2* -- GP path: *Windows Components\Event Log Service\Security* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_Log_Retention_3** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls Event Log behavior when the log file reaches its maximum size. - -If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost. - -If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events. - ->[!Note] -> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. - - - - -ADMX Info: -- GP Friendly name: *Control Event Log behavior when the log file reaches its maximum size* -- GP name: *Channel_Log_Retention_3* -- GP path: *Windows Components\Event Log Service\Setup* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_Log_Retention_4** - - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls Event Log behavior when the log file reaches its maximum size. - -If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost. - -If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events. - ->[!Note] -> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. - - - - -ADMX Info: -- GP Friendly name: *Control Event Log behavior when the log file reaches its maximum size* -- GP name: *Channel_Log_Retention_4* -- GP path: *Windows Components\Event Log Service\System* -- GP ADMX file name: *EventLog.admx* - - - -
    - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-eventlogging.md b/windows/client-management/mdm/policy-csp-admx-eventlogging.md index f4391621bc..b49b9259de 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlogging.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlogging.md 
@@ -1,91 +1,96 @@ --- -title: Policy CSP - ADMX_EventLogging -description: Learn about the Policy CSP - ADMX_EventLogging. +title: ADMX_EventLogging Policy CSP +description: Learn more about the ADMX_EventLogging Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/12/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_EventLogging > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_EventLogging policies + +## EnableProtectedEventLogging -
    -
    - ADMX_EventLogging/EnableProtectedEventLogging -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLogging/EnableProtectedEventLogging +``` + -
    - - -**ADMX_EventLogging/EnableProtectedEventLogging** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting lets you configure Protected Event Logging. -If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provide. +- If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provide. You can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt these encrypted messages, provided that you have access to the private key corresponding to the public key that they were encrypted with. -You can use the `Unprotect-CmsMessage` PowerShell cmdlet to decrypt these encrypted messages, if you have access to the private key corresponding to the public key that they were encrypted with. +- If you disable or do not configure this policy setting, components will not encrypt event log messages before writing them to the event log. + -If you disable or don't configure this policy setting, components won't encrypt event log messages before writing them to the event log. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable Protected Event Logging* -- GP name: *EnableProtectedEventLogging* -- GP path: *Windows Components\Event Logging* -- GP ADMX file name: *EventLogging.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableProtectedEventLogging | +| Friendly Name | Enable Protected Event Logging | +| Location | Computer Configuration | +| Path | Windows Components > Event Logging | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging | +| Registry Value Name | EnableProtectedEventLogging | +| ADMX File Name | EventLogging.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-eventviewer.md b/windows/client-management/mdm/policy-csp-admx-eventviewer.md index 813b284d14..c0b5223b4c 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventviewer.md +++ b/windows/client-management/mdm/policy-csp-admx-eventviewer.md 
@@ -1,178 +1,201 @@ --- -title: Policy CSP - ADMX_EventViewer -description: Learn about the Policy CSP - ADMX_EventViewer. +title: ADMX_EventViewer Policy CSP +description: Learn more about the ADMX_EventViewer Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/13/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_EventViewer > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_EventViewer policies + +## EventViewer_RedirectionProgram -
    -
    - ADMX_EventViewer/EventViewer_RedirectionProgram -
    -
    - ADMX_EventViewer_RedirectionProgramCommandLineParameters -
    -
    - ADMX_EventViewer/EventViewer_RedirectionURL -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventViewer/EventViewer_RedirectionProgram +``` + -
    + + +This is the program that will be invoked when the user clicks the events.asp link. + - -**ADMX_EventViewer/EventViewer_RedirectionProgram** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | EventViewer_RedirectionProgram | +| Friendly Name | Events.asp program | +| Location | Computer Configuration | +| Path | Windows Components > Event Viewer | +| Registry Key Name | Software\Policies\Microsoft\EventViewer | +| ADMX File Name | EventViewer.admx | + -
    + + + - - -This program is the one that will be invoked when the user clicks the `events.asp` link. + - + +## EventViewer_RedirectionProgramCommandLineParameters + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Events.asp program* -- GP name: *EventViewer_RedirectionProgram* -- GP path: *Windows Components\Event Viewer* -- GP ADMX file name: *EventViewer.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventViewer/EventViewer_RedirectionProgramCommandLineParameters +``` + - - -
    + + +This specifies the command line parameters that will be passed to the events.asp program + - -**ADMX_EventViewer/EventViewer_RedirectionProgramCommandLineParameters** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | EventViewer_RedirectionProgramCommandLineParameters | +| Friendly Name | Events.asp program command line parameters | +| Location | Computer Configuration | +| Path | Windows Components > Event Viewer | +| Registry Key Name | Software\Policies\Microsoft\EventViewer | +| ADMX File Name | EventViewer.admx | + -
    + + + - - -This program specifies the command line parameters that will be passed to the `events.asp` program. + - + +## EventViewer_RedirectionURL - -ADMX Info: -- GP Friendly name: *Events.asp program command line parameters* -- GP name: *EventViewer_RedirectionProgramCommandLineParameters* -- GP path: *Windows Components\Event Viewer* -- GP ADMX file name: *EventViewer.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventViewer/EventViewer_RedirectionURL +``` + - -**ADMX_EventViewer/EventViewer_RedirectionURL** + + +This is the URL that will be passed to the Description area in the Event Properties dialog box. Change this value if you want to use a different Web server to handle event information requests. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> [!div class = "checklist"] -> * Device +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | EventViewer_RedirectionURL | +| Friendly Name | Events.asp URL | +| Location | Computer Configuration | +| Path | Windows Components > Event Viewer | +| Registry Key Name | Software\Policies\Microsoft\EventViewer | +| ADMX File Name | EventViewer.admx | + - - -This URL is the one that will be passed to the Description area in the Event Properties dialog box. + + + -Change this value if you want to use a different Web server to handle event information requests. + - + + + - -ADMX Info: -- GP Friendly name: *Events.asp URL* -- GP name: *EventViewer_RedirectionURL* -- GP path: *Windows Components\Event Viewer* -- GP ADMX file name: *EventViewer.admx* + - - -
    +## Related articles - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md index c4a13d5154..1d565c61b0 100644 --- a/windows/client-management/mdm/policy-csp-admx-explorer.md +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -1,283 +1,334 @@ --- -title: Policy CSP - ADMX_Explorer -description: Learn about the Policy CSP - ADMX_Explorer. +title: ADMX_Explorer Policy CSP +description: Learn more about the ADMX_Explorer Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/08/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Explorer -
    - - -## ADMX_Explorer policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_Explorer/AdminInfoUrl -
    -
    - ADMX_Explorer/AlwaysShowClassicMenu -
    -
    - ADMX_Explorer/DisableRoamedProfileInit -
    -
    - ADMX_Explorer/PreventItemCreationInUsersFilesFolder -
    -
    - ADMX_Explorer/TurnOffSPIAnimations -
    -
    + + + + +## AdminInfoUrl -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_Explorer/AdminInfoUrl** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Explorer/AdminInfoUrl +``` + - + + +Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - - -This policy setting sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. +| Name | Value | +|:--|:--| +| Name | AdminInfoUrl | +| Friendly Name | Set a support web page link | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| ADMX File Name | Explorer.admx | + - + + + - -ADMX Info: -- GP Friendly name: *Set a support web page link* -- GP name: *AdminInfoUrl* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Explorer.admx* + - - -
    + +## AlwaysShowClassicMenu - -**ADMX_Explorer/AlwaysShowClassicMenu** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Explorer/AlwaysShowClassicMenu +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Available in the latest Windows 10 Insider Preview Build. This policy setting configures File Explorer to always display the menu bar. + + +This policy setting configures File Explorer to always display the menu bar. > [!NOTE] > By default, the menu bar is not displayed in File Explorer. -If you enable this policy setting, the menu bar will be displayed in File Explorer. +- If you enable this policy setting, the menu bar will be displayed in File Explorer. -If you disable or don't configure this policy setting, the menu bar won't be displayed in File Explorer. +- If you disable or do not configure this policy setting, the menu bar will not be displayed in File Explorer. > [!NOTE] > When the menu bar is not displayed, users can access the menu bar by pressing the 'ALT' key. + - -ADMX Info: -- GP Friendly name: *Display the menu bar in File Explorer* -- GP name: *AlwaysShowClassicMenu* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Explorer.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_Explorer/DisableRoamedProfileInit** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AlwaysShowClassicMenu | +| Friendly Name | Display the menu bar in File Explorer | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | AlwaysShowClassicMenu | +| ADMX File Name | Explorer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## DisableRoamedProfileInit - - -This policy setting allows administrators who have configured roaming profile with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer won't reinitialize default program associations and other settings to default values. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this policy setting on a machine that doesn't contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Explorer/DisableRoamedProfileInit +``` + - + + +This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values. - -ADMX Info: -- GP Friendly name: *Do not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first time* -- GP name: *DisableRoamedProfileInit* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Explorer.admx* +- If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur. + - - -
    + + + - -**ADMX_Explorer/PreventItemCreationInUsersFilesFolder** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | DisableRoamedProfileInit | +| Friendly Name | Do not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first time | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableRoamedProfileInit | +| ADMX File Name | Explorer.admx | + -> [!div class = "checklist"] -> * User + + + -
    + - - -This policy setting allows administrators to prevent users from adding new items, such as files or folders to the root of their Users Files folder in File Explorer. + +## PreventItemCreationInUsersFilesFolder -If you enable this policy setting, users will no longer be able to add new items, such as files or folders to the root of their Users Files folder in File Explorer. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you disable or don't configure this policy setting, users will be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Explorer/PreventItemCreationInUsersFilesFolder +``` + + + + +This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer. + +- If you enable this policy setting, users will no longer be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. + +- If you disable or do not configure this policy setting, users will be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. > [!NOTE] -> Enabling this policy setting doesn't prevent the user from being able to add new items, such as files and folders to their actual file system profile folder at %userprofile%. +> Enabling this policy setting does not prevent the user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent users from adding files to the root of their Users Files folder.* -- GP name: *PreventItemCreationInUsersFilesFolder* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Explorer.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Explorer/TurnOffSPIAnimations** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PreventItemCreationInUsersFilesFolder | +| Friendly Name | Prevent users from adding files to the root of their Users Files folder. | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | PreventItemCreationInUsersFilesFolder | +| ADMX File Name | Explorer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## TurnOffSPIAnimations -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy is similar to settings directly available to computer users. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Explorer/TurnOffSPIAnimations +``` + -Disabling animations can improve usability for users with some visual disabilities, and also improve performance and battery life in some scenarios. + + +This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off common control and window animations* -- GP name: *TurnOffSPIAnimations* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Explorer.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | TurnOffSPIAnimations | +| Friendly Name | Turn off common control and window animations | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | TurnOffSPIAnimations | +| ADMX File Name | Explorer.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-externalboot.md b/windows/client-management/mdm/policy-csp-admx-externalboot.md index e86fe56c4b..de3e5d8181 100644 --- a/windows/client-management/mdm/policy-csp-admx-externalboot.md +++ b/windows/client-management/mdm/policy-csp-admx-externalboot.md 
@@ -1,193 +1,218 @@ --- -title: Policy CSP - ADMX_ExternalBoot -description: Learn about the Policy CSP - ADMX_ExternalBoot. +title: ADMX_ExternalBoot Policy CSP +description: Learn more about the ADMX_ExternalBoot Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/13/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_ExternalBoot > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## Policy CSP - ADMX_ExternalBoot + +## PortableOperatingSystem_Hibernate -
    -
    - ADMX_ExternalBoot/PortableOperatingSystem_Hibernate - -
    -
    - ADMX_ExternalBoot/PortableOperatingSystem_Sleep - -
    -
    - ADMX_ExternalBoot/PortableOperatingSystem_Launcher - -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ExternalBoot/PortableOperatingSystem_Hibernate +``` + - -**ADMX_ExternalBoot/PortableOperatingSystem_Hibernate** + + +Specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. - +- If you enable this setting, Windows, when started from a Windows To Go workspace, can hibernate the PC. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, can't hibernate the PC. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This policy specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. +**ADMX mapping**: -If you enable this setting, Windows, when started from a Windows To Go workspace, can hibernate the PC. +| Name | Value | +|:--|:--| +| Name | PortableOperatingSystem_Hibernate | +| Friendly Name | Allow hibernate (S4) when starting from a Windows To Go workspace | +| Location | Computer Configuration | +| Path | Windows Components > Portable Operating System | +| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\PortableOperatingSystem | +| Registry Value Name | Hibernate | +| ADMX File Name | ExternalBoot.admx | + -If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, and can't hibernate the PC. + + + + - + +## PortableOperatingSystem_Launcher + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Allow hibernate (S4) when starting from a Windows To Go workspace* -- GP name: *PortableOperatingSystem_Hibernate* -- GP path: *Windows Components\Portable Operating System* -- GP ADMX file name: *ExternalBoot.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ExternalBoot/PortableOperatingSystem_Launcher +``` + - - - -
    - - -**ADMX_ExternalBoot/PortableOperatingSystem_Sleep** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies whether the PC can use standby sleep states (S1-S3) when starting from a Windows To Go workspace. - -If you enable this setting, Windows, when started from a Windows To Go workspace, can't use standby states to make the PC sleep. - -If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, can use standby states to make the PC sleep. - - - - -ADMX Info: -- GP Friendly name: *Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace* -- GP name: *PortableOperatingSystem_Sleep* -- GP path: *Windows Components\Portable Operating System* -- GP ADMX file name: *ExternalBoot.admx* - - - - -
    - - -**ADMX_ExternalBoot/PortableOperatingSystem_Launcher** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options Control Panel item. -If you enable this setting, booting to Windows To Go when a USB device is connected will be enabled, and users won't be able to make changes using the Windows To Go Startup Options Control Panel item. +- If you enable this setting, booting to Windows To Go when a USB device is connected will be enabled, and users will not be able to make changes using the Windows To Go Startup Options Control Panel item. -If you disable this setting, booting to Windows To Go when a USB device is connected won't be enabled unless a user configures the option manually in the BIOS or other boot order configuration. +- If you disable this setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the BIOS or other boot order configuration. -If you don't configure this setting, users who are members of the Administrators group can make changes using the Windows To Go Startup Options Control Panel item. +- If you do not configure this setting, users who are members of the Administrators group can make changes using the Windows To Go Startup Options Control Panel item. + - + + + - -ADMX Info: -- GP Friendly name: *Windows To Go Default Startup Options* -- GP name: *PortableOperatingSystem_Launcher* -- GP path: *Windows Components\Portable Operating System* -- GP ADMX file name: *ExternalBoot.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +| Name | Value | +|:--|:--| +| Name | PortableOperatingSystem_Launcher | +| Friendly Name | Windows To Go Default Startup Options | +| Location | Computer Configuration | +| Path | Windows Components > Portable Operating System | +| Registry Key Name | Software\Policies\Microsoft\PortableOperatingSystem | +| Registry Value Name | Launcher | +| ADMX File Name | ExternalBoot.admx | + + + + + + + + + +## PortableOperatingSystem_Sleep + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ExternalBoot/PortableOperatingSystem_Sleep +``` + + + + +Specifies whether the PC can use standby sleep states (S1-S3) when starting from a Windows To Go workspace. + +- If you enable this setting, Windows, when started from a Windows To Go workspace, can't use standby states to make the PC sleep. + +- If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, can use standby states to make the PC sleep. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PortableOperatingSystem_Sleep | +| Friendly Name | Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace | +| Location | Computer Configuration | +| Path | Windows Components > Portable Operating System | +| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\PortableOperatingSystem | +| Registry Value Name | Sleep | +| ADMX File Name | ExternalBoot.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md index 88de0a6413..b645c3d188 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md 
@@ -1,80 +1,110 @@ --- -title: Policy CSP - ADMX_FileRecovery -description: Learn about the Policy CSP - ADMX_FileRecovery. +title: ADMX_FileRecovery Policy CSP +description: Learn more about the ADMX_FileRecovery Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/24/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_FileRecovery > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -
    -
    - ADMX_FileRecovery/WdiScenarioExecutionPolicy -
    -
    + + + + +## WdiScenarioExecutionPolicy -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_FileRecovery/WdiScenarioExecutionPolicy** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileRecovery/WdiScenarioExecutionPolicy +``` + - + + +This policy setting allows you to configure the recovery behavior for corrupted files to one of three states: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Regular: Detection, troubleshooting, and recovery of corrupted files will automatically start with a minimal UI display. Windows will attempt to present you with a dialog box when a system restart is required. This is the default recovery behavior for corrupted files. - -
    +Silent: Detection, troubleshooting, and recovery of corrupted files will automatically start with no UI. Windows will log an administrator event when a system restart is required. This behavior is recommended for headless operation. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Troubleshooting Only: Detection and troubleshooting of corrupted files will automatically start with no UI. Recovery is not attempted automatically. Windows will log an administrator event with instructions if manual recovery is possible. -> [!div class = "checklist"] -
    +- If you enable this setting, the recovery behavior for corrupted files will be set to either the regular (default), silent, or troubleshooting only state. - - +- If you disable this setting, the recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted. + +- If you do not configure this setting, the recovery behavior for corrupted files will be set to the regular recovery behavior. + +No system or service restarts are required for changes to this policy to take immediate effect after a Group Policy refresh. > [!NOTE] -> This policy setting applies to all sites in Trusted zones. +> This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + - + + +**Note** This policy setting applies to all sites in Trusted zones. + + +**Description framework properties**: - -ADMX Info: -- GP ADMX file name: *FileRecovery.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Configure Corrupted File Recovery behavior | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Corrupted File Recovery | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{8519d925-541e-4a2b-8b1e-8059d16082f2} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | FileRecovery.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md index 7707136130..a23152f09a 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md +++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md 
@@ -1,91 +1,101 @@ --- -title: Policy CSP - ADMX_FileRevocation -description: Learn about the Policy CSP - ADMX_FileRevocation. +title: ADMX_FileRevocation Policy CSP +description: Learn more about the ADMX_FileRevocation Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/13/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_FileRevocation > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -
    -
    - ADMX_FileRevocation/DelegatedPackageFamilyNames -
    -
    + +## DelegatedPackageFamilyNames + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FileRevocation/DelegatedPackageFamilyNames +``` + - -**ADMX_FileRevocation/DelegatedPackageFamilyNames** + + +Windows Runtime applications can protect content which has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that is protected by a particular enterprise, add an entry to the list on a new line that contains the enterprise identifier, separated by a comma, and the Package Family Name of the application. The EID must be an internet domain belonging to the enterprise in standard international domain name format. - +Example value: +Contoso.com,ContosoIT. HumanResourcesApp_m5g0r7arhahqy -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device. - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - - - -Windows Runtime applications can protect content that has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that is protected by a particular enterprise, add an entry to the list on a new line that contains the enterprise identifier, separated by a comma, and the Package Family Name of the application. The EID must be an internet domain belonging to the enterprise in standard international domain name format. -Example value: `Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy` - -If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device. - -If you disable or don't configure this policy setting, the only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and the user-selected mailto protocol handler app. - -Any other Windows Runtime application will only be able to revoke access to content it protected. +- If you disable or do not configure this policy setting, the only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and the user-selected mailto protocol handler app. Any other Windows Runtime application will only be able to revoke access to content it protected. > [!NOTE] -> Information the user should notice even if skimmingFile revocation applies to all content protected under the same second level domain as the provided enterprise identifier. Therefore, revoking an enterprise ID of `mail.contoso.com` will revoke the user’s access to all content protected under the contoso.com hierarchy. 
+> File revocation applies to all content protected under the same second level domain as the provided enterprise identifier. So, revoking an enterprise ID of mail.contoso.com will revoke the user's access to all content protected under the contoso.com hierarchy. + - + + + - -ADMX Info: -- GP Friendly name: *Allow Windows Runtime apps to revoke enterprise data.* -- GP name: *DelegatedPackageFamilyNames* -- GP path: *Windows Components\File Revocation* -- GP ADMX file name: *FileRevocation.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | DelegatedPackageFamilyNames | +| Friendly Name | Allow Windows Runtime apps to revoke enterprise data | +| Location | User Configuration | +| Path | Windows Components > File Revocation | +| Registry Key Name | Software\Policies\Microsoft\Windows\FileRevocation | +| ADMX File Name | FileRevocation.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index ffb6a56824..2333b8c1fb 100644 --- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md 
@@ -1,92 +1,99 @@ --- -title: Policy CSP - ADMX_FileServerVSSProvider -description: Learn about the Policy CSP - ADMX_FileServerVSSProvider. +title: ADMX_FileServerVSSProvider Policy CSP +description: Learn more about the ADMX_FileServerVSSProvider Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/02/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_FileServerVSSProvider > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_FileServerVSSProvider policies + +## Pol_EncryptProtocol -
    -
    - ADMX_FileServerVSSProvider/Pol_EncryptProtocol -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileServerVSSProvider/Pol_EncryptProtocol +``` + -
    - - -**ADMX_FileServerVSSProvider/Pol_EncryptProtocol** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. + + +Determines whether the RPC protocol messagese used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. > [!NOTE] -> To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. +> To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service . + - + + + - -ADMX Info: -- GP Friendly name: *Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers.* -- GP name: *Pol_EncryptProtocol* -- GP path: *System/File Share Shadow Copy Provider* -- GP ADMX file name: *FileServerVSSProvider.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | Pol_EncryptProtocol | +| Friendly Name | Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers. | +| Location | Computer Configuration | +| Path | System > File Share Shadow Copy Provider | +| Registry Key Name | Software\Policies\Microsoft\Windows\fssProv | +| Registry Value Name | EncryptProtocol | +| ADMX File Name | FileServerVSSProvider.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index 89ca799f8e..329a7e9c63 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -1,409 +1,501 @@ --- -title: Policy CSP - ADMX_FileSys -description: Learn about the Policy CSP - ADMX_FileSys. +title: ADMX_FileSys Policy CSP +description: Learn more about the ADMX_FileSys Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/02/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_FileSys -
    - - -## ADMX_FileSys policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_FileSys/DisableCompression -
    -
    - ADMX_FileSys/DisableDeleteNotification -
    -
    - ADMX_FileSys/DisableEncryption -
    -
    - ADMX_FileSys/EnablePagefileEncryption -
    -
    - ADMX_FileSys/LongPathsEnabled -
    -
    - ADMX_FileSys/ShortNameCreationSettings -
    -
    - ADMX_FileSys/SymlinkEvaluation -
    -
    - ADMX_FileSys/TxfDeprecatedFunctionality -
    -
    + + + + +## DisableCompression -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_FileSys/DisableCompression** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/DisableCompression +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. - +A reboot is required for this setting to take effect + + + + - -ADMX Info: -- GP Friendly name: *Do not allow compression on all NTFS volumes* -- GP name: *DisableCompression* -- GP path: *System/Filesystem/NTFS* -- GP ADMX file name: *FileSys.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_FileSys/DisableDeleteNotification** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DisableCompression | +| Friendly Name | Do not allow compression on all NTFS volumes | +| Location | Computer Configuration | +| Path | System > Filesystem > NTFS | +| Registry Key Name | System\CurrentControlSet\Policies | +| Registry Value Name | NtfsDisableCompression | +| ADMX File Name | FileSys.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## DisableDeleteNotification - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/DisableDeleteNotification +``` + + + + Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. A value of 0, the default, will enable delete notifications for all volumes. - A value of 1 will disable delete notifications for all volumes. + - + + + - -ADMX Info: -- GP Friendly name: *Disable delete notifications on all volumes* -- GP name: *DisableDeleteNotification* -- GP path: *System/Filesystem* -- GP ADMX file name: *FileSys.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_FileSys/DisableEncryption** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DisableDeleteNotification | +| Friendly Name | Disable delete notifications on all volumes | +| Location | Computer Configuration | +| Path | System > Filesystem | +| Registry Key Name | System\CurrentControlSet\Policies | +| Registry Value Name | DisableDeleteNotification | +| ADMX File Name | FileSys.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## DisableEncryption - - -Encryption can add to the processing overhead of filesystem operations. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -Enabling this setting will prevent access to and creation of encrypted files. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/DisableEncryption +``` + - -ADMX Info: -- GP Friendly name: *Do not allow encryption on all NTFS volumes* -- GP name: *DisableEncryption* -- GP path: *System/Filesystem/NTFS* -- GP ADMX file name: *FileSys.admx* + + +Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. - - -
    +A reboot is required for this setting to take effect + - -**ADMX_FileSys/EnablePagefileEncryption** + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> [!div class = "checklist"] -> * Device +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | DisableEncryption | +| Friendly Name | Do not allow encryption on all NTFS volumes | +| Location | Computer Configuration | +| Path | System > Filesystem > NTFS | +| Registry Key Name | System\CurrentControlSet\Policies | +| Registry Value Name | NtfsDisableEncryption | +| ADMX File Name | FileSys.admx | + - - -Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. + + + -Enabling this setting will cause the page files to be encrypted. + - + +## EnablePagefileEncryption - -ADMX Info: -- GP Friendly name: *Enable NTFS pagefile encryption* -- GP name: *EnablePagefileEncryption* -- GP path: *System/Filesystem/NTFS* -- GP ADMX file name: *FileSys.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/EnablePagefileEncryption +``` + - -**ADMX_FileSys/LongPathsEnabled** + + +Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - - -Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. +| Name | Value | +|:--|:--| +| Name | EnablePagefileEncryption | +| Friendly Name | Enable NTFS pagefile encryption | +| Location | Computer Configuration | +| Path | System > Filesystem > NTFS | +| Registry Key Name | System\CurrentControlSet\Policies | +| Registry Value Name | NtfsEncryptPagingFile | +| ADMX File Name | FileSys.admx | + -Enabling this setting will cause the long paths to be accessible within the process. + + + - + - -ADMX Info: -- GP Friendly name: *Enable Win32 long paths* -- GP name: *LongPathsEnabled* -- GP path: *System/Filesystem* -- GP ADMX file name: *FileSys.admx* + +## LongPathsEnabled - - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_FileSys/ShortNameCreationSettings** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/LongPathsEnabled +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit. Enabling this setting will cause the long paths to be accessible within the process. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. +**ADMX mapping**: -If you enable short names on all volumes, then short names will always be generated. If you disable them on all volumes, then they'll never be generated. If you set short name creation to be configurable on a per volume basis, then an on-disk flag will determine whether or not short names are created on a given volume. +| Name | Value | +|:--|:--| +| Name | LongPathsEnabled | +| Friendly Name | Enable Win32 long paths | +| Location | Computer Configuration | +| Path | System > Filesystem | +| Registry Key Name | System\CurrentControlSet\Control\FileSystem | +| Registry Value Name | LongPathsEnabled | +| ADMX File Name | FileSys.admx | + -If you disable short name creation on all data volumes, then short names will only be generated for files created on the system volume. + + + - + - -ADMX Info: -- GP Friendly name: *Short name creation options* -- GP name: *ShortNameCreationSettings* -- GP path: *System/Filesystem/NTFS* -- GP ADMX file name: *FileSys.admx* + +## ShortNameCreationSettings - - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_FileSys/SymlinkEvaluation** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/ShortNameCreationSettings +``` + + + +These settings provide control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShortNameCreationSettings | +| Friendly Name | Short name creation options | +| Location | Computer Configuration | +| Path | System > Filesystem > NTFS | +| Registry Key Name | System\CurrentControlSet\Policies | +| ADMX File Name | FileSys.admx | + + + + + + + + + +## SymlinkEvaluation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/SymlinkEvaluation +``` + + + + Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: -- Local Link to a Local Target -- Local Link to a Remote Target -- Remote Link to Remote Target -- Remote Link to Local Target +Local Link to a Local Target +Local Link to a Remote Target +Remote Link to Remote Target +Remote Link to Local Target -For more information, see the Windows Help section. +For further information please refer to the Windows Help section -> [!NOTE] -> If this policy is disabled or not configured, local administrators may select the types of symbolic links to be evaluated. +NOTE: If this policy is Disabled or Not Configured, local administrators may select the types of symbolic links to be evaluated. + - + + + - -ADMX Info: -- GP Friendly name: *Selectively allow the evaluation of a symbolic link* -- GP name: *SymlinkEvaluation* -- GP path: *System/Filesystem* -- GP ADMX file name: *FileSys.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_FileSys/TxfDeprecatedFunctionality** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | SymlinkEvaluation | +| Friendly Name | Selectively allow the evaluation of a symbolic link | +| Location | Computer Configuration | +| Path | System > Filesystem | +| Registry Key Name | Software\Policies\Microsoft\Windows\Filesystems\NTFS | +| Registry Value Name | SymLinkState | +| ADMX File Name | FileSys.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## TxfDeprecatedFunctionality - - -TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/TxfDeprecatedFunctionality +``` + + + +TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Please enable it if you want to use these APIs. + - -ADMX Info: -- GP Friendly name: *Enable / disable TXF deprecated features* -- GP name: *TxfDeprecatedFunctionality* -- GP path: *System/Filesystem/NTFS* -- GP ADMX file name: *FileSys.admx* + + + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | TxfDeprecatedFunctionality | +| Friendly Name | Enable / disable TXF deprecated features | +| Location | Computer Configuration | +| Path | System > Filesystem > NTFS | +| Registry Key Name | System\CurrentControlSet\Policies | +| Registry Value Name | NtfsEnableTxfDeprecatedFunctionality | +| ADMX File Name | FileSys.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index 9098d1152d..e3ca25a214 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -1,407 +1,486 @@ --- -title: Policy CSP - ADMX_FolderRedirection -description: Learn about the Policy CSP - ADMX_FolderRedirection. +title: ADMX_FolderRedirection Policy CSP +description: Learn more about the ADMX_FolderRedirection Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/02/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_FolderRedirection -
    - - -## ADMX_FolderRedirection policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_FolderRedirection/DisableFRAdminPin -
    -
    - ADMX_FolderRedirection/DisableFRAdminPinByFolder -
    -
    - ADMX_FolderRedirection/FolderRedirectionEnableCacheRename -
    -
    - ADMX_FolderRedirection/LocalizeXPRelativePaths_1 -
    -
    - ADMX_FolderRedirection/LocalizeXPRelativePaths_2 -
    -
    - ADMX_FolderRedirection/PrimaryComputer_FR_1 -
    -
    - ADMX_FolderRedirection/PrimaryComputer_FR_2 -
    -
    + + + + +## DisableFRAdminPin -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_FolderRedirection/DisableFRAdminPin** - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/DisableFRAdminPin +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. -If you enable this policy setting, users must manually select the files they wish to make available offline. +- If you enable this policy setting, users must manually select the files they wish to make available offline. -If you disable or don't configure this policy setting, redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. +- If you disable or do not configure this policy setting, redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. > [!NOTE] > This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. -> -> Don't enable this policy setting if users will need access to their redirected files if the network or server holding the redirected files becomes unavailable. -> + +> [!NOTE] +> Do not enable this policy setting if users will need access to their redirected files if the network or server holding the redirected files becomes unavailable. + +> [!NOTE] > If one or more valid folder GUIDs are specified in the policy setting "Do not automatically make specific redirected folders available offline", that setting will override the configured value of "Do not automatically make all redirected folders available offline". 
+ - + + + - -ADMX Info: -- GP Friendly name: *Do not automatically make all redirected folders available offline* -- GP name: *DisableFRAdminPin* -- GP path: *System/Folder Redirection* -- GP ADMX file name: *FolderRedirection.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_FolderRedirection/DisableFRAdminPinByFolder** - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DisableFRAdminPin | +| Friendly Name | Do not automatically make all redirected folders available offline | +| Location | User Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | DisableFRAdminPin | +| ADMX File Name | FolderRedirection.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## DisableFRAdminPinByFolder - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/DisableFRAdminPinByFolder +``` + + + + This policy setting allows you to control whether individual redirected shell folders are available offline by default. For the folders affected by this setting, users must manually select the files they wish to make available offline. -If you disable or don't configure this policy setting, all redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. +- If you disable or do not configure this policy setting, all redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. > [!NOTE] > This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. -> + +> [!NOTE] > The configuration of this policy for any folder will override the configured value of "Do not automatically make all redirected folders available offline". + - + + + - -ADMX Info: -- GP Friendly name: *Do not automatically make specific redirected folders available offline* -- GP name: *DisableFRAdminPinByFolder* -- GP path: *System/Folder Redirection* -- GP ADMX file name: *FolderRedirection.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_FolderRedirection/FolderRedirectionEnableCacheRename** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableFRAdminPinByFolder | +| Friendly Name | Do not automatically make specific redirected folders available offline | +| Location | User Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache\DisableFRAdminPinByFolder | +| ADMX File Name | FolderRedirection.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## FolderRedirectionEnableCacheRename -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or renamed in the Offline Files cache when a folder is redirected to a new location. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/FolderRedirectionEnableCacheRename +``` + -If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location. To use this policy setting, you must move or restore the server content to the new network location using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location. + + +This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. -If you disable or don't configure this policy setting, when the path to a redirected folder is changed and Folder Redirection is configured to move the content to the new location, Windows copies the contents of the local cache to the new network location, then deleted the content from the old network location. +- If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location. 
To use this policy setting, you must move or restore the server content to the new network location using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location. - +- If you disable or do not configure this policy setting, when the path to a redirected folder is changed and Folder Redirection is configured to move the content to the new location, Windows copies the contents of the local cache to the new network location, then deleted the content from the old network location. + - -ADMX Info: -- GP Friendly name: *Enable optimized move of contents in Offline Files cache on Folder Redirection server path change* -- GP name: *FolderRedirectionEnableCacheRename* -- GP path: *System/Folder Redirection* -- GP ADMX file name: *FolderRedirection.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_FolderRedirection/LocalizeXPRelativePaths_1** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | FolderRedirectionEnableCacheRename | +| Friendly Name | Enable optimized move of contents in Offline Files cache on Folder Redirection server path change | +| Location | User Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\System\Fdeploy | +| Registry Value Name | FolderRedirectionEnableCacheRename | +| ADMX File Name | FolderRedirection.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## LocalizeXPRelativePaths_1 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/LocalizeXPRelativePaths_1 +``` + + + + This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. -If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. +- If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. -If you disable or not configure this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use the standard English names for these subfolders when redirecting the Start Menu or legacy My Documents folder. +- If you disable or not configure this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use the standard English names for these subfolders when redirecting the Start Menu or legacy My Documents folder. > [!NOTE] > This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. + - + + + - -ADMX Info: -- GP Friendly name: *Use localized subfolder names when redirecting Start Menu and My Documents* -- GP name: *LocalizeXPRelativePaths_1* -- GP path: *System/Folder Redirection* -- GP ADMX file name: *FolderRedirection.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_FolderRedirection/LocalizeXPRelativePaths_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LocalizeXPRelativePaths_1 | +| Friendly Name | Use localized subfolder names when redirecting Start Menu and My Documents | +| Location | User Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\System\Fdeploy | +| Registry Value Name | LocalizeXPRelativePaths | +| ADMX File Name | FolderRedirection.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LocalizeXPRelativePaths_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/LocalizeXPRelativePaths_2 +``` + + + + This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. -If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. +- If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. -If you disable or not configure this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use the standard English names for these subfolders when redirecting the Start Menu or legacy My Documents folder. +- If you disable or not configure this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use the standard English names for these subfolders when redirecting the Start Menu or legacy My Documents folder. > [!NOTE] > This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. + - + + + - -ADMX Info: -- GP Friendly name: *Use localized subfolder names when redirecting Start Menu and My Documents* -- GP name: *LocalizeXPRelativePaths_2* -- GP path: *System/Folder Redirection* -- GP ADMX file name: *FolderRedirection.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_FolderRedirection/PrimaryComputer_FR_1** - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | LocalizeXPRelativePaths_2 | +| Friendly Name | Use localized subfolder names when redirecting Start Menu and My Documents | +| Location | Computer Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\System\Fdeploy | +| Registry Value Name | LocalizeXPRelativePaths | +| ADMX File Name | FolderRedirection.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## PrimaryComputer_FR_1 - - -This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve sign-in performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/PrimaryComputer_FR_1 +``` + + + + +This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. -If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redirected on the user's primary computer only. +- If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redirected on the user's primary computer only. -If you disable or don't configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user signs in to. +- If you disable or do not configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user logs on to. > [!NOTE] > If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. + - + + + - -ADMX Info: -- GP Friendly name: *Redirect folders on primary computers only* -- GP name: *PrimaryComputer_FR_1* -- GP path: *System/Folder Redirection* -- GP ADMX file name: *FolderRedirection.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_FolderRedirection/PrimaryComputer_FR_2** - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | PrimaryComputer_FR_1 | +| Friendly Name | Redirect folders on primary computers only | +| Location | User Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\System\Fdeploy | +| Registry Value Name | PrimaryComputerEnabledFR | +| ADMX File Name | FolderRedirection.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## PrimaryComputer_FR_2 - - -This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve sign-in performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/PrimaryComputer_FR_2 +``` + + + + +This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. -If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redirected on the user's primary computer only. +- If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redirected on the user's primary computer only. -If you disable or don't configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user signs in to. +- If you disable or do not configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user logs on to. > [!NOTE] > If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Redirect folders on primary computers only* -- GP name: *PrimaryComputer_FR_2* -- GP path: *System/Folder Redirection* -- GP ADMX file name: *FolderRedirection.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | PrimaryComputer_FR_2 | +| Friendly Name | Redirect folders on primary computers only | +| Location | Computer Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\System\Fdeploy | +| Registry Value Name | PrimaryComputerEnabledFR | +| ADMX File Name | FolderRedirection.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-framepanes.md b/windows/client-management/mdm/policy-csp-admx-framepanes.md index 5e1a31bd4d..898a9c4f92 100644 --- a/windows/client-management/mdm/policy-csp-admx-framepanes.md +++ b/windows/client-management/mdm/policy-csp-admx-framepanes.md 
@@ -1,139 +1,160 @@ --- -title: Policy CSP - ADMX_FramePanes -description: Learn about the Policy CSP - ADMX_FramePanes. +title: ADMX_FramePanes Policy CSP +description: Learn more about the ADMX_FramePanes Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/14/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_FramePanes > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    - -## ADMX_FramePanes policies + + + -
    -
    - ADMX_FramePanes/NoReadingPane -
    -
    - ADMX_FramePanes/NoPreviewPane -
    -
    + +## NoPreviewPane + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FramePanes/NoPreviewPane +``` + - -**ADMX_FramePanes/NoReadingPane** - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting shows or hides the Details Pane in File Explorer. -If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and can't be turned on by the user. +- If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the user. -If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and can't be hidden by the user. +- If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and cannot be hidden by the user > [!NOTE] -> This has a side effect of not being able to toggle to the Preview Pane since the two can't be displayed at the same time. +> This has a side effect of not being able to toggle to the Preview Pane since the two cannot be displayed at the same time. -If you disable, or don't configure this policy setting, the Details Pane is hidden by default and can be displayed by the user. +If you disable, or do not configure this policy setting, the Details Pane is hidden by default and can be displayed by the user. This is the default policy setting. + -This setting is the default policy setting. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on or off details pane* -- GP name: *NoReadingPane* -- GP path: *Windows Components\File Explorer\Explorer Frame Pane* -- GP ADMX file name: *FramePanes.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_FramePanes/NoPreviewPane** +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | NoPreviewPane | +| Friendly Name | Turn on or off details pane | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Explorer Frame Pane | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | FramePanes.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoReadingPane -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FramePanes/NoReadingPane +``` + - - + + Hides the Preview Pane in File Explorer. -If you enable this policy setting, the Preview Pane in File Explorer is hidden and can't be turned on by the user. +- If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user. -If you disable, or don't configure this setting, the Preview Pane is hidden by default and can be displayed by the user. +If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Preview Pane* -- GP name: *NoPreviewPane* -- GP path: *Windows Components\File Explorer\Explorer Frame Pane* -- GP ADMX file name: *FramePanes.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | NoReadingPane | +| Friendly Name | Turn off Preview Pane | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Explorer Frame Pane | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoReadingPane | +| ADMX File Name | FramePanes.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) 
diff --git a/windows/client-management/mdm/policy-csp-admx-fthsvc.md b/windows/client-management/mdm/policy-csp-admx-fthsvc.md index 6d52f5da19..79f96e961d 100644 --- a/windows/client-management/mdm/policy-csp-admx-fthsvc.md +++ b/windows/client-management/mdm/policy-csp-admx-fthsvc.md @@ -1,95 +1,104 @@ --- -title: Policy CSP - ADMX_FTHSVC -description: Learn about the Policy CSP - ADMX_FTHSVC. +title: ADMX_fthsvc Policy CSP +description: Learn more about the ADMX_fthsvc Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/15/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- -# Policy CSP - ADMX_FTHSVC + + + +# Policy CSP - ADMX_fthsvc > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_FTHSVC policies + +## WdiScenarioExecutionPolicy -
    -
    - ADMX_FTHSVC/WdiScenarioExecutionPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_fthsvc/WdiScenarioExecutionPolicy +``` + - -**ADMX_FTHSVC/WdiScenarioExecutionPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
    - - - + + This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption problems. -If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems. +- If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems. -If you disable this policy setting, Windows can't detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS. +- If you disable this policy setting, Windows cannot detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS. -If you don't configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default. +- If you do not configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default. + +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. + +This policy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. -This policy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed. -The DPS can be configured with the Services snap-in to the Microsoft Management Console. No system restart or service restart is required for this policy setting to take effect: changes take effect immediately. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Configure Scenario Execution Level* -- GP name: *WdiScenarioExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Fault Tolerant Heap* -- GP ADMX file name: *FTHSVC.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Configure Scenario Execution Level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Fault Tolerant Heap | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{dc42ff48-e40d-4a60-8675-e71f7e64aa9a} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | fthsvc.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 663d447e5d..9a730ad116 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -1,1343 +1,1617 @@ --- -title: Policy CSP - ADMX_Globalization -description: Learn about the Policy CSP - ADMX_Globalization. +title: ADMX_Globalization Policy CSP +description: Learn more about the ADMX_Globalization Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/14/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Globalization -
    - - -## ADMX_Globalization policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_Globalization/BlockUserInputMethodsForSignIn -
    -
    - ADMX_Globalization/CustomLocalesNoSelect_1 -
    -
    - ADMX_Globalization/CustomLocalesNoSelect_2 -
    -
    - ADMX_Globalization/HideAdminOptions -
    -
    - ADMX_Globalization/HideCurrentLocation -
    -
    - ADMX_Globalization/HideLanguageSelection -
    -
    - ADMX_Globalization/HideLocaleSelectAndCustomize -
    -
    - ADMX_Globalization/ImplicitDataCollectionOff_1 -
    -
    - ADMX_Globalization/ImplicitDataCollectionOff_2 -
    -
    - ADMX_Globalization/LocaleSystemRestrict -
    -
    - ADMX_Globalization/LocaleUserRestrict_1 -
    -
    - ADMX_Globalization/LocaleUserRestrict_2 -
    -
    - ADMX_Globalization/LockMachineUILanguage -
    -
    - ADMX_Globalization/LockUserUILanguage -
    -
    - ADMX_Globalization/PreventGeoIdChange_1 -
    -
    - ADMX_Globalization/PreventGeoIdChange_2 -
    -
    - ADMX_Globalization/PreventUserOverrides_1 -
    -
    - ADMX_Globalization/PreventUserOverrides_2 -
    -
    - ADMX_Globalization/RestrictUILangSelect -
    -
    - ADMX_Globalization/TurnOffAutocorrectMisspelledWords -
    -
    - ADMX_Globalization/TurnOffHighlightMisspelledWords -
    -
    - ADMX_Globalization/TurnOffInsertSpace -
    -
    - ADMX_Globalization/TurnOffOfferTextPredictions -
    -
    - ADMX_Globalization/Y2K -
    -
    + + + + +## BlockUserInputMethodsForSignIn -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_Globalization/BlockUserInputMethodsForSignIn** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/BlockUserInputMethodsForSignIn +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. -This confinement doesn't affect the availability of user input methods on the lock screen or with the UAC prompt. +**Note** this does not affect the availability of user input methods on the lock screen or with the UAC prompt. -If the policy is enabled, then the user will get input methods enabled for the system account on the sign-in page. +- If the policy is enabled, then the user will get input methods enabled for the system account on the sign-in page. -If the policy is disabled or not configured, then the user will be able to use input methods enabled for their user account on the sign-in page. +- If the policy is disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Disallow copying of user input methods to the system account for sign-in* -- GP name: *BlockUserInputMethodsForSignIn* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Globalization/CustomLocalesNoSelect_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BlockUserInputMethodsForSignIn | +| Friendly Name | Disallow copying of user input methods to the system account for sign-in | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | BlockUserInputMethodsForSignIn | +| ADMX File Name | Globalization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CustomLocalesNoSelect_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/CustomLocalesNoSelect_1 +``` + - - + + This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. -This confinement doesn't affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. +This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. -The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting isn't configured. +The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured. -If you enable this policy setting, the user can't select a custom locale as their user locale, but they can still select a replacement locale if one is installed. +- If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. -If you disable or don't configure this policy setting, the user can select a custom locale as their user locale. +- If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. -If this policy setting is enabled at the machine level, it can't be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting isn't configured at the machine level, restrictions will be based on per-user policy settings. 
+- If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. +- If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. +- If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. -To set this policy setting on a per-user basis, make sure that you don't configure the per-machine policy setting. +To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Disallow selection of Custom Locales* -- GP name: *CustomLocalesNoSelect_1* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/CustomLocalesNoSelect_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CustomLocalesNoSelect_1 | +| Friendly Name | Disallow selection of Custom Locales | +| Location | User Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | CustomLocalesNoSelect | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## CustomLocalesNoSelect_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/CustomLocalesNoSelect_2 +``` + + + + This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. -This confinement doesn't affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. +This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. -The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting isn't configured. +The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured. -If you enable this policy setting, the user can't select a custom locale as their user locale, but they can still select a replacement locale if one is installed. +- If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. -If you disable or don't configure this policy setting, the user can select a custom locale as their user locale. +- If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. -If this policy setting is enabled at the machine level, it can't be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. 
If this policy setting isn't configured at the machine level, restrictions will be based on per-user policy settings. +- If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. +- If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. +- If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. -To set this policy setting on a per-user basis, make sure that you don't configure the per-machine policy setting. +To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Disallow selection of Custom Locales* -- GP name: *CustomLocalesNoSelect_2* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/HideAdminOptions** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CustomLocalesNoSelect_2 | +| Friendly Name | Disallow selection of Custom Locales | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | CustomLocalesNoSelect | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## HideAdminOptions -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting removes the Administrative options from the Region settings control panel. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/HideAdminOptions +``` + -Administrative options include interfaces for setting system locale and copying settings to the default user. This policy setting doesn't, however, prevent an administrator or another application from changing these values programmatically. + + +This policy setting removes the Administrative options from the Region settings control panel. Administrative options include interfaces for setting system locale and copying settings to the default user. This policy setting does not, however, prevent an administrator or another application from changing these values programmatically. This policy setting is used only to simplify the Regional Options control panel. -If you enable this policy setting, the user can't see the Administrative options. +- If you enable this policy setting, the user cannot see the Administrative options. -If you disable or don't configure this policy setting, the user can see the Administrative options. +- If you disable or do not configure this policy setting, the user can see the Administrative options. > [!NOTE] > Even if a user can see the Administrative options, other policies may prevent them from modifying the values. + + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide Regional and Language Options administrative options* -- GP name: *HideAdminOptions* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Globalization/HideCurrentLocation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HideAdminOptions | +| Friendly Name | Hide Regional and Language Options administrative options | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | HideAdminOptions | +| ADMX File Name | Globalization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HideCurrentLocation -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/HideCurrentLocation +``` + - - + + This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control panel. This policy setting is used only to simplify the Regional Options control panel. -If you enable this policy setting, the user doesn't see the option to change the GeoID. This lack of display doesn't prevent the user or an application from changing the GeoID programmatically. +- If you enable this policy setting, the user does not see the option to change the GeoID. This does not prevent the user or an application from changing the GeoID programmatically. -If you disable or don't configure this policy setting, the user sees the option for changing the user location (GeoID). +- If you disable or do not configure this policy setting, the user sees the option for changing the user location (GeoID). > [!NOTE] > Even if a user can see the GeoID option, the "Disallow changing of geographical location" option can prevent them from actually changing their current geographical location. + - + + + - -ADMX Info: -- GP Friendly name: *Hide the geographic location option* -- GP name: *HideCurrentLocation* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/HideLanguageSelection** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | HideCurrentLocation | +| Friendly Name | Hide the geographic location option | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | HideCurrentLocation | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## HideLanguageSelection -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/HideLanguageSelection +``` + + + + This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional Options control panel. This policy setting is used only to simplify the Regional Options control panel. -If you enable this policy setting, the user doesn't see the option for changing the UI language. This lack of display doesn't prevent the user or an application from changing the UI language programmatically. If you disable or don't configure this policy setting, the user sees the option for changing the UI language. +- If you enable this policy setting, the user does not see the option for changing the UI language. This does not prevent the user or an application from changing the UI language programmatically. + +- If you disable or do not configure this policy setting, the user sees the option for changing the UI language. > [!NOTE] > Even if a user can see the option to change the UI language, other policy settings can prevent them from changing their UI language. + + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide the select language group options* -- GP name: *HideLanguageSelection* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Globalization/HideLocaleSelectAndCustomize** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HideLanguageSelection | +| Friendly Name | Hide the select language group options | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | HideLanguageSelection | +| ADMX File Name | Globalization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HideLocaleSelectAndCustomize -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/HideLocaleSelectAndCustomize +``` + - - + + This policy setting removes the regional formats interface from the Region settings control panel. This policy setting is used only to simplify the Regional and Language Options control panel. -If you enable this policy setting, the user doesn't see the regional formats options. This lack of display doesn't prevent the user or an application from changing their user locale or user overrides programmatically. +- If you enable this policy setting, the user does not see the regional formats options. This does not prevent the user or an application from changing their user locale or user overrides programmatically. -If you disable or don't configure this policy setting, the user sees the regional formats options for changing and customizing the user locale. +- If you disable or do not configure this policy setting, the user sees the regional formats options for changing and customizing the user locale. + - + + + - -ADMX Info: -- GP Friendly name: *Hide user locale selection and customization options* -- GP name: *HideLocaleSelectAndCustomize* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/ImplicitDataCollectionOff_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | HideLocaleSelectAndCustomize | +| Friendly Name | Hide user locale selection and customization options | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | HideLocaleSelectAndCustomize | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## ImplicitDataCollectionOff_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/ImplicitDataCollectionOff_1 +``` + + + + This policy setting turns off the automatic learning component of handwriting recognition personalization. -Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, and URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history doesn't delete the stored personalization data. Ink entered through Input Panel is collected and stored. +Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. + +Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. > [!NOTE] -> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. For more information, see Tablet PC Help. +> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. 
See Tablet PC Help for more information. -If you enable this policy setting, automatic learning stops and any stored data are deleted. Users can't configure this setting in Control Panel. +- If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. -If you disable this policy setting, automatic learning is turned on. Users can't configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. +- If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. -If you don't configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. +- If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. This policy setting is related to the "Turn off handwriting personalization" policy setting. > [!NOTE] > The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data. -> -> Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. - - - - -ADMX Info: -- GP Friendly name: *Turn off automatic learning* -- GP name: *ImplicitDataCollectionOff_1* -- GP path: *Control Panel\Regional and Language Options\Handwriting personalization* -- GP ADMX file name: *Globalization.admx* - - - -
    - - -**ADMX_Globalization/ImplicitDataCollectionOff_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting turns off the automatic learning component of handwriting recognition personalization. - -Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, and URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history doesn't delete the stored personalization data. Ink entered through Input Panel is collected and stored. > [!NOTE] -> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. For more information, see Tablet PC Help. +> Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. + -If you enable this policy setting, automatic learning stops and any stored data are deleted. Users can't configure this setting in Control Panel. + + + -If you disable this policy setting, automatic learning is turned on. Users can't configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. + +**Description framework properties**: -If you don't configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ImplicitDataCollectionOff_1 | +| Friendly Name | Turn off automatic learning | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options > Handwriting personalization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\InputPersonalization | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## ImplicitDataCollectionOff_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/ImplicitDataCollectionOff_2 +``` + + + + +This policy setting turns off the automatic learning component of handwriting recognition personalization. + +Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. + +Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. + +> [!NOTE] +> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information. + +- If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. + +- If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. + +- If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. This policy setting is related to the "Turn off handwriting personalization" policy setting. > [!NOTE] > The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. 
When these limits are reached and new data is collected, old data is deleted to make room for more recent data. -> + +> [!NOTE] > Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off automatic learning* -- GP name: *ImplicitDataCollectionOff_2* -- GP path: *Control Panel\Regional and Language Options\Handwriting personalization* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/LocaleSystemRestrict** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ImplicitDataCollectionOff_2 | +| Friendly Name | Turn off automatic learning | +| Location | Computer Configuration | +| Path | Control Panel > Regional and Language Options > Handwriting personalization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\InputPersonalization | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LocaleSystemRestrict -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they'll be restricted to the specified list. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LocaleSystemRestrict +``` + + + + +This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada). -If you enable this policy setting, administrators can select a system locale only from the specified system locale list. +- If you enable this policy setting, administrators can select a system locale only from the specified system locale list. -If you disable or don't configure this policy setting, administrators can select any system locale shipped with the operating system. +- If you disable or do not configure this policy setting, administrators can select any system locale shipped with the operating system. + - + + + - -ADMX Info: -- GP Friendly name: *Restrict system locales* -- GP name: *LocaleSystemRestrict* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/LocaleUserRestrict_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LocaleSystemRestrict | +| Friendly Name | Restrict system locales | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | RestrictSystemLocales | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## LocaleUserRestrict_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting doesn't change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/LocaleUserRestrict_1 +``` + -To set this policy setting on a per-user basis, make sure that you don't configure the per-computer policy setting. + + +This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). -If you enable this policy setting, only locales in the specified locale list can be selected by users. +- If you enable this policy setting, only locales in the specified locale list can be selected by users. -If you disable or don't configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. If this policy setting is enabled at the computer level, it can't be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. 
If this policy setting isn't configured at the computer level, restrictions are based on per-user policies. +- If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. - +- If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. +- If this policy setting is disabled at the computer level, the per-user policy is ignored. +- If this policy setting is not configured at the computer level, restrictions are based on per-user policies. + - -ADMX Info: -- GP Friendly name: *Restrict user locales* -- GP name: *LocaleUserRestrict_1* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_Globalization/LocaleUserRestrict_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | LocaleUserRestrict_1 | +| Friendly Name | Restrict user locales | +| Location | User Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | RestrictUserLocales | +| ADMX File Name | Globalization.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## LocaleUserRestrict_2 - - -This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting doesn't change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -To set this policy setting on a per-user basis, make sure that you don't configure the per-computer policy setting. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LocaleUserRestrict_2 +``` + + + + +This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). -If you enable this policy setting, only locales in the specified locale list can be selected by users. +- If you enable this policy setting, only locales in the specified locale list can be selected by users. -If you disable or don't configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. +- If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. -If this policy setting is enabled at the computer level, it can't be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting isn't configured at the computer level, restrictions are based on per-user policies. +- If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. 
+- If this policy setting is disabled at the computer level, the per-user policy is ignored. +- If this policy setting is not configured at the computer level, restrictions are based on per-user policies. + - + + + - -ADMX Info: -- GP Friendly name: *Restrict user locales* -- GP name: *LocaleUserRestrict_2* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/LockMachineUILanguage** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LocaleUserRestrict_2 | +| Friendly Name | Restrict user locales | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | RestrictUserLocales | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LockMachineUILanguage -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LockMachineUILanguage +``` + + + + This policy setting restricts the Windows UI language for all users. -This policy setting is meant for computers with more than one UI language installed. +This is a policy setting for computers with more than one UI language installed. -If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language will follow the language specified by the administrator as the system UI languages. The UI language selected by the user will be ignored if it's different than any of the system UI languages. +- If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language will follow the language specified by the administrator as the system UI languages. The UI language selected by the user will be ignored if it is different than any of the system UI languages. -If you disable or don't configure this policy setting, the user can specify which UI language is used. +- If you disable or do not configure this policy setting, the user can specify which UI language is used. + - + + + - -ADMX Info: -- GP Friendly name: *Restricts the UI language Windows uses for all logged users* -- GP name: *LockMachineUILanguage* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/LockUserUILanguage** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LockMachineUILanguage | +| Friendly Name | Restricts the UI language Windows uses for all logged users | +| Location | Computer Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\MUI\Settings | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## LockUserUILanguage -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/LockUserUILanguage +``` + + + + This policy setting restricts the Windows UI language for specific users. This policy setting applies to computers with more than one UI language installed. -If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language for the selected user. If the specified language isn't installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the user. +- If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language for the selected user. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the user. -If you disable or don't configure this policy setting, there's no restriction on which language users should use. +- If you disable or do not configure this policy setting, there is no restriction on which language users should use. To enable this policy setting in Windows Server 2003, Windows XP, or Windows 2000, to use the "Restrict selection of Windows menus and dialogs language" policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Restricts the UI languages Windows should use for the selected user* -- GP name: *LockUserUILanguage* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/PreventGeoIdChange_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LockUserUILanguage | +| Friendly Name | Restricts the UI languages Windows should use for the selected user | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\Desktop | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## PreventGeoIdChange_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventGeoIdChange_1 +``` + + + + This policy setting prevents users from changing their user geographical location (GeoID). -If you enable this policy setting, users can't change their GeoID. +- If you enable this policy setting, users cannot change their GeoID. -If you disable or don't configure this policy setting, users may select any GeoID. +- If you disable or do not configure this policy setting, users may select any GeoID. -If you enable this policy setting at the computer level, it can't be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you don't configure this policy setting at the computer level, restrictions are based on per-user policy settings. +- If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. +- If you disable this policy setting at the computer level, the per-user policy is ignored. +- If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. -To set this policy setting on a per-user basis, make sure that the per-computer policy setting isn't configured. +To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. + - + + + - -ADMX Info: -- GP Friendly name: *Disallow changing of geographic location* -- GP name: *PreventGeoIdChange_1* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/PreventGeoIdChange_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PreventGeoIdChange_1 | +| Friendly Name | Disallow changing of geographic location | +| Location | User Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | PreventGeoIdChange | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## PreventGeoIdChange_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventGeoIdChange_2 +``` + + + + This policy setting prevents users from changing their user geographical location (GeoID). -If you enable this policy setting, users can't change their GeoID. +- If you enable this policy setting, users cannot change their GeoID. -If you disable or don't configure this policy setting, users may select any GeoID. +- If you disable or do not configure this policy setting, users may select any GeoID. -If you enable this policy setting at the computer level, it can't be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you don't configure this policy setting at the computer level, restrictions are based on per-user policy settings. +- If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. +- If you disable this policy setting at the computer level, the per-user policy is ignored. +- If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. -To set this policy setting on a per-user basis, make sure that the per-computer policy setting isn't configured. +To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. + - + + + - -ADMX Info: -- GP Friendly name: *Disallow changing of geographic location* -- GP name: *PreventGeoIdChange_2* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/PreventUserOverrides_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PreventGeoIdChange_2 | +| Friendly Name | Disallow changing of geographic location | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | PreventGeoIdChange | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## PreventUserOverrides_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventUserOverrides_1 +``` + + + + This policy setting prevents the user from customizing their locale by changing their user overrides. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. -When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. +When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user cannot customize their user locale with user overrides. -The user can't customize their user locale with user overrides. +- If this policy setting is disabled or not configured, then the user can customize their user locale overrides. -If this policy setting is disabled or not configured, then the user can customize their user locale overrides. - -If this policy is set to Enabled at the computer level, then it can't be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. +- If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. +- If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. +- If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Disallow user override of locale settings* -- GP name: *PreventUserOverrides_1* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/PreventUserOverrides_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PreventUserOverrides_1 | +| Friendly Name | Disallow user override of locale settings | +| Location | User Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | PreventUserOverrides | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## PreventUserOverrides_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventUserOverrides_2 +``` + + + + This policy setting prevents the user from customizing their locale by changing their user overrides. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. -When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. +When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user cannot customize their user locale with user overrides. -The user can't customize their user locale with user overrides. +- If this policy setting is disabled or not configured, then the user can customize their user locale overrides. -If this policy setting is disabled or not configured, then the user can customize their user locale overrides. - -If this policy is set to Enabled at the computer level, then it can't be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. +- If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. +- If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. +- If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Disallow user override of locale settings* -- GP name: *PreventUserOverrides_2* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/RestrictUILangSelect** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PreventUserOverrides_2 | +| Friendly Name | Disallow user override of locale settings | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | PreventUserOverrides | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## RestrictUILangSelect -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language isn't installed on the target computer, the language selection defaults to English. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/RestrictUILangSelect +``` + -If you enable this policy setting, the dialog box controls in the Regional and Language Options control panel aren't accessible to the signed-in user. This prevention of access prevents users from specifying a language different than the one used. + + +This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defaults to English. + +- If you enable this policy setting, the dialog box controls in the Regional and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language different than the one used. To enable this policy setting in Windows Vista, use the "Restricts the UI languages Windows should use for the selected user" policy setting. -If you disable or don't configure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select any available UI language. +- If you disable or do not configure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select any available UI language. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Restrict selection of Windows menus and dialogs language* -- GP name: *RestrictUILangSelect* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/TurnOffAutocorrectMisspelledWords** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | RestrictUILangSelect | +| Friendly Name | Restrict selection of Windows menus and dialogs language | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\Desktop | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## TurnOffAutocorrectMisspelledWords -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy turns off the autocorrect misspelled words option. This turn off doesn't, however, prevent the user or an application from changing the setting programmatically. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/TurnOffAutocorrectMisspelledWords +``` + + + + +This policy turns off the autocorrect misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. The autocorrect misspelled words option controls whether or not errors in typed text will be automatically corrected. -If the policy is enabled, then the option will be locked to not autocorrect misspelled words. +- If the policy is enabled, then the option will be locked to not autocorrect misspelled words. -If the policy is disabled or not configured, then the user will be free to change the setting according to their preference. +- If the policy is disabled or Not Configured, then the user will be free to change the setting according to their preference. -The availability and function of this setting is dependent on supported languages being enabled. - +**Note** that the availability and function of this setting is dependent on supported languages being enabled. + - -ADMX Info: -- GP Friendly name: *Turn off autocorrect misspelled words* -- GP name: *TurnOffAutocorrectMisspelledWords* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_Globalization/TurnOffHighlightMisspelledWords** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | TurnOffAutocorrectMisspelledWords | +| Friendly Name | Turn off autocorrect misspelled words | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | TurnOffAutocorrectMisspelledWords | +| ADMX File Name | Globalization.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## TurnOffHighlightMisspelledWords - - -This policy turns off the highlight misspelled words option. This turn off doesn't, however, prevent the user or an application from changing the setting programmatically. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/TurnOffHighlightMisspelledWords +``` + + + + +This policy turns off the highlight misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. The highlight misspelled words option controls whether or next spelling errors in typed text will be highlighted. -If the policy is enabled, then the option will be locked to not highlight misspelled words. +- If the policy is enabled, then the option will be locked to not highlight misspelled words. -If the policy is disabled or not configured, then the user will be free to change the setting according to their preference. +- If the policy is disabled or Not Configured, then the user will be free to change the setting according to their preference. -The availability and function of this setting is dependent on supported languages being enabled. +**Note** that the availability and function of this setting is dependent on supported languages being enabled. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off highlight misspelled words* -- GP name: *TurnOffHighlightMisspelledWords* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/TurnOffInsertSpace** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TurnOffHighlightMisspelledWords | +| Friendly Name | Turn off highlight misspelled words | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | TurnOffHighlightMisspelledWords | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## TurnOffInsertSpace -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy turns off the insert a space after selecting a text prediction option. This turn off doesn't, however, prevent the user or an application from changing the setting programmatically. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/TurnOffInsertSpace +``` + + + + +This policy turns off the insert a space after selecting a text prediction option. This does not, however, prevent the user or an application from changing the setting programmatically. The insert a space after selecting a text prediction option controls whether or not a space will be inserted after the user selects a text prediction candidate when using the on-screen keyboard. -If the policy is enabled, then the option will be locked to not insert a space after selecting a text prediction. +- If the policy is enabled, then the option will be locked to not insert a space after selecting a text prediction. -If the policy is disabled or not configured, then the user will be free to change the setting according to their preference. +- If the policy is disabled or Not Configured, then the user will be free to change the setting according to their preference. -The availability and function of this setting is dependent on supported languages being enabled. - +**Note** that the availability and function of this setting is dependent on supported languages being enabled. + - -ADMX Info: -- GP Friendly name: *Turn off insert a space after selecting a text prediction* -- GP name: *TurnOffInsertSpace* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_Globalization/TurnOffOfferTextPredictions** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | TurnOffInsertSpace | +| Friendly Name | Turn off insert a space after selecting a text prediction | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | TurnOffInsertSpace | +| ADMX File Name | Globalization.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## TurnOffOfferTextPredictions - - -This policy turns off the offer text predictions as I type option. This turn off doesn't, however, prevent the user or an application from changing the setting programmatically. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/TurnOffOfferTextPredictions +``` + + + + +This policy turns off the offer text predictions as I type option. This does not, however, prevent the user or an application from changing the setting programmatically. The offer text predictions as I type option controls whether or not text prediction suggestions will be presented to the user on the on-screen keyboard. -If the policy is enabled, then the option will be locked to not offer text predictions. +- If the policy is enabled, then the option will be locked to not offer text predictions. -If the policy is disabled or not configured, then the user will be free to change the setting according to their preference. +- If the policy is disabled or Not Configured, then the user will be free to change the setting according to their preference. -The availability and function of this setting is dependent on supported languages being enabled. +**Note** that the availability and function of this setting is dependent on supported languages being enabled. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off offer text predictions as I type* -- GP name: *TurnOffOfferTextPredictions* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/Y2K** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TurnOffOfferTextPredictions | +| Friendly Name | Turn off offer text predictions as I type | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | TurnOffOfferTextPredictions | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## Y2K -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/Y2K +``` + + + + This policy setting determines how programs interpret two-digit years. -This policy setting affects only the programs that use this Windows feature to interpret two-digit years. If a program doesn't interpret two-digit years correctly, consult the documentation or manufacturer of the program. +This policy setting affects only the programs that use this Windows feature to interpret two-digit years. If a program does not interpret two-digit years correctly, consult the documentation or manufacturer of the program. -If you enable this policy setting, the system specifies the largest two-digit year interpreted as being preceded by 20. All numbers less than or equal to the specified value are interpreted as being preceded by 20. All numbers greater than the specified value are interpreted as being preceded by 19. +- If you enable this policy setting, the system specifies the largest two-digit year interpreted as being preceded by 20. All numbers less than or equal to the specified value are interpreted as being preceded by 20. All numbers greater than the specified value are interpreted as being preceded by 19. For example, the default value, 2029, specifies that all two-digit years less than or equal to 29 (00 to 29) are interpreted as being preceded by 20, that is 2000 to 2029. Conversely, all two-digit years greater than 29 (30 to 99) are interpreted as being preceded by 19, that is, 1930 to 1999. -If you disable or don't configure this policy setting, Windows doesn't interpret two-digit year formats using this scheme for the program. +- If you disable or do not configure this policy setting, Windows does not interpret two-digit year formats using this scheme for the program. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Century interpretation for Year 2000* -- GP name: *Y2K* -- GP path: *System* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | Y2K | +| Friendly Name | Century interpretation for Year 2000 | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax | +| ADMX File Name | Globalization.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md index cc8dec4cff..f755796c17 100644 --- a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md 
@@ -1,1213 +1,1311 @@ --- -title: Policy CSP - ADMX_GroupPolicy -description: Learn about the Policy CSP - ADMX_GroupPolicy. +title: ADMX_GroupPolicy Policy CSP +description: Learn more about the ADMX_GroupPolicy Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/21/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_GroupPolicy ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_GroupPolicy policies + +##### AllowX/ForestPolicy/and/RUP -
    -
    - ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP -
    -
    - ADMX_GroupPolicy/CSE_AppMgmt -
    -
    - ADMX_GroupPolicy/CSE_DiskQuota -
    -
    - ADMX_GroupPolicy/CSE_EFSRecovery -
    -
    - ADMX_GroupPolicy/CSE_FolderRedirection -
    -
    - ADMX_GroupPolicy/CSE_IEM -
    -
    - ADMX_GroupPolicy/CSE_IPSecurity -
    -
    - ADMX_GroupPolicy/CSE_Registry -
    -
    - ADMX_GroupPolicy/CSE_Scripts -
    -
    - ADMX_GroupPolicy/CSE_Security -
    -
    - ADMX_GroupPolicy/CSE_Wired -
    -
    - ADMX_GroupPolicy/CSE_Wireless -
    -
    - ADMX_GroupPolicy/CorpConnSyncWaitTime -
    -
    - ADMX_GroupPolicy/DenyRsopToInteractiveUser_1 -
    -
    - ADMX_GroupPolicy/DenyRsopToInteractiveUser_2 -
    -
    - ADMX_GroupPolicy/DisableAOACProcessing -
    -
    - ADMX_GroupPolicy/DisableAutoADMUpdate -
    -
    - ADMX_GroupPolicy/DisableBackgroundPolicy -
    -
    - ADMX_GroupPolicy/DisableLGPOProcessing -
    -
    - ADMX_GroupPolicy/DisableUsersFromMachGP -
    -
    - ADMX_GroupPolicy/EnableCDP -
    -
    - ADMX_GroupPolicy/EnableLogonOptimization -
    -
    - ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU -
    -
    - ADMX_GroupPolicy/EnableMMX -
    -
    - ADMX_GroupPolicy/EnforcePoliciesOnly -
    -
    - ADMX_GroupPolicy/FontMitigation -
    -
    - ADMX_GroupPolicy/GPDCOptions -
    -
    - ADMX_GroupPolicy/GPTransferRate_1 -
    -
    - ADMX_GroupPolicy/GPTransferRate_2 -
    -
    - ADMX_GroupPolicy/GroupPolicyRefreshRate -
    -
    - ADMX_GroupPolicy/GroupPolicyRefreshRateDC -
    -
    - ADMX_GroupPolicy/GroupPolicyRefreshRateUser -
    -
    - ADMX_GroupPolicy/LogonScriptDelay -
    -
    - ADMX_GroupPolicy/NewGPODisplayName -
    -
    - ADMX_GroupPolicy/NewGPOLinksDisabled -
    -
    - ADMX_GroupPolicy/OnlyUseLocalAdminFiles -
    -
    - ADMX_GroupPolicy/ProcessMitigationOptions -
    -
    - ADMX_GroupPolicy/RSoPLogging -
    -
    - ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy -
    -
    - ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess -
    -
    - ADMX_GroupPolicy/SlowlinkDefaultToAsync -
    -
    - ADMX_GroupPolicy/SyncWaitTime -
    -
    - ADMX_GroupPolicy/UserPolicyMode -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP +``` + -
    - - -**ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - + + This policy setting allows user-based policy processing, roaming user profiles, and user object logon scripts for interactive logons across forests. -This policy setting affects all user accounts that interactively sign in to a computer in a different forest when a trust across forests or a two-way forest trust exists. - -If you don't configure this policy setting: +This policy setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists. +- If you do not configure this policy setting: - No user-based policy settings are applied from the user's forest. -- Users don't receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted. +- Users do not receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted. - Loopback Group Policy processing is applied, using the Group Policy Objects (GPOs) that are scoped to the computer. - An event log message (1109) is posted, stating that loopback was invoked in Replace mode. -If you enable this policy setting, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest. +- If you enable this policy setting, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest. -If you disable this policy setting, the behavior is the same as if it isn't configured. +- If you disable this policy setting, the behavior is the same as if it is not configured. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow cross-forest user policy and roaming user profiles* -- GP name: *AllowX-ForestPolicy-and-RUP* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/CSE_AppMgmt** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowX-ForestPolicy-and-RUP | +| Friendly Name | Allow cross-forest user policy and roaming user profiles | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowX-ForestPolicy-and-RUP | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CorpConnSyncWaitTime -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CorpConnSyncWaitTime +``` + - - + + +This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. + +- If you enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace connectivity, and overrides any default or system-computed wait time. + +- If you disable or do not configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace connectivity. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpConnSyncWaitTime | +| Friendly Name | Specify workplace connectivity wait time for policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## CSE_AppMgmt + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_AppMgmt +``` + + + + This policy setting determines when software installation policies are updated. This policy setting affects all policy settings that use the software installation component of Group Policy, such as policy settings in Software Settings\Software Installation. You can set software installation policy only for Group Policy Objects stored in Active Directory, not for Group Policy Objects on the local computer. This policy setting overrides customized settings that the program implementing the software installation policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy setting implementations specify that they're updated only when changed. However, you might want to update unchanged policy settings, such as reapplying a desired policy in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy setting implementations specify that they are updated only when changed. 
However, you might want to update unchanged policy settings, such as reapplying a desired policies in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure software Installation policy processing* -- GP name: *CSE_AppMgmt* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/CSE_DiskQuota** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_AppMgmt | +| Friendly Name | Configure software Installation policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{c6dc5466-785a-11d2-84d0-00c04fb169f7} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_DiskQuota -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_DiskQuota +``` + - - + + This policy setting determines when disk quota policies are updated. -This policy setting affects all policies that use the disk quota component of Group Policy, such as those policies in Computer Configuration\Administrative Templates\System\Disk Quotas. +This policy setting affects all policies that use the disk quota component of Group Policy, such as those in Computer Configuration\Administrative Templates\System\Disk Quotas. This policy setting overrides customized settings that the program implementing the disk quota policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. 
Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure disk quota policy processing* -- GP name: *CSE_DiskQuota* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/CSE_EFSRecovery** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_DiskQuota | +| Friendly Name | Configure disk quota policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{3610eda5-77ef-11d2-8dc5-00c04fa31a66} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_EFSRecovery -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_EFSRecovery +``` + - - + + This policy setting determines when encryption policies are updated. This policy setting affects all policies that use the encryption component of Group Policy, such as policies related to encryption in Windows Settings\Security Settings. It overrides customized settings that the program implementing the encryption policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. 
+The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure EFS recovery policy processing* -- GP name: *CSE_EFSRecovery* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/CSE_FolderRedirection** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_EFSRecovery | +| Friendly Name | Configure EFS recovery policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_FolderRedirection -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_FolderRedirection +``` + - - + + This policy setting determines when folder redirection policies are updated. -This policy setting affects all policies that use the folder redirection component of Group Policy, such as those policies in WindowsSettings\Folder Redirection. You can only set folder redirection policy for Group Policy objects, stored in Active Directory, not for Group Policy objects on the local computer. +This policy setting affects all policies that use the folder redirection component of Group Policy, such as those in WindowsSettings\Folder Redirection. You can only set folder redirection policy for Group Policy objects, stored in Active Directory, not for Group Policy objects on the local computer. This policy setting overrides customized settings that the program implementing the folder redirection policy setting set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. 
+The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure folder redirection policy processing* -- GP name: *CSE_FolderRedirection* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/CSE_IEM** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_FolderRedirection | +| Friendly Name | Configure folder redirection policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{25537BA6-77A8-11D2-9B6C-0000F8080861} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_IEM -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_IEM +``` + - - + + This policy setting determines when Internet Explorer Maintenance policies are updated. -This policy setting affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those policies in Windows Settings\Internet Explorer Maintenance. +This policy setting affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those in Windows Settings\Internet Explorer Maintenance. This policy setting overrides customized settings that the program implementing the Internet Explorer Maintenance policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. 
-The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Internet Explorer Maintenance policy processing* -- GP name: *CSE_IEM* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/CSE_IPSecurity** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_IEM | +| Friendly Name | Configure Internet Explorer Maintenance policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_IPSecurity -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_IPSecurity +``` + - - + + This policy setting determines when IP security policies are updated. This policy setting affects all policies that use the IP security component of Group Policy, such as policies in Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Local Machine. This policy setting overrides customized settings that the program implementing the IP security policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. 
However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure IP security policy processing* -- GP name: *CSE_IPSecurity* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/CSE_Registry** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_IPSecurity | +| Friendly Name | Configure IP security policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{e437bc1c-aa7d-11d2-a382-00c04f991e27} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_Registry -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_Registry +``` + - - + + This policy setting determines when registry policies are updated. This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. 
However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure registry policy processing* -- GP name: *CSE_Registry* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/CSE_Scripts** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_Registry | +| Friendly Name | Configure registry policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_Scripts -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_Scripts +``` + - - + + This policy setting determines when policies that assign shared scripts are updated. -This policy setting affects all policies that use the scripts component of Group Policy, such as those policies in WindowsSettings\Scripts. It overrides customized settings that the program implementing the scripts policy set when it was installed. +This policy setting affects all policies that use the scripts component of Group Policy, such as those in WindowsSettings\Scripts. It overrides customized settings that the program implementing the scripts policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. 
Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure scripts policy processing* -- GP name: *CSE_Scripts* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/CSE_Security** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_Scripts | +| Friendly Name | Configure scripts policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{42B5FAAE-6536-11d2-AE5A-0000F87571E3} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_Security -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_Security +``` + - - + + This policy setting determines when security policies are updated. -This policy setting affects all policies that use the security component of Group Policy, such as those policies in Windows Settings\Security Settings. +This policy setting affects all policies that use the security component of Group Policy, such as those in Windows Settings\Security Settings. This policy setting overrides customized settings that the program implementing the security policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they be updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. 
+The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they be updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure security policy processing* -- GP name: *CSE_Security* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/CSE_Wired** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_Security | +| Friendly Name | Configure security policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_Wired -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_Wired +``` + - - + + This policy setting determines when policies that assign wired network settings are updated. -This policy setting affects all policies that use the wired network component of Group Policy, such as those policies in Windows Settings\Wired Network Policies. +This policy setting affects all policies that use the wired network component of Group Policy, such as those in Windows Settings\Wired Network Policies. It overrides customized settings that the program implementing the wired network set when it was installed. -If you enable this policy, you can use the check boxes provided to change the options. +- If you enable this policy, you can use the check boxes provided to change the options. -If you disable this setting or don't configure it, it has no effect on the system. +- If you disable this setting or do not configure it, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. 
However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure wired policy processing* -- GP name: *CSE_Wired* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/CSE_Wireless** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_Wired | +| Friendly Name | Configure wired policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_Wireless -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_Wireless +``` + - - + + This policy setting determines when policies that assign wireless network settings are updated. -This policy setting affects all policies that use the wireless network component of Group Policy, such as those policies in WindowsSettings\Wireless Network Policies. +This policy setting affects all policies that use the wireless network component of Group Policy, such as those in WindowsSettings\Wireless Network Policies. It overrides customized settings that the program implementing the wireless network set when it was installed. -If you enable this policy, you can use the check boxes provided to change the options. +- If you enable this policy, you can use the check boxes provided to change the options. -If you disable this setting or don't configure it, it has no effect on the system. +- If you disable this setting or do not configure it, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. 
Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure wireless policy processing* -- GP name: *CSE_Wireless* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/CorpConnSyncWaitTime** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_Wireless | +| Friendly Name | Configure wireless policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DenyRsopToInteractiveUser_1 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DenyRsopToInteractiveUser_1 +``` + - - -This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer isn't blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. - -If you enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace connectivity, and overrides any default or system-computed wait time. - -If you disable or don't configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace connectivity. - - - - - -ADMX Info: -- GP Friendly name: *Specify workplace connectivity wait time for policy processing* -- GP name: *CorpConnSyncWaitTime* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/DenyRsopToInteractiveUser_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. -If you enable this policy setting, interactive users can't generate RSoP data. +- If you enable this policy setting, interactive users cannot generate RSoP data. -If you disable or don't configure this policy setting, interactive users can generate RSoP. +- If you disable or do not configure this policy setting, interactive users can generate RSoP. > [!NOTE] -> This policy setting doesn't affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. -> -> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc. -> -> This policy setting exists as both a User Configuration and Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. +> This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. - +> [!NOTE] +> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc +> [!NOTE] +> This policy setting exists as both a User Configuration and Computer Configuration setting. - -ADMX Info: -- GP Friendly name: *Determine if interactive users can generate Resultant Set of Policy data* -- GP name: *DenyRsopToInteractiveUser_1* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. + - - -
    + + + - -**ADMX_GroupPolicy/DenyRsopToInteractiveUser_2** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | DenyRsopToInteractiveUser_1 | +| Friendly Name | Determine if interactive users can generate Resultant Set of Policy data | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DenyRsopToInteractiveUser | +| ADMX File Name | GroupPolicy.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## DenyRsopToInteractiveUser_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DenyRsopToInteractiveUser_2 +``` + + + + This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. -If you enable this policy setting, interactive users can't generate RSoP data. +- If you enable this policy setting, interactive users cannot generate RSoP data. -If you disable or don't configure this policy setting, interactive users can generate RSoP +- If you disable or do not configure this policy setting, interactive users can generate RSoP. > [!NOTE] -> This policy setting doesn't affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. -> -> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc. -> -> This policy setting exists as both a User Configuration and Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. +> This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. - +> [!NOTE] +> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc +> [!NOTE] +> This policy setting exists as both a User Configuration and Computer Configuration setting. 
- -ADMX Info: -- GP Friendly name: *Determine if interactive users can generate Resultant Set of Policy data* -- GP name: *DenyRsopToInteractiveUser_2* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. + - - -
    + + + - -**ADMX_GroupPolicy/DisableAOACProcessing** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | DenyRsopToInteractiveUser_2 | +| Friendly Name | Determine if interactive users can generate Resultant Set of Policy data | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DenyRsopToInteractiveUser | +| ADMX File Name | GroupPolicy.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## DisableAOACProcessing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DisableAOACProcessing +``` + + + + This policy setting prevents the Group Policy Client Service from stopping when idle. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Group Policy Client Service AOAC optimization* -- GP name: *DisableAOACProcessing* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/DisableAutoADMUpdate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableAOACProcessing | +| Friendly Name | Turn off Group Policy Client Service AOAC optimization | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DisableAOACProcessing | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableAutoADMUpdate -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DisableAutoADMUpdate +``` + - - -Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor. + + +Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor. Administrators might want to use this if they are concerned about the amount of space used on the system volume of a DC. -Administrators might want to use this option if they're concerned about the amount of space used on the system volume of a DC. - -By default, when you start the Group Policy Object Editor, a timestamp comparison is performed on the source files in the local %SYSTEMROOT%\inf directory and the source files stored in the GPO. - -If the local files are newer, they're copied into the GPO. +By default, when you start the Group Policy Object Editor, a timestamp comparison is performed on the source files in the local %SYSTEMROOT%\inf directory and the source files stored in the GPO. If the local files are newer, they are copied into the GPO. Changing the status of this setting to Enabled will keep any source files from copying to the GPO. -Changing the status of this setting to Disabled will enforce the default behavior. +Changing the status of this setting to Disabled will enforce the default behavior. Files will always be copied to the GPO if they have a later timestamp. -Files will always be copied to the GPO if they have a later timestamp. +NOTE: If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled. + -> [!NOTE] -> If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled. 
+ + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Turn off automatic update of ADM files* -- GP name: *DisableAutoADMUpdate* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_GroupPolicy/DisableBackgroundPolicy** +| Name | Value | +|:--|:--| +| Name | DisableAutoADMUpdate | +| Friendly Name | Turn off automatic update of ADM files | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | +| Registry Value Name | DisableAutoADMUpdate | +| ADMX File Name | GroupPolicy.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableBackgroundPolicy - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DisableBackgroundPolicy +``` + -
    - - - + + This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users, and domain controllers. -If you enable this policy setting, the system waits until the current user signs out the system before updating the computer and user settings. +- If you enable this policy setting, the system waits until the current user logs off the system before updating the computer and user settings. -If you disable or don't configure this policy setting, updates can be applied while users are working. The frequency of updates is determined by the "Set Group Policy refresh interval for computers" and "Set Group Policy refresh interval for users" policy settings. +- If you disable or do not configure this policy setting, updates can be applied while users are working. The frequency of updates is determined by the "Set Group Policy refresh interval for computers" and "Set Group Policy refresh interval for users" policy settings. > [!NOTE] > If you make changes to this policy setting, you must restart your computer for it to take effect. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off background refresh of Group Policy* -- GP name: *DisableBackgroundPolicy* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/DisableLGPOProcessing** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableBackgroundPolicy | +| Friendly Name | Turn off background refresh of Group Policy | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisableBkGndGroupPolicy | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableLGPOProcessing -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DisableLGPOProcessing +``` + - - + + This policy setting prevents Local Group Policy Objects (Local GPOs) from being applied. By default, the policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only domain-based GPOs are applied. -If you enable this policy setting, the system doesn't process and apply any Local GPOs. +- If you enable this policy setting, the system does not process and apply any Local GPOs. -If you disable or don't configure this policy setting, Local GPOs continue to be applied. +- If you disable or do not configure this policy setting, Local GPOs continue to be applied. > [!NOTE] -> For computers joined to a domain, it's strongly recommended that you only configure this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup. +> For computers joined to a domain, it is strongly recommended that you only configure this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Local Group Policy Objects processing* -- GP name: *DisableLGPOProcessing* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/DisableUsersFromMachGP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableLGPOProcessing | +| Friendly Name | Turn off Local Group Policy Objects processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DisableLGPOProcessing | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableUsersFromMachGP -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DisableUsersFromMachGP +``` + - - + + This policy setting allows you to control a user's ability to invoke a computer policy refresh. -If you enable this policy setting, users aren't able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs. +- If you enable this policy setting, users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs. -If you disable or don't configure this policy setting, the default behavior applies. By default, computer policy is applied when the computer starts up. It also applies at a specified refresh interval or when manually invoked by the user. +- If you disable or do not configure this policy setting, the default behavior applies. By default, computer policy is applied when the computer starts up. It also applies at a specified refresh interval or when manually invoked by the user. > [!NOTE] > This policy setting applies only to non-administrators. Administrators can still invoke a refresh of computer policy at any time, no matter how this policy setting is configured. @@ -1216,350 +1314,434 @@ Also, see the "Set Group Policy refresh interval for computers" policy setting t > [!NOTE] > If you make changes to this policy setting, you must restart your computer for it to take effect. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove users' ability to invoke machine policy refresh* -- GP name: *DisableUsersFromMachGP* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/EnableCDP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableUsersFromMachGP | +| Friendly Name | Remove users' ability to invoke machine policy refresh | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DenyUsersFromMachGP | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableCDP -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/EnableCDP +``` + - - + + This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). -If you enable this policy setting, the Windows device is discoverable by other Windows devices that belong to the same user, and can participate in cross-device experiences. +- If you enable this policy setting, the Windows device is discoverable by other Windows devices that belong to the same user, and can participate in cross-device experiences. -If you disable this policy setting, the Windows device isn't discoverable by other devices, and can't participate in cross-device experiences. +- If you disable this policy setting, the Windows device is not discoverable by other devices, and cannot participate in cross-device experiences. -If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +- If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Continue experiences on this device* -- GP name: *EnableCDP* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/EnableLogonOptimization** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableCDP | +| Friendly Name | Continue experiences on this device | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableCdp | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableLogonOptimization -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/EnableLogonOptimization +``` + - - + + This policy setting allows you to configure Group Policy caching behavior. -If you enable or don't configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) +- If you enable or do not configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.) The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. 
-The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there's no network connectivity. This waiting period stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or sign in. The default is 5000 milliseconds. +The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds. -If you disable this policy setting, the Group Policy client won't cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) +- If you disable this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.) 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Group Policy Caching* -- GP name: *EnableLogonOptimization* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableLogonOptimization | +| Friendly Name | Configure Group Policy Caching | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableLogonOptimization | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableLogonOptimizationOnServerSKU -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU +``` + - - + + This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. - -If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) - +- If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.) The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. 
+The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds. +- If you disable or do not configure this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.) + -The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there's no network connectivity. This waiting period stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or sign in. The default is 5000 milliseconds. + + + -If you disable or don't configure this policy setting, the Group Policy client won't cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) 
+ +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Enable Group Policy Caching for Servers* -- GP name: *EnableLogonOptimizationOnServerSKU* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | EnableLogonOptimizationOnServerSKU | +| Friendly Name | Enable Group Policy Caching for Servers | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableLogonOptimizationOnServerSKU | +| ADMX File Name | GroupPolicy.admx | + - -**ADMX_GroupPolicy/EnableMMX** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## EnableMMX - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/EnableMMX +``` + -> [!div class = "checklist"] -> * Device + + +This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC. -
    +- If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences. - - -This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that require linking between Phone and PC. +- If you disable this policy setting, the Windows device is not allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and cannot participate in Continue on PC experiences. -If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences. +- If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + -If you disable this policy setting, the Windows device isn't allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and can't participate in Continue on PC experiences. + + + -If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Phone-PC linking on this device* -- GP name: *EnableMMX* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | EnableMMX | +| Friendly Name | Phone-PC linking on this device | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableMmx | +| ADMX File Name | GroupPolicy.admx | + - -**ADMX_GroupPolicy/EnforcePoliciesOnly** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## EnforcePoliciesOnly - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/EnforcePoliciesOnly +``` + -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting prevents administrators from viewing or using Group Policy preferences. -A Group Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies registry subkeys. Preferences, which aren't fully supported, use registry entries in other subkeys. +A Group Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies registry subkeys. Preferences, which are not fully supported, use registry entries in other subkeys. -If you enable this policy setting, the "Show Policies Only" command is turned on, and administrators can't turn it off. As a result, Group Policy Object Editor displays only true settings; preferences don't appear. +- If you enable this policy setting, the "Show Policies Only" command is turned on, and administrators cannot turn it off. As a result, Group Policy Object Editor displays only true settings; preferences do not appear. -If you disable or don't configure this policy setting, the "Show Policies Only" command is turned on by default, but administrators can view preferences by turning off the "Show Policies Only" command. +- If you disable or do not configure this policy setting, the "Show Policies Only" command is turned on by default, but administrators can view preferences by turning off the "Show Policies Only" command. > [!NOTE] > To find the "Show Policies Only" command, in Group Policy Object Editor, click the Administrative Templates folder (either one), right-click the same folder, and then point to "View." In Group Policy Object Editor, preferences have a red icon to distinguish them from true settings, which have a blue icon. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enforce Show Policies Only* -- GP name: *EnforcePoliciesOnly* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/FontMitigation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnforcePoliciesOnly | +| Friendly Name | Enforce Show Policies Only | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | +| Registry Value Name | ShowPoliciesOnly | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## FontMitigation -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/FontMitigation +``` + - - -This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. + + +This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues. + -This feature can be configured to be in three modes: On, Off, and Audit. By default, it's Off and no fonts are blocked. If you aren't ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Untrusted Font Blocking* -- GP name: *DisableUsersFromMachGP* -- GP path: *System\Mitigation Options* -- GP ADMX file name: *GroupPolicy.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_GroupPolicy/GPDCOptions** +| Name | Value | +|:--|:--| +| Name | FontMitigation | +| Friendly Name | Untrusted Font Blocking | +| Location | Computer Configuration | +| Path | System > Mitigation Options | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions | +| ADMX File Name | GroupPolicy.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## GPDCOptions - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GPDCOptions +``` + -
    - - - + + This policy setting determines which domain controller the Group Policy Object Editor snap-in uses. -If you enable this setting, you can know which domain controller is used according to these options: +- If you enable this setting, you can which domain controller is used according to these options: "Use the Primary Domain Controller" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller designated as the PDC Operations Master for the domain. @@ -1567,291 +1749,351 @@ If you enable this setting, you can know which domain controller is used accordi "Use any available domain controller" indicates that the Group Policy Object Editor snap-in can read and write changes to any available domain controller. -If you disable this setting or don't configure it, the Group Policy Object Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain. +- If you disable this setting or do not configure it, the Group Policy Object Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain. > [!NOTE] > To change the PDC Operations Master for a domain, in Active Directory Users and Computers, right-click a domain, and then click "Operations Masters." + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Group Policy domain controller selection* -- GP name: *GPDCOptions* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/GPTransferRate_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | GPDCOptions | +| Friendly Name | Configure Group Policy domain controller selection | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## GPTransferRate_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GPTransferRate_1 +``` + - - + + This policy setting defines a slow connection for purposes of applying and updating Group Policy. If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow. -The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder let you override the programs' specified responses to slow links. +The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links. -If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. +- If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. -If you disable this setting or don't configure it, the system uses the default value of 500 kilobits per second. +- If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second. This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. 
The setting in User Configuration defines a slow link for settings in the User Configuration folder. -Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. +Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile > [!NOTE] -> If the profile server has IP connectivity, the connection speed setting is used. If the profile server doesn't have IP connectivity, the SMB timing is used. +> If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Group Policy slow link detection* -- GP name: *GPTransferRate_1* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/GPTransferRate_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | GPTransferRate_1 | +| Friendly Name | Configure Group Policy slow link detection | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## GPTransferRate_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GPTransferRate_2 +``` + - - + + This policy setting defines a slow connection for purposes of applying and updating Group Policy. If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow. -The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder let you override the programs' specified responses to slow links. +The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links. -If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. +- If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. -If you disable this setting or don't configure it, the system uses the default value of 500 kilobits per second. +- If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second. This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. 
The setting in User Configuration defines a slow link for settings in the User Configuration folder. -Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. +Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile > [!NOTE] -> If the profile server has IP connectivity, the connection speed setting is used. If the profile server doesn't have IP connectivity, the SMB timing is used. +> If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Group Policy slow link detection* -- GP name: *GPTransferRate_2* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/GroupPolicyRefreshRate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | GPTransferRate_2 | +| Friendly Name | Configure Group Policy slow link detection | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## GroupPolicyRefreshRate -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GroupPolicyRefreshRate +``` + - - + + This policy setting specifies how often Group Policy for computers is updated while the computer is in use (in the background). This setting specifies a background update rate only for Group Policies in the Computer Configuration folder. In addition to background updates, Group Policy for the computer is always updated when the system starts. By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. -If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, short update intervals aren't appropriate for most installations. +- If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. -If you disable this setting, Group Policy is updated every 90 minutes (the default). To specify that Group Policy should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" policy. +- If you disable this setting, Group Policy is updated every 90 minutes (the default). To specify that Group Policy should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" policy. The Set Group Policy refresh interval for computers policy also lets you specify how much the actual update interval varies. 
To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly. This setting establishes the update rate for computer Group Policy. To set an update rate for user policies, use the "Set Group Policy refresh interval for users" setting (located in User Configuration\Administrative Templates\System\Group Policy). -This setting is only used when the "Turn off background refresh of Group Policy" setting isn't enabled. +This setting is only used when the "Turn off background refresh of Group Policy" setting is not enabled. > [!NOTE] > Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs users can run, might interfere with tasks in progress. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Group Policy refresh interval for computers* -- GP name: *GroupPolicyRefreshRate* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/GroupPolicyRefreshRateDC** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | GroupPolicyRefreshRate | +| Friendly Name | Set Group Policy refresh interval for computers | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## GroupPolicyRefreshRateDC -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GroupPolicyRefreshRateDC +``` + - - -This policy setting specifies how often Group Policy is updated on domain controllers while they're running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts. + + +This policy setting specifies how often Group Policy is updated on domain controllers while they are running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts. By default, Group Policy on the domain controllers is updated every five minutes. -If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, short update intervals aren't appropriate for most installations. +- If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. -If you disable or don't configure this setting, the domain controller updates Group Policy every 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. +- If you disable or do not configure this setting, the domain controller updates Group Policy every 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. This setting also lets you specify how much the actual update interval varies. 
To prevent domain controllers with the same update interval from requesting updates simultaneously, the system varies the update interval for each controller by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that update requests overlap. However, updates might be delayed significantly. > [!NOTE] > This setting is used only when you are establishing policy for a domain, site, organizational unit (OU), or customized group. If you are establishing policy for a local computer only, the system ignores this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Group Policy refresh interval for domain controllers* -- GP name: *GroupPolicyRefreshRateDC* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/GroupPolicyRefreshRateUser** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | GroupPolicyRefreshRateDC | +| Friendly Name | Set Group Policy refresh interval for domain controllers | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## GroupPolicyRefreshRateUser -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GroupPolicyRefreshRateUser +``` + - - + + This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder. -In addition to background updates, Group Policy for users is always updated when users sign in. +In addition to background updates, Group Policy for users is always updated when users log on. By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. -If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, short update intervals aren't appropriate for most installations. +- If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. -If you disable this setting, user Group Policy is updated every 90 minutes (the default). To specify that Group Policy for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. +- If you disable this setting, user Group Policy is updated every 90 minutes (the default). To specify that Group Policy for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. This setting also lets you specify how much the actual update interval varies. 
To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly. @@ -1863,414 +2105,525 @@ This setting also lets you specify how much the actual update interval varies. T > [!TIP] > Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs a user can run, might interfere with tasks in progress. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Group Policy refresh interval for users* -- GP name: *GroupPolicyRefreshRateUser* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/LogonScriptDelay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | GroupPolicyRefreshRateUser | +| Friendly Name | Set Group Policy refresh interval for users | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LogonScriptDelay -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/LogonScriptDelay +``` + - - -Enter “0” to disable Logon Script Delay. + + +Enter "0" to disable Logon Script Delay. -This policy setting allows you to configure how long the Group Policy client waits after a sign in before running scripts. +This policy setting allows you to configure how long the Group Policy client waits after logon before running scripts. -By default, the Group Policy client waits 5 minutes before running logon scripts. This 5-minute wait helps create a responsive desktop environment by preventing disk contention. +By default, the Group Policy client waits five minutes before running logon scripts. This helps create a responsive desktop environment by preventing disk contention. -If you enable this policy setting, Group Policy will wait for the specified amount of time before running logon scripts. +- If you enable this policy setting, Group Policy will wait for the specified amount of time before running logon scripts. -If you disable this policy setting, Group Policy will run scripts immediately after a sign in. +- If you disable this policy setting, Group Policy will run scripts immediately after logon. -If you don't configure this policy setting, Group Policy will wait five minutes before running logon scripts. +- If you do not configure this policy setting, Group Policy will wait five minutes before running logon scripts. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Logon Script Delay* -- GP name: *LogonScriptDelay* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/NewGPODisplayName** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | LogonScriptDelay | +| Friendly Name | Configure Logon Script Delay | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableLogonScriptDelay | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NewGPODisplayName -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/NewGPODisplayName +``` + - - + + This policy setting allows you to set the default display name for new Group Policy objects. This setting allows you to specify the default name for new Group Policy objects created from policy compliant Group Policy Management tools including the Group Policy tab in Active Directory tools and the GPO browser. The display name can contain environment variables and can be a maximum of 255 characters long. -If this setting is Disabled or Not Configured, the default display name of New Group Policy object is used. +- If this setting is disabled or Not Configured, the default display name of New Group Policy object is used. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set default name for new Group Policy objects* -- GP name: *NewGPODisplayName* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/NewGPOLinksDisabled** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NewGPODisplayName | +| Friendly Name | Set default name for new Group Policy objects | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NewGPOLinksDisabled -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/NewGPOLinksDisabled +``` + - - + + This policy setting allows you to create new Group Policy object links in the disabled state. -If you enable this setting, you can create all new Group Policy object links in the disabled state by default. After you configure and test the new object links by using a policy compliant Group Policy management tool such as Active Directory Users and Computers or Active Directory Sites and Services, you can enable the object links for use on the system. +- If you enable this setting, you can create all new Group Policy object links in the disabled state by default. After you configure and test the new object links by using a policy compliant Group Policy management tool such as Active Directory Users and Computers or Active Directory Sites and Services, you can enable the object links for use on the system. -If you disable this setting or don't configure it, new Group Policy object links are created in the enabled state. If you don't want them to be effective until they're configured and tested, you must disable the object link. +- If you disable this setting or do not configure it, new Group Policy object links are created in the enabled state. If you do not want them to be effective until they are configured and tested, you must disable the object link. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Create new Group Policy Object links disabled by default* -- GP name: *NewGPOLinksDisabled* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/OnlyUseLocalAdminFiles** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NewGPOLinksDisabled | +| Friendly Name | Create new Group Policy Object links disabled by default | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | +| Registry Value Name | NewGPOLinksDisabled | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## OnlyUseLocalAdminFiles -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/OnlyUseLocalAdminFiles +``` + - - + + This policy setting lets you always use local ADM files for the Group Policy snap-in. -By default, when you edit a Group Policy Object (GPO) using the Group Policy Object Editor snap-in, the ADM files are loaded from that GPO into the Group Policy Object Editor snap-in. This edit-option allows you to use the same version of the ADM files that were used to create the GPO while editing this GPO. +By default, when you edit a Group Policy Object (GPO) using the Group Policy Object Editor snap-in, the ADM files are loaded from that GPO into the Group Policy Object Editor snap-in. This allows you to use the same version of the ADM files that were used to create the GPO while editing this GPO. -This edit-option leads to the following behavior: +This leads to the following behavior: - If you originally created the GPO with, for example, an English system, the GPO contains English ADM files. + - If you later edit the GPO from a different-language system, you get the English ADM files as they were in the GPO. You can change this behavior by using this setting. -If you enable this setting, the Group Policy Object Editor snap-in always uses local ADM files in your %windir%\inf directory when editing GPOs. +- If you enable this setting, the Group Policy Object Editor snap-in always uses local ADM files in your %windir%\inf directory when editing GPOs. -This pattern leads to the following behavior: +This leads to the following behavior: -If you had originally created the GPO with an English system, and then you edit the GPO with a Japanese system, the Group Policy Object Editor snap-in uses the local Japanese ADM files, and you see the text in Japanese under Administrative Templates. 
+- If you had originally created the GPO with an English system, and then you edit the GPO with a Japanese system, the Group Policy Object Editor snap-in uses the local Japanese ADM files, and you see the text in Japanese under Administrative Templates. -If you disable or don't configure this setting, the Group Policy Object Editor snap-in always loads all ADM files from the actual GPO. +- If you disable or do not configure this setting, the Group Policy Object Editor snap-in always loads all ADM files from the actual GPO. > [!NOTE] -> If the ADMs that you require aren't all available locally in your %windir%\inf directory, you might not be able to see all the settings that have been configured in the GPO that you are editing. +> If the ADMs that you require are not all available locally in your %windir%\inf directory, you might not be able to see all the settings that have been configured in the GPO that you are editing. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Always use local ADM files for Group Policy Object Editor* -- GP name: *OnlyUseLocalAdminFiles* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/ProcessMitigationOptions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | OnlyUseLocalAdminFiles | +| Friendly Name | Always use local ADM files for Group Policy Object Editor | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy | +| Registry Value Name | OnlyUseLocalAdminFiles | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ProcessMitigationOptions -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/ProcessMitigationOptions +``` - - -This security feature provides a means to override individual process MitigationOptions settings. This security feature can be used to enforce many security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are: +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/ProcessMitigationOptions +``` + -PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001): Enables data execution prevention (DEP) for the child process + + +This security feature provides a means to override individual process MitigationOptions settings. This can be used to enforce a number of security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are: -PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002): Enables DEP-ATL thunk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from the Active Template Library (ATL) thunk layer. +PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001) +Enables data execution prevention (DEP) for the child process -PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004): Enables structured exception handler overwrite protection (SEHOP) for the child process. 
SEHOP blocks exploits that use the structured exception handler (SEH) overwrite technique. +PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002) +Enables DEP-ATL thunk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from the Active Template Library (ATL) thunk layer. -PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100): The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that aren't dynamic base compatible by acting as though an image base collision happened at load time. If relocations are required, images that don't have a base relocation section won't be loaded. +PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004) +Enables structured exception handler overwrite protection (SEHOP) for the child process. SEHOP blocks exploits that use the structured exception handler (SEH) overwrite technique. -PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000),PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000): The bottom-up randomization policy, which includes stack randomization options, causes a random location to be used as the lowest user address. +PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100) +The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that are not dynamic base compatible by acting as though an image base collision happened at load time. If relocations are required, images that do not have a base relocation section will not be loaded. + +PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000) +PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000) +The bottom-up randomization policy, which includes stack randomization options, causes a random location to be used as the lowest user address. 
For instance, to enable PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON, disable PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF, and to leave all other options at their default values, specify a value of: ???????????????0???????1???????1 Setting flags not specified here to any value other than ? results in undefined behavior. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Process Mitigation Options* -- GP name: *ProcessMitigationOptions* -- GP path: *System\Mitigation Options* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/RSoPLogging** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ProcessMitigationOptions | +| Friendly Name | Process Mitigation Options | +| Location | Computer and User Configuration | +| Path | System > Mitigation Options | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ResetDfsClientInfoDuringRefreshPolicy -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy +``` + - - + + +Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ResetDfsClientInfoDuringRefreshPolicy | +| Friendly Name | Enable AD/DFS domain controller synchronization during policy refresh | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | ResetDfsClientInfoDuringRefreshPolicy | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## RSoPLogging + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/RSoPLogging +``` + + + + This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer. RSoP logs information on Group Policy settings that have been applied to the client. This information includes details such as which Group Policy Objects (GPO) were applied, where they came from, and the client-side extension settings that were included. -If you enable this setting, RSoP logging is turned off. +- If you enable this setting, RSoP logging is turned off. -If you disable or don't configure this setting, RSoP logging is turned on. By default, RSoP logging is always on. +- If you disable or do not configure this setting, RSoP logging is turned on. By default, RSoP logging is always on. > [!NOTE] > To view the RSoP information logged on a client computer, you can use the RSoP snap-in in the Microsoft Management Console (MMC). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Resultant Set of Policy logging* -- GP name: *RSoPLogging* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RSoPLogging | +| Friendly Name | Turn off Resultant Set of Policy logging | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | RSoPLogging | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SlowLinkDefaultForDirectAccess -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess +``` + - - -Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory. - - - - - -ADMX Info: -- GP Friendly name: *Enable AD/DFS domain controller synchronization during policy refresh* -- GP name: *ResetDfsClientInfoDuringRefreshPolicy* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection for the purposes of applying and updating Group Policy. When Group Policy detects the bandwidth speed of a Direct Access connection, the detection can sometimes fail to provide any bandwidth speed information. If Group Policy detects a bandwidth speed, Group Policy will follow the normal rules for evaluating if the Direct Access connection is a fast or slow network connection. If no bandwidth speed is detected, Group Policy will default to a slow network connection. This policy setting allows the administrator the option to override the default to slow network connection and instead default to using a fast network connection in the case that no network bandwidth speed is determined. 
@@ -2278,184 +2631,251 @@ When Group Policy detects the bandwidth speed of a Direct Access connection, the > [!NOTE] > When Group Policy detects a slow network connection, Group Policy will only process those client side extensions configured for processing across a slow link (slow network connection). -If you enable this policy, when Group Policy can't determine the bandwidth speed across Direct Access, Group Policy will evaluate the network connection as a fast link and process all client side extensions. +- If you enable this policy, when Group Policy cannot determine the bandwidth speed across Direct Access, Group Policy will evaluate the network connection as a fast link and process all client side extensions. -If you disable this setting or don't configure it, Group Policy will evaluate the network connection as a slow link and process only those client side extensions configured to process over a slow link. +- If you disable this setting or do not configure it, Group Policy will evaluate the network connection as a slow link and process only those client side extensions configured to process over a slow link. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Direct Access connections as a fast network connection* -- GP name: *SlowLinkDefaultForDirectAccess* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/SlowlinkDefaultToAsync** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SlowLinkDefaultForDirectAccess | +| Friendly Name | Configure Direct Access connections as a fast network connection | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | SlowLinkDefaultForDirectAccess | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SlowlinkDefaultToAsync -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/SlowlinkDefaultToAsync +``` + - - -This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user sign in) when a slow network connection is detected. + + +This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user logon) when a slow network connection is detected. -If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner. -Client computers won't wait for the network to be fully initialized at startup and sign in. Existing users will be signed in using cached credentials, which will result in shorter sign-in times. Group Policy will be applied in the background after the network becomes available. -Because this policy setting enables a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection and Drive Maps preference extension won't be applied. +- If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner. +Client computers will not wait for the network to be fully initialized at startup and logon. Existing users will be logged on using cached credentials, +which will result in shorter logon times. Group Policy will be applied in the background after the network becomes available. +> [!NOTE] +> that because this is a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection +and Drive Maps preference extension will not be applied. 
> [!NOTE] > There are two conditions that will cause Group Policy to be processed synchronously even if this policy setting is enabled: -> -> - 1 - At the first computer startup after the client computer has joined the domain. -> - 2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled. +1 - At the first computer startup after the client computer has joined the domain. +2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled. -If you disable or don't configure this policy setting, detecting a slow network connection won't affect whether Group Policy processing will be synchronous or asynchronous. +- If you disable or do not configure this policy setting, detecting a slow network connection will not affect whether Group Policy processing will be synchronous or asynchronous. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Change Group Policy processing to run asynchronously when a slow network connection is detected.* -- GP name: *SlowlinkDefaultToAsync* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/SyncWaitTime** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SlowlinkDefaultToAsync | +| Friendly Name | Change Group Policy processing to run asynchronously when a slow network connection is detected. | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | SlowlinkDefaultToAsync | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SyncWaitTime -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/SyncWaitTime +``` + - - -This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or the default wait time is reached. If the startup policy processing is asynchronous, the computer isn't blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. + + +This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or the default wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. -If you enable this policy setting, Group Policy will use this administratively configured maximum wait time and override any default or system-computed wait time. +- If you enable this policy setting, Group Policy will use this administratively configured maximum wait time and override any default or system-computed wait time. -If you disable or don't configure this policy setting, Group Policy will use the default wait time of 30 seconds on computers running Windows Vista operating system. +- If you disable or do not configure this policy setting, Group Policy will use the default wait time of 30 seconds on computers running Windows Vista operating system. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify startup policy processing wait time* -- GP name: *SyncWaitTime* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_GroupPolicy/UserPolicyMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SyncWaitTime | +| Friendly Name | Specify startup policy processing wait time | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## UserPolicyMode -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/UserPolicyMode +``` + - - -This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who signs in to a computer affected by this setting. It's intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. + + +This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. -By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then when a user signs in to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies. +By default, the user's Group Policy Objects determine which user settings apply. +- If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies. -If you enable this setting, you can select one of the following modes from the Mode box: +- If you enable this setting, you can select one of the following modes from the Mode box: -- "Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user settings normally applied to the user. -- "Merge" indicates that the user settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings. 
+"Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user settings normally applied to the user. -If you disable this setting or don't configure it, the user's Group Policy Objects determines which user settings apply. +"Merge" indicates that the user settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings. + +- If you disable this setting or do not configure it, the user's Group Policy Objects determines which user settings apply. > [!NOTE] > This setting is effective only when both the computer account and the user account are in at least Windows 2000 domains. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure user Group Policy loopback processing mode* -- GP name: *UserPolicyMode* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | UserPolicyMode | +| Friendly Name | Configure user Group Policy loopback processing mode | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md index 80b40e5fdd..08e004e302 100644 --- a/windows/client-management/mdm/policy-csp-admx-help.md +++ b/windows/client-management/mdm/policy-csp-admx-help.md 
@@ -1,265 +1,301 @@ --- -title: Policy CSP - ADMX_Help -description: Learn about the Policy CSP - ADMX_Help. +title: ADMX_Help Policy CSP +description: Learn more about the ADMX_Help Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/03/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Help ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Help policies + +## DisableHHDEP -
    -
    - ADMX_Help/DisableHHDEP -
    -
    - ADMX_Help/HelpQualifiedRootDir_Comp -
    -
    - ADMX_Help/RestrictRunFromHelp -
    -
    - ADMX_Help/RestrictRunFromHelp_Comp -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Help/DisableHHDEP +``` + -
    - - -**ADMX_Help/DisableHHDEP** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Prevention. Data Execution Prevention (DEP) is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows by monitoring your programs to make sure that they use system memory safely. -If you enable this policy setting, DEP for HTML Help Executable is turned off. This turn off will allow certain legacy ActiveX controls to function without DEP shutting down HTML Help Executable. +- If you enable this policy setting, DEP for HTML Help Executable is turned off. This will allow certain legacy ActiveX controls to function without DEP shutting down HTML Help Executable. -If you disable or don't configure this policy setting, DEP is turned on for HTML Help Executable. This turn on provides one more security benefit, but HTML Help stops if DEP detects system memory abnormalities. +- If you disable or do not configure this policy setting, DEP is turned on for HTML Help Executable. This provides an additional security benefit, but HTLM Help stops if DEP detects system memory abnormalities. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Data Execution Prevention for HTML Help Executable* -- GP name: *DisableHHDEP* -- GP path: *System* -- GP ADMX file name: *Help.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Help/HelpQualifiedRootDir_Comp** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableHHDEP | +| Friendly Name | Turn off Data Execution Prevention for HTML Help Executible | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DisableHHDEP | +| ADMX File Name | Help.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HelpQualifiedRootDir_Comp -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Help/HelpQualifiedRootDir_Comp +``` + - - -This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It's recommended that only folders requiring administrative privileges be added to this policy setting. + + +This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting. -If you enable this policy setting, the commands function only for .chm files in the specified folders and their subfolders. +- If you enable this policy setting, the commands function only for .chm files in the specified folders and their subfolders. To restrict the commands to one or more folders, enable the policy setting and enter the desired folders in the text box on the Settings tab of the Policy Properties dialog box. Use a semicolon to separate folders. For example, to restrict the commands to only .chm files in the %windir%\help folder and D:\somefolder, add the following string to the edit box: "%windir%\help;D:\somefolder". > [!NOTE] -> An environment variable may be used, (for example, %windir%), as long as it's defined on the system. For example, %programfiles% is not defined on some early versions of Windows. +> An environment variable may be used, (for example, %windir%), as long as it is defined on the system. For example, %programfiles% is not defined on some early versions of Windows. The "Shortcut" command is used to add a link to a Help topic, and runs executables that are external to the Help file. 
The "WinHelp" command is used to add a link to a Help topic, and runs a WinHLP32.exe Help (.hlp) file. To disallow the "Shortcut" and "WinHelp" commands on the entire local system, enable the policy setting and leave the text box on the Settings tab of the Policy Properties dialog box blank. -If you disable or don't configure this policy setting, these commands are fully functional for all Help files. +- If you disable or do not configure this policy setting, these commands are fully functional for all Help files. > [!NOTE] > Only folders on the local computer can be specified in this policy setting. You cannot use this policy setting to enable the "Shortcut" and "WinHelp" commands for .chm files that are stored on mapped drives or accessed using UNC paths. -For more options, see the "Restrict these programs from being launched from Help" policy. +For additional options, see the "Restrict these programs from being launched from Help" policy. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Restrict potentially unsafe HTML Help functions to specified folders* -- GP name: *HelpQualifiedRootDir_Comp* -- GP path: *System* -- GP ADMX file name: *Help.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Help/RestrictRunFromHelp** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HelpQualifiedRootDir_Comp | +| Friendly Name | Restrict potentially unsafe HTML Help functions to specified folders | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | Help.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictRunFromHelp -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Help/RestrictRunFromHelp +``` + - - + + This policy setting allows you to restrict programs from being run from online Help. -If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names of the programs you want to restrict, separated by commas. +- If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. -If you disable or don't configure this policy setting, users can run all applications from online Help. +- If you disable or do not configure this policy setting, users can run all applications from online Help. > [!NOTE] > You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings. -> -> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help. - +> [!NOTE] +> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help + + + + - -ADMX Info: -- GP Friendly name: *Restrict these programs from being launched from Help* -- GP name: *RestrictRunFromHelp* -- GP path: *System* -- GP ADMX file name: *Help.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Help/RestrictRunFromHelp_Comp** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | RestrictRunFromHelp | +| Friendly Name | Restrict these programs from being launched from Help | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | Help.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## RestrictRunFromHelp_Comp -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Help/RestrictRunFromHelp_Comp +``` + + + + This policy setting allows you to restrict programs from being run from online Help. -If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names of the programs you want to restrict, separated by commas. +- If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. -If you disable or don't configure this policy setting, users can run all applications from online Help. +- If you disable or do not configure this policy setting, users can run all applications from online Help. > [!NOTE] > You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings. -> -> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help. - +> [!NOTE] +> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help + - -ADMX Info: -- GP Friendly name: *Restrict these programs from being launched from Help* -- GP name: *RestrictRunFromHelp_Comp* -- GP path: *System* -- GP ADMX file name: *Help.admx* + + + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | RestrictRunFromHelp_Comp | +| Friendly Name | Restrict these programs from being launched from Help | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | Help.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md index f4b99642f1..2fa008cfe0 100644 --- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md +++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md 
@@ -1,241 +1,278 @@
 ---
-title: Policy CSP - ADMX_HelpAndSupport
-description: Learn about the Policy CSP - ADMX_HelpAndSupport.
+title: ADMX_HelpAndSupport Policy CSP
+description: Learn more about the ADMX_HelpAndSupport Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/09/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 09/03/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - ADMX_HelpAndSupport
->[!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+
+> [!TIP]
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
-
-## ADMX_HelpAndSupport policies
+
+## ActiveHelp
-
    -
    - ADMX_HelpAndSupport/ActiveHelp -
    -
    - ADMX_HelpAndSupport/HPExplicitFeedback -
    -
    - ADMX_HelpAndSupport/HPImplicitFeedback -
    -
    - ADMX_HelpAndSupport/HPOnlineAssistance -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_HelpAndSupport/ActiveHelp +``` + -
    - - -**ADMX_HelpAndSupport/ActiveHelp** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. -If you enable this policy setting, active content links aren't rendered. The text is displayed, but there are no clickable links for these elements. +- If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clickable links for these elements. -If you disable or don't configure this policy setting, the default behavior applies (Help viewer renders trusted assistance content with active elements). +- If you disable or do not configure this policy setting, the default behavior applies (Help viewer renders trusted assistance content with active elements). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Active Help* -- GP name: *ActiveHelp* -- GP path: *Windows Components/Online Assistance* -- GP ADMX file name: *HelpAndSupport.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_HelpAndSupport/HPExplicitFeedback** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ActiveHelp | +| Friendly Name | Turn off Active Help | +| Location | Computer Configuration | +| Path | Windows Components > Online Assistance | +| Registry Key Name | Software\Policies\Microsoft\Assistance\Client\1.0 | +| Registry Value Name | NoActiveHelp | +| ADMX File Name | HelpAndSupport.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HPExplicitFeedback -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_HelpAndSupport/HPExplicitFeedback +``` + - - + + This policy setting specifies whether users can provide ratings for Help content. -If you enable this policy setting, ratings controls aren't added to Help content. +- If you enable this policy setting, ratings controls are not added to Help content. -If you disable or don't configure this policy setting, ratings controls are added to Help topics. +- If you disable or do not configure this policy setting, ratings controls are added to Help topics. Users can use the control to provide feedback on the quality and usefulness of the Help and Support content. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Help Ratings* -- GP name: *HPExplicitFeedback* -- GP path: *System/Internet Communication Management/Internet Communication settings* -- GP ADMX file name: *HelpAndSupport.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_HelpAndSupport/HPImplicitFeedback** - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | HPExplicitFeedback | +| Friendly Name | Turn off Help Ratings | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Assistance\Client\1.0 | +| Registry Value Name | NoExplicitFeedback | +| ADMX File Name | HelpAndSupport.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## HPImplicitFeedback -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_HelpAndSupport/HPImplicitFeedback +``` + + + + This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. -If you enable this policy setting, users can't participate in the Help Experience Improvement program. +- If you enable this policy setting, users cannot participate in the Help Experience Improvement program. -If you disable or don't configure this policy setting, users can turn on the Help Experience Improvement program feature from the Help and Support settings page. +- If you disable or do not configure this policy setting, users can turn on the Help Experience Improvement program feature from the Help and Support settings page. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Help Experience Improvement Program* -- GP name: *HPImplicitFeedback* -- GP path: *System/Internet Communication Management/Internet Communication settings* -- GP ADMX file name: *HelpAndSupport.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_HelpAndSupport/HPOnlineAssistance** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HPImplicitFeedback | +| Friendly Name | Turn off Help Experience Improvement Program | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Assistance\Client\1.0 | +| Registry Value Name | NoImplicitFeedback | +| ADMX File Name | HelpAndSupport.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HPOnlineAssistance -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_HelpAndSupport/HPOnlineAssistance +``` + - - + + This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows Online provides the most up-to-date Help content for Windows. -If you enable this policy setting, users are prevented from accessing online assistance content from Windows Online. +- If you enable this policy setting, users are prevented from accessing online assistance content from Windows Online. -If you disable or don't configure this policy setting, users can access online assistance if they have a connection to the Internet and haven't disabled Windows Online from the Help and Support Options page. +- If you disable or do not configure this policy setting, users can access online assistance if they have a connection to the Internet and have not disabled Windows Online from the Help and Support Options page. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows Online* -- GP name: *HPOnlineAssistance* -- GP path: *System/Internet Communication Management/Internet Communication settings* -- GP ADMX file name: *HelpAndSupport.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+**ADMX mapping**:
+| Name | Value |
+|:--|:--|
+| Name | HPOnlineAssistance |
+| Friendly Name | Turn off Windows Online |
+| Location | User Configuration |
+| Path | InternetManagement > Internet Communication settings |
+| Registry Key Name | Software\Policies\Microsoft\Assistance\Client\1.0 |
+| Registry Value Name | NoOnlineAssist |
+| ADMX File Name | HelpAndSupport.admx |
+
-
+
+
+
-## Related topics
+
-[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
\ No newline at end of file
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md
index 56106a030b..b16c585854 100644
--- a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md
+++ b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md
@@ -1,93 +1,98 @@
 ---
-title: Policy CSP - ADMX_HotSpotAuth
-description: Learn about the Policy CSP - ADMX_HotSpotAuth.
+title: ADMX_hotspotauth Policy CSP
+description: Learn more about the ADMX_hotspotauth Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/09/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 09/15/2021
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
-# Policy CSP - ADMX_HotSpotAuth
+
+
+
+# Policy CSP - ADMX_hotspotauth
 > [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
-
-## ADMX_HotSpotAuth policies
+
+## HotspotAuth_Enable
-
    -
    - ADMX_HotSpotAuth/HotspotAuth_Enable -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_hotspotauth/HotspotAuth_Enable
+```
+
-
-**ADMX_HotSpotAuth/HotspotAuth_Enable**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Machine
-
-
-
-
-
+
+
 This policy setting defines whether WLAN hotspots are probed for Wireless Internet Service Provider roaming (WISPr) protocol support.
-- If a WLAN hotspot supports the WISPr protocol, users can submit credentials when manually connecting to the network.
+If a WLAN hotspot supports the WISPr protocol, users can submit credentials when manually connecting to the network. If authentication is successful, users will be connected automatically on subsequent attempts. Credentials can also be configured by network operators.
-- If authentication is successful, users will be connected automatically on subsequent attempts. Credentials can also be configured by network operators.
+- If you enable this policy setting, or if you do not configure this policy setting, WLAN hotspots are automatically probed for WISPR protocol support.
-- If you enable this policy setting, or if you don't configure this policy setting, WLAN hotspots are automatically probed for WISPR protocol support.
+- If you disable this policy setting, WLAN hotspots are not probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser.
+
-- If you disable this policy setting, WLAN hotspots aren't probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser.
+
+
+
-
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Enable Hotspot Authentication*
-- GP name: *HotspotAuth_Enable*
-- GP path: *Network\Hotspot Authentication*
-- GP ADMX file name: *HotSpotAuth.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
+| Name | Value |
+|:--|:--|
+| Name | HotspotAuth_Enable |
+| Friendly Name | Enable Hotspot Authentication |
+| Location | Computer Configuration |
+| Path | Network > Hotspot Authentication |
+| Registry Key Name | Software\Policies\Microsoft\Windows\HotspotAuthentication |
+| Registry Value Name | Enabled |
+| ADMX File Name | hotspotauth.admx |
+
-
+
+
+
-## Related topics
+
-[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
\ No newline at end of file
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md
index 757dd29c41..27fdebb0e8 100644
--- a/windows/client-management/mdm/policy-csp-admx-icm.md
+++ b/windows/client-management/mdm/policy-csp-admx-icm.md
@@ -1,1415 +1,1674 @@ --- -title: Policy CSP - ADMX_ICM -description: Learn about the Policy CSP - ADMX_ICM. +title: ADMX_ICM Policy CSP +description: Learn more about the ADMX_ICM Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/17/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_ICM ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_ICM policies + +## CEIPEnable -
    -
    - ADMX_ICM/CEIPEnable -
    -
    - ADMX_ICM/CertMgr_DisableAutoRootUpdates -
    -
    - ADMX_ICM/DisableHTTPPrinting_1 -
    -
    - ADMX_ICM/DisableWebPnPDownload_1 -
    -
    - ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate -
    -
    - ADMX_ICM/EventViewer_DisableLinks -
    -
    - ADMX_ICM/HSS_HeadlinesPolicy -
    -
    - ADMX_ICM/HSS_KBSearchPolicy -
    -
    - ADMX_ICM/InternetManagement_RestrictCommunication_1 -
    -
    - ADMX_ICM/InternetManagement_RestrictCommunication_2 -
    -
    - ADMX_ICM/NC_ExitOnISP -
    -
    - ADMX_ICM/NC_NoRegistration -
    -
    - ADMX_ICM/PCH_DoNotReport -
    -
    - ADMX_ICM/RemoveWindowsUpdate_ICM -
    -
    - ADMX_ICM/SearchCompanion_DisableFileUpdates -
    -
    - ADMX_ICM/ShellNoUseInternetOpenWith_1 -
    -
    - ADMX_ICM/ShellNoUseInternetOpenWith_2 -
    -
    - ADMX_ICM/ShellNoUseStoreOpenWith_1 -
    -
    - ADMX_ICM/ShellNoUseStoreOpenWith_2 -
    -
    - ADMX_ICM/ShellPreventWPWDownload_1 -
    -
    - ADMX_ICM/ShellRemoveOrderPrints_1 -
    -
    - ADMX_ICM/ShellRemoveOrderPrints_2 -
    -
    - ADMX_ICM/ShellRemovePublishToWeb_1 -
    -
    - ADMX_ICM/ShellRemovePublishToWeb_2 -
    -
    - ADMX_ICM/WinMSG_NoInstrumentation_1 -
    -
    - ADMX_ICM/WinMSG_NoInstrumentation_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/CEIPEnable +``` + -
    + + +This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft will not collect your name, address, or any other personally identifiable information. There are no surveys to complete, no salesperson will call, and you can continue working without interruption. It is simple and user-friendly. - -**ADMX_ICM/CEIPEnable** +- If you enable this policy setting, all users are opted out of the Windows Customer Experience Improvement Program. - +- If you disable this policy setting, all users are opted into the Windows Customer Experience Improvement Program. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you do not configure this policy setting, the administrator can use the Problem Reports and Solutions component in Control Panel to enable Windows Customer Experience Improvement Program for all users. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft won't collect your name, address, or any other personally identifiable information. There are no surveys to complete, no salesperson will call, and you can continue working without interruption. It's simple and user-friendly. +**ADMX mapping**: -If you enable this policy setting, all users are opted out of the Windows Customer Experience Improvement Program. +| Name | Value | +|:--|:--| +| Name | CEIPEnable | +| Friendly Name | Turn off Windows Customer Experience Improvement Program | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\SQMClient\Windows | +| Registry Value Name | CEIPEnable | +| ADMX File Name | ICM.admx | + -If you disable this policy setting, all users are opted into the Windows Customer Experience Improvement Program. + + + -If you don't configure this policy setting, the administrator can use the Problem Reports and Solutions component in Control Panel to enable Windows Customer Experience Improvement Program for all users. + - + +## CertMgr_DisableAutoRootUpdates + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Turn off Windows Customer Experience Improvement Program* -- GP name: *CEIPEnable* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/CertMgr_DisableAutoRootUpdates +``` + - - -
    - - -**ADMX_ICM/CertMgr_DisableAutoRootUpdates** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether to automatically update root certificates using the Windows Update website. Typically, a certificate is used when you use a secure website or when you send and receive secure email. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities. -If you enable this policy setting, when you're presented with a certificate issued by an untrusted root authority, your computer won't contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities. +- If you enable this policy setting, when you are presented with a certificate issued by an untrusted root authority, your computer will not contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities. -If you disable or don't configure this policy setting, your computer will contact the Windows Update website. +- If you disable or do not configure this policy setting, your computer will contact the Windows Update website. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Automatic Root Certificates Update* -- GP name: *CertMgr_DisableAutoRootUpdates* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/DisableHTTPPrinting_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CertMgr_DisableAutoRootUpdates | +| Friendly Name | Turn off Automatic Root Certificates Update | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\SystemCertificates\AuthRoot | +| Registry Value Name | DisableRootAutoUpdate | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableHTTPPrinting_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/DisableHTTPPrinting_1 +``` + - - + + This policy setting specifies whether to allow printing over HTTP from this client. -Printing over HTTP allows a client to print to printers on the intranet and the Internet. +Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. > [!NOTE] -> This policy setting affects the client side of Internet printing only. It doesn't prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. +> This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. -If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. +- If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. -If you disable or don't configure this policy setting, users can choose to print to Internet printers over HTTP. Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. +- If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. - +Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. + + + + - -ADMX Info: -- GP Friendly name: *Turn off printing over HTTP* -- GP name: *DisableHTTPPrinting_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ICM/DisableWebPnPDownload_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableHTTPPrinting_1 | +| Friendly Name | Turn off printing over HTTP | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | DisableHTTPPrinting | +| ADMX File Name | ICM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## DisableWebPnPDownload_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/DisableWebPnPDownload_1 +``` + + + + This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. > [!NOTE] -> This policy setting doesn't prevent the client from printing to printers on the Intranet or the Internet over HTTP. +> This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. -It only prohibits downloading drivers that aren't already installed locally. +- If you enable this policy setting, print drivers cannot be downloaded over HTTP. -If you enable this policy setting, print drivers can't be downloaded over HTTP. +- If you disable or do not configure this policy setting, users can download print drivers over HTTP. + -If you disable or don't configure this policy setting, users can download print drivers over HTTP. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Turn off downloading of print drivers over HTTP* -- GP name: *DisableWebPnPDownload_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate** +| Name | Value | +|:--|:--| +| Name | DisableWebPnPDownload_1 | +| Friendly Name | Turn off downloading of print drivers over HTTP | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | DisableWebPnPDownload | +| ADMX File Name | ICM.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DriverSearchPlaces_DontSearchWindowsUpdate - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate +``` + -
    - - - + + This policy setting specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present. -If you enable this policy setting, Windows Update isn't searched when a new device is installed. +- If you enable this policy setting, Windows Update is not searched when a new device is installed. -If you disable this policy setting, Windows Update is always searched for drivers when no local drivers are present. +- If you disable this policy setting, Windows Update is always searched for drivers when no local drivers are present. -If you don't configure this policy setting, searching Windows Update is optional when installing a device. +- If you do not configure this policy setting, searching Windows Update is optional when installing a device. -Also see "Turn off Windows Update device driver search prompt" in "Administrative Templates/System," which governs whether an administrator is prompted before searching Windows Update for device drivers if a driver isn't found locally. +Also see "Turn off Windows Update device driver search prompt" in "Administrative Templates/System," which governs whether an administrator is prompted before searching Windows Update for device drivers if a driver is not found locally. > [!NOTE] > This policy setting is replaced by "Specify Driver Source Search Order" in "Administrative Templates/System/Device Installation" on newer versions of Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows Update device driver searching* -- GP name: *DriverSearchPlaces_DontSearchWindowsUpdate* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/EventViewer_DisableLinks** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DriverSearchPlaces_DontSearchWindowsUpdate | +| Friendly Name | Turn off Windows Update device driver searching | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\DriverSearching | +| Registry Value Name | DontSearchWindowsUpdate | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EventViewer_DisableLinks -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/EventViewer_DisableLinks +``` + - - + + This policy setting specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application. The Event Viewer normally makes all HTTP(S) URLs into hyperlinks that activate the Internet browser when clicked. In addition, "More Information" is placed at the end of the description text if the event is created by a Microsoft component. This text contains a link (URL) that, if clicked, sends information about the event to Microsoft, and allows users to learn more about why that event occurred. -If you enable this policy setting, event description hyperlinks aren't activated and the text "More Information" isn't displayed at the end of the description. +- If you enable this policy setting, event description hyperlinks are not activated and the text "More Information" is not displayed at the end of the description. -If you disable or don't configure this policy setting, the user can click the hyperlink, which prompts the user and then sends information about the event over the Internet to Microsoft. +- If you disable or do not configure this policy setting, the user can click the hyperlink, which prompts the user and then sends information about the event over the Internet to Microsoft. Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Command Line Parameters" settings in "Administrative Templates/Windows Components/Event Viewer". + -Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Command Line Parameters" settings in "Administrative Templates/Windows Components/Event Viewer". 
+ + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Turn off Event Viewer "Events.asp" links* -- GP name: *EventViewer_DisableLinks* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_ICM/HSS_HeadlinesPolicy** +| Name | Value | +|:--|:--| +| Name | EventViewer_DisableLinks | +| Friendly Name | Turn off Event Viewer "Events.asp" links | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\EventViewer | +| Registry Value Name | MicrosoftEventVwrDisableLinks | +| ADMX File Name | ICM.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## HSS_HeadlinesPolicy - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/HSS_HeadlinesPolicy +``` + -
    - - - + + This policy setting specifies whether to show the "Did you know?" section of Help and Support Center. This content is dynamically updated when users who are connected to the Internet open Help and Support Center, and provides up-to-date information about Windows and the computer. -If you enable this policy setting, the Help and Support Center no longer retrieves nor displays "Did you know?" content. +- If you enable this policy setting, the Help and Support Center no longer retrieves nor displays "Did you know?" content. -If you disable or don't configure this policy setting, the Help and Support Center retrieves and displays "Did you know?" content. +- If you disable or do not configure this policy setting, the Help and Support Center retrieves and displays "Did you know?" content. -You might want to enable this policy setting for users who don't have Internet access, because the content in the "Did you know?" section will remain static indefinitely without an Internet connection. +You might want to enable this policy setting for users who do not have Internet access, because the content in the "Did you know?" section will remain static indefinitely without an Internet connection. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Help and Support Center "Did you know?" content* -- GP name: *HSS_HeadlinesPolicy* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/HSS_KBSearchPolicy** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HSS_HeadlinesPolicy | +| Friendly Name | Turn off Help and Support Center "Did you know?" content | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\HelpSvc | +| Registry Value Name | Headlines | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HSS_KBSearchPolicy -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/HSS_KBSearchPolicy +``` + - - + + This policy setting specifies whether users can perform a Microsoft Knowledge Base search from the Help and Support Center. The Knowledge Base is an online source of technical support information and self-help tools for Microsoft products, and is searched as part of all Help and Support Center searches with the default search options. -If you enable this policy setting, it removes the Knowledge Base section from the Help and Support Center "Set search options" page, and only Help content on the local computer is searched. +- If you enable this policy setting, it removes the Knowledge Base section from the Help and Support Center "Set search options" page, and only Help content on the local computer is searched. -If you disable or don't configure this policy setting, the Knowledge Base is searched if the user has a connection to the Internet and hasn't disabled the Knowledge Base search from the Search Options page. +- If you disable or do not configure this policy setting, the Knowledge Base is searched if the user has a connection to the Internet and has not disabled the Knowledge Base search from the Search Options page. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Help and Support Center Microsoft Knowledge Base search* -- GP name: *HSS_KBSearchPolicy* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/InternetManagement_RestrictCommunication_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HSS_KBSearchPolicy | +| Friendly Name | Turn off Help and Support Center Microsoft Knowledge Base search | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\HelpSvc | +| Registry Value Name | MicrosoftKBSearch | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetManagement_RestrictCommunication_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/InternetManagement_RestrictCommunication_1 +``` + - - + + This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. -If you enable this setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features can't access the Internet. +- If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. -If you disable this policy setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. +- If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. -If you don't configure this policy setting, all of the policy settings in the "Internet Communication settings" section are set to not configured. +- If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Restrict Internet communication* -- GP name: *InternetManagement_RestrictCommunication_1* -- GP path: *System\Internet Communication Management* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/InternetManagement_RestrictCommunication_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | InternetManagement_RestrictCommunication_1 | +| Friendly Name | Restrict Internet communication | +| Location | User Configuration | +| Path | System > Internet Communication Management | +| Registry Key Name | Software\Policies\Microsoft\InternetManagement | +| Registry Value Name | RestrictCommunication | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetManagement_RestrictCommunication_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/InternetManagement_RestrictCommunication_2 +``` + - - + + This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. -If you enable this setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features can't access the Internet. +- If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. -If you disable this policy setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. +- If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. -If you don't configure this policy setting, all of the policy settings in the "Internet Communication settings" section are set to not configured. - +- If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. + + + + - -ADMX Info: -- GP Friendly name: *Restrict Internet communication* -- GP name: *InternetManagement_RestrictCommunication_2* -- GP path: *System\Internet Communication Management* -- GP ADMX file name: *ICM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ICM/NC_ExitOnISP** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | InternetManagement_RestrictCommunication_2 | +| Friendly Name | Restrict Internet communication | +| Location | Computer Configuration | +| Path | System > Internet Communication Management | +| Registry Key Name | Software\Policies\Microsoft\InternetManagement | +| Registry Value Name | RestrictCommunication | +| ADMX File Name | ICM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## NC_ExitOnISP -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/NC_ExitOnISP +``` + + + + This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). -If you enable this policy setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This exit prevents users from retrieving the list of ISPs, which resides on Microsoft servers. +- If you enable this policy setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers. -If you disable or don't configure this policy setting, users can connect to Microsoft to download a list of ISPs for their area. +- If you disable or do not configure this policy setting, users can connect to Microsoft to download a list of ISPs for their area. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com* -- GP name: *NC_ExitOnISP* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/NC_NoRegistration** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_ExitOnISP | +| Friendly Name | Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\Internet Connection Wizard | +| Registry Value Name | ExitOnMSICW | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_NoRegistration -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/NC_NoRegistration +``` + - - + + This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. -If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users can't register their copy of Windows online. +- If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online. -If you disable or don't configure this policy setting, users can connect to Microsoft.com to complete the online Windows Registration. +- If you disable or do not configure this policy setting, users can connect to Microsoft.com to complete the online Windows Registration. -Registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is required but doesn't involve submitting any personal information (except the country/region you live in). +**Note** that registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is required but does not involve submitting any personal information (except the country/region you live in). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Registration if URL connection is referring to Microsoft.com* -- GP name: *NC_NoRegistration* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/PCH_DoNotReport** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_NoRegistration | +| Friendly Name | Turn off Registration if URL connection is referring to Microsoft.com | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\Registration Wizard Control | +| Registry Value Name | NoRegistration | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PCH_DoNotReport -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/PCH_DoNotReport +``` + - - + + This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. -If you enable this policy setting, users aren't given the option to report errors. +- If you enable this policy setting, users are not given the option to report errors. -If you disable or don't configure this policy setting, the errors may be reported to Microsoft via the Internet or to a corporate file share. +- If you disable or do not configure this policy setting, the errors may be reported to Microsoft via the Internet or to a corporate file share. This policy setting overrides any user setting made from the Control Panel for error reporting. Also see the "Configure Error Reporting", "Display Error Notification" and "Disable Windows Error Reporting" policy settings under Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows Error Reporting* -- GP name: *PCH_DoNotReport* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/RemoveWindowsUpdate_ICM** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PCH_DoNotReport | +| Friendly Name | Turn off Windows Error Reporting | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RemoveWindowsUpdate_ICM -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/RemoveWindowsUpdate_ICM +``` + - - + + This policy setting allows you to remove access to Windows Update. -If you enable this policy setting, all Windows Update features are removed. This list of features includes blocking access to the Windows Update website at https://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you won't get notified or receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website. +- If you enable this policy setting, all Windows Update features are removed. This includes blocking access to the Windows Update website at , from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website. -If you disable or don't configure this policy setting, users can access the Windows Update website and enable automatic updating to receive notifications and critical updates from Windows Update. +- If you disable or do not configure this policy setting, users can access the Windows Update website and enable automatic updating to receive notifications and critical updates from Windows Update. > [!NOTE] > This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off access to all Windows Update features* -- GP name: *RemoveWindowsUpdate_ICM* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/SearchCompanion_DisableFileUpdates** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RemoveWindowsUpdate_ICM | +| Friendly Name | Turn off access to all Windows Update features | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | DisableWindowsUpdateAccess | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SearchCompanion_DisableFileUpdates -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/SearchCompanion_DisableFileUpdates +``` + - - + + This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. -When users search the local computer or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and more content files used to format and display results. +When users search the local computer or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and additional content files used to format and display results. -If you enable this policy setting, Search Companion doesn't download content updates during searches. +- If you enable this policy setting, Search Companion does not download content updates during searches. -If you disable or don't configure this policy setting, Search Companion downloads content updates unless the user is using Classic Search. +- If you disable or do not configure this policy setting, Search Companion downloads content updates unless the user is using Classic Search. > [!NOTE] > Internet searches still send the search text and information about the search to Microsoft and the chosen search provider. Choosing Classic Search turns off the Search Companion feature completely. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Search Companion content file updates* -- GP name: *SearchCompanion_DisableFileUpdates* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/ShellNoUseInternetOpenWith_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SearchCompanion_DisableFileUpdates | +| Friendly Name | Turn off Search Companion content file updates | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\SearchCompanion | +| Registry Value Name | DisableContentFileUpdates | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShellNoUseInternetOpenWith_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellNoUseInternetOpenWith_1 +``` + - - + + This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. -When a user opens a file that has an extension that isn't associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. +When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. -If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed. +- If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed. -If you disable or don't configure this policy setting, the user is allowed to use the Web service. +- If you disable or do not configure this policy setting, the user is allowed to use the Web service. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Internet File Association service* -- GP name: *ShellNoUseInternetOpenWith_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/ShellNoUseInternetOpenWith_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShellNoUseInternetOpenWith_1 | +| Friendly Name | Turn off Internet File Association service | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoInternetOpenWith | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShellNoUseInternetOpenWith_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellNoUseInternetOpenWith_2 +``` + - - + + This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. -When a user opens a file that has an extension that isn't associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. +When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. -If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed. +- If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed. -If you disable or don't configure this policy setting, the user is allowed to use the Web service. +- If you disable or do not configure this policy setting, the user is allowed to use the Web service. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Internet File Association service* -- GP name: *ShellNoUseInternetOpenWith_2* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/ShellNoUseStoreOpenWith_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShellNoUseInternetOpenWith_2 | +| Friendly Name | Turn off Internet File Association service | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoInternetOpenWith | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShellNoUseStoreOpenWith_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellNoUseStoreOpenWith_1 +``` + - - + + This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. -When a user opens a file type or protocol that isn't associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. +When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. -If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. +- If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. -If you disable or don't configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. +- If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off access to the Store* -- GP name: *ShellNoUseStoreOpenWith_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/ShellNoUseStoreOpenWith_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShellNoUseStoreOpenWith_1 | +| Friendly Name | Turn off access to the Store | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoUseStoreOpenWith | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShellNoUseStoreOpenWith_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellNoUseStoreOpenWith_2 +``` + - - + + This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. -When a user opens a file type or protocol that isn't associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. +When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. -If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. +- If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. -If you disable or don't configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. +- If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off access to the Store* -- GP name: *ShellNoUseStoreOpenWith_2* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/ShellPreventWPWDownload_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShellNoUseStoreOpenWith_2 | +| Friendly Name | Turn off access to the Store | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoUseStoreOpenWith | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShellPreventWPWDownload_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellPreventWPWDownload_1 +``` + - - -This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. + + +This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. -If you enable this policy setting, Windows doesn't download providers, and only the service providers that are cached in the local registry are displayed. +These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. -If you disable or don't configure this policy setting, a list of providers is downloaded when the user uses the web publishing or online ordering wizards. +- If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed. -For more information, including details on specifying service providers in the registry, see the documentation for the web publishing and online ordering wizards. +- If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards. - +See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. 
+ + + + - -ADMX Info: -- GP Friendly name: *Turn off Internet download for Web publishing and online ordering wizards* -- GP name: *ShellPreventWPWDownload_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ICM/ShellRemoveOrderPrints_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ShellPreventWPWDownload_1 | +| Friendly Name | Turn off Internet download for Web publishing and online ordering wizards | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoWebServices | +| ADMX File Name | ICM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## ShellRemoveOrderPrints_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellRemoveOrderPrints_1 +``` + -The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. - -If you disable or don't configure this policy setting, the task is displayed. - - - - - -ADMX Info: -- GP Friendly name: *Turn off the "Order Prints" picture task* -- GP name: *ShellRemoveOrderPrints_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* - - - -
    - - -**ADMX_ICM/ShellRemoveOrderPrints_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. -If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. +- If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. -If you disable or don't configure this policy setting, the task is displayed. +- If you disable or do not configure this policy setting, the task is displayed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off the "Order Prints" picture task* -- GP name: *ShellRemoveOrderPrints_2* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/ShellRemovePublishToWeb_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShellRemoveOrderPrints_1 | +| Friendly Name | Turn off the "Order Prints" picture task | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoOnlinePrintsWizard | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShellRemoveOrderPrints_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellRemoveOrderPrints_2 +``` + - - + + +This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. + +The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. + +- If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. + +- If you disable or do not configure this policy setting, the task is displayed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShellRemoveOrderPrints_2 | +| Friendly Name | Turn off the "Order Prints" picture task | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoOnlinePrintsWizard | +| ADMX File Name | ICM.admx | + + + + + + + + + +## ShellRemovePublishToWeb_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellRemovePublishToWeb_1 +``` + + + + This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. -If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. If you disable or don't configure this policy setting, the tasks are shown. +- If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. - +- If you disable or do not configure this policy setting, the tasks are shown. + + + + - -ADMX Info: -- GP Friendly name: *Turn off the "Publish to Web" task for files and folders* -- GP name: *ShellRemovePublishToWeb_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ICM/ShellRemovePublishToWeb_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ShellRemovePublishToWeb_1 | +| Friendly Name | Turn off the "Publish to Web" task for files and folders | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoPublishingWizard | +| ADMX File Name | ICM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## ShellRemovePublishToWeb_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellRemovePublishToWeb_2 +``` + + + + This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. -If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. +- If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. -If you disable or don't configure this policy setting, the tasks are shown. +- If you disable or do not configure this policy setting, the tasks are shown. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off the "Publish to Web" task for files and folders* -- GP name: *ShellRemovePublishToWeb_2* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/WinMSG_NoInstrumentation_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShellRemovePublishToWeb_2 | +| Friendly Name | Turn off the "Publish to Web" task for files and folders | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoPublishingWizard | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## WinMSG_NoInstrumentation_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/WinMSG_NoInstrumentation_1 +``` + - - -This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service are used. + + +This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. -With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. +With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. This information is used to improve the product in future releases. -This information is used to improve the product in future releases. +- If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown. -If you enable this policy setting, Windows Messenger doesn't collect usage information, and the user settings to enable the collection of usage information aren't shown. +- If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. -If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting isn't shown. If you don't configure this policy setting, users have the choice to opt in and allow information to be collected. +- If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off the Windows Messenger Customer Experience Improvement Program* -- GP name: *WinMSG_NoInstrumentation_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ICM/WinMSG_NoInstrumentation_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WinMSG_NoInstrumentation_1 | +| Friendly Name | Turn off the Windows Messenger Customer Experience Improvement Program | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Messenger\Client | +| Registry Value Name | CEIP | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## WinMSG_NoInstrumentation_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/WinMSG_NoInstrumentation_2 +``` + - - -This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service are used. + + +This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. -With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. +With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. This information is used to improve the product in future releases. -This information is used to improve the product in future releases. +- If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown. -If you enable this policy setting, Windows Messenger doesn't collect usage information, and the user settings to enable the collection of usage information aren't shown. +- If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. -If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting isn't shown. +- If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. + -If you don't configure this policy setting, users have the choice to opt in and allow information to be collected. 
+ + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Turn off the Windows Messenger Customer Experience Improvement Program* -- GP name: *WinMSG_NoInstrumentation_2* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | WinMSG_NoInstrumentation_2 | +| Friendly Name | Turn off the Windows Messenger Customer Experience Improvement Program | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Messenger\Client | +| Registry Value Name | CEIP | +| ADMX File Name | ICM.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md index 9310adaf97..0af1df4d24 100644 --- a/windows/client-management/mdm/policy-csp-admx-iis.md +++ b/windows/client-management/mdm/policy-csp-admx-iis.md 
@@ -1,92 +1,94 @@ --- -title: Policy CSP - ADMX_IIS -description: Learn about the Policy CSP - ADMX_IIS. +title: ADMX_IIS Policy CSP +description: Learn more about the ADMX_IIS Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/17/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_IIS > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_IIS policies + +## PreventIISInstall -
    -
    - ADMX_IIS/PreventIISInstall -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_IIS/PreventIISInstall +``` + - -**ADMX_IIS/PreventIISInstall** + + +"This policy setting prevents installation of Internet Information Services (IIS) on this computer. +- If you enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS cannot be installed because of this Group Policy setting. Enabling this setting will not have any effect on IIS if IIS is already installed on the computer. +- If you disable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run." + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> [!div class = "checklist"] -> * Machine +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | PreventIISInstall | +| Friendly Name | Prevent IIS installation | +| Location | Computer Configuration | +| Path | Windows Components > Internet Information Services | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\IIS | +| Registry Value Name | PreventIISInstall | +| ADMX File Name | IIS.admx | + - - -This policy setting prevents installation of Internet Information Services (IIS) on this computer. + + + -If you enable this policy setting, Internet Information Services (IIS) can't be installed, and you'll not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS can't be installed because of this Group Policy setting. + -Enabling this setting won't have any effect on IIS, if IIS is already installed on the computer. + + + -If you disable or don't configure this policy setting, IIS can be installed, and all the programs and applications that require IIS to run." + - +## Related articles - - -ADMX Info: -- GP Friendly name: *Prevent IIS installation* -- GP name: *PreventIISInstall* -- GP path: *Windows Components\Internet Information Services* -- GP ADMX file name: *IIS.admx* - - - - -
    - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md index 44fac81071..a7898086b3 100644 --- a/windows/client-management/mdm/policy-csp-admx-iscsi.md +++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md 
@@ -1,183 +1,596 @@ --- -title: Policy CSP - ADMX_iSCSI -description: Learn about the Policy CSP - ADMX_iSCSI. +title: ADMX_iSCSI Policy CSP +description: Learn more about the ADMX_iSCSI Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/17/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_iSCSI > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_iSCSI policies + +## iSCSIDiscovery_ConfigureiSNSServers -
    -
    - ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins -
    -
    - ADMX_iSCSI/iSCSIGeneral_ChangeIQNName -
    -
    - ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIDiscovery_ConfigureiSNSServers +``` + -
    + + +If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed. If disabled then new iSNS servers may be added and thus new targets discovered via those iSNS servers; existing iSNS servers may be removed. + - -**ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | iSCSIDiscovery_ConfigureiSNSServers | +| Friendly Name | Do not allow manual configuration of iSNS servers | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Target Discovery | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | ConfigureiSNSServers | +| ADMX File Name | iSCSI.admx | + -
    + + + - - -If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed. + -If disabled then new iSNS servers may be added and thus new targets discovered via those iSNS servers; existing iSNS servers may be removed. + +## iSCSIDiscovery_ConfigureTargetPortals + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIDiscovery_ConfigureTargetPortals +``` + - -ADMX Info: -- GP Friendly name: *Do not allow manual configuration of iSNS servers* -- GP name: *iSCSIGeneral_RestrictAdditionalLogins* -- GP path: *System\iSCSI\iSCSI Target Discovery* -- GP ADMX file name: *iSCSI.admx* + + +If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not be removed. If disabled then new target portals may be added and thus new targets discovered on those portals; existing target portals may be removed. + - - -
    + + + - -**ADMX_iSCSI/iSCSIGeneral_ChangeIQNName** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | iSCSIDiscovery_ConfigureTargetPortals | +| Friendly Name | Do not allow manual configuration of target portals | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Target Discovery | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | ConfigureTargetPortals | +| ADMX File Name | iSCSI.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not be removed. + +## iSCSIDiscovery_ConfigureTargets -If disabled then new target portals may be added and thus new targets discovered on those portals; existing target portals may be removed. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIDiscovery_ConfigureTargets +``` + - -ADMX Info: -- GP Friendly name: *Do not allow manual configuration of target portals* -- GP name: *iSCSIGeneral_ChangeIQNName* -- GP path: *System\iSCSI\iSCSI Target Discovery* -- GP ADMX file name: *iSCSI.admx* + + +If enabled then discovered targets may not be manually configured. If disabled then discovered targets may be manually configured. **Note** if enabled there may be cases where this will break VDS. + - - -
    + + + - -**ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | iSCSIDiscovery_ConfigureTargets | +| Friendly Name | Do not allow manual configuration of discovered targets | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Target Discovery | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | ConfigureTargets | +| ADMX File Name | iSCSI.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -If enabled then don't allow the initiator CHAP secret to be changed. + +## iSCSIDiscovery_NewStaticTargets -If disabled then the initiator CHAP secret may be changed. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIDiscovery_NewStaticTargets +``` + + + +If enabled then new targets may not be manually configured by entering the target name and target portal; already discovered targets may be manually configured. If disabled then new and already discovered targets may be manually configured. **Note** if enabled there may be cases where this will break VDS. + - -ADMX Info: -- GP Friendly name: *Do not allow changes to initiator CHAP secret* -- GP name: *iSCSISecurity_ChangeCHAPSecret* -- GP path: *System\iSCSI\iSCSI Security* -- GP ADMX file name: *iSCSI.admx* + + + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | iSCSIDiscovery_NewStaticTargets | +| Friendly Name | Do not allow adding new targets via manual configuration | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Target Discovery | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | NewStaticTargets | +| ADMX File Name | iSCSI.admx | + + + + + + + + + +## iSCSIGeneral_ChangeIQNName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIGeneral_ChangeIQNName +``` + + + + +If enabled then do not allow the initiator iqn name to be changed. If disabled then the initiator iqn name may be changed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | iSCSIGeneral_ChangeIQNName | +| Friendly Name | Do not allow changes to initiator iqn name | +| Location | Computer Configuration | +| Path | System > iSCSI > General iSCSI | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | ChangeIQNName | +| ADMX File Name | iSCSI.admx | + + + + + + + + + +## iSCSIGeneral_RestrictAdditionalLogins + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins +``` + + + + +If enabled then only those sessions that are established via a persistent login will be established and no new persistent logins may be created. If disabled then additional persistent and non persistent logins may be established. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | iSCSIGeneral_RestrictAdditionalLogins | +| Friendly Name | Do not allow additional session logins | +| Location | Computer Configuration | +| Path | System > iSCSI > General iSCSI | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | RestrictAdditionalLogins | +| ADMX File Name | iSCSI.admx | + + + + + + + + + +## iSCSISecurity_ChangeCHAPSecret + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret +``` + + + + +If enabled then do not allow the initiator CHAP secret to be changed. If disabled then the initiator CHAP secret may be changed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | iSCSISecurity_ChangeCHAPSecret | +| Friendly Name | Do not allow changes to initiator CHAP secret | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | ChangeCHAPSecret | +| ADMX File Name | iSCSI.admx | + + + + + + + + + +## iSCSISecurity_RequireIPSec + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSISecurity_RequireIPSec +``` + + + + +If enabled then only those connections that are configured for IPSec may be established. If disabled then connections that are configured for IPSec or connections not configured for IPSec may be established. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | iSCSISecurity_RequireIPSec | +| Friendly Name | Do not allow connections without IPSec | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | RequireIPSec | +| ADMX File Name | iSCSI.admx | + + + + + + + + + +## iSCSISecurity_RequireMutualCHAP + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSISecurity_RequireMutualCHAP +``` + + + + +If enabled then only those sessions that are configured for mutual CHAP may be established. If disabled then sessions that are configured for mutual CHAP or sessions not configured for mutual CHAP may be established. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | iSCSISecurity_RequireMutualCHAP | +| Friendly Name | Do not allow sessions without mutual CHAP | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | RequireMutualCHAP | +| ADMX File Name | iSCSI.admx | + + + + + + + + + +## iSCSISecurity_RequireOneWayCHAP + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSISecurity_RequireOneWayCHAP +``` + + + + +If enabled then only those sessions that are configured for one-way CHAP may be established. If disabled then sessions that are configured for one-way CHAP or sessions not configured for one-way CHAP may be established. **Note** that if the "Do not allow sessions without mutual CHAP" setting is enabled then that setting overrides this one. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | iSCSISecurity_RequireOneWayCHAP | +| Friendly Name | Do not allow sessions without one way CHAP | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | RequireOneWayCHAP | +| ADMX File Name | iSCSI.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md index c0cab32903..0b0cd3777a 100644 --- a/windows/client-management/mdm/policy-csp-admx-kdc.md +++ b/windows/client-management/mdm/policy-csp-admx-kdc.md 
@@ -1,384 +1,435 @@ --- -title: Policy CSP - ADMX_kdc -description: Learn about the Policy CSP - ADMX_kdc. +title: ADMX_kdc Policy CSP +description: Learn more about the ADMX_kdc Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_kdc ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_kdc policies + +## CbacAndArmor -
    -
    - ADMX_kdc/CbacAndArmor -
    -
    - ADMX_kdc/ForestSearch -
    -
    - ADMX_kdc/PKINITFreshness -
    -
    - ADMX_kdc/RequestCompoundId -
    -
    - ADMX_kdc/TicketSizeThreshold -
    -
    - ADMX_kdc/emitlili -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/CbacAndArmor +``` + -
    - - -**ADMX_kdc/CbacAndArmor** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication. -If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. +- If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. -If you disable or don't configure this policy setting, the domain controller doesn't support claims, compound authentication or armoring. +- If you disable or do not configure this policy setting, the domain controller does not support claims, compound authentication or armoring. -If you configure the "Not supported" option, the domain controller doesn't support claims, compound authentication or armoring, which is the default behavior for domain controllers running Windows Server 2008 R2 or earlier operating systems. +If you configure the "Not supported" option, the domain controller does not support claims, compound authentication or armoring which is the default behavior for domain controllers running Windows Server 2008 R2 or earlier operating systems. > [!NOTE] -> For the following options of this KDC policy to be effective, the Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must be enabled on supported systems. If the Kerberos policy setting isn't enabled, Kerberos authentication messages won't use these features. 
+> For the following options of this KDC policy to be effective, the Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must be enabled on supported systems. If the Kerberos policy setting is not enabled, Kerberos authentication messages will not use these features. If you configure "Supported", the domain controller supports claims, compound authentication and Kerberos armoring. The domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring. -**Domain functional level requirements** - -For the options "Always provide claims" and "Fail unarmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlier, then domain controllers behave as if the "Supported" option is selected. +Domain functional level requirements +For the options "Always provide claims" and "Fail unarmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlier then domain controllers behave as if the "Supported" option is selected. When the domain functional level is set to Windows Server 2012 then the domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring, and: - - If you set the "Always provide claims" option, always returns claims for accounts and supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST). - If you set the "Fail unarmored authentication requests" option, rejects unarmored Kerberos messages. > [!WARNING] -> When "Fail unarmored authentication requests" is set, then client computers which don't support Kerberos armoring will fail to authenticate to the domain controller. 
+> When "Fail unarmored authentication requests" is set, then client computers which do not support Kerberos armoring will fail to authenticate to the domain controller. To ensure this feature is effective, deploy enough domain controllers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware to handle the authentication requests. Insufficient number of domain controllers that support this policy result in authentication failures whenever Dynamic Access Control or Kerberos armoring is required (that is, the "Supported" option is enabled). Impact on domain controller performance when this policy setting is enabled: +- Secure Kerberos domain capability discovery is required resulting in additional message exchanges. +- Claims and compound authentication for Dynamic Access Control increases the size and complexity of the data in the message which results in more processing time and greater Kerberos service ticket size. +- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time, but does not change the service ticket size. + -- Secure Kerberos domain capability discovery is required, resulting in more message exchanges. -- Claims and compound authentication for Dynamic Access Control increase the size and complexity of the data in the message, which results in more processing time and greater Kerberos service ticket size. -- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors, which result in increased processing time, but doesn't change the service ticket size. 
+ + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *KDC support for claims, compound authentication and Kerberos armoring* -- GP name: *CbacAndArmor* -- GP path: *System/KDC* -- GP ADMX file name: *kdc.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_kdc/ForestSearch** +| Name | Value | +|:--|:--| +| Name | CbacAndArmor | +| Friendly Name | KDC support for claims, compound authentication and Kerberos armoring | +| Location | Computer Configuration | +| Path | System > KDC | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters | +| Registry Value Name | EnableCbacAndArmor | +| ADMX File Name | kdc.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## emitlili - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/emitlili +``` + -
    + + +This policy setting controls whether the domain controller provides information about previous logons to client computers. - - +- If you enable this policy setting, the domain controller provides the information message about previous logons. + +For Windows Logon to leverage this feature, the "Display information about previous logons during user logon" policy setting located in the Windows Logon Options node under Windows Components also needs to be enabled. + +- If you disable or do not configure this policy setting, the domain controller does not provide information about previous logons unless the "Display information about previous logons during user logon" policy setting is enabled. + +> [!NOTE] +> Information about previous logons is provided only if the domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003, Windows 2000 native, or Windows 2000 mixed, domain controllers cannot provide information about previous logons, and enabling this policy setting does not affect anything. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | emitlili | +| Friendly Name | Provide information about previous logons to client computers | +| Location | Computer Configuration | +| Path | System > KDC | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters | +| Registry Value Name | EmitLILI | +| ADMX File Name | kdc.admx | + + + + + + + + + +## ForestSearch + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/ForestSearch +``` + + + + This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). -If you enable this policy setting, the KDC will search the forests in this list if it's unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain. +- If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain. -If you disable or don't configure this policy setting, the KDC won't search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name isn't found, NTLM authentication might be used. +- If you disable or do not configure this policy setting, the KDC will not search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found, NTLM authentication might be used. To ensure consistent behavior, this policy setting must be supported and set identically on all domain controllers in the domain. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use forest search order* -- GP name: *ForestSearch* -- GP path: *System/KDC* -- GP ADMX file name: *kdc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_kdc/PKINITFreshness** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ForestSearch | +| Friendly Name | Use forest search order | +| Location | Computer Configuration | +| Path | System > KDC | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters | +| Registry Value Name | UseForestSearch | +| ADMX File Name | kdc.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PKINITFreshness -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/PKINITFreshness +``` + - - -Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain isn't at Windows Server 2016 DFL or higher, this policy won't be applied. + + +Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller's domain is not at Windows Server 2016 DFL or higher this policy will not be applied. This policy setting allows you to configure a domain controller (DC) to support the PKInit Freshness Extension. -If you enable this policy setting, the following options are supported: +- If you enable this policy setting, the following options are supported: Supported: PKInit Freshness Extension is supported on request. Kerberos clients successfully authenticating with the PKInit Freshness Extension will get the fresh public key identity SID. -Required: PKInit Freshness Extension is required for successful authentication. Kerberos clients that don't support the PKInit Freshness Extension will always fail when using public key credentials. +Required: PKInit Freshness Extension is required for successful authentication. Kerberos clients which do not support the PKInit Freshness Extension will always fail when using public key credentials. -If you disable or not configure this policy setting, then the DC will never offer the PKInit Freshness Extension and accept valid authentication requests without checking for freshness. Users will never receive the fresh public key identity SID. +- If you disable or not configure this policy setting, then the DC will never offer the PKInit Freshness Extension and accept valid authentication requests without checking for freshness. Users will never receive the fresh public key identity SID. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *KDC support for PKInit Freshness Extension* -- GP name: *PKINITFreshness* -- GP path: *System/KDC* -- GP ADMX file name: *kdc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_kdc/RequestCompoundId** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PKINITFreshness | +| Friendly Name | KDC support for PKInit Freshness Extension | +| Location | Computer Configuration | +| Path | System > KDC | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters | +| ADMX File Name | kdc.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RequestCompoundId -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/RequestCompoundId +``` + - - + + This policy setting allows you to configure a domain controller to request compound authentication. > [!NOTE] > For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" must be configured and enabled. -If you enable this policy setting, domain controllers will request compound authentication. The returned service ticket will contain compound authentication only when the account is explicitly configured. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. +- If you enable this policy setting, domain controllers will request compound authentication. The returned service ticket will contain compound authentication only when the account is explicitly configured. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. -If you disable or don't configure this policy setting, domain controllers will return service tickets that contain compound authentication anytime the client sends a compound authentication request regardless of the account configuration. +- If you disable or do not configure this policy setting, domain controllers will return service tickets that contain compound authentication any time the client sends a compound authentication request regardless of the account configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Request compound authentication* -- GP name: *RequestCompoundId* -- GP path: *System/KDC* -- GP ADMX file name: *kdc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_kdc/TicketSizeThreshold** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RequestCompoundId | +| Friendly Name | Request compound authentication | +| Location | Computer Configuration | +| Path | System > KDC | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters | +| Registry Value Name | RequestCompoundId | +| ADMX File Name | kdc.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TicketSizeThreshold -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/TicketSizeThreshold +``` + - - + + This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. -If you enable this policy setting, you can set the threshold limit for Kerberos ticket, which triggers the warning events. If set too high, then authentication failures might be occurring even though warning events aren't being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you aren't configuring using Group Policy. +- If you enable this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy. -If you disable or don't configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions. +- If you disable or do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Warning for large Kerberos tickets* -- GP name: *TicketSizeThreshold* -- GP path: *System/KDC* -- GP ADMX file name: *kdc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_kdc/emitlili** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TicketSizeThreshold | +| Friendly Name | Warning for large Kerberos tickets | +| Location | Computer Configuration | +| Path | System > KDC | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters | +| Registry Value Name | EnableTicketSizeThreshold | +| ADMX File Name | kdc.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    +## Related articles - - -This policy setting controls whether the domain controller provides information about previous logons to client computers. - -If you enable this policy setting, the domain controller provides the information message about previous logons. - -For Windows Logon to use this feature, the "Display information about previous logons during user logon" policy setting located in the Windows Logon Options node under Windows Components also needs to be enabled. - -If you disable or don't configure this policy setting, the domain controller doesn't provide information about previous logons unless the "Display information about previous logons during user logon" policy setting is enabled. - -> [!NOTE] -> Information about previous logons is provided only if the domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003, Windows 2000 native, or Windows 2000 mixed, domain controllers cannot provide information about previous logons, and enabling this policy setting doesn't affect anything. - - - - - -ADMX Info: -- GP Friendly name: *Provide information about previous logons to client computers* -- GP name: *emitlili* -- GP path: *System/KDC* -- GP ADMX file name: *kdc.admx* - - - -
    - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md index 3838c7a105..1845af6733 100644 --- a/windows/client-management/mdm/policy-csp-admx-kerberos.md +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md 
@@ -1,463 +1,541 @@ --- -title: Policy CSP - ADMX_Kerberos -description: Learn about the Policy CSP - ADMX_Kerberos. +title: ADMX_Kerberos Policy CSP +description: Learn more about the ADMX_Kerberos Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/12/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Kerberos ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Kerberos policies + +## AlwaysSendCompoundId -
    -
    - ADMX_Kerberos/AlwaysSendCompoundId -
    -
    - ADMX_Kerberos/DevicePKInitEnabled -
    -
    - ADMX_Kerberos/HostToRealm -
    -
    - ADMX_Kerberos/KdcProxyDisableServerRevocationCheck -
    -
    - ADMX_Kerberos/KdcProxyServer -
    -
    - ADMX_Kerberos/MitRealms -
    -
    - ADMX_Kerberos/ServerAcceptsCompound -
    -
    - ADMX_Kerberos/StrictTarget -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/AlwaysSendCompoundId +``` + -
    - - -**ADMX_Kerberos/AlwaysSendCompoundId** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. > [!NOTE] > For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain. -If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request. +- If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request. -If you disable or don't configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication. +- If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Always send compound authentication first* -- GP name: *AlwaysSendCompoundId* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Kerberos/DevicePKInitEnabled** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AlwaysSendCompoundId | +| Friendly Name | Always send compound authentication first | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | AlwaysSendCompoundId | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DevicePKInitEnabled -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/DevicePKInitEnabled +``` + - - -Support for device authentication using certificate will require connectivity to a DC in the device account domain that supports certificate authentication for computer accounts. + + +Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. -If you enable this policy setting, the device's credentials will be selected based on the following options: +- If you enable this policy setting, the device’s credentials will be selected based on the following options: -- Automatic: Device will attempt to authenticate using its certificate. If the DC doesn't support computer account authentication using certificates, then authentication with password will be attempted. -- Force: Device will always authenticate using its certificate. If a DC can't be found which support computer account authentication using certificates, then authentication will fail. +Automatic: Device will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted. -If you disable this policy setting, certificates will never be used. +Force: Device will always authenticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authentication will fail. -If you don't configure this policy setting, Automatic will be used. +- If you disable this policy setting, certificates will never be used. +- If you do not configure this policy setting, Automatic will be used. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Support device authentication using certificate* -- GP name: *DevicePKInitEnabled* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Kerberos/HostToRealm** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DevicePKInitEnabled | +| Friendly Name | Support device authentication using certificate | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | DevicePKInitEnabled | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HostToRealm -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/HostToRealm +``` + - - + + This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm. -If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. +- If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. -If you disable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is deleted. +- If you disable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is deleted. 
-If you don't configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist. +- If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define host name-to-Kerberos realm mappings* -- GP name: *HostToRealm* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Kerberos/KdcProxyDisableServerRevocationCheck** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HostToRealm | +| Friendly Name | Define host name-to-Kerberos realm mappings | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos | +| Registry Value Name | domain_realm_Enabled | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## KdcProxyDisableServerRevocationCheck -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/KdcProxyDisableServerRevocationCheck +``` + - - + + This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server. -If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. +- If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. > [!WARNING] -> When revocation check is ignored, the server represented by the certificate isn't guaranteed valid. +> When revocation check is ignored, the server represented by the certificate is not guaranteed valid. -If you disable or don't configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server isn't established if the revocation check fails. +- If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Disable revocation checking for the SSL certificate of KDC proxy servers* -- GP name: *KdcProxyDisableServerRevocationCheck* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Kerberos/KdcProxyServer** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | KdcProxyDisableServerRevocationCheck | +| Friendly Name | Disable revocation checking for the SSL certificate of KDC proxy servers | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | NoRevocationCheck | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## KdcProxyServer -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/KdcProxyServer +``` + - - + + This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names. -If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller can't be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. +- If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. 
-If you disable or don't configure this policy setting, the Kerberos client doesn't have KDC proxy servers settings defined by Group Policy. +- If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy servers settings defined by Group Policy. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify KDC proxy servers for Kerberos clients* -- GP name: *KdcProxyServer* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Kerberos/MitRealms** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | KdcProxyServer | +| Friendly Name | Specify KDC proxy servers for Kerberos clients | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos | +| Registry Value Name | KdcProxyServer_Enabled | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MitRealms -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/MitRealms +``` + - - + + This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting. -If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. +- If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. -If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted. 
+- If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted. -If you don't configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist. +- If you do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define interoperable Kerberos V5 realm settings* -- GP name: *MitRealms* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Kerberos/ServerAcceptsCompound** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MitRealms | +| Friendly Name | Define interoperable Kerberos V5 realm settings | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos | +| Registry Value Name | MitRealms_Enabled | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ServerAcceptsCompound -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/ServerAcceptsCompound +``` + - - + + This policy setting controls configuring the device's Active Directory account for compound authentication. -Support for providing compound authentication that is used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy. +Support for providing compound authentication which is used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy. -If you enable this policy setting, the device's Active Directory account will be configured for compound authentication by the following options: +- If you enable this policy setting, the device's Active Directory account will be configured for compound authentication by the following options: -- Never: Compound authentication is never provided for this computer account. -- Automatic: Compound authentication is provided for this computer account when one or more applications are configured for Dynamic Access Control. -- Always: Compound authentication is always provided for this computer account. +Never: Compound authentication is never provided for this computer account. -If you disable this policy setting, Never will be used. +Automatic: Compound authentication is provided for this computer account when one or more applications are configured for Dynamic Access Control. -If you don't configure this policy setting, Automatic will be used. +Always: Compound authentication is always provided for this computer account. - +- If you disable this policy setting, Never will be used. 
+- If you do not configure this policy setting, Automatic will be used. + + + + - -ADMX Info: -- GP Friendly name: *Support compound authentication* -- GP name: *ServerAcceptsCompound* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Kerberos/StrictTarget** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ServerAcceptsCompound | +| Friendly Name | Support compound authentication | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | CompoundIdDisabled | +| ADMX File Name | Kerberos.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## StrictTarget -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/StrictTarget +``` + + + + This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by generating an SPN. -If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkService might fail to authenticate. +- If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkService might fail to authenticate. -If you disable or don't configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN. +- If you disable or do not configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Require strict target SPN match on remote procedure calls* -- GP name: *StrictTarget* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | StrictTarget | +| Friendly Name | Require strict target SPN match on remote procedure calls | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | StrictTargetContext | +| ADMX File Name | Kerberos.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md index 4f59845591..6db1233f57 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md 
@@ -1,212 +1,209 @@ --- -title: Policy CSP - ADMX_LanmanServer -description: Learn about the Policy CSP - ADMX_LanmanServer. +title: ADMX_LanmanServer Policy CSP +description: Learn more about the ADMX_LanmanServer Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_LanmanServer ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_LanmanServer policies + +## Pol_CipherSuiteOrder -
    -
    - ADMX_LanmanServer/Pol_CipherSuiteOrder -
    -
    - ADMX_LanmanServer/Pol_HashPublication -
    -
    - ADMX_LanmanServer/Pol_HashSupportVersion -
    -
    - ADMX_LanmanServer/Pol_HonorCipherSuiteOrder -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LanmanServer/Pol_CipherSuiteOrder +``` + -
    - - -**ADMX_LanmanServer/Pol_CipherSuiteOrder** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines the cipher suites used by the SMB server. -If you enable this policy setting, cipher suites are prioritized in the order specified. +- If you enable this policy setting, cipher suites are prioritized in the order specified. -If you enable this policy setting and don't specify at least one supported cipher suite, or if you disable or don't configure this policy setting, the default cipher suite order is used. +- If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure this policy setting, the default cipher suite order is used. SMB 3.11 cipher suites: -- AES_128_GCM -- AES_128_CCM +AES_128_GCM +AES_128_CCM +AES_256_GCM +AES_256_CCM SMB 3.0 and 3.02 cipher suites: -- AES_128_CCM +AES_128_CCM -**How to modify this setting:** +How to modify this setting: Arrange the desired cipher suites in the edit box, one cipher suite per line, in order from most to least preferred, with the most preferred cipher suite at the top. Remove any cipher suites you don't want to use. > [!NOTE] > When configuring this security setting, changes will not take effect until you restart Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Cipher suite order* -- GP name: *Pol_CipherSuiteOrder* -- GP path: *Network/Lanman Server* -- GP ADMX file name: *LanmanServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Pol_CipherSuiteOrder | +| Friendly Name | Cipher suite order | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer | +| ADMX File Name | LanmanServer.admx | + - -**ADMX_LanmanServer/Pol_HashPublication** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## Pol_HashPublication - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LanmanServer/Pol_HashPublication +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed. Policy configuration -Select one of the following options: +Select one of the following: + +- Not Configured. With this selection, hash publication settings are not applied to file servers. In the circumstance where file servers are domain members but you do not want to enable BranchCache on all file servers, you can specify Not Configured for this domain Group Policy setting, and then configure local machine policy to enable BranchCache on individual file servers. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual servers where you want to enable BranchCache. -- Not Configured. With this selection, hash publication settings aren't applied to file servers. In the circumstance where file servers are domain members but you don't want to enable BranchCache on all file servers, you can specify Not Configured for this domain Group Policy setting, and then configure local machine policy to enable BranchCache on individual file servers. Because the domain Group Policy setting isn't configured, it will not over-write the enabled setting that you use on individual servers where you want to enable BranchCache. - Enabled. With this selection, hash publication is turned on for all file servers where Group Policy is applied. For example, if Hash Publication for BranchCache is enabled in domain Group Policy, hash publication is turned on for all domain member file servers to which the policy is applied. The file servers are then able to create content information for all content that is stored in BranchCache-enabled file shares. + - Disabled. 
With this selection, hash publication is turned off for all file servers where Group Policy is applied. In circumstances where this policy setting is enabled, you can also select the following configuration options: - Allow hash publication for all shared folders. With this option, BranchCache generates content information for all content in all shares on the file server. + - Allow hash publication only for shared folders on which BranchCache is enabled. With this option, content information is generated only for shared folders on which BranchCache is enabled. If you use this setting, you must enable BranchCache for individual shares in Share and Storage Management on the file server. -- Disallow hash publication on all shared folders. With this option, BranchCache doesn't generate content information for any shares on the computer and doesn't send content information to client computers that request content. - +- Disallow hash publication on all shared folders. With this option, BranchCache does not generate content information for any shares on the computer and does not send content information to client computers that request content. + + + + - -ADMX Info: -- GP Friendly name: *Hash Publication for BranchCache* -- GP name: *Pol_HashPublication* -- GP path: *Network/Lanman Server* -- GP ADMX file name: *LanmanServer.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_LanmanServer/Pol_HashSupportVersion** +| Name | Value | +|:--|:--| +| Name | Pol_HashPublication | +| Friendly Name | Hash Publication for BranchCache | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer | +| ADMX File Name | LanmanServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Pol_HashSupportVersion - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LanmanServer/Pol_HashSupportVersion +``` + -
    - - - + + This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled. -If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it's the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes. +If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it is the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes. -For policy configuration, select one of the following options: +Policy configuration + +Select one of the following: + +- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting. In this circumstance, which is the default, both V1 and V2 hash generation and retrieval are supported. -- Not Configured. With this selection, BranchCache settings aren't applied to client computers by this policy setting. In this circumstance, which is the default, both V1 and V2 hash generation and retrieval are supported. - Enabled. With this selection, the policy setting is applied and the hash version(s) that are specified in "Hash version supported" are generated and retrieved. + - Disabled. With this selection, both V1 and V2 hash generation and retrieval are supported. In circumstances where this setting is enabled, you can also select and configure the following option: 
@@ -214,77 +211,116 @@ In circumstances where this setting is enabled, you can also select and configur Hash version supported: - To support V1 content information only, configure "Hash version supported" with the value of 1. + - To support V2 content information only, configure "Hash version supported" with the value of 2. + - To support both V1 and V2 content information, configure "Hash version supported" with the value of 3. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hash Version support for BranchCache* -- GP name: *Pol_HashSupportVersion* -- GP path: *Network/Lanman Server* -- GP ADMX file name: *LanmanServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_LanmanServer/Pol_HonorCipherSuiteOrder** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_HashSupportVersion | +| Friendly Name | Hash Version support for BranchCache | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer | +| ADMX File Name | LanmanServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_HonorCipherSuiteOrder -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LanmanServer/Pol_HonorCipherSuiteOrder +``` + - - + + This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client. -If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cipher suites, ignoring the client's preferences. +- If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cipher suites, ignoring the client's preferences. -If you disable or don't configure this policy setting, the SMB server will select the cipher suite the client most prefers from the list of server-supported cipher suites. +- If you disable or do not configure this policy setting, the SMB server will select the cipher suite the client most prefers from the list of server-supported cipher suites. > [!NOTE] > When configuring this security setting, changes will not take effect until you restart Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Honor cipher suite order* -- GP name: *Pol_HonorCipherSuiteOrder* -- GP path: *Network/Lanman Server* -- GP ADMX file name: *LanmanServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Pol_HonorCipherSuiteOrder | +| Friendly Name | Honor cipher suite order | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer | +| Registry Value Name | HonorCipherSuiteOrder | +| ADMX File Name | LanmanServer.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md index 7d6f194bfc..4b3d5a5868 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md 
@@ -1,92 +1,63 @@ --- -title: Policy CSP - ADMX_LanmanWorkstation -description: Learn about the Policy CSP - ADMX_LanmanWorkstation. +title: ADMX_LanmanWorkstation Policy CSP +description: Learn more about the ADMX_LanmanWorkstation Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/08/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_LanmanWorkstation ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_LanmanWorkstation policies + +## Pol_CipherSuiteOrder -
    -
    - ADMX_LanmanWorkstation/Pol_CipherSuiteOrder -
    -
    - ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles -
    -
    - ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LanmanWorkstation/Pol_CipherSuiteOrder +``` + -
    - - -**ADMX_LanmanWorkstation/Pol_CipherSuiteOrder** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines the cipher suites used by the SMB client. -If you enable this policy setting, cipher suites are prioritized in the order specified. +- If you enable this policy setting, cipher suites are prioritized in the order specified. -If you enable this policy setting and don't specify at least one supported cipher suite, or if you disable or don't configure this policy setting, the default cipher suite order is used. +- If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure this policy setting, the default cipher suite order is used. SMB 3.11 cipher suites: -- AES_128_GCM -- AES_128_CCM -- AES_256_GCM -- AES_256_CCM - -> [!NOTE] -> AES_256 is not supported on Windows 10 version 20H2 and lower. If you enter only AES_256 crypto lines, the older clients will not be able to connect anymore. +AES_128_GCM +AES_128_CCM +AES_256_GCM +AES_256_CCM SMB 3.0 and 3.02 cipher suites: -- AES_128_CCM +AES_128_CCM How to modify this setting: @@ -94,125 +65,176 @@ Arrange the desired cipher suites in the edit box, one cipher suite per line, in > [!NOTE] > When configuring this security setting, changes will not take effect until you restart Windows. + - + +[!NOTE] +AES_256 is not supported on Windows 10 version 20H2 and lower. If you enter only AES_256 crypto lines, the older clients will not be able to connect anymore. + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Cipher suite order* -- GP name: *Pol_CipherSuiteOrder* -- GP path: *Network\Lanman Workstation* -- GP ADMX file name: *LanmanWorkstation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_CipherSuiteOrder | +| Friendly Name | Cipher suite order | +| Location | Computer Configuration | +| Path | Network > Lanman Workstation | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation | +| ADMX File Name | LanmanWorkstation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_EnableHandleCachingForCAFiles -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles +``` + - - + + This policy setting determines the behavior of SMB handle caching for clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. -If you enable this policy setting, the SMB client will allow cached handles to files on CA shares. This provision may lead to better performance when repeatedly accessing a large number of unstructured data files on CA shares running in Microsoft Azure Files. +- If you enable this policy setting, the SMB client will allow cached handles to files on CA shares. This may lead to better performance when repeatedly accessing a large number of unstructured data files on CA shares running in Microsoft Azure Files. -If you disable or don't configure this policy setting, Windows will prevent use of cached handles to files opened through CA shares. +- If you disable or do not configure this policy setting, Windows will prevent use of cached handles to files opened through CA shares. > [!NOTE] -> This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Microsoft doesn't recommend enabling this policy for clients that routinely connect to files hosted on a Windows Failover Cluster with the File Server for General Use role, as it can lead to adverse failover times and increased memory and CPU usage. +> This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Microsoft does not recommend enabling this policy for clients that routinely connect to files hosted on a Windows Failover Cluster with the File Server for General Use role, as it can lead to adverse failover times and increased memory and CPU usage. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Handle Caching on Continuous Availability Shares* -- GP name: *Pol_EnableHandleCachingForCAFiles* -- GP path: *Network\Lanman Workstation* -- GP ADMX file name: *LanmanWorkstation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_EnableHandleCachingForCAFiles | +| Friendly Name | Handle Caching on Continuous Availability Shares | +| Location | Computer Configuration | +| Path | Network > Lanman Workstation | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation | +| Registry Value Name | EnableHandleCachingForCAFiles | +| ADMX File Name | LanmanWorkstation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_EnableOfflineFilesforCAShares -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares +``` + - - + + This policy setting determines the behavior of Offline Files on clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. -If you enable this policy setting, the "Always Available offline" option will appear in the File Explorer menu on a Windows computer when connecting to a CA-enabled share. Pinning of files on CA-enabled shares using client-side caching will also be possible. +- If you enable this policy setting, the "Always Available offline" option will appear in the File Explorer menu on a Windows computer when connecting to a CA-enabled share. Pinning of files on CA-enabled shares using client-side caching will also be possible. -If you disable or don't configure this policy setting, Windows will prevent use of Offline Files with CA-enabled shares. +- If you disable or do not configure this policy setting, Windows will prevent use of Offline Files with CA-enabled shares. > [!NOTE] -> Microsoft doesn't recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition times between the online and offline states. +> Microsoft does not recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition times between the online and offline states. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Offline Files Availability on Continuous Availability Shares* -- GP name: *Pol_EnableOfflineFilesforCAShares* -- GP path: *Network\Lanman Workstation* -- GP ADMX file name: *LanmanWorkstation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Pol_EnableOfflineFilesforCAShares | +| Friendly Name | Offline Files Availability on Continuous Availability Shares | +| Location | Computer Configuration | +| Path | Network > Lanman Workstation | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation | +| Registry Value Name | AllowOfflineFilesforCAShares | +| ADMX File Name | LanmanWorkstation.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md index 665083e58a..3908dc2a9b 100644 --- a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md 
@@ -1,100 +1,105 @@ --- -title: Policy CSP - ADMX_LeakDiagnostic -description: Learn about the Policy CSP - ADMX_LeakDiagnostic. +title: ADMX_LeakDiagnostic Policy CSP +description: Learn more about the ADMX_LeakDiagnostic Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/17/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_LeakDiagnostic > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    - -## ADMX_LeakDiagnostic policies + + + -
    -
    - ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy -
    -
    + +## WdiScenarioExecutionPolicy + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy +``` + - -**ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy** + + +This policy setting determines whether Diagnostic Policy Service (DPS) diagnoses memory leak problems. - +- If you enable or do not configure this policy setting, the DPS enables Windows Memory Leak Diagnosis by default. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you disable this policy setting, the DPS is not able to diagnose memory leak problems. - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
    - - - -This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault. - -If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. - -If you disable or don't configure this policy setting, Windows displays the default alert text in the disk diagnostic message. - -No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. - -This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed. - -The DPS can be configured with the Services snap-in to the Microsoft Management Console. +This policy setting takes effect only under the following conditions: +- If the diagnostics-wide scenario execution policy is not configured. +- When the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. > [!NOTE] -> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. +> The DPS can be configured with the Services snap-in to the Microsoft Management Console. - +No operating system restart or service restart is required for this policy to take effect. Changes take effect immediately. + + +[!NOTE] +For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. 
+ - -ADMX Info: -- GP Friendly name: *Configure custom alert text* -- GP name: *WdiScenarioExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic* -- GP ADMX file name: *LeakDiagnostic.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Configure Scenario Execution Level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Windows Memory Leak Diagnosis | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{eb73b633-3f4e-4ba0-8f60-8f3c6f53168f} | +| ADMX File Name | LeakDiagnostic.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md index 2360df199e..3d53041435 100644 --- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md +++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md 
@@ -1,145 +1,160 @@ --- -title: Policy CSP - ADMX_LinkLayerTopologyDiscovery -description: Learn about Policy CSP - ADMX_LinkLayerTopologyDiscovery. +title: ADMX_LinkLayerTopologyDiscovery Policy CSP +description: Learn more about the ADMX_LinkLayerTopologyDiscovery Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/04/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_LinkLayerTopologyDiscovery ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_LinkLayerTopologyDiscovery policies + +## LLTD_EnableLLTDIO -
    -
    - ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO -
    -
    - ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO +``` + -
    - - -**ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. -If you enable this policy setting, more options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow LLTDIO to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead. +- If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow LLTDIO to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead. -If you disable or don't configure this policy setting, the default behavior of LLTDIO will apply. +- If you disable or do not configure this policy setting, the default behavior of LLTDIO will apply. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on Mapper I/O (LLTDIO) driver* -- GP name: *LLTD_EnableLLTDIO* -- GP path: *Network/Link-Layer Topology Discovery* -- GP ADMX file name: *LinkLayerTopologyDiscovery.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | LLTD_EnableLLTDIO | +| Friendly Name | Turn on Mapper I/O (LLTDIO) driver | +| Location | Computer Configuration | +| Path | Network > Link-Layer Topology Discovery | +| Registry Key Name | Software\Policies\Microsoft\Windows\LLTD | +| Registry Value Name | EnableLLTDIO | +| ADMX File Name | LinkLayerTopologyDiscovery.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LLTD_EnableRspndr -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr +``` + - - + + This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. -If you enable this policy setting, more options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow the Responder to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead. +- If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow the Responder to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead. -If you disable or don't configure this policy setting, the default behavior for the Responder will apply. +- If you disable or do not configure this policy setting, the default behavior for the Responder will apply. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on Responder (RSPNDR) driver* -- GP name: *LLTD_EnableRspndr* -- GP path: *Network/Link-Layer Topology Discovery* -- GP ADMX file name: *LinkLayerTopologyDiscovery.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | LLTD_EnableRspndr | +| Friendly Name | Turn on Responder (RSPNDR) driver | +| Location | Computer Configuration | +| Path | Network > Link-Layer Topology Discovery | +| Registry Key Name | Software\Policies\Microsoft\Windows\LLTD | +| Registry Value Name | EnableRspndr | +| ADMX File Name | LinkLayerTopologyDiscovery.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md index ef3c5aaed0..1bef7d5e63 100644 --- a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md +++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md 
@@ -1,93 +1,98 @@ --- -title: Policy CSP - ADMX_LocationProviderAdm -description: Learn about Policy CSP - ADMX_LocationProviderAdm. +title: ADMX_LocationProviderAdm Policy CSP +description: Learn more about the ADMX_LocationProviderAdm Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/20/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_LocationProviderAdm -> [!WARNING] -> Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    - -## ADMX_LocationProviderAdm policies + + +> [!WARNING] +> Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + -
    -
    - ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1 -
    -
    + +## DisableWindowsLocationProvider_1 + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1 +``` + - -**ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
    - - - + + This policy setting turns off the Windows Location Provider feature for this computer. -- If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer won't be able to use the Windows Location Provider feature. +- If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature. -- If you disable or don't configure this policy setting, all programs on this computer can use the Windows Location Provider feature. +- If you disable or do not configure this policy setting, all programs on this computer can use the Windows Location Provider feature. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Windows Location Provider* -- GP name: *DisableWindowsLocationProvider_1* -- GP path: *Windows Components\Location and Sensors\Windows Location Provider* -- GP ADMX file name: *LocationProviderAdm.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!NOTE] -> These policies are currently only available as a part of Windows Insider release. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | DisableWindowsLocationProvider_1 | +| Friendly Name | Turn off Windows Location Provider | +| Location | Computer Configuration | +| Path | Windows Components > Location and Sensors > Windows Location Provider | +| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | +| Registry Value Name | DisableWindowsLocationProvider | +| ADMX File Name | LocationProviderAdm.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md index 636ace2a3b..d95dcfdb4f 100644 --- a/windows/client-management/mdm/policy-csp-admx-logon.md +++ b/windows/client-management/mdm/policy-csp-admx-logon.md 
@@ -1,867 +1,1026 @@ --- -title: Policy CSP - ADMX_Logon -description: Learn about Policy CSP - ADMX_Logon. +title: ADMX_Logon Policy CSP +description: Learn more about the ADMX_Logon Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/21/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Logon ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Logon policies + +## BlockUserFromShowingAccountDetailsOnSignin -
    -
    - ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin -
    -
    - ADMX_Logon/DisableAcrylicBackgroundOnLogon -
    -
    - ADMX_Logon/DisableExplorerRunLegacy_1 -
    -
    - ADMX_Logon/DisableExplorerRunLegacy_2 -
    -
    - ADMX_Logon/DisableExplorerRunOnceLegacy_1 -
    -
    - ADMX_Logon/DisableExplorerRunOnceLegacy_2 -
    -
    - ADMX_Logon/DisableStatusMessages -
    -
    - ADMX_Logon/DontEnumerateConnectedUsers -
    -
    - ADMX_Logon/NoWelcomeTips_1 -
    -
    - ADMX_Logon/NoWelcomeTips_2 -
    -
    - ADMX_Logon/Run_1 -
    -
    - ADMX_Logon/Run_2 -
    -
    - ADMX_Logon/SyncForegroundPolicy -
    -
    - ADMX_Logon/UseOEMBackground -
    -
    - ADMX_Logon/VerboseStatus -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin +``` + -
    - - -**ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy prevents the user from showing account details (email address or user name) on the sign-in screen. -If you enable this policy setting, the user can't choose to show account details on the sign-in screen. +- If you enable this policy setting, the user cannot choose to show account details on the sign-in screen. -If you disable or don't configure this policy setting, the user may choose to show account details on the sign-in screen. +- If you disable or do not configure this policy setting, the user may choose to show account details on the sign-in screen. + - + + + - -ADMX Info: -- GP Friendly name: *Block user from showing account details on sign-in* -- GP name: *BlockUserFromShowingAccountDetailsOnSignin* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Logon/DisableAcrylicBackgroundOnLogon** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | BlockUserFromShowingAccountDetailsOnSignin | +| Friendly Name | Block user from showing account details on sign-in | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | BlockUserFromShowingAccountDetailsOnSignin | +| ADMX File Name | Logon.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DisableAcrylicBackgroundOnLogon -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableAcrylicBackgroundOnLogon +``` + + + + This policy setting disables the acrylic blur effect on logon background image. -If you enable this policy, the logon background image shows without blur. +- If you enable this policy, the logon background image shows without blur. +- If you disable or do not configure this policy, the logon background image adopts the acrylic blur effect. + -If you disable or don't configure this policy, the logon background image adopts the acrylic blur effect. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Show clear logon background* -- GP name: *DisableAcrylicBackgroundOnLogon* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_Logon/DisableExplorerRunLegacy_1** +| Name | Value | +|:--|:--| +| Name | DisableAcrylicBackgroundOnLogon | +| Friendly Name | Show clear logon background | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DisableAcrylicBackgroundOnLogon | +| ADMX File Name | Logon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableExplorerRunLegacy_1 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableExplorerRunLegacy_1 +``` + -
    - - - + + This policy setting ignores the customized run list. -These programs are added to the standard run list of programs and services that the system starts. +You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts. + +- If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. + +- If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list. This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. > [!NOTE] -> To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not process the run once list" policy setting. +> To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. - +Also, see the "Do not process the run once list" policy setting. + + + + - -ADMX Info: -- GP Friendly name: *Do not process the legacy run list* -- GP name: *DisableExplorerRunLegacy_1* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Logon/DisableExplorerRunLegacy_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableExplorerRunLegacy_1 | +| Friendly Name | Do not process the legacy run list | +| Location | User Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableCurrentUserRun | +| ADMX File Name | Logon.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DisableExplorerRunLegacy_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableExplorerRunLegacy_2 +``` + + + + This policy setting ignores the customized run list. -These programs are added to the standard run list of programs and services that the system starts. +You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts. + +- If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. + +- If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list. This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. > [!NOTE] -> To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not process the run once list" policy setting. +> To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. - +Also, see the "Do not process the run once list" policy setting. + + + + - -ADMX Info: -- GP Friendly name: *Do not process the legacy run list* -- GP name: *DisableExplorerRunLegacy_2* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Logon/DisableExplorerRunOnceLegacy_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableExplorerRunLegacy_2 | +| Friendly Name | Do not process the legacy run list | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableLocalMachineRun | +| ADMX File Name | Logon.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## DisableExplorerRunOnceLegacy_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableExplorerRunOnceLegacy_1 +``` + + + + This policy setting ignores customized run-once lists. -You can create a customized list of other programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. +You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. -If you enable this policy setting, the system ignores the run-once list. +- If you enable this policy setting, the system ignores the run-once list. -If you disable or don't configure this policy setting, the system runs the programs in the run-once list. +- If you disable or do not configure this policy setting, the system runs the programs in the run-once list. This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. > [!NOTE] -> Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the "Do not process the legacy run list" policy setting. +> Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. - +Also, see the "Do not process the legacy run list" policy setting. + + + + - -ADMX Info: -- GP Friendly name: *Do not process the run once list* -- GP name: *DisableExplorerRunOnceLegacy_1* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Logon/DisableExplorerRunOnceLegacy_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableExplorerRunOnceLegacy_1 | +| Friendly Name | Do not process the run once list | +| Location | User Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableCurrentUserRunOnce | +| ADMX File Name | Logon.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DisableExplorerRunOnceLegacy_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableExplorerRunOnceLegacy_2 +``` + + + + This policy setting ignores customized run-once lists. -You can create a customized list of other programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. +You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. -If you enable this policy setting, the system ignores the run-once list. +- If you enable this policy setting, the system ignores the run-once list. -If you disable or don't configure this policy setting, the system runs the programs in the run-once list. +- If you disable or do not configure this policy setting, the system runs the programs in the run-once list. This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. > [!NOTE] -> Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the "Do not process the legacy run list" policy setting. +> Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. - +Also, see the "Do not process the legacy run list" policy setting. + + + + - -ADMX Info: -- GP Friendly name: *Do not process the run once list* -- GP name: *DisableExplorerRunOnceLegacy_2* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Logon/DisableStatusMessages** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableExplorerRunOnceLegacy_2 | +| Friendly Name | Do not process the run once list | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableLocalMachineRunOnce | +| ADMX File Name | Logon.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DisableStatusMessages -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableStatusMessages +``` + + + + This policy setting suppresses system status messages. -If you enable this setting, the system doesn't display a message reminding users to wait while their system starts or shuts down, or while users sign in or sign out. +- If you enable this setting, the system does not display a message reminding users to wait while their system starts or shuts down, or while users log on or off. -If you disable or don't configure this policy setting, the system displays the message reminding users to wait while their system starts or shuts down, or while users sign in or sign out. +- If you disable or do not configure this policy setting, the system displays the message reminding users to wait while their system starts or shuts down, or while users log on or off. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Boot / Shutdown / Logon / Logoff status messages* -- GP name: *DisableStatusMessages* -- GP path: *System* -- GP ADMX file name: *Logon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Logon/DontEnumerateConnectedUsers** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableStatusMessages | +| Friendly Name | Remove Boot / Shutdown / Logon / Logoff status messages | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisableStatusMessages | +| ADMX File Name | Logon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DontEnumerateConnectedUsers -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/DontEnumerateConnectedUsers +``` + - - + + This policy setting prevents connected users from being enumerated on domain-joined computers. -If you enable this policy setting, the Logon UI won't enumerate any connected users on domain-joined computers. +- If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. -If you disable or don't configure this policy setting, connected users will be enumerated on domain-joined computers. +- If you disable or do not configure this policy setting, connected users will be enumerated on domain-joined computers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not enumerate connected users on domain-joined computers* -- GP name: *DontEnumerateConnectedUsers* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Logon/NoWelcomeTips_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DontEnumerateConnectedUsers | +| Friendly Name | Do not enumerate connected users on domain-joined computers | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DontEnumerateConnectedUsers | +| ADMX File Name | Logon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoWelcomeTips_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Logon/NoWelcomeTips_1 +``` + - - -This policy setting hides the welcome screen that is displayed on Windows each time the user logs on. + + +This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. -If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. +- If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box. -If you disable or don't configure this policy, the welcome screen is displayed each time a user signs in to the computer. +- If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. -This setting applies only to Windows. It doesn't affect the "Configure Your Server on a Windows Server" screen on Windows Server. +This setting applies only to Windows 2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server. > [!NOTE] > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] > To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not display the Getting Started welcome screen at logon* -- GP name: *NoWelcomeTips_1* -- GP path: *System* -- GP ADMX file name: *Logon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Logon/NoWelcomeTips_2** +| Name | Value | +|:--|:--| +| Name | NoWelcomeTips_1 | +| Friendly Name | Do not display the Getting Started welcome screen at logon | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoWelcomeScreen | +| ADMX File Name | Logon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## NoWelcomeTips_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/NoWelcomeTips_2 +``` + -
    + + +This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. - - -This policy setting hides the welcome screen that is displayed on Windows each time the user logs on. - -If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. +- If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box. -If you disable or don't configure this policy, the welcome screen is displayed each time a user signs in to the computer. This setting applies only to Windows. It doesn't affect the "Configure Your Server on a Windows Server" screen on Windows Server. +- If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. + +This setting applies only to Windows 2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server. > [!NOTE] > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] > To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not display the Getting Started welcome screen at logon* -- GP name: *NoWelcomeTips_2* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Logon/Run_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoWelcomeTips_2 | +| Friendly Name | Do not display the Getting Started welcome screen at logon | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoWelcomeScreen | +| ADMX File Name | Logon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Logon/Run_1 +``` + - - -This policy setting specifies other programs or documents that Windows starts automatically when a user signs in to the system. + + +This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. -If you enable this policy setting, you can specify which programs can run at the time the user signs in to this computer that has this policy applied. +- If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file. -If you disable or don't configure this policy setting, the user will have to start the appropriate programs after signing in. +- If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon. > [!NOTE] > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting. -Also, see the "Do not process the legacy run list" and the "don't process the run once list" settings. +Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Run these programs at user logon* -- GP name: *Run_1* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Logon/Run_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Run_1 | +| Friendly Name | Run these programs at user logon | +| Location | User Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | Logon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/Run_2 +``` + - - -This policy setting specifies other programs or documents that Windows starts automatically when a user signs in to the system. + + +This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. -If you enable this policy setting, you can specify which programs can run at the time the user signs in to this computer that has this policy applied. +- If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file. -If you disable or don't configure this policy setting, the user will have to start the appropriate programs after signing in. +- If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon. > [!NOTE] > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting. -Also, see the "Do not process the legacy run list" and the "don't process the run once list" settings. +Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings. 
+ + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Run these programs at user logon* -- GP name: *Run_2* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_Logon/SyncForegroundPolicy** +| Name | Value | +|:--|:--| +| Name | Run_2 | +| Friendly Name | Run these programs at user logon | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | Logon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## SyncForegroundPolicy - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/SyncForegroundPolicy +``` + -
    + + +This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user logon). By default, on client computers, Group Policy processing is not synchronous; client computers typically do not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background after the network becomes available. - - -This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user sign in). By default, on client computers, Group Policy processing isn't synchronous; client computers typically don't wait for the network to be fully initialized at startup and sign in. Existing users are signed in using cached credentials, which results in shorter sign-in times. Group Policy is applied in the background after the network becomes available. +**Note** that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two logons to be detected. -Because this process (of applying Group Policy) is a background refresh, extensions such as Software Installation and Folder Redirection take two sign-ins to apply changes. To be able to operate safely, these extensions require that no users be signed in. Therefore, they must be processed in the foreground before users are actively using the computer. 
In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script may take up to two sign-ins to be detected. +If a user with a roaming profile, home directory, or user object logon script logs on to a computer, computers always wait for the network to be initialized before logging the user on. If a user has never logged on to this computer before, computers always wait for the network to be initialized. -If a user with a roaming profile, home directory, or user object logon script signs in to a computer, computers always wait for the network to be initialized before signing in the user. If a user has never signed in to this computer before, computers always wait for the network to be initialized. - -If you enable this policy setting, computers wait for the network to be fully initialized before users are signed in. Group Policy is applied in the foreground, synchronously. +- If you enable this policy setting, computers wait for the network to be fully initialized before users are logged on. Group Policy is applied in the foreground, synchronously. On servers running Windows Server 2008 or later, this policy setting is ignored during Group Policy processing at computer startup and Group Policy processing will be synchronous (these servers wait for the network to be initialized during computer startup). -If the server is configured as follows, this policy setting takes effect during Group Policy processing at user sign in: - +If the server is configured as follows, this policy setting takes effect during Group Policy processing at user logon - The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and -- The “Allow asynchronous user Group Policy processing when logging on through Terminal Services” policy setting is enabled. 
This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\\. +- The "Allow asynchronous user Group Policy processing when logging on through Terminal Services" policy setting is enabled. This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\. -If this configuration isn't implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user sign in is synchronous (these servers wait for the network to be initialized during user sign in). +If this configuration is not implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user logon is synchronous (these servers wait for the network to be initialized during user logon). -If you disable or don't configure this policy setting and users sign in to a client computer or a server running Windows Server 2008 or later and that is configured as described earlier, the computer typically doesn't wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied asynchronously in the background. +- If you disable or do not configure this policy setting and users log on to a client computer or a server running Windows Server 2008 or later and that is configured as described earlier, the computer typically does not wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied asynchronously in the background. -> [!NOTE] -> -> - If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one sign in, enable this policy setting to ensure that Windows waits for the network to be available before applying policy. 
-> - If Folder Redirection policy will apply during the next sign in, security policies will be applied asynchronously during the next update cycle, if network connectivity is available. +**Note** +-If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this policy setting to ensure that Windows waits for the network to be available before applying policy. +-If Folder Redirection policy will apply during the next logon, security policies will be applied asynchronously during the next update cycle, if network connectivity is available. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Always wait for the network at computer startup and logon* -- GP name: *SyncForegroundPolicy* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Logon/UseOEMBackground** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SyncForegroundPolicy | +| Friendly Name | Always wait for the network at computer startup and logon | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon | +| Registry Value Name | SyncForegroundPolicy | +| ADMX File Name | Logon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## UseOEMBackground -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/UseOEMBackground +``` + - - + + This policy setting ignores Windows Logon Background. -This policy setting may be used to make Windows give preference to a custom logon background. If you enable this policy setting, the sign-in screen always attempts to load a custom background instead of the Windows-branded logon background. +This policy setting may be used to make Windows give preference to a custom logon background. -If you disable or don't configure this policy setting, Windows uses the default Windows logon background or custom background. +- If you enable this policy setting, the logon screen always attempts to load a custom background instead of the Windows-branded logon background. - +- If you disable or do not configure this policy setting, Windows uses the default Windows logon background or custom background. + + + + - -ADMX Info: -- GP Friendly name: *Always use custom logon background* -- GP name: *UseOEMBackground* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Logon/VerboseStatus** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | UseOEMBackground | +| Friendly Name | Always use custom logon background | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | UseOEMBackground | +| ADMX File Name | Logon.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## VerboseStatus -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/VerboseStatus +``` + + + + This policy setting directs the system to display highly detailed status messages. This policy setting is designed for advanced users who require this information. -If you enable this policy setting, the system displays status messages that reflect each step in the process of starting, shutting down, logging on, or logging off the system. +- If you enable this policy setting, the system displays status messages that reflect each step in the process of starting, shutting down, logging on, or logging off the system. -If you disable or don't configure this policy setting, only the default status messages are displayed to the user during these processes. +- If you disable or do not configure this policy setting, only the default status messages are displayed to the user during these processes. > [!NOTE] > This policy setting is ignored if the "Remove Boot/Shutdown/Logon/Logoff status messages" policy setting is enabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display highly detailed status messages* -- GP name: *VerboseStatus* -- GP path: *System* -- GP ADMX file name: *Logon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | VerboseStatus | +| Friendly Name | Display highly detailed status messages | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | VerboseStatus | +| ADMX File Name | Logon.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index db7d591d25..7cc5313827 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md 
@@ -1,819 +1,655 @@ --- -title: Policy CSP - ADMX_MicrosoftDefenderAntivirus -description: Learn about Policy CSP - ADMX_MicrosoftDefenderAntivirus. +title: ADMX_MicrosoftDefenderAntivirus Policy CSP +description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/19/2022 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MicrosoftDefenderAntivirus ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MicrosoftDefenderAntivirus policies + +## AllowFastServiceStartup -
    -
    - ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction -
    -
    - ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions -
    -
    - ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths -
    -
    - ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes -
    -
    - ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions -
    -
    - ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules -
    -
    - ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications -
    -
    - ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders -
    -
    - ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation -
    -
    - ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement -
    -
    - ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid -
    -
    - ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition -
    -
    - ADMX_MicrosoftDefenderAntivirus/ProxyBypass -
    -
    - ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl -
    -
    - ADMX_MicrosoftDefenderAntivirus/ProxyServer -
    -
    - ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay -
    -
    - ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay -
    -
    - ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection -
    -
    - ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime -
    -
    - ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay -
    -
    - ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_Disablegenericreports -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime -
    -
    - ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup -
    -
    - ADMX_MicrosoftDefenderAntivirus/SpynetReporting -
    -
    - ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting -
    -
    - ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction -
    -
    - ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString -
    -
    - ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress -
    -
    - ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification -
    -
    - ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup +``` + -
    - - -**ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. -If you enable or don't configure this setting, the antimalware service will load as a normal priority task. +- If you enable or do not configure this setting, the antimalware service will load as a normal priority task. -If you disable this setting, the antimalware service will load as a low priority task. +- If you disable this setting, the antimalware service will load as a low priority task. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow antimalware service to startup with normal priority* -- GP name: *AllowFastServiceStartup* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowFastServiceStartup | +| Friendly Name | Allow antimalware service to startup with normal priority | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| Registry Value Name | AllowFastServiceStartup | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableAntiSpywareDefender -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender +``` + - - + + This policy setting turns off Microsoft Defender Antivirus. -If you enable this policy setting, Microsoft Defender Antivirus doesn't run, and won't scan computers for malware or other potentially unwanted software. +- If you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software. -If you disable this policy setting, Microsoft Defender Antivirus will run regardless of any other installed antivirus product. +- If you disable this policy setting, Microsoft Defender Antivirus will run regardless of any other installed antivirus product. -If you don't configure this policy setting, Windows will internally manage Microsoft Defender Antivirus. If you install another antivirus program, Windows automatically disables Microsoft Defender Antivirus. Otherwise, Microsoft Defender Antivirus will scan your computers for malware and other potentially unwanted software. +- If you do not configure this policy setting, Windows will internally manage Microsoft Defender Antivirus. If you install another antivirus program, Windows automatically disables Microsoft Defender Antivirus. Otherwise, Microsoft Defender Antivirus will scan your computers for malware and other potentially unwanted software. -Enabling or disabling this policy may lead to unexpected or unsupported behavior. It's recommended that you leave this policy setting unconfigured. +Enabling or disabling this policy may lead to unexpected or unsupported behavior. It is recommended that you leave this policy setting unconfigured. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Microsoft Defender Antivirus* -- GP name: *DisableAntiSpywareDefender* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableAntiSpywareDefender | +| Friendly Name | Turn off Microsoft Defender Antivirus | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| Registry Value Name | DisableAntiSpyware | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableAutoExclusions -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions +``` + - - + + Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off. -If you disable or don't configure this policy setting, Microsoft Defender Antivirus will exclude pre-defined list of paths from the scan to improve performance. It is disabled by default. +Disabled (Default): +Microsoft Defender will exclude pre-defined list of paths from the scan to improve performance. -If you enable this policy setting, Microsoft Defender Antivirus won't exclude pre-defined list of paths from scans. This non-exclusion can impact machine performance in some scenarios. +Enabled: +Microsoft Defender will not exclude pre-defined list of paths from scans. This can impact machine performance in some scenarios. - +Not configured: +Same as Disabled. + + + + - -ADMX Info: -- GP Friendly name: *Turn off Auto Exclusions* -- GP name: *DisableAutoExclusions* -- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* -- GP ADMX file name: *WindowsDefender.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableAutoExclusions | +| Friendly Name | Turn off Auto Exclusions | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | +| Registry Value Name | DisableAutoExclusions | +| ADMX File Name | WindowsDefender.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DisableBlockAtFirstSeen -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check won't occur, which will lower the protection state of the device. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen +``` + -If you enable this feature, the Block at First Sight setting is turned on. -If you disable this feature, the Block at First Sight setting is turned off. + + +This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device. +Enabled - The Block at First Sight setting is turned on. +Disabled - The Block at First Sight setting is turned off. -This feature requires these Policy settings to be set as follows: +This feature requires these Group Policy settings to be set as follows: +MAPS -> The "Join Microsoft MAPS" must be enabled or the "Block at First Sight" feature will not function. +MAPS -> The "Send file samples when further analysis is required" should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function. +Real-time Protection -> The "Scan all downloaded files and attachments" policy must be enabled or the "Block at First Sight" feature will not function. +Real-time Protection -> Do not enable the "Turn off real-time protection" policy or the "Block at First Sight" feature will not function. + -- MAPS -> The “Join Microsoft MAPS” must be enabled or the “Block at First Sight” feature won't function. 
-- MAPS -> The “Send file samples when further analysis is required” should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the “Block at First Sight” feature won't function. -- Real-time Protection -> The “Scan all downloaded files and attachments” policy must be enabled or the “Block at First Sight” feature won't function. -- Real-time Protection -> don't enable the “Turn off real-time protection” policy or the “Block at First Sight” feature won't function. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure the 'Block at First Sight' feature* -- GP name: *DisableBlockAtFirstSeen* -- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableBlockAtFirstSeen | +| Friendly Name | Configure the 'Block at First Sight' feature | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MAPS | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet | +| Registry Value Name | DisableBlockAtFirstSeen | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableLocalAdminMerge -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge +``` + - - -This policy setting controls whether or not complex list settings configured by a local administrator are merged with Policy settings. This setting applies to lists such as threats and Exclusions. + + +This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions. -If you enable or don't configure this setting, unique items defined in Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, Policy Settings will override preference settings. +- If you disable or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group policy Settings will override preference settings. -If you disable this setting, only items defined by Policy will be used in the resulting effective policy. Policy settings will override preference settings configured by the local administrator. +- If you enable this setting, only items defined by Group Policy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure local administrator merge behavior for lists* -- GP name: *DisableLocalAdminMerge* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableLocalAdminMerge | +| Friendly Name | Configure local administrator merge behavior for lists | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| Registry Value Name | DisableLocalAdminMerge | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableRealtimeMonitoring -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring +``` + - - -This policy setting turns off real-time protection prompts for known malware detection. + + +This policy turns off real-time protection in Microsoft Defender Antivirus. -Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. +Real-time protection consists of always-on scanning with file and process behavior monitoring and heuristics. When real-time protection is on, Microsoft Defender Antivirus detects malware and potentially unwanted software that attempts to install itself or run on your device, and prompts you to take action on malware detections. -If you enable this policy setting, Microsoft Defender Antivirus won't prompt users to take actions on malware detections. +- If you enable this policy setting, real-time protection is turned off. -If you disable or don't configure this policy setting, Microsoft Defender Antivirus will prompt users to take actions on malware detections. +- If you either disable or do not configure this policy setting, real-time protection is turned on. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off real-time protection* -- GP name: *DisableRealtimeMonitoring* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableRealtimeMonitoring | +| Friendly Name | Turn off real-time protection | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableRealtimeMonitoring | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableRoutinelyTakingAction -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction +``` + - - + + This policy setting allows you to configure whether Microsoft Defender Antivirus automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-defined action, and the signature-defined action. -If you enable this policy setting, Microsoft Defender Antivirus doesn't automatically take action on the detected threats, but prompts users to choose from the actions available for each threat. +- If you enable this policy setting, Microsoft Defender Antivirus does not automatically take action on the detected threats, but prompts users to choose from the actions available for each threat. -If you disable or don't configure this policy setting, Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds. +- If you disable or do not configure this policy setting, Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off routine remediation* -- GP name: *DisableRoutinelyTakingAction* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableRoutinelyTakingAction | +| Friendly Name | Turn off routine remediation | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| Registry Value Name | DisableRoutinelyTakingAction | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Exclusions_Extensions -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions +``` + - - -This policy setting allows you to specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value isn't used and it's recommended that this value is set to 0. + + +This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Extension Exclusions* -- GP name: *Exclusions_Extensions* -- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Exclusions_Extensions | +| Friendly Name | Extension Exclusions | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | +| Registry Value Name | Exclusions_Extensions | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Exclusions_Paths -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths +``` + - - -This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. + + +This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0. + -As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value isn't used and it's recommended that this value is set to 0. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Path Exclusions* -- GP name: *Exclusions_Paths* -- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes** +| Name | Value | +|:--|:--| +| Name | Exclusions_Paths | +| Friendly Name | Path Exclusions | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | +| Registry Value Name | Exclusions_Paths | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Exclusions_Processes - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes +``` + -
    + + +This policy setting allows you to disable real-time scanning for any file opened by any of the specified processes. This policy does not apply to scheduled scans. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. **Note** that only executables can be excluded. For example, a process might be defined as "c\windows\app.exe". The value is not used and it is recommended that this be set to 0. + - - -This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself won't be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value isn't used and it's recommended that this value is set to 0. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Process Exclusions* -- GP name: *Exclusions_Processes* -- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions** +| Name | Value | +|:--|:--| +| Name | Exclusions_Processes | +| Friendly Name | Process Exclusions | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | +| Registry Value Name | Exclusions_Processes | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## ExploitGuard_ASR_ASROnlyExclusions - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions +``` + -
    - - - + + Exclude files and paths from Attack Surface Reduction (ASR) rules. Enabled: Specify the folders or files and resources that should be excluded from ASR rules in the Options section. Enter each rule on a new line as a name-value pair: - - Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder - Value column: Enter "0" for each item @@ -823,61 +659,76 @@ No exclusions will be applied to the ASR rules. Not configured: Same as Disabled. -You can configure ASR rules in the "Configure Attack Surface Reduction rules" GP setting. +You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Exclude files and paths from Attack Surface Reduction Rules* -- GP name: *ExploitGuard_ASR_ASROnlyExclusions* -- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ASR_ASROnlyExclusions | +| Friendly Name | Exclude files and paths from Attack Surface Reduction Rules | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR | +| Registry Value Name | ExploitGuard_ASR_ASROnlyExclusions | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ExploitGuard_ASR_Rules -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules +``` + - - -Set the state for each ASR rule. + + +Set the state for each Attack Surface Reduction (ASR) rule. -After enabling this setting, you can set each rule to the following values in the Options section: +After enabling this setting, you can set each rule to the following in the Options section: +- Block: the rule will be applied +- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied) +- Off: the rule will not be applied +- Not Configured: the rule is enabled with default values +- Warn: the rule will be applied and the end-user will have the option to bypass the block -- Block: The rule will be applied -- Audit Mode: If the rule would normally cause an event, then it will be recorded (although the rule won't actually be applied) -- Off: The rule won't be applied +Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules will the value of not configured. Enabled: Specify the state for each ASR rule under the Options section for this setting. Enter each rule on a new line as a name-value pair: - - Name column: Enter a valid ASR rule ID - Value column: Enter the status ID that relates to state you want to specify for the associated rule @@ -885,11 +736,16 @@ The following status IDs are permitted under the value column: - 1 (Block) - 0 (Off) - 2 (Audit) +- 5 (Not Configured) +- 6 (Warn) Example: -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1 -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +0 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +1 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +2 Disabled: No ASR rules will be configured. 
@@ -898,3903 +754,4957 @@ Not configured: Same as Disabled. You can exclude folders or files in the "Exclude files and paths from Attack Surface Reduction Rules" GP setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Attack Surface Reduction rules* -- GP name: *ExploitGuard_ASR_Rules* -- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ASR_Rules | +| Friendly Name | Configure Attack Surface Reduction rules | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR | +| Registry Value Name | ExploitGuard_ASR_Rules | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ExploitGuard_ControlledFolderAccess_AllowedApplications -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications +``` + - - -Add other applications that should be considered "trusted" by controlled folder access. + + +Add additional applications that should be considered "trusted" by controlled folder access. These applications are allowed to modify or delete files in controlled folder access folders. -Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add other applications. +Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications. Enabled: -Specify other allowed applications in the Options section. +Specify additional allowed applications in the Options section.. Disabled: -No other applications will be added to the trusted list. +No additional applications will be added to the trusted list. Not configured: Same as Disabled. -You can enable controlled folder access in the "Configure controlled folder access" GP setting. +You can enable controlled folder access in the Configure controlled folder access GP setting. -Default system folders are automatically guarded, but you can add folders in the "Configure protected folders" GP setting. +Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure allowed applications* -- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications* -- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ControlledFolderAccess_AllowedApplications | +| Friendly Name | Configure allowed applications | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | +| Registry Value Name | ExploitGuard_ControlledFolderAccess_AllowedApplications | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ExploitGuard_ControlledFolderAccess_ProtectedFolders -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders +``` + - - + + Specify additional folders that should be guarded by the Controlled folder access feature. -Files in these folders can't be modified or deleted by untrusted applications. +Files in these folders cannot be modified or deleted by untrusted applications. -Default system folders are automatically protected. You can configure this setting to add more folders. +Default system folders are automatically protected. You can configure this setting to add additional folders. The list of default system folders that are protected is shown in Windows Security. Enabled: -Specify more folders that should be protected in the Options section. +Specify additional folders that should be protected in the Options section. Disabled: -No other folders will be protected. +No additional folders will be protected. Not configured: Same as Disabled. -You can enable controlled folder access in the "Configure controlled folder access" GP setting. +You can enable controlled folder access in the Configure controlled folder access GP setting. -Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add more trusted applications in the "Configure allowed applications" GP setting. +Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure protected folders* -- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* -- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ControlledFolderAccess_ProtectedFolders | +| Friendly Name | Configure protected folders | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | +| Registry Value Name | ExploitGuard_ControlledFolderAccess_ProtectedFolders | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MpEngine_EnableFileHashComputation -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation +``` + - - + + Enable or disable file hash computation feature. Enabled: -When this feature is enabled, Microsoft Defender Antivirus will compute hash value for files it scans. +When this feature is enabled Microsoft Defender will compute hash value for files it scans. Disabled: -File hash value isn't computed +File hash value is not computed Not configured: Same as Disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable file hash computation feature* -- GP name: *MpEngine_EnableFileHashComputation* -- GP path: *Windows Components\Microsoft Defender Antivirus\MpEngine* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MpEngine_EnableFileHashComputation | +| Friendly Name | Enable file hash computation feature | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MpEngine | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine | +| Registry Value Name | EnableFileHashComputation | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Nis_Consumers_IPS_DisableSignatureRetirement -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement +``` + - - -This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system isn't vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocol are retired, then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance. + + +This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocal are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance. -If you enable or don't configure this setting, definition retirement will be enabled. +- If you enable or do not configure this setting, definition retirement will be enabled. -If you disable this setting, definition retirement will be disabled. +- If you disable this setting, definition retirement will be disabled. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on definition retirement* -- GP name: *Nis_Consumers_IPS_DisableSignatureRetirement* -- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Nis_Consumers_IPS_DisableSignatureRetirement | +| Friendly Name | Turn on definition retirement | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Network Inspection System | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS | +| Registry Value Name | DisableSignatureRetirement | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid +``` + - - -This policy setting defines more definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: “{b54b6ac9-a737-498e-9120-6616ad3bf590}”. The value isn't used and it's recommended that this value is set to 0. + + +This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: "{b54b6ac9-a737-498e-9120-6616ad3bf590}". The value is not used and it is recommended that this be set to 0. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify additional definition sets for network traffic inspection* -- GP name: *Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid* -- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid | +| Friendly Name | Specify additional definition sets for network traffic inspection | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Network Inspection System | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS\SKU Differentiation | +| Registry Value Name | Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Nis_DisableProtocolRecognition -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition +``` + - - + + This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. -If you enable or don't configure this setting, protocol recognition will be enabled. +- If you enable or do not configure this setting, protocol recognition will be enabled. -If you disable this setting, protocol recognition will be disabled. +- If you disable this setting, protocol recognition will be disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on protocol recognition* -- GP name: *Nis_DisableProtocolRecognition* -- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/ProxyBypass** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Nis_DisableProtocolRecognition | +| Friendly Name | Turn on protocol recognition | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Network Inspection System | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\NIS | +| Registry Value Name | DisableProtocolRecognition | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ProxyBypass -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ProxyBypass +``` + - - + + This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. -If you enable this setting, the proxy server will be bypassed for the specified addresses. +- If you enable this setting, the proxy server will be bypassed for the specified addresses. -If you disable or don't configure this setting, the proxy server won't be bypassed for the specified addresses. +- If you disable or do not configure this setting, the proxy server will not be bypassed for the specified addresses. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define addresses to bypass proxy server* -- GP name: *ProxyBypass* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ProxyBypass | +| Friendly Name | Define addresses to bypass proxy server | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ProxyPacUrl -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    - - - -This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there's no proxy auto-config specified, the client will fall back to the alternative options (in order): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl +``` + + + +This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order): 1. Proxy server (if specified) 2. Proxy .pac URL (if specified) + 3. None 4. Internet Explorer proxy settings + 5. Autodetect -If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above. +- If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above. -If you disable or don't configure this setting, the proxy will skip over this fallback step according to the order specified above. +- If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define proxy auto-config (.pac) for connecting to the network* -- GP name: *ProxyPacUrl* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/ProxyServer** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ProxyPacUrl | +| Friendly Name | Define proxy auto-config (.pac) for connecting to the network | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ProxyServer -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    - - - -This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there's no proxy specified, the client will fall back to the alternative options (in order): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ProxyServer +``` + + + +This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order): 1. Proxy server (if specified) 2. Proxy .pac URL (if specified) + 3. None 4. Internet Explorer proxy settings + 5. Autodetect -If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either http:// or https://. +- If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either https:// or https://. -If you disable or don't configure this setting, the proxy will skip over this fallback step according to the order specified above. +- If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define proxy server for connecting to the network* -- GP name: *ProxyServer* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ProxyServer | +| Friendly Name | Define proxy server for connecting to the network | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Quarantine_LocalSettingOverridePurgeItemsAfterDelay -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay +``` + - - -This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Policy. + + +This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy. -If you enable this setting, the local preference setting will take priority over Policy. +- If you enable this setting, the local preference setting will take priority over Group Policy. -If you disable or don't configure this setting, Policy will take priority over the local preference setting. +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure local setting override for the removal of items from Quarantine folder* -- GP name: *Quarantine_LocalSettingOverridePurgeItemsAfterDelay* -- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Quarantine_LocalSettingOverridePurgeItemsAfterDelay | +| Friendly Name | Configure local setting override for the removal of items from Quarantine folder | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Quarantine | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Quarantine | +| Registry Value Name | LocalSettingOverridePurgeItemsAfterDelay | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Quarantine_PurgeItemsAfterDelay -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay +``` + - - + + This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. -If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. +- If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. -If you disable or don't configure this setting, items will be kept in the quarantine folder indefinitely and won't be automatically removed. +- If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure removal of items from Quarantine folder* -- GP name: *Quarantine_PurgeItemsAfterDelay* -- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Quarantine_PurgeItemsAfterDelay | +| Friendly Name | Configure removal of items from Quarantine folder | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Quarantine | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Quarantine | +| Registry Value Name | PurgeItemsAfterDelay | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RandomizeScheduleTaskTimes -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes +``` + - - -This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled security intelligence update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time. + + +This policy setting allows you to configure the scheduled scan, and the scheduled security intelligence update, start time window in hours. -If you enable or don't configure this setting, scheduled tasks will begin at a random time within an interval of 30 minutes before and after the specified start time. +- If you disable or do not configure this setting, scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler. +- If you enable this setting, you can widen, or narrow, this randomization period. Specify a randomization window of between 1 and 23 hours. + -If you disable this setting, scheduled tasks will begin at the specified start time. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Randomize scheduled task times* -- GP name: *RandomizeScheduleTaskTimes* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring** +| Name | Value | +|:--|:--| +| Name | RandomizeScheduleTaskTimes | +| Friendly Name | Randomize scheduled task times | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| Registry Value Name | RandomizeScheduleTaskTimes | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## RealtimeProtection_DisableBehaviorMonitoring - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring +``` + -
    - - - + + This policy setting allows you to configure behavior monitoring. -If you enable or don't configure this setting, behavior monitoring will be enabled. +- If you enable or do not configure this setting, behavior monitoring will be enabled. -If you disable this setting, behavior monitoring will be disabled. +- If you disable this setting, behavior monitoring will be disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on behavior monitoring* -- GP name: *RealtimeProtection_DisableBehaviorMonitoring* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableBehaviorMonitoring | +| Friendly Name | Turn on behavior monitoring | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableBehaviorMonitoring | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RealtimeProtection_DisableIOAVProtection -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection +``` + - - + + This policy setting allows you to configure scanning for all downloaded files and attachments. -If you enable or don't configure this setting, scanning for all downloaded files and attachments will be enabled. +- If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. -If you disable this setting, scanning for all downloaded files and attachments will be disabled. +- If you disable this setting, scanning for all downloaded files and attachments will be disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Scan all downloaded files and attachments* -- GP name: *RealtimeProtection_DisableIOAVProtection* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableIOAVProtection | +| Friendly Name | Scan all downloaded files and attachments | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableIOAVProtection | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RealtimeProtection_DisableOnAccessProtection -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection +``` + - - + + This policy setting allows you to configure monitoring for file and program activity. -If you enable or don't configure this setting, monitoring for file and program activity will be enabled. +- If you enable or do not configure this setting, monitoring for file and program activity will be enabled. -If you disable this setting, monitoring for file and program activity will be disabled. +- If you disable this setting, monitoring for file and program activity will be disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Monitor file and program activity on your computer* -- GP name: *RealtimeProtection_DisableOnAccessProtection* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableOnAccessProtection | +| Friendly Name | Monitor file and program activity on your computer | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableOnAccessProtection | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RealtimeProtection_DisableRawWriteNotification -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification +``` + - - + + This policy setting controls whether raw volume write notifications are sent to behavior monitoring. -If you enable or don't configure this setting, raw write notifications will be enabled. +- If you enable or do not configure this setting, raw write notifications will be enabled. -If you disable this setting, raw write notifications be disabled. +- If you disable this setting, raw write notifications be disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on raw volume write notifications* -- GP name: *RealtimeProtection_DisableRawWriteNotification* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableRawWriteNotification | +| Friendly Name | Turn on raw volume write notifications | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableRawWriteNotification | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RealtimeProtection_DisableScanOnRealtimeEnable -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable +``` + - - -This policy setting allows you to configure process scanning when real-time protection is turned on. This configuration helps to catch malware that could start when real-time protection is turned off. + + +This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off. -If you enable or don't configure this setting, a process scan will be initiated when real-time protection is turned on. +- If you enable or do not configure this setting, a process scan will be initiated when real-time protection is turned on. -If you disable this setting, a process scan won't be initiated when real-time protection is turned on. +- If you disable this setting, a process scan will not be initiated when real-time protection is turned on. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on process scanning whenever real-time protection is enabled* -- GP name: *RealtimeProtection_DisableScanOnRealtimeEnable* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableScanOnRealtimeEnable | +| Friendly Name | Turn on process scanning whenever real-time protection is enabled | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableScanOnRealtimeEnable | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RealtimeProtection_IOAVMaxSize -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize +``` + - - + + This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. -If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned. - -If you disable or don't configure this setting, a default size will be applied. - - - - - -ADMX Info: -- GP Friendly name: *Define the maximum size of downloaded files and attachments to be scanned* -- GP name: *RealtimeProtection_IOAVMaxSize* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for turn on behavior monitoring* -- GP name: *RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for scanning all downloaded files and attachments* -- GP name: *RealtimeProtection_LocalSettingOverrideDisableIOAVProtection* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for monitoring file and program activity on your computer* -- GP name: *RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override to turn on real-time protection* -- GP name: *RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for monitoring for incoming and outgoing file activity* -- GP name: *RealtimeProtection_LocalSettingOverrideRealtimeScanDirection* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for the time of day to run a scheduled full scan to complete remediation* -- GP name: *Remediation_LocalSettingOverrideScan_ScheduleTime* -- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +- If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned. + +- If you disable or do not configure this setting, a default size will be applied. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_IOAVMaxSize | +| Friendly Name | Define the maximum size of downloaded files and attachments to be scanned | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | IOAVMaxSize | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring +``` + + + + +This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring | +| Friendly Name | Configure local setting override for turn on behavior monitoring | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | LocalSettingOverrideDisableBehaviorMonitoring | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## RealtimeProtection_LocalSettingOverrideDisableIOAVProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection +``` + + + + +This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_LocalSettingOverrideDisableIOAVProtection | +| Friendly Name | Configure local setting override for scanning all downloaded files and attachments | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | LocalSettingOverrideDisableIOAVProtection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection +``` + + + + +This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection | +| Friendly Name | Configure local setting override for monitoring file and program activity on your computer | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | LocalSettingOverrideDisableOnAccessProtection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring +``` + + + + +This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring | +| Friendly Name | Configure local setting override to turn on real-time protection | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | LocalSettingOverrideDisableRealtimeMonitoring | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## RealtimeProtection_LocalSettingOverrideRealtimeScanDirection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection +``` + + + + +This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_LocalSettingOverrideRealtimeScanDirection | +| Friendly Name | Configure local setting override for monitoring for incoming and outgoing file activity | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | LocalSettingOverrideRealtimeScanDirection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Remediation_LocalSettingOverrideScan_ScheduleTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime +``` + + + + +This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Remediation_LocalSettingOverrideScan_ScheduleTime | +| Friendly Name | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Remediation | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Remediation | +| Registry Value Name | LocalSettingOverrideScan_ScheduleTime | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Remediation_Scan_ScheduleDay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay +``` + + + + This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: +(0x0) Every Day +(0x1) Sunday +(0x2) Monday +(0x3) Tuesday +(0x4) Wednesday +(0x5) Thursday +(0x6) Friday +(0x7) Saturday +(0x8) Never (default) -- (0x0) Every Day -- (0x1) Sunday -- (0x2) Monday -- (0x3) Tuesday -- (0x4) Wednesday -- (0x5) Thursday -- (0x6) Friday -- (0x7) Saturday -- (0x8) Never (default) +- If you enable this setting, a scheduled full scan to complete remediation will run at the frequency specified. -If you enable this setting, a scheduled full scan to complete remediation will run at the frequency specified. +- If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default frequency. + -If you disable or don't configure this setting, a scheduled full scan to complete remediation will run at a default frequency. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify the day of the week to run a scheduled full scan to complete remediation* -- GP name: *Remediation_Scan_ScheduleDay* -- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime** +| Name | Value | +|:--|:--| +| Name | Remediation_Scan_ScheduleDay | +| Friendly Name | Specify the day of the week to run a scheduled full scan to complete remediation | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Remediation | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Remediation | +| Registry Value Name | Scan_ScheduleDay | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Remediation_Scan_ScheduleTime - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime +``` + -
    + + +This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing. - - -This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing. +- If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified. -If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified. +- If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default time. + -If you disable or don't configure this setting, a scheduled full scan to complete remediation will run at a default time. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify the time of day to run a scheduled full scan to complete remediation* -- GP name: *Remediation_Scan_ScheduleTime* -- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout** +| Name | Value | +|:--|:--| +| Name | Remediation_Scan_ScheduleTime | +| Friendly Name | Specify the time of day to run a scheduled full scan to complete remediation | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Remediation | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Remediation | +| Registry Value Name | Scan_ScheduleTime | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Reporting_AdditionalActionTimeout - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout +``` + -
    - - - + + This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure time out for detections requiring additional action* -- GP name: *Reporting_AdditionalActionTimeout* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Reporting_AdditionalActionTimeout | +| Friendly Name | Configure time out for detections requiring additional action | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | AdditionalActionTimeout | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Reporting_CriticalFailureTimeout -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout +``` + - - -This policy setting configures the time in minutes before a detection in the “critically failed” state to moves to either the “additional action” state or the “cleared” state. + + +This policy setting configures the time in minutes before a detection in the "critically failed" state to moves to either the "additional action" state or the "cleared" state. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure time out for detections in critically failed state* -- GP name: *Reporting_CriticalFailureTimeout* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Reporting_CriticalFailureTimeout | +| Friendly Name | Configure time out for detections in critically failed state | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | CriticalFailureTimeout | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Reporting_DisableEnhancedNotifications -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications +``` + - - + + Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients. -If you disable or don't configure this setting, Microsoft Defender Antivirus enhanced notifications will display on clients. +- If you disable or do not configure this setting, Microsoft Defender Antivirus enhanced notifications will display on clients. -If you enable this setting, Microsoft Defender Antivirus enhanced notifications won't display on clients. +- If you enable this setting, Microsoft Defender Antivirus enhanced notifications will not display on clients. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off enhanced notifications* -- GP name: *Reporting_DisableEnhancedNotifications* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -**ADMX_MicrosoftDefenderAntivirus/Reporting_Disablegenericreports** -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Reporting_DisableEnhancedNotifications | +| Friendly Name | Turn off enhanced notifications | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | DisableEnhancedNotifications | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Reporting_DisablegenericrePorts -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts +``` + - - + + This policy setting allows you to configure whether or not Watson events are sent. -If you enable or don't configure this setting, Watson events will be sent. +- If you enable or do not configure this setting, Watson events will be sent. -If you disable this setting, Watson events won't be sent. +- If you disable this setting, Watson events will not be sent. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Watson events* -- GP name: *Reporting_Disablegenericreports* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Reporting_DisablegenericrePorts | +| Friendly Name | Configure Watson events | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | DisableGenericRePorts | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Reporting_NonCriticalTimeout -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout +``` + - - + + This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure time out for detections in non-critical failed state* -- GP name: *Reporting_NonCriticalTimeout* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -**ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout** -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Reporting_NonCriticalTimeout | +| Friendly Name | Configure time out for detections in non-critical failed state | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | NonCriticalTimeout | +| ADMX File Name | WindowsDefender.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Reporting_RecentlyCleanedTimeout -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout +``` + + + + This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure time out for detections in recently remediated state* -- GP name: *Reporting_RecentlyCleanedTimeout* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Reporting_RecentlyCleanedTimeout | +| Friendly Name | Configure time out for detections in recently remediated state | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | RecentlyCleanedTimeout | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Reporting_WppTracingComponents -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents +``` + - - + + This policy configures Windows software trace preprocessor (WPP Software Tracing) components. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Windows software trace preprocessor components* -- GP name: *Reporting_WppTracingComponents* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Reporting_WppTracingComponents | +| Friendly Name | Configure Windows software trace preprocessor components | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | WppTracingComponents | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Reporting_WppTracingLevel -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel +``` + - - + + This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). - Tracing levels are defined as: +1 - Error +2 - Warning +3 - Info +4 - Debug + -- 1 - Error -- 2 - Warning -- 3 - Info -- 4 - Debug + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Configure WPP tracing level* -- GP name: *Reporting_WppTracingLevel* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause** +| Name | Value | +|:--|:--| +| Name | Reporting_WppTracingLevel | +| Friendly Name | Configure WPP tracing level | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | WppTracingLevel | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Scan_AllowPause - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause +``` + -
    - - - + + This policy setting allows you to manage whether or not end users can pause a scan in progress. -If you enable or don't configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. - -If you disable this setting, users won't be able to pause scans. - - - - - -ADMX Info: -- GP Friendly name: *Allow users to pause scan* -- GP name: *Scan_AllowPause* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. - -If you enable this setting, archive files will be scanned to the directory depth level specified. - -If you disable or don't configure this setting, archive files will be scanned to the default directory depth level. - - - - - -ADMX Info: -- GP Friendly name: *Specify the maximum depth to scan archive files* -- GP name: *Scan_ArchiveMaxDepth* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. - -If you enable this setting, archive files less than or equal to the size specified will be scanned. - -If you disable or don't configure this setting, archive files will be scanned according to the default value. - - - - - -ADMX Info: -- GP Friendly name: *Specify the maximum size of archive files to be scanned* -- GP name: *Scan_ArchiveMaxSize* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. - -If you enable or don't configure this setting, archive files will be scanned. - -If you disable this setting, archive files won't be scanned. - - - - - -ADMX Info: -- GP Friendly name: *Scan archive files* -- GP name: *Scan_DisableArchiveScanning* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). - -If you enable this setting, e-mail scanning will be enabled. - -If you disable or don't configure this setting, e-mail scanning will be disabled. - - - - - -ADMX Info: -- GP Friendly name: *Turn on e-mail scanning* -- GP name: *Scan_DisableEmailScanning* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It's recommended that you don't turn off heuristics. - -If you enable or don't configure this setting, heuristics will be enabled. - -If you disable this setting, heuristics will be disabled. - - - - - -ADMX Info: -- GP Friendly name: *Turn on heuristics* -- GP name: *Scan_DisableHeuristics* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure scanning for packed executables. It's recommended that this type of scanning remains enabled. - -If you enable or don't configure this setting, packed executables will be scanned. - -If you disable this setting, packed executables won't be scanned. - - - - - -ADMX Info: -- GP Friendly name: *Scan packed executables* -- GP name: *Scan_DisablePackedExeScanning* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +- If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. + +- If you disable this setting, users will not be able to pause scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_AllowPause | +| Friendly Name | Allow users to pause scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | AllowPause | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_ArchiveMaxDepth + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth +``` + + + + +This policy setting allows you to configure the maximum directory depth level into which archive files such as . ZIP or . CAB are unpacked during scanning. The default directory depth level is 0. + +- If you enable this setting, archive files will be scanned to the directory depth level specified. + +- If you disable or do not configure this setting, archive files will be scanned to the default directory depth level. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_ArchiveMaxDepth | +| Friendly Name | Specify the maximum depth to scan archive files | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ArchiveMaxDepth | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_ArchiveMaxSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize +``` + + + + +This policy setting allows you to configure the maximum size of archive files such as . ZIP or . CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. + +- If you enable this setting, archive files less than or equal to the size specified will be scanned. + +- If you disable or do not configure this setting, archive files will be scanned according to the default value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_ArchiveMaxSize | +| Friendly Name | Specify the maximum size of archive files to be scanned | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ArchiveMaxSize | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_DisableArchiveScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning +``` + + + + +This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files. + +- If you enable or do not configure this setting, archive files will be scanned. + +- If you disable this setting, archive files will not be scanned. However, archives are always scanned during directed scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableArchiveScanning | +| Friendly Name | Scan archive files | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableArchiveScanning | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_DisableEmailScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning +``` + + + + +This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). Email scanning is not supported on modern email clients. + +- If you enable this setting, e-mail scanning will be enabled. + +- If you disable or do not configure this setting, e-mail scanning will be disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableEmailScanning | +| Friendly Name | Turn on e-mail scanning | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableEmailScanning | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_DisableHeuristics + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics +``` + + + + +This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics. + +- If you enable or do not configure this setting, heuristics will be enabled. + +- If you disable this setting, heuristics will be disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableHeuristics | +| Friendly Name | Turn on heuristics | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableHeuristics | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_DisablePackedExeScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisablePackedExeScanning | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_DisableRemovableDriveScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning +``` + + + + This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. -If you enable this setting, removable drives will be scanned during any type of scan. +- If you enable this setting, removable drives will be scanned during any type of scan. -If you disable or don't configure this setting, removable drives won't be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan. +- If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Scan removable drives* -- GP name: *Scan_DisableRemovableDriveScanning* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Scan_DisableRemovableDriveScanning | +| Friendly Name | Scan removable drives | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableRemovableDriveScanning | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Scan_DisableReparsePointScanning -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning +``` + - - -This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there's a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this setting is the recommended state for this functionality. + + +This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality. -If you enable this setting, reparse point scanning will be enabled. +- If you enable this setting, reparse point scanning will be enabled. -If you disable or don't configure this setting, reparse point scanning will be disabled. +- If you disable or do not configure this setting, reparse point scanning will be disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on reparse point scanning* -- GP name: *Scan_DisableReparsePointScanning* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Scan_DisableReparsePointScanning | +| Friendly Name | Turn on reparse point scanning | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableReparsePointScanning | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Scan_DisableRestorePoint -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint +``` + - - + + This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. -If you enable this setting, a system restore point will be created. +- If you enable this setting, a system restore point will be created. -If you disable or don't configure this setting, a system restore point won't be created. +- If you disable or do not configure this setting, a system restore point will not be created. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Create a system restore point* -- GP name: *Scan_DisableRestorePoint* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan** -
    - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Scan_DisableRestorePoint | +| Friendly Name | Create a system restore point | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableRestorePoint | +| ADMX File Name | WindowsDefender.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Scan_DisableScanningMappedNetworkDrivesForFullScan -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan +``` + + + + This policy setting allows you to configure scanning mapped network drives. -If you enable this setting, mapped network drives will be scanned. - -If you disable or don't configure this setting, mapped network drives won't be scanned. - - - - - -ADMX Info: -- GP Friendly name: *Run full scan on mapped network drives* -- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure scanning for network files. It's recommended that you don't enable this setting. - -If you enable this setting, network files will be scanned. - -If you disable or don't configure this setting, network files won't be scanned. - - - - - -ADMX Info: -- GP Friendly name: *Scan network files* -- GP name: *Scan_DisableScanningNetworkFiles* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for maximum percentage of CPU utilization* -- GP name: *Scan_LocalSettingOverrideAvgCPULoadFactor* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for the scan type to use for a scheduled scan* -- GP name: *Scan_LocalSettingOverrideScanParameters* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for schedule scan day* -- GP name: *Scan_LocalSettingOverrideScheduleDay* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for scheduled quick scan time* -- GP name: *Scan_LocalSettingOverrideScheduleQuickScantime* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for scheduled scan time* -- GP name: *Scan_LocalSettingOverrideScheduleTime* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +- If you enable this setting, mapped network drives will be scanned. + +- If you disable or do not configure this setting, mapped network drives will not be scanned. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableScanningMappedNetworkDrivesForFullScan | +| Friendly Name | Run full scan on mapped network drives | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableScanningMappedNetworkDrivesForFullScan | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_DisableScanningNetworkFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles +``` + + + + +This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. + +- If you enable this setting, network files will be scanned. + +- If you disable or do not configure this setting, network files will not be scanned. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableScanningNetworkFiles | +| Friendly Name | Scan network files | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableScanningNetworkFiles | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_LocalSettingOverrideAvgCPULoadFactor + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor +``` + + + + +This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_LocalSettingOverrideAvgCPULoadFactor | +| Friendly Name | Configure local setting override for maximum percentage of CPU utilization | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | LocalSettingOverrideAvgCPULoadFactor | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_LocalSettingOverrideScanParameters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters +``` + + + + +This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_LocalSettingOverrideScanParameters | +| Friendly Name | Configure local setting override for the scan type to use for a scheduled scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | LocalSettingOverrideScanParameters | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_LocalSettingOverrideScheduleDay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay +``` + + + + +This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_LocalSettingOverrideScheduleDay | +| Friendly Name | Configure local setting override for schedule scan day | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | LocalSettingOverrideScheduleDay | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_LocalSettingOverrideScheduleQuickScantime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime +``` + + + + +This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_LocalSettingOverrideScheduleQuickScantime | +| Friendly Name | Configure local setting override for scheduled quick scan time | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | LocalSettingOverrideScheduleQuickScanTime | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_LocalSettingOverrideScheduleTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime +``` + + + + +This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_LocalSettingOverrideScheduleTime | +| Friendly Name | Configure local setting override for scheduled scan time | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | LocalSettingOverrideScheduleTime | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_LowCpuPriority + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority +``` + + + + This policy setting allows you to enable or disable low CPU priority for scheduled scans. -If you enable this setting, low CPU priority will be used during scheduled scans. +- If you enable this setting, low CPU priority will be used during scheduled scans. -If you disable or don't configure this setting, not changes will be made to CPU priority for scheduled scans. +- If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure low CPU priority for scheduled scans* -- GP name: *Scan_LowCpuPriority* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Scan_LowCpuPriority | +| Friendly Name | Configure low CPU priority for scheduled scans | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | LowCpuPriority | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Scan_MissedScheduledScanCountBeforeCatchup -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup +``` + - - + + This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will be forced. By default, the value of this setting is 2 consecutive scheduled scans. -If you enable this setting, a catch-up scan will occur after the specified number consecutive missed scheduled scans. +- If you enable this setting, a catch-up scan will occur after the specified number consecutive missed scheduled scans. -If you disable or don't configure this setting, a catch-up scan will occur after the 2 consecutive missed scheduled scans. +- If you disable or do not configure this setting, a catch-up scan will occur after the 2 consecutive missed scheduled scans. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define the number of days after which a catch-up scan is forced* -- GP name: *Scan_MissedScheduledScanCountBeforeCatchup* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Scan_MissedScheduledScanCountBeforeCatchup | +| Friendly Name | Define the number of days after which a catch-up scan is forced | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | MissedScheduledScanCountBeforeCatchup | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Scan_PurgeItemsAfterDelay -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay +``` + - - -This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and won't be automatically removed. By default, the value is set to 30 days. + + +This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days. -If you enable this setting, items will be removed from the scan history folder after the number of days specified. +- If you enable this setting, items will be removed from the scan history folder after the number of days specified. -If you disable or don't configure this setting, items will be kept in the scan history folder for the default number of days. +- If you disable or do not configure this setting, items will be kept in the scan history folder for the default number of days. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on removal of items from scan history folder* -- GP name: *Scan_PurgeItemsAfterDelay* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Scan_PurgeItemsAfterDelay | +| Friendly Name | Turn on removal of items from scan history folder | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | PurgeItemsAfterDelay | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Scan_QuickScanInterval -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval +``` + - - -This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans won't occur. By default, this setting is set to 0. + + +This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0. -If you enable this setting, a quick scan will run at the interval specified. +- If you enable this setting, a quick scan will run at the interval specified. -If you disable or don't configure this setting, a quick scan will run at a default time. +- If you disable or do not configure this setting, quick scan controlled by this config will not be run. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify the interval to run quick scans per day* -- GP name: *Scan_QuickScanInterval* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Scan_QuickScanInterval | +| Friendly Name | Specify the interval to run quick scans per day | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | QuickScanInterval | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Scan_ScanOnlyIfIdle -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle +``` + - - + + This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. -If you enable or don't configure this setting, scheduled scans will only run when the computer is on but not in use. +- If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use. -If you disable this setting, scheduled scans will run at the scheduled time. +- If you disable this setting, scheduled scans will run at the scheduled time. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Start the scheduled scan only when computer is on but not in use* -- GP name: *Scan_ScanOnlyIfIdle* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Scan_ScanOnlyIfIdle | +| Friendly Name | Start the scheduled scan only when computer is on but not in use | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ScanOnlyIfIdle | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Scan_ScheduleDay -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay +``` + - - + + This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: +(0x0) Every Day +(0x1) Sunday +(0x2) Monday +(0x3) Tuesday +(0x4) Wednesday +(0x5) Thursday +(0x6) Friday +(0x7) Saturday +(0x8) Never (default) -- (0x0) Every Day -- (0x1) Sunday -- (0x2) Monday -- (0x3) Tuesday -- (0x4) Wednesday -- (0x5) Thursday -- (0x6) Friday -- (0x7) Saturday -- (0x8) Never (default) +- If you enable this setting, a scheduled scan will run at the frequency specified. -If you enable this setting, a scheduled scan will run at the frequency specified. +- If you disable or do not configure this setting, a scheduled scan will run at a default frequency. + -If you disable or don't configure this setting, a scheduled scan will run at a default frequency. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify the day of the week to run a scheduled scan* -- GP name: *Scan_ScheduleDay* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime** +| Name | Value | +|:--|:--| +| Name | Scan_ScheduleDay | +| Friendly Name | Specify the day of the week to run a scheduled scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ScheduleDay | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Scan_ScheduleTime - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime +``` + -
    - - - + + This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing. -If you enable this setting, a scheduled scan will run at the time of day specified. - -If you disable or don't configure this setting, a scheduled scan will run at a default time. - - - - - -ADMX Info: -- GP Friendly name: *Specify the time of day to run a scheduled scan* -- GP name: *Scan_ScheduleTime* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It's recommended that this setting remains disabled. - -If you enable this setting, the antimalware service will always remain running even if both antivirus and antispyware security intelligence are disabled. - -If you disable or don't configure this setting, the antimalware service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted, the service will be started if it's set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped. - - - - - -ADMX Info: -- GP Friendly name: *Allow antimalware service to remain running always* -- GP name: *ServiceKeepAlive* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several other actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 7 days. - -We don't recommend setting the value to less than 2 days to prevent machines from going out of date. - -If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. - -If you disable or don't configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update. - - - - - -ADMX Info: -- GP Friendly name: *Define the number of days before spyware security intelligence is considered out of date* -- GP name: *SignatureUpdate_ASSignatureDue* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several other actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. - -If you enable this setting, virus security intelligence will be considered out of date after the number of days specified have passed without an update. - -If you disable or don't configure this setting, virus security intelligence will be considered out of date after the default number of days have passed without an update. - - - - - -ADMX Info: -- GP Friendly name: *Define the number of days before virus security intelligence is considered out of date* -- GP name: *SignatureUpdate_AVSignatureDue* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\\unc1 | \\\unc2 }". The list is empty by default. - -If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted. - -If you disable or don't configure this setting, the list will remain empty by default and no sources will be contacted. - - - - - -ADMX Info: -- GP Friendly name: *Define file shares for downloading security intelligence updates* -- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure the automatic scan that starts after a security intelligence update has occurred. - -If you enable or don't configure this setting, a scan will start following a security intelligence update. - -If you disable this setting, a scan won't start following a security intelligence update. - - - - - -ADMX Info: -- GP Friendly name: *Turn on scan after security intelligence update* -- GP name: *SignatureUpdate_DisableScanOnUpdate* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +- If you enable this setting, a scheduled scan will run at the time of day specified. + +- If you disable or do not configure this setting, a scheduled scan will run at a default time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_ScheduleTime | +| Friendly Name | Specify the time of day to run a scheduled scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ScheduleTime | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ServiceKeepAlive + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive +``` + + + + +This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It is recommended that this setting remain disabled. + +- If you enable this setting, the antimalware service will always remain running even if both antivirus and antispyware security intelligence is disabled. + +- If you disable or do not configure this setting, the antimalware service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted, the service will be started if it is set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ServiceKeepAlive | +| Friendly Name | Allow antimalware service to remain running always | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| Registry Value Name | ServiceKeepAlive | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdate_ASSignatureDue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue +``` + + + + +This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 7 days. + +- If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. + +- If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_ASSignatureDue | +| Friendly Name | Define the number of days before spyware security intelligence is considered out of date | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | ASSignatureDue | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdate_AVSignatureDue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue +``` + + + + +This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 7 days. + +- If you enable this setting, virus security intelligence will be considered out of date after the number of days specified have passed without an update. + +- If you disable or do not configure this setting, virus security intelligence will be considered out of date after the default number of days have passed without an update. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_AVSignatureDue | +| Friendly Name | Define the number of days before virus security intelligence is considered out of date | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | AVSignatureDue | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdate_DefinitionUpdateFileSharesSources + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources +``` + + + + +This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default. + +- If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +- If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_DefinitionUpdateFileSharesSources | +| Friendly Name | Define file shares for downloading security intelligence updates | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdate_DisableScanOnUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate +``` + + + + +This policy setting allows you to configure the automatic scan which starts after a security intelligence update has occurred. + +- If you enable or do not configure this setting, a scan will start following a security intelligence update. + +- If you disable this setting, a scan will not start following a security intelligence update. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_DisableScanOnUpdate | +| Friendly Name | Turn on scan after security intelligence update | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | DisableScanOnUpdate | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdate_DisableScheduledSignatureUpdateonBattery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery +``` + + + + This policy setting allows you to configure security intelligence updates when the computer is running on battery power. -If you enable or don't configure this setting, security intelligence updates will occur as usual regardless of power state. +- If you enable or do not configure this setting, security intelligence updates will occur as usual regardless of power state. -If you disable this setting, security intelligence updates will be turned off while the computer is running on battery power. +- If you disable this setting, security intelligence updates will be turned off while the computer is running on battery power. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow security intelligence updates when running on battery power* -- GP name: *SignatureUpdate_DisableScheduledSignatureUpdateonBattery* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_DisableScheduledSignatureUpdateonBattery | +| Friendly Name | Allow security intelligence updates when running on battery power | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | DisableScheduledSignatureUpdateOnBattery | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_DisableUpdateOnStartupWithoutEngine -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine +``` + - - -This policy setting allows you to configure security intelligence updates on startup when there's no antimalware engine present. + + +This policy setting allows you to configure security intelligence updates on startup when there is no antimalware engine present. -If you enable or don't configure this setting, security intelligence updates will be initiated on startup when there's no antimalware engine present. +- If you enable or do not configure this setting, security intelligence updates will be initiated on startup when there is no antimalware engine present. -If you disable this setting, security intelligence updates won't be initiated on startup when there's no antimalware engine present. +- If you disable this setting, security intelligence updates will not be initiated on startup when there is no antimalware engine present. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Initiate security intelligence update on startup* -- GP name: *SignatureUpdate_DisableUpdateOnStartupWithoutEngine* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_DisableUpdateOnStartupWithoutEngine | +| Friendly Name | Initiate security intelligence update on startup | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | DisableUpdateOnStartupWithoutEngine | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_FallbackOrder -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder +``` + - - -This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”. + + +This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares" For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } -If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted. +- If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. -If you disable or don't configure this setting, security intelligence update sources will be contacted in a default order. +- If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define the order of sources for downloading security intelligence updates* -- GP name: *SignatureUpdate_FallbackOrder* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_FallbackOrder | +| Friendly Name | Define the order of sources for downloading security intelligence updates | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_ForceUpdateFromMU -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU +``` + - - + + This policy setting allows you to enable download of security intelligence updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update. -If you enable this setting, security intelligence updates will be downloaded from Microsoft Update. +- If you enable this setting, security intelligence updates will be downloaded from Microsoft Update. -If you disable or don't configure this setting, security intelligence updates will be downloaded from the configured download source. +- If you disable or do not configure this setting, security intelligence updates will be downloaded from the configured download source. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow security intelligence updates from Microsoft Update* -- GP name: *SignatureUpdate_ForceUpdateFromMU* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_ForceUpdateFromMU | +| Friendly Name | Allow security intelligence updates from Microsoft Update | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | ForceUpdateFromMU | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_RealtimeSignatureDelivery -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery +``` + - - + + This policy setting allows you to enable real-time security intelligence updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest security intelligence update has security intelligence for a threat involving that file, the service will receive all of the latest security intelligence for that threat immediately. You must have configured your computer to join Microsoft MAPS for this functionality to work. -If you enable or don't configure this setting, real-time security intelligence updates will be enabled. +- If you enable or do not configure this setting, real-time security intelligence updates will be enabled. -If you disable this setting, real-time security intelligence updates will be disabled. +- If you disable this setting, real-time security intelligence updates will disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow real-time security intelligence updates based on reports to Microsoft MAPS* -- GP name: *SignatureUpdate_RealtimeSignatureDelivery* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_RealtimeSignatureDelivery | +| Friendly Name | Allow real-time security intelligence updates based on reports to Microsoft MAPS | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | RealtimeSignatureDelivery | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_ScheduleDay -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay +``` + - - + + This policy setting allows you to specify the day of the week on which to check for security intelligence updates. The check can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: +(0x0) Every Day (default) +(0x1) Sunday +(0x2) Monday +(0x3) Tuesday +(0x4) Wednesday +(0x5) Thursday +(0x6) Friday +(0x7) Saturday +(0x8) Never -- (0x0) Every Day (default) -- (0x1) Sunday -- (0x2) Monday -- (0x3) Tuesday -- (0x4) Wednesday -- (0x5) Thursday -- (0x6) Friday -- (0x7) Saturday -- (0x8) Never +- If you enable this setting, the check for security intelligence updates will occur at the frequency specified. -If you enable this setting, the check for security intelligence updates will occur at the frequency specified. +- If you disable or do not configure this setting, the check for security intelligence updates will occur at a default frequency. + -If you disable or don't configure this setting, the check for security intelligence updates will occur at a default frequency. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify the day of the week to check for security intelligence updates* -- GP name: *SignatureUpdate_ScheduleDay* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime** +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_ScheduleDay | +| Friendly Name | Specify the day of the week to check for security intelligence updates | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | ScheduleDay | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## SignatureUpdate_ScheduleTime - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime +``` + -
    - - - + + This policy setting allows you to specify the time of day at which to check for security intelligence updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for security intelligence updates 15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring. -If you enable this setting, the check for security intelligence updates will occur at the time of day specified. +- If you enable this setting, the check for security intelligence updates will occur at the time of day specified. -If you disable or don't configure this setting, the check for security intelligence updates will occur at the default time. +- If you disable or do not configure this setting, the check for security intelligence updates will occur at the default time. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify the time to check for security intelligence updates* -- GP name: *SignatureUpdate_ScheduleTime* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_ScheduleTime | +| Friendly Name | Specify the time to check for security intelligence updates | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | ScheduleTime | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_SharedSignaturesLocation -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation +``` + - - + + This policy setting allows you to define the security intelligence location for VDI-configured computers. -If you disable or don't configure this setting, security intelligence will be referred from the default local source. +- If you disable or do not configure this setting, security intelligence will be referred from the default local source. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define security intelligence location for VDI clients.* -- GP name: *SignatureUpdate_SharedSignaturesLocation* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    - +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_SharedSignaturesLocation | +| Friendly Name | Define security intelligence location for VDI clients. | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_SignatureDisableNotification -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification +``` + - - + + This policy setting allows you to configure the antimalware service to receive notifications to disable individual security intelligence in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable security intelligence that are causing false positive reports. You must have configured your computer to join Microsoft MAPS for this functionality to work. -If you enable this setting or don't configure, the antimalware service will receive notifications to disable security intelligence. +- If you enable this setting or do not configure, the antimalware service will receive notifications to disable security intelligence. -If you disable this setting, the antimalware service won't receive notifications to disable security intelligence. +- If you disable this setting, the antimalware service will not receive notifications to disable security intelligence. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow notifications to disable security intelligence based reports to Microsoft MAPS* -- GP name: *SignatureUpdate_SignatureDisableNotification* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_SignatureDisableNotification | +| Friendly Name | Allow notifications to disable security intelligence based reports to Microsoft MAPS | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | SignatureDisableNotification | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_SignatureUpdateCatchupInterval -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval +``` + - - + + This policy setting allows you to define the number of days after which a catch-up security intelligence update will be required. By default, the value of this setting is 1 day. -If you enable this setting, a catch-up security intelligence update will occur after the specified number of days. +- If you enable this setting, a catch-up security intelligence update will occur after the specified number of days. -If you disable or don't configure this setting, a catch-up security intelligence update will be required after the default number of days. +- If you disable or do not configure this setting, a catch-up security intelligence update will be required after the default number of days. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define the number of days after which a catch-up security intelligence update is required* -- GP name: *SignatureUpdate_SignatureUpdateCatchupInterval* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_SignatureUpdateCatchupInterval | +| Friendly Name | Define the number of days after which a catch-up security intelligence update is required | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | SignatureUpdateCatchupInterval | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_UpdateOnStartup -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup +``` + - - + + This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur immediately after service startup. -If you enable this setting, a check for new security intelligence will occur after service startup. +- If you enable this setting, a check for new security intelligence will occur after service startup. -If you disable this setting or don't configure this setting, a check for new security intelligence won't occur after service startup. +- If you disable this setting or do not configure this setting, a check for new security intelligence will not occur after service startup. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Check for the latest virus and spyware security intelligence on startup* -- GP name: *SignatureUpdate_UpdateOnStartup* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SpynetReporting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_UpdateOnStartup | +| Friendly Name | Check for the latest virus and spyware security intelligence on startup | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | UpdateOnStartUp | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Spynet_LocalSettingOverrideSpynetReporting -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting +``` + - - + + +This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Spynet_LocalSettingOverrideSpynetReporting | +| Friendly Name | Configure local setting override for reporting to Microsoft MAPS | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MAPS | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet | +| Registry Value Name | LocalSettingOverrideSpynetReporting | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SpynetReporting + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SpynetReporting +``` + + + + This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. -You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft won't use this information to identify you or contact you. +You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you. Possible options are: - -- (0x0) Disabled (default) -- (0x1) Basic membership -- (0x2) Advanced membership +(0x0) Disabled (default) +(0x1) Basic membership +(0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful. 
Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer. -If you enable this setting, you'll join Microsoft MAPS with the membership specified. +- If you enable this setting, you will join Microsoft MAPS with the membership specified. -If you disable or don't configure this setting, you won't join Microsoft MAPS. +- If you disable or do not configure this setting, you will not join Microsoft MAPS. In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Join Microsoft MAPS* -- GP name: *SpynetReporting* -- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SpynetReporting | +| Friendly Name | Join Microsoft MAPS | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MAPS | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet | +| Registry Value Name | SpynetReporting | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Threats_ThreatIdDefaultAction -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction +``` + - - - This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for reporting to Microsoft MAPS* -- GP name: *Spynet_LocalSettingOverrideSpynetReporting* -- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting customizes which remediation action will be taken for each listed Threat ID when it's detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken. + + +This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken. Valid remediation action values are: +2 = Quarantine +3 = Remove +6 = Ignore + -- 2 = Quarantine -- 3 = Remove -- 6 = Ignore + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify threats upon which default action should not be taken when detected* -- GP name: *Threats_ThreatIdDefaultAction* -- GP path: *Windows Components\Microsoft Defender Antivirus\Threats* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString** +| Name | Value | +|:--|:--| +| Name | Threats_ThreatIdDefaultAction | +| Friendly Name | Specify threats upon which default action should not be taken when detected | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Threats | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Threats | +| Registry Value Name | Threats_ThreatIdDefaultAction | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## UX_Configuration_CustomDefaultActionToastString - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString +``` + -
    + + +This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display. - - -This policy setting allows you to configure whether or not to display more text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display. +- If you enable this setting, the additional text specified will be displayed. -If you enable this setting, the extra text specified will be displayed. +- If you disable or do not configure this setting, there will be no additional text displayed. + -If you disable or don't configure this setting, there will be no extra text displayed. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Display additional text to clients when they need to perform an action* -- GP name: *UX_Configuration_CustomDefaultActionToastString* -- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress** +| Name | Value | +|:--|:--| +| Name | UX_Configuration_CustomDefaultActionToastString | +| Friendly Name | Display additional text to clients when they need to perform an action | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Client Interface | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## UX_Configuration_Notification_Suppress - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress +``` + -
    - - - + + Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients. +- If you disable or do not configure this setting, Microsoft Defender Antivirus notifications will display on clients. -If you disable or don't configure this setting, Microsoft Defender Antivirus notifications will display on clients. +- If you enable this setting, Microsoft Defender Antivirus notifications will not display on clients. + -If you enable this setting, Microsoft Defender Antivirus notifications won't display on clients. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Suppress all notifications* -- GP name: *UX_Configuration_Notification_Suppress* -- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification** +| Name | Value | +|:--|:--| +| Name | UX_Configuration_Notification_Suppress | +| Friendly Name | Suppress all notifications | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Client Interface | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration | +| Registry Value Name | Notification_Suppress | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## UX_Configuration_SuppressRebootNotification - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification +``` + -
    + + +This policy setting allows user to supress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode). - - -This policy setting allows user to suppress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode). +- If you enable this setting AM UI won't show reboot notifications. + -If you enable this setting, AM UI won't show reboot notifications. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Suppresses reboot notifications* -- GP name: *UX_Configuration_SuppressRebootNotification* -- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown** +| Name | Value | +|:--|:--| +| Name | UX_Configuration_SuppressRebootNotification | +| Friendly Name | Suppresses reboot notifications | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Client Interface | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration | +| Registry Value Name | SuppressRebootNotification | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## UX_Configuration_UILockdown - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown +``` + -
    - - - + + This policy setting allows you to configure whether or not to display AM UI to the users. +- If you enable this setting AM UI won't be available to users. + -If you enable this setting, AM UI won't be available to users. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Enable headless UI mode* -- GP name: *UX_Configuration_UILockdown* -- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | UX_Configuration_UILockdown | +| Friendly Name | Enable headless UI mode | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Client Interface | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefender.admx | + + + + - + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md index cde0000329..1956accd4b 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmc.md +++ b/windows/client-management/mdm/policy-csp-admx-mmc.md 
@@ -1,333 +1,379 @@ --- -title: Policy CSP - ADMX_MMC -description: Learn about Policy CSP - ADMX_MMC. +title: ADMX_MMC Policy CSP +description: Learn more about the ADMX_MMC Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/03/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MMC ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MMC policies + +## MMC_ActiveXControl -
    -
    - ADMX_MMC/MMC_ActiveXControl -
    -
    - ADMX_MMC/MMC_ExtendView -
    -
    - ADMX_MMC/MMC_LinkToWeb -
    -
    - ADMX_MMC/MMC_Restrict_Author -
    -
    - ADMX_MMC/MMC_Restrict_To_Permitted_Snapins -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_ActiveXControl +``` + -
    + + +Permits or prohibits use of this snap-in. - -**ADMX_MMC/MMC_ActiveXControl** +- If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. - +If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. - -
    +To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. -> [!div class = "checklist"] -> * User +To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted. -
    +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + - - -This policy setting permits or prohibits use of this snap-in. + + + -If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. + +**Description framework properties**: -If this setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those snap-ins explicitly permitted. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -To explicitly permit use of this snap-in, enable this setting. If this setting isn't configured (or disabled), this snap-in is prohibited. +**ADMX mapping**: -- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those snap-ins explicitly prohibited. +| Name | Value | +|:--|:--| +| Name | MMC_ActiveXControl | +| Friendly Name | ActiveX Control | +| Location | User Configuration | +| Path | Windows Components > Microsoft Management Console > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C96401CF-0E17-11D3-885B-00C04F72C717} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMC.admx | + -To explicitly prohibit use of this snap-in, disable this setting. If this setting isn't configured (or enabled), the snap-in is permitted. 
+ + + -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. + - + +## MMC_ExtendView + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *ActiveX Control* -- GP name: *MMC_ActiveXControl* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMC.admx* + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_ExtendView +``` + - - -
    + + +Permits or prohibits use of this snap-in. - -**ADMX_MMC/MMC_ExtendView** +- If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. - +If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. - -
    +To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. -> [!div class = "checklist"] -> * User +To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted. -
    +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + - - -This policy setting permits or prohibits use of this snap-in. + + + -If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. + +**Description framework properties**: -If this setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those snap-ins explicitly permitted. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -To explicitly permit use of this snap-in, enable this setting. If this setting isn't configured (or disabled), this snap-in is prohibited. +**ADMX mapping**: -- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those snap-ins explicitly prohibited. +| Name | Value | +|:--|:--| +| Name | MMC_ExtendView | +| Friendly Name | Extended View (Web View) | +| Location | User Configuration | +| Path | Windows Components > Microsoft Management Console > Restricted/Permitted snap-ins > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{B708457E-DB61-4C55-A92F-0D4B5E9B1224} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMC.admx | + -To explicitly prohibit use of this snap-in, disable this setting. 
If this setting isn't configured (or enabled), the snap-in is permitted. + + + -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. + - + +## MMC_LinkToWeb + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Extended View (Web View)* -- GP name: *MMC_ExtendView* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMC.admx* + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_LinkToWeb +``` + - - -
    + + +Permits or prohibits use of this snap-in. - -**ADMX_MMC/MMC_LinkToWeb** +- If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. - +If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. - -
    +To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. -> [!div class = "checklist"] -> * User +To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted. -
    +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + - - -This policy setting permits or prohibits use of this snap-in. + + + -If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. + +**Description framework properties**: -If this setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those snap-ins explicitly permitted. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -To explicitly permit use of this snap-in, enable this setting. If this setting isn't configured (or disabled), this snap-in is prohibited. +**ADMX mapping**: -- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those snap-ins explicitly prohibited. +| Name | Value | +|:--|:--| +| Name | MMC_LinkToWeb | +| Friendly Name | Link to Web Address | +| Location | User Configuration | +| Path | Windows Components > Microsoft Management Console > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C96401D1-0E17-11D3-885B-00C04F72C717} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMC.admx | + -To explicitly prohibit use of this snap-in, disable this setting. If this setting isn't configured (or enabled), the snap-in is permitted. 
+ + + -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. + - + +## MMC_Restrict_Author + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -ADMX Info: -- GP Friendly name: *Link to Web Address* -- GP name: *MMC_LinkToWeb* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMC.admx* - - - -
    - - -**ADMX_MMC/MMC_Restrict_Author** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting prevents users from entering author mode. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_Restrict_Author +``` + + + + +Prevents users from entering author mode. This setting prevents users from opening the Microsoft Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in author mode by default. -As a result, users can't create console files or add or remove snap-ins. Also, because they can't open author-mode console files, they can't use the tools that the files contain. +As a result, users cannot create console files or add or remove snap-ins. Also, because they cannot open author-mode console files, they cannot use the tools that the files contain. -This setting permits users to open MMC user-mode console files, such as those on the Administrative Tools menu in Windows 2000 Server family or Windows Server 2003 family. However, users can't open a blank MMC console window on the Start menu. (To open the MMC, click Start, click Run, and type mmc.) Users also can't open a blank MMC console window from a command prompt. +This setting permits users to open MMC user-mode console files, such as those on the Administrative Tools menu in Windows 2000 Server family or Windows Server 2003 family. However, users cannot open a blank MMC console window on the Start menu. (To open the MMC, click Start, click Run, and type mmc.) Users also cannot open a blank MMC console window from a command prompt. -If you disable this setting or don't configure it, users can enter author mode and open author-mode console files. +- If you disable this setting or do not configure it, users can enter author mode and open author-mode console files. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Restrict the user from entering author mode* -- GP name: *MMC_Restrict_Author* -- GP path: *Windows Components\Microsoft Management Console* -- GP ADMX file name: *MMC.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMC/MMC_Restrict_To_Permitted_Snapins** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_Restrict_Author | +| Friendly Name | Restrict the user from entering author mode | +| Location | User Configuration | +| Path | Windows Components > Microsoft Management Console | +| Registry Key Name | Software\Policies\Microsoft\MMC | +| Registry Value Name | RestrictAuthorMode | +| ADMX File Name | MMC.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_Restrict_To_Permitted_Snapins -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_Restrict_To_Permitted_Snapins +``` + - - -This policy setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. + + +Lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. -- If you enable this setting, all snap-ins are prohibited, except those snap-ins that you explicitly permit. Use this setting if you plan to prohibit use of most snap-ins. +- If you enable this setting, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohibit use of most snap-ins. To explicitly permit a snap-in, open the Restricted/Permitted snap-ins setting folder and enable the settings representing the snap-in you want to permit. If a snap-in setting in the folder is disabled or not configured, the snap-in is prohibited. -- If you disable this setting or don't configure it, all snap-ins are permitted, except those snap-ins that you explicitly prohibit. Use this setting if you plan to permit use of most snap-ins. +- If you disable this setting or do not configure it, all snap-ins are permitted, except those that you explicitly prohibit. Use this setting if you plan to permit use of most snap-ins. To explicitly prohibit a snap-in, open the Restricted/Permitted snap-ins setting folder and then disable the settings representing the snap-ins you want to prohibit. If a snap-in setting in the folder is enabled or not configured, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. 
Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. > [!NOTE] -> If you enable this setting, and you don't enable any settings in the Restricted/Permitted snap-ins folder, users can't use any MMC snap-ins. +> If you enable this setting, and you do not enable any settings in the Restricted/Permitted snap-ins folder, users cannot use any MMC snap-ins. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Restrict users to the explicitly permitted list of snap-ins* -- GP name: *MMC_Restrict_To_Permitted_Snapins* -- GP path: *Windows Components\Microsoft Management Console* -- GP ADMX file name: *MMC.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | MMC_Restrict_To_Permitted_Snapins | +| Friendly Name | Restrict users to the explicitly permitted list of snap-ins | +| Location | User Configuration | +| Path | Windows Components > Microsoft Management Console | +| Registry Key Name | Software\Policies\Microsoft\MMC | +| Registry Value Name | RestrictToPermittedSnapins | +| ADMX File Name | MMC.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md index ccb7e6b2d6..b4f74ad73e 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md +++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md 
@@ -1,6137 +1,7316 @@ --- -title: Policy CSP - ADMX_MMCSnapins -description: Learn about Policy CSP - ADMX_MMCSnapins. +title: ADMX_MMCSnapins Policy CSP +description: Learn more about the ADMX_MMCSnapins Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MMCSnapins ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MMCSnapins policies + +## MMC_ActiveDirDomTrusts -
    -
    - ADMX_MMCSnapins/MMC_ADMComputers_1 -
    -
    - ADMX_MMCSnapins/MMC_ADMComputers_2 -
    -
    - ADMX_MMCSnapins/MMC_ADMUsers_1 -
    -
    - ADMX_MMCSnapins/MMC_ADMUsers_2 -
    -
    - ADMX_MMCSnapins/MMC_ADSI -
    -
    - ADMX_MMCSnapins/MMC_ActiveDirDomTrusts -
    -
    - ADMX_MMCSnapins/MMC_ActiveDirSitesServices -
    -
    - ADMX_MMCSnapins/MMC_ActiveDirUsersComp -
    -
    - ADMX_MMCSnapins/MMC_AppleTalkRouting -
    -
    - ADMX_MMCSnapins/MMC_AuthMan -
    -
    - ADMX_MMCSnapins/MMC_CertAuth -
    -
    - ADMX_MMCSnapins/MMC_CertAuthPolSet -
    -
    - ADMX_MMCSnapins/MMC_Certs -
    -
    - ADMX_MMCSnapins/MMC_CertsTemplate -
    -
    - ADMX_MMCSnapins/MMC_ComponentServices -
    -
    - ADMX_MMCSnapins/MMC_ComputerManagement -
    -
    - ADMX_MMCSnapins/MMC_ConnectionSharingNAT -
    -
    - ADMX_MMCSnapins/MMC_DCOMCFG -
    -
    - ADMX_MMCSnapins/MMC_DFS -
    -
    - ADMX_MMCSnapins/MMC_DHCPRelayMgmt -
    -
    - ADMX_MMCSnapins/MMC_DeviceManager_1 -
    -
    - ADMX_MMCSnapins/MMC_DeviceManager_2 -
    -
    - ADMX_MMCSnapins/MMC_DiskDefrag -
    -
    - ADMX_MMCSnapins/MMC_DiskMgmt -
    -
    - ADMX_MMCSnapins/MMC_EnterprisePKI -
    -
    - ADMX_MMCSnapins/MMC_EventViewer_1 -
    -
    - ADMX_MMCSnapins/MMC_EventViewer_2 -
    -
    - ADMX_MMCSnapins/MMC_EventViewer_3 -
    -
    - ADMX_MMCSnapins/MMC_EventViewer_4 -
    -
    - ADMX_MMCSnapins/MMC_FAXService -
    -
    - ADMX_MMCSnapins/MMC_FailoverClusters -
    -
    - ADMX_MMCSnapins/MMC_FolderRedirection_1 -
    -
    - ADMX_MMCSnapins/MMC_FolderRedirection_2 -
    -
    - ADMX_MMCSnapins/MMC_FrontPageExt -
    -
    - ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn -
    -
    - ADMX_MMCSnapins/MMC_GroupPolicySnapIn -
    -
    - ADMX_MMCSnapins/MMC_GroupPolicyTab -
    -
    - ADMX_MMCSnapins/MMC_HRA -
    -
    - ADMX_MMCSnapins/MMC_IAS -
    -
    - ADMX_MMCSnapins/MMC_IASLogging -
    -
    - ADMX_MMCSnapins/MMC_IEMaintenance_1 -
    -
    - ADMX_MMCSnapins/MMC_IEMaintenance_2 -
    -
    - ADMX_MMCSnapins/MMC_IGMPRouting -
    -
    - ADMX_MMCSnapins/MMC_IIS -
    -
    - ADMX_MMCSnapins/MMC_IPRouting -
    -
    - ADMX_MMCSnapins/MMC_IPSecManage_GP -
    -
    - ADMX_MMCSnapins/MMC_IPXRIPRouting -
    -
    - ADMX_MMCSnapins/MMC_IPXRouting -
    -
    - ADMX_MMCSnapins/MMC_IPXSAPRouting -
    -
    - ADMX_MMCSnapins/MMC_IndexingService -
    -
    - ADMX_MMCSnapins/MMC_IpSecManage -
    -
    - ADMX_MMCSnapins/MMC_IpSecMonitor -
    -
    - ADMX_MMCSnapins/MMC_LocalUsersGroups -
    -
    - ADMX_MMCSnapins/MMC_LogicalMappedDrives -
    -
    - ADMX_MMCSnapins/MMC_NPSUI -
    -
    - ADMX_MMCSnapins/MMC_NapSnap -
    -
    - ADMX_MMCSnapins/MMC_NapSnap_GP -
    -
    - ADMX_MMCSnapins/MMC_Net_Framework -
    -
    - ADMX_MMCSnapins/MMC_OCSP -
    -
    - ADMX_MMCSnapins/MMC_OSPFRouting -
    -
    - ADMX_MMCSnapins/MMC_PerfLogsAlerts -
    -
    - ADMX_MMCSnapins/MMC_PublicKey -
    -
    - ADMX_MMCSnapins/MMC_QoSAdmission -
    -
    - ADMX_MMCSnapins/MMC_RAS_DialinUser -
    -
    - ADMX_MMCSnapins/MMC_RIPRouting -
    -
    - ADMX_MMCSnapins/MMC_RIS -
    -
    - ADMX_MMCSnapins/MMC_RRA -
    -
    - ADMX_MMCSnapins/MMC_RSM -
    -
    - ADMX_MMCSnapins/MMC_RemStore -
    -
    - ADMX_MMCSnapins/MMC_RemoteAccess -
    -
    - ADMX_MMCSnapins/MMC_RemoteDesktop -
    -
    - ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn -
    -
    - ADMX_MMCSnapins/MMC_Routing -
    -
    - ADMX_MMCSnapins/MMC_SCA -
    -
    - ADMX_MMCSnapins/MMC_SMTPProtocol -
    -
    - ADMX_MMCSnapins/MMC_SNMP -
    -
    - ADMX_MMCSnapins/MMC_ScriptsMachine_1 -
    -
    - ADMX_MMCSnapins/MMC_ScriptsMachine_2 -
    -
    - ADMX_MMCSnapins/MMC_ScriptsUser_1 -
    -
    - ADMX_MMCSnapins/MMC_ScriptsUser_2 -
    -
    - ADMX_MMCSnapins/MMC_SecuritySettings_1 -
    -
    - ADMX_MMCSnapins/MMC_SecuritySettings_2 -
    -
    - ADMX_MMCSnapins/MMC_SecurityTemplates -
    -
    - ADMX_MMCSnapins/MMC_SendConsoleMessage -
    -
    - ADMX_MMCSnapins/MMC_ServerManager -
    -
    - ADMX_MMCSnapins/MMC_ServiceDependencies -
    -
    - ADMX_MMCSnapins/MMC_Services -
    -
    - ADMX_MMCSnapins/MMC_SharedFolders -
    -
    - ADMX_MMCSnapins/MMC_SharedFolders_Ext -
    -
    - ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1 -
    -
    - ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2 -
    -
    - ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1 -
    -
    - ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2 -
    -
    - ADMX_MMCSnapins/MMC_SysInfo -
    -
    - ADMX_MMCSnapins/MMC_SysProp -
    -
    - ADMX_MMCSnapins/MMC_TPMManagement -
    -
    - ADMX_MMCSnapins/MMC_Telephony -
    -
    - ADMX_MMCSnapins/MMC_TerminalServices -
    -
    - ADMX_MMCSnapins/MMC_WMI -
    -
    - ADMX_MMCSnapins/MMC_WindowsFirewall -
    -
    - ADMX_MMCSnapins/MMC_WindowsFirewall_GP -
    -
    - ADMX_MMCSnapins/MMC_WiredNetworkPolicy -
    -
    - ADMX_MMCSnapins/MMC_WirelessMon -
    -
    - ADMX_MMCSnapins/MMC_WirelessNetworkPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ActiveDirDomTrusts +``` + -
    - - -**ADMX_MMCSnapins/MMC_ADMComputers_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted. It can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited. It can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. 
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Administrative Templates (Computers)* -- GP name: *MMC_ADMComputers_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_ADMComputers_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ActiveDirDomTrusts | +| Friendly Name | Active Directory Domains and Trusts | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{EBC53A38-A23F-11D0-B09B-00C04FD8DCA6} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ActiveDirSitesServices -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ActiveDirSitesServices +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted. It can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited. It can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Administrative Templates (Computers)* -- GP name: *MMC_ADMComputers_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MMCSnapins/MMC_ADMUsers_1** +| Name | Value | +|:--|:--| +| Name | MMC_ActiveDirSitesServices | +| Friendly Name | Active Directory Sites and Services | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{D967F824-9968-11D0-B936-00C04FD8D5B0} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MMC_ActiveDirUsersComp - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ActiveDirUsersComp +``` + -
    - - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. 
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Administrative Templates (Users)* -- GP name: *MMC_ADMUsers_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MMCSnapins/MMC_ADMUsers_2** +| Name | Value | +|:--|:--| +| Name | MMC_ActiveDirUsersComp | +| Friendly Name | Active Directory Users and Computers | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{E355E538-1C2E-11D0-8C37-00C04FD8FE93} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MMC_ADMComputers_1 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * User
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ADMComputers_1
+```
+
-
    -
-
-
+
+
 This policy setting permits or prohibits the use of this snap-in.
-If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
-If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
-If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited.
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting.
+- If this policy setting is not configured or disabled, this snap-in is prohibited.
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted.
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting.
+- If this policy setting is not configured or enabled, the snap-in is permitted.
-When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear.
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Administrative Templates (Users)*
-- GP name: *MMC_ADMUsers_2*
-- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
-- GP ADMX file name: *MMCSnapins.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
    +**ADMX mapping**:
-
-**ADMX_MMCSnapins/MMC_ADSI**
+| Name | Value |
+|:--|:--|
+| Name | MMC_ADMComputers_1 |
+| Friendly Name | Administrative Templates (Computers) |
+| Location | User Configuration |
+| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions |
+| Registry Key Name | Software\Policies\Microsoft\MMC\{0F6B957D-509E-11D1-A7CC-0000F87571E3} |
+| Registry Value Name | Restrict_Run |
+| ADMX File Name | MMCSnapins.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
    +
+## MMC_ADMComputers_2
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * User
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ADMComputers_2
+```
+
-
    -
-
-
+
+
 This policy setting permits or prohibits the use of this snap-in.
-If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
-If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
-If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited.
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting.
+- If this policy setting is not configured or disabled, this snap-in is prohibited.
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted.
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting.
+- If this policy setting is not configured or enabled, the snap-in is permitted.
-When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear.
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *ADSI Edit*
-- GP name: *MMC_ADSI*
-- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
-- GP ADMX file name: *MMCSnapins.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
    +**ADMX mapping**:
-
-**ADMX_MMCSnapins/MMC_ActiveDirDomTrusts**
+| Name | Value |
+|:--|:--|
+| Name | MMC_ADMComputers_2 |
+| Friendly Name | Administrative Templates (Computers) |
+| Location | User Configuration |
+| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions |
+| Registry Key Name | Software\Policies\Microsoft\MMC\{B6F9C8AE-EF3A-41C8-A911-37370C331DD4} |
+| Registry Value Name | Restrict_Run |
+| ADMX File Name | MMCSnapins.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
    +
+## MMC_ADMUsers_1
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * User
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ADMUsers_1
+```
+
-
    -
-
-
+
+
 This policy setting permits or prohibits the use of this snap-in.
-If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
-If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
-If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited.
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting.
+- If this policy setting is not configured or disabled, this snap-in is prohibited.
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted.
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting.
+- If this policy setting is not configured or enabled, the snap-in is permitted.
-When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear.
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Active Directory Domains and Trusts*
-- GP name: *MMC_ActiveDirDomTrusts*
-- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
-- GP ADMX file name: *MMCSnapins.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
    +**ADMX mapping**:
-
-**ADMX_MMCSnapins/MMC_ActiveDirSitesServices**
+| Name | Value |
+|:--|:--|
+| Name | MMC_ADMUsers_1 |
+| Friendly Name | Administrative Templates (Users) |
+| Location | User Configuration |
+| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions |
+| Registry Key Name | Software\Policies\Microsoft\MMC\{0F6B957E-509E-11D1-A7CC-0000F87571E3} |
+| Registry Value Name | Restrict_Run |
+| ADMX File Name | MMCSnapins.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
    +
+## MMC_ADMUsers_2
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * User
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ADMUsers_2
+```
+
-
    -
-
-
+
+
 This policy setting permits or prohibits the use of this snap-in.
-If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
-If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
-If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited.
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting.
+- If this policy setting is not configured or disabled, this snap-in is prohibited.
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted.
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting.
+- If this policy setting is not configured or enabled, the snap-in is permitted.
-When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear.
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Active Directory Sites and Services*
-- GP name: *MMC_ActiveDirSitesServices*
-- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
-- GP ADMX file name: *MMCSnapins.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
    +**ADMX mapping**:
-
-**ADMX_MMCSnapins/MMC_ActiveDirUsersComp**
+| Name | Value |
+|:--|:--|
+| Name | MMC_ADMUsers_2 |
+| Friendly Name | Administrative Templates (Users) |
+| Location | User Configuration |
+| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions |
+| Registry Key Name | Software\Policies\Microsoft\MMC\{B6F9C8AF-EF3A-41C8-A911-37370C331DD4} |
+| Registry Value Name | Restrict_Run |
+| ADMX File Name | MMCSnapins.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
    +
+## MMC_ADSI
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * User
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ADSI
+```
+
-
    -
-
-
+
+
 This policy setting permits or prohibits the use of this snap-in.
-If you enable this policy setting, the snap-in is permitted. It can be added into the Microsoft Management Console or run from the command line as a standalone console.
+- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
-If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
-If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited.
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting.
+- If this policy setting is not configured or disabled, this snap-in is prohibited.
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted.
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting.
+- If this policy setting is not configured or enabled, the snap-in is permitted.
-When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear.
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Active Directory Users and Computers*
-- GP name: *MMC_ActiveDirUsersComp*
-- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
-- GP ADMX file name: *MMCSnapins.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
    +**ADMX mapping**:
-
-**ADMX_MMCSnapins/MMC_AppleTalkRouting**
+| Name | Value |
+|:--|:--|
+| Name | MMC_ADSI |
+| Friendly Name | ADSI Edit |
+| Location | User Configuration |
+| Path | MMC > Restricted/Permitted snap-ins |
+| Registry Key Name | Software\Policies\Microsoft\MMC\{1C5DACFA-16BA-11D2-81D0-0000F87A7AA3} |
+| Registry Value Name | Restrict_Run |
+| ADMX File Name | MMCSnapins.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
    +
+## MMC_AppleTalkRouting
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * User
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_AppleTalkRouting
+```
+
-
    -
-
-
+
+
 This policy setting permits or prohibits the use of this snap-in.
-If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
-If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
-If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited.
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting.
+- If this policy setting is not configured or disabled, this snap-in is prohibited.
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted.
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting.
+- If this policy setting is not configured or enabled, the snap-in is permitted.
-When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear.
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *AppleTalk Routing*
-- GP name: *MMC_AppleTalkRouting*
-- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
-- GP ADMX file name: *MMCSnapins.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
    +**ADMX mapping**:
-
-**ADMX_MMCSnapins/MMC_AuthMan**
+| Name | Value |
+|:--|:--|
+| Name | MMC_AppleTalkRouting |
+| Friendly Name | AppleTalk Routing |
+| Location | User Configuration |
+| Path | MMC_RESTRICT > Extension snap-ins |
+| Registry Key Name | Software\Policies\Microsoft\MMC\{1AA7F83C-C7F5-11D0-A376-00C04FC9DA04} |
+| Registry Value Name | Restrict_Run |
+| ADMX File Name | MMCSnapins.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
    +
+## MMC_AuthMan
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * User
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_AuthMan
+```
+
-
    -
-
-
+
+
 This policy setting permits or prohibits the use of this snap-in.
-If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
-If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
-If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited.
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting.
+- If this policy setting is not configured or disabled, this snap-in is prohibited.
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted.
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting.
+- If this policy setting is not configured or enabled, the snap-in is permitted.
-When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear.
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Authorization Manager*
-- GP name: *MMC_AuthMan*
-- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
-- GP ADMX file name: *MMCSnapins.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
    +**ADMX mapping**:
-
-**ADMX_MMCSnapins/MMC_CertAuth**
+| Name | Value |
+|:--|:--|
+| Name | MMC_AuthMan |
+| Friendly Name | Authorization Manager |
+| Location | User Configuration |
+| Path | MMC_RESTRICT > Extension snap-ins |
+| Registry Key Name | Software\Policies\Microsoft\MMC\{1F5EEC01-1214-4D94-80C5-4BDCD2014DDD} |
+| Registry Value Name | Restrict_Run |
+| ADMX File Name | MMCSnapins.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
    + +## MMC_CertAuth - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_CertAuth +``` + -
    - - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. 
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Certification Authority* -- GP name: *MMC_CertAuth* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MMCSnapins/MMC_CertAuthPolSet** +| Name | Value | +|:--|:--| +| Name | MMC_CertAuth | +| Friendly Name | Certification Authority | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{de751566-4cc6-11d1-8ca0-00c04fc297eb} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MMC_CertAuthPolSet - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_CertAuthPolSet +``` + -
    - - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. 
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Certification Authority Policy Settings* -- GP name: *MMC_CertAuthPolSet* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_Certs** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_CertAuthPolSet | +| Friendly Name | Certification Authority Policy Settings | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{3F276EB4-70EE-11D1-8A0F-00C04FB93753} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_Certs -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_Certs +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Certificates* -- GP name: *MMC_Certs* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_CertsTemplate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_Certs | +| Friendly Name | Certificates | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{53D6AB1D-2488-11D1-A28C-00C04FB94F17} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_CertsTemplate -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_CertsTemplate +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Certificate Templates* -- GP name: *MMC_CertsTemplate* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_ComponentServices** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_CertsTemplate | +| Friendly Name | Certificate Templates | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{A994E107-6854-4F3D-917C-E6F01670F6D3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ComponentServices -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ComponentServices +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Component Services* -- GP name: *MMC_ComponentServices* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_ComputerManagement** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ComponentServices | +| Friendly Name | Component Services | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C9BC92DF-5B9A-11D1-8F00-00C04FC2C17B} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ComputerManagement -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ComputerManagement +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Computer Management* -- GP name: *MMC_ComputerManagement* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_ConnectionSharingNAT** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ComputerManagement | +| Friendly Name | Computer Management | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{58221C67-EA27-11CF-ADCF-00AA00A80033} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ConnectionSharingNAT -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ConnectionSharingNAT +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Connection Sharing (NAT)* -- GP name: *MMC_ConnectionSharingNAT* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_DCOMCFG** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ConnectionSharingNAT | +| Friendly Name | Connection Sharing (NAT) | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C2FE450B-D6C2-11D0-A37B-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_DCOMCFG -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_DCOMCFG +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *DCOM Configuration Extension* -- GP name: *MMC_DCOMCFG* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_DFS** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_DCOMCFG | +| Friendly Name | DCOM Configuration Extension | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{9EC88934-C774-11d1-87F4-00C04FC2C17B} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_DeviceManager_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_DeviceManager_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Distributed File System* -- GP name: *MMC_DFS* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_DHCPRelayMgmt** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_DeviceManager_1 | +| Friendly Name | Device Manager | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{90087284-d6d6-11d0-8353-00a0c90640bf} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_DeviceManager_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_DeviceManager_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *DHCP Relay Management* -- GP name: *MMC_DHCPRelayMgmt* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_DeviceManager_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_DeviceManager_2 | +| Friendly Name | Device Manager | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{74246bfc-4c96-11d0-abef-0020af6b0b7a} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_DFS -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_DFS +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Device Manager* -- GP name: *MMC_DeviceManager_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_DeviceManager_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_DFS | +| Friendly Name | Distributed File System | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{677A2D94-28D9-11D1-A95B-008048918FB1} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_DHCPRelayMgmt -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_DHCPRelayMgmt +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Device Manager* -- GP name: *MMC_DeviceManager_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_DiskDefrag** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_DHCPRelayMgmt | +| Friendly Name | DHCP Relay Management | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C2FE4502-D6C2-11D0-A37B-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_DiskDefrag -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_DiskDefrag +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Disk Defragmenter* -- GP name: *MMC_DiskDefrag* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_DiskMgmt** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_DiskDefrag | +| Friendly Name | Disk Defragmenter | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{43668E21-2636-11D1-A1CE-0080C88593A5} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_DiskMgmt -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_DiskMgmt +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Disk Management* -- GP name: *MMC_DiskMgmt* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_EnterprisePKI** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_DiskMgmt | +| Friendly Name | Disk Management | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{8EAD3A12-B2C1-11d0-83AA-00A0C92C9D5D} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_EnterprisePKI -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_EnterprisePKI +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Enterprise PKI* -- GP name: *MMC_EnterprisePKI* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_EventViewer_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_EnterprisePKI | +| Friendly Name | Enterprise PKI | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{634BDE40-E5E1-49A1-B2CD-140FFFC830F9} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_EventViewer_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_EventViewer_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Event Viewer* -- GP name: *MMC_EventViewer_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_EventViewer_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_EventViewer_1 | +| Friendly Name | Event Viewer | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{394C052E-B830-11D0-9A86-00C04FD8DBF7} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_EventViewer_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_EventViewer_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Event Viewer (Windows Vista)* -- GP name: *MMC_EventViewer_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_EventViewer_3** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_EventViewer_2 | +| Friendly Name | Event Viewer (Windows Vista) | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{b05566ae-fe9c-4363-be05-7a4cbb7cb510} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_EventViewer_3 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_EventViewer_3 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Event Viewer* -- GP name: *MMC_EventViewer_3* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_EventViewer_4** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_EventViewer_3 | +| Friendly Name | Event Viewer | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{975797FC-4E2A-11D0-B702-00C04FD8DBF7} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_EventViewer_4 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_EventViewer_4 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Event Viewer (Windows Vista)* -- GP name: *MMC_EventViewer_4* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MMCSnapins/MMC_EventViewer_2** +| Name | Value | +|:--|:--| +| Name | MMC_EventViewer_4 | +| Friendly Name | Event Viewer (Windows Vista) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MMC_FailoverClusters - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_FailoverClusters +``` + -
    - - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. 
-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Event Viewer (Windows Vista)* -- GP name: *MMC_EventViewer_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_FAXService** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_FailoverClusters | +| Friendly Name | Failover Clusters Manager | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{D2779945-405B-4ACE-8618-508F3E3054AC} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_FAXService -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_FAXService +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *FAX Service* -- GP name: *MMC_FAXService* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_FailoverClusters** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_FAXService | +| Friendly Name | FAX Service | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{753EDB4D-2E1B-11D1-9064-00A0C90AB504} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_FolderRedirection_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_FolderRedirection_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Failover Clusters Manager* -- GP name: *MMC_FailoverClusters* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_FolderRedirection_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_FolderRedirection_1 | +| Friendly Name | Folder Redirection | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_FolderRedirection_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_FolderRedirection_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Folder Redirection* -- GP name: *MMC_FolderRedirection_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_FolderRedirection_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_FolderRedirection_2 | +| Friendly Name | Folder Redirection | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{c40d66a0-e90c-46c6-aa3b-473e38c72bf2} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_FrontPageExt -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_FrontPageExt +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Folder Redirection* -- GP name: *MMC_FolderRedirection_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_FrontPageExt** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_FrontPageExt | +| Friendly Name | FrontPage Server Extensions | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{FF5903A8-78D6-11D1-92F6-006097B01056} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_GroupPolicyManagementSnapIn -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *FrontPage Server Extensions* -- GP name: *MMC_FrontPageExt* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_GroupPolicyManagementSnapIn | +| Friendly Name | Group Policy Management | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\MMC\{E12BBB5D-D59D-4E61-947A-301D25AE8C23} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_GroupPolicySnapIn -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_GroupPolicySnapIn +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Group Policy Management* -- GP name: *MMC_GroupPolicyManagementSnapIn* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_GroupPolicySnapIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_GroupPolicySnapIn | +| Friendly Name | Group Policy Object Editor | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_GroupPolicyTab -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_GroupPolicyTab +``` + - - -This policy setting permits or prohibits the use of this snap-in. + + +Permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in those snap-ins. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. - -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. - -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. 
- -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - - - - -ADMX Info: -- GP Friendly name: *Group Policy Object Editor* -- GP name: *MMC_GroupPolicySnapIn* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy* -- GP ADMX file name: *MMCSnapins.admx* - - - - -
    - - -**ADMX_MMCSnapins/MMC_GroupPolicyTab** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. - -If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab isn't displayed in those snap-ins. - -If this setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this tab is displayed. +If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this tab is displayed. - If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users will not have access to the Group Policy tab. -To explicitly permit use of the Group Policy tab, enable this setting. If this setting isn't configured (or disabled), the Group Policy tab is inaccessible. +To explicitly permit use of the Group Policy tab, enable this setting. If this setting is not configured (or disabled), the Group Policy tab is inaccessible. - If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users will have access to the Group Policy tab. -To explicitly prohibit use of the Group Policy tab, disable this setting. If this setting isn't configured (or enabled), the Group Policy tab is accessible. - -When the Group Policy tab is inaccessible, it doesn't appear in the site, domain, or organizational unit property sheets. - - - - -ADMX Info: -- GP Friendly name: *Group Policy tab for Active Directory Tools* -- GP name: *MMC_GroupPolicyTab* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy* -- GP ADMX file name: *MMCSnapins.admx* - - - - -
    - - -**ADMX_MMCSnapins/MMC_HRA** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - +To explicitly prohibit use of the Group Policy tab, disable this setting. If this setting is not configured (or enabled), the Group Policy tab is accessible. + +When the Group Policy tab is inaccessible, it does not appear in the site, domain, or organizational unit property sheets. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MMC_GroupPolicyTab | +| Friendly Name | Group Policy tab for Active Directory Tools | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\MMC\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + + + + + + + + + +## MMC_HRA + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_HRA +``` + + + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. 
To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Health Registration Authority (HRA)* -- GP name: *MMC_HRA* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_IAS** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_HRA | +| Friendly Name | Health Registration Authority (HRA) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{89cc9588-7628-4d29-8e4a-6550d0087059} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IAS -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IAS +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Internet Authentication Service (IAS)* -- GP name: *MMC_IAS* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_IASLogging** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IAS | +| Friendly Name | Internet Authentication Service (IAS) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{8F8F8DC0-5713-11D1-9551-0060B0576642} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IASLogging -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IASLogging +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IAS Logging* -- GP name: *MMC_IASLogging* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_IEMaintenance_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IASLogging | +| Friendly Name | IAS Logging | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{2E19B602-48EB-11d2-83CA-00104BCA42CF} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IEMaintenance_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IEMaintenance_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Internet Explorer Maintenance* -- GP name: *MMC_IEMaintenance_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_IEMaintenance_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IEMaintenance_1 | +| Friendly Name | Internet Explorer Maintenance | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{FC715823-C5FB-11D1-9EEF-00A0C90347FF} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IEMaintenance_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IEMaintenance_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Internet Explorer Maintenance* -- GP name: *MMC_IEMaintenance_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_IGMPRouting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IEMaintenance_2 | +| Friendly Name | Internet Explorer Maintenance | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{d524927d-6c08-46bf-86af-391534d779d3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IGMPRouting -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IGMPRouting +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IGMP Routing* -- GP name: *MMC_IGMPRouting* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_IIS** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IGMPRouting | +| Friendly Name | IGMP Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C2FE4508-D6C2-11D0-A37B-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IIS -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IIS +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Internet Information Services* -- GP name: *MMC_IIS* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_IPRouting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IIS | +| Friendly Name | Internet Information Services | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{A841B6C2-7577-11D0-BB1F-00A0C922E79C} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IndexingService -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IndexingService +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IP Routing* -- GP name: *MMC_IPRouting* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_IPSecManage_GP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IndexingService | +| Friendly Name | Indexing Service | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{95AD72F0-44CE-11D0-AE29-00AA004B9986} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IPRouting -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IPRouting +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IP Security Policy Management* -- GP name: *MMC_IPSecManage_GP* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_IPXRIPRouting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IPRouting | +| Friendly Name | IP Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C2FE4500-D6C2-11D0-A37B-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IpSecManage -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IpSecManage +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IPX RIP Routing* -- GP name: *MMC_IPXRIPRouting* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_IPXRouting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IpSecManage | +| Friendly Name | IP Security Policy Management | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{DEA8AFA2-CC85-11d0-9CE2-0080C7221EBD} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IPSecManage_GP -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IPSecManage_GP +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IPX Routing* -- GP name: *MMC_IPXRouting* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_IPXSAPRouting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IPSecManage_GP | +| Friendly Name | IP Security Policy Management | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{DEA8AFA0-CC85-11d0-9CE2-0080C7221EBD} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IpSecMonitor -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IpSecMonitor +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IPX SAP Routing* -- GP name: *MMC_IPXSAPRouting* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_IndexingService** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IpSecMonitor | +| Friendly Name | IP Security Monitor | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{57C596D0-9370-40C0-BA0D-AB491B63255D} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IPXRIPRouting -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IPXRIPRouting +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Indexing Service* -- GP name: *MMC_IndexingService* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_IpSecManage** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IPXRIPRouting | +| Friendly Name | IPX RIP Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{90810502-38F1-11D1-9345-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IPXRouting -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IPXRouting +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IP Security Policy Management* -- GP name: *MMC_IpSecManage* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_IpSecMonitor** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IPXRouting | +| Friendly Name | IPX Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{90810500-38F1-11D1-9345-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IPXSAPRouting -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IPXSAPRouting +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IP Security Monitor* -- GP name: *MMC_IpSecMonitor* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_LocalUsersGroups** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IPXSAPRouting | +| Friendly Name | IPX SAP Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{90810504-38F1-11D1-9345-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_LocalUsersGroups -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_LocalUsersGroups +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Local Users and Groups* -- GP name: *MMC_LocalUsersGroups* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_LogicalMappedDrives** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_LocalUsersGroups | +| Friendly Name | Local Users and Groups | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{5D6179C8-17EC-11D1-9AA9-00C04FD8FE93} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_LogicalMappedDrives -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_LogicalMappedDrives +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Logical and Mapped Drives* -- GP name: *MMC_LogicalMappedDrives* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_NPSUI** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_LogicalMappedDrives | +| Friendly Name | Logical and Mapped Drives | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{6E8E0081-19CD-11D1-AD91-00AA00B8E05A} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_NapSnap -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_NapSnap +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Network Policy Server (NPS)* -- GP name: *MMC_NPSUI* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_NapSnap** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_NapSnap | +| Friendly Name | NAP Client Configuration | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{a1bc4eca-66b2-44e8-9915-be02e84438ba} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_NapSnap_GP -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_NapSnap_GP +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *NAP Client Configuration* -- GP name: *MMC_NapSnap* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_NapSnap_GP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_NapSnap_GP | +| Friendly Name | NAP Client Configuration | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{a1bc4ecb-66b2-44e8-9915-be02e84438ba} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_Net_Framework -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_Net_Framework +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *NAP Client Configuration* -- GP name: *MMC_NapSnap_GP* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_Net_Framework** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_Net_Framework | +| Friendly Name | .Net Framework Configuration | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{18BA7139-D98B-43c2-94DA-2604E34E175D} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_NPSUI -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_NPSUI +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *.Net Framework Configuration* -- GP name: *MMC_Net_Framework* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_OCSP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_NPSUI | +| Friendly Name | Network Policy Server (NPS) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{6630f2d7-bd52-4072-bfa7-863f3d0c5da0} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_OCSP -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_OCSP +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Online Responder* -- GP name: *MMC_OCSP* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_OSPFRouting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_OCSP | +| Friendly Name | Online Responder | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{6d8880af-e518-43a8-986c-1ad21c4c976e} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_OSPFRouting -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_OSPFRouting +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *OSPF Routing* -- GP name: *MMC_OSPFRouting* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_PerfLogsAlerts** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_OSPFRouting | +| Friendly Name | OSPF Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C2FE4506-D6C2-11D0-A37B-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_PerfLogsAlerts -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_PerfLogsAlerts +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Performance Logs and Alerts* -- GP name: *MMC_PerfLogsAlerts* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_PublicKey** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_PerfLogsAlerts | +| Friendly Name | Performance Logs and Alerts | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{7478EF61-8C46-11d1-8D99-00A0C913CAD4} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_PublicKey -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_PublicKey +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Public Key Policies* -- GP name: *MMC_PublicKey* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_QoSAdmission** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_PublicKey | +| Friendly Name | Public Key Policies | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{34AB8E82-C27E-11D1-A6C0-00C04FB94F17} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_QoSAdmission -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_QoSAdmission +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *QoS Admission Control* -- GP name: *MMC_QoSAdmission* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_RAS_DialinUser** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_QoSAdmission | +| Friendly Name | QoS Admission Control | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{FD57D297-4FD9-11D1-854E-00C04FC31FD3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RAS_DialinUser -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RAS_DialinUser +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *RAS Dialin - User Node* -- GP name: *MMC_RAS_DialinUser* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_RIPRouting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RAS_DialinUser | +| Friendly Name | RAS Dialin - User Node | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RemoteAccess -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RemoteAccess +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *RIP Routing* -- GP name: *MMC_RIPRouting* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_RIS** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RemoteAccess | +| Friendly Name | Remote Access | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{5880CD5C-8EC0-11d1-9570-0060B0576642} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RemoteDesktop -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RemoteDesktop +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Remote Installation Services* -- GP name: *MMC_RIS* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_RRA** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RemoteDesktop | +| Friendly Name | Remote Desktops | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{3D5D035E-7721-4B83-A645-6C07A3D403B7} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RemStore -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RemStore +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Routing and Remote Access* -- GP name: *MMC_RRA* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_RSM** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RemStore | +| Friendly Name | Removable Storage | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{243E20B0-48ED-11D2-97DA-00A024D77700} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ResultantSetOfPolicySnapIn -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Removable Storage Management* -- GP name: *MMC_RSM* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_RemStore** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ResultantSetOfPolicySnapIn | +| Friendly Name | Resultant Set of Policy snap-in | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\MMC\{6DC3804B-7212-458D-ADB0-9A07E2AE1FA2} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RIPRouting -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RIPRouting +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Removable Storage* -- GP name: *MMC_RemStore* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_RemoteAccess** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RIPRouting | +| Friendly Name | RIP Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C2FE4504-D6C2-11D0-A37B-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RIS -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RIS +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Remote Access* -- GP name: *MMC_RemoteAccess* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_RemoteDesktop** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RIS | +| Friendly Name | Remote Installation Services | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{3060E8CE-7020-11D2-842D-00C04FA372D4} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_Routing -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_Routing +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Remote Desktops* -- GP name: *MMC_RemoteDesktop* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_Routing | +| Friendly Name | Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{DAB1A262-4FD7-11D1-842C-00C04FB6C218} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RRA -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RRA +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Resultant Set of Policy snap-in* -- GP name: *MMC_ResultantSetOfPolicySnapIn* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_Routing** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RRA | +| Friendly Name | Routing and Remote Access | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{1AA7F839-C7F5-11D0-A376-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RSM -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RSM +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Routing* -- GP name: *MMC_Routing* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_SCA** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RSM | +| Friendly Name | Removable Storage Management | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{3CB6973D-3E6F-11D0-95DB-00A024D77700} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SCA -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SCA +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Security Configuration and Analysis* -- GP name: *MMC_SCA* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_SMTPProtocol** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SCA | +| Friendly Name | Security Configuration and Analysis | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{011BE22D-E453-11D1-945A-00C04FB984F9} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ScriptsMachine_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ScriptsMachine_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *SMTP Protocol* -- GP name: *MMC_SMTPProtocol* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_SNMP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ScriptsMachine_1 | +| Friendly Name | Scripts (Startup/Shutdown) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{40B6664F-4972-11D1-A7CA-0000F87571E3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ScriptsMachine_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ScriptsMachine_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *SNMP* -- GP name: *MMC_SNMP* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_ScriptsMachine_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ScriptsMachine_2 | +| Friendly Name | Scripts (Startup/Shutdown) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{40B66660-4972-11d1-A7CA-0000F87571E3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ScriptsUser_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ScriptsUser_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Scripts (Startup/Shutdown)* -- GP name: *MMC_ScriptsMachine_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_ScriptsMachine_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ScriptsUser_1 | +| Friendly Name | Scripts (Logon/Logoff) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{40B66650-4972-11D1-A7CA-0000F87571E3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ScriptsUser_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ScriptsUser_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Scripts (Startup/Shutdown)* -- GP name: *MMC_ScriptsMachine_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_ScriptsUser_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ScriptsUser_2 | +| Friendly Name | Scripts (Logon/Logoff) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{40B66661-4972-11d1-A7CA-0000F87571E3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SecuritySettings_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SecuritySettings_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Scripts (Logon/Logoff)* -- GP name: *MMC_ScriptsUser_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_ScriptsUser_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SecuritySettings_1 | +| Friendly Name | Security Settings | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{803E14A0-B4FB-11D0-A0D0-00A0C90F574B} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SecuritySettings_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SecuritySettings_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Scripts (Logon/Logoff)* -- GP name: *MMC_ScriptsUser_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_SecuritySettings_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SecuritySettings_2 | +| Friendly Name | Security Settings | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{fe883157-cebd-4570-b7a2-e4fe06abe626} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SecurityTemplates -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SecurityTemplates +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Security Settings* -- GP name: *MMC_SecuritySettings_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_SecuritySettings_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SecurityTemplates | +| Friendly Name | Security Templates | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{5ADF5BF6-E452-11D1-945A-00C04FB984F9} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SendConsoleMessage -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SendConsoleMessage +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Security Settings* -- GP name: *MMC_SecuritySettings_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_SecurityTemplates** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SendConsoleMessage | +| Friendly Name | Send Console Message | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{B1AFF7D0-0C49-11D1-BB12-00C04FC9A3A3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ServerManager -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ServerManager +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Security Templates* -- GP name: *MMC_SecurityTemplates* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_SendConsoleMessage** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ServerManager | +| Friendly Name | Server Manager | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{18ea3f92-d6aa-41d9-a205-2023400c8fbb} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ServiceDependencies -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ServiceDependencies +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Send Console Message* -- GP name: *MMC_SendConsoleMessage* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_ServerManager** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ServiceDependencies | +| Friendly Name | Service Dependencies | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{BD95BA60-2E26-AAD1-AD99-00AA00B8E05A} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_Services -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_Services +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Server Manager* -- GP name: *MMC_ServerManager* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_ServiceDependencies** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_Services | +| Friendly Name | Services | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{58221C66-EA27-11CF-ADCF-00AA00A80033} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SharedFolders -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SharedFolders +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Service Dependencies* -- GP name: *MMC_ServiceDependencies* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_Services** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SharedFolders | +| Friendly Name | Shared Folders | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{58221C65-EA27-11CF-ADCF-00AA00A80033} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SharedFolders_Ext -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SharedFolders_Ext +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Services* -- GP name: *MMC_Services* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_SharedFolders** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SharedFolders_Ext | +| Friendly Name | Shared Folders Ext | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{58221C69-EA27-11CF-ADCF-00AA00A80033} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SMTPProtocol -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SMTPProtocol +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Shared Folders* -- GP name: *MMC_SharedFolders* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_SharedFolders_Ext** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SMTPProtocol | +| Friendly Name | SMTP Protocol | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{03f1f940-a0f2-11d0-bb77-00aa00a1eab7} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SNMP -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SNMP +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Shared Folders Ext* -- GP name: *MMC_SharedFolders_Ext* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SNMP | +| Friendly Name | SNMP | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{7AF60DD3-4979-11D1-8A6C-00C04FC33566} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SoftwareInstalationComputers_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Software Installation (Computers)* -- GP name: *MMC_SoftwareInstalationComputers_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SoftwareInstalationComputers_1 | +| Friendly Name | Software Installation (Computers) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{942A8E4F-A261-11D1-A760-00C04FB9603F} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SoftwareInstalationComputers_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Software Installation (Computers)* -- GP name: *MMC_SoftwareInstalationComputers_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SoftwareInstalationComputers_2 | +| Friendly Name | Software Installation (Computers) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{7E45546F-6D52-4D10-B702-9C2E67232E62} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SoftwareInstallationUsers_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Software Installation (Users)* -- GP name: *MMC_SoftwareInstallationUsers_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SoftwareInstallationUsers_1 | +| Friendly Name | Software Installation (Users) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SoftwareInstallationUsers_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Software Installation (Users)* -- GP name: *MMC_SoftwareInstallationUsers_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_SysInfo** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SoftwareInstallationUsers_2 | +| Friendly Name | Software Installation (Users) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SysInfo -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SysInfo +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *System Information* -- GP name: *MMC_SysInfo* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_SysProp** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SysInfo | +| Friendly Name | System Information | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{45ac8c63-23e2-11d1-a696-00c04fd58bc3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SysProp -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SysProp +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *System Properties* -- GP name: *MMC_SysProp* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_TPMManagement** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SysProp | +| Friendly Name | System Properties | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{0F3621F1-23C6-11D1-AD97-00AA00B88E5A} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_Telephony -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_Telephony +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *TPM Management* -- GP name: *MMC_TPMManagement* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_Telephony** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_Telephony | +| Friendly Name | Telephony | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{E26D02A0-4C1F-11D1-9AA1-00C04FC3357A} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_TerminalServices -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_TerminalServices +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Telephony* -- GP name: *MMC_Telephony* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_TerminalServices** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_TerminalServices | +| Friendly Name | Remote Desktop Services Configuration | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{B91B6008-32D2-11D2-9888-00A0C925F917} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_TPMManagement -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_TPMManagement +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Remote Desktop Services Configuration* -- GP name: *MMC_TerminalServices* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_WMI** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_TPMManagement | +| Friendly Name | TPM Management | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{7d3830aa-e69e-4e17-8bd1-1b87b97099da} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_WindowsFirewall -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_WindowsFirewall +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *WMI Control* -- GP name: *MMC_WMI* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_WindowsFirewall** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_WindowsFirewall | +| Friendly Name | Windows Firewall with Advanced Security | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{b05566ac-fe9c-4368-be02-7a4cbb7cbe11} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_WindowsFirewall_GP -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_WindowsFirewall_GP +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Windows Firewall with Advanced Security* -- GP name: *MMC_WindowsFirewall* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_WindowsFirewall_GP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_WindowsFirewall_GP | +| Friendly Name | Windows Firewall with Advanced Security | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{0E752416-F29E-4195-A9DD-7F0D4D5A9D71} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_WiredNetworkPolicy -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_WiredNetworkPolicy +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Windows Firewall with Advanced Security* -- GP name: *MMC_WindowsFirewall_GP* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_WiredNetworkPolicy** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_WiredNetworkPolicy | +| Friendly Name | Wired Network (IEEE 802.3) Policies | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{06993B16-A5C7-47EB-B61C-B1CB7EE600AC} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_WirelessMon -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_WirelessMon +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Wired Network (IEEE 802.3) Policies* -- GP name: *MMC_WiredNetworkPolicy* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_WirelessMon** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_WirelessMon | +| Friendly Name | Wireless Monitor | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{23DC5869-BD9F-46fd-AADD-1F869BA64FC3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_WirelessNetworkPolicy -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_WirelessNetworkPolicy +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. 
+- If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Wireless Monitor* -- GP name: *MMC_WirelessMon* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMCSnapins/MMC_WirelessNetworkPolicy** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_WirelessNetworkPolicy | +| Friendly Name | Wireless Network (IEEE 802.11) Policies | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{2DA6AA7F-8C88-4194-A558-0D36E7FD3E64} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_WMI -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_WMI +``` + - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. 
+ -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + + + -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +**Description framework properties**: -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
- +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | MMC_WMI | +| Friendly Name | WMI Control | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{5C659257-E236-11D2-8899-00104B2AFB46} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + - -ADMX Info: -- GP Friendly name: *Wireless Network (IEEE 802.11) Policies* -- GP name: *MMC_WirelessNetworkPolicy* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + + + - - + + + + - + -## Related topics +## Related articles -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md index a6dc221389..3e4935741b 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md 
@@ -1,140 +1,160 @@ --- -title: Policy CSP - ADMX_MobilePCMobilityCenter -description: Learn about Policy CSP - ADMX_MobilePCMobilityCenter. +title: ADMX_MobilePCMobilityCenter Policy CSP +description: Learn more about the ADMX_MobilePCMobilityCenter Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/20/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MobilePCMobilityCenter > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MobilePCMobilityCenter policies + +## MobilityCenterEnable_1 -
    -
    - ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1 -
    -
    - ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1 +``` + -
    - - -**ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting turns off Windows Mobility Center. -- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file doesn't launch it. +- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it. + - If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it. -If you don't configure this policy setting, Windows Mobility Center is on by default. +- If you do not configure this policy setting, Windows Mobility Center is on by default. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows Mobility Center* -- GP name: *MobilityCenterEnable_1* -- GP path: *Windows Components\Windows Mobility Center* -- GP ADMX file name: *MobilePCMobilityCenter.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MobilityCenterEnable_1 | +| Friendly Name | Turn off Windows Mobility Center | +| Location | User Configuration | +| Path | Windows Components > Windows Mobility Center | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\MobilityCenter | +| Registry Value Name | NoMobilityCenter | +| ADMX File Name | MobilePCMobilityCenter.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MobilityCenterEnable_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2 +``` + - - + + This policy setting turns off Windows Mobility Center. -- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file doesn't launch it. +- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it. + - If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it. -If you don't configure this policy setting, Windows Mobility Center is on by default. +- If you do not configure this policy setting, Windows Mobility Center is on by default. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows Mobility Center* -- GP name: *MobilityCenterEnable_2* -- GP path: *Windows Components\Windows Mobility Center* -- GP ADMX file name: *MobilePCMobilityCenter.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +| Name | Value | +|:--|:--| +| Name | MobilityCenterEnable_2 | +| Friendly Name | Turn off Windows Mobility Center | +| Location | Computer Configuration | +| Path | Windows Components > Windows Mobility Center | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\MobilityCenter | +| Registry Value Name | NoMobilityCenter | +| ADMX File Name | MobilePCMobilityCenter.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md index 1fefcaa209..ad7d9672ac 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md 
@@ -1,153 +1,166 @@ --- -title: Policy CSP - ADMX_MobilePCPresentationSettings -description: Learn about Policy CSP - ADMX_MobilePCPresentationSettings. +title: ADMX_MobilePCPresentationSettings Policy CSP +description: Learn more about the ADMX_MobilePCPresentationSettings Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/20/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MobilePCPresentationSettings > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MobilePCPresentationSettings policies + +## PresentationSettingsEnable_1 -
    -
    - ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1 -
    -
    - ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1 +``` + - - -**ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1** - - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting turns off Windows presentation settings. -If you enable this policy setting, Windows presentation settings can't be invoked. +- If you enable this policy setting, Windows presentation settings cannot be invoked. -If you disable this policy setting, Windows presentation settings can be invoked. - -The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image. - -> [!NOTE] -> Users will be able to customize their system settings for presentations in Windows Mobility Center. -If you do not configure this policy setting, Windows presentation settings can be invoked. - - - - - - -ADMX Info: -- GP Friendly name: *Turn off Windows presentation settings* -- GP name: *PresentationSettingsEnable_1* -- GP path: *Windows Components\Presentation Settings* -- GP ADMX file name: *MobilePCPresentationSettings.admx* - - - -
    - - -**ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting turns off Windows presentation settings. - -If you enable this policy setting, Windows presentation settings can't be invoked. - -If you disable this policy setting, Windows presentation settings can be invoked. - -The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image. +- If you disable this policy setting, Windows presentation settings can be invoked. The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image. > [!NOTE] > Users will be able to customize their system settings for presentations in Windows Mobility Center. -If you do not configure this policy setting, Windows presentation settings can be invoked. +- If you do not configure this policy setting, Windows presentation settings can be invoked. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows presentation settings* -- GP name: *PresentationSettingsEnable_2* -- GP path: *Windows Components\Presentation Settings* -- GP ADMX file name: *MobilePCPresentationSettings.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | PresentationSettingsEnable_1 | +| Friendly Name | Turn off Windows presentation settings | +| Location | User Configuration | +| Path | Windows Components > Presentation Settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\PresentationSettings | +| Registry Value Name | NoPresentationSettings | +| ADMX File Name | MobilePCPresentationSettings.admx | + + + + + + + + + +## PresentationSettingsEnable_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2 +``` + + + + +This policy setting turns off Windows presentation settings. + +- If you enable this policy setting, Windows presentation settings cannot be invoked. + +- If you disable this policy setting, Windows presentation settings can be invoked. The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image. + +> [!NOTE] +> Users will be able to customize their system settings for presentations in Windows Mobility Center. + +- If you do not configure this policy setting, Windows presentation settings can be invoked. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PresentationSettingsEnable_2 | +| Friendly Name | Turn off Windows presentation settings | +| Location | Computer Configuration | +| Path | Windows Components > Presentation Settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\PresentationSettings | +| Registry Value Name | NoPresentationSettings | +| ADMX File Name | MobilePCPresentationSettings.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) 
diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md
index 1c084d9952..aac8c8c118 100644
--- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md
+++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md
@@ -1,90 +1,97 @@ --- -title: Policy CSP - ADMX_MSAPolicy -description: Learn about Policy CSP - ADMX_MSAPolicy. +title: ADMX_MSAPolicy Policy CSP +description: Learn more about the ADMX_MSAPolicy Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/14/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MSAPolicy ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MSAPolicy policies + +## MicrosoftAccount_DisableUserAuth -
    -
    - ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSAPolicy/MicrosoftAccount_DisableUserAuth +``` + -
    + + +This setting controls whether users can provide Microsoft accounts for authentication for applications or services. +- If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. +This applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. +It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. +- If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication. +By default, this setting is Disabled. This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications. + - -**ADMX_MSAPolicy/MicrosoftAccount_DisableUserAuth** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | MicrosoftAccount_DisableUserAuth | +| Friendly Name | Block all consumer Microsoft account user authentication | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft account | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftAccount | +| Registry Value Name | DisableUserAuth | +| ADMX File Name | MSAPolicy.admx | + -
    + + + - - -This policy setting controls whether users can provide Microsoft accounts for authentication, applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. + -This functionality applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user won't be affected by enabling this setting until the authentication cache expires. + + + -It's recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication. + -By default, this setting is Disabled. This setting doesn't affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications. +## Related articles - - - - -ADMX Info: -- GP Friendly name: *Block all consumer Microsoft account user authentication* -- GP name: *MicrosoftAccount_DisableUserAuth* -- GP path: *Windows Components\Microsoft account* -- GP ADMX file name: *MSAPolicy.admx* - - - -
    - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md index 8376d30476..a42f6715cd 100644 --- a/windows/client-management/mdm/policy-csp-admx-msched.md +++ b/windows/client-management/mdm/policy-csp-admx-msched.md 
@@ -1,143 +1,161 @@ --- -title: Policy CSP - ADMX_msched -description: Learn about Policy CSP - ADMX_msched. +title: ADMX_msched Policy CSP +description: Learn more about the ADMX_msched Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/08/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_msched ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_msched policies + +## ActivationBoundaryPolicy -
    -
    - ADMX_msched/ActivationBoundaryPolicy -
    -
    - ADMX_msched/RandomDelayPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_msched/ActivationBoundaryPolicy +``` + -
    + + +This policy setting allows you to configure Automatic Maintenance activation boundary. - -**ADMX_msched/ActivationBoundaryPolicy** +The maintenance activation boundary is the daily schduled time at which Automatic Maintenance starts - +- If you enable this policy setting, this will override the default daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you disable or do not configure this policy setting, the daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This policy setting allows you to configure Automatic Maintenance activation boundary. The maintenance activation boundary is the daily scheduled time at which Automatic Maintenance starts. +**ADMX mapping**: -If you enable this policy setting, this scheduled time will override the default daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel. +| Name | Value | +|:--|:--| +| Name | ActivationBoundaryPolicy | +| Friendly Name | Automatic Maintenance Activation Boundary | +| Location | Computer Configuration | +| Path | Windows Components > Maintenance Scheduler | +| Registry Key Name | Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance | +| ADMX File Name | msched.admx | + -If you disable or don't configure this policy setting, the daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. + + + - + + +## RandomDelayPolicy - -ADMX Info: -- GP Friendly name: *Automatic Maintenance Activation Boundary* -- GP name: *ActivationBoundaryPolicy* -- GP path: *Windows Components\Maintenance Scheduler* -- GP ADMX file name: *msched.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_msched/RandomDelayPolicy +``` + - -**ADMX_msched/RandomDelayPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to configure Automatic Maintenance activation random delay. The maintenance random delay is the amount of time up to which Automatic Maintenance will delay starting from its Activation Boundary. -If you enable this policy setting, Automatic Maintenance will delay starting from its Activation Boundary, by up to this time. +- If you enable this policy setting, Automatic Maintenance will delay starting from its Activation Boundary, by upto this time. -If you don't configure this policy setting, 4 hour random delay will be applied to Automatic Maintenance. +- If you do not configure this policy setting, 4 hour random delay will be applied to Automatic Maintenance. -If you disable this policy setting, no random delay will be applied to Automatic Maintenance. +- If you disable this policy setting, no random delay will be applied to Automatic Maintenance. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Automatic Maintenance Random Delay* -- GP name: *RandomDelayPolicy* -- GP path: *Windows Components\Maintenance Scheduler* -- GP ADMX file name: *msched.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | RandomDelayPolicy | +| Friendly Name | Automatic Maintenance Random Delay | +| Location | Computer Configuration | +| Path | Windows Components > Maintenance Scheduler | +| Registry Key Name | Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance | +| Registry Value Name | Randomized | +| ADMX File Name | msched.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md index 4b04ef6231..cdfeba781c 100644 --- a/windows/client-management/mdm/policy-csp-admx-msdt.md +++ b/windows/client-management/mdm/policy-csp-admx-msdt.md 
@@ -1,220 +1,244 @@ --- -title: Policy CSP - ADMX_MSDT -description: Learn about Policy CSP - ADMX_MSDT. +title: ADMX_MSDT Policy CSP +description: Learn more about the ADMX_MSDT Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MSDT ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MSDT policies + +## MsdtSupportProvider -
    -
    - ADMX_MSDT/MsdtSupportProvider -
    -
    - ADMX_MSDT/MsdtToolDownloadPolicy -
    -
    - ADMX_MSDT/WdiScenarioExecutionPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSDT/MsdtSupportProvider +``` + -
    - - -**ADMX_MSDT/MsdtSupportProvider** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. -If you enable this policy setting, users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. +- If you enable this policy setting, users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. By default, the support provider is set to Microsoft Corporation. -If you disable this policy setting, MSDT can't run in support mode, and no data can be collected or sent to the support provider. +- If you disable this policy setting, MSDT cannot run in support mode, and no data can be collected or sent to the support provider. -If you don't configure this policy setting, MSDT support mode is enabled by default. +- If you do not configure this policy setting, MSDT support mode is enabled by default. No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider* -- GP name: *MsdtSupportProvider* -- GP path: *System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool* -- GP ADMX file name: *MSDT.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MSDT/MsdtToolDownloadPolicy** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MsdtSupportProvider | +| Friendly Name | Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Microsoft Support Diagnostic Tool | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy | +| Registry Value Name | DisableQueryRemoteServer | +| ADMX File Name | MSDT.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MsdtToolDownloadPolicy -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSDT/MsdtToolDownloadPolicy +``` + - - + + This policy setting restricts the tool download policy for Microsoft Support Diagnostic Tool. -Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. +Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. For some problems, MSDT may prompt the user to download additional tools for troubleshooting. -For some problems, MSDT may prompt the user to download more tools for troubleshooting. These tools are required to completely troubleshoot the problem. +These tools are required to completely troubleshoot the problem. If tool download is restricted, it may not be possible to find the root cause of the problem. -If tool download is restricted, it may not be possible to find the root cause of the problem. +- If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download additional tools to diagnose problems on remote computers only. +- If you enable this policy setting for local and remote troubleshooting, MSDT always prompts for additional tool downloading. -If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download more tools to diagnose problems on remote computers only. +- If you disable this policy setting, MSDT never downloads tools, and is unable to diagnose problems on remote computers. -If you enable this policy setting for local and remote troubleshooting, MSDT always prompts for more tool downloading. +- If you do not configure this policy setting, MSDT prompts the user before downloading any additional tools. -If you disable this policy setting, MSDT never downloads tools, and is unable to diagnose problems on remote computers. - -If you don't configure this policy setting, MSDT prompts the user before downloading any extra tools. 
No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. +No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. This policy setting will take effect only when MSDT is enabled. -This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. +This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + -When the service is stopped or disabled, diagnostic scenarios aren't executed. + + + -The DPS can be configured with the Services snap-in to the Microsoft Management Console. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Microsoft Support Diagnostic Tool: Restrict tool download* -- GP name: *MsdtToolDownloadPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool* -- GP ADMX file name: *MSDT.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MsdtToolDownloadPolicy | +| Friendly Name | Microsoft Support Diagnostic Tool: Restrict tool download | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Microsoft Support Diagnostic Tool | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{C295FBBA-FD47-46ac-8BEE-B1715EC634E5} | +| Registry Value Name | DownloadToolsEnabled | +| ADMX File Name | MSDT.admx | + - -**ADMX_MSDT/WdiScenarioExecutionPolicy** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## WdiScenarioExecutionPolicy - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSDT/WdiScenarioExecutionPolicy +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines the execution level for Microsoft Support Diagnostic Tool. -Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. If you enable this policy setting, administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. +Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. -If you disable this policy setting, MSDT can't gather diagnostic data. If you don't configure this policy setting, MSDT is turned on by default. +- If you enable this policy setting, administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. -This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. +- If you disable this policy setting, MSDT cannot gather diagnostic data. + +- If you do not configure this policy setting, MSDT is turned on by default. + +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. -This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. +This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Support Diagnostic Tool: Configure execution level* -- GP name: *WdiScenarioExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool* -- GP ADMX file name: *MSDT.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Microsoft Support Diagnostic Tool: Configure execution level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Microsoft Support Diagnostic Tool | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{C295FBBA-FD47-46ac-8BEE-B1715EC634E5} | +| ADMX File Name | MSDT.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md index bb0ca20459..637630abaf 100644 --- a/windows/client-management/mdm/policy-csp-admx-msi.md +++ b/windows/client-management/mdm/policy-csp-admx-msi.md 
@@ -1,290 +1,240 @@ --- -title: Policy CSP - ADMX_MSI -description: Learn about Policy CSP - ADMX_MSI. +title: ADMX_MSI Policy CSP +description: Learn more about the ADMX_MSI Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/16/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MSI ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MSI policies + +## AllowLockdownBrowse -
    -
    - ADMX_MSI/AllowLockdownBrowse -
    -
    - ADMX_MSI/AllowLockdownMedia -
    -
    - ADMX_MSI/AllowLockdownPatch -
    -
    - ADMX_MSI/DisableAutomaticApplicationShutdown -
    -
    - ADMX_MSI/DisableBrowse -
    -
    - ADMX_MSI/DisableFlyweightPatching -
    -
    - ADMX_MSI/DisableLoggingFromPackage -
    -
    - ADMX_MSI/DisableMSI -
    -
    - ADMX_MSI/DisableMedia -
    -
    - ADMX_MSI/DisablePatch -
    -
    - ADMX_MSI/DisableRollback_1 -
    -
    - ADMX_MSI/DisableRollback_2 -
    -
    - ADMX_MSI/DisableSharedComponent -
    -
    - ADMX_MSI/MSILogging -
    -
    - ADMX_MSI/MSI_DisableLUAPatching -
    -
    - ADMX_MSI/MSI_DisablePatchUninstall -
    -
    - ADMX_MSI/MSI_DisableSRCheckPoints -
    -
    - ADMX_MSI/MSI_DisableUserInstalls -
    -
    - ADMX_MSI/MSI_EnforceUpgradeComponentRules -
    -
    - ADMX_MSI/MSI_MaxPatchCacheSize -
    -
    - ADMX_MSI/MsiDisableEmbeddedUI -
    -
    - ADMX_MSI/SafeForScripting -
    -
    - ADMX_MSI/SearchOrder -
    -
    - ADMX_MSI/TransformsSecure -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/AllowLockdownBrowse +``` + - -**ADMX_MSI/AllowLockdownBrowse** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows users to search for installation files during privileged installations. -If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges. +- If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges. -Because the installation is running with elevated system privileges, users can browse through directories that their own permissions wouldn't allow. +Because the installation is running with elevated system privileges, users can browse through directories that their own permissions would not allow. -This policy setting doesn't affect installations that run in the user's security context. Also, see the "Remove browse dialog box for new source" policy setting. +This policy setting does not affect installations that run in the user's security context. Also, see the "Remove browse dialog box for new source" policy setting. -If you disable or don't configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. +- If you disable or do not configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow users to browse for source while elevated* -- GP name: *AllowLockdownBrowse* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MSI/AllowLockdownMedia** +| Name | Value | +|:--|:--| +| Name | AllowLockdownBrowse | +| Friendly Name | Allow users to browse for source while elevated | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | AllowLockdownBrowse | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowLockdownMedia - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/AllowLockdownMedia +``` + -
    - - - + + This policy setting allows users to install programs from removable media during privileged installations. -If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even when the installation program is running with elevated system privileges. +- If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even when the installation program is running with elevated system privileges. -This policy setting doesn't affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context. +This policy setting does not affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context. -If you disable or don't configure this policy setting, users can install programs from removable media by default, only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media. +- If you disable or do not configure this policy setting, by default, users can install programs from removable media only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media. Also, see the "Prevent removable media source for any install" policy setting. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow users to use media source while elevated* -- GP name: *AllowLockdownMedia* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MSI/AllowLockdownPatch** +| Name | Value | +|:--|:--| +| Name | AllowLockdownMedia | +| Friendly Name | Allow users to use media source while elevated | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | AllowLockdownMedia | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowLockdownPatch - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/AllowLockdownPatch +``` + -
    - - - + + This policy setting allows users to patch elevated products. -If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use. +- If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use. -If you disable or don't configure this policy setting, by default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. +- If you disable or do not configure this policy setting, by default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. -This policy setting doesn't affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting. - +This policy setting does not affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting. 
+ + + + - -ADMX Info: -- GP Friendly name: *Allow users to patch elevated products* -- GP name: *AllowLockdownPatch* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MSI/DisableAutomaticApplicationShutdown** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowLockdownPatch | +| Friendly Name | Allow users to patch elevated products | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | AllowLockdownPatch | +| ADMX File Name | MSI.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableAutomaticApplicationShutdown -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableAutomaticApplicationShutdown +``` + - - + + This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. -If you enable this policy setting, you can use the options in the Prohibit Use of Restart Manager box to control file in use detection behavior. +- If you enable this policy setting, you can use the options in the Prohibit Use of Restart Manager box to control file in use detection behavior. - The "Restart Manager On" option instructs Windows Installer to use Restart Manager to detect files in use and mitigate a system restart, when possible. 
@@ -292,1049 +242,1308 @@ If you enable this policy setting, you can use the options in the Prohibit Use o - The "Restart Manager Off for Legacy App Setup" option applies to packages that were created for Windows Installer versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Restart Manager for detection. -If you disable or don't configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible. +- If you disable or do not configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible. + - + + + + +**Description framework properties**: - -ADMX Info: -- GGP Friendly name: *Prohibit use of Restart Manager* -- GP name: *DisableAutomaticApplicationShutdown* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MSI/DisableBrowse** +| Name | Value | +|:--|:--| +| Name | DisableAutomaticApplicationShutdown | +| Friendly Name | Prohibit use of Restart Manager | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableBrowse - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableBrowse +``` + -
    - - - + + This policy setting prevents users from searching for installation files when they add features or components to an installed program. -If you enable this policy setting, the Browse button beside the "Use feature from" list in the Windows Installer dialog box is disabled. As a result, users must select an installation file source from the "Use features from" list that the system administrator configures. +- If you enable this policy setting, the Browse button beside the "Use feature from" list in the Windows Installer dialog box is disabled. As a result, users must select an installation file source from the "Use features from" list that the system administrator configures. This policy setting applies even when the installation is running in the user's security context. -If you disable or don't configure this policy setting, the Browse button is enabled when an installation is running in the user's security context. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. +- If you disable or do not configure this policy setting, the Browse button is enabled when an installation is running in the user's security context. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. -This policy setting affects Windows Installer only. It doesn't prevent users from selecting other browsers, such as File Explorer or Network Locations, to search for installation files. +This policy setting affects Windows Installer only. It does not prevent users from selecting other browsers, such as File Explorer or Network Locations, to search for installation files. Also, see the "Enable user to browse for source while elevated" policy setting. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove browse dialog box for new source* -- GP name: *DisableBrowse* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MSI/DisableFlyweightPatching** +| Name | Value | +|:--|:--| +| Name | DisableBrowse | +| Friendly Name | Remove browse dialog box for new source | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisableBrowse | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableFlyweightPatching - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableFlyweightPatching +``` + -
    - - - + + This policy setting controls the ability to turn off all patch optimizations. -If you enable this policy setting, all Patch Optimization options are turned off during the installation. +- If you enable this policy setting, all Patch Optimization options are turned off during the installation. -If you disable or don't configure this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing. +- If you disable or do not configure this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit flyweight patching* -- GP name: *DisableFlyweightPatching* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MSI/DisableLoggingFromPackage** +| Name | Value | +|:--|:--| +| Name | DisableFlyweightPatching | +| Friendly Name | Prohibit flyweight patching | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableLoggingFromPackage - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableLoggingFromPackage +``` + -
    - - - + + This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installation package can be used to enable automatic logging of all install operations for the package. -If you enable this policy setting, you can use the options in the Disable logging via package settings box to control automatic logging via package settings behavior. +- If you enable this policy setting, you can use the options in the Disable logging via package settings box to control automatic logging via package settings behavior. - The "Logging via package settings on" option instructs Windows Installer to automatically generate log files for packages that include the MsiLogging property. - The "Logging via package settings off" option turns off the automatic logging behavior when specified via the MsiLogging policy. Log files can still be generated using the logging command line switch or the Logging policy. -If you disable or don't configure this policy setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property. +- If you disable or do not configure this policy setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off logging via package settings* -- GP name: *DisableLoggingFromPackage* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MSI/DisableMSI** +| Name | Value | +|:--|:--| +| Name | DisableLoggingFromPackage | +| Friendly Name | Turn off logging via package settings | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableMedia - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableMedia +``` + -
    - - - -This policy setting restricts the use of Windows Installer. - -If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting. - -- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. - -- The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This option's induced behavior is the default behavior of Windows Installer on Windows Server 2003 family when the policy isn't configured. - -- The "Always" option indicates that Windows Installer is disabled. - -This policy setting affects Windows Installer only. It doesn't prevent users from using other methods to install and upgrade programs. - - - - - -ADMX Info: -- GP Friendly name: *Turn off Windows Installer* -- GP name: *DisableMSI* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* - - - - -
    - - -**ADMX_MSI/DisableMedia** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting prevents users from installing any programs from removable media. -If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature can't be found. +- If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature cannot be found. This policy setting applies even when the installation is running in the user's security context. -If you disable or don't configure this policy setting, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. +- If you disable or do not configure this policy setting, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. Also, see the "Enable user to use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent removable media source for any installation* -- GP name: *DisableMedia* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MSI/DisablePatch** +| Name | Value | +|:--|:--| +| Name | DisableMedia | +| Friendly Name | Prevent removable media source for any installation | +| Location | User Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisableMedia | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableMSI - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableMSI +``` + -
    + + +This policy setting restricts the use of Windows Installer. - - +- If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting. + +- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured. + +- The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family when the policy is not configured. + +- The "Always" option indicates that Windows Installer is disabled. + +This policy setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableMSI | +| Friendly Name | Turn off Windows Installer | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + + + + + + + + + +## DisablePatch + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisablePatch +``` + + + + This policy setting prevents users from using Windows Installer to install patches. -If you enable this policy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use. +- If you enable this policy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use. > [!NOTE] > This policy setting applies only to installations that run in the user's security context. -If you disable or don't configure this policy setting, by default, users who aren't system administrators can't apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove Programs. +- If you disable or do not configure this policy setting, by default, users who are not system administrators cannot apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove Programs. Also, see the "Enable user to patch elevated products" policy setting. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent users from using Windows Installer to install updates and upgrades* -- GP name: *DisablePatch* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MSI/DisableRollback_1** +| Name | Value | +|:--|:--| +| Name | DisablePatch | +| Friendly Name | Prevent users from using Windows Installer to install updates and upgrades | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisablePatch | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableRollback_1 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableRollback_1 +``` + -
    - - - + + This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. -If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete. +- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. -This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential. +This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential. -This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it's considered to be enabled, even if it's explicitly disabled in the other folder. 
- +This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. + + + + - -ADMX Info: -- GP Friendly name: *Prohibit rollback* -- GP name: *DisableRollback_1* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MSI/DisableRollback_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableRollback_1 | +| Friendly Name | Prohibit rollback | +| Location | User Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisableRollback | +| ADMX File Name | MSI.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableRollback_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableRollback_2 +``` + - - + + This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. -If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete. +- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. -This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential. +This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential. -This policy setting appears in the Computer Configuration and User Configuration folders. 
If the policy setting is enabled in either folder, it's considered to be enabled, even if it's explicitly disabled in the other folder. +This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit rollback* -- GP name: *DisableRollback_2* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MSI/DisableSharedComponent** +| Name | Value | +|:--|:--| +| Name | DisableRollback_2 | +| Friendly Name | Prohibit rollback | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisableRollback | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableSharedComponent - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableSharedComponent +``` + -
    - - - + + This policy setting controls the ability to turn off shared components. -If you enable this policy setting, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component Table. +- If you enable this policy setting, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component Table. -If you disable or don't configure this policy setting, by default, the shared component functionality is allowed. +- If you disable or do not configure this policy setting, by default, the shared component functionality is allowed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off shared components* -- GP name: *DisableSharedComponent* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MSI/MSILogging** +| Name | Value | +|:--|:--| +| Name | DisableSharedComponent | +| Friendly Name | Turn off shared components | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisableSharedComponent | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MSI_DisableLUAPatching - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_DisableLUAPatching +``` + -
    + + +This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. - - +Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users. + +- If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based applications. + +- If you disable or do not configure this policy setting, users without administrative privileges can install non-administrator updates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MSI_DisableLUAPatching | +| Friendly Name | Prohibit non-administrators from applying vendor signed updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisableLUAPatching | +| ADMX File Name | MSI.admx | + + + + + + + + + +## MSI_DisablePatchUninstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_DisablePatchUninstall +``` + + + + +This policy setting controls the ability for users or administrators to remove Windows Installer based updates. + +This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed cannot be removed by users or administrators. + +- If you enable this policy setting, updates cannot be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product. + +- If you disable or do not configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context." + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MSI_DisablePatchUninstall | +| Friendly Name | Prohibit removal of updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisablePatchUninstall | +| ADMX File Name | MSI.admx | + + + + + + + + + +## MSI_DisableSRCheckPoints + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_DisableSRCheckPoints +``` + + + + +This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. + +- If you enable this policy setting, the Windows Installer does not generate System Restore checkpoints when installing applications. + +- If you disable or do not configure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MSI_DisableSRCheckPoints | +| Friendly Name | Turn off creation of System Restore checkpoints | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | LimitSystemRestoreCheckpointing | +| ADMX File Name | MSI.admx | + + + + + + + + + +## MSI_DisableUserInstalls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_DisableUserInstalls +``` + + + + +This policy setting allows you to configure user installs. To configure this policy setting, set it to enabled and use the drop-down list to select the behavior you want. + +- If you do not configure this policy setting, or if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product. + +- If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MSI_DisableUserInstalls | +| Friendly Name | Prohibit User Installs | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + + + + + + + + + +## MSI_EnforceUpgradeComponentRules + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_EnforceUpgradeComponentRules +``` + + + + +This policy setting causes the Windows Installer to enforce strict rules for component upgrades. + +- If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following: + +(1) Remove a component from a feature. +This can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed and the component as identified by the new GUID appears as a new component. + +(2) Add a new feature to the top or middle of an existing feature tree. +The new feature must be added as a new leaf feature to an existing feature tree. + +- If you disable or do not configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MSI_EnforceUpgradeComponentRules | +| Friendly Name | Enforce upgrade component rules | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | EnforceUpgradeComponentRules | +| ADMX File Name | MSI.admx | + + + + + + + + + +## MSI_MaxPatchCacheSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_MaxPatchCacheSize +``` + + + + +This policy controls the percentage of disk space available to the Windows Installer baseline file cache. + +The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when new updates are applied. + +- If you enable this policy setting you can modify the maximum size of the Windows Installer baseline file cache. + +If you set the baseline cache size to 0, the Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be deleted when the product is removed. + +If you set the baseline cache to 100, the Windows Installer will use available free space for the baseline file cache. + +- If you disable or do not configure this policy setting, the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MSI_MaxPatchCacheSize | +| Friendly Name | Control maximum size of baseline file cache | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + + + + + + + + + +## MsiDisableEmbeddedUI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MsiDisableEmbeddedUI +``` + + + + +This policy setting controls the ability to prevent embedded UI. + +- If you enable this policy setting, no packages on the system can run embedded UI. + +- If you disable or do not configure this policy setting, embedded UI is allowed to run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MsiDisableEmbeddedUI | +| Friendly Name | Prevent embedded UI | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | MsiDisableEmbeddedUI | +| ADMX File Name | MSI.admx | + + + + + + + + + +## MSILogging + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSILogging +``` + + + + Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume. When you enable this policy setting, you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded, type the letter representing the event type. You can type the letters in any order and list as many or as few event types as you want. To disable logging, delete all of the letters from the box. -If you disable or don't configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap." - - - - - -ADMX Info: -- GP Friendly name: *Specify the types of events Windows Installer records in its transaction log* -- GP name: *MSILogging* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* - - - - -
    - - - -**ADMX_MSI/MSI_DisableLUAPatching** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. - -Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users. - -If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based applications. - -If you disable or don't configure this policy setting, users without administrative privileges can install non-administrator updates. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit non-administrators from applying vendor signed updates* -- GP name: *MSI_DisableLUAPatching* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* - - - - -
    - - - -**ADMX_MSI/MSI_DisablePatchUninstall** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the ability for users or administrators to remove Windows Installer based updates. - -This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed can't be removed by users or administrators. - -If you enable this policy setting, updates can't be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product. - -If you disable or don't configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This grant of privileges can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context." - - - - - -ADMX Info: -- GP Friendly name: *Prohibit removal of updates* -- GP name: *MSI_DisablePatchUninstall* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* - - - - -
    - - - -**ADMX_MSI/MSI_DisableSRCheckPoints** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users - when a problem occurs - to restore their computers to a previous state without losing personal data files. - -If you enable this policy setting, the Windows Installer doesn't generate System Restore checkpoints when installing applications. - -If you disable or don't configure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application. - - - - - -ADMX Info: -- GP Friendly name: *Turn off creation of System Restore checkpoints* -- GP name: *MSI_DisableSRCheckPoints* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* - - - - -
    - - - -**ADMX_MSI/MSI_DisableUserInstalls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure user installs. To configure this policy setting, set it to enabled and use the drop-down list to select the behavior you want. - -If you don't configure this policy setting, or if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, the per-computer installation of that same product is hidden. - -If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This behavior of the installer causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit User Installs* -- GP name: *MSI_DisableUserInstalls* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* - - - - -
    - - - -**ADMX_MSI/MSI_EnforceUpgradeComponentRules** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting causes the Windows Installer to enforce strict rules for component upgrades. - -If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer, which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following steps: - -(1) Remove a component from a feature. -This removal can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed and the component as identified by the new GUID appears as a new component. - -(2) Add a new feature to the top or middle of an existing feature tree. -The new feature must be added as a new leaf feature to an existing feature tree. - -If you disable or don't configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades. - - - - - -ADMX Info: -- GP Friendly name: *Enforce upgrade component rules* -- GP name: *MSI_EnforceUpgradeComponentRules* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* - - - - -
    - - -**ADMX_MSI/MSI_MaxPatchCacheSize** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the percentage of disk space available to the Windows Installer baseline file cache. - -The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when new updates are applied. - -If you enable this policy setting, you can modify the maximum size of the Windows Installer baseline file cache. - -If you set the baseline cache size to 0, the Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be deleted when the product is removed. - -If you set the baseline cache to 100, the Windows Installer will use available free space for the baseline file cache. - -If you disable or don't configure this policy setting, the Windows Installer will use a default value of 10 percent for the baseline file cache maximum size. - - - - - -ADMX Info: -- GP Friendly name: *Control maximum size of baseline file cache* -- GP name: *MSI_MaxPatchCacheSize* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* - - - - -
    - - -**ADMX_MSI/MsiDisableEmbeddedUI** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the ability to prevent embedded UI. - -If you enable this policy setting, no packages on the system can run embedded UI. - -If you disable or don't configure this policy setting, embedded UI is allowed to run. - - - - - -ADMX Info: -- GP Friendly name: *Prevent embedded UI* -- GP name: *MsiDisableEmbeddedUI* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* - - - - -
    - - -**ADMX_MSI/SafeForScripting** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +- If you disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap." + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MSILogging | +| Friendly Name | Specify the types of events Windows Installer records in its transaction log | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + + + + + + + + + +## SafeForScripting + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/SafeForScripting +``` + + + + This policy setting allows Web-based programs to install software on the computer without notifying the user. -If you disable or don't configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. +- If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. -If you enable this policy setting, the warning is suppressed and allows the installation to proceed. +- If you enable this policy setting, the warning is suppressed and allows the installation to proceed. This policy setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However, because this policy setting can pose a security risk, it should be applied cautiously. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent Internet Explorer security prompt for Windows Installer scripts* -- GP name: *SafeForScripting* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MSI/SearchOrder** +| Name | Value | +|:--|:--| +| Name | SafeForScripting | +| Friendly Name | Prevent Internet Explorer security prompt for Windows Installer scripts | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | SafeForScripting | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## SearchOrder - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MSI/SearchOrder +``` + -
    - - - + + This policy setting specifies the order in which Windows Installer searches for installation files. -If you disable or don't configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL). +- If you disable or do not configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL). -If you enable this policy setting, you can change the search order by specifying the letters representing each file source in the order that you want Windows Installer to search: +- If you enable this policy setting, you can change the search order by specifying the letters representing each file source in the order that you want Windows Installer to search: -- "n" represents the network -- "m" represents media -- "u" represents URL, or the Internet +- "n" represents the network; + +- "m" represents media; + +- "u" represents URL, or the Internet. To exclude a file source, omit or delete the letter representing that source type. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify the order in which Windows Installer searches for installation files* -- GP name: *SearchOrder* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_MSI/TransformsSecure** +| Name | Value | +|:--|:--| +| Name | SearchOrder | +| Friendly Name | Specify the order in which Windows Installer searches for installation files | +| Location | User Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TransformsSecure - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/TransformsSecure +``` + -
    - - - + + This policy setting saves copies of transform files in a secure location on the local computer. Transform files consist of instructions to modify or customize a program during installation. -If you enable this policy setting, the transform file is saved in a secure location on the user's computer. +- If you enable this policy setting, the transform file is saved in a secure location on the user's computer. -If you don't configure this policy setting on Windows Server 2003, Windows Installer requires the transform file in order to repeat an installation in which the transform file was used, therefore, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation. +- If you do not configure this policy setting on Windows Server 2003, Windows Installer requires the transform file in order to repeat an installation in which the transform file was used, therefore, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation. This policy setting is designed for enterprises to prevent unauthorized or malicious editing of transform files. -If you disable this policy setting, Windows Installer stores transform files in the Application Data directory in the user's profile. +- If you disable this policy setting, Windows Installer stores transform files in the Application Data directory in the user's profile. - +- If you do not configure this policy setting on Windows 2000 Professional, Windows XP Professional and Windows Vista, when a user reinstalls, removes, or repairs an installation, the transform file is available, even if the user is on a different computer or is not connected to the network. 
+ + + + - -ADMX Info: -- GP Friendly name: *Save copies of transform files in a secure location on workstation* -- GP name: *TransformsSecure* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | TransformsSecure | +| Friendly Name | Save copies of transform files in a secure location on workstation | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | TransformsSecure | +| ADMX File Name | MSI.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md index 12ddc63f8c..6875c3fba2 100644 --- a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md 
@@ -1,102 +1,109 @@ --- -title: Policy CSP - ADMX_MsiFileRecovery -description: Learn about Policy CSP - ADMX_MsiFileRecovery. +title: ADMX_MsiFileRecovery Policy CSP +description: Learn more about the ADMX_MsiFileRecovery Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/20/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MsiFileRecovery > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MsiFileRecovery policies + +## WdiScenarioExecutionPolicy -
    -
    - ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy +``` + - -**ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to configure the recovery behavior for corrupted MSI files to one of three states: -- Prompt for Resolution: Detection, troubleshooting, and recovery of corrupted MSI applications will be turned on. Windows will prompt the user with a dialog-box when application reinstallation is required. -This behavior is the default recovery behavior on Windows client. +Prompt for Resolution: Detection, troubleshooting, and recovery of corrupted MSI applications will be turned on. Windows will prompt the user with a dialog box when application reinstallation is required. This is the default recovery behavior on Windows client. -- Silent: Detection, troubleshooting, and notification of MSI application to reinstall will occur with no UI. Windows will log an event when corruption is determined and will suggest the application that should be reinstalled. This behavior is recommended for headless operation and is the default recovery behavior on Windows server. +Silent: Detection, troubleshooting, and notification of MSI application to reinstall will occur with no UI. Windows will log an event when corruption is determined and will suggest the application that should be re-installed. This behavior is recommended for headless operation and is the default recovery behavior on Windows server. -- Troubleshooting Only: Detection and verification of file corruption will be performed without UI. -Recovery isn't attempted. +Troubleshooting Only: Detection and verification of file corruption will be performed without UI. Recovery is not attempted. - If you enable this policy setting, the recovery behavior for corrupted files is set to either the Prompt For Resolution (default on Windows client), Silent (default on Windows server), or Troubleshooting Only. - If you disable this policy setting, the troubleshooting and recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted. 
-If you don't configure this policy setting, the recovery behavior for corrupted files will be set to the default recovery behavior. No system or service restarts are required for changes to this policy setting to take immediate effect after a Group Policy refresh. +- If you do not configure this policy setting, the recovery behavior for corrupted files will be set to the default recovery behavior. + +No system or service restarts are required for changes to this policy setting to take immediate effect after a Group Policy refresh. > [!NOTE] > This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure MSI Corrupted File Recovery behavior* -- GP name: *WdiScenarioExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\MSI Corrupted File Recovery* -- GP ADMX file name: *MsiFileRecovery.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Configure MSI Corrupted File Recovery behavior | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > MSI Corrupted File Recovery | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{54077489-683b-4762-86c8-02cf87a33423} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | Msi-FileRecovery.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md index a22c707db1..6b4d108e89 100644 --- a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md +++ b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md @@ -1,10 +1,10 @@ --- title: ADMX_MSS-legacy Policy CSP -description: Learn more about the ADMX_MSS-legacy Area in Policy CSP +description: Learn more about the ADMX_MSS-legacy Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_MSS-legacy > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -43,7 +41,7 @@ ms.topic: reference - + @@ -61,7 +59,16 @@ Enable Automatic Logon (not recommended). - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_AutoAdminLogon | +| ADMX File Name | MSS-legacy.admx | @@ -86,7 +93,7 @@ Enable Automatic Logon (not recommended). - + @@ -104,7 +111,16 @@ Allow Windows to automatically restart after a system crash (recommended except - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_AutoReboot | +| ADMX File Name | MSS-legacy.admx | 
@@ -129,7 +145,7 @@ Allow Windows to automatically restart after a system crash (recommended except - + @@ -147,7 +163,16 @@ Enable administrative shares on servers (recommended except for highly secure en - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_AutoShareServer | +| ADMX File Name | MSS-legacy.admx | @@ -172,7 +197,7 @@ Enable administrative shares on servers (recommended except for highly secure en - + @@ -190,7 +215,16 @@ Enable administrative shares on workstations (recommended except for highly secu - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_AutoShareWks | +| ADMX File Name | MSS-legacy.admx | @@ -215,7 +249,7 @@ Enable administrative shares on workstations (recommended except for highly secu - + @@ -232,7 +266,16 @@ Enable administrative shares on workstations (recommended except for highly secu - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_DisableSavePassword | +| ADMX File Name | MSS-legacy.admx | @@ -258,7 +301,7 @@ Prevent the dial-up password from being saved (recommended). - + 
@@ -276,7 +319,16 @@ Allow automatic detection of dead network gateways (could lead to DoS). - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_EnableDeadGWDetect | +| ADMX File Name | MSS-legacy.admx | @@ -301,7 +353,7 @@ Allow automatic detection of dead network gateways (could lead to DoS). - + @@ -319,7 +371,16 @@ Hide Computer From the Browse List (not recommended except for highly secure env - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_HideFromBrowseList | +| ADMX File Name | MSS-legacy.admx | @@ -344,7 +405,7 @@ Hide Computer From the Browse List (not recommended except for highly secure env - + @@ -362,7 +423,16 @@ Define how often keep-alive packets are sent in milliseconds. - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_KeepAliveTime | +| ADMX File Name | MSS-legacy.admx | @@ -387,7 +457,7 @@ Define how often keep-alive packets are sent in milliseconds. - + 
@@ -405,7 +475,16 @@ Configure IPSec exemptions for various types of network traffic. - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_NoDefaultExempt | +| ADMX File Name | MSS-legacy.admx | @@ -430,7 +509,7 @@ Configure IPSec exemptions for various types of network traffic. - + @@ -448,7 +527,16 @@ Enable the computer to stop generating 8.3 style filenames. - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_NtfsDisable8dot3NameCreation | +| ADMX File Name | MSS-legacy.admx | @@ -473,7 +561,7 @@ Enable the computer to stop generating 8.3 style filenames. - + @@ -491,7 +579,16 @@ Enable the computer to stop generating 8.3 style filenames. - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_PerformRouterDiscovery | +| ADMX File Name | MSS-legacy.admx | @@ -516,7 +613,7 @@ Enable the computer to stop generating 8.3 style filenames. - + @@ -534,7 +631,16 @@ Enable Safe DLL search mode (recommended). - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_SafeDllSearchMode | +| ADMX File Name | MSS-legacy.admx | 
@@ -559,7 +665,7 @@ Enable Safe DLL search mode (recommended). - + @@ -577,7 +683,16 @@ he time in seconds before the screen saver grace period expires (0 recommended). - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_ScreenSaverGracePeriod | +| ADMX File Name | MSS-legacy.admx | @@ -602,7 +717,7 @@ he time in seconds before the screen saver grace period expires (0 recommended). - + @@ -620,7 +735,16 @@ Syn attack protection level (protects against DoS). - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_SynAttackProtect | +| ADMX File Name | MSS-legacy.admx | @@ -645,7 +769,7 @@ Syn attack protection level (protects against DoS). - + @@ -663,7 +787,16 @@ SYN-ACK retransmissions when a connection request is not acknowledged. - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_TcpMaxConnectResponseRetransmissions | +| ADMX File Name | MSS-legacy.admx | @@ -688,7 +821,7 @@ SYN-ACK retransmissions when a connection request is not acknowledged. - + 
@@ -706,7 +839,16 @@ Define how many times unacknowledged data is retransmitted (3 recommended, 5 is - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_TcpMaxDataRetransmissions | +| ADMX File Name | MSS-legacy.admx | @@ -731,7 +873,7 @@ Define how many times unacknowledged data is retransmitted (3 recommended, 5 is - + @@ -749,7 +891,16 @@ Define how many times unacknowledged data is retransmitted (3 recommended, 5 is - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_TcpMaxDataRetransmissionsIPv6 | +| ADMX File Name | MSS-legacy.admx | @@ -774,7 +925,7 @@ Define how many times unacknowledged data is retransmitted (3 recommended, 5 is - + @@ -792,7 +943,16 @@ Percentage threshold for the security event log at which the system will generat - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_WarningLevel | +| ADMX File Name | MSS-legacy.admx | diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index a2a46c2c76..3177e932ac 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md 
@@ -1,446 +1,524 @@ --- -title: Policy CSP - ADMX_nca -description: Policy CSP - ADMX_nca +title: ADMX_nca Policy CSP +description: Learn more about the ADMX_nca Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/14/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_nca ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_nca policies + +## CorporateResources -
    -
    - ADMX_nca/CorporateResources -
    -
    - ADMX_nca/CustomCommands -
    -
    - ADMX_nca/DTEs -
    -
    - ADMX_nca/FriendlyName -
    -
    - ADMX_nca/LocalNamesOn -
    -
    - ADMX_nca/PassiveMode -
    -
    - ADMX_nca/ShowUI -
    -
    - ADMX_nca/SupportEmail -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/CorporateResources +``` + -
    - - -**ADMX_nca/CorporateResources** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. + + +Specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. Each string can be one of the following types: -- A DNS name or IPv6 address that NCA pings. The syntax is “PING:” followed by a fully qualified domain name (FQDN) that resolves to an IPv6 address, or an IPv6 address. Examples: PING:myserver.corp.contoso.com or PING:2002:836b:1::1. +- A DNS name or IPv6 address that NCA pings. The syntax is "PING:" followed by a fully qualified domain name (FQDN) that resolves to an IPv6 address, or an IPv6 address. Examples: PING:myserver.corp.contoso.com or PING:2002:836b:1::1. -> [!NOTE] -> We recommend that you use FQDNs instead of IPv6 addresses wherever possible. +**Note** -> [!IMPORTANT] -> At least one of the entries must be a PING: resource. -> - A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page don't matter. The syntax is “HTTP:” followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:http://myserver.corp.contoso.com/ or HTTP:http://2002:836b:1::1/. -> - A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file don't matter. The syntax is “FILE:” followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt. +We recommend that you use FQDNs instead of IPv6 addresses wherever possible. + +**Important** + +At least one of the entries must be a PING: resource. 
+ +- A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page do not matter. The syntax is "HTTP:" followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP: or HTTP:https://2002:836b:1::1/. + +- A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file do not matter. The syntax is "FILE:" followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt. You must configure this setting to have complete NCA functionality. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Corporate Resources* -- GP name: *CorporateResources* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_nca/CustomCommands** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CorporateResources | +| Friendly Name | Corporate Resources | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant | +| ADMX File Name | nca.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CustomCommands -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/CustomCommands +``` + - - -This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. + + +Specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Custom Commands* -- GP name: *CustomCommands* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_nca/DTEs** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CustomCommands | +| Friendly Name | Custom Commands | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\CustomCommands | +| ADMX File Name | nca.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DTEs -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/DTEs +``` + - - -This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. + + +Specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. By default, NCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two IPsec tunnel endpoints: one for the infrastructure tunnel and one for the intranet tunnel. You should configure one endpoint for each tunnel. Each entry consists of the text PING: followed by the IPv6 address of an IPsec tunnel endpoint. Example: PING:2002:836b:1::836b:1. You must configure this setting to have complete NCA functionality. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *IPsec Tunnel Endpoints* -- GP name: *DTEs* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_nca/FriendlyName** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DTEs | +| Friendly Name | IPsec Tunnel Endpoints | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\DTEs | +| ADMX File Name | nca.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## FriendlyName -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/FriendlyName +``` + - - -This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. + + +Specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify "Contoso Intranet Access" for the DirectAccess clients of the Contoso Corporation. -If this setting isn't configured, the string that appears for DirectAccess connectivity is “Corporate Connection”. +If this setting is not configured, the string that appears for DirectAccess connectivity is "Corporate Connection". + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Friendly Name* -- GP name: *FriendlyName* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_nca/LocalNamesOn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | FriendlyName | +| Friendly Name | Friendly Name | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant | +| ADMX File Name | nca.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalNamesOn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/LocalNamesOn +``` + - - -This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. + + +Specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. -If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. NCA doesn't remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names. +If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. **Note** that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names. -The ability to disconnect allows users to specify single-label, unqualified names (such as “PRINTSVR”) for local resources when connected to a different intranet and for temporary access to intranet resources when network location detection hasn't correctly determined that the DirectAccess client computer is connected to its own intranet. 
+The ability to disconnect allows users to specify single-label, unqualified names (such as "PRINTSVR") for local resources when connected to a different intranet and for temporary access to intranet resources when network location detection has not correctly determined that the DirectAccess client computer is connected to its own intranet. To restore the DirectAccess rules to the NRPT and resume normal DirectAccess functionality, the user clicks Connect. -> [!NOTE] -> If the DirectAccess client computer is on the intranet and has correctly determined its network location, the Disconnect option has no effect because the rules for DirectAccess are already removed from the NRPT. +**Note** +If the DirectAccess client computer is on the intranet and has correctly determined its network location, the Disconnect option has no effect because the rules for DirectAccess are already removed from the NRPT. -If this setting isn't configured, users don't have Connect or Disconnect options. +If this setting is not configured, users do not have Connect or Disconnect options. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prefer Local Names Allowed* -- GP name: *LocalNamesOn* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_nca/PassiveMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | LocalNamesOn | +| Friendly Name | Prefer Local Names Allowed | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant | +| Registry Value Name | NamePreferenceAllowed | +| ADMX File Name | nca.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PassiveMode -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/PassiveMode +``` + - - -This policy setting specifies whether NCA service runs in Passive Mode or not. + + +Specifies whether NCA service runs in Passive Mode or not. -Set this policy setting to Disabled to keep NCA probing actively all the time. If this setting isn't configured, NCA probing is in active mode by default. - +Set this to Disabled to keep NCA probing actively all the time. If this setting is not configured, NCA probing is in active mode by default. + + + + - -ADMX Info: -- GP Friendly name: *DirectAccess Passive Mode* -- GP name: *PassiveMode* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_nca/ShowUI** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PassiveMode | +| Friendly Name | DirectAccess Passive Mode | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant | +| Registry Value Name | PassiveMode | +| ADMX File Name | nca.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## ShowUI -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/ShowUI +``` + -Set this policy setting to Disabled to prevent user confusion when you're just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access. + + +Specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. -If this setting isn't configured, the entry for DirectAccess connectivity appears. +Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access. - +If this setting is not configured, the entry for DirectAccess connectivity appears. + + + + - -ADMX Info: -- GP Friendly name: *User Interface* -- GP name: *ShowUI* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_nca/SupportEmail** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ShowUI | +| Friendly Name | User Interface | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant | +| Registry Value Name | ShowUI | +| ADMX File Name | nca.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## SupportEmail -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/SupportEmail +``` + + + + +Specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files as a .html file. The user can review the message and add additional information before sending the message. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Support Email Address* -- GP name: *SupportEmail* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | SupportEmail | +| Friendly Name | Support Email Address | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant | +| ADMX File Name | nca.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md
index 852728fcd1..66333d0c19 100644
--- a/windows/client-management/mdm/policy-csp-admx-ncsi.md
+++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md
@@ -1,364 +1,422 @@ --- -title: Policy CSP - ADMX_NCSI -description: Learn about Policy CSP - ADMX_NCSI. +title: ADMX_NCSI Policy CSP +description: Learn more about the ADMX_NCSI Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/14/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_NCSI ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_NCSI policies + +## NCSI_CorpDnsProbeContent -
    -
    - ADMX_NCSI/NCSI_CorpDnsProbeContent -
    -
    - ADMX_NCSI/NCSI_CorpDnsProbeHost -
    -
    - ADMX_NCSI/NCSI_CorpSitePrefixes -
    -
    - ADMX_NCSI/NCSI_CorpWebProbeUrl -
    -
    - ADMX_NCSI/NCSI_DomainLocationDeterminationUrl -
    -
    - ADMX_NCSI/NCSI_GlobalDns -
    -
    - ADMX_NCSI/NCSI_PassivePolling -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_CorpDnsProbeContent +``` + -
    - - -**ADMX_NCSI/NCSI_CorpDnsProbeContent** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity. + - + + + - -ADMX Info: -- GP Friendly name: *Specify corporate DNS probe host address* -- GP name: *NCSI_CorpDnsProbeContent* -- GP path: *Network\Network Connectivity Status Indicator* -- GP ADMX file name: *NCSI.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_NCSI/NCSI_CorpDnsProbeHost** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NCSI_CorpDnsProbeContent | +| Friendly Name | Specify corporate DNS probe host address | +| Location | Computer Configuration | +| Path | Network > Network Connectivity Status Indicator | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity | +| ADMX File Name | NCSI.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## NCSI_CorpDnsProbeHost -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_CorpDnsProbeHost +``` + + + + This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify corporate DNS probe host name* -- GP name: *NCSI_CorpDnsProbeHost* -- GP path: *Network\Network Connectivity Status Indicator* -- GP ADMX file name: *NCSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NCSI/NCSI_CorpSitePrefixes** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NCSI_CorpDnsProbeHost | +| Friendly Name | Specify corporate DNS probe host name | +| Location | Computer Configuration | +| Path | Network > Network Connectivity Status Indicator | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity | +| ADMX File Name | NCSI.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NCSI_CorpSitePrefixes -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_CorpSitePrefixes +``` + - - -This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of the prefixes indicates corporate connectivity. + + +This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify corporate site prefix list* -- GP name: *NCSI_CorpSitePrefixes* -- GP path: *Network\Network Connectivity Status Indicator* -- GP ADMX file name: *NCSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NCSI/NCSI_CorpWebProbeUrl** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NCSI_CorpSitePrefixes | +| Friendly Name | Specify corporate site prefix list | +| Location | Computer Configuration | +| Path | Network > Network Connectivity Status Indicator | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity | +| ADMX File Name | NCSI.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NCSI_CorpWebProbeUrl -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_CorpWebProbeUrl +``` + - - + + This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify corporate Website probe URL* -- GP name: *NCSI_CorpWebProbeUrl* -- GP path: *Network\Network Connectivity Status Indicator* -- GP ADMX file name: *NCSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -**ADMX_NCSI/NCSI_DomainLocationDeterminationUrl** +| Name | Value | +|:--|:--| +| Name | NCSI_CorpWebProbeUrl | +| Friendly Name | Specify corporate Website probe URL | +| Location | Computer Configuration | +| Path | Network > Network Connectivity Status Indicator | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity | +| ADMX File Name | NCSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## NCSI_DomainLocationDeterminationUrl - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_DomainLocationDeterminationUrl +``` + -
    + + +This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. + - - -This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (that is, whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify domain location determination URL* -- GP name: *NCSI_DomainLocationDeterminationUrl* -- GP path: *Network\Network Connectivity Status Indicator* -- GP ADMX file name: *NCSI.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_NCSI/NCSI_GlobalDns** +| Name | Value | +|:--|:--| +| Name | NCSI_DomainLocationDeterminationUrl | +| Friendly Name | Specify domain location determination URL | +| Location | Computer Configuration | +| Path | Network > Network Connectivity Status Indicator | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity | +| ADMX File Name | NCSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## NCSI_GlobalDns - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_GlobalDns +``` + -
    + + +This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. +- If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. + - - -This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it's currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify global DNS* -- GP name: *NCSI_GlobalDns* -- GP path: *Network\Network Connectivity Status Indicator* -- GP ADMX file name: *NCSI.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_NCSI/NCSI_PassivePolling** +| Name | Value | +|:--|:--| +| Name | NCSI_GlobalDns | +| Friendly Name | Specify global DNS | +| Location | Computer Configuration | +| Path | Network > Network Connectivity Status Indicator | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator | +| ADMX File Name | NCSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## NCSI_PassivePolling - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_PassivePolling +``` + -
    + + +This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. + - - -This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify passive polling* -- GP name: *NCSI_PassivePolling* -- GP path: *Network\Network Connectivity Status Indicator* -- GP ADMX file name: *NCSI.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | NCSI_PassivePolling | +| Friendly Name | Specify passive polling | +| Location | Computer Configuration | +| Path | Network > Network Connectivity Status Indicator | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator | +| ADMX File Name | NCSI.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index 22d8f1fe5a..9656e0aa10 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md 
@@ -1,984 +1,1015 @@ --- -title: Policy CSP - ADMX_Netlogon -description: Learn about Policy CSP - ADMX_Netlogon. +title: ADMX_Netlogon Policy CSP +description: Learn more about the ADMX_Netlogon Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/15/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Netlogon ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Netlogon policies + +## Netlogon_AddressLookupOnPingBehavior -
    -
    - ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior -
    -
    - ADMX_Netlogon/Netlogon_AddressTypeReturned -
    -
    - ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch -
    -
    - ADMX_Netlogon/Netlogon_AllowNT4Crypto -
    -
    - ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain -
    -
    - ADMX_Netlogon/Netlogon_AutoSiteCoverage -
    -
    - ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery -
    -
    - ADMX_Netlogon/Netlogon_AvoidPdcOnWan -
    -
    - ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod -
    -
    - ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod -
    -
    - ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime -
    -
    - ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod -
    -
    - ADMX_Netlogon/Netlogon_DebugFlag -
    -
    - ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords -
    -
    - ADMX_Netlogon/Netlogon_DnsRefreshInterval -
    -
    - ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames -
    -
    - ADMX_Netlogon/Netlogon_DnsTtl -
    -
    - ADMX_Netlogon/Netlogon_ExpectedDialupDelay -
    -
    - ADMX_Netlogon/Netlogon_ForceRediscoveryInterval -
    -
    - ADMX_Netlogon/Netlogon_GcSiteCoverage -
    -
    - ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages -
    -
    - ADMX_Netlogon/Netlogon_LdapSrvPriority -
    -
    - ADMX_Netlogon/Netlogon_LdapSrvWeight -
    -
    - ADMX_Netlogon/Netlogon_MaximumLogFileSize -
    -
    - ADMX_Netlogon/Netlogon_NdncSiteCoverage -
    -
    - ADMX_Netlogon/Netlogon_NegativeCachePeriod -
    -
    - ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode -
    -
    - ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod -
    -
    - ADMX_Netlogon/Netlogon_PingUrgencyMode -
    -
    - ADMX_Netlogon/Netlogon_ScavengeInterval -
    -
    - ADMX_Netlogon/Netlogon_SiteCoverage -
    -
    - ADMX_Netlogon/Netlogon_SiteName -
    -
    - ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode -
    -
    - ADMX_Netlogon/Netlogon_TryNextClosestSite -
    -
    - ADMX_Netlogon/Netlogon_UseDynamicDns -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior +``` + -
    + + +This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. - -**ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address doesn't map to any configured site. - -Domain controllers use the client IP address during a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses that may then be used to compute a matching site for the client. +Domain controllers use the client IP address during a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses which may then be used to compute a matching site for the client. The allowable values for this setting result in the following behaviors: -- 0 - DCs will never perform address lookups. -- 1 - DCs will perform an exhaustive address lookup to discover more client IP addresses. -- 2 - DCs will perform a fast, DNS-only address lookup to discover more client IP addresses. +0 - DCs will never perform address lookups. +1 - DCs will perform an exhaustive address lookup to discover additional client IP addresses. +2 - DCs will perform a fast, DNS-only address lookup to discover additional client IP addresses. To specify this behavior in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 2. -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify address lookup behavior for DC locator ping* -- GP name: *Netlogon_AddressLookupOnPingBehavior* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Netlogon/Netlogon_AddressTypeReturned** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Netlogon_AddressLookupOnPingBehavior | +| Friendly Name | Specify address lookup behavior for DC locator ping | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Netlogon_AddressTypeReturned -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AddressTypeReturned +``` + - - -This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. + + +This policy setting detremines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. By default, DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are broken due to the returned IPv6 DC address, this policy can be used to disable the default behavior and enforce to return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the default behavior. -If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This behavior is the default behavior of the DC Locator. +- If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. + +- If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC address if any. So if the domain controller supports both IPv4 and IPv6 addresses, DC Locator APIs will return IPv4 address. But if the domain controller supports only IPv6 address, then DC Locator APIs will fail. 
+ +- If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. + -If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC address if any. So if the domain controller supports both IPv4 and IPv6 addresses, DC Locator APIs will return IPv4 address. But if the domain controller supports only IPv6 address, then DC Locator APIs will fail. + + + -If you don't configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This behavior is the default behavior of the DC Locator. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Return domain controller address type* -- GP name: *Netlogon_AddressTypeReturned* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Name | Value | +|:--|:--| +| Name | Netlogon_AddressTypeReturned | +| Friendly Name | Return domain controller address type | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AddressTypeReturned | +| ADMX File Name | Netlogon.admx | + - - -
    + + + -
    + - -**ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch** + +## Netlogon_AllowDnsSuffixSearch - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch +``` + - -
    + + +This policy setting specifies whether the computers to which this setting is applied attemps DNS name resolution of single-lablel domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled. + +By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled. + +- If you enable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name is not used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, in the event that DNS resolution fails. + +- If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers will not attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest. 
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Netlogon_AllowDnsSuffixSearch | +| Friendly Name | Use DNS name resolution when a single-label domain name is used, by appending different registered DNS suffixes, if the AllowSingleLabelDnsDomain setting is not enabled. | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AllowDnsSuffixSearch | +| ADMX File Name | Netlogon.admx | + -
    + + + - - -This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, isn't used if the `AllowSingleLabelDnsDomain` policy setting is enabled. + -By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the `AllowSingleLabelDnsDomain` policy setting is enabled. + +## Netlogon_AllowNT4Crypto + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this policy setting, when the `AllowSingleLabelDnsDomain` policy isn't enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name isn't used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, if DNS resolution fails. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AllowNT4Crypto +``` + -If you disable this policy setting, when the `AllowSingleLabelDnsDomain` policy isn't enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers won't attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest. + + +This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. + +By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller. + +- If you enable this policy setting, Net Logon will allow the negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. 
However, using the older algorithms represents a potential security risk. + +- If you disable this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. + +- If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use DNS name resolution when a single-label domain name is used, by appending different registered DNS suffixes, if the AllowSingleLabelDnsDomain setting is not enabled.* -- GP name: *Netlogon_AllowDnsSuffixSearch* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | Netlogon_AllowNT4Crypto | +| Friendly Name | Allow cryptography algorithms compatible with Windows NT 4.0 | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AllowNT4Crypto | +| ADMX File Name | Netlogon.admx | + -
    + + + - -**ADMX_Netlogon/Netlogon_AllowNT4Crypto** + - + +## Netlogon_AllowSingleLabelDnsDomain -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain +``` + + + + +This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names. + +By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name. + +- If you enable this policy setting, computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name using DNS name resolution. + +- If you disable this policy setting, computers to which this setting is applied will use the AllowDnsSuffixSearch policy, if it is not disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. the computers will not the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined. + +- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier aren't as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Netlogon_AllowSingleLabelDnsDomain | +| Friendly Name | Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AllowSingleLabelDnsDomain | +| ADMX File Name | Netlogon.admx | + + + + + + + + + +## Netlogon_AutoSiteCoverage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AutoSiteCoverage +``` + + + + +This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. + +- If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists. + +- If you disable this policy setting, the DCs will not register site-specific DC Locator DNS SRV records for any other sites but their own. + +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + + + + + -By default, Net Logon won't allow the older cryptography algorithms to be used and won't include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 won't be able to establish a connection to this domain controller. + +**Description framework properties**: -If you enable this policy setting, Net Logon will allow the negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. However, using the older algorithms represents a potential security risk. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: -If you disable this policy setting, Net Logon won't allow the negotiation and use of older cryptography algorithms. - -If you don't configure this policy setting, Net Logon won't allow the negotiation and use of older cryptography algorithms. - - - - - -ADMX Info: -- GP Friendly name: *Allow cryptography algorithms compatible with Windows NT 4.0* -- GP name: *Netlogon_AllowNT4Crypto* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* - - - -
    - -
    - - -**ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain name. - -By default, the behavior specified in the `AllowDnsSuffixSearch` is used. If the `AllowDnsSuffixSearch` policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name. - -If you enable this policy setting, computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name using DNS name resolution. - -If you disable this policy setting, computers to which this setting is applied will use the `AllowDnsSuffixSearch` policy, if it isn't disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. The computers won't use the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined. - -If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration. - - - - - -ADMX Info: -- GP Friendly name: *Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC* -- GP name: *Netlogon_AllowSingleLabelDnsDomain* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* - - - -
    - -
    - - -**ADMX_Netlogon/Netlogon_AutoSiteCoverage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they're used to locate the DC. - -If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists. - -If you disable this policy setting, the DCs won't register site-specific DC Locator DNS SRV records for any other sites but their own. - -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. - - - - - -ADMX Info: -- GP Friendly name: *Use automated site coverage by the DC Locator DNS SRV Records* -- GP name: *Netlogon_AutoSiteCoverage* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* - - - -
    - -
    - - -**ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +| Name | Value | +|:--|:--| +| Name | Netlogon_AutoSiteCoverage | +| Friendly Name | Use automated site coverage by the DC Locator DNS SRV Records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AutoSiteCoverage | +| ADMX File Name | Netlogon.admx | + + + + + + + + + +## Netlogon_AvoidFallbackNetbiosDiscovery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery +``` + + + + This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. -NetBIOS-based discovery uses a WINS server and mailslot messages but doesn't use site information. Hence it doesn't ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery isn't recommended. +NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not recommended. -> [!NOTE] -> This policy setting doesn't affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known. +**Note** that this policy setting does not affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known. -If you disable or don't configure this policy setting, the DC location algorithm doesn't use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This behavior is the default behavior. +- If you enable or do not configure this policy setting, the DC location algorithm does not use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior. 
-If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails. +- If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails* -- GP name: *Netlogon_AvoidFallbackNetbiosDiscovery* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_AvoidPdcOnWan** +| Name | Value | +|:--|:--| +| Name | Netlogon_AvoidFallbackNetbiosDiscovery | +| Friendly Name | Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AvoidFallbackNetbiosDiscovery | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_AvoidPdcOnWan - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AvoidPdcOnWan +``` + -
    - - - + + This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. -Contacting the PDC emulator is useful in case the client’s password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection. +Contacting the PDC emulator is useful in case the client's password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection. -If you enable this policy setting, the DCs to which this policy setting applies will attempt to verify a password with the PDC emulator if the DC fails to validate the password. +- If you enable this policy setting, the DCs to which this policy setting applies will attempt to verify a password with the PDC emulator if the DC fails to validate the password. -If you disable this policy setting, the DCs won't attempt to verify any passwords with the PDC emulator. +- If you disable this policy setting, the DCs will not attempt to verify any passwords with the PDC emulator. -If you don't configure this policy setting, it isn't applied to any DCs. +- If you do not configure this policy setting, it is not applied to any DCs. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Contact PDC on logon failure* -- GP name: *Netlogon_AvoidPdcOnWan* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod** +| Name | Value | +|:--|:--| +| Name | Netlogon_AvoidPdcOnWan | +| Friendly Name | Contact PDC on logon failure | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AvoidPdcOnWan | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_BackgroundRetryInitialPeriod - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod +``` + -
    - - - + + This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC. -The default value for this setting is 10 minutes (10*60). - -The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. +The default value for this setting is 10 minutes (10*60). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. This setting is relevant only to those callers of DsGetDcName that have specified the DS_BACKGROUND_ONLY flag. If the value of this setting is less than the value specified in the NegativeCachePeriod subkey, the value in the NegativeCachePeriod subkey is used. > [!WARNING] -> If the value for this setting is too large, a client won't attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC isn't available, the traffic caused by periodic DC discoveries may be excessive. +> If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use initial DC discovery retry setting for background callers* -- GP name: *Netlogon_BackgroundRetryInitialPeriod* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod** +| Name | Value | +|:--|:--| +| Name | Netlogon_BackgroundRetryInitialPeriod | +| Friendly Name | Use initial DC discovery retry setting for background callers | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_BackgroundRetryMaximumPeriod - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod +``` + -
    - - - -This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. + + +This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. For example, the retry intervals may be set at 10 minutes, then 20 minutes and then 40 minutes, but when the interval reaches the value set in this setting, that value becomes the retry interval for all subsequent retries until the value set in Final DC Discovery Retry Setting is reached. -The default value for this setting is 60 minutes (60*60). - -The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. +The default value for this setting is 60 minutes (60*60). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. If the value for this setting is smaller than the value specified for the Initial DC Discovery Retry Setting, the Initial DC Discovery Retry Setting is used. > [!WARNING] > If the value for this setting is too large, a client may take very long periods to try to find a DC. -If the value for this setting is too small and the DC isn't available, the frequent retries may produce excessive network traffic. +If the value for this setting is too small and the DC is not available, the frequent retries may produce excessive network traffic. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use maximum DC discovery retry interval setting for background callers* -- GP name: *Netlogon_BackgroundRetryMaximumPeriod* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime** +| Name | Value | +|:--|:--| +| Name | Netlogon_BackgroundRetryMaximumPeriod | +| Friendly Name | Use maximum DC discovery retry interval setting for background callers | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_BackgroundRetryQuitTime - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime +``` + -
    - - - + + This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used. The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. > [!WARNING] > If the value for this setting is too small, a client will stop trying to find a DC too soon. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use final DC discovery retry setting for background callers* -- GP name: *Netlogon_BackgroundRetryQuitTime* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod** +| Name | Value | +|:--|:--| +| Name | Netlogon_BackgroundRetryQuitTime | +| Friendly Name | Use final DC discovery retry setting for background callers | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_BackgroundSuccessfulRefreshPeriod - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod +``` + -
    + + +This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). + - - -This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it's applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that isn't treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Use positive periodic DC cache refresh for background callers* -- GP name: *Netlogon_BackgroundSuccessfulRefreshPeriod* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Netlogon_BackgroundSuccessfulRefreshPeriod | +| Friendly Name | Use positive periodic DC cache refresh for background callers | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - -**ADMX_Netlogon/Netlogon_DebugFlag** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## Netlogon_DebugFlag - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_DebugFlag +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies the level of debug output for the Net Logon service. The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged. -If you enable this policy setting and specify a non-zero value, debug information will be logged to the file. Higher values result in more verbose logging; the value of 536936447 is commonly used as an optimal setting. +- If you enable this policy setting and specify a non-zero value, debug information will be logged to the file. Higher values result in more verbose logging; the value of 536936447 is commonly used as an optimal setting. If you specify zero for this policy setting, the default behavior occurs as described above. -If you disable this policy setting or don't configure it, the default behavior occurs as described above. +- If you disable this policy setting or do not configure it, the default behavior occurs as described above. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify log file debug output level* -- GP name: *Netlogon_DebugFlag* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords** +| Name | Value | +|:--|:--| +| Name | Netlogon_DebugFlag | +| Friendly Name | Specify log file debug output level | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_DnsAvoidRegisterRecords - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords +``` + -
    + + + - - + + This policy setting determines which DC Locator DNS records aren't registered by the Net Logon service. -If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that won't be registered by the DCs to which this setting is applied. +- If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that won't be registered by the DCs to which this setting is applied. Select the mnemonics from the following table: -Select the mnemonics from the following table: + | Mnemonic | Type | DNS Record | + |------------------|-------|----------------------------------------------------------------| + | LdapIpAddress | A | `` | + | Ldap | SRV | _ldap._tcp.`` | + | LdapAtSite | SRV | _ldap._tcp.``._sites.`` | + | Pdc | SRV | _ldap._tcp.pdc._msdcs.`` | + | Gc | SRV | _ldap._tcp.gc._msdcs.`` | + | GcAtSite | SRV | _ldap._tcp.``._sites.gc._msdcs.`` | + | DcByGuid | SRV | _ldap._tcp.``.domains._msdcs.`` | + | GcIpAddress | A | gc._msdcs.`` | + | DsaCname | CNAME | ``._msdcs.`` | + | Kdc | SRV | _kerberos._tcp.dc._msdcs.`` | + | KdcAtSite | SRV | _kerberos._tcp.``._sites.dc._msdcs. 
| + | KdcAtSite | SRV | _kerberos._tcp.``._sites.dc._msdcs.`` | + | Dc | SRV | _ldap._tcp.dc._msdcs.`` | + | DcAtSite | SRV | _ldap._tcp.``._sites.dc._msdcs.`` | + | Rfc1510Kdc | SRV | _kerberos._tcp.`` | + | Rfc1510KdcAtSite | SRV | _kerberos._tcp.``._sites.`` | + | GenericGc | SRV | _gc._tcp.`` | + | GenericGcAtSite | SRV | _gc._tcp.``._sites.`` | + | Rfc1510UdpKdc | SRV | _kerberos._udp.`` | + | Rfc1510Kpwd | SRV | _kpasswd._tcp.`` | + | Rfc1510UdpKpwd | SRV | _kpasswd._udp.`` | -|Mnemonic|Type|DNS Record| -|--------|---------|-----------| -|LdapIpAddress|A|``| -|Ldap|SRV|_ldap._tcp.``| -|LdapAtSite|SRV|_ldap._tcp.``._sites.``| -|Pdc|SRV|_ldap._tcp.pdc._msdcs.``| -|Gc|SRV|_ldap._tcp.gc._msdcs.``| -|GcAtSite|SRV|_ldap._tcp.``._sites.gc._msdcs.``| -|DcByGuid|SRV|_ldap._tcp.``.domains._msdcs.``| -|GcIpAddress|A|gc._msdcs.``| -|DsaCname|CNAME|``._msdcs.``| -|Kdc|SRV|_kerberos._tcp.dc._msdcs.``| -|KdcAtSite|SRV|_kerberos._tcp.``._sites.dc._msdcs.| -|KdcAtSite|SRV|_kerberos._tcp.``._sites.dc._msdcs.``| -|Dc|SRV|_ldap._tcp.dc._msdcs.``| -|DcAtSite|SRV|_ldap._tcp.``._sites.dc._msdcs.``| -|Rfc1510Kdc|SRV|_kerberos._tcp.``| -|Rfc1510KdcAtSite|SRV|_kerberos._tcp.``._sites.``| -|GenericGc|SRV|_gc._tcp.``| -|GenericGcAtSite|SRV|_gc._tcp.``._sites.``| -|Rfc1510UdpKdc|SRV|_kerberos._udp.``| -|Rfc1510Kpwd|SRV|_kpasswd._tcp.``| -|Rfc1510UdpKpwd|SRV|_kpasswd._udp.``| +- If you disable this policy setting, DCs configured to perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records. -If you disable this policy setting, DCs configured to perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records. +- If you don't configure this policy setting, DCs use their local configuration. + -If you don't configure this policy setting, DCs use their local configuration. 
+ +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Specify DC Locator DNS records not registered by the DCs* -- GP name: *Netlogon_DnsAvoidRegisterRecords* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | Netlogon_DnsAvoidRegisterRecords | +| Friendly Name | Specify DC Locator DNS records not registered by the DCs | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + -
    + + + - -**ADMX_Netlogon/Netlogon_DnsRefreshInterval** + - + +## Netlogon_DnsRefreshInterval -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_DnsRefreshInterval +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. -DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data hasn't changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database. +DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records' data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database. > [!WARNING] > If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the undesired deletion of DNS resource records. To specify the Refresh Interval of the DC records, click Enabled, and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC records in seconds (for example, the value 3600 is 60 minutes). -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. 
+- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify Refresh Interval of the DC Locator DNS records* -- GP name: *Netlogon_DnsRefreshInterval* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames** +| Name | Value | +|:--|:--| +| Name | Netlogon_DnsRefreshInterval | +| Friendly Name | Specify Refresh Interval of the DC Locator DNS records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_DnsSrvRecordUseLowerCaseHostNames - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames +``` + -
    - - - + + This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. If enabled, domain controllers will lowercase their DNS host name when registering domain controller SRV records. A best-effort attempt will be made to delete any previously registered SRV records that contain mixed-case DNS host names. For more information and potential manual cleanup procedures, see the link below. @@ -989,873 +1020,1051 @@ If not configured, domain controllers will default to using their local configur The default local configuration is enabled. -A reboot isn't required for changes to this setting to take effect. - +A reboot is not required for changes to this setting to take effect. +More information is available at + - -ADMX Info: -- GP Friendly name: *Use lowercase DNS host names when registering domain controller SRV records* -- GP name: *Netlogon_DnsSrvRecordUseLowerCaseHostNames* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* + + + - - -
    + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Netlogon/Netlogon_DnsTtl** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Netlogon_DnsSrvRecordUseLowerCaseHostNames | +| Friendly Name | Use lowercase DNS host names when registering domain controller SRV records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | DnsSrvRecordUseLowerCaseHostNames | +| ADMX File Name | Netlogon.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Netlogon_DnsTtl -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they're used to locate the domain controller (DC). + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_DnsTtl +``` + + + + +This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC). To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes). -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. - +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + + + + - -ADMX Info: -- GP Friendly name: *Set TTL in the DC Locator DNS Records* -- GP name: *Netlogon_DnsTtl* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Netlogon/Netlogon_ExpectedDialupDelay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Netlogon_DnsTtl | +| Friendly Name | Set TTL in the DC Locator DNS Records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Netlogon_ExpectedDialupDelay -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_ExpectedDialupDelay +``` + - - -This policy setting specifies the extra time for the computer to wait for the domain controller’s (DC) response when logging on to the network. + + +This policy setting specifies the additional time for the computer to wait for the domain controller's (DC) response when logging on to the network. -To specify the expected dial-up delay at sign-in, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute). +To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute). -If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration. +- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify expected dial-up delay on logon* -- GP name: *Netlogon_ExpectedDialupDelay* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_ForceRediscoveryInterval** +| Name | Value | +|:--|:--| +| Name | Netlogon_ExpectedDialupDelay | +| Friendly Name | Specify expected dial-up delay on logon | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_ForceRediscoveryInterval - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_ForceRediscoveryInterval +``` + -
    - - - + + This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator. -The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions, DC Locator will, by default, carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries. +The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. 
Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries. -If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4,294,967,200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity. +- If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4294967200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity. -If you disable this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval. +- If you disable this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval. -If you don't configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value. +- If you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Force Rediscovery Interval* -- GP name: *Netlogon_ForceRediscoveryInterval* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_GcSiteCoverage** +| Name | Value | +|:--|:--| +| Name | Netlogon_ForceRediscoveryInterval | +| Friendly Name | Force Rediscovery Interval | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_GcSiteCoverage - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_GcSiteCoverage +``` + -
    + + +This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. - - -This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. The records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. - -The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they're used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory. +The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory. To specify the sites covered by the GC Locator DNS SRV records, click Enabled, and enter the sites' names in a space-delimited format. -If you don't configure this policy setting, it isn't applied to any GCs, and GCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify sites covered by the GC Locator DNS SRV Records* -- GP name: *Netlogon_GcSiteCoverage* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages** +| Name | Value | +|:--|:--| +| Name | Netlogon_GcSiteCoverage | +| Friendly Name | Specify sites covered by the GC Locator DNS SRV Records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_IgnoreIncomingMailslotMessages - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages +``` + -
    - - - + + This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). > [!NOTE] > To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message. -This policy setting is recommended to reduce the attack surface on a DC, and can be used in an environment without WINS, in an IPv6-only environment, and whenever DC location based on a NetBIOS domain name isn't required. This policy setting doesn't affect DC location based on DNS names. +This policy setting is recommended to reduce the attack surface on a DC, and can be used in an environment without WINS, in an IPv6-only environment, and whenever DC location based on a NetBIOS domain name is not required. This policy setting does not affect DC location based on DNS names. -If you enable this policy setting, this DC doesn't process incoming mailslot messages that are used for NetBIOS domain name based DC location. +- If you enable this policy setting, this DC does not process incoming mailslot messages that are used for NetBIOS domain name based DC location. -If you disable or don't configure this policy setting, this DC processes incoming mailslot messages. This hevaior is the default behavior of DC Locator. +- If you disable or do not configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC Locator. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names* -- GP name: *Netlogon_IgnoreIncomingMailslotMessages* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_LdapSrvPriority** +| Name | Value | +|:--|:--| +| Name | Netlogon_IgnoreIncomingMailslotMessages | +| Friendly Name | Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | IgnoreIncomingMailslotMessages | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_LdapSrvPriority - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_LdapSrvPriority +``` + -
    - - - + + This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. -The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record’s Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed. +The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record's Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed. To specify the Priority in the DC Locator DNS SRV resource records, click Enabled, and then enter a value. The range of values is from 0 to 65535. -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Priority in the DC Locator DNS SRV records* -- GP name: *Netlogon_LdapSrvPriority* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_LdapSrvWeight** +| Name | Value | +|:--|:--| +| Name | Netlogon_LdapSrvPriority | +| Friendly Name | Set Priority in the DC Locator DNS SRV records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_LdapSrvWeight - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_LdapSrvWeight +``` + -
    - - - -This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they're used to locate the DC. + + +This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. The Weight field in the SRV record can be used in addition to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV records Target field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the SRV record. To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 65535. -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Weight in the DC Locator DNS SRV records* -- GP name: *Netlogon_LdapSrvWeight* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_MaximumLogFileSize** +| Name | Value | +|:--|:--| +| Name | Netlogon_LdapSrvWeight | +| Friendly Name | Set Weight in the DC Locator DNS SRV records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_MaximumLogFileSize - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_MaximumLogFileSize +``` + -
    - - - + + This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. -By default, the maximum size of the log file is 20 MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached, the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. +By default, the maximum size of the log file is 20MB. +- If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. -If you disable or don't configure this policy setting, the default behavior occurs as indicated above. +- If you disable or do not configure this policy setting, the default behavior occurs as indicated above. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify maximum log file size* -- GP name: *Netlogon_MaximumLogFileSize* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_NdncSiteCoverage** +| Name | Value | +|:--|:--| +| Name | Netlogon_MaximumLogFileSize | +| Friendly Name | Specify maximum log file size | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_NdncSiteCoverage - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_NdncSiteCoverage +``` + -
    - - - + + This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. -The application directory partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they're used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. +The application directory partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. To specify the sites covered by the DC Locator application directory partition-specific DNS SRV records, click Enabled, and then enter the site names in a space-delimited format. -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify sites covered by the application directory partition DC Locator DNS SRV records* -- GP name: *Netlogon_NdncSiteCoverage* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_NegativeCachePeriod** +| Name | Value | +|:--|:--| +| Name | Netlogon_NdncSiteCoverage | +| Friendly Name | Specify sites covered by the application directory partition DC Locator DNS SRV records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_NegativeCachePeriod - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_NegativeCachePeriod +``` + -
    + + +This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. - - -This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) couldn't be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. - -The default value for this setting is 45 seconds. The maximum value for this setting is seven days (7*24*60*60). The minimum value for this setting is 0. +The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0. > [!WARNING] -> If the value for this setting is too large, a client won't attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available. +> If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify negative DC Discovery cache setting* -- GP name: *Netlogon_NegativeCachePeriod* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode** +| Name | Value | +|:--|:--| +| Name | Netlogon_NegativeCachePeriod | +| Friendly Name | Specify negative DC Discovery cache setting | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_NetlogonShareCompatibilityMode - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode +``` + -
    - - - + + This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. -If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. +- If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. -If you disable or don't configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission. +- If you disable or do not configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission. By default, the Netlogon share will grant shared read access to files on the share when exclusive access is requested. > [!NOTE] > The Netlogon share is a share created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Netlogon share on the domain will be decreased. 
-If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those applications approved by the administrator. +- If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Netlogon share compatibility* -- GP name: *Netlogon_NetlogonShareCompatibilityMode* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod** +| Name | Value | +|:--|:--| +| Name | Netlogon_NetlogonShareCompatibilityMode | +| Friendly Name | Set Netlogon share compatibility | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AllowExclusiveScriptsShareAccess | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_NonBackgroundSuccessfulRefreshPeriod - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod +``` + -
    + + +This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. - - -This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that don't periodically attempt to locate DCs, and it's applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that haven't specified the DS_BACKGROUND_ONLY flag. +The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0). + -The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that isn't treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0). + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify positive periodic DC Cache refresh for non-background callers* -- GP name: *Netlogon_NonBackgroundSuccessfulRefreshPeriod* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Netlogon_NonBackgroundSuccessfulRefreshPeriod | +| Friendly Name | Specify positive periodic DC Cache refresh for non-background callers | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - -**ADMX_Netlogon/Netlogon_PingUrgencyMode** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## Netlogon_PingUrgencyMode - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_PingUrgencyMode +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). -When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in more network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version. +When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in additional network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version. The allowable values for this setting result in the following behaviors: -- 1 - Computers will ping DCs at the normal frequency. -- 2 - Computers will ping DCs at the higher frequency. +1 - Computers will ping DCs at the normal frequency. +2 - Computers will ping DCs at the higher frequency. To specify this behavior, click Enabled and then enter a value. The range of values is from 1 to 2. -If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration. +- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use urgent mode when pinging domain controllers* -- GP name: *Netlogon_PingUrgencyMode* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_ScavengeInterval** +| Name | Value | +|:--|:--| +| Name | Netlogon_PingUrgencyMode | +| Friendly Name | Use urgent mode when pinging domain controllers | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_ScavengeInterval - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_ScavengeInterval +``` + -
    - - - + + This policy setting determines the interval at which Netlogon performs the following scavenging operations: - Checks if a password on a secure channel needs to be modified, and modifies it if necessary. -- On the domain controllers (DC), discovers a DC that hasn't been discovered. +- On the domain controllers (DC), discovers a DC that has not been discovered. -- On the PDC, attempts to add the ``[1B] NetBIOS name if it hasn’t already been successfully added. +- On the PDC, attempts to add the ``[1B] NetBIOS name if it hasn't already been successfully added. -None of these operations are critical. 15 minutes is optimal in all but extreme cases. For instance, if a DC is separated from a trusted domain by an expensive (for example, ISDN) line, this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in a trusted domain. +None of these operations are critical. 15 minutes is optimal in all but extreme cases. For instance, if a DC is separated from a trusted domain by an expensive (e.g., ISDN) line, this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in a trusted domain. To enable the setting, click Enabled, and then specify the interval in seconds. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set scavenge interval* -- GP name: *Netlogon_ScavengeInterval* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_SiteCoverage** +| Name | Value | +|:--|:--| +| Name | Netlogon_ScavengeInterval | +| Friendly Name | Set scavenge interval | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_SiteCoverage - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_SiteCoverage +``` + -
    - - - + + This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. -The DC Locator DNS records are dynamically registered by the Net Logon service, and they're used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. +The DC Locator DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. To specify the sites covered by the DC Locator DNS SRV records, click Enabled, and then enter the sites names in a space-delimited format. -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify sites covered by the DC Locator DNS SRV records* -- GP name: *Netlogon_SiteCoverage* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_SiteName** +| Name | Value | +|:--|:--| +| Name | Netlogon_SiteCoverage | +| Friendly Name | Specify sites covered by the DC Locator DNS SRV records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_SiteName - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_SiteName +``` + -
    - - - + + This policy setting specifies the Active Directory site to which computers belong. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. -To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs isn't specified, the computer automatically discovers its site from Active Directory. +To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs is not specified, the computer automatically discovers its site from Active Directory. -If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration. +- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify site name* -- GP name: *Netlogon_SiteName* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode** +| Name | Value | +|:--|:--| +| Name | Netlogon_SiteName | +| Friendly Name | Specify site name | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_SysvolShareCompatibilityMode - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode +``` + -
    - - - + + This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. When this setting is enabled, the SYSVOL share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. @@ -1867,129 +2076,177 @@ By default, the SYSVOL share will grant shared read access to files on the share > [!NOTE] > The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased. -If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those applications approved by the administrator. +- If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set SYSVOL share compatibility* -- GP name: *Netlogon_SysvolShareCompatibilityMode* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_TryNextClosestSite** +| Name | Value | +|:--|:--| +| Name | Netlogon_SysvolShareCompatibilityMode | +| Friendly Name | Set SYSVOL share compatibility | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AllowExclusiveSysvolShareAccess | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_TryNextClosestSite - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_TryNextClosestSite +``` + -
    + + +This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. - - -This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site isn't found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. +The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost. -The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none is found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost. +- If you enable this policy setting, Try Next Closest Site DC Location will be turned on for the computer. -If you enable this policy setting, Try Next Closest Site DC Location will be turned on for the computer. +- If you disable this policy setting, Try Next Closest Site DC Location will not be used by default for the computer. 
However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored. -If you disable this policy setting, Try Next Closest Site DC Location won't be used by default for the computer. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored. +- If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used. + -If you don't configure this policy setting, Try Next Closest Site DC Location won't be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Try Next Closest Site* -- GP name: *Netlogon_TryNextClosestSite* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Netlogon_TryNextClosestSite | +| Friendly Name | Try Next Closest Site | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | TryNextClosestSite | +| ADMX File Name | Netlogon.admx | + - -**ADMX_Netlogon/Netlogon_UseDynamicDns** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## Netlogon_UseDynamicDns - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_UseDynamicDns +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. -If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections. +- If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections. -If you disable this policy setting, DCs won't register DC Locator DNS resource records. +- If you disable this policy setting, DCs will not register DC Locator DNS resource records. -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify dynamic registration of the DC Locator DNS Records* -- GP name: *Netlogon_UseDynamicDns* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Netlogon_UseDynamicDns | +| Friendly Name | Specify dynamic registration of the DC Locator DNS Records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | UseDynamicDns | +| ADMX File Name | Netlogon.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index c027b216d6..f59fcc9805 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md 
@@ -1,152 +1,55 @@ --- -title: Policy CSP - ADMX_NetworkConnections -description: Learn about Policy CSP - ADMX_NetworkConnections. +title: ADMX_NetworkConnections Policy CSP +description: Learn more about the ADMX_NetworkConnections Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/21/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_NetworkConnections ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_NetworkConnections policies + +## NC_AddRemoveComponents -
    -
    - ADMX_NetworkConnections/NC_AddRemoveComponents -
    -
    - ADMX_NetworkConnections/NC_AdvancedSettings -
    -
    - ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig -
    -
    - ADMX_NetworkConnections/NC_ChangeBindState -
    -
    - ADMX_NetworkConnections/NC_DeleteAllUserConnection -
    -
    - ADMX_NetworkConnections/NC_DeleteConnection -
    -
    - ADMX_NetworkConnections/NC_DialupPrefs -
    -
    - ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon -
    -
    - ADMX_NetworkConnections/NC_EnableAdminProhibits -
    -
    - ADMX_NetworkConnections/NC_ForceTunneling -
    -
    - ADMX_NetworkConnections/NC_IpStateChecking -
    -
    - ADMX_NetworkConnections/NC_LanChangeProperties -
    -
    - ADMX_NetworkConnections/NC_LanConnect -
    -
    - ADMX_NetworkConnections/NC_LanProperties -
    -
    - ADMX_NetworkConnections/NC_NewConnectionWizard -
    -
    - ADMX_NetworkConnections/NC_PersonalFirewallConfig -
    -
    - ADMX_NetworkConnections/NC_RasAllUserProperties -
    -
    - ADMX_NetworkConnections/NC_RasChangeProperties -
    -
    - ADMX_NetworkConnections/NC_RasConnect -
    -
    - ADMX_NetworkConnections/NC_RasMyProperties -
    -
    - ADMX_NetworkConnections/NC_RenameAllUserRasConnection -
    -
    - ADMX_NetworkConnections/NC_RenameConnection -
    -
    - ADMX_NetworkConnections/NC_RenameLanConnection -
    -
    - ADMX_NetworkConnections/NC_RenameMyRasConnection -
    -
    - ADMX_NetworkConnections/NC_ShowSharedAccessUI -
    -
    - ADMX_NetworkConnections/NC_Statistics -
    -
    - ADMX_NetworkConnections/NC_StdDomainUserSetLocation -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_AddRemoveComponents +``` + -
    + + +Determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. - -**ADMX_NetworkConnections/NC_AddRemoveComponents** +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and administrators are not permitted to access network components in the Windows Components Wizard. - +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. - -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and administrators aren't permitted to access network components in the Windows Components Wizard. - -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. - -If you disable this setting or don't configure it, the Install and Uninstall buttons for components of connections in the Network Connections folder are enabled. Also, administrators can gain access to network components in the Windows Components Wizard. +- If you disable this setting or do not configure it, the Install and Uninstall buttons for components of connections in the Network Connections folder are enabled. Also, administrators can gain access to network components in the Windows Components Wizard. The Install button opens the dialog boxes used to add network components. Clicking the Uninstall button removes the selected component in the components list (above the button). 
@@ -154,1448 +57,1856 @@ The Install and Uninstall buttons appear in the properties dialog box for connec > [!NOTE] > When the "Prohibit access to properties of a LAN connection", "Ability to change properties of an all user remote access connection", or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the connection properties dialog box, the Install and Uninstall buttons for connections are blocked. -> + +> [!NOTE] > Nonadministrators are already prohibited from adding and removing connection components, regardless of this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit adding and removing components for a LAN or remote access connection* -- GP name: *NC_AddRemoveComponents* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NetworkConnections/NC_AdvancedSettings** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_AddRemoveComponents | +| Friendly Name | Prohibit adding and removing components for a LAN or remote access connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_AddRemoveComponents | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_AdvancedSettings -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_AdvancedSettings +``` + - - -This policy setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. + + +Determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. The Advanced Settings item lets users view and change bindings and view and change the order in which the computer accesses connections, network providers, and print providers. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced Settings item is disabled for administrators. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced Settings item is disabled for administrators. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or don't configure it, the Advanced Settings item is enabled for administrators. +- If you disable this setting or do not configure it, the Advanced Settings item is enabled for administrators. > [!NOTE] > Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regardless of this setting. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit access to the Advanced Settings item on the Advanced menu* -- GP name: *NC_AdvancedSettings* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_AdvancedSettings | +| Friendly Name | Prohibit access to the Advanced Settings item on the Advanced menu | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_AdvancedSettings | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_AllowAdvancedTCPIPConfig -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig +``` + - - -This policy setting determines whether users can configure advanced TCP/IP settings. + + +Determines whether users can configure advanced TCP/IP settings. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users can't open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting, the Advanced button is enabled, and all users can open the Advanced TCP/IP Setting dialog box. - -This setting is superseded by settings that prohibit access to properties of connections or connection components. When these policies are set to deny access to the connection properties dialog box or Properties button for connection components, users can't gain access to the Advanced button for TCP/IP configuration. - -Changing this setting from Enabled to Not Configured doesn't enable the Advanced button until the user signs out. 
+- If you disable this setting, the Advanced button is enabled, and all users can open the Advanced TCP/IP Setting dialog box. > [!NOTE] -> Nonadministrators (excluding Network Configuration Operators) don't have permission to access TCP/IP advanced configuration for a LAN connection, regardless of this setting. +> This setting is superseded by settings that prohibit access to properties of connections or connection components. When these policies are set to deny access to the connection properties dialog box or Properties button for connection components, users cannot gain access to the Advanced button for TCP/IP configuration. + +> [!NOTE] +> Nonadministrators (excluding Network Configuration Operators) do not have permission to access TCP/IP advanced configuration for a LAN connection, regardless of this setting. > [!TIP] -> To open the Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button. +> To open the Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button. - +> [!NOTE] +> Changing this setting from Enabled to Not Configured does not enable the Advanced button until the user logs off. + + + + - -ADMX Info: -- GP Friendly name: *Prohibit TCP/IP advanced configuration* -- GP name: *NC_AllowAdvancedTCPIPConfig* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_NetworkConnections/NC_ChangeBindState** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NC_AllowAdvancedTCPIPConfig | +| Friendly Name | Prohibit TCP/IP advanced configuration | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_AllowAdvancedTCPIPConfig | +| ADMX File Name | NetworkConnections.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NC_ChangeBindState -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting Determines whether administrators can enable and disable the components used by LAN connections. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_ChangeBindState +``` + -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabling and disabling components are disabled. As a result, administrators can't enable or disable the components that a connection uses. + + +Determines whether administrators can enable and disable the components used by LAN connections. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabling and disabling components are disabled. As a result, administrators cannot enable or disable the components that a connection uses. -If you disable this setting or don't configure it, the Properties dialog box for a connection includes a check box beside the name of each component that the connection uses. Selecting the check box enables the component, and clearing the check box disables the component. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +- If you disable this setting or do not configure it, the Properties dialog box for a connection includes a check box beside the name of each component that the connection uses. Selecting the check box enables the component, and clearing the check box disables the component. 
> [!NOTE] > When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the check boxes for enabling and disabling the components of a LAN connection. -> + +> [!NOTE] > Nonadministrators are already prohibited from enabling or disabling components for a LAN connection, regardless of this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit Enabling/Disabling components of a LAN connection* -- GP name: *NC_ChangeBindState* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NetworkConnections/NC_DeleteAllUserConnection** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_ChangeBindState | +| Friendly Name | Prohibit Enabling/Disabling components of a LAN connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_ChangeBindState | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_DeleteAllUserConnection -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_DeleteAllUserConnection +``` + - - -This policy setting determines whether users can delete all user remote access connections. + + +Determines whether users can delete all user remote access connections. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. -If you enable this setting, all users can delete shared remote access connections. In addition, if your file system is NTFS, users need to have Write access to Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk to delete a shared remote access connection. +- If you enable this setting, all users can delete shared remote access connections. In addition, if your file system is NTFS, users need to have Write access to Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk to delete a shared remote access connection. -If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) can't delete all-user remote access connections. (By default, users can still delete their private connections, but you can change the default by using the "Prohibit deletion of remote access connections" setting.) +- If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete all-user remote access connections. (By default, users can still delete their private connections, but you can change the default by using the "Prohibit deletion of remote access connections" setting.) -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. 
+> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you don't configure this setting, only Administrators and Network Configuration Operators can delete all user remote access connections. +- If you do not configure this setting, only Administrators and Network Configuration Operators can delete all user remote access connections. -When enabled, the "Prohibit deletion of remote access connections" setting takes precedence over this setting. Users (including administrators) can't delete any remote access connections, and this setting is ignored. +> [!IMPORTANT] +> When enabled, the "Prohibit deletion of remote access connections" setting takes precedence over this setting. Users (including administrators) cannot delete any remote access connections, and this setting is ignored. > [!NOTE] -> LAN connections are created and deleted automatically by the system when a LAN adapter is installed or removed. You can't use the Network Connections folder to create or delete a LAN connection. -> -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. - - - - - -ADMX Info: -- GP Friendly name: *Ability to delete all user remote access connections* -- GP name: *NC_DeleteAllUserConnection* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* - - - -
    - - -**ADMX_NetworkConnections/NC_DeleteConnection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines whether users can delete remote access connections. - -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) can't delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder. - -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. - -If you disable this setting or don't configure it, all users can delete their private remote access connections. Private connections are those connections that are available only to one user. (By default, only Administrators and Network Configuration Operators can delete connections available to all users, but you can change the default by using the "Ability to delete all user remote access connections" setting.) - -When enabled, this setting takes precedence over the "Ability to delete all user remote access connections" setting. Users can't delete any remote access connections, and the "Ability to delete all user remote access connections" setting is ignored. +> LAN connections are created and deleted automatically by the system when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection. > [!NOTE] -> LAN connections are created and deleted automatically when a LAN adapter is installed or removed. You can't use the Network Connections folder to create or delete a LAN connection. -> -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. 
+> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit deletion of remote access connections* -- GP name: *NC_DeleteConnection* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NetworkConnections/NC_DialupPrefs** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_DeleteAllUserConnection | +| Friendly Name | Ability to delete all user remote access connections | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_DeleteAllUserConnection | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_DeleteConnection -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_DeleteConnection +``` + - - -This policy setting determines whether the Remote Access Preferences item on the Advanced menu in Network Connections folder is enabled. + + +Determines whether users can delete remote access connections. -The Remote Access Preferences item lets users create and change connections before signing in and configure automatic dialing and callback features. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Remote Access Preferences item is disabled for all users (including administrators). +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +- If you disable this setting or do not configure it, all users can delete their private remote access connections. Private connections are those that are available only to one user. (By default, only Administrators and Network Configuration Operators can delete connections available to all users, but you can change the default by using the "Ability to delete all user remote access connections" setting.) -If you disable this setting or don't configure it, the Remote Access Preferences item is enabled for all users. 
+> [!IMPORTANT] +> When enabled, this setting takes precedence over the "Ability to delete all user remote access connections" setting. Users cannot delete any remote access connections, and the "Ability to delete all user remote access connections" setting is ignored. - +> [!NOTE] +> LAN connections are created and deleted automatically when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection. +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + - -ADMX Info: -- GP Friendly name: *Prohibit access to the Remote Access Preferences item on the Advanced menu* -- GP name: *NC_DialupPrefs* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NC_DeleteConnection | +| Friendly Name | Prohibit deletion of remote access connections | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_DeleteConnection | +| ADMX File Name | NetworkConnections.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## NC_DialupPrefs - - -This policy setting specifies whether or not the "local access only" network icon will be shown. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_DialupPrefs
+```
+
+
+
+
+Determines whether the Remote Acccess Preferences item on the Advanced menu in Network Connections folder is enabled.
+
+The Remote Access Preferences item lets users create and change connections before logon and configure automatic dialing and callback features.
+
+- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Remote Access Preferences item is disabled for all users (including administrators).
+
+> [!IMPORTANT]
+> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+- If you disable this setting or do not configure it, the Remote Access Preferences item is enabled for all users.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | NC_DialupPrefs |
+| Friendly Name | Prohibit access to the Remote Access Preferences item on the Advanced menu |
+| Location | User Configuration |
+| Path | Network > Network Connections |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections |
+| Registry Value Name | NC_DialupPrefs |
+| ADMX File Name | NetworkConnections.admx |
+
+
+
+
+
+
+
+
+
+## NC_DoNotShowLocalOnlyIcon
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon +``` + + + + +Specifies whether or not the "local access only" network icon will be shown. When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only. -If you disable this setting or don't configure it, the "local access only" icon will be used when a user is connected to a network with local access only. +- If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not show the "local access only" network icon* -- GP name: *NC_DoNotShowLocalOnlyIcon* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NetworkConnections/NC_EnableAdminProhibits** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_DoNotShowLocalOnlyIcon | +| Friendly Name | Do not show the "local access only" network icon | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_DoNotShowLocalOnlyIcon | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_EnableAdminProhibits -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_EnableAdminProhibits +``` + - - -This policy setting determines whether settings that existed in Windows 2000 Server family will apply to Administrators. + + +Determines whether settings that existed in Windows 2000 Server family will apply to Administrators. The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. In Windows 2000 Professional, all of these settings had the ability to prohibit the use of certain features from Administrators. -By default, Network Connections group settings in Windows don't have the ability to prohibit the use of features from Administrators. +By default, Network Connections group settings in Windows XP Professional do not have the ability to prohibit the use of features from Administrators. -If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. 
These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows behave the same for administrators. +- If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. 
These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows XP Professional behave the same for administrators. -If you disable this setting or don't configure it, Windows settings that existed in Windows 2000 won't apply to administrators. +- If you disable this setting or do not configure it, Windows XP settings that existed in Windows 2000 will not apply to administrators. +> [!NOTE] +> This setting is intended to be used in a situation in which the Group Policy object that these settings are being applied to contains both Windows 2000 Professional and Windows XP Professional computers, and identical Network Connections policy behavior is required between all Windows 2000 Professional and Windows XP Professional computers. 
+ + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Enable Windows 2000 Network Connections settings for Administrators* -- GP name: *NC_EnableAdminProhibits* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_NetworkConnections/NC_ForceTunneling** +| Name | Value | +|:--|:--| +| Name | NC_EnableAdminProhibits | +| Friendly Name | Enable Windows 2000 Network Connections settings for Administrators | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_EnableAdminProhibits | +| ADMX File Name | NetworkConnections.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## NC_ForceTunneling - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_ForceTunneling +``` + -
    - - - -This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. + + +This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. When a remote client computer connects to an internal network using DirectAccess, it can access the Internet in two ways: through the secure tunnel that DirectAccess establishes between the computer and the internal network, or directly through the local default gateway. -If you enable this policy setting, all traffic between a remote client computer running DirectAccess and the Internet is routed through the internal network. +- If you enable this policy setting, all traffic between a remote client computer running DirectAccess and the Internet is routed through the internal network. -If you disable this policy setting, traffic between remote client computers running DirectAccess and the Internet isn't routed through the internal network. +- If you disable this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. -If you don't configure this policy setting, traffic between remote client computers running DirectAccess and the Internet isn't routed through the internal network. +- If you do not configure this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Route all traffic through the internal network* -- GP name: *NC_ForceTunneling* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NetworkConnections/NC_IpStateChecking** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_ForceTunneling | +| Friendly Name | Route all traffic through the internal network | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_IpStateChecking -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_IpStateChecking +``` + - - -This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This retrieval failure is often signified by the assignment of an automatic private IP address"(that is, an IP address in the range 169.254.*.*). This assignment indicates that a DHCP server couldn't be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. + + +This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. -If you enable this policy setting, this condition won't be reported as an error to the user. +- If you enable this policy setting, this condition will not be reported as an error to the user. -If you disable or don't configure this policy setting, a DHCP-configured connection that hasn't been assigned an IP address will be reported via a notification, providing the user with information as to how the problem can be resolved. +- If you disable or do not configure this policy setting, a DHCP-configured connection that has not been assigned an IP address will be reported via a notification, providing the user with information as to how the problem can be resolved. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off notifications when a connection has only limited or no connectivity* -- GP name: *NC_IpStateChecking* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NetworkConnections/NC_LanChangeProperties** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_IpStateChecking | +| Friendly Name | Turn off notifications when a connection has only limited or no connectivity | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_IpStateChecking | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_LanChangeProperties -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_LanChangeProperties +``` + - - -This policy setting determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. + + +Determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. This setting determines whether the Properties button for components of a LAN connection is enabled. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for Administrators. Network Configuration Operators are prohibited from accessing connection components, regardless of the "Enable Network Connections settings for Administrators" setting. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for Administrators. Network Configuration Operators are prohibited from accessing connection components, regardless of the "Enable Network Connections settings for Administrators" setting. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting doesn't apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers. -If you disable this setting or don't configure it, the Properties button is enabled for administrators and Network Configuration Operators. +- If you disable this setting or do not configure it, the Properties button is enabled for administrators and Network Configuration Operators. The Local Area Connection Properties dialog box includes a list of the network components that the connection uses. 
To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list. > [!NOTE] -> Not all network components have configurable properties. For components that aren't configurable, the Properties button is always disabled. -> +> Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. + +> [!NOTE] > When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the Properties button for LAN connection components. -> + +> [!NOTE] > Network Configuration Operators only have permission to change TCP/IP properties. Properties for all other components are unavailable to these users. -> + +> [!NOTE] > Nonadministrators are already prohibited from accessing properties of components for a LAN connection, regardless of this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit access to properties of components of a LAN connection* -- GP name: *NC_LanChangeProperties* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NetworkConnections/NC_LanConnect** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_LanChangeProperties | +| Friendly Name | Prohibit access to properties of components of a LAN connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_LanChangeProperties | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_LanConnect -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_LanConnect +``` + - - -This policy setting determines whether users can enable/disable LAN connections. + + +Determines whether users can enable/disable LAN connections. -If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. +- If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. -If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Enable and Disable menu items are disabled for all users (including administrators). +- If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Enable and Disable menu items are disabled for all users (including administrators). -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you don't configure this setting, only Administrators and Network Configuration Operators can enable/disable LAN connections. +- If you do not configure this setting, only Administrators and Network Configuration Operators can enable/disable LAN connections. 
> [!NOTE] > Administrators can still enable/disable LAN connections from Device Manager when this setting is disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Ability to Enable/Disable a LAN connection* -- GP name: *NC_LanConnect* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NetworkConnections/NC_LanProperties** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_LanConnect | +| Friendly Name | Ability to Enable/Disable a LAN connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_LanConnect | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_LanProperties -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_LanProperties +``` + - - -This policy setting determines whether users can change the properties of a LAN connection. + + +Determines whether users can change the properties of a LAN connection. This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled for all users, and users can't open the Local Area Connection Properties dialog box. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled for all users, and users cannot open the Local Area Connection Properties dialog box. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or don't configure it, a Properties menu item appears when users right-click the icon representing a LAN connection. Also, when users select the connection, Properties is enabled on the File menu. +- If you disable this setting or do not configure it, a Properties menu item appears when users right-click the icon representing a LAN connection. Also, when users select the connection, Properties is enabled on the File menu. + +> [!NOTE] +> This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box. +- If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users. 
> [!NOTE] -> This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users. -> > Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit access to properties of a LAN connection* -- GP name: *NC_LanProperties* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NetworkConnections/NC_NewConnectionWizard** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_LanProperties | +| Friendly Name | Prohibit access to properties of a LAN connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_LanProperties | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_NewConnectionWizard -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_NewConnectionWizard +``` + - - -This policy setting determines whether users can use the New Connection Wizard, which creates new network connections. + + +Determines whether users can use the New Connection Wizard, which creates new network connections. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Make New Connection icon doesn't appear in the Start Menu on in the Network Connections folder. As a result, users (including administrators) can't start the New Connection Wizard. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Make New Connection icon does not appear in the Start Menu on in the Network Connections folder. As a result, users (including administrators) cannot start the New Connection Wizard. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or don't configure it, the Make New Connection icon appears in the Start menu and in the Network Connections folder for all users. Clicking the Make New Connection icon starts the New Connection Wizard. +- If you disable this setting or do not configure it, the Make New Connection icon appears in the Start menu and in the Network Connections folder for all users. Clicking the Make New Connection icon starts the New Connection Wizard. > [!NOTE] -> Changing this setting from Enabled to Not Configured doesn't restore the Make New Connection icon until the user logs off or on. 
When other changes to this setting are applied, the icon doesn't appear or disappear in the Network Connections folder until the folder is refreshed. -> -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. +> Changing this setting from Enabled to Not Configured does not restore the Make New Connection icon until the user logs off or on. When other changes to this setting are applied, the icon does not appear or disappear in the Network Connections folder until the folder is refreshed. - +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + + + - -ADMX Info: -- GP Friendly name: *Prohibit access to the New Connection Wizard* -- GP name: *NC_NewConnectionWizard* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_NetworkConnections/NC_PersonalFirewallConfig** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NC_NewConnectionWizard | +| Friendly Name | Prohibit access to the New Connection Wizard | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_NewConnectionWizard | +| ADMX File Name | NetworkConnections.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## NC_PersonalFirewallConfig -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting prohibits use of Internet Connection Firewall on your DNS domain network. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_PersonalFirewallConfig +``` + + + + +Prohibits use of Internet Connection Firewall on your DNS domain network. Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer. > [!IMPORTANT] -> This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting doesn't apply. +> This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. The Internet Connection Firewall is a stateful packet filter for home and small office users to protect them from Internet network security threats. -If you enable this setting, Internet Connection Firewall can't be enabled or configured by users (including administrators), and the Internet Connection Firewall service can't run on the computer. The option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall isn't enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled. 
+- If you enable this setting, Internet Connection Firewall cannot be enabled or configured by users (including administrators), and the Internet Connection Firewall service cannot run on the computer. The option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall is not enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled. -If you enable the "Windows Firewall: Protect all network connections" policy setting, the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting has no effect on computers that are running Windows Firewall, which replaces Internet Connection Firewall when you install Windows XP Service Pack 2. +> [!NOTE] +> If you enable the "Windows Firewall: Protect all network connections" policy setting, the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting has no effect on computers that are running Windows Firewall, which replaces Internet Connection Firewall when you install Windows XP Service Pack 2. -If you disable this setting or don't configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled. +- If you disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. 
In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit use of Internet Connection Firewall on your DNS domain network* -- GP name: *NC_PersonalFirewallConfig* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NetworkConnections/NC_RasAllUserProperties** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_PersonalFirewallConfig | +| Friendly Name | Prohibit use of Internet Connection Firewall on your DNS domain network | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_PersonalFirewallConfig | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_RasAllUserProperties -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RasAllUserProperties +``` + - - -This policy setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. + + +Determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. This setting determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box is available to users. -If you enable this setting, a Properties menu item appears when any user right-clicks the icon for a remote access connection. Also, when any user selects the connection, Properties appears on the File menu. +- If you enable this setting, a Properties menu item appears when any user right-clicks the icon for a remote access connection. Also, when any user selects the connection, Properties appears on the File menu. -If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and users (including administrators) can't open the remote access connection properties dialog box. +- If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and users (including administrators) cannot open the remote access connection properties dialog box. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. 
+> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you don't configure this setting, only Administrators and Network Configuration Operators can change properties of all-user remote access connections. +- If you do not configure this setting, only Administrators and Network Configuration Operators can change properties of all-user remote access connections. > [!NOTE] -> This setting takes precedence over settings that manipulate the availability of features inside the Remote Access Connection Properties dialog box. If this setting is disabled, nothing within the properties dialog box for a remote access connection will be available to users. -> -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. +> This setting takes precedence over settings that manipulate the availability of features inside the Remote Access Connection Properties dialog box. +- If this setting is disabled, nothing within the properties dialog box for a remote access connection will be available to users. - +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + + + - -ADMX Info: -- GP Friendly name: *Ability to change properties of an all user remote access connection* -- GP name: *NC_RasAllUserProperties* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_NetworkConnections/NC_RasChangeProperties** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NC_RasAllUserProperties | +| Friendly Name | Ability to change properties of an all user remote access connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_RasAllUserProperties | +| ADMX File Name | NetworkConnections.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NC_RasChangeProperties -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines whether users can view and change the properties of components used by a private or all-user remote access connection. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RasChangeProperties +``` + + + + +Determines whether users can view and change the properties of components used by a private or all-user remote access connection. This setting determines whether the Properties button for components used by a private or all-user remote access connection is enabled. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for all users (including administrators). +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for all users (including administrators). -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting doesn't apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers. -If you disable this setting or don't configure it, the Properties button is enabled for all users. +- If you disable this setting or do not configure it, the Properties button is enabled for all users. The Networking tab of the Remote Access Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list. > [!NOTE] -> Not all network components have configurable properties. For components that aren't configurable, the Properties button is always disabled. 
-> +> Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. + +> [!NOTE] > When the "Ability to change properties of an all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Remote Access Connection Properties dialog box, the Properties button for remote access connection components is blocked. -> -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. - +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + + + - -ADMX Info: -- GP Friendly name: *Prohibit access to properties of components of a remote access connection* -- GP name: *NC_RasChangeProperties* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_NetworkConnections/NC_RasConnect** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NC_RasChangeProperties | +| Friendly Name | Prohibit access to properties of components of a remote access connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_RasChangeProperties | +| ADMX File Name | NetworkConnections.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NC_RasConnect -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines whether users can connect and disconnect remote access connections. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RasConnect +``` + -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled for all users (including administrators). + + +Determines whether users can connect and disconnect remote access connections. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled for all users (including administrators). -If you disable this setting or don't configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. - +- If you disable this setting or do not configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. 
+
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Prohibit connecting and disconnecting a remote access connection*
-- GP name: *NC_RasConnect*
-- GP path: *Network\Network Connections*
-- GP ADMX file name: *NetworkConnections.admx*
+
+**Description framework properties**:
-
-
-
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_NetworkConnections/NC_RasMyProperties** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NC_RasConnect | +| Friendly Name | Prohibit connecting and disconnecting a remote access connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_RasConnect | +| ADMX File Name | NetworkConnections.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NC_RasMyProperties -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines whether users can view and change the properties of their private remote access connections. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RasMyProperties +``` + + + + +Determines whether users can view and change the properties of their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. This setting determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box for a private connection is available to users. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and no users (including administrators) can open the Remote Access Connection Properties dialog box for a private connection. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and no users (including administrators) can open the Remote Access Connection Properties dialog box for a private connection. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or don't configure it, a Properties menu item appears when any user right-clicks the icon representing a private remote access connection. Also, when any user selects the connection, Properties appears on the File menu. 
+- If you disable this setting or do not configure it, a Properties menu item appears when any user right-clicks the icon representing a private remote access connection. Also, when any user selects the connection, Properties appears on the File menu.
 > [!NOTE]
-> This setting takes precedence over settings that manipulate the availability of features in the Remote Access Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a remote access connection will be available to users.
->
-> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting.
+> This setting takes precedence over settings that manipulate the availability of features in the Remote Access Connection Properties dialog box.
+- If this setting is enabled, nothing within the properties dialog box for a remote access connection will be available to users.
-
+> [!NOTE]
+> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.
+
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Prohibit changing properties of a private remote access connection*
-- GP name: *NC_RasMyProperties*
-- GP path: *Network\Network Connections*
-- GP ADMX file name: *NetworkConnections.admx*
+
+**Description framework properties**:
-
-
-
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_NetworkConnections/NC_RenameAllUserRasConnection** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NC_RasMyProperties | +| Friendly Name | Prohibit changing properties of a private remote access connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_RasMyProperties | +| ADMX File Name | NetworkConnections.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NC_RenameAllUserRasConnection -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines whether nonadministrators can rename all-user remote access connections. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RenameAllUserRasConnection +``` + + + + +Determines whether nonadministrators can rename all-user remote access connections. To create an all-user connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. -If you enable this setting, the Rename option is enabled for all-user remote access connections. Any user can rename all-user connections by clicking an icon representing the connection or by using the File menu. +- If you enable this setting, the Rename option is enabled for all-user remote access connections. Any user can rename all-user connections by clicking an icon representing the connection or by using the File menu. -If you disable this setting, the Rename option is disabled for nonadministrators only. +- If you disable this setting, the Rename option is disabled for nonadministrators only. -If you don't configure the setting, only Administrators and Network Configuration Operators can rename all-user remote access connections. +If you do not configure the setting, only Administrators and Network Configuration Operators can rename all-user remote access connections. > [!NOTE] -> This setting doesn't apply to Administrators. +> This setting does not apply to Administrators -When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either Enabled or Disabled), this setting doesn't apply. +> [!NOTE] +> When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either Enabled or Disabled), this setting does not apply. 
-This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting.
+> [!NOTE]
+> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Ability to rename all user remote access connections*
-- GP name: *NC_RenameAllUserRasConnection*
-- GP path: *Network\Network Connections*
-- GP ADMX file name: *NetworkConnections.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NetworkConnections/NC_RenameConnection** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_RenameAllUserRasConnection | +| Friendly Name | Ability to rename all user remote access connections | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_RenameAllUserRasConnection | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_RenameConnection -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RenameConnection +``` + - - -This policy setting Determines whether users can rename LAN or all user remote access connections. + + +Determines whether users can rename LAN or all user remote access connections. -If you enable this setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by using the File menu. +- If you enable this setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by using the File menu. -If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option for LAN and all user remote access connections is disabled for all users (including Administrators and Network Configuration Operators). +- If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option for LAN and all user remote access connections is disabled for all users (including Administrators and Network Configuration Operators). -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If this setting isn't configured, only Administrators and Network Configuration Operators have the right to rename LAN or all user remote access connections. +If this setting is not configured, only Administrators and Network Configuration Operators have the right to rename LAN or all user remote access connections. 
 > [!NOTE]
 > When configured, this setting always takes precedence over the "Ability to rename LAN connections" and "Ability to rename all user remote access connections" settings.
->
-> This setting doesn't prevent users from using other programs, such as Internet Explorer, to rename remote access connections.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Ability to rename LAN connections or remote access connections available to all users*
-- GP name: *NC_RenameConnection*
-- GP path: *Network\Network Connections*
-- GP ADMX file name: *NetworkConnections.admx*
-
-
-
    - - -**ADMX_NetworkConnections/NC_RenameLanConnection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines whether nonadministrators can rename a LAN connection. - -If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu. - -If you disable this setting, the Rename option is disabled for nonadministrators only. - -If you don't configure this setting, only Administrators and Network Configuration Operators can rename LAN connections > [!NOTE] -> This setting doesn't apply to Administrators. +> This setting does not prevent users from using other programs, such as Internet Explorer, to rename remote access connections. + -When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either enabled or disabled), this setting doesn't apply. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Ability to rename LAN connections* -- GP name: *NC_RenameLanConnection* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_NetworkConnections/NC_RenameMyRasConnection** +| Name | Value | +|:--|:--| +| Name | NC_RenameConnection | +| Friendly Name | Ability to rename LAN connections or remote access connections available to all users | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_RenameConnection | +| ADMX File Name | NetworkConnections.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## NC_RenameLanConnection - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RenameLanConnection +``` + -
    + + +Determines whether nonadministrators can rename a LAN connection. - - -This policy setting determines whether users can rename their private remote access connections. +- If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu. -Private connections are those connections that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. +- If you disable this setting, the Rename option is disabled for nonadministrators only. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option is disabled for all users (including administrators). - -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. - -If you disable this setting or don't configure it, the Rename option is enabled for all users' private remote access connections. Users can rename their private connection by clicking an icon representing the connection or by using the File menu. +- If you do not configure this setting, only Administrators and Network Configuration Operators can rename LAN connections > [!NOTE] -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. +> This setting does not apply to Administrators. - +> [!NOTE] +> When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either enabled or disabled), this setting does not apply. 
+
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Prohibit renaming private remote access connections*
-- GP name: *NC_RenameMyRasConnection*
-- GP path: *Network\Network Connections*
-- GP ADMX file name: *NetworkConnections.admx*
+
+**Description framework properties**:
-
-
-
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_NetworkConnections/NC_ShowSharedAccessUI** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NC_RenameLanConnection | +| Friendly Name | Ability to rename LAN connections | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_RenameLanConnection | +| ADMX File Name | NetworkConnections.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## NC_RenameMyRasConnection -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RenameMyRasConnection +``` + + + + +Determines whether users can rename their private remote access connections. + +Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. + +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option is disabled for all users (including administrators). + +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +- If you disable this setting or do not configure it, the Rename option is enabled for all users' private remote access connections. Users can rename their private connection by clicking an icon representing the connection or by using the File menu. + +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | NC_RenameMyRasConnection |
+| Friendly Name | Prohibit renaming private remote access connections |
+| Location | User Configuration |
+| Path | Network > Network Connections |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections |
+| Registry Value Name | NC_RenameMyRasConnection |
+| ADMX File Name | NetworkConnections.admx |
+
+
+
+
+
+
+
+
+
+## NC_ShowSharedAccessUI
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_ShowSharedAccessUI +``` + + + + +Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. -If you enable this setting, ICS can't be enabled or configured by administrators, and the ICS service can't run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. +- If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. -If you disable this setting or don't configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. +- If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. 
 (The Network Setup Wizard is available only in Windows XP Professional.)
-By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When administrators are running the New Connection Wizard or Network Setup Wizard, they can choose to enable ICS.
+By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS.
 > [!NOTE]
 > Internet Connection Sharing is only available when two or more network connections are present.
-When the "Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remote access connection," or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked.
+> [!NOTE]
+> When the "Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remote access connection," or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked.
-Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of this setting.
+> [!NOTE]
+> Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of this setting.
-Disabling this setting doesn't prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box.
+> [!NOTE]
+> Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services.
To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Prohibit use of Internet Connection Sharing on your DNS domain network*
-- GP name: *NC_ShowSharedAccessUI*
-- GP path: *Network\Network Connections*
-- GP ADMX file name: *NetworkConnections.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NetworkConnections/NC_Statistics** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_ShowSharedAccessUI | +| Friendly Name | Prohibit use of Internet Connection Sharing on your DNS domain network | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_ShowSharedAccessUI | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_Statistics -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_Statistics +``` + - - -This policy setting determines whether users can view the status for an active connection. + + +Determines whether users can view the status for an active connection. Connection status is available from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection. -If you enable this setting, the connection status taskbar icon and Status dialog box aren't available to users (including administrators). The Status option is disabled in the context menu for the connection and on the File menu in the Network Connections folder. Users can't choose to show the connection icon in the taskbar from the Connection Properties dialog box. +- If you enable this setting, the connection status taskbar icon and Status dialog box are not available to users (including administrators). The Status option is disabled in the context menu for the connection and on the File menu in the Network Connections folder. Users cannot choose to show the connection icon in the taskbar from the Connection Properties dialog box. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or don't configure it, the connection status taskbar icon and Status dialog box are available to all users. +- If you disable this setting or do not configure it, the connection status taskbar icon and Status dialog box are available to all users. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit viewing of status for an active connection* -- GP name: *NC_Statistics* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_NetworkConnections/NC_StdDomainUserSetLocation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_Statistics | +| Friendly Name | Prohibit viewing of status for an active connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_Statistics | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_StdDomainUserSetLocation -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_StdDomainUserSetLocation +``` + - - + + This policy setting determines whether to require domain users to elevate when setting a network's location. -If you enable this policy setting, domain users must elevate when setting a network's location. +- If you enable this policy setting, domain users must elevate when setting a network's location. -If you disable or don't configure this policy setting, domain users can set a network's location without elevating. +- If you disable or do not configure this policy setting, domain users can set a network's location without elevating. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Require domain users to elevate when setting a network's location* -- GP name: *NC_StdDomainUserSetLocation* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | NC_StdDomainUserSetLocation | +| Friendly Name | Require domain users to elevate when setting a network's location | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_StdDomainUserSetLocation | +| ADMX File Name | NetworkConnections.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index 3105a17fd2..a4d11fa601 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md 
@@ -1,1515 +1,1652 @@ --- -title: Policy CSP - ADMX_OfflineFiles -description: Learn about Policy CSP - ADMX_OfflineFiles. +title: ADMX_OfflineFiles Policy CSP +description: Learn more about the ADMX_OfflineFiles Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/21/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_OfflineFiles ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_OfflineFiles policies + +## Pol_AlwaysPinSubFolders -
    -
    - ADMX_OfflineFiles/Pol_AlwaysPinSubFolders -
    -
    - ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1 -
    -
    - ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2 -
    -
    - ADMX_OfflineFiles/Pol_BackgroundSyncSettings -
    -
    - ADMX_OfflineFiles/Pol_CacheSize -
    -
    - ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1 -
    -
    - ADMX_OfflineFiles/Pol_CustomGoOfflineActions_2 -
    -
    - ADMX_OfflineFiles/Pol_DefCacheSize -
    -
    - ADMX_OfflineFiles/Pol_Enabled -
    -
    - ADMX_OfflineFiles/Pol_EncryptOfflineFiles -
    -
    - ADMX_OfflineFiles/Pol_EventLoggingLevel_1 -
    -
    - ADMX_OfflineFiles/Pol_EventLoggingLevel_2 -
    -
    - ADMX_OfflineFiles/Pol_ExclusionListSettings -
    -
    - ADMX_OfflineFiles/Pol_ExtExclusionList -
    -
    - ADMX_OfflineFiles/Pol_GoOfflineAction_1 -
    -
    - ADMX_OfflineFiles/Pol_GoOfflineAction_2 -
    -
    - ADMX_OfflineFiles/Pol_NoCacheViewer_1 -
    -
    - ADMX_OfflineFiles/Pol_NoCacheViewer_2 -
    -
    - ADMX_OfflineFiles/Pol_NoConfigCache_1 -
    -
    - ADMX_OfflineFiles/Pol_NoConfigCache_2 -
    -
    - ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1 -
    -
    - ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_2 -
    -
    - ADMX_OfflineFiles/Pol_NoPinFiles_1 -
    -
    - ADMX_OfflineFiles/Pol_NoPinFiles_2 -
    -
    - ADMX_OfflineFiles/Pol_NoReminders_1 -
    -
    - ADMX_OfflineFiles/Pol_NoReminders_2 -
    -
    - ADMX_OfflineFiles/Pol_OnlineCachingSettings -
    -
    - ADMX_OfflineFiles/Pol_PurgeAtLogoff -
    -
    - ADMX_OfflineFiles/Pol_QuickAdimPin -
    -
    - ADMX_OfflineFiles/Pol_ReminderFreq_1 -
    -
    - ADMX_OfflineFiles/Pol_ReminderFreq_2 -
    -
    - ADMX_OfflineFiles/Pol_ReminderInitTimeout_1 -
    -
    - ADMX_OfflineFiles/Pol_ReminderInitTimeout_2 -
    -
    - ADMX_OfflineFiles/Pol_ReminderTimeout_1 -
    -
    - ADMX_OfflineFiles/Pol_ReminderTimeout_2 -
    -
    - ADMX_OfflineFiles/Pol_SlowLinkSettings -
    -
    - ADMX_OfflineFiles/Pol_SlowLinkSpeed -
    -
    - ADMX_OfflineFiles/Pol_SyncAtLogoff_1 -
    -
    - ADMX_OfflineFiles/Pol_SyncAtLogoff_2 -
    -
    - ADMX_OfflineFiles/Pol_SyncAtLogon_1 -
    -
    - ADMX_OfflineFiles/Pol_SyncAtLogon_2 -
    -
    - ADMX_OfflineFiles/Pol_SyncAtSuspend_1 -
    -
    - ADMX_OfflineFiles/Pol_SyncAtSuspend_2 -
    -
    - ADMX_OfflineFiles/Pol_SyncOnCostedNetwork -
    -
    - ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1 -
    -
    - ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_AlwaysPinSubFolders +``` + -
    + + +Makes subfolders available offline whenever their parent folder is made available offline. - -**ADMX_OfflineFiles/Pol_AlwaysPinSubFolders** +This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders. - +- If you enable this setting, when you make a folder available offline, all folders within that folder are also made available offline. Also, new folders that you create within a folder that is available offline are made available offline when the parent folder is synchronized. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you disable this setting or do not configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This policy setting makes subfolders available offline whenever their parent folder is made available offline. +**ADMX mapping**: -This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users don't have the option of excluding subfolders. +| Name | Value | +|:--|:--| +| Name | Pol_AlwaysPinSubFolders | +| Friendly Name | Subfolders always available offline | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | AlwaysPinSubFolders | +| ADMX File Name | OfflineFiles.admx | + -If you enable this setting, when you make a folder available offline, all folders within that folder are also made available offline. Also, new folders that you create within a folder that is available offline are made available offline when the parent folder is synchronized. + + + -If you disable this setting or don't configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. + - + +## Pol_AssignedOfflineFiles_1 + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Subfolders always available offline* -- GP name: *Pol_AlwaysPinSubFolders* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1 +``` + - - -
    + + +This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. - -**ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1** +- If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. - +- If you disable this policy setting, the list of files or folders made always available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting lists network files and folders that are always available for offline use. Activation of this policy setting ensures that the specified files and folders are available offline to users of the computer. - -If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. - -If you disable this policy setting, the list of files or folders made always available offline (including those files or folders inherited from lower precedence GPOs) is deleted. And, no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use). - -If you don't configure this policy setting, no files or folders are made available for offline use by Group Policy. +- If you do not configure this policy setting, no files or folders are made available for offline use by Group Policy. > [!NOTE] > This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify administratively assigned Offline Files* -- GP name: *Pol_AssignedOfflineFiles_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_AssignedOfflineFiles_1 | +| Friendly Name | Specify administratively assigned Offline Files | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_AssignedOfflineFiles_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2 +``` + - - -This policy setting lists network files and folders that are always available for offline use. Activation of this policy setting ensures that the specified files and folders are available offline to users of the computer. + + +This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. -If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. +- If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. -If you disable this policy setting, the list of files or folders made always available offline (including those files or folders inherited from lower precedence GPOs) is deleted. And, no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use). +- If you disable this policy setting, the list of files or folders made always available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use). -If you don't configure this policy setting, no files or folders are made available for offline use by Group Policy. 
+- If you do not configure this policy setting, no files or folders are made available for offline use by Group Policy. > [!NOTE] > This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify administratively assigned Offline Files* -- GP name: *Pol_AssignedOfflineFiles_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_BackgroundSyncSettings** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_AssignedOfflineFiles_2 | +| Friendly Name | Specify administratively assigned Offline Files | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_BackgroundSyncSettings -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_BackgroundSyncSettings +``` + - - -This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who signs in to the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. + + +This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. -If you enable this policy setting, you can control when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' value to ensure that all network folders on the machine are synchronized with the server regularly. +- If you enable this policy setting, you can control when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' value to ensure that all network folders on the machine are synchronized with the server on a regular basis. You can also configure Background Sync for network shares that are in user selected Work Offline mode. This mode is in effect when a user selects the Work Offline button for a specific share. When selected, all configured settings will apply to shares in user selected Work Offline mode as well. 
-If you disable or don't configure this policy setting, Windows performs a background sync of offline folders in the slow-link mode at a default interval, with the start of the sync varying between 0 and 60 extra minutes. In Windows 7 and Windows Server 2008 R2, the default sync interval is 360 minutes. In Windows 8 and Windows Server 2012, the default sync interval is 120 minutes. +- If you disable or do not configure this policy setting, Windows performs a background sync of offline folders in the slow-link mode at a default interval with the start of the sync varying between 0 and 60 additional minutes. In Windows 7 and Windows Server 2008 R2, the default sync interval is 360 minutes. In Windows 8 and Windows Server 2012, the default sync interval is 120 minutes. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Background Sync* -- GP name: *Pol_BackgroundSyncSettings* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_CacheSize** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_BackgroundSyncSettings | +| Friendly Name | Configure Background Sync | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | BackgroundSyncEnabled | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_CacheSize -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_CacheSize +``` + - - -This policy setting limits the volume of disk space that can be used to store offline files. This volume includes the space used by automatically cached files and files that are made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. + + +This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. -This setting also disables the ability to adjust, through the Offline Files control panel applet, the disk space limits on the Offline Files cache. This disablement prevents users from trying to change the option while a policy setting controls it. +This setting also disables the ability to adjust, through the Offline Files control panel applet, the disk space limits on the Offline Files cache. This prevents users from trying to change the option while a policy setting controls it. -If you enable this policy setting, you can specify the disk space limit (in megabytes) for offline files and also specify how much of that disk space can be used by automatically cached files. +- If you enable this policy setting, you can specify the disk space limit (in megabytes) for offline files and also specify how much of that disk space can be used by automatically cached files. -If you disable this policy setting, the system limits the space that offline files occupy to 25 percent of the total space on the drive where the Offline Files cache is located. The limit for automatically cached files is 100 percent of the total disk space limit. 
+- If you disable this policy setting, the system limits the space that offline files occupy to 25 percent of the total space on the drive where the Offline Files cache is located. The limit for automatically cached files is 100 percent of the total disk space limit. -If you don't configure this policy setting, the system limits the space that offline files occupy to 25 percent of the total space on the drive where the Offline Files cache is located. The limit for automatically cached files is 100 percent of the total disk space limit. However, the users can change these values using the Offline Files control applet. +- If you do not configure this policy setting, the system limits the space that offline files occupy to 25 percent of the total space on the drive where the Offline Files cache is located. The limit for automatically cached files is 100 percent of the total disk space limit. However, the users can change these values using the Offline Files control applet. -If you enable this setting and specify a total size limit greater than the size of the drive hosting the Offline Files cache, and that drive is the system drive, the total size limit is automatically adjusted downward to 75 percent of the size of the drive. If the cache is located on a drive other than the system drive, the limit is automatically adjusted downward to 100 percent of the size of the drive. +- If you enable this setting and specify a total size limit greater than the size of the drive hosting the Offline Files cache, and that drive is the system drive, the total size limit is automatically adjusted downward to 75 percent of the size of the drive. If the cache is located on a drive other than the system drive, the limit is automatically adjusted downward to 100 percent of the size of the drive. 
-If you enable this setting and specify a total size limit less than the amount of space currently used by the Offline Files cache, the total size limit is automatically adjusted upward to the amount of space currently used by offline files. The cache is then considered full. +- If you enable this setting and specify a total size limit less than the amount of space currently used by the Offline Files cache, the total size limit is automatically adjusted upward to the amount of space currently used by offline files. The cache is then considered full. -If you enable this setting and specify an auto-cached space limit greater than the total size limit, the auto-cached limit is automatically adjusted downward to equal the total size limit. +- If you enable this setting and specify an auto-cached space limit greater than the total size limit, the auto-cached limit is automatically adjusted downward to equal the total size limit. This setting replaces the Default Cache Size setting used by pre-Windows Vista systems. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Limit disk space used by Offline Files* -- GP name: *Pol_CacheSize* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_CacheSize | +| Friendly Name | Limit disk space used by Offline Files | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_CustomGoOfflineActions_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1 +``` + - - -This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. + + +Determines how computers respond when they are disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting. -This setting also disables the "When a network connection is lost" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. +To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they are disconnected from this server, or type "1" if they cannot. -If you enable this setting, you can use the "Action" box to specify how computers in the group respond. - -- "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible. -- "Never go offline" indicates that network files aren't available while the server is inaccessible. - -If you disable this setting or select the "Work offline" option, users can work offline if disconnected. - -If you don't configure this setting, users can work offline by default, but they can change this option. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. 
Both Computer and User configuration take precedence over a user's setting. This setting does not prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting. > [!TIP] -> To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the "When a network connection is lost" section. +> To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click Advanced. This setting corresponds to the settings in the "Exception list" section. + -Also, see the "Non-default server disconnect actions" setting. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Action on server disconnect* -- GP name: *Pol_CustomGoOfflineActions_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_OfflineFiles/Pol_CustomGoOfflineActions_2** +| Name | Value | +|:--|:--| +| Name | Pol_CustomGoOfflineActions_1 | +| Friendly Name | Non-default server disconnect actions | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Pol_CustomGoOfflineActions_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_CustomGoOfflineActions_2 +``` + -
    + + +Determines how computers respond when they are disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting. - - -This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they are disconnected from this server, or type "1" if they cannot. -This setting also disables the "When a network connection is lost" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. - -If you enable this setting, you can use the "Action" box to specify how computers in the group respond. - -- "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible. -- "Never go offline" indicates that network files aren't available while the server is inaccessible. - -If you disable this setting or select the "Work offline" option, users can work offline if disconnected. - -If you don't configure this setting, users can work offline by default, but they can change this option. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. 
This setting does not prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting. > [!TIP] -> To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the "When a network connection is lost" section. +> To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click Advanced. This setting corresponds to the settings in the "Exception list" section. + -Also, see the "Non-default server disconnect actions" setting. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Action on server disconnect* -- GP name: *Pol_CustomGoOfflineActions_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_OfflineFiles/Pol_DefCacheSize** +| Name | Value | +|:--|:--| +| Name | Pol_CustomGoOfflineActions_2 | +| Friendly Name | Non-default server disconnect actions | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Pol_DefCacheSize - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_DefCacheSize +``` + -
    - - - + + Limits the percentage of the computer's disk space that can be used to store automatically cached offline files. -This setting also disables the "Amount of disk space to use for temporary offline files" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. +This setting also disables the "Amount of disk space to use for temporary offline files" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. Automatic caching can be set on any network share. When a user opens a file on the share, the system automatically stores a copy of the file on the user's computer. -This setting doesn't limit the disk space available for files that user's make available offline manually. +This setting does not limit the disk space available for files that user's make available offline manually. -If you enable this setting, you can specify an automatic-cache disk space limit. +- If you enable this setting, you can specify an automatic-cache disk space limit. -If you disable this setting, the system limits the space that automatically cached files occupy to 10 percent of the space on the system drive. +- If you disable this setting, the system limits the space that automatically cached files occupy to 10 percent of the space on the system drive. -If you don't configure this setting, disk space for automatically cached files is limited to 10 percent of the system drive by default, but users can change it. +- If you do not configure this setting, disk space for automatically cached files is limited to 10 percent of the system drive by default, but users can change it. 
> [!TIP] > To change the amount of disk space used for automatic caching without specifying a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then use the slider bar associated with the "Amount of disk space to use for temporary offline files" option. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Default cache size* -- GP name: *Pol_DefCacheSize* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_Enabled** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_DefCacheSize | +| Friendly Name | Default cache size | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_Enabled -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_Enabled +``` + - - -This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer isn't connected to the network. + + +This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network. -If you enable this policy setting, Offline Files is enabled and users can't disable it. +- If you enable this policy setting, Offline Files is enabled and users cannot disable it. -If you disable this policy setting, Offline Files is disabled and users can't enable it. +- If you disable this policy setting, Offline Files is disabled and users cannot enable it. -If you don't configure this policy setting, Offline Files is enabled on Windows client computers, and disabled on computers running Windows Server, unless changed by the user. +- If you do not configure this policy setting, Offline Files is enabled on Windows client computers, and disabled on computers running Windows Server, unless changed by the user. > [!NOTE] -> Changes to this policy setting don't take effect until the affected computer is restarted. +> Changes to this policy setting do not take effect until the affected computer is restarted. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow or Disallow use of the Offline Files feature* -- GP name: *Pol_Enabled* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_EncryptOfflineFiles** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_Enabled | +| Friendly Name | Allow or Disallow use of the Offline Files feature | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | Enabled | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_EncryptOfflineFiles -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_EncryptOfflineFiles +``` + - - + + This policy setting determines whether offline files are encrypted. Offline files are locally cached copies of files from a network share. Encrypting this cache reduces the likelihood that a user could access files from the Offline Files cache without proper permissions. -If you enable this policy setting, all files in the Offline Files cache are encrypted. These files include existing files and files added later. The cached copy on the local computer is affected, but the associated network copy isn't. The user can't unencrypt Offline Files through the user interface. +- If you enable this policy setting, all files in the Offline Files cache are encrypted. This includes existing files as well as files added later. The cached copy on the local computer is affected, but the associated network copy is not. The user cannot unencrypt Offline Files through the user interface. -If you disable this policy setting, all files in the Offline Files cache are unencrypted. These files include existing files and files added later, even if the files were stored using NTFS encryption or BitLocker Drive Encryption while on the server. The cached copy on the local computer is affected, but the associated network copy isn't. The user can't encrypt Offline Files through the user interface. +- If you disable this policy setting, all files in the Offline Files cache are unencrypted. This includes existing files as well as files added later, even if the files were stored using NTFS encryption or BitLocker Drive Encryption while on the server. The cached copy on the local computer is affected, but the associated network copy is not. The user cannot encrypt Offline Files through the user interface. -If you don't configure this policy setting, encryption of the Offline Files cache is controlled by the user through the user interface. 
The current cache state is retained, and if the cache is only partially encrypted, the operation completes so that it's fully encrypted. The cache doesn't return to the unencrypted state. The user must be an administrator on the local computer to encrypt or decrypt the Offline Files cache. +- If you do not configure this policy setting, encryption of the Offline Files cache is controlled by the user through the user interface. The current cache state is retained, and if the cache is only partially encrypted, the operation completes so that it is fully encrypted. The cache does not return to the unencrypted state. The user must be an administrator on the local computer to encrypt or decrypt the Offline Files cache. > [!NOTE] > By default, this cache is protected on NTFS partitions by ACLs. -This setting is applied at user sign-in. If this setting is changed after user sign-in, then user sign-out and sign-in is required for this setting to take effect. - +This setting is applied at user logon. If this setting is changed after user logon then user logoff and logon is required for this setting to take effect. + + + + - -ADMX Info: -- GP Friendly name: *Encrypt the Offline Files cache* -- GP name: *Pol_EncryptOfflineFiles* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_OfflineFiles/Pol_EventLoggingLevel_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Pol_EncryptOfflineFiles | +| Friendly Name | Encrypt the Offline Files cache | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | EncryptCache | +| ADMX File Name | OfflineFiles.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## Pol_EventLoggingLevel_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines which events the Offline Files feature records in the event log. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_EventLoggingLevel_1 +``` + -Offline Files records events in the Application login Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify the other events you want Offline Files to record. + + +Determines which events the Offline Files feature records in the event log. + +Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. To use this setting, in the "Enter" box, select the number corresponding to the events you want the system to log. The levels are cumulative; that is, each level includes the events in all preceding levels. -- "0" records an error when the offline storage cache is corrupted. +"0" records an error when the offline storage cache is corrupted. -- "1" also records an event when the server hosting the offline file is disconnected from the network. +"1" also records an event when the server hosting the offline file is disconnected from the network. -- "2" also records events when the local computer is connected and disconnected from the network. +"2" also records events when the local computer is connected and disconnected from the network. -- "3" also records an event when the server hosting the offline file is reconnected to the network. +"3" also records an event when the server hosting the offline file is reconnected to the network. > [!NOTE] > This setting appears in the Computer Configuration and User Configuration folders. 
If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Event logging level* -- GP name: *Pol_EventLoggingLevel_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_EventLoggingLevel_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_EventLoggingLevel_1 | +| Friendly Name | Event logging level | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_EventLoggingLevel_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_EventLoggingLevel_2 +``` + - - -This policy setting determines which events the Offline Files feature records in the event log. + + +Determines which events the Offline Files feature records in the event log. -Offline Files records events in the Application login Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify the other events you want Offline Files to record. +Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. To use this setting, in the "Enter" box, select the number corresponding to the events you want the system to log. The levels are cumulative; that is, each level includes the events in all preceding levels. -- "0" records an error when the offline storage cache is corrupted. -- "1" also records an event when the server hosting the offline file is disconnected from the network. -- "2" also records events when the local computer is connected and disconnected from the network. -- "3" also records an event when the server hosting the offline file is reconnected to the network. +"0" records an error when the offline storage cache is corrupted. + +"1" also records an event when the server hosting the offline file is disconnected from the network. + +"2" also records events when the local computer is connected and disconnected from the network. + +"3" also records an event when the server hosting the offline file is reconnected to the network. > [!NOTE] > This setting appears in the Computer Configuration and User Configuration folders. 
If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Event logging level* -- GP name: *Pol_EventLoggingLevel_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_ExclusionListSettings** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_EventLoggingLevel_2 | +| Friendly Name | Event logging level | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_ExclusionListSettings -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ExclusionListSettings +``` + - - + + This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. -If you enable this policy setting, a user will be unable to create files with the specified file extensions in any of the folders that have been made available offline. +- If you enable this policy setting, a user will be unable to create files with the specified file extensions in any of the folders that have been made available offline. -If you disable or don't configure this policy setting, a user can create a file of any type in the folders that have been made available offline. +- If you disable or do not configure this policy setting, a user can create a file of any type in the folders that have been made available offline. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable file screens* -- GP name: *Pol_ExclusionListSettings* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_ExtExclusionList** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_ExclusionListSettings | +| Friendly Name | Enable file screens | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_ExtExclusionList -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ExtExclusionList +``` + - - -Lists types of files that can't be used offline. + + +Lists types of files that cannot be used offline. -This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system doesn't cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: "Files of this type can't be made available offline." +This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system does not cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: "Files of this type cannot be made available offline." -This setting is designed to protect files that can't be separated, such as database components. +This setting is designed to protect files that cannot be separated, such as database components. To use this setting, type the file name extension in the "Extensions" box. To type more than one extension, separate the extensions with a semicolon (;). > [!NOTE] > To make changes to this setting effective, you must log off and log on again. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Files not cached* -- GP name: *Pol_ExtExclusionList* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_GoOfflineAction_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_ExtExclusionList | +| Friendly Name | Files not cached | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_GoOfflineAction_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_GoOfflineAction_1 +``` + - - -This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. + + +Determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. -This setting also disables the "When a network connection is lost" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. +This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. -If you enable this setting, you can use the "Action" box to specify how computers in the group respond. +- If you enable this setting, you can use the "Action" box to specify how computers in the group respond. - "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible. -- "Never go offline" indicates that network files aren't available while the server is inaccessible. +- "Never go offline" indicates that network files are not available while the server is inaccessible. -If you disable this setting or select the "Work offline" option, users can work offline if disconnected. +- If you disable this setting or select the "Work offline" option, users can work offline if disconnected. -If you don't configure this setting, users can work offline by default, but they can change this option. +- If you do not configure this setting, users can work offline by default, but they can change this option. -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. 
+This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] > To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the "When a network connection is lost" section. Also, see the "Non-default server disconnect actions" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Action on server disconnect* -- GP name: *Pol_GoOfflineAction_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_GoOfflineAction_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_GoOfflineAction_1 | +| Friendly Name | Action on server disconnect | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_GoOfflineAction_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_GoOfflineAction_2 +``` + - - -This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. + + +Determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. -This setting also disables the "When a network connection is lost" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. +This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. -If you enable this setting, you can use the "Action" box to specify how computers in the group respond. +- If you enable this setting, you can use the "Action" box to specify how computers in the group respond. - "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible. -- "Never go offline" indicates that network files aren't available while the server is inaccessible. +- "Never go offline" indicates that network files are not available while the server is inaccessible. -If you disable this setting or select the "Work offline" option, users can work offline if disconnected. +- If you disable this setting or select the "Work offline" option, users can work offline if disconnected. -If you don't configure this setting, users can work offline by default, but they can change this option. +- If you do not configure this setting, users can work offline by default, but they can change this option. -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. 
+This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] > To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the "When a network connection is lost" section. Also, see the "Non-default server disconnect actions" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Action on server disconnect* -- GP name: *Pol_GoOfflineAction_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_NoCacheViewer_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_GoOfflineAction_2 | +| Friendly Name | Action on server disconnect | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_NoCacheViewer_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoCacheViewer_1 +``` + - - -This policy setting disables the Offline Files folder. + + +Disables the Offline Files folder. -This setting disables the "View Files" button on the Offline Files tab. As a result, users can't use the Offline Files folder to view or open copies of network files stored on their computer. Also, they can't use the folder to view characteristics of offline files, such as their server status, type, or location. +This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. -This setting doesn't prevent users from working offline or from saving local copies of files available offline. Also, it doesn't prevent them from using other programs, such as Windows Explorer, to view their offline files. +This setting does not prevent users from working offline or from saving local copies of files available offline. Also, it does not prevent them from using other programs, such as Windows Explorer, to view their offline files. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] > To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent use of Offline Files folder* -- GP name: *Pol_NoCacheViewer_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_NoCacheViewer_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_NoCacheViewer_1 | +| Friendly Name | Prevent use of Offline Files folder | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoCacheViewer | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_NoCacheViewer_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoCacheViewer_2 +``` + - - -This policy setting disables the Offline Files folder. + + +Disables the Offline Files folder. -This setting disables the "View Files" button on the Offline Files tab. As a result, users can't use the Offline Files folder to view or open copies of network files stored on their computer. Also, they can't use the folder to view characteristics of offline files, such as their server status, type, or location. +This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. -This setting doesn't prevent users from working offline or from saving local copies of files available offline. Also, it doesn't prevent them from using other programs, such as Windows Explorer, to view their offline files. +This setting does not prevent users from working offline or from saving local copies of files available offline. Also, it does not prevent them from using other programs, such as Windows Explorer, to view their offline files. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] > To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent use of Offline Files folder* -- GP name: *Pol_NoCacheViewer_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_NoConfigCache_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_NoCacheViewer_2 | +| Friendly Name | Prevent use of Offline Files folder | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoCacheViewer | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_NoConfigCache_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoConfigCache_1 +``` + - - -This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. + + +Prevents users from enabling, disabling, or changing the configuration of Offline Files. -This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users can't view or change the options on the Offline Files tab or Offline Files dialog box. +This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. -This setting is a comprehensive setting that locks down the configuration you establish by using other settings in this folder. +This is a comprehensive setting that locks down the configuration you establish by using other settings in this folder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] -> This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You don't have to disable any other settings in this folder. +> This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit user configuration of Offline Files* -- GP name: *Pol_NoConfigCache_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_NoConfigCache_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_NoConfigCache_1 | +| Friendly Name | Prohibit user configuration of Offline Files | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoConfigCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_NoConfigCache_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoConfigCache_2 +``` + - - -This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. + + +Prevents users from enabling, disabling, or changing the configuration of Offline Files. -This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users can't view or change the options on the Offline Files tab or Offline Files dialog box. +This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. -This setting is a comprehensive setting that locks down the configuration you establish by using other settings in this folder. +This is a comprehensive setting that locks down the configuration you establish by using other settings in this folder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] -> This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You don't have to disable any other settings in this folder. +> This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit user configuration of Offline Files* -- GP name: *Pol_NoConfigCache_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_NoConfigCache_2 | +| Friendly Name | Prohibit user configuration of Offline Files | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoConfigCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_NoMakeAvailableOffline_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1 +``` + - - + + This policy setting prevents users from making network files and folders available offline. -If you enable this policy setting, users can't designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. +- If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. -If you disable or don't configure this policy setting, users can manually specify files and folders that they want to make available offline. +- If you disable or do not configure this policy setting, users can manually specify files and folders that they want to make available offline. -> [!NOTE] -> - This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. -> - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. +**Note**: - +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. +The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. + - -ADMX Info: -- GP Friendly name: *Remove "Make Available Offline" command* -- GP name: *Pol_NoMakeAvailableOffline_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | Pol_NoMakeAvailableOffline_1 | +| Friendly Name | Remove "Make Available Offline" command | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoMakeAvailableOffline | +| ADMX File Name | OfflineFiles.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## Pol_NoMakeAvailableOffline_2 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_2 +``` + + + + This policy setting prevents users from making network files and folders available offline. -If you enable this policy setting, users can't designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. +- If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. -If you disable or don't configure this policy setting, users can manually specify files and folders that they want to make available offline. +- If you disable or do not configure this policy setting, users can manually specify files and folders that they want to make available offline. -> [!NOTE] -> - This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. -> - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. +**Note**: - +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. +The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. 
+ - -ADMX Info: -- GP Friendly name: *Remove "Make Available Offline" command* -- GP name: *Pol_NoMakeAvailableOffline_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_OfflineFiles/Pol_NoPinFiles_1** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | Pol_NoMakeAvailableOffline_2 | +| Friendly Name | Remove "Make Available Offline" command | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoMakeAvailableOffline | +| ADMX File Name | OfflineFiles.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## Pol_NoPinFiles_1 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoPinFiles_1 +``` + + + + This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. -If you enable this policy setting, the "Make Available Offline" command isn't available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. +- If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. -If you disable this policy setting, the list of files and folders is deleted, including any lists inherited from lower precedence GPOs, and the "Make Available Offline" command is displayed for all files and folders. +- If you disable this policy setting, the list of files and folders is deleted, including any lists inherited from lower precedence GPOs, and the "Make Available Offline" command is displayed for all files and folders. -If you don't configure this policy setting, the "Make Available Offline" command is available for all files and folders. +- If you do not configure this policy setting, the "Make Available Offline" command is available for all files and folders. -> [!NOTE] -> - This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is unavailable for all specified files and folders. 
-> - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. -> - This policy setting doesn't prevent files from being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make Available Offline" command in File Explorer. -> - If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. +**Note**: - +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is unavailable for all specified files and folders. +The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. - -ADMX Info: -- GP Friendly name: *Remove "Make Available Offline" for these files and folders* -- GP name: *Pol_NoPinFiles_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make Available Offline" command in File Explorer. - - -
    +If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. + - -**ADMX_OfflineFiles/Pol_NoPinFiles_2** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | Pol_NoPinFiles_1 | +| Friendly Name | Remove "Make Available Offline" for these files and folders | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -
    + + + - - + + + +## Pol_NoPinFiles_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoPinFiles_2 +``` + + + + This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. -If you enable this policy setting, the "Make Available Offline" command isn't available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. +- If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. -If you disable this policy setting, the list of files and folders is deleted, including any lists inherited from lower precedence GPOs, and the "Make Available Offline" command is displayed for all files and folders. +- If you disable this policy setting, the list of files and folders is deleted, including any lists inherited from lower precedence GPOs, and the "Make Available Offline" command is displayed for all files and folders. -If you don't configure this policy setting, the "Make Available Offline" command is available for all files and folders. +- If you do not configure this policy setting, the "Make Available Offline" command is available for all files and folders. -> [!NOTE] -> - This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is unavailable for all specified files and folders. 
-> - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. -> - This policy setting doesn't prevent files from being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make Available Offline" command in File Explorer. -> - If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. +**Note**: - +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is unavailable for all specified files and folders. +The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. - -ADMX Info: -- GP Friendly name: *Remove "Make Available Offline" for these files and folders* -- GP name: *Pol_NoPinFiles_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make Available Offline" command in File Explorer. - - -
    +If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. + - -**ADMX_OfflineFiles/Pol_NoReminders_1** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * User +| Name | Value | +|:--|:--| +| Name | Pol_NoPinFiles_2 | +| Friendly Name | Remove "Make Available Offline" for these files and folders | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -
    + + + - - + + + +## Pol_NoReminders_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoReminders_1 +``` + + + + Hides or displays reminder balloons, and prevents users from changing the setting. -Reminder balloons appear above the Offline Files icon in the notification area to notify users when they've lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. +Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. -If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. +- If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. If you disable the setting, the system displays the reminder balloons and prevents users from hiding them. -If this setting isn't configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting. +If this setting is not configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting. To prevent users from changing the setting while a setting is in effect, the system disables the "Enable reminders" option on the Offline Files tab 
@@ -1517,57 +1654,70 @@ This setting appears in the Computer Configuration and User Configuration folder
 > [!TIP]
 > To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Turn off reminder balloons*
-- GP name: *Pol_NoReminders_1*
-- GP path: *Network\Offline Files*
-- GP ADMX file name: *OfflineFiles.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-**ADMX_OfflineFiles/Pol_NoReminders_2**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | Pol_NoReminders_1 |
+| Friendly Name | Turn off reminder balloons |
+| Location | User Configuration |
+| Path | Network > Offline Files |
+| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache |
+| Registry Value Name | NoReminders |
+| ADMX File Name | OfflineFiles.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_NoReminders_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoReminders_2 +``` + - - + + Hides or displays reminder balloons, and prevents users from changing the setting. -Reminder balloons appear above the Offline Files icon in the notification area to notify users when they've lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. +Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. -If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. +- If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. If you disable the setting, the system displays the reminder balloons and prevents users from hiding them. -If this setting isn't configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting. +If this setting is not configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting. To prevent users from changing the setting while a setting is in effect, the system disables the "Enable reminders" option on the Offline Files tab 
@@ -1575,1089 +1725,1314 @@ This setting appears in the Computer Configuration and User Configuration folder > [!TIP] > To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off reminder balloons* -- GP name: *Pol_NoReminders_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_OnlineCachingSettings** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_NoReminders_2 | +| Friendly Name | Turn off reminder balloons | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoReminders | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_OnlineCachingSettings -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_OnlineCachingSettings +``` + - - -This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This read-action improves end-user response times and decreases bandwidth consumption over WAN links. + + +This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links. -The cached files are temporary and aren't available to the user when offline. The cached files aren't kept in sync with the version on the server, and the most current version from the server is always available for subsequent reads. +The cached files are temporary and are not available to the user when offline. The cached files are not kept in sync with the version on the server, and the most current version from the server is always available for subsequent reads. -This policy setting is triggered by the configured round trip network latency value. We recommend using this policy setting when the network connection to the server is slow. For example, you can configure a value of 60 ms as the round trip latency of the network above which files should be transparently cached in the Offline Files cache. If the round trip latency of the network is less than 60 ms, reads to remote files won't be cached. +This policy setting is triggered by the configured round trip network latency value. We recommend using this policy setting when the network connection to the server is slow. 
For example, you can configure a value of 60 ms as the round trip latency of the network above which files should be transparently cached in the Offline Files cache. If the round trip latency of the network is less than 60ms, reads to remote files will not be cached. -If you enable this policy setting, transparent caching is enabled and configurable. +- If you enable this policy setting, transparent caching is enabled and configurable. -If you disable or don't configure this policy setting, remote files won't be transparently cached on client computers. +- If you disable or do not configure this policy setting, remote files will be not be transparently cached on client computers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable Transparent Caching* -- GP name: *Pol_OnlineCachingSettings* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_AlwaysPinSubFolders** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_OnlineCachingSettings | +| Friendly Name | Enable Transparent Caching | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_PurgeAtLogoff -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_PurgeAtLogoff +``` + - - -This policy setting makes subfolders available offline whenever their parent folder is made available offline. + + +Deletes local copies of the user's offline files when the user logs off. -This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users don't have the option of excluding subfolders. +This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off, the system deletes all local copies of offline files. -If you enable this setting, when you make a folder available offline, all folders within that folder are also made available offline. Also, new folders that you create within a folder that is available offline are made available offline when the parent folder is synchronized. - -If you disable this setting or don't configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. - - - - - -ADMX Info: -- GP Friendly name: *Subfolders always available offline* -- GP name: *Pol_AlwaysPinSubFolders* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_PurgeAtLogoff** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting deletes local copies of the user's offline files when the user signs out. - -This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user signs out, the system deletes all local copies of offline files. - -If you disable this setting or don't configure it, automatically and manually cached copies are retained on the user's computer for later offline use. +- If you disable this setting or do not configure it, automatically and manually cached copies are retained on the user's computer for later offline use. > [!CAUTION] -> Files aren't synchronized before they're deleted. Any changes to local files since the last synchronization are lost. +> Files are not synchronized before they are deleted. Any changes to local files since the last synchronization are lost. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *At logoff, delete local copy of user’s offline files* -- GP name: *Pol_PurgeAtLogoff* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_QuickAdimPin** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_PurgeAtLogoff | +| Friendly Name | At logoff, delete local copy of user’s offline files | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | PurgeAtLogoff | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_QuickAdimPin -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_QuickAdimPin +``` + - - + + This policy setting allows you to turn on economical application of administratively assigned Offline Files. -If you enable or don't configure this policy setting, only new files and folders in administratively assigned folders are synchronized at sign-in. Files and folders that are already available offline are skipped and are synchronized later. +- If you enable or do not configure this policy setting, only new files and folders in administratively assigned folders are synchronized at logon. Files and folders that are already available offline are skipped and are synchronized later. -If you disable this policy setting, all administratively assigned folders are synchronized at logon. +- If you disable this policy setting, all administratively assigned folders are synchronized at logon. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on economical application of administratively assigned Offline Files* -- GP name: *Pol_QuickAdimPin* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_ReminderFreq_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_QuickAdimPin | +| Friendly Name | Turn on economical application of administratively assigned Offline Files | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | EconomicalAdminPinning | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_ReminderFreq_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderFreq_1 +``` + - - -This policy setting determines how often reminder balloon updates appear. + + +Determines how often reminder balloon updates appear. -If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. +- If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. -Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they're updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval. +Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] > To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Reminder balloon frequency* -- GP name: *Pol_ReminderFreq_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_ReminderFreq_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_ReminderFreq_1 | +| Friendly Name | Reminder balloon frequency | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_ReminderFreq_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderFreq_2 +``` + - - -This policy setting determines how often reminder balloon updates appear. + + +Determines how often reminder balloon updates appear. -If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. +- If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. -Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they're updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval. +Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] > To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Reminder balloon frequency* -- GP name: *Pol_ReminderFreq_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_ReminderInitTimeout_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_ReminderFreq_2 | +| Friendly Name | Reminder balloon frequency | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_ReminderInitTimeout_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderInitTimeout_1 +``` + - - -This policy setting determines how long the first reminder balloon for a network status change is displayed. + + +Determines how long the first reminder balloon for a network status change is displayed. -Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they're updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. +Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Initial reminder balloon lifetime* -- GP name: *Pol_ReminderInitTimeout_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_ReminderInitTimeout_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_ReminderInitTimeout_1 | +| Friendly Name | Initial reminder balloon lifetime | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_ReminderInitTimeout_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderInitTimeout_2 +``` + - - -This policy setting determines how long the first reminder balloon for a network status change is displayed. + + +Determines how long the first reminder balloon for a network status change is displayed. -Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they're updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. +Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Initial reminder balloon lifetime* -- GP name: *Pol_ReminderInitTimeout_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_ReminderTimeout_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_ReminderInitTimeout_2 | +| Friendly Name | Initial reminder balloon lifetime | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_ReminderTimeout_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderTimeout_1 +``` + - - -This policy setting determines how long updated reminder balloons are displayed. + + +Determines how long updated reminder balloons are displayed. -Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they're updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. +Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Reminder balloon lifetime* -- GP name: *Pol_ReminderTimeout_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_ReminderTimeout_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_ReminderTimeout_1 | +| Friendly Name | Reminder balloon lifetime | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_ReminderTimeout_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderTimeout_2 +``` + - - -This policy setting determines how long updated reminder balloons are displayed. + + +Determines how long updated reminder balloons are displayed. -Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they're updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. +Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Reminder balloon lifetime* -- GP name: *Pol_ReminderTimeout_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_SlowLinkSettings** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_ReminderTimeout_2 | +| Friendly Name | Reminder balloon lifetime | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_SlowLinkSettings -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SlowLinkSettings +``` + - - -This policy setting controls the network latency and throughput thresholds that will cause a client computer to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data isn't degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This scenario is similar to a user working offline. + + +This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. -If you enable this policy setting, Offline Files uses the slow-link mode if the network throughput between the client and the server is below (slower than) the Throughput threshold parameter, or if the round-trip network latency is above (slower than) the Latency threshold parameter. +- If you enable this policy setting, Offline Files uses the slow-link mode if the network throughput between the client and the server is below (slower than) the Throughput threshold parameter, or if the round-trip network latency is above (slower than) the Latency threshold parameter. -You can configure the slow-link mode by specifying threshold values for Throughput (in bits per second) and/or Latency (in milliseconds) for specific UNC paths. We recommend that you always specify a value for Latency, since the round-trip network latency detection is faster. You can use wildcard characters (*) for specifying UNC paths. 
If you don't specify a Latency or Throughput value, computers running Windows Vista or Windows Server 2008 won't use the slow-link mode. +You can configure the slow-link mode by specifying threshold values for Throughput (in bits per second) and/or Latency (in milliseconds) for specific UNC paths. We recommend that you always specify a value for Latency, since the round-trip network latency detection is faster. You can use wildcard characters (*) for specifying UNC paths. If you do not specify a Latency or Throughput value, computers running Windows Vista or Windows Server 2008 will not use the slow-link mode. -If you don't configure this policy setting, computers running Windows Vista or Windows Server 2008 won't transition a shared folder to the slow-link mode. Computers running Windows 7 or Windows Server 2008 R2 will use the default latency value of 80 milliseconds when transitioning a folder to the slow-link mode. Computers running Windows 8 or Windows Server 2012 will use the default latency value of 35 milliseconds when transitioning a folder to the slow-link mode. To avoid extra charges on cell phone or broadband plans, it may be necessary to configure the latency threshold to be lower than the round-trip network latency. +- If you do not configure this policy setting, computers running Windows Vista or Windows Server 2008 will not transition a shared folder to the slow-link mode. Computers running Windows 7 or Windows Server 2008 R2 will use the default latency value of 80 milliseconds when transitioning a folder to the slow-link mode. Computers running Windows 8 or Windows Server 2012 will use the default latency value of 35 milliseconds when transitioning a folder to the slow-link mode. To avoid extra charges on cell phone or broadband plans, it may be necessary to configure the latency threshold to be lower than the round-trip network latency. 
In Windows Vista or Windows Server 2008, once transitioned to slow-link mode, users will continue to operate in slow-link mode until the user clicks the Work Online button on the toolbar in Windows Explorer. Data will only be synchronized to the server if the user manually initiates synchronization by using Sync Center. In Windows 7, Windows Server 2008 R2, Windows 8 or Windows Server 2012, when operating in slow-link mode Offline Files synchronizes the user's files in the background at regular intervals, or as configured by the "Configure Background Sync" policy. While in slow-link mode, Windows periodically checks the connection to the folder and brings the folder back online if network speeds improve. -In Windows 8 or Windows Server 2012, set the Latency threshold to 1 m to keep users always working offline in slow-link mode. +In Windows 8 or Windows Server 2012, set the Latency threshold to 1ms to keep users always working offline in slow-link mode. -If you disable this policy setting, computers won't use the slow-link mode. +- If you disable this policy setting, computers will not use the slow-link mode. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure slow-link mode* -- GP name: *Pol_SlowLinkSettings* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_SlowLinkSpeed** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_SlowLinkSettings | +| Friendly Name | Configure slow-link mode | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | SlowLinkEnabled | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_SlowLinkSpeed -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SlowLinkSpeed +``` + - - -This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. + + +Configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. -When a connection is considered slow, Offline Files automatically adjust its behavior to avoid excessive synchronization traffic and won't automatically reconnect to a server when the presence of a server is detected. +When a connection is considered slow, Offline Files automatically adjust its behavior to avoid excessive synchronization traffic and will not automatically reconnect to a server when the presence of a server is detected. -If you enable this setting, you can configure the threshold value that will be used to determine a slow network connection. +- If you enable this setting, you can configure the threshold value that will be used to determine a slow network connection. -If this setting is disabled or not configured, the default threshold value of 64,000 bps is used to determine if a network connection is considered to be slow. +- If this setting is disabled or not configured, the default threshold value of 64,000 bps is used to determine if a network connection is considered to be slow. > [!NOTE] > Use the following formula when entering the slow link value: [ bps / 100]. For example, if you want to set a threshold value of 128,000 bps, enter a value of 1280. + - + + + - -ADMX Info: -- GP Friendly name: *Configure Slow link speed* -- GP name: *Pol_SlowLinkSpeed* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_OfflineFiles/Pol_SyncAtLogoff_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Pol_SlowLinkSpeed | +| Friendly Name | Configure Slow link speed | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## Pol_SyncAtLogoff_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines whether offline files are fully synchronized when users sign out. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtLogoff_1 +``` + -This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. + + +Determines whether offline files are fully synchronized when users log off. -If you enable this setting, offline files are fully synchronized. Full synchronization ensures that offline files are complete and current. +This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. -If you disable this setting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete, but doesn't ensure that they're current. +- If you enable this setting, offline files are fully synchronized. Full synchronization ensures that offline files are complete and current. -If you don't configure this setting, the system performs a quick synchronization by default, but users can change this option. +- If you disable this setting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete, but does not ensure that they are current. + +- If you do not configure this setting, the system performs a quick synchronization by default, but users can change this option. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. 
> [!TIP] > To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Synchronize all offline files before logging off* -- GP name: *Pol_SyncAtLogoff_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_SyncAtLogoff_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_SyncAtLogoff_1 | +| Friendly Name | Synchronize all offline files before logging off | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | SyncAtLogoff | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_SyncAtLogoff_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtLogoff_2 +``` + - - -This policy setting determines whether offline files are fully synchronized when users sign out. + + +Determines whether offline files are fully synchronized when users log off. -This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. +This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. -If you enable this setting, offline files are fully synchronized. Full synchronization ensures that offline files are complete and current. +- If you enable this setting, offline files are fully synchronized. Full synchronization ensures that offline files are complete and current. -If you disable this setting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete, but doesn't ensure that they're current. +- If you disable this setting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete, but does not ensure that they are current. -If you don't configure this setting, the system performs a quick synchronization by default, but users can change this option. +- If you do not configure this setting, the system performs a quick synchronization by default, but users can change this option. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. 
> [!TIP] > To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Synchronize all offline files before logging off* -- GP name: *Pol_SyncAtLogoff_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_SyncAtLogon_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_SyncAtLogoff_2 | +| Friendly Name | Synchronize all offline files before logging off | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | SyncAtLogoff | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_SyncAtLogon_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtLogon_1 +``` + - - -This policy setting determines whether offline files are fully synchronized when users sign in. + + +Determines whether offline files are fully synchronized when users log on. -This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. +This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. -If you enable this setting, offline files are fully synchronized at sign-in. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager. +- If you enable this setting, offline files are fully synchronized at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager. -If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but doesn't ensure that they're current. +- If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but does not ensure that they are current. -If you don't configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default, but users can change this option. 
+- If you do not configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default, but users can change this option. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] > To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Synchronize all offline files when logging on* -- GP name: *Pol_SyncAtLogon_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_OfflineFiles/Pol_SyncAtLogon_2** +| Name | Value | +|:--|:--| +| Name | Pol_SyncAtLogon_1 | +| Friendly Name | Synchronize all offline files when logging on | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | SyncAtLogon | +| ADMX File Name | OfflineFiles.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Pol_SyncAtLogon_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtLogon_2 +``` + -
    + + +Determines whether offline files are fully synchronized when users log on. - - -This policy setting determines whether offline files are fully synchronized when users sign in. +This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. -This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. +- If you enable this setting, offline files are fully synchronized at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager. -If you enable this setting, offline files are fully synchronized at sign-in. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager. +- If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but does not ensure that they are current. -If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but doesn't ensure that they're current. - -If you don't configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default. However, users can change this option. +- If you do not configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default, but users can change this option. 
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] > To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Synchronize all offline files when logging on* -- GP name: *Pol_SyncAtLogon_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_SyncAtSuspend_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_SyncAtLogon_2 | +| Friendly Name | Synchronize all offline files when logging on | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | SyncAtLogon | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_SyncAtSuspend_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtSuspend_1 +``` + - - -This policy setting determines whether offline files are synchronized before a computer is suspended. + + +Determines whether offline files are synchonized before a computer is suspended. -If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. +- If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. -If you disable or don't configure this setting, files aren't synchronized when the computer is suspended. +If you disable or do not configuring this setting, files are not synchronized when the computer is suspended. > [!NOTE] -> If the computer is suspended by closing the display on a portable computer, files aren't synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization isn't performed. +> If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Synchronize offline files before suspend* -- GP name: *Pol_SyncAtSuspend_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_SyncAtSuspend_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_SyncAtSuspend_1 | +| Friendly Name | Synchronize offline files before suspend | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_SyncAtSuspend_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtSuspend_2 +``` + - - -This policy setting determines whether offline files are synchronized before a computer is suspended. + + +Determines whether offline files are synchonized before a computer is suspended. -If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. +- If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. -If you disable or don't configure this setting, files aren't synchronized when the computer is suspended. +If you disable or do not configuring this setting, files are not synchronized when the computer is suspended. > [!NOTE] -> If the computer is suspended by closing the display on a portable computer, files aren't synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization isn't performed. +> If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Synchronize offline files before suspend* -- GP name: *Pol_SyncAtSuspend_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_SyncOnCostedNetwork** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_SyncAtSuspend_2 | +| Friendly Name | Synchronize offline files before suspend | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_SyncOnCostedNetwork -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncOnCostedNetwork +``` + - - + + This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. -If you enable this setting, synchronization can occur in the background when the user's network is roaming, near, or over the plan's data limit. This synchronization may result in extra charges on cell phone or broadband plans. +- If you enable this setting, synchronization can occur in the background when the user's network is roaming, near, or over the plan's data limit. This may result in extra charges on cell phone or broadband plans. -If this setting is disabled or not configured, synchronization won't run in the background on network folders when the user's network is roaming, near, or over the plan's data limit. The network folder must also be in "slow-link" mode, as specified by the "Configure slow-link mode" policy to avoid network usage. +- If this setting is disabled or not configured, synchronization will not run in the background on network folders when the user's network is roaming, near, or over the plan's data limit. The network folder must also be in "slow-link" mode, as specified by the "Configure slow-link mode" policy to avoid network usage. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable file synchronization on costed networks* -- GP name: *Pol_SyncOnCostedNetwork* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_SyncOnCostedNetwork | +| Friendly Name | Enable file synchronization on costed networks | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | SyncEnabledForCostedNetwork | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_WorkOfflineDisabled_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1 +``` + - - + + This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. -If you enable this policy setting, the "Work offline" command isn't displayed in File Explorer. +- If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. -If you disable or don't configure this policy setting, the "Work offline" command is displayed in File Explorer. +- If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove "Work offline" command* -- GP name: *Pol_WorkOfflineDisabled_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_WorkOfflineDisabled_1 | +| Friendly Name | Remove "Work offline" command | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | WorkOfflineDisabled | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_WorkOfflineDisabled_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2 +``` + - - + + This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. -If you enable this policy setting, the "Work offline" command isn't displayed in File Explorer. +- If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. -If you disable or don't configure this policy setting, the "Work offline" command is displayed in File Explorer. +- If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove "Work offline" command* -- GP name: *Pol_WorkOfflineDisabled_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Pol_WorkOfflineDisabled_2 | +| Friendly Name | Remove "Work offline" command | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | WorkOfflineDisabled | +| ADMX File Name | OfflineFiles.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-pca.md b/windows/client-management/mdm/policy-csp-admx-pca.md index 1efbbae1cd..936802cf55 100644 --- a/windows/client-management/mdm/policy-csp-admx-pca.md +++ b/windows/client-management/mdm/policy-csp-admx-pca.md 
@@ -1,380 +1,435 @@ --- -title: Policy CSP - ADMX_pca -description: Learn about Policy CSP - ADMX_pca. +title: ADMX_pca Policy CSP +description: Learn more about the ADMX_pca Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/20/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_pca > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_pca policies + +## DetectBlockedDriversPolicy -
    -
    - ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy -
    -
    - ADMX_pca/DetectDeprecatedComponentFailuresPolicy -
    -
    - ADMX_pca/DetectInstallFailuresPolicy -
    -
    - ADMX_pca/DetectUndetectedInstallersPolicy -
    -
    - ADMX_pca/DetectUpdateFailuresPolicy -
    -
    - ADMX_pca/DisablePcaUIPolicy -
    -
    - ADMX_pca/DetectBlockedDriversPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_pca/DetectBlockedDriversPolicy +``` + -
    + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + - -**ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | DetectBlockedDriversPolicy | +| Friendly Name | Notify blocked drivers | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{affc81e2-612a-4f70-6fb2-916ff5c7e3f8} | +| ADMX File Name | pca.admx | + -
    + + + - - + + + +## DetectDeprecatedCOMComponentFailuresPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy +``` + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DetectDeprecatedCOMComponentFailuresPolicy | +| Friendly Name | Detect application failures caused by deprecated COM objects | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{88D69CE1-577A-4dd9-87AE-AD36D3CD9643} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | pca.admx | + + + + + + + + + +## DetectDeprecatedComponentFailuresPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_pca/DetectDeprecatedComponentFailuresPolicy +``` + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DetectDeprecatedComponentFailuresPolicy | +| Friendly Name | Detect application failures caused by deprecated Windows DLLs | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{659F08FB-2FAB-42a7-BD4F-566CFA528769} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | pca.admx | + + + + + + + + + +## DetectInstallFailuresPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_pca/DetectInstallFailuresPolicy +``` + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DetectInstallFailuresPolicy | +| Friendly Name | Detect application install failures | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{acfd1ca6-18b6-4ccf-9c07-580cdb6eded4} | +| ADMX File Name | pca.admx | + + + + + + + + + +## DetectUndetectedInstallersPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_pca/DetectUndetectedInstallersPolicy +``` + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DetectUndetectedInstallersPolicy | +| Friendly Name | Detect application installers that need to be run as administrator | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{D113E4AA-2D07-41b1-8D9B-C065194A791D} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | pca.admx | + + + + + + + + + +## DetectUpdateFailuresPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_pca/DetectUpdateFailuresPolicy +``` + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DetectUpdateFailuresPolicy | +| Friendly Name | Detect applications unable to launch installers under UAC | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{081D3213-48AA-4533-9284-D98F01BDC8E6} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | pca.admx | + + + + + + + + + +## DisablePcaUIPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_pca/DisablePcaUIPolicy +``` + + + + This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. -If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. When failures are detected, the PCA will provide options to run the application in a compatibility mode or get help online through a Microsoft website. +- If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. When failures are detected, the PCA will provide options to run the application in a compatibility mode or get help online through a Microsoft website. -If you disable this policy setting, the PCA doesn't detect compatibility issues for applications and drivers. +- If you disable this policy setting, the PCA does not detect compatibility issues for applications and drivers. -If you don't configure this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. +- If you do not configure this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. > [!NOTE] -> This policy setting has no effect if the "Turn off Program Compatibility Assistant" policy setting is enabled. +> This policy setting has no effect if the "Turn off Program Compatibility Assistant" policy setting is enabled. The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. 
These services can be configured by using the Services snap-in to the Microsoft Management Console. + -The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Detect compatibility issues for applications and drivers* -- GP name: *DetectDeprecatedCOMComponentFailuresPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* -- GP ADMX file name: *pca.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: -**ADMX_pca/DetectDeprecatedComponentFailuresPolicy** +| Name | Value | +|:--|:--| +| Name | DisablePcaUIPolicy | +| Friendly Name | Detect compatibility issues for applications and drivers | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisablePcaUI | +| ADMX File Name | pca.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device +## Related articles -
    - - - -This setting exists only for backward compatibility, and isn't valid for this version of Windows. - -To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative -Templates\Windows Components\Application Compatibility. - - - - - -ADMX Info: -- GP Friendly name: *Detect application install failures* -- GP name: *DetectDeprecatedComponentFailuresPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* -- GP ADMX file name: *pca.admx* - - - - -
    - -**ADMX_pca/DetectInstallFailuresPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This setting exists only for backward compatibility, and isn't valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. - - - - -ADMX Info: -- GP Friendly name: *Detect applications unable to launch installers under UAC* -- GP name: *DetectInstallFailuresPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* -- GP ADMX file name: *pca.admx* - - - -
    - -**ADMX_pca/DetectUndetectedInstallersPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This setting exists only for backward compatibility, and isn't valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. - - - - - -ADMX Info: -- GP Friendly name: *Detect application failures caused by deprecated Windows DLLs* -- GP name: *DetectUndetectedInstallersPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* -- GP ADMX file name: *pca.admx* - - - -
    - -**ADMX_pca/DetectUpdateFailuresPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This setting exists only for backward compatibility, and isn't valid for this version of Windows. - -To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. - - - - - -ADMX Info: -- GP Friendly name: *Detect application failures caused by deprecated COM objects* -- GP name: *DetectUpdateFailuresPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* -- GP ADMX file name: *pca.admx* - - - -
    - -**ADMX_pca/DisablePcaUIPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This setting exists only for backward compatibility, and isn't valid for this version of Windows. - -To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. - - - - - -ADMX Info: -- GP Friendly name: *Detect application installers that need to be run as administrator* -- GP name: *DisablePcaUIPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* -- GP ADMX file name: *pca.admx* - - - -
    - -**ADMX_pca/DetectBlockedDriversPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This setting exists only for backward compatibility, and isn't valid for this version of Windows. - -To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. - - - - - -ADMX Info: -- GP Friendly name: *Notify blocked drivers* -- GP name: *DetectBlockedDriversPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* -- GP ADMX file name: *pca.admx* - - - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index b3727a7219..dea0b08208 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md 
@@ -1,209 +1,204 @@ --- -title: Policy CSP - ADMX_PeerToPeerCaching -description: Learn about Policy CSP - ADMX_PeerToPeerCaching. +title: ADMX_PeerToPeerCaching Policy CSP +description: Learn more about the ADMX_PeerToPeerCaching Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/16/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_PeerToPeerCaching ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_PeerToPeerCaching policies + +## EnableWindowsBranchCache -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB -
    -
    - ADMX_PeerToPeerCaching/SetCachePercent -
    -
    - ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge -
    -
    - ADMX_PeerToPeerCaching/SetDowngrading -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/EnableWindowsBranchCache +``` + - -**ADMX_PeerToPeerCaching/EnableWindowsBranchCache** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following policy settings: + + +This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings: - Set BranchCache Distributed Cache mode + - Set BranchCache Hosted Cache mode + - Configure Hosted Cache Servers -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the enabled setting that you use on individual client computers where you want to enable BranchCache. -- Enabled: With this selection, BranchCache is turned on for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache is turned on for all domain member client computers to which the policy is applied. -- Disabled: With this selection, BranchCache is turned off for all client computers where the policy is applied. 
+Select one of the following: -> [!NOTE] -> This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. +- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual client computers where you want to enable BranchCache. - +- Enabled. With this selection, BranchCache is turned on for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache is turned on for all domain member client computers to which the policy is applied. +- Disabled. With this selection, BranchCache is turned off for all client computers where the policy is applied. - -ADMX Info: -- GP Friendly name: *Turn on BranchCache* -- GP name: *EnableWindowsBranchCache* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +* This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. + - - -
    + + + - -**ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | EnableWindowsBranchCache | +| Friendly Name | Turn on BranchCache | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\Service | +| Registry Value Name | Enable | +| ADMX File Name | PeerToPeerCaching.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## EnableWindowsBranchCache_Distributed + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed +``` + + + + This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. In distributed cache mode, client computers download content from BranchCache-enabled main office content servers, cache the content locally, and serve the content to other BranchCache distributed cache mode clients in the branch office. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the enabled setting that you use on individual client computers where you want to enable BranchCache. -- Enabled: With this selection, BranchCache distributed cache mode is enabled for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache distributed cache mode is turned on for all domain member client computers to which the policy is applied. -- Disabled: With this selection, BranchCache distributed cache mode is turned off for all client computers where the policy is applied. 
+Select one of the following: -> [!NOTE] -> This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. +- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual client computers where you want to enable BranchCache. - +- Enabled. With this selection, BranchCache distributed cache mode is enabled for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache distributed cache mode is turned on for all domain member client computers to which the policy is applied. +- Disabled. With this selection, BranchCache distributed cache mode is turned off for all client computers where the policy is applied. - -ADMX Info: -- GP Friendly name: *Set BranchCache Distributed Cache mode* -- GP name: *EnableWindowsBranchCache_Distributed* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +* This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. + - - -
    + + + - -**ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | EnableWindowsBranchCache_Distributed | +| Friendly Name | Set BranchCache Distributed Cache mode | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\CooperativeCaching | +| Registry Value Name | Enable | +| ADMX File Name | PeerToPeerCaching.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## EnableWindowsBranchCache_Hosted + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted +``` + + + + This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. -When a client computer is configured as a hosted cache mode client, it's able to download cached content from a hosted cache server that is located at the branch office. In addition, when the hosted cache client obtains content from a content server, the client can upload the content to the hosted cache server for access by other hosted cache clients at the branch office. +When a client computer is configured as a hosted cache mode client, it is able to download cached content from a hosted cache server that is located at the branch office. In addition, when the hosted cache client obtains content from a content server, the client can upload the content to the hosted cache server for access by other hosted cache clients at the branch office. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the enabled setting that you use on individual client computers where you want to enable BranchCache. -- Enabled: With this selection, BranchCache hosted cache mode is enabled for all client computers where the policy is applied. 
For example, if this policy is enabled in domain Group Policy, BranchCache hosted cache mode is turned on for all domain member client computers to which the policy is applied. -- Disabled: With this selection, BranchCache hosted cache mode is turned off for all client computers where the policy is applied. +Select one of the following: + +- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual client computers where you want to enable BranchCache. + +- Enabled. With this selection, BranchCache hosted cache mode is enabled for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache hosted cache mode is turned on for all domain member client computers to which the policy is applied. + +- Disabled. With this selection, BranchCache hosted cache mode is turned off for all client computers where the policy is applied. In circumstances where this setting is enabled, you can also select and configure the following option: 
@@ -211,379 +206,500 @@ In circumstances where this setting is enabled, you can also select and configur Hosted cache clients must trust the server certificate that is issued to the hosted cache server. Ensure that the issuing CA certificate is installed in the Trusted Root Certification Authorities certificate store on all hosted cache client computers. -> [!NOTE] -> This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. +* This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set BranchCache Hosted Cache mode* -- GP name: *EnableWindowsBranchCache_Hosted* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableWindowsBranchCache_Hosted | +| Friendly Name | Set BranchCache Hosted Cache mode | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\Connection | +| ADMX File Name | PeerToPeerCaching.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableWindowsBranchCache_HostedCacheDiscovery -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery +``` + - - -This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. + + +This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. +- If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. -If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they don't detect hosted cache servers, hosted cache mode isn't turned on, and the client uses any other configuration that is specified manually or by Group Policy. +- If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. 
If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy. -When this policy setting is applied, the client computer performs or doesn't perform automatically hosted cache server discovery under the following circumstances: +When this policy setting is applied, the client computer performs or does not perform automatic hosted cache server discovery under the following circumstances: -If no other BranchCache mode-based policy settings are applied, the client computer performs automatically hosted cache server discovery. If one or more hosted cache servers is found, the client computer self-configures for hosted cache mode. +If no other BranchCache mode-based policy settings are applied, the client computer performs automatic hosted cache server discovery. If one or more hosted cache servers is found, the client computer self-configures for hosted cache mode. -If the policy setting "Set BranchCache Distributed Cache Mode" is applied in addition to this policy, the client computer performs automatically hosted cache server discovery. If one or more hosted cache servers are found, the client computer self-configures for hosted cache mode only. +If the policy setting "Set BranchCache Distributed Cache Mode" is applied in addition to this policy, the client computer performs automatic hosted cache server discovery. If one or more hosted cache servers are found, the client computer self-configures for hosted cache mode only. -If the policy setting "Set BranchCache Hosted Cache Mode" is applied, the client computer doesn't perform automatically hosted cache discovery. This restriction is also true in cases where the policy setting "Configure Hosted Cache Servers" is applied. +If the policy setting "Set BranchCache Hosted Cache Mode" is applied, the client computer does not perform automatic hosted cache discovery. 
This is also true in cases where the policy setting "Configure Hosted Cache Servers" is applied. This policy setting can only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Windows 7 or Windows Vista. -If you disable, or don't configure this setting, a client won't attempt to discover hosted cache servers by service connection point. +If you disable, or do not configure this setting, a client will not attempt to discover hosted cache servers by service connection point. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache settings aren't applied to client computers by this policy setting, and client computers don't perform hosted cache server discovery. -- Enabled: With this selection, the policy setting is applied to client computers, which perform automatically hosted cache server discovery and which are configured as hosted cache mode clients. -- Disabled: With this selection, this policy isn't applied to client computers. +Select one of the following: - +- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting, and client computers do not perform hosted cache server discovery. +- Enabled. With this selection, the policy setting is applied to client computers, which perform automatic hosted cache server discovery and which are configured as hosted cache mode clients. - -ADMX Info: -- GP Friendly name: *Enable Automatic Hosted Cache Discovery by Service Connection Point* -- GP name: *EnableWindowsBranchCache_HostedCacheDiscovery* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +- Disabled. With this selection, this policy is not applied to client computers. + - - -
    + + + - -**ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | EnableWindowsBranchCache_HostedCacheDiscovery | +| Friendly Name | Enable Automatic Hosted Cache Discovery by Service Connection Point | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\Discovery | +| Registry Value Name | SCPDiscoveryEnabled | +| ADMX File Name | PeerToPeerCaching.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## EnableWindowsBranchCache_HostedMultipleServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers +``` + + + + This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. -If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting. +- If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting. -This policy setting can only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Windows 7 or Windows Vista. Client computers to which this policy setting is applied, in addition to the "Set BranchCache Hosted Cache mode" policy setting, use the hosted cache servers that are specified in this policy setting and don't use the hosted cache server that is configured in the policy setting "Set BranchCache Hosted Cache Mode". +This policy setting can only be applied to client computers that are running at least Windows 8. 
This policy has no effect on computers that are running Windows 7 or Windows Vista. Client computers to which this policy setting is applied, in addition to the "Set BranchCache Hosted Cache mode" policy setting, use the hosted cache servers that are specified in this policy setting and do not use the hosted cache server that is configured in the policy setting "Set BranchCache Hosted Cache Mode." -If you don't configure this policy setting, or if you disable this policy setting, client computers that are configured with hosted cache mode still function correctly. +- If you do not configure this policy setting, or if you disable this policy setting, client computers that are configured with hosted cache mode still function correctly. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache settings aren't applied to client computers by this policy setting. -- Enabled: With this selection, the policy setting is applied to client computers, which are configured as hosted cache mode clients that use the hosted cache servers that you specify in "Hosted cache servers." -- Disabled: With this selection, this policy isn't applied to client computers. +Select one of the following: + +- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting. + +- Enabled. With this selection, the policy setting is applied to client computers, which are configured as hosted cache mode clients that use the hosted cache servers that you specify in "Hosted cache servers." + +- Disabled. With this selection, this policy is not applied to client computers. In circumstances where this setting is enabled, you can also select and configure the following option: - Hosted cache servers. To add hosted cache server computer names to this policy setting, click Enabled, and then click Show. The Show Contents dialog box opens. 
Click Value, and then type the computer names of the hosted cache servers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Hosted Cache Servers* -- GP name: *EnableWindowsBranchCache_HostedMultipleServers* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableWindowsBranchCache_HostedMultipleServers | +| Friendly Name | Configure Hosted Cache Servers | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\MultipleServers | +| ADMX File Name | PeerToPeerCaching.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableWindowsBranchCache_SMB -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB +``` + - - -This policy setting is used only when you've deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients don't cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. + + +This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache latency settings aren't applied to client computers by this policy. 
In the circumstance where client computers are domain members but you don't want to configure a BranchCache latency setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache latency settings on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the latency setting that you use on individual client computers. -- Enabled: With this selection, the BranchCache maximum round trip latency setting is enabled for all client computers where the policy is applied. For example, if Configure BranchCache for network files is enabled in domain Group Policy, the BranchCache latency setting that you specify in the policy is turned on for all domain member client computers to which the policy is applied. -- Disabled: With this selection, BranchCache client computers use the default latency setting of 80 milliseconds. +Select one of the following: + +- Not Configured. With this selection, BranchCache latency settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCache latency setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache latency settings on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the latency setting that you use on individual client computers. + +- Enabled. With this selection, the BranchCache maximum round trip latency setting is enabled for all client computers where the policy is applied. For example, if Configure BranchCache for network files is enabled in domain Group Policy, the BranchCache latency setting that you specify in the policy is turned on for all domain member client computers to which the policy is applied. 
+ +- Disabled. With this selection, BranchCache client computers use the default latency setting of 80 milliseconds. In circumstances where this policy setting is enabled, you can also select and configure the following option: - Type the maximum round trip network latency (milliseconds) after which caching begins. Specifies the amount of time, in milliseconds, after which BranchCache client computers begin to cache content locally. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure BranchCache for network files* -- GP name: *EnableWindowsBranchCache_SMB* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_PeerToPeerCaching/SetCachePercent** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableWindowsBranchCache_SMB | +| Friendly Name | Configure BranchCache for network files | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | PeerToPeerCaching.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SetCachePercent -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/SetCachePercent +``` + - - + + This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers. -If you enable this policy setting, you can configure the percentage of total disk space to allocate for the cache. +- If you enable this policy setting, you can configure the percentage of total disk space to allocate for the cache. -If you disable or don't configure this policy setting, the cache is set to 5 percent of the total disk space on the client computer. +- If you disable or do not configure this policy setting, the cache is set to 5 percent of the total disk space on the client computer. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache client computer cache settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to configure a BranchCache client computer cache setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache client computer cache settings on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the client computer cache setting that you use on individual client computers. -- Enabled: With this selection, the BranchCache client computer cache setting is enabled for all client computers where the policy is applied. For example, if Set percentage of disk space used for client computer cache is enabled in domain Group Policy, the BranchCache client computer cache setting that you specify in the policy is turned on for all domain member client computers to which the policy is applied. 
-- Disabled: With this selection, BranchCache client computers use the default client computer cache setting of five percent of the total disk space on the client computer. +Select one of the following: + +- Not Configured. With this selection, BranchCache client computer cache settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCache client computer cache setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache client computer cache settings on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the client computer cache setting that you use on individual client computers. + +- Enabled. With this selection, the BranchCache client computer cache setting is enabled for all client computers where the policy is applied. For example, if Set percentage of disk space used for client computer cache is enabled in domain Group Policy, the BranchCache client computer cache setting that you specify in the policy is turned on for all domain member client computers to which the policy is applied. + +- Disabled. With this selection, BranchCache client computers use the default client computer cache setting of five percent of the total disk space on the client computer. In circumstances where this setting is enabled, you can also select and configure the following option: - Specify the percentage of total disk space allocated for the cache. Specifies an integer that is the percentage of total client computer disk space to use for the BranchCache client computer cache. -> [!NOTE] -> This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. 
+* This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set percentage of disk space used for client computer cache* -- GP name: *SetCachePercent* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SetCachePercent | +| Friendly Name | Set percentage of disk space used for client computer cache | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\CacheMgr\Republication | +| ADMX File Name | PeerToPeerCaching.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SetDataCacheEntryMaxAge -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge +``` + - - + + This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. -If you enable this policy setting, you can configure the age for segments in the data cache. +- If you enable this policy setting, you can configure the age for segments in the data cache. -If you disable or don't configure this policy setting, the age is set to 28 days. +- If you disable or do not configure this policy setting, the age is set to 28 days. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache client computer cache age settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to configure a BranchCache client computer cache age setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache client computer cache age settings on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the client computer cache age setting that you use on individual client computers. -- Enabled: With this selection, the BranchCache client computer cache age setting is enabled for all client computers where the policy is applied. For example, if this policy setting is enabled in domain Group Policy, the BranchCache client computer cache age that you specify in the policy is turned on for all domain member client computers to which the policy is applied. -- Disabled: With this selection, BranchCache client computers use the default client computer cache age setting of 28 days on the client computer. +Select one of the following: + +- Not Configured. 
With this selection, BranchCache client computer cache age settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCache client computer cache age setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache client computer cache age settings on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the client computer cache age setting that you use on individual client computers. + +- Enabled. With this selection, the BranchCache client computer cache age setting is enabled for all client computers where the policy is applied. For example, if this policy setting is enabled in domain Group Policy, the BranchCache client computer cache age that you specify in the policy is turned on for all domain member client computers to which the policy is applied. + +- Disabled. With this selection, BranchCache client computers use the default client computer cache age setting of 28 days on the client computer. In circumstances where this setting is enabled, you can also select and configure the following option: - Specify the age in days for which segments in the data cache are valid. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set age for segments in the data cache* -- GP name: *SetDataCacheEntryMaxAge* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_PeerToPeerCaching/SetDowngrading** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SetDataCacheEntryMaxAge | +| Friendly Name | Set age for segments in the data cache | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\Retrieval | +| ADMX File Name | PeerToPeerCaching.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SetDowngrading -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/SetDowngrading +``` + - - -This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers don't use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. + + +This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. -If you enable this policy setting, all clients use the version of BranchCache that you specify in "Select from the following versions." +- If you enable this policy setting, all clients use the version of BranchCache that you specify in "Select from the following versions." -If you don't configure this setting, all clients will use the version of BranchCache that matches their operating system. +- If you do not configure this setting, all clients will use the version of BranchCache that matches their operating system. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, this policy setting isn't applied to client computers, and the clients run the version of BranchCache that is included with their operating system. -- Enabled: With this selection, this policy setting is applied to client computers based on the value of the option setting "Select from the following versions" that you specify. 
-- Disabled: With this selection, this policy setting isn't applied to client computers, and the clients run the version of BranchCache that is included with their operating system. +Select one of the following: + +- Not Configured. With this selection, this policy setting is not applied to client computers, and the clients run the version of BranchCache that is included with their operating system. + +- Enabled. With this selection, this policy setting is applied to client computers based on the value of the option setting "Select from the following versions" that you specify. + +- Disabled. With this selection, this policy setting is not applied to client computers, and the clients run the version of BranchCache that is included with their operating system. In circumstances where this setting is enabled, you can also select and configure the following option: Select from the following versions - Windows Vista with BITS 4.0 installed, Windows 7, or Windows Server 2008 R2. If you select this version, later versions of Windows run the version of BranchCache that is included in these operating systems rather than later versions of BranchCache. + - Windows 8. If you select this version, Windows 8 will run the version of BranchCache that is included in the operating system. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Client BranchCache Version Support* -- GP name: *SetDowngrading* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | SetDowngrading | +| Friendly Name | Configure Client BranchCache Version Support | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\Service\Versioning | +| ADMX File Name | PeerToPeerCaching.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-pentraining.md b/windows/client-management/mdm/policy-csp-admx-pentraining.md index b097ae7f99..bc3212ef5a 100644 --- a/windows/client-management/mdm/policy-csp-admx-pentraining.md +++ b/windows/client-management/mdm/policy-csp-admx-pentraining.md 
@@ -1,138 +1,156 @@ --- -title: Policy CSP - ADMX_PenTraining -description: Learn about Policy CSP - ADMX_PenTraining. +title: ADMX_PenTraining Policy CSP +description: Learn more about the ADMX_PenTraining Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/22/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_PenTraining > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_PenTraining policies + +## PenTrainingOff_1 -
    -
    - ADMX_PenTraining/PenTrainingOff_1 -
    -
    - ADMX_PenTraining/PenTrainingOff_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PenTraining/PenTrainingOff_1 +``` + - -**ADMX_PenTraining/PenTrainingOff_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + Turns off Tablet PC Pen Training. -- If you enable this policy setting, users can't open Tablet PC Pen Training. +- If you enable this policy setting, users cannot open Tablet PC Pen Training. -- If you disable or don't configure this policy setting, users can open Tablet PC Pen Training. +- If you disable or do not configure this policy setting, users can open Tablet PC Pen Training. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Tablet PC Pen Training* -- GP name: *PenTrainingOff_1* -- GP path: *Windows Components\Tablet PC\Tablet PC Pen Training* -- GP ADMX file name: *PenTraining.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_PenTraining/PenTrainingOff_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PenTrainingOff_1 | +| Friendly Name | Turn off Tablet PC Pen Training | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Tablet PC Pen Training | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PenTraining | +| Registry Value Name | DisablePenTraining | +| ADMX File Name | PenTraining.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PenTrainingOff_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PenTraining/PenTrainingOff_2 +``` + - - + + Turns off Tablet PC Pen Training. -- If you enable this policy setting, users can't open Tablet PC Pen Training. +- If you enable this policy setting, users cannot open Tablet PC Pen Training. -- If you disable or don't configure this policy setting, users can open Tablet PC Pen Training. +- If you disable or do not configure this policy setting, users can open Tablet PC Pen Training. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Tablet PC Pen Training* -- GP name: *PenTrainingOff_2* -- GP path: *Windows Components\Tablet PC\Tablet PC Pen Training* -- GP ADMX file name: *PenTraining.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | PenTrainingOff_2 | +| Friendly Name | Turn off Tablet PC Pen Training | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Tablet PC Pen Training | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PenTraining | +| Registry Value Name | DisablePenTraining | +| ADMX File Name | PenTraining.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index e3cb20c6c1..f422307fe0 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md 
@@ -1,274 +1,308 @@ --- -title: Policy CSP - ADMX_PerformanceDiagnostics -description: Learn about Policy CSP - ADMX_PerformanceDiagnostics. +title: ADMX_PerformanceDiagnostics Policy CSP +description: Learn more about the ADMX_PerformanceDiagnostics Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/16/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_PerformanceDiagnostics ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_PerformanceDiagnostics policies + +## WdiScenarioExecutionPolicy_1 -
    -
    - ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1 -
    -
    - ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2 -
    -
    - ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3 -
    -
    - ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1 +``` + -
    + + +Determines the execution level for Windows Boot Performance Diagnostics. - -**ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1** +- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available. - +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Boot Performance problems that are handled by the DPS. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you do not configure this policy setting, the DPS will enable Windows Boot Performance for resolution by default. - -
    +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +No system restart or service restart is required for this policy to take effect: changes take effect immediately. -> [!div class = "checklist"] -> * Device +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + -
    + + + - - -This policy setting determines the execution level for Windows Boot Performance Diagnostics. + +**Description framework properties**: -If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting, and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Boot Performance problems that are handled by the DPS. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you don't configure this policy setting, the DPS will enable Windows Boot Performance for resolution by default. +**ADMX mapping**: -This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. 
+| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy_1 | +| Friendly Name | Configure Scenario Execution Level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Windows Boot Performance Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{67144949-5132-4859-8036-a737b43825d8} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | PerformanceDiagnostics.admx | + ->[!Note] ->No system restart or service restart is required for this policy to take effect; changes take effect immediately. + + + -This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + - + +## WdiScenarioExecutionPolicy_2 + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Configure Scenario Execution Level* -- GP name: *WdiScenarioExecutionPolicy_1* -- GP path: *System\Troubleshooting and Diagnostics\Windows Boot Performance Diagnostics* -- GP ADMX file name: *PerformanceDiagnostics.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2 +``` + - - -
    + + +Determines the execution level for Windows System Responsiveness Diagnostics. - -**ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2** +- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows System Responsiveness problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows System Responsiveness problems and indicate to the user that assisted resolution is available. - +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows System Responsiveness problems that are handled by the DPS. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you do not configure this policy setting, the DPS will enable Windows System Responsiveness for resolution by default. - -
    +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +No system restart or service restart is required for this policy to take effect: changes take effect immediately. -> [!div class = "checklist"] -> * Device +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + -
    + + + - - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy_2 | +| Friendly Name | Configure Scenario Execution Level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Windows System Responsiveness Performance Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | PerformanceDiagnostics.admx | + + + + + + + + + +## WdiScenarioExecutionPolicy_3 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3 +``` + + + + +Determines the execution level for Windows Shutdown Performance Diagnostics. + +- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available. + +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Shutdown Performance problems that are handled by the DPS. + +- If you do not configure this policy setting, the DPS will enable Windows Shutdown Performance for resolution by default. + +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. + +No system restart or service restart is required for this policy to take effect: changes take effect immediately. + +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy_3 | +| Friendly Name | Configure Scenario Execution Level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Windows Shutdown Performance Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{2698178D-FDAD-40AE-9D3C-1371703ADC5B} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | PerformanceDiagnostics.admx | + + + + + + + + + +## WdiScenarioExecutionPolicy_4 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4 +``` + + + + Determines the execution level for Windows Standby/Resume Performance Diagnostics. -If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting, and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. +- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. -If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Standby/Resume Performance problems that are handled by the DPS. +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Standby/Resume Performance problems that are handled by the DPS. -If you don't configure this policy setting, the DPS will enable Windows Standby/Resume Performance for resolution by default. 
+- If you do not configure this policy setting, the DPS will enable Windows Standby/Resume Performance for resolution by default. -This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No system restart or service restart is required for this policy to take effect: changes take effect immediately. -This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Scenario Execution Level* -- GP name: *WdiScenarioExecutionPolicy_2* -- GP path: *System\Troubleshooting and Diagnostics\Windows System Responsiveness Performance Diagnostics* -- GP ADMX file name: *PerformanceDiagnostics.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy_4 | +| Friendly Name | Configure Scenario Execution Level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Windows Standby/Resume Performance Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{ffc42108-4920-4acf-a4fc-8abdcc68ada4} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | PerformanceDiagnostics.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    +## Related articles - - -This policy setting determines the execution level for Windows Shutdown Performance Diagnostics. - -If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting, and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available. - -If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Shutdown Performance problems that are handled by the DPS. - -If you don't configure this policy setting, the DPS will enable Windows Shutdown Performance for resolution by default. - -This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. - -No system restart or service restart is required for this policy to take effect: changes take effect immediately. - -This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. - - - - - -ADMX Info: -- GP Friendly name: *Configure Scenario Execution Level* -- GP name: *WdiScenarioExecutionPolicy_3* -- GP path: *System\Troubleshooting and Diagnostics\Windows Shutdown Performance Diagnostics* -- GP ADMX file name: *PerformanceDiagnostics.admx* - - - -
    - - -**ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Determines the execution level for Windows Standby/Resume Performance Diagnostics. - -If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting, and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. - -If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Standby/Resume Performance problems that are handled by the DPS. - -If you don't configure this policy setting, the DPS will enable Windows Standby/Resume Performance for resolution by default. - -This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. - -No system restart or service restart is required for this policy to take effect: changes take effect immediately. - -This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. - - - - - -ADMX Info: -- GP Friendly name: *Configure Scenario Execution Level* -- GP name: *WdiScenarioExecutionPolicy_4* -- GP path: *System\Troubleshooting and Diagnostics\Windows Standby/Resume Performance Diagnostics* -- GP ADMX file name: *PerformanceDiagnostics.admx* - - - -
    - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md index e43327ec72..8d39627171 100644 --- a/windows/client-management/mdm/policy-csp-admx-power.md +++ b/windows/client-management/mdm/policy-csp-admx-power.md 
@@ -1,1330 +1,1555 @@ --- -title: Policy CSP - ADMX_Power -description: Learn about Policy CSP - ADMX_Power. +title: ADMX_Power Policy CSP +description: Learn more about the ADMX_Power Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/22/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Power ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Power policies + +## ACConnectivityInStandby_2 -
    -
    - ADMX_Power/ACConnectivityInStandby_2 -
    -
    - ADMX_Power/ACCriticalSleepTransitionsDisable_2 -
    -
    - ADMX_Power/ACStartMenuButtonAction_2 -
    -
    - ADMX_Power/AllowSystemPowerRequestAC -
    -
    - ADMX_Power/AllowSystemPowerRequestDC -
    -
    - ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC -
    -
    - ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC -
    -
    - ADMX_Power/CustomActiveSchemeOverride_2 -
    -
    - ADMX_Power/DCBatteryDischargeAction0_2 -
    -
    - ADMX_Power/DCBatteryDischargeAction1_2 -
    -
    - ADMX_Power/DCBatteryDischargeLevel0_2 -
    -
    - ADMX_Power/DCBatteryDischargeLevel1UINotification_2 -
    -
    - ADMX_Power/DCBatteryDischargeLevel1_2 -
    -
    - ADMX_Power/DCConnectivityInStandby_2 -
    -
    - ADMX_Power/DCCriticalSleepTransitionsDisable_2 -
    -
    - ADMX_Power/DCStartMenuButtonAction_2 -
    -
    - ADMX_Power/DiskACPowerDownTimeOut_2 -
    -
    - ADMX_Power/DiskDCPowerDownTimeOut_2 -
    -
    - ADMX_Power/Dont_PowerOff_AfterShutdown -
    -
    - ADMX_Power/EnableDesktopSlideShowAC -
    -
    - ADMX_Power/EnableDesktopSlideShowDC -
    -
    - ADMX_Power/InboxActiveSchemeOverride_2 -
    -
    - ADMX_Power/PW_PromptPasswordOnResume -
    -
    - ADMX_Power/PowerThrottlingTurnOff -
    -
    - ADMX_Power/ReserveBatteryNotificationLevel -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/ACConnectivityInStandby_2 +``` + -
    - - -**ADMX_Power/ACConnectivityInStandby_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. -If you enable this policy setting, network connectivity will be maintained in standby. +- If you enable this policy setting, network connectivity will be maintained in standby. -If you disable this policy setting, network connectivity in standby isn't guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. +- If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. -If you don't configure this policy setting, users control this setting. +- If you do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow network connectivity during connected-standby (plugged in)* -- GP name: *ACConnectivityInStandby_2* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/ACCriticalSleepTransitionsDisable_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ACConnectivityInStandby_2 | +| Friendly Name | Allow network connectivity during connected-standby (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ACCriticalSleepTransitionsDisable_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/ACCriticalSleepTransitionsDisable_2 +``` + - - + + This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. -If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). +- If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). -If you disable or don't configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on the ability for applications to prevent sleep transitions (plugged in)* -- GP name: *ACCriticalSleepTransitionsDisable_2* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/ACStartMenuButtonAction_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ACCriticalSleepTransitionsDisable_2 | +| Friendly Name | Turn on the ability for applications to prevent sleep transitions (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\B7A27025-E569-46c2-A504-2B96CAD225A1 | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ACStartMenuButtonAction_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/ACStartMenuButtonAction_2 +``` + - - + + This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. -If you enable this policy setting, select one of the following actions: +- If you enable this policy setting, select one of the following actions: +-Sleep +-Hibernate +-Shut down -- Sleep -- Hibernate -- Shut down +- If you disable this policy or do not configure this policy setting, users control this setting. + -If you disable this policy or don't configure this policy setting, users control this setting. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Select the Start menu Power button action (plugged in)* -- GP name: *ACStartMenuButtonAction_2* -- GP path: *System\Power Management\Button Settings* -- GP ADMX file name: *Power.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_Power/AllowSystemPowerRequestAC** +| Name | Value | +|:--|:--| +| Name | ACStartMenuButtonAction_2 | +| Friendly Name | Select the Start menu Power button action (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\A7066653-8D6C-40A8-910E-A1F54B84C7E5 | +| ADMX File Name | Power.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowSystemPowerRequestAC - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/AllowSystemPowerRequestAC +``` + -
    - - - + + This policy setting allows applications and services to prevent automatic sleep. -If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. +- If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. -If you disable or don't configure this policy setting, applications, services, or drivers don't prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. +- If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow applications to prevent automatic sleep (plugged in)* -- GP name: *AllowSystemPowerRequestAC* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/AllowSystemPowerRequestDC** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowSystemPowerRequestAC | +| Friendly Name | Allow applications to prevent automatic sleep (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\A4B195F5-8225-47D8-8012-9D41369786E2 | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowSystemPowerRequestDC -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/AllowSystemPowerRequestDC +``` + - - + + This policy setting allows applications and services to prevent automatic sleep. -If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. +- If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. -If you disable or don't configure this policy setting, applications, services, or drivers don't prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. +- If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow applications to prevent automatic sleep (on battery)* -- GP name: *AllowSystemPowerRequestDC* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowSystemPowerRequestDC | +| Friendly Name | Allow applications to prevent automatic sleep (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\A4B195F5-8225-47D8-8012-9D41369786E2 | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowSystemSleepWithRemoteFilesOpenAC -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC +``` + - - + + This policy setting allows you to manage automatic sleep with open network files. -If you enable this policy setting, the computer automatically sleeps when network files are open. +- If you enable this policy setting, the computer automatically sleeps when network files are open. -If you disable or don't configure this policy setting, the computer doesn't automatically sleep when network files are open. +- If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow automatic sleep with Open Network Files (plugged in)* -- GP name: *AllowSystemSleepWithRemoteFilesOpenAC* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowSystemSleepWithRemoteFilesOpenAC | +| Friendly Name | Allow automatic sleep with Open Network Files (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\d4c1d4c8-d5cc-43d3-b83e-fc51215cb04d | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowSystemSleepWithRemoteFilesOpenDC -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC +``` + - - + + This policy setting allows you to manage automatic sleep with open network files. -If you enable this policy setting, the computer automatically sleeps when network files are open. +- If you enable this policy setting, the computer automatically sleeps when network files are open. -If you disable or don't configure this policy setting, the computer doesn't automatically sleep when network files are open. +- If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow automatic sleep with Open Network Files (on battery)* -- GP name: *AllowSystemSleepWithRemoteFilesOpenDC* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/CustomActiveSchemeOverride_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowSystemSleepWithRemoteFilesOpenDC | +| Friendly Name | Allow automatic sleep with Open Network Files (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\d4c1d4c8-d5cc-43d3-b83e-fc51215cb04d | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CustomActiveSchemeOverride_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/CustomActiveSchemeOverride_2 +``` + - - -This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using `powercfg`, the power configuration command line tool. + + +This policy setting specifies the active power plan from a specified power plan's GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. -If you enable this policy setting, you must specify a power plan, specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), indicating the power plan to be active. +- If you enable this policy setting, you must specify a power plan, specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), indicating the power plan to be active. -If you disable or don't configure this policy setting, users can see and change this setting. +- If you disable or do not configure this policy setting, users can see and change this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify a custom active power plan* -- GP name: *CustomActiveSchemeOverride_2* -- GP path: *System\Power Management* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/DCBatteryDischargeAction0_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CustomActiveSchemeOverride_2 | +| Friendly Name | Specify a custom active power plan | +| Location | Computer Configuration | +| Path | System > Power Management | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DCBatteryDischargeAction0_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCBatteryDischargeAction0_2 +``` + - - + + This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level. -If you enable this policy setting, select one of the following actions: +- If you enable this policy setting, select one of the following actions: +-Take no action +-Sleep +-Hibernate +-Shut down -- Take no action -- Sleep -- Hibernate -- Shut down +- If you disable or do not configure this policy setting, users control this setting. + -If you disable or don't configure this policy setting, users control this setting. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Critical battery notification action* -- GP name: *DCBatteryDischargeAction0_2* -- GP path: *System\Power Management\Notification Settings* -- GP ADMX file name: *Power.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_Power/DCBatteryDischargeAction1_2** +| Name | Value | +|:--|:--| +| Name | DCBatteryDischargeAction0_2 | +| Friendly Name | Critical battery notification action | +| Location | Computer Configuration | +| Path | System > Power Management > Notification Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\637EA02F-BBCB-4015-8E2C-A1C7B9C0B546 | +| ADMX File Name | Power.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DCBatteryDischargeAction1_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCBatteryDischargeAction1_2 +``` + -
    - - - + + This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level. -If you enable this policy setting, select one of the following actions: +- If you enable this policy setting, select one of the following actions: +-Take no action +-Sleep +-Hibernate +-Shut down -- Take no action -- Sleep -- Hibernate -- Shut down +- If you disable or do not configure this policy setting, users control this setting. + -If you disable or don't configure this policy setting, users control this setting. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Low battery notification action* -- GP name: *DCBatteryDischargeAction1_2* -- GP path: *System\Power Management\Notification Settings* -- GP ADMX file name: *Power.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_Power/DCBatteryDischargeLevel0_2** +| Name | Value | +|:--|:--| +| Name | DCBatteryDischargeAction1_2 | +| Friendly Name | Low battery notification action | +| Location | Computer Configuration | +| Path | System > Power Management > Notification Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\d8742dcb-3e6a-4b3c-b3fe-374623cdcf06 | +| ADMX File Name | Power.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DCBatteryDischargeLevel0_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCBatteryDischargeLevel0_2 +``` + -
    - - - + + This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action. -If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the critical notification. +- If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the critical notification. To set the action that is triggered, see the "Critical Battery Notification Action" policy setting. -If you disable this policy setting or don't configure it, users control this setting. +- If you disable this policy setting or do not configure it, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Critical battery notification level* -- GP name: *DCBatteryDischargeLevel0_2* -- GP path: *System\Power Management\Notification Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/DCBatteryDischargeLevel1UINotification_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DCBatteryDischargeLevel0_2 | +| Friendly Name | Critical battery notification level | +| Location | Computer Configuration | +| Path | System > Power Management > Notification Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\9A66D8D7-4FF7-4EF9-B5A2-5A326CA2A469 | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DCBatteryDischargeLevel1_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCBatteryDischargeLevel1_2 +``` + - - -This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. - -If you enable this policy setting, Windows shows a notification when the battery capacity remaining equals the low battery notification level. - -To configure the low battery notification level, see the "Low Battery Notification Level" policy setting. - -The notification will only be shown if the "Low Battery Notification Action" policy setting is configured to "No Action". - -If you disable or don't configure this policy setting, users can control this setting. - - - - - -ADMX Info: -- GP Friendly name: *Turn off low battery user notification* -- GP name: *DCBatteryDischargeLevel1UINotification_2* -- GP path: *System\Power Management\Notification Settings* -- GP ADMX file name: *Power.admx* - - - -
    - - -**ADMX_Power/DCBatteryDischargeLevel1_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action. -If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the low notification. +- If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the low notification. To set the action that is triggered, see the "Low Battery Notification Action" policy setting. -If you disable this policy setting or don't configure it, users control this setting. +- If you disable this policy setting or do not configure it, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Low battery notification level* -- GP name: *DCBatteryDischargeLevel1_2* -- GP path: *System\Power Management\Notification Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/DCConnectivityInStandby_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DCBatteryDischargeLevel1_2 | +| Friendly Name | Low battery notification level | +| Location | Computer Configuration | +| Path | System > Power Management > Notification Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\8183ba9a-e910-48da-8769-14ae6dc1170a | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DCBatteryDischargeLevel1UINotification_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCBatteryDischargeLevel1UINotification_2 +``` + - - + + +This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. + +- If you enable this policy setting, Windows shows a notification when the battery capacity remaining equals the low battery notification level. To configure the low battery notification level, see the "Low Battery Notification Level" policy setting. + +The notification will only be shown if the "Low Battery Notification Action" policy setting is configured to "No Action". + +- If you disable or do not configure this policy setting, users can control this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DCBatteryDischargeLevel1UINotification_2 | +| Friendly Name | Turn off low battery user notification | +| Location | Computer Configuration | +| Path | System > Power Management > Notification Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\bcded951-187b-4d05-bccc-f7e51960c258 | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + + + + + + + + + +## DCConnectivityInStandby_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCConnectivityInStandby_2 +``` + + + + This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. -If you enable this policy setting, network connectivity will be maintained in standby. +- If you enable this policy setting, network connectivity will be maintained in standby. -If you disable this policy setting, network connectivity in standby isn't guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. +- If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. -If you don't configure this policy setting, users control this setting. +- If you do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow network connectivity during connected-standby (on battery)* -- GP name: *DCConnectivityInStandby_2* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/DCCriticalSleepTransitionsDisable_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DCConnectivityInStandby_2 | +| Friendly Name | Allow network connectivity during connected-standby (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DCCriticalSleepTransitionsDisable_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCCriticalSleepTransitionsDisable_2 +``` + - - + + This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. -If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). +- If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). -If you disable or don't configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on the ability for applications to prevent sleep transitions (on battery)* -- GP name: *DCCriticalSleepTransitionsDisable_2* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/DCStartMenuButtonAction_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DCCriticalSleepTransitionsDisable_2 | +| Friendly Name | Turn on the ability for applications to prevent sleep transitions (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\B7A27025-E569-46c2-A504-2B96CAD225A1 | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DCStartMenuButtonAction_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCStartMenuButtonAction_2 +``` + - - + + This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. -If you enable this policy setting, select one of the following actions: +- If you enable this policy setting, select one of the following actions: +-Sleep +-Hibernate +-Shut down -- Sleep -- Hibernate -- Shut down +- If you disable this policy or do not configure this policy setting, users control this setting. + -If you disable this policy or don't configure this policy setting, users control this setting. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Select the Start menu Power button action (on battery)* -- GP name: *DCStartMenuButtonAction_2* -- GP path: *System\Power Management\Button Settings* -- GP ADMX file name: *Power.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_Power/DiskACPowerDownTimeOut_2** +| Name | Value | +|:--|:--| +| Name | DCStartMenuButtonAction_2 | +| Friendly Name | Select the Start menu Power button action (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\A7066653-8D6C-40A8-910E-A1F54B84C7E5 | +| ADMX File Name | Power.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DiskACPowerDownTimeOut_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DiskACPowerDownTimeOut_2 +``` + -
    - - - + + This policy setting specifies the period of inactivity before Windows turns off the hard disk. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. -If you disable or don't configure this policy setting, users can see and change this setting. +- If you disable or do not configure this policy setting, users can see and change this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn Off the hard disk (plugged in)* -- GP name: *DiskACPowerDownTimeOut_2* -- GP path: *System\Power Management\Hard Disk Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/DiskDCPowerDownTimeOut_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DiskACPowerDownTimeOut_2 | +| Friendly Name | Turn Off the hard disk (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Hard Disk Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\6738E2C4-E8A5-4A42-B16A-E040E769756E | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DiskDCPowerDownTimeOut_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DiskDCPowerDownTimeOut_2 +``` + - - + + This policy setting specifies the period of inactivity before Windows turns off the hard disk. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. -If you disable or don't configure this policy setting, users can see and change this setting. +- If you disable or do not configure this policy setting, users can see and change this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn Off the hard disk (on battery)* -- GP name: *DiskDCPowerDownTimeOut_2* -- GP path: *System\Power Management\Hard Disk Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/Dont_PowerOff_AfterShutdown** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DiskDCPowerDownTimeOut_2 | +| Friendly Name | Turn Off the hard disk (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Hard Disk Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\6738E2C4-E8A5-4A42-B16A-E040E769756E | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Dont_PowerOff_AfterShutdown -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/Dont_PowerOff_AfterShutdown +``` + - - -This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. - -This setting doesn't affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces. - -Applications such as UPS software may rely on Windows shutdown behavior. + + +This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces. Applications such as UPS software may rely on Windows shutdown behavior. This setting is only applicable when Windows shutdown is initiated by software programs invoking the Windows programming interfaces ExitWindowsEx() or InitiateSystemShutdown(). -If you enable this policy setting, the computer system safely shuts down and remains in a powered state, ready for power to be safely removed. +- If you enable this policy setting, the computer system safely shuts down and remains in a powered state, ready for power to be safely removed. -If you disable or don't configure this policy setting, the computer system safely shuts down to a fully powered-off state. +- If you disable or do not configure this policy setting, the computer system safely shuts down to a fully powered-off state. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not turn off system power after a Windows system shutdown has occurred.* -- GP name: *Dont_PowerOff_AfterShutdown* -- GP path: *System* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/EnableDesktopSlideShowAC** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Dont_PowerOff_AfterShutdown | +| Friendly Name | Do not turn off system power after a Windows system shutdown has occurred. | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows NT | +| Registry Value Name | DontPowerOffAfterShutdown | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableDesktopSlideShowAC -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/EnableDesktopSlideShowAC +``` + - - + + This policy setting allows you to specify if Windows should enable the desktop background slideshow. -If you enable this policy setting, desktop background slideshow is enabled. +- If you enable this policy setting, desktop background slideshow is enabled. -If you disable this policy setting, the desktop background slideshow is disabled. +- If you disable this policy setting, the desktop background slideshow is disabled. -If you disable or don't configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on desktop background slideshow (plugged in)* -- GP name: *EnableDesktopSlideShowAC* -- GP path: *System\Power Management\Video and Display Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/EnableDesktopSlideShowDC** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableDesktopSlideShowAC | +| Friendly Name | Turn on desktop background slideshow (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Video and Display Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\309dce9b-bef4-4119-9921-a851fb12f0f4 | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableDesktopSlideShowDC -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/EnableDesktopSlideShowDC +``` + - - + + This policy setting allows you to specify if Windows should enable the desktop background slideshow. -If you enable this policy setting, desktop background slideshow is enabled. +- If you enable this policy setting, desktop background slideshow is enabled. -If you disable this policy setting, the desktop background slideshow is disabled. +- If you disable this policy setting, the desktop background slideshow is disabled. -If you disable or don't configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on desktop background slideshow (on battery)* -- GP name: *EnableDesktopSlideShowDC* -- GP path: *System\Power Management\Video and Display Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/InboxActiveSchemeOverride_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableDesktopSlideShowDC | +| Friendly Name | Turn on desktop background slideshow (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Video and Display Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\309dce9b-bef4-4119-9921-a851fb12f0f4 | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InboxActiveSchemeOverride_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/InboxActiveSchemeOverride_2 +``` + - - + + This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting. -If you enable this policy setting, specify a power plan from the Active Power Plan list. +- If you enable this policy setting, specify a power plan from the Active Power Plan list. -If you disable or don't configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Select an active power plan* -- GP name: *InboxActiveSchemeOverride_2* -- GP path: *System\Power Management* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/PW_PromptPasswordOnResume** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | InboxActiveSchemeOverride_2 | +| Friendly Name | Select an active power plan | +| Location | Computer Configuration | +| Path | System > Power Management | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PowerThrottlingTurnOff -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/PowerThrottlingTurnOff +``` + - - -This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. - -If you enable this policy setting, the client computer is locked and prompted for a password when it's resumed from a suspend or hibernate state. - -If you disable or don't configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation. - - - - - -ADMX Info: -- GP Friendly name: *Prompt for password on resume from hibernate/suspend* -- GP name: *PW_PromptPasswordOnResume* -- GP path: *System\Power Management* -- GP ADMX file name: *Power.admx* - - - -
    - - -**ADMX_Power/PowerThrottlingTurnOff** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to turn off Power Throttling. -If you enable this policy setting, Power Throttling will be turned off. +- If you enable this policy setting, Power Throttling will be turned off. -If you disable or don't configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Power Throttling* -- GP name: *PowerThrottlingTurnOff* -- GP path: *System\Power Management\Power Throttling Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Power/ReserveBatteryNotificationLevel** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PowerThrottlingTurnOff | +| Friendly Name | Turn off Power Throttling | +| Location | Computer Configuration | +| Path | System > Power Management > Power Throttling Settings | +| Registry Key Name | System\CurrentControlSet\Control\Power\PowerThrottling | +| Registry Value Name | PowerThrottlingOff | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PW_PromptPasswordOnResume -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Power/PW_PromptPasswordOnResume +``` + - - + + +This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. + +- If you enable this policy setting, the client computer is locked and prompted for a password when it is resumed from a suspend or hibernate state. + +- If you disable or do not configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PW_PromptPasswordOnResume | +| Friendly Name | Prompt for password on resume from hibernate/suspend | +| Location | User Configuration | +| Path | System > Power Management | +| Registry Key Name | Software\Policies\Microsoft\Windows\System\Power | +| Registry Value Name | PromptPasswordOnResume | +| ADMX File Name | Power.admx | + + + + + + + + + +## ReserveBatteryNotificationLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/ReserveBatteryNotificationLevel +``` + + + + This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. -If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification. +- If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification. -If you disable or don't configure this policy setting, users can see and change this setting. +- If you disable or do not configure this policy setting, users can see and change this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Reserve battery notification level* -- GP name: *ReserveBatteryNotificationLevel* -- GP path: *System\Power Management\Notification Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ReserveBatteryNotificationLevel | +| Friendly Name | Reserve battery notification level | +| Location | Computer Configuration | +| Path | System > Power Management > Notification Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\F3C5027D-CD16-4930-AA6B-90DB844A8F00 | +| ADMX File Name | Power.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index 5659a2f23c..0c13746a26 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md 
@@ -1,263 +1,323 @@ --- -title: Policy CSP - ADMX_PowerShellExecutionPolicy -description: Learn about Policy CSP - ADMX_PowerShellExecutionPolicy. +title: ADMX_PowerShellExecutionPolicy Policy CSP +description: Learn more about the ADMX_PowerShellExecutionPolicy Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/26/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_PowerShellExecutionPolicy ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_PowerShellExecutionPolicy policies + +## EnableModuleLogging -
    -
    - ADMX_PowerShellExecutionPolicy/EnableModuleLogging -
    -
    - ADMX_PowerShellExecutionPolicy/EnableScripts -
    -
    - ADMX_PowerShellExecutionPolicy/EnableTranscripting -
    -
    - ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableModuleLogging +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableModuleLogging +``` + - -**ADMX_PowerShellExecutionPolicy/EnableModuleLogging** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - + + This policy setting allows you to turn on logging for Windows PowerShell modules. -If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell login Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True. +- If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True. -If you disable this policy setting, logging of execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to False. If this policy setting isn't configured, the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a module or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-ins is set to False. +- If you disable this policy setting, logging of execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to False. + +- If this policy setting is not configured, the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a module or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-ins is set to False. To add modules and snap-ins to the policy setting list, click Show, and then type the module names in the list. The modules and snap-ins in the list must be installed on the computer. 
> [!NOTE] > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on Module Logging* -- GP name: *EnableModuleLogging* -- GP path: *Windows Components\Windows PowerShell* -- GP ADMX file name: *PowerShellExecutionPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_PowerShellExecutionPolicy/EnableScripts** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableModuleLogging | +| Friendly Name | Turn on Module Logging | +| Location | Computer and User Configuration | +| Path | Windows Components > Windows PowerShell | +| Registry Key Name | Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging | +| Registry Value Name | EnableModuleLogging | +| ADMX File Name | PowerShellExecutionPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableScripts -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableScripts +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableScripts +``` + + + + This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. -If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The "Allow only signed scripts" policy setting allows scripts to execute only if they're signed by a trusted publisher. +- If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. -The "Allow local scripts and remote signed scripts" policy setting allows any local scripts to run. And, the scripts that originate from the Internet must be signed by a trusted publisher. The "Allow all scripts" policy setting allows all scripts to run. +The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher. -If you disable this policy setting, no scripts are allowed to run. +The "Allow local scripts and remote signed scripts" policy setting allows any local scrips to run; scripts that originate from the Internet must be signed by a trusted publisher. + +The "Allow all scripts" policy setting allows all scripts to run. + +- If you disable this policy setting, no scripts are allowed to run. > [!NOTE] -> This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that isn't configured is "No scripts allowed." +> This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." 
- +- If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed." + + + + - -ADMX Info: -- GP Friendly name: *Turn on Script Execution* -- GP name: *EnableScripts* -- GP path: *Windows Components\Windows PowerShell* -- GP ADMX file name: *PowerShellExecutionPolicy.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_PowerShellExecutionPolicy/EnableTranscripting** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | EnableScripts | +| Friendly Name | Turn on Script Execution | +| Location | Computer and User Configuration | +| Path | Windows Components > Windows PowerShell | +| Registry Key Name | Software\Policies\Microsoft\Windows\PowerShell | +| Registry Value Name | EnableScripts | +| ADMX File Name | PowerShellExecutionPolicy.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device -> * User + +## EnableTranscripting -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableTranscripting +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableTranscripting +``` + + + + This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. -If you enable this policy setting, Windows PowerShell will enable transcription for Windows PowerShell, the Windows PowerShell ISE, and any other applications that use the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session. +- If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other +applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents +directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent +to calling the Start-Transcript cmdlet on each Windows PowerShell session. -If you disable this policy setting, transcription of PowerShell-based applications is disabled by default, although transcription can still be enabled through the Start-Transcript cmdlet. +- If you disable this policy setting, transcripting of PowerShell-based applications is disabled by default, although transcripting can still be enabled +through the Start-Transcript cmdlet. 
-If you use the OutputDirectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to prevent users from viewing the transcripts of other users or computers. +If you use the OutputDirectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to prevent users +from viewing the transcripts of other users or computers. > [!NOTE] > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on PowerShell Transcription* -- GP name: *EnableTranscripting* -- GP path: *Windows Components\Windows PowerShell* -- GP ADMX file name: *PowerShellExecutionPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableTranscripting | +| Friendly Name | Turn on PowerShell Transcription | +| Location | Computer and User Configuration | +| Path | Windows Components > Windows PowerShell | +| Registry Key Name | Software\Policies\Microsoft\Windows\PowerShell\Transcription | +| Registry Value Name | EnableTranscripting | +| ADMX File Name | PowerShellExecutionPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableUpdateHelpDefaultSourcePath -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath +``` + + + + This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. -If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter on the Update-Help cmdlet. +- If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter on the Update-Help cmdlet. -If this policy setting is disabled or not configured, this policy setting doesn't set a default value for the SourcePath parameter of the Update-Help cmdlet. +- If this policy setting is disabled or not configured, this policy setting does not set a default value for the SourcePath parameter of the Update-Help cmdlet. > [!NOTE] > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set the default source path for Update-Help* -- GP name: *EnableUpdateHelpDefaultSourcePath* -- GP path: *Windows Components\Windows PowerShell* -- GP ADMX file name: *PowerShellExecutionPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | EnableUpdateHelpDefaultSourcePath | +| Friendly Name | Set the default source path for Update-Help | +| Location | Computer and User Configuration | +| Path | Windows Components > Windows PowerShell | +| Registry Key Name | Software\Policies\Microsoft\Windows\PowerShell\UpdatableHelp | +| Registry Value Name | EnableUpdateHelpDefaultSourcePath | +| ADMX File Name | PowerShellExecutionPolicy.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md index 4f35241526..c2aa223837 100644 --- a/windows/client-management/mdm/policy-csp-admx-previousversions.md +++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md 
@@ -1,444 +1,780 @@ --- -title: Policy CSP - ADMX_PreviousVersions -description: Policy CSP - ADMX_PreviousVersions +title: ADMX_PreviousVersions Policy CSP +description: Learn more about the ADMX_PreviousVersions Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/01/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_PreviousVersions -## ADMX_PreviousVersions policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - + +## DisableBackupRestore_1 -
    -
    - ADMX_PreviousVersions/DisableLocalPage_1 -
    -
    - ADMX_PreviousVersions/DisableLocalPage_2 -
    -
    - ADMX_PreviousVersions/DisableRemotePage_1 -
    -
    - ADMX_PreviousVersions/DisableRemotePage_2 -
    -
    - ADMX_PreviousVersions/HideBackupEntries_1 -
    -
    - ADMX_PreviousVersions/HideBackupEntries_2 -
    -
    - ADMX_PreviousVersions/DisableLocalRestore_1 -
    -
    - ADMX_PreviousVersions/DisableLocalRestore_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableBackupRestore_1 +``` + -
    + + +This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file, in which the previous version is stored on a backup. - -**ADMX_PreviousVersions/DisableLocalPage_1** +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a backup. - +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a backup. If the Restore button is clicked, Windows attempts to restore the file from the backup media. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file and stored on the backup. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableBackupRestore_1 | +| Friendly Name | Prevent restoring previous versions from backups | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableBackupRestore | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + + +## DisableBackupRestore_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableBackupRestore_2 +``` + + + + +This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file, in which the previous version is stored on a backup. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a backup. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a backup. If the Restore button is clicked, Windows attempts to restore the file from the backup media. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file and stored on the backup. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableBackupRestore_2 | +| Friendly Name | Prevent restoring previous versions from backups | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableBackupRestore | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + + +## DisableLocalPage_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableLocalPage_1 +``` + + + + +This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come from the on-disk restore points or from backup media. + +- If you enable this policy setting, users cannot list or restore previous versions of files on local disks. + +- If you disable this policy setting, users cannot list and restore previous versions of files on local disks. + +- If you do not configure this policy setting, it defaults to disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableLocalPage_1 | +| Friendly Name | Hide previous versions list for local files | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableLocalPage | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + + +## DisableLocalPage_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableLocalPage_2 +``` + + + + +This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come from the on-disk restore points or from backup media. + +- If you enable this policy setting, users cannot list or restore previous versions of files on local disks. + +- If you disable this policy setting, users cannot list and restore previous versions of files on local disks. + +- If you do not configure this policy setting, it defaults to disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableLocalPage_2 | +| Friendly Name | Hide previous versions list for local files | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableLocalPage | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + + +## DisableLocalRestore_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableLocalRestore_1 +``` + + + + This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. - If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. -- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. -- If the user clicks the Restore button, Windows attempts to restore the file from the local disk. -- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a local file. - +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. If the user clicks the Restore button, Windows attempts to restore the file from the local disk. +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file. + - -ADMX Info: -- GP Friendly name: *Prevent restoring local previous versions* -- GP name: *DisableLocalPage_1* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_PreviousVersions/DisableLocalPage_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DisableLocalRestore_1 | +| Friendly Name | Prevent restoring local previous versions | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableLocalRestore | +| ADMX File Name | PreviousVersions.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## DisableLocalRestore_2 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableLocalRestore_2 +``` + + + + This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. - If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. -- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. -- If the user clicks the Restore button, Windows attempts to restore the file from the local disk. -- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a local file. - +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. If the user clicks the Restore button, Windows attempts to restore the file from the local disk. +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file. + - -ADMX Info: -- GP Friendly name: *Prevent restoring local previous versions* -- GP name: *DisableLocalPage_2* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_PreviousVersions/DisableRemotePage_1** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DisableLocalRestore_2 | +| Friendly Name | Prevent restoring local previous versions | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableLocalRestore | +| ADMX File Name | PreviousVersions.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## DisableRemotePage_1 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableRemotePage_1 +``` + + + + +This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from the on-disk restore points on the file share. + +- If you enable this policy setting, users cannot list or restore previous versions of files on file shares. + +- If you disable this policy setting, users can list and restore previous versions of files on file shares. + +- If you do not configure this policy setting, it is disabled by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableRemotePage_1 | +| Friendly Name | Hide previous versions list for remote files | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableRemotePage | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + + +## DisableRemotePage_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableRemotePage_2 +``` + + + + +This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from the on-disk restore points on the file share. + +- If you enable this policy setting, users cannot list or restore previous versions of files on file shares. + +- If you disable this policy setting, users can list and restore previous versions of files on file shares. + +- If you do not configure this policy setting, it is disabled by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableRemotePage_2 | +| Friendly Name | Hide previous versions list for remote files | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableRemotePage | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + + +## DisableRemoteRestore_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableRemoteRestore_1 +``` + + + + This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. - If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. -- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. -- If the user clicks the Restore button, Windows attempts to restore the file from the file share. -- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a file on a file share. - +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. If the user clicks the Restore button, Windows attempts to restore the file from the file share. +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + - -ADMX Info: -- GP Friendly name: *Prevent restoring remote previous versions* -- GP name: *DisableRemotePage_1* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_PreviousVersions/DisableRemotePage_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DisableRemoteRestore_1 | +| Friendly Name | Prevent restoring remote previous versions | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableRemoteRestore | +| ADMX File Name | PreviousVersions.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## DisableRemoteRestore_2 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableRemoteRestore_2 +``` + + + + This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. - If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. -- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. -- If the user clicks the Restore button, Windows attempts to restore the file from the file share. -- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a file on a file share. - +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. If the user clicks the Restore button, Windows attempts to restore the file from the file share. +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + - -ADMX Info: -- GP Friendly name: *Prevent restoring remote previous versions* -- GP name: *DisableRemotePage_1* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* + + + + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_PreviousVersions/HideBackupEntries_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableRemoteRestore_2 | +| Friendly Name | Prevent restoring remote previous versions | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableRemoteRestore | +| ADMX File Name | PreviousVersions.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## HideBackupEntries_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/HideBackupEntries_1 +``` + + + + This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. -- If you enable this policy setting, users can't see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. -- If you disable this policy setting, users can see previous versions corresponding to backup copies and previous versions corresponding to on-disk restore points. -- If you don't configure this policy setting, it's disabled by default. +- If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. - +- If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points. +- If you do not configure this policy setting, it is disabled by default. + - -ADMX Info: -- GP Friendly name: *Hide previous versions of files on backup location* -- GP name: *HideBackupEntries_1* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_PreviousVersions/HideBackupEntries_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | HideBackupEntries_1 | +| Friendly Name | Hide previous versions of files on backup location | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | HideBackupEntries | +| ADMX File Name | PreviousVersions.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## HideBackupEntries_2 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/HideBackupEntries_2 +``` + + + + This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. -- If you enable this policy setting, users can't see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. -- If you disable this policy setting, users can see previous versions corresponding to backup copies and previous versions corresponding to on-disk restore points. -- If you don't configure this policy setting, it's disabled by default. +- If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. - +- If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points. +- If you do not configure this policy setting, it is disabled by default. + - -ADMX Info: -- GP Friendly name: *Hide previous versions of files on backup location* -- GP name: *HideBackupEntries_2* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_PreviousVersions/DisableLocalRestore_1** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | HideBackupEntries_2 | +| Friendly Name | Hide previous versions of files on backup location | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | HideBackupEntries | +| ADMX File Name | PreviousVersions.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + + + - - -This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + -- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. -- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. -- If the user clicks the Restore button, Windows attempts to restore the file from the file share. -- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a file on a file share. +## Related articles - - - - -ADMX Info: -- GP Friendly name: *Prevent restoring remote previous versions* -- GP name: *DisableLocalRestore_1* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* - - - - -
    - -**ADMX_PreviousVersions/DisableLocalRestore_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. - -- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. -- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. -- If the user clicks the Restore button, Windows attempts to restore the file from the file share. -- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a file on a file share. - - - - -ADMX Info: -- GP Friendly name: *Prevent restoring remote previous versions* -- GP name: *DisableLocalRestore_2* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index 3728163906..b85780257a 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md 
@@ -1,1070 +1,1210 @@
---
-title: Policy CSP - ADMX_Printing
-description: Learn about Policy CSP - ADMX_Printing.
+title: ADMX_Printing Policy CSP
+description: Learn more about the ADMX_Printing Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
+ms.date: 01/09/2023
ms.localizationpriority: medium
-ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 12/15/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+ + +
# Policy CSP - ADMX_Printing
->[!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> [!TIP]
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
    + + + - -## ADMX_Printing policies + +## AllowWebPrinting -
    -
    - ADMX_Printing/AllowWebPrinting -
    -
    - ADMX_Printing/ApplicationDriverIsolation -
    -
    - ADMX_Printing/CustomizedSupportUrl -
    -
    - ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate -
    -
    - ADMX_Printing/DomainPrinters -
    -
    - ADMX_Printing/DownlevelBrowse -
    -
    - ADMX_Printing/EMFDespooling -
    -
    - ADMX_Printing/ForceSoftwareRasterization -
    -
    - ADMX_Printing/IntranetPrintersUrl -
    -
    - ADMX_Printing/KMPrintersAreBlocked -
    -
    - ADMX_Printing/LegacyDefaultPrinterMode -
    -
    - ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS -
    -
    - ADMX_Printing/NoDeletePrinter -
    -
    - ADMX_Printing/NonDomainPrinters -
    -
    - ADMX_Printing/PackagePointAndPrintOnly -
    -
    - ADMX_Printing/PackagePointAndPrintOnly_Win7 -
    -
    - ADMX_Printing/PackagePointAndPrintServerList -
    -
    - ADMX_Printing/PackagePointAndPrintServerList_Win7 -
    -
    - ADMX_Printing/PhysicalLocation -
    -
    - ADMX_Printing/PhysicalLocationSupport -
    -
    - ADMX_Printing/PrintDriverIsolationExecutionPolicy -
    -
    - ADMX_Printing/PrintDriverIsolationOverrideCompat -
    -
    - ADMX_Printing/PrinterDirectorySearchScope -
    -
    - ADMX_Printing/PrinterServerThread -
    -
    - ADMX_Printing/ShowJobTitleInEventLogs -
    -
    - ADMX_Printing/V4DriverDisallowPrinterExtension -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/AllowWebPrinting +``` + -
    - - -**ADMX_Printing/AllowWebPrinting** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet. -If you enable this policy setting, Internet printing is activated on this server. +- If you enable this policy setting, Internet printing is activated on this server. -If you disable this policy setting or don't configure it, Internet printing isn't activated. +- If you disable this policy setting or do not configure it, Internet printing is not activated. Internet printing is an extension of Internet Information Services (IIS). To use Internet printing, IIS must be installed, and printing support and this setting must be enabled. > [!NOTE] -> This setting affects the server side of Internet printing only. It doesn't prevent the print client on the computer from printing across the Internet. +> This setting affects the server side of Internet printing only. It does not prevent the print client on the computer from printing across the Internet. Also, see the "Custom support URL in the Printers folder's left pane" setting in this folder and the "Browse a common Web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Activate Internet printing* -- GP name: *AllowWebPrinting* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/ApplicationDriverIsolation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowWebPrinting | +| Friendly Name | Activate Internet printing | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | DisableWebPrinting | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ApplicationDriverIsolation -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/ApplicationDriverIsolation +``` + - - + + Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. -Not all applications support driver isolation. By default, Microsoft Excel 2007, Excel 2010, Word 2007, Word 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drivers, depending on whether they're configured for it. +Not all applications support driver isolation. By default, Microsoft Excel 2007, Excel 2010, Word 2007, Word 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drivers, depending on whether they are configured for it. -If you enable or don't configure this policy setting, then applications that are configured to support driver isolation will be isolated. +- If you enable or do not configure this policy setting, then applications that are configured to support driver isolation will be isolated. -If you disable this policy setting, then print drivers will be loaded within all associated application processes. +- If you disable this policy setting, then print drivers will be loaded within all associated application processes. -> [!NOTE] -> - This policy setting applies only to applications opted into isolation. -> - This policy setting applies only to print drivers loaded by applications. Print drivers loaded by the print spooler aren't affected. -> - This policy setting is only checked once during the lifetime of a process. After changing the policy, a running application must be relaunched before settings take effect. +**Note**: +-This policy setting applies only to applications opted into isolation. +-This policy setting applies only to print drivers loaded by applications. 
Print drivers loaded by the print spooler are not affected. +-This policy setting is only checked once during the lifetime of a process. After changing the policy, a running application must be relaunched before settings take effect. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Isolate print drivers from applications* -- GP name: *ApplicationDriverIsolation* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/CustomizedSupportUrl** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ApplicationDriverIsolation | +| Friendly Name | Isolate print drivers from applications | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | ApplicationDriverIsolation | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CustomizedSupportUrl -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/CustomizedSupportUrl +``` + - - + + By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer. -If you enable this policy setting, you replace the "Get help with printing" default link with a link to a Web page customized for your enterprise. +- If you enable this policy setting, you replace the "Get help with printing" default link with a link to a Web page customized for your enterprise. -If you disable this setting or don't configure it, or if you don't enter an alternate Internet address, the default link will appear in the Printers folder. +- If you disable this setting or do not configure it, or if you do not enter an alternate Internet address, the default link will appear in the Printers folder. > [!NOTE] -> Web pages links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the setting has no effect. -> To enable Web view, open the Printers folder, and, on the Tools menu, click Folder Options, click the General tab, and then click "Enable Web content in folders." +> Web pages links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the setting has no effect. (To enable Web view, open the Printers folder, and, on the Tools menu, click Folder Options, click the General tab, and then click "Enable Web content in folders.") Also, see the "Activate Internet printing" setting in this setting folder and the "Browse a common web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers. 
Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" settings in User Configuration\Administrative Templates\Windows Components\Windows Explorer, and by the "Enable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Custom support URL in the Printers folder's left pane* -- GP name: *CustomizedSupportUrl* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CustomizedSupportUrl | +| Friendly Name | Custom support URL in the Printers folder's left pane | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DomainPrinters -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/DomainPrinters +``` + - - -This policy setting allows you to manage where client computers search for Point and Printer drivers. + + +- If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) -If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache. +- If this policy setting is disabled, the network scan page will not be displayed. -If you disable this policy setting, the client computer will only search the local driver store and server driver cache for compatible Point and Print drivers. If it's unable to find a compatible driver, then the Point and Print connection will fail. - -This policy setting isn't configured by default, and the behavior depends on the version of Windows that you're using. - - - - -ADMX Info: -- GP Friendly name: *Extend Point and Print connection to search Windows Update* -- GP name: *DoNotInstallCompatibleDriverFromWindowsUpdate* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**ADMX_Printing/DomainPrinters** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, for example, a domain-joined laptop on a corporate network.) - -If this policy setting is disabled, the network scan page won't be displayed. - -If this policy setting isn't configured, the Add Printer wizard will display the default number of printers of each type: - -- Directory printers: 20 -- TCP/IP printers: 0 -- Web Services printers: 0 -- Bluetooth printers: 10 -- Shared printers: 0 +- If this policy setting is not configured, the Add Printer wizard will display the default number of printers of each type: +Directory printers: 20 +TCP/IP printers: 0 +Web Services printers: 0 +Bluetooth printers: 10 +Shared printers: 0 In order to view available Web Services printers on your network, ensure that network discovery is turned on. To turn on network discovery, click "Start", click "Control Panel", and then click "Network and Internet". On the "Network and Internet" page, click "Network and Sharing Center". On the Network and Sharing Center page, click "Change advanced sharing settings". On the Advanced sharing settings page, click the arrow next to "Domain" arrow, click "turn on network discovery", and then click "Save changes". If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0. -In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or don't configure this policy setting, the default limit is applied. +In Windows 10 and later, only TCP/IP printers can be shown in the wizard. +- If you enable this policy setting, only TCP/IP printer limits are applicable. 
On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied. -In Windows 8 and later, Bluetooth printers aren't shown so its limit doesn't apply to those versions of Windows. +In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Add Printer wizard - Network scan page (Managed network)* -- GP name: *DomainPrinters* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/DownlevelBrowse** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DomainPrinters | +| Friendly Name | Add Printer wizard - Network scan page (Managed network) | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | +| Registry Value Name | DomainDisplayPrinters_State | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotInstallCompatibleDriverFromWindowsUpdate -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate +``` + - - + + +This policy setting allows you to manage where client computers search for Point and Printer drivers. + +- If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache. + +- If you disable this policy setting, the client computer will only search the local driver store and server driver cache for compatible Point and Print drivers. If it is unable to find a compatible driver, then the Point and Print connection will fail. + +This policy setting is not configured by default, and the behavior depends on the version of Windows that you are using. +By default, Windows Ultimate, Professional and Home SKUs will continue to search for compatible Point and Print drivers from Windows Update, if needed. However, you must explicitly enable this policy setting for other versions of Windows (for example Windows Enterprise, and all versions of Windows Server 2008 R2 and later) to have the same behavior. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DoNotInstallCompatibleDriverFromWindowsUpdate | +| Friendly Name | Extend Point and Print connection to search Windows Update | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | DoNotInstallCompatibleDriverFromWindowsUpdate | +| ADMX File Name | Printing.admx | + + + + + + + + + +## DownlevelBrowse + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/DownlevelBrowse +``` + + + + Allows users to use the Add Printer Wizard to search the network for shared printers. -If you enable this setting or don't configure it, when users choose to add a network printer by selecting the "A network printer, or a printer attached to another computer" radio button on Add Printer Wizard's page 2, and also check the "Connect to this printer (or to browse for a printer, select this option and click Next)" radio button on Add Printer Wizard's page 3, and don't specify a printer name in the adjacent "Name" edit box, then Add Printer Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list. +- If you enable this setting or do not configure it, when users choose to add a network printer by selecting the "A network printer, or a printer attached to another computer" radio button on Add Printer Wizard's page 2, and also check the "Connect to this printer (or to browse for a printer, select this option and click Next)" radio button on Add Printer Wizard's page 3, and do not specify a printer name in the adjacent "Name" edit box, then Add Printer Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list. -If you disable this setting, the network printer browse page is removed from within the Add Printer Wizard, and users can't search the network but must type a printer name. +- If you disable this setting, the network printer browse page is removed from within the Add Printer Wizard, and users cannot search the network but must type a printer name. > [!NOTE] -> This setting affects the Add Printer Wizard only. It doesn't prevent users from using other programs to search for shared printers or to connect to network printers. +> This setting affects the Add Printer Wizard only. 
It does not prevent users from using other programs to search for shared printers or to connect to network printers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Browse the network to find printers* -- GP name: *DownlevelBrowse* -- GP path: *Control Panel\Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/EMFDespooling** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DownlevelBrowse | +| Friendly Name | Browse the network to find printers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | +| Registry Value Name | Downlevel Browse | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EMFDespooling -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/EMFDespooling +``` + - - -When printing is being done through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. + + +When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. -This policy setting only affects printing to a Windows print server. +This policy setting only effects printing to a Windows print server. -If you enable this policy setting on a client machine, the client spooler won't process print jobs before sending them to the print server, thereby decreasing the workload on the client at the expense of increasing the load on the server. +- If you enable this policy setting on a client machine, the client spooler will not process print jobs before sending them to the print server. This decreases the workload on the client at the expense of increasing the load on the server. -If you disable this policy setting on a client machine, the client itself will process print jobs into printer device commands. These commands will then be sent to the print server, and the server will pass the commands to the printer. This process increases the workload of the client while decreasing the load on the server. +- If you disable this policy setting on a client machine, the client itself will process print jobs into printer device commands. These commands will then be sent to the print server, and the server will simply pass the commands to the printer. This increases the workload of the client while decreasing the load on the server. -If you don't enable this policy setting, the behavior is the same as disabling it. +If you do not enable this policy setting, the behavior is the same as disabling it. > [!NOTE] -> This policy doesn't determine whether offline printing will be available to the client. 
The client print spooler can always queue print jobs when not connected to the print server. Upon reconnecting to the server, the client will submit any pending print jobs. -> -> Some printer drivers require a custom print processor. In some cases the custom print processor may not be installed on the client machine, such as when the print server doesn't support transferring print processors during point-and-print. In the case of a print processor mismatch, the client spooler will always send jobs to the print server for rendering. Disabling the above policy setting doesn't override this behavior. -> -> In cases where the client print driver doesn't match the server print driver (mismatched connection), the client will always process the print job, regardless of the setting of this policy. +> This policy does not determine whether offline printing will be available to the client. The client print spooler can always queue print jobs when not connected to the print server. Upon reconnecting to the server, the client will submit any pending print jobs. - +> [!NOTE] +> Some printer drivers require a custom print processor. In some cases the custom print processor may not be installed on the client machine, such as when the print server does not support transferring print processors during point-and-print. In the case of a print processor mismatch, the client spooler will always send jobs to the print server for rendering. Disabling the above policy setting does not override this behavior. +> [!NOTE] +> In cases where the client print driver does not match the server print driver (mismatched connection), the client will always process the print job, regardless of the setting of this policy. + - -ADMX Info: -- GP Friendly name: *Always render print jobs on the server* -- GP name: *EMFDespooling* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_Printing/ForceSoftwareRasterization** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | EMFDespooling | +| Friendly Name | Always render print jobs on the server | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | ForceCSREMFDespooling | +| ADMX File Name | Printing.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## ForceSoftwareRasterization - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/ForceSoftwareRasterization +``` + + + + Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. -This setting may improve the performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU as compared to the machine’s GPU. +This setting may improve the performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU as compared to the machine's GPU. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Always rasterize content to be printed using a software rasterizer* -- GP name: *ForceSoftwareRasterization* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/IntranetPrintersUrl** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ForceSoftwareRasterization | +| Friendly Name | Always rasterize content to be printed using a software rasterizer | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | ForceSoftwareRasterization | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetPrintersUrl -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/IntranetPrintersUrl +``` + - - + + Adds a link to an Internet or intranet Web page to the Add Printer Wizard. You can use this setting to direct users to a Web page from which they can install printers. -If you enable this setting and type an Internet or intranet address in the text box, the system adds a Browse button to the "Specify a Printer" page in the Add Printer Wizard. The Browse button appears beside the "Connect to a printer on the Internet or on a home or office network" option. When users click Browse, the system opens an Internet browser and navigates to the specified URL address to display the available printers. +- If you enable this setting and type an Internet or intranet address in the text box, the system adds a Browse button to the "Specify a Printer" page in the Add Printer Wizard. The Browse button appears beside the "Connect to a printer on the Internet or on a home or office network" option. When users click Browse, the system opens an Internet browser and navigates to the specified URL address to display the available printers. This setting makes it easy for users to find the printers you want them to add. Also, see the "Custom support URL in the Printers folder's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers." + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Browse a common web site to find printers* -- GP name: *IntranetPrintersUrl* -- GP path: *Control Panel\Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/KMPrintersAreBlocked** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IntranetPrintersUrl | +| Friendly Name | Browse a common web site to find printers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## KMPrintersAreBlocked -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/KMPrintersAreBlocked +``` + - - -Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly written kernel-mode drivers can cause stop errors. + + +Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors. +- If you disable this setting, or do not configure it, then printers using a kernel-mode drivers may be installed on the local computer running Windows XP Home Edition and Windows XP Professional. -If you don't configure this setting on Windows Server 2003 family products, the installation of kernel-mode printer drivers will be blocked. +- If you do not configure this setting on Windows Server 2003 family products, the installation of kernel-mode printer drivers will be blocked. -If you enable this setting, installation of a printer using a kernel-mode driver won't be allowed. +- If you enable this setting, installation of a printer using a kernel-mode driver will not be allowed. > [!NOTE] -> This policy doesn't apply to 64-bit kernel-mode printer drivers as they can't be installed and associated with a print queue. +> By applying this policy, existing kernel-mode drivers will be disabled upon installation of service packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Disallow installation of printers using kernel-mode drivers* -- GP name: *KMPrintersAreBlocked* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/LegacyDefaultPrinterMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | KMPrintersAreBlocked | +| Friendly Name | Disallow installation of printers using kernel-mode drivers | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | KMPrintersAreBlocked | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LegacyDefaultPrinterMode -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/LegacyDefaultPrinterMode +``` + - - + + This preference allows you to change default printer management. -If you enable this setting, Windows won't manage the default printer. +- If you enable this setting, Windows will not manage the default printer. -If you disable this setting, Windows will manage the default printer. +- If you disable this setting, Windows will manage the default printer. -If you don't configure this setting, default printer management won't change. +- If you do not configure this setting, default printer management will not change. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows default printer management* -- GP name: *LegacyDefaultPrinterMode* -- GP path: *Control Panel\Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | LegacyDefaultPrinterMode | +| Friendly Name | Turn off Windows default printer management | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Microsoft\Windows NT\CurrentVersion\Windows | +| Registry Value Name | LegacyDefaultPrinterMode | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MXDWUseLegacyOutputFormatMSXPS -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS +``` + - - -Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2019. + + +Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2022. -If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps). +- If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps). -If you disable or don't configure this policy setting, the default MXDW output format is OpenXPS (*.oxps). +- If you disable or do not configure this policy setting, the default MXDW output format is OpenXPS (*.oxps). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps)* -- GP name: *MXDWUseLegacyOutputFormatMSXPS* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/NoDeletePrinter** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MXDWUseLegacyOutputFormatMSXPS | +| Friendly Name | Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps) | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | MXDWUseLegacyOutputFormatMSXPS | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoDeletePrinter -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/NoDeletePrinter +``` + - - -If this policy setting is enabled, it prevents users from deleting local and network printers. + + +- If this policy setting is enabled, it prevents users from deleting local and network printers. If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the action. -This setting doesn't prevent users from running other programs to delete a printer. +This setting does not prevent users from running other programs to delete a printer. If this policy is disabled, or not configured, users can delete printers using the methods described above. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent deletion of printers* -- GP name: *NoDeletePrinter* -- GP path: *Control Panel\Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/NonDomainPrinters** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoDeletePrinter | +| Friendly Name | Prevent deletion of printers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoDeletePrinter | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NonDomainPrinters -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/NonDomainPrinters +``` + - - -This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer isn't able to reach a domain controller, for example, a domain-joined laptop on a home network.) + + +This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home network.) -If this setting is disabled, the network scan page won't be displayed. +- If this setting is disabled, the network scan page will not be displayed. -If this setting isn't configured, the Add Printer wizard will display the default number of printers of each type: - -- TCP/IP printers: 50 -- Web Services printers: 50 -- Bluetooth printers: 10 -- Shared printers: 50 +If this setting is not configured, the Add Printer wizard will display the default number of printers of each type: +TCP/IP printers: 50 +Web Services printers: 50 +Bluetooth printers: 10 +Shared printers: 50 If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0. -In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or don't configure this policy setting, the default limit is applied. +In Windows 10 and later, only TCP/IP printers can be shown in the wizard. +- If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied. -In Windows 8 and later, Bluetooth printers aren't shown so its limit doesn't apply to those versions of Windows. 
+In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Add Printer wizard - Network scan page (Unmanaged network)* -- GP name: *NonDomainPrinters* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/PackagePointAndPrintOnly** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NonDomainPrinters | +| Friendly Name | Add Printer wizard - Network scan page (Unmanaged network) | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | +| Registry Value Name | NonDomainDisplayPrinters_State | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PackagePointAndPrintOnly -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/PackagePointAndPrintOnly +``` + - - + + This policy restricts clients computers to use package point and print only. -If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When package point and print are being used, client computers will check the driver signature of all drivers that are downloaded from print servers. +- If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. -If this setting is disabled, or not configured, users won't be restricted to package-aware point and print only. +- If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Only use Package Point and print* -- GP name: *PackagePointAndPrintOnly* -- GP path: *Control Panel\Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/PackagePointAndPrintOnly_Win7** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PackagePointAndPrintOnly | +| Friendly Name | Only use Package Point and print | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint | +| Registry Value Name | PackagePointAndPrintOnly | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PackagePointAndPrintOnly_Win7 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/PackagePointAndPrintOnly_Win7 +``` + - - + + This policy restricts clients computers to use package point and print only. -If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When package point and print are being used, client computers will check the driver signature of all drivers that are downloaded from print servers. +- If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. -If this setting is disabled, or not configured, users won't be restricted to package-aware point and print only. +- If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Only use Package Point and print* -- GP name: *PackagePointAndPrintOnly_Win7* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/PackagePointAndPrintServerList** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PackagePointAndPrintOnly_Win7 | +| Friendly Name | Only use Package Point and print | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint | +| Registry Value Name | PackagePointAndPrintOnly | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PackagePointAndPrintServerList -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/PackagePointAndPrintServerList +``` + - - + + Restricts package point and print to approved servers. -This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. +This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. Windows Vista and later clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server. -If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When package point and print are being used, client computers will check the driver signature of all drivers that are downloaded from print servers. +- If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. -If this setting is disabled, or not configured, package point and print won't be restricted to specific print servers. +- If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Package Point and print - Approved servers* -- GP name: *PackagePointAndPrintServerList* -- GP path: *Control Panel\Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/PackagePointAndPrintServerList_Win7** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PackagePointAndPrintServerList | +| Friendly Name | Package Point and print - Approved servers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint | +| Registry Value Name | PackagePointAndPrintServerList | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PackagePointAndPrintServerList_Win7 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/PackagePointAndPrintServerList_Win7 +``` + - - + + Restricts package point and print to approved servers. -This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. +This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. Windows Vista and later clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server. -If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When package point and print are being used, client computers will check the driver signature of all drivers that are downloaded from print servers. +- If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. -If this setting is disabled, or not configured, package point and print won't be restricted to specific print servers. +- If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Package Point and print - Approved servers* -- GP name: *PackagePointAndPrintServerList_Win7* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/PhysicalLocation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PackagePointAndPrintServerList_Win7 | +| Friendly Name | Package Point and print - Approved servers | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint | +| Registry Value Name | PackagePointAndPrintServerList | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PhysicalLocation -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/PhysicalLocation +``` + - - -If this policy setting is enabled, it specifies the default location criteria used when searching for printers. + + +- If this policy setting is enabled, it specifies the default location criteria used when searching for printers. This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the "Pre-populate printer search location text" setting. @@ -1072,380 +1212,495 @@ When Location Tracking is enabled, the system uses the specified location as a c Type the location of the user's computer. When users search for printers, the system uses the specified location (and other search criteria) to find a printer nearby. You can also use this setting to direct users to a particular printer or group of printers that you want them to use. -If you disable this setting or don't configure it, and the user doesn't type a location as a search criterion, the system searches for a nearby printer based on the IP address and subnet mask of the user's computer. +- If you disable this setting or do not configure it, and the user does not type a location as a search criterion, the system searches for a nearby printer based on the IP address and subnet mask of the user's computer. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Computer location* -- GP name: *PhysicalLocation* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/PhysicalLocationSupport** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PhysicalLocation | +| Friendly Name | Computer location | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PhysicalLocationSupport -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/PhysicalLocationSupport +``` + - - + + Enables the physical Location Tracking setting for Windows printers. Use Location Tracking to design a location scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the standard method used to locate and associate computers and printers. The standard method uses a printer's IP address and subnet mask to estimate its physical location and proximity to computers. -If you enable this setting, users can browse for printers by location without knowing the printer's location or location naming scheme. Enabling Location Tracking adds a Browse button in the Add Printer wizard's Printer Name and Sharing Location screen and to the General tab in the Printer Properties dialog box. If you enable the Group Policy Computer location setting, the default location you entered appears in the Location field by default. +- If you enable this setting, users can browse for printers by location without knowing the printer's location or location naming scheme. Enabling Location Tracking adds a Browse button in the Add Printer wizard's Printer Name and Sharing Location screen and to the General tab in the Printer Properties dialog box. If you enable the Group Policy Computer location setting, the default location you entered appears in the Location field by default. -If you disable this setting or don't configure it, Location Tracking is disabled. Printer proximity is estimated using the standard method (that is, based on IP address and subnet mask). +- If you disable this setting or do not configure it, Location Tracking is disabled. Printer proximity is estimated using the standard method (that is, based on IP address and subnet mask). 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Pre-populate printer search location text* -- GP name: *PhysicalLocationSupport* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/PrintDriverIsolationExecutionPolicy** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PhysicalLocationSupport | +| Friendly Name | Pre-populate printer search location text | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | PhysicalLocationSupport | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PrintDriverIsolationExecutionPolicy -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/PrintDriverIsolationExecutionPolicy +``` + - - -This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure won't cause the print spooler service to fail. + + +This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail. -If you enable or don't configure this policy setting, the print spooler will execute print drivers in an isolated process by default. +- If you enable or do not configure this policy setting, the print spooler will execute print drivers in an isolated process by default. -If you disable this policy setting, the print spooler will execute print drivers in the print spooler process. +- If you disable this policy setting, the print spooler will execute print drivers in the print spooler process. -> [!NOTE] -> - Other system or driver policy settings may alter the process in which a print driver is executed. -> - This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications aren't affected. -> - This policy setting takes effect without restarting the print spooler service. +**Note**: +-Other system or driver policy settings may alter the process in which a print driver is executed. +-This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected. +-This policy setting takes effect without restarting the print spooler service. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Execute print drivers in isolated processes* -- GP name: *PrintDriverIsolationExecutionPolicy* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/PrintDriverIsolationOverrideCompat** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PrintDriverIsolationExecutionPolicy | +| Friendly Name | Execute print drivers in isolated processes | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | PrintDriverIsolationExecutionPolicy | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PrintDriverIsolationOverrideCompat -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/PrintDriverIsolationOverrideCompat +``` + - - -This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This policy setting enables executing print drivers in an isolated process, even if the driver doesn't report compatibility. + + +This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility. -If you enable this policy setting, the print spooler isolates all print drivers that don't explicitly opt out of Driver Isolation. +- If you enable this policy setting, the print spooler isolates all print drivers that do not explicitly opt out of Driver Isolation. -If you disable or don't configure this policy setting, the print spooler uses the Driver Isolation compatibility flag value reported by the print driver. +- If you disable or do not configure this policy setting, the print spooler uses the Driver Isolation compatibility flag value reported by the print driver. -> [!NOTE] -> - Other system or driver policy settings may alter the process in which a print driver is executed. -> - This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications aren't affected. -> - This policy setting takes effect without restarting the print spooler service. +**Note**: +-Other system or driver policy settings may alter the process in which a print driver is executed. +-This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected. +-This policy setting takes effect without restarting the print spooler service. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Override print driver execution compatibility setting reported by print driver* -- GP name: *PrintDriverIsolationOverrideCompat* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/PrinterDirectorySearchScope** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PrintDriverIsolationOverrideCompat | +| Friendly Name | Override print driver execution compatibility setting reported by print driver | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | PrintDriverIsolationOverrideCompat | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PrinterDirectorySearchScope -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/PrinterDirectorySearchScope +``` + - - + + Specifies the Active Directory location where searches for printers begin. The Add Printer Wizard gives users the option of searching Active Directory for a shared printer. -If you enable this policy setting, these searches begin at the location you specify in the "Default Active Directory path" box. Otherwise, searches begin at the root of Active Directory. +- If you enable this policy setting, these searches begin at the location you specify in the "Default Active Directory path" box. Otherwise, searches begin at the root of Active Directory. -This setting only provides a starting point for Active Directory searches for printers. It doesn't restrict user searches through Active Directory. +This setting only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Default Active Directory path when searching for printers* -- GP name: *PrinterDirectorySearchScope* -- GP path: *Control Panel\Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/PrinterServerThread** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PrinterDirectorySearchScope | +| Friendly Name | Default Active Directory path when searching for printers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PrinterServerThread -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/PrinterServerThread +``` + - - -Announces the presence of shared printers to print browse main servers for the domain. + + +Announces the presence of shared printers to print servers for the domain. -On domains with Active Directory, shared printer resources are available in Active Directory and aren't announced. +On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. -If you enable this setting, the print spooler announces shared printers to the print browse main servers. +- If you enable this setting, the print spooler announces shared printers to the print servers. -If you disable this setting, shared printers aren't announced to print browse main servers, even if Active Directory isn't available. +- If you disable this setting, shared printers are not announced to print servers, even if Active Directory is not available. -If you don't configure this setting, shared printers are announced to browse main servers only when Active Directory isn't available. +- If you do not configure this setting, shared printers are announced to servers only when Active Directory is not available. > [!NOTE] > A client license is used each time a client computer announces a printer to a print browse master on the domain. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Printer browsing* -- GP name: *PrinterServerThread* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/ShowJobTitleInEventLogs** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PrinterServerThread | +| Friendly Name | Printer browsing | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | ServerThread | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShowJobTitleInEventLogs -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/ShowJobTitleInEventLogs +``` + - - + + This policy controls whether the print job name will be included in print event logs. -If you disable or don't configure this policy setting, the print job name won't be included. +- If you disable or do not configure this policy setting, the print job name will not be included. -If you enable this policy setting, the print job name will be included in new log entries. +- If you enable this policy setting, the print job name will be included in new log entries. > [!NOTE] -> This setting doesn't apply to Branch Office Direct Printing jobs. +> This setting does not apply to Branch Office Direct Printing jobs. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow job name in event logs* -- GP name: *ShowJobTitleInEventLogs* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing/V4DriverDisallowPrinterExtension** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShowJobTitleInEventLogs | +| Friendly Name | Allow job name in event logs | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | ShowJobTitleInEventLogs | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## V4DriverDisallowPrinterExtension -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/V4DriverDisallowPrinterExtension +``` + - - + + This policy determines if v4 printer drivers are allowed to run printer extensions. -V4 printer drivers may include an optional, customized user interface known as a printer extension. These extensions may provide access to more device features, but these extensions may not be appropriate for all enterprises. +V4 printer drivers may include an optional, customized user interface known as a printer extension. These extensions may provide access to more device features, but this may not be appropriate for all enterprises. -If you enable this policy setting, then all printer extensions won't be allowed to run. +- If you enable this policy setting, then all printer extensions will not be allowed to run. -If you disable this policy setting or don't configure it, then all printer extensions that have been installed will be allowed to run. +- If you disable this policy setting or do not configure it, then all printer extensions that have been installed will be allowed to run. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not allow v4 printer drivers to show printer extensions* -- GP name: *V4DriverDisallowPrinterExtension* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | V4DriverDisallowPrinterExtension | +| Friendly Name | Do not allow v4 printer drivers to show printer extensions | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | V4DriverDisallowPrinterExtension | +| ADMX File Name | Printing.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md
index 0b8ff6c5be..dd69376114 100644
--- a/windows/client-management/mdm/policy-csp-admx-printing2.md
+++ b/windows/client-management/mdm/policy-csp-admx-printing2.md 
@@ -1,540 +1,624 @@ --- -title: Policy CSP - ADMX_Printing2 -description: Learn about Policy CSP - ADMX_Printing2. +title: ADMX_Printing2 Policy CSP +description: Learn more about the ADMX_Printing2 Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/15/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Printing2 ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Printing2 policies + +## AutoPublishing -
    -
    - ADMX_Printing2/AutoPublishing -
    -
    - ADMX_Printing2/ImmortalPrintQueue -
    -
    - ADMX_Printing2/PruneDownlevel -
    -
    - ADMX_Printing2/PruningInterval -
    -
    - ADMX_Printing2/PruningPriority -
    -
    - ADMX_Printing2/PruningRetries -
    -
    - ADMX_Printing2/PruningRetryLog -
    -
    - ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint -
    -
    - ADMX_Printing2/VerifyPublishedState -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/AutoPublishing +``` + -
    - - -**ADMX_Printing2/AutoPublishing** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. -If you enable this setting or don't configure it, the Add Printer Wizard automatically publishes all shared printers. +- If you enable this setting or do not configure it, the Add Printer Wizard automatically publishes all shared printers. -If you disable this setting, the Add Printer Wizard doesn't automatically publish printers. However, you can publish shared printers manually. +- If you disable this setting, the Add Printer Wizard does not automatically publish printers. However, you can publish shared printers manually. The default behavior is to automatically publish shared printers in Active Directory. > [!NOTE] > This setting is ignored if the "Allow printers to be published" setting is disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Automatically publish new printers in Active Directory* -- GP name: *AutoPublishing* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing2/ImmortalPrintQueue** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AutoPublishing | +| Friendly Name | Automatically publish new printers in Active Directory | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | +| Registry Value Name | Auto Publishing | +| ADMX File Name | Printing2.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ImmortalPrintQueue -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/ImmortalPrintQueue +``` + - - + + Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer. -By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them doesn't respond to contact requests. When the computer that published the printers restarts, it republishes any deleted printer objects. +By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them does not respond to contact requests. When the computer that published the printers restarts, it republishes any deleted printer objects. -If you enable this setting or don't configure it, the domain controller prunes this computer's printers when the computer doesn't respond. +- If you enable this setting or do not configure it, the domain controller prunes this computer's printers when the computer does not respond. -If you disable this setting, the domain controller doesn't prune this computer's printers. This setting is designed to prevent printers from being pruned when the computer is temporarily disconnected from the network. +- If you disable this setting, the domain controller does not prune this computer's printers. This setting is designed to prevent printers from being pruned when the computer is temporarily disconnected from the network. > [!NOTE] > You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust the contact interval and number of contact attempts. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow pruning of published printers* -- GP name: *ImmortalPrintQueue* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing2/PruneDownlevel** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ImmortalPrintQueue | +| Friendly Name | Allow pruning of published printers | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | Immortal | +| ADMX File Name | Printing2.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PruneDownlevel -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/PruneDownlevel +``` + - - -This policy setting determines whether the pruning service on a domain controller prunes printer objects that aren't automatically republished whenever the host computer doesn't respond, just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest. + + +Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished whenever the host computer does not respond,just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest. -The Windows pruning service prunes printer objects from Active Directory when the computer that published them doesn't respond to contact requests. Computers running Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However, because non-Windows 2000 computers and computers in other domains can't republish printers in Active Directory automatically, by default, the system never prunes their printer objects. +The Windows pruning service prunes printer objects from Active Directory when the computer that published them does not respond to contact requests. Computers running Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However, because non-Windows 2000 computers and computers in other domains cannot republish printers in Active Directory automatically, by default, the system never prunes their printer objects. You can enable this setting to change the default behavior. 
To use this setting, select one of the following options from the "Prune non-republishing printers" box: -- "Never" specifies that printer objects that aren't automatically republished are never pruned. "Never" is the default. +- "Never" specifies that printer objects that are not automatically republished are never pruned. "Never" is the default. -- "Only if Print Server is found" prunes printer objects that aren't automatically republished only when the print server responds, but the printer is unavailable. +- "Only if Print Server is found" prunes printer objects that are not automatically republished only when the print server responds, but the printer is unavailable. -- "Whenever printer is not found" prunes printer objects that aren't automatically republished whenever the host computer doesn't respond, just as it does with Windows 2000 printers. +- "Whenever printer is not found" prunes printer objects that are not automatically republished whenever the host computer does not respond, just as it does with Windows 2000 printers. > [!NOTE] -> This setting applies to printers published by using Active Directory Users and Computers or Pubprn.vbs. It doesn't apply to printers published by using Printers in Control Panel. +> This setting applies to printers published by using Active Directory Users and Computers or Pubprn.vbs. It does not apply to printers published by using Printers in Control Panel. > [!TIP] > If you disable automatic pruning, remember to delete printer objects manually whenever you remove a printer or print server. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prune printers that are not automatically republished* -- GP name: *PruneDownlevel* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing2/PruningInterval** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PruneDownlevel | +| Friendly Name | Prune printers that are not automatically republished | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing2.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PruningInterval -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/PruningInterval +``` + - - + + Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational. -The pruning service periodically contacts computers that have published printers. If a computer doesn't respond to the contact message (optionally, after repeated attempts), the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. +The pruning service periodically contacts computers that have published printers. If a computer does not respond to the contact message (optionally, after repeated attempts), the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. By default, the pruning service contacts computers every eight hours and allows two repeated contact attempts before deleting printers from Active Directory. -If you enable this setting, you can change the interval between contact attempts. +- If you enable this setting, you can change the interval between contact attempts. -If you don't configure or disable this setting, the default values will be used. +If you do not configure or disable this setting the default values will be used. > [!NOTE] > This setting is used only on domain controllers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Directory pruning interval* -- GP name: *PruningInterval* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing2/PruningPriority** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PruningInterval | +| Friendly Name | Directory pruning interval | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing2.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PruningPriority -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/PruningPriority +``` + - - + + Sets the priority of the pruning thread. -The pruning thread, which runs only on domain controllers, deletes printer objects from Active Directory if the printer that published the object doesn't respond to contact attempts. This process keeps printer information in Active Directory current. +The pruning thread, which runs only on domain controllers, deletes printer objects from Active Directory if the printer that published the object does not respond to contact attempts. This process keeps printer information in Active Directory current. -The thread priority influences the order in which the thread receives processor time and determines how likely it's to be preempted by higher priority threads. +The thread priority influences the order in which the thread receives processor time and determines how likely it is to be preempted by higher priority threads. By default, the pruning thread runs at normal priority. However, you can adjust the priority to improve the performance of this service. > [!NOTE] > This setting is used only on domain controllers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Directory pruning priority* -- GP name: *PruningPriority* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing2/PruningRetries** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PruningPriority | +| Friendly Name | Directory pruning priority | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing2.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PruningRetries -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/PruningRetries +``` + - - + + Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the computer's printers. -The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer doesn't respond to the contact message, the message is repeated for the specified number of times. If the computer still fails to respond, then the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. +The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact message, the message is repeated for the specified number of times. If the computer still fails to respond, then the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. By default, the pruning service contacts computers every eight hours and allows two retries before deleting printers from Active Directory. You can use this setting to change the number of retries. -If you enable this setting, you can change the interval between attempts. +- If you enable this setting, you can change the interval between attempts. -If you don't configure or disable this setting, the default values are used. +If you do not configure or disable this setting, the default values are used. > [!NOTE] > This setting is used only on domain controllers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Directory pruning retry* -- GP name: *PruningRetries* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing2/PruningRetryLog** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PruningRetries | +| Friendly Name | Directory pruning retry | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing2.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PruningRetryLog -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/PruningRetryLog +``` + - - + + Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers. -The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer doesn't respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. The "Directory pruning retry" setting determines the number of times the attempt is retried; the default value is two retries. The "Directory Pruning Interval" setting determines the time interval between retries; the default value is every eight hours. If the computer hasn't responded by the last contact attempt, its printers are pruned from the directory. +The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. The "Directory pruning retry" setting determines the number of times the attempt is retried; the default value is two retries. The "Directory Pruning Interval" setting determines the time interval between retries; the default value is every eight hours. If the computer has not responded by the last contact attempt, its printers are pruned from the directory. -If you enable this policy setting, the contact events are recorded in the event log. +- If you enable this policy setting, the contact events are recorded in the event log. -If you disable or don't configure this policy setting, the contact events aren't recorded in the event log. +- If you disable or do not configure this policy setting, the contact events are not recorded in the event log. 
> [!NOTE] -> This setting doesn't affect the logging of pruning events; the actual pruning of a printer is always logged. This setting is used only on domain controllers. +> This setting does not affect the logging of pruning events; the actual pruning of a printer is always logged. - +> [!NOTE] +> This setting is used only on domain controllers. + + + + - -ADMX Info: -- GP Friendly name: *Log directory pruning retry events* -- GP name: *PruningRetryLog* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PruningRetryLog | +| Friendly Name | Log directory pruning retry events | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | PruningRetryLog | +| ADMX File Name | Printing2.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## RegisterSpoolerRemoteRpcEndPoint -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint +``` + + + + This policy controls whether the print spooler will accept client connections. -When the policy isn't configured or enabled, the spooler will always accept client connections. +When the policy is unconfigured or enabled, the spooler will always accept client connections. -When the policy is disabled, the spooler won't accept client connections nor allow users to share printers. All printers currently shared will continue to be shared. +When the policy is disabled, the spooler will not accept client connections nor allow users to share printers. All printers currently shared will continue to be shared. The spooler must be restarted for changes to this policy to take effect. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow Print Spooler to accept client connections* -- GP name: *RegisterSpoolerRemoteRpcEndPoint* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Printing2/VerifyPublishedState** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RegisterSpoolerRemoteRpcEndPoint | +| Friendly Name | Allow Print Spooler to accept client connections | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | RegisterSpoolerRemoteRpcEndPoint | +| ADMX File Name | Printing2.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## VerifyPublishedState -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/VerifyPublishedState +``` + - - + + Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setting also specifies how often the system repeats the verification. By default, the system only verifies published printers at startup. This setting allows for periodic verification while the computer is operating. -To enable this extra verification, enable this setting, and then select a verification interval. +To enable this additional verification, enable this setting, and then select a verification interval. To disable verification, disable this setting, or enable this setting and select "Never" for the verification interval. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Check published state* -- GP name: *VerifyPublishedState* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | VerifyPublishedState |
+| Friendly Name | Check published state |
+| Location | Computer Configuration |
+| Path | Printers |
+| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers |
+| ADMX File Name | Printing2.admx |
+
-## Related topics
+ + +
-[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
\ No newline at end of file
+ + + + + + + +
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md
index 228cd52bf6..1d7a70b423 100644
--- a/windows/client-management/mdm/policy-csp-admx-programs.md
+++ b/windows/client-management/mdm/policy-csp-admx-programs.md
@@ -1,412 +1,478 @@
 ---
-title: Policy CSP - ADMX_Programs
-description: Learn about Policy CSP - ADMX_Programs.
+title: ADMX_Programs Policy CSP
+description: Learn more about the ADMX_Programs Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/09/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 12/01/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+ + + # Policy CSP - ADMX_Programs
->[!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> [!TIP]
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
    + + + - -## ADMX_Programs policies + +## NoDefaultPrograms -
    -
    - ADMX_Programs/NoDefaultPrograms -
    -
    - ADMX_Programs/NoGetPrograms -
    -
    - ADMX_Programs/NoInstalledUpdates -
    -
    - ADMX_Programs/NoProgramsAndFeatures -
    -
    - ADMX_Programs/NoProgramsCPL -
    -
    - ADMX_Programs/NoWindowsFeatures -
    -
    - ADMX_Programs/NoWindowsMarketplace -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Programs/NoDefaultPrograms +``` + -
    - - -**ADMX_Programs/NoDefaultPrograms** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users can't view or change the associated page. + + +This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page. The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations. -If this setting is disabled or not configured, the "Set Program Access and Defaults" button is available to all users. +- If this setting is disabled or not configured, the Set Program Access and Defaults button is available to all users. -This setting doesn't prevent users from using other tools and methods to change program access or defaults. +This setting does not prevent users from using other tools and methods to change program access or defaults. -This setting doesn't prevent the Default Programs icon from appearing on the Start menu. +This setting does not prevent the Default Programs icon from appearing on the Start menu. + - + + + - -ADMX Info: -- GP Friendly name: *Hide "Set Program Access and Computer Defaults" page* -- GP name: *NoDefaultPrograms* -- GP path: *Control Panel\Programs* -- GP ADMX file name: *Programs.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Programs/NoGetPrograms** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoDefaultPrograms | +| Friendly Name | Hide "Set Program Access and Computer Defaults" page | +| Location | User Configuration | +| Path | Control Panel > Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Programs | +| Registry Value Name | NoDefaultPrograms | +| ADMX File Name | Programs.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoGetPrograms -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Programs/NoGetPrograms +``` + + + + Prevents users from viewing or installing published programs from the network. -This setting prevents users from accessing the "Get Programs" page from the Programs Control Panel in Category View, Programs and Features in Classic View and the "Install a program from the network" task. The "Get Programs" page lists published programs and provides an easy way to install them. +This setting prevents users from accessing the "Get Programs" page from the Programs Control Panel in Category View, Programs and Features in Classic View and the "Install a program from the netowrk" task. The "Get Programs" page lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users of their availability, to recommend their use, or to enable users to install them without having to search for installation files. -If this setting is enabled, users can't view the programs that have been published by the system administrator, and they can't use the "Get Programs" page to install published programs. Enabling this feature doesn't prevent users from installing programs by using other methods. Users will still be able to view and installed assigned (partially installed) programs that are offered on the desktop or on the Start menu. +- If this setting is enabled, users cannot view the programs that have been published by the system administrator, and they cannot use the "Get Programs" page to install published programs. Enabling this feature does not prevent users from installing programs by using other methods. 
Users will still be able to view and installed assigned (partially installed) programs that are offered on the desktop or on the Start menu. -If this setting is disabled or isn't configured, the "Install a program from the network" task to the "Get Programs" page will be available to all users. +- If this setting is disabled or is not configured, the "Install a program from the network" task to the "Get Programs" page will be available to all users. > [!NOTE] > If the "Hide Programs Control Panel" setting is enabled, this setting is ignored. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide "Get Programs" page* -- GP name: *NoGetPrograms* -- GP path: *Control Panel\Programs* -- GP ADMX file name: *Programs.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Programs/NoInstalledUpdates** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoGetPrograms | +| Friendly Name | Hide "Get Programs" page | +| Location | User Configuration | +| Path | Control Panel > Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Programs | +| Registry Value Name | NoGetPrograms | +| ADMX File Name | Programs.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoInstalledUpdates -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Programs/NoInstalledUpdates +``` + - - + + This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task. "Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Update or from various program publishers. -If this setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will be available to all users. +- If this setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will be available to all users. -This setting doesn't prevent users from using other tools and methods to install or uninstall programs. +This setting does not prevent users from using other tools and methods to install or uninstall programs. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide "Installed Updates" page* -- GP name: *NoInstalledUpdates* -- GP path: *Control Panel\Programs* -- GP ADMX file name: *Programs.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Programs/NoProgramsAndFeatures** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoInstalledUpdates | +| Friendly Name | Hide "Installed Updates" page | +| Location | User Configuration | +| Path | Control Panel > Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Programs | +| Registry Value Name | NoInstalledUpdates | +| ADMX File Name | Programs.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoProgramsAndFeatures -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Programs/NoProgramsAndFeatures +``` + - - + + This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer. -If this setting is disabled or not configured, "Programs and Features" will be available to all users. +- If this setting is disabled or not configured, "Programs and Features" will be available to all users. -This setting doesn't prevent users from using other tools and methods to view or uninstall programs. It also doesn't prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace. +This setting does not prevent users from using other tools and methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide "Programs and Features" page* -- GP name: *NoProgramsAndFeatures* -- GP path: *Control Panel\Programs* -- GP ADMX file name: *Programs.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Programs/NoProgramsCPL** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoProgramsAndFeatures | +| Friendly Name | Hide "Programs and Features" page | +| Location | User Configuration | +| Path | Control Panel > Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Programs | +| Registry Value Name | NoProgramsAndFeatures | +| ADMX File Name | Programs.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoProgramsCPL -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Programs/NoProgramsCPL +``` + - - + + This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View. The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control Panel. -If this setting is disabled or not configured, the Programs Control Panel in Category View and Programs and Features in Classic View will be available to all users. +- If this setting is disabled or not configured, the Programs Control Panel in Category View and Programs and Features in Classic View will be available to all users. When enabled, this setting takes precedence over the other settings in this folder. -This setting doesn't prevent users from using other tools and methods to install or uninstall programs. +This setting does not prevent users from using other tools and methods to install or uninstall programs. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide the Programs Control Panel* -- GP name: *NoProgramsCPL* -- GP path: *Control Panel\Programs* -- GP ADMX file name: *Programs.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Programs/NoWindowsFeatures** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoProgramsCPL | +| Friendly Name | Hide the Programs Control Panel | +| Location | User Configuration | +| Path | Control Panel > Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Programs | +| Registry Value Name | NoProgramsCPL | +| ADMX File Name | Programs.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoWindowsFeatures -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Programs/NoWindowsFeatures +``` + - - -This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users can't view, enable, or disable various Windows features and services. + + +This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services. -If this setting is disabled or isn't configured, the "Turn Windows features on or off" task will be available to all users. +- If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users. -This setting doesn't prevent users from using other tools and methods to configure services or enable or disable program components. +This setting does not prevent users from using other tools and methods to configure services or enable or disable program components. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide "Windows Features"* -- GP name: *NoWindowsFeatures* -- GP path: *Control Panel\Programs* -- GP ADMX file name: *Programs.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Programs/NoWindowsMarketplace** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoWindowsFeatures | +| Friendly Name | Hide "Windows Features" | +| Location | User Configuration | +| Path | Control Panel > Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Programs | +| Registry Value Name | NoWindowsFeatures | +| ADMX File Name | Programs.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoWindowsMarketplace -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Programs/NoWindowsMarketplace +``` + - - + + This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. Windows Marketplace allows users to purchase and/or download various programs to their computer for installation. -Enabling this feature doesn't prevent users from navigating to Windows Marketplace using other methods. +Enabling this feature does not prevent users from navigating to Windows Marketplace using other methods. -If this feature is disabled or isn't configured, the "Get new programs from Windows Marketplace" task link will be available to all users. +If this feature is disabled or is not configured, the "Get new programs from Windows Marketplace" task link will be available to all users. > [!NOTE] > If the "Hide Programs control Panel" setting is enabled, this setting is ignored. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide "Windows Marketplace"* -- GP name: *NoWindowsMarketplace* -- GP path: *Control Panel\Programs* -- GP ADMX file name: *Programs.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | NoWindowsMarketplace | +| Friendly Name | Hide "Windows Marketplace" | +| Location | User Configuration | +| Path | Control Panel > Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Programs | +| Registry Value Name | NoWindowsMarketplace | +| ADMX File Name | Programs.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md index 3efeeafc81..a2094c9c4e 100644 --- a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md +++ b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md 
@@ -1,83 +1,92 @@
 ---
-title: Policy CSP - ADMX_PushToInstall
-description: Learn about Policy CSP - ADMX_PushToInstall.
+title: ADMX_PushToInstall Policy CSP
+description: Learn more about the ADMX_PushToInstall Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/09/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 12/01/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+ + + # Policy CSP - ADMX_PushToInstall > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_PushToInstall policies + +## DisablePushToInstall -
    -
    - ADMX_PushToInstall/DisablePushToInstall -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PushToInstall/DisablePushToInstall +``` + -
    + + +- If you enable this setting, users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web. + - -**ADMX_PushToInstall/DisablePushToInstall** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | DisablePushToInstall | +| Friendly Name | Turn off Push To Install service | +| Location | Computer Configuration | +| Path | Windows Components > Push To Install | +| Registry Key Name | Software\Policies\Microsoft\PushToInstall | +| Registry Value Name | DisablePushToInstall | +| ADMX File Name | PushToInstall.admx | + -
    + + + - - -If you enable this setting, users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Push To Install service* -- GP name: *DisablePushToInstall* -- GP path: *Windows Components\Push To Install* -- GP ADMX file name: *PushToInstall.admx* + - - +## Related articles - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-qos.md b/windows/client-management/mdm/policy-csp-admx-qos.md
index 615fe1f468..d81a28a193 100644
--- a/windows/client-management/mdm/policy-csp-admx-qos.md
+++ b/windows/client-management/mdm/policy-csp-admx-qos.md
@@ -1,10 +1,10 @@
 ---
 title: ADMX_QOS Policy CSP
-description: Learn more about the ADMX_QOS Area in Policy CSP
+description: Learn more about the ADMX_QOS Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 11/29/2022
+ms.date: 01/09/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_QOS > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -43,15 +41,17 @@ ms.topic: reference + Specifies the maximum number of outstanding packets permitted on the system. When the number of outstanding packets reaches this limit, the Packet Scheduler postpones all submissions to network adapters until the number falls below this limit. "Outstanding packets" are packets that the Packet Scheduler has submitted to a network adapter for transmission, but which have not yet been sent. -If you enable this setting, you can limit the number of outstanding packets. +- If you enable this setting, you can limit the number of outstanding packets. -If you disable this setting or do not configure it, then the setting has no effect on the system. +- If you disable this setting or do not configure it, then the setting has no effect on the system. -Important: If the maximum number of outstanding packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the maximum number of outstanding packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -68,6 +68,9 @@ Important: If the maximum number of outstanding packets is specified in the regi +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -102,15 +105,17 @@ Important: If the maximum number of outstanding packets is specified in the regi + Determines the percentage of connection bandwidth that the system can reserve. This value limits the combined bandwidth reservations of all programs running on the system. By default, the Packet Scheduler limits the system to 80 percent of the bandwidth of a connection, but you can use this setting to override the default. -If you enable this setting, you can use the "Bandwidth limit" box to adjust the amount of bandwidth the system can reserve. +- If you enable this setting, you can use the "Bandwidth limit" box to adjust the amount of bandwidth the system can reserve. -If you disable this setting or do not configure it, the system uses the default value of 80 percent of the connection. +- If you disable this setting or do not configure it, the system uses the default value of 80 percent of the connection. -Important: If a bandwidth limit is set for a particular network adapter in the registry, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If a bandwidth limit is set for a particular network adapter in the registry, this setting is ignored when configuring that network adapter. @@ -127,6 +132,9 @@ Important: If a bandwidth limit is set for a particular network adapter in the r +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -161,15 +169,17 @@ Important: If a bandwidth limit is set for a particular network adapter in the r + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Best Effort service type. +- If you enable this setting, you can change the default DSCP value associated with the Best Effort service type. -If you disable this setting, the system uses the default DSCP value of 0. +- If you disable this setting, the system uses the default DSCP value of 0. -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -186,6 +196,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -220,15 +233,17 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that do not conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Best Effort service type. +- If you enable this setting, you can change the default DSCP value associated with the Best Effort service type. -If you disable this setting, the system uses the default DSCP value of 0. +- If you disable this setting, the system uses the default DSCP value of 0. -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -245,6 +260,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -279,13 +297,15 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate link layer (Layer-2) priority value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. -If you enable this setting, you can change the default priority value associated with the Best Effort service type. +- If you enable this setting, you can change the default priority value associated with the Best Effort service type. -If you disable this setting, the system uses the default priority value of 0. +- If you disable this setting, the system uses the default priority value of 0. -Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -302,6 +322,9 @@ Important: If the Layer-2 priority value for this service type is specified in t +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -336,15 +359,17 @@ Important: If the Layer-2 priority value for this service type is specified in t + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type. +- If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type. -If you disable this setting, the system uses the default DSCP value of 24 (0x18). +- If you disable this setting, the system uses the default DSCP value of 24 (0x18). -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -361,6 +386,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -395,15 +423,17 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that do not conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type. +- If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type. -If you disable this setting, the system uses the default DSCP value of 0. +- If you disable this setting, the system uses the default DSCP value of 0. -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -420,6 +450,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -454,13 +487,15 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate link layer (Layer-2) priority value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. -If you enable this setting, you can change the default priority value associated with the Controlled Load service type. +- If you enable this setting, you can change the default priority value associated with the Controlled Load service type. -If you disable this setting, the system uses the default priority value of 0. +- If you disable this setting, the system uses the default priority value of 0. -Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -477,6 +512,9 @@ Important: If the Layer-2 priority value for this service type is specified in t +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -511,15 +549,17 @@ Important: If the Layer-2 priority value for this service type is specified in t + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type. +- If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type. -If you disable this setting, the system uses the default DSCP value of 40 (0x28). +- If you disable this setting, the system uses the default DSCP value of 40 (0x28). -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -536,6 +576,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -570,15 +613,17 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that do not conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type. +- If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type. -If you disable this setting, the system uses the default DSCP value of 0. +- If you disable this setting, the system uses the default DSCP value of 0. -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -595,6 +640,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -629,13 +677,15 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate link layer (Layer-2) priority value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. -If you enable this setting, you can change the default priority value associated with the Guaranteed service type. +- If you enable this setting, you can change the default priority value associated with the Guaranteed service type. -If you disable this setting, the system uses the default priority value of 0. +- If you disable this setting, the system uses the default priority value of 0. -Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -652,6 +702,9 @@ Important: If the Layer-2 priority value for this service type is specified in t +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -686,15 +739,17 @@ Important: If the Layer-2 priority value for this service type is specified in t + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Network Control service type. +- If you enable this setting, you can change the default DSCP value associated with the Network Control service type. -If you disable this setting, the system uses the default DSCP value of 48 (0x30). +- If you disable this setting, the system uses the default DSCP value of 48 (0x30). -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -711,6 +766,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -745,15 +803,17 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that do not conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Network Control service type. +- If you enable this setting, you can change the default DSCP value associated with the Network Control service type. -If you disable this setting, the system uses the default DSCP value of 0. +- If you disable this setting, the system uses the default DSCP value of 0. -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -770,6 +830,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -804,13 +867,15 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate link layer (Layer-2) priority value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. -If you enable this setting, you can change the default priority value associated with the Network Control service type. +- If you enable this setting, you can change the default priority value associated with the Network Control service type. -If you disable this setting, the system uses the default priority value of 0. +- If you disable this setting, the system uses the default priority value of 0. -Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -827,6 +892,9 @@ Important: If the Layer-2 priority value for this service type is specified in t +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -861,13 +929,15 @@ Important: If the Layer-2 priority value for this service type is specified in t + Specifies an alternate link layer (Layer-2) priority value for packets that do not conform to the flow specification. The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. -If you enable this setting, you can change the default priority value associated with nonconforming packets. +- If you enable this setting, you can change the default priority value associated with nonconforming packets. -If you disable this setting, the system uses the default priority value of 0. +- If you disable this setting, the system uses the default priority value of 0. -Important: If the Layer-2 priority value for nonconforming packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the Layer-2 priority value for nonconforming packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -884,6 +954,9 @@ Important: If the Layer-2 priority value for nonconforming packets is specified +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -918,15 +991,17 @@ Important: If the Layer-2 priority value for nonconforming packets is specified + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Qualitative service type. +- If you enable this setting, you can change the default DSCP value associated with the Qualitative service type. -If you disable this setting, the system uses the default DSCP value of 0. +- If you disable this setting, the system uses the default DSCP value of 0. -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -943,6 +1018,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -977,15 +1055,17 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that do not conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Qualitative service type. +- If you enable this setting, you can change the default DSCP value associated with the Qualitative service type. -If you disable this setting, the system uses the default DSCP value of 0. +- If you disable this setting, the system uses the default DSCP value of 0. -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -1002,6 +1082,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -1036,13 +1119,15 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate link layer (Layer-2) priority value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. -If you enable this setting, you can change the default priority value associated with the Qualitative service type. +- If you enable this setting, you can change the default priority value associated with the Qualitative service type. -If you disable this setting, the system uses the default priority value of 0. +- If you disable this setting, the system uses the default priority value of 0. -Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -1059,6 +1144,9 @@ Important: If the Layer-2 priority value for this service type is specified in t +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | 
@@ -1093,13 +1181,15 @@ Important: If the Layer-2 priority value for this service type is specified in t + Determines the smallest unit of time that the Packet Scheduler uses when scheduling packets for transmission. The Packet Scheduler cannot schedule packets for transmission more frequently than permitted by the value of this entry. -If you enable this setting, you can override the default timer resolution established for the system, usually units of 10 microseconds. +- If you enable this setting, you can override the default timer resolution established for the system, usually units of 10 microseconds. -If you disable this setting or do not configure it, the setting has no effect on the system. +- If you disable this setting or do not configure it, the setting has no effect on the system. -Important: If a timer resolution is specified in the registry for a particular network adapter, then this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If a timer resolution is specified in the registry for a particular network adapter, then this setting is ignored when configuring that network adapter. @@ -1116,6 +1206,9 @@ Important: If a timer resolution is specified in the registry for a particular n +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md index 13a94d8fbf..2c6b557f6b 100644 --- a/windows/client-management/mdm/policy-csp-admx-radar.md +++ b/windows/client-management/mdm/policy-csp-admx-radar.md 
@@ -1,99 +1,104 @@ --- -title: Policy CSP - ADMX_Radar -description: Learn about Policy CSP - ADMX_Radar. +title: ADMX_Radar Policy CSP +description: Learn more about the ADMX_Radar Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/08/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Radar > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Radar policies + +## WdiScenarioExecutionPolicy -
    -
    - ADMX_Radar/WdiScenarioExecutionPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Radar/WdiScenarioExecutionPolicy +``` + -
    + + +Determines the execution level for Windows Resource Exhaustion Detection and Resolution. - -**ADMX_Radar/WdiScenarioExecutionPolicy** +- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Resource Exhaustion problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Resource Exhaustion problems and indicate to the user that assisted resolution is available. - +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Resource Exhaustion problems that are handled by the DPS. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you do not configure this policy setting, the DPS will enable Windows Resource Exhaustion for resolution by default. - -
    +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +No system restart or service restart is required for this policy to take effect: changes take effect immediately. -> [!div class = "checklist"] -> * Device +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + -
    + + + - - -This policy determines the execution level for Windows Resource Exhaustion Detection and Resolution. + +**Description framework properties**: -If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Resource Exhaustion problems and attempt to determine their root causes. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting, and resolution, the DPS will detect Windows Resource Exhaustion problems and indicate to the user that assisted resolution is available. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Resource Exhaustion problems that are handled by the DPS. +**ADMX mapping**: -If you don't configure this policy setting, the DPS will enable Windows Resource Exhaustion for resolution by default. -This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. 
+| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Configure Scenario Execution Level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Windows Resource Exhaustion Detection and Resolution | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{3af8b24a-c441-4fa4-8c5c-bed591bfa867} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | Radar.admx | + -No system restart or service restart is required for this policy to take effect; changes take effect immediately. + + + ->[!Note] -> This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + - + + + - -ADMX Info: -- GP Friendly name: *Configure Scenario Execution Level* -- GP name: *WdiScenarioExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Windows Resource Exhaustion Detection and Resolution* -- GP ADMX file name: *Radar.admx* + -
    +## Related articles - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index d6f224badc..1ac41a1abb 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md 
@@ -1,266 +1,301 @@ --- -title: Policy CSP - ADMX_Reliability -description: Policy CSP - ADMX_Reliability +title: ADMX_Reliability Policy CSP +description: Learn more about the ADMX_Reliability Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Reliability ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Reliability policies + +## EE_EnablePersistentTimeStamp -
    -
    - ADMX_Reliability/EE_EnablePersistentTimeStamp -
    -
    - ADMX_Reliability/PCH_ReportShutdownEvents -
    -
    - ADMX_Reliability/ShutdownEventTrackerStateFile -
    -
    - ADMX_Reliability/ShutdownReason -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Reliability/EE_EnablePersistentTimeStamp +``` + -
    - - -**ADMX_Reliability/EE_EnablePersistentTimeStamp** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. -If you enable this policy setting, you're able to specify how often the Persistent System Timestamp is refreshed and then written to the disk. You can specify the Timestamp Interval in seconds. +- If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds. -If you disable this policy setting, the Persistent System Timestamp is turned off and the timing of unexpected shutdowns isn't recorded. +- If you disable this policy setting, the Persistent System Timestamp is turned off and the timing of unexpected shutdowns is not recorded. -If you don't configure this policy setting, the Persistent System Timestamp is refreshed according to the default, which is every 60 seconds beginning with Windows Server 2003. +- If you do not configure this policy setting, the Persistent System Timestamp is refreshed according the default, which is every 60 seconds beginning with Windows Server 2003. > [!NOTE] > This feature might interfere with power configuration settings that turn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable Persistent Time Stamp* -- GP name: *EE_EnablePersistentTimeStamp* -- GP path: *System* -- GP ADMX file name: *Reliability.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Reliability/PCH_ReportShutdownEvents** +| Name | Value | +|:--|:--| +| Name | EE_EnablePersistentTimeStamp | +| Friendly Name | Enable Persistent Time Stamp | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Reliability | +| Registry Value Name | TimeStampEnabled | +| ADMX File Name | Reliability.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## PCH_ReportShutdownEvents - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Reliability/PCH_ReportShutdownEvents +``` + -
    - - - + + This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. -If you enable this policy setting, error reporting includes unplanned shutdown events. +- If you enable this policy setting, error reporting includes unplanned shutdown events. -If you disable this policy setting, unplanned shutdown events aren't included in error reporting. +- If you disable this policy setting, unplanned shutdown events are not included in error reporting. -If you don't configure this policy setting, users can adjust this setting using the control panel, which is set to "Upload unplanned shutdown events" by default. +- If you do not configure this policy setting, users can adjust this setting using the control panel, which is set to "Upload unplanned shutdown events" by default. Also see the "Configure Error Reporting" policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Report unplanned shutdown events* -- GP name: *PCH_ReportShutdownEvents* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *Reliability.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Reliability/ShutdownEventTrackerStateFile** +| Name | Value | +|:--|:--| +| Name | PCH_ReportShutdownEvents | +| Friendly Name | Report unplanned shutdown events | +| Location | Computer Configuration | +| Path | CAT_WindowsErrorReporting > Advanced Error Reporting Settings | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting | +| Registry Value Name | IncludeShutdownErrs | +| ADMX File Name | Reliability.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## ShutdownEventTrackerStateFile - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Reliability/ShutdownEventTrackerStateFile +``` + -
    - - - + + This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. -The system state data file contains information about the basic system state and the state of all running processes. +The system state data file contains information about the basic system state as well as the state of all running processes. -If you enable this policy setting, the System State Data feature is activated when the user indicates that the shutdown or restart is unplanned. +- If you enable this policy setting, the System State Data feature is activated when the user indicates that the shutdown or restart is unplanned. -If you disable this policy setting, the System State Data feature is never activated. +- If you disable this policy setting, the System State Data feature is never activated. -If you don't configure this policy setting, the default behavior for the System State Data feature occurs. +- If you do not configure this policy setting, the default behavior for the System State Data feature occurs. +> [!NOTE] +> By default, the System State Data feature is always enabled on Windows Server 2003. See "Supported on" for all supported versions. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Activate Shutdown Event Tracker System State Data feature* -- GP name: *ShutdownEventTrackerStateFile* -- GP path: *System* -- GP ADMX file name: *Reliability.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Reliability/ShutdownReason** +| Name | Value | +|:--|:--| +| Name | ShutdownEventTrackerStateFile | +| Friendly Name | Activate Shutdown Event Tracker System State Data feature | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Reliability | +| Registry Value Name | SnapShot | +| ADMX File Name | Reliability.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## ShutdownReason - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Reliability/ShutdownReason +``` + -
    + + +The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. - - -The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This tracker is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you're shutting down the computer. +- If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down. -If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down. +- If you enable this policy setting and choose "Server Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running Windows Server. (See "Supported on" for supported versions.) -If you enable this policy setting and choose "Server Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running Windows Server. (See "Supported on" for supported versions.) +- If you enable this policy setting and choose "Workstation Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running a client version of Windows. (See "Supported on" for supported versions.) -If you enable this policy setting and choose "Workstation Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running a client version of Windows. (See "Supported on" for supported versions.) +- If you disable this policy setting, the Shutdown Event Tracker is not displayed when you shut down the computer. -If you disable this policy setting, the Shutdown Event Tracker isn't displayed when you shut down the computer. 
- -If you don't configure this policy setting, the default behavior for the Shutdown Event Tracker occurs. +- If you do not configure this policy setting, the default behavior for the Shutdown Event Tracker occurs. > [!NOTE] > By default, the Shutdown Event Tracker is only displayed on computers running Windows Server. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display Shutdown Event Tracker* -- GP name: *ShutdownReason* -- GP path: *System* -- GP ADMX file name: *Reliability.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | ShutdownReason | +| Friendly Name | Display Shutdown Event Tracker | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Reliability | +| Registry Value Name | ShutdownReasonOn | +| ADMX File Name | Reliability.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md index bece2eb4d9..faee594f91 100644 --- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md 
@@ -1,159 +1,174 @@ --- -title: Policy CSP - ADMX_RemoteAssistance -description: Learn about Policy CSP - ADMX_RemoteAssistance. +title: ADMX_RemoteAssistance Policy CSP +description: Learn more about the ADMX_RemoteAssistance Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/14/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_RemoteAssistance ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_RemoteAssistance policies + +## RA_EncryptedTicketOnly -
    -
    - ADMX_RemoteAssistance/RA_EncryptedTicketOnly -
    -
    - ADMX_RemoteAssistance/RA_Optimize_Bandwidth -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemoteAssistance/RA_EncryptedTicketOnly +``` + -
    + + +This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance. - -**ADMX_RemoteAssistance/RA_EncryptedTicketOnly** +- If you enable this policy setting, only computers running this version (or later versions) of the operating system can connect to this computer. - +- If you disable this policy setting, computers running this version and a previous version of the operating system can connect to this computer. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you do not configure this policy setting, users can configure the setting in System Properties in the Control Panel. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting doesn't affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance. +**ADMX mapping**: -If you enable this policy setting, only computers running this version (or later versions) of the operating system can connect to this computer. +| Name | Value | +|:--|:--| +| Name | RA_EncryptedTicketOnly | +| Friendly Name | Allow only Windows Vista or later connections | +| Location | Computer Configuration | +| Path | System > Remote Assistance | +| Registry Key Name | Software\policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | CreateEncryptedOnlyTickets | +| ADMX File Name | RemoteAssistance.admx | + -If you disable this policy setting, computers running this version and a previous version of the operating system can connect to this computer. + + + -If you don't configure this policy setting, users can configure this setting in System Properties in the Control Panel. + - + +## RA_Optimize_Bandwidth + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Allow only Windows Vista or later connections* -- GP name: *RA_EncryptedTicketOnly* -- GP path: *System\Remote Assistance* -- GP ADMX file name: *RemoteAssistance.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemoteAssistance/RA_Optimize_Bandwidth +``` + - - -
    - - -**ADMX_RemoteAssistance/RA_Optimize_Bandwidth** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to improve performance in low bandwidth scenarios. -This setting is incrementally scaled from "No optimization" to "Full optimization". Each incremental setting includes the previous optimization setting. +This setting is incrementally scaled from "No optimization" to "Full optimization". Each incremental setting includes the previous optimization setting. For example: "Turn off background" will include the following optimizations: - -- No full window drag -- Turn off background +-No full window drag +-Turn off background "Full optimization" will include the following optimizations: +-Use 16-bit color (8-bit color in Windows Vista) +-Turn off font smoothing (not supported in Windows Vista) +-No full window drag +-Turn off background -- Use 16-bit color (8-bit color in Windows Vista) -- Turn off font smoothing (not supported in Windows Vista) -- No full window drag -- Turn off background +- If you enable this policy setting, bandwidth optimization occurs at the level specified. -If you enable this policy setting, bandwidth optimization occurs at the level specified. +- If you disable this policy setting, application-based settings are used. -If you disable this policy setting, application-based settings are used. +- If you do not configure this policy setting, application-based settings are used. + -If you don't configure this policy setting, application-based settings are used. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Turn on bandwidth optimization* -- GP name: *RA_Optimize_Bandwidth* -- GP path: *System\Remote Assistance* -- GP ADMX file name: *RemoteAssistance.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | RA_Optimize_Bandwidth | +| Friendly Name | Turn on bandwidth optimization | +| Location | Computer Configuration | +| Path | System > Remote Assistance | +| Registry Key Name | Software\policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UseBandwidthOptimization | +| ADMX File Name | RemoteAssistance.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md index 13c9f54981..27e48cd062 100644 --- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md 
@@ -1,1623 +1,1969 @@ --- -title: Policy CSP - ADMX_RemovableStorage -description: Learn about Policy CSP - ADMX_RemovableStorage. +title: ADMX_RemovableStorage Policy CSP +description: Learn more about the ADMX_RemovableStorage Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/10/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_RemovableStorage ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_RemovableStorage policies + +## AccessRights_RebootTime_1 -
    -
    - ADMX_RemovableStorage/AccessRights_RebootTime_1 -
    -
    - ADMX_RemovableStorage/AccessRights_RebootTime_2 -
    -
    - ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2 -
    -
    - ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2 -
    -
    - ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2 -
    -
    - ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2 -
    -
    - ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2 -
    -
    - ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2 -
    -
    - ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1 -
    -
    - ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2 -
    -
    - ADMX_RemovableStorage/Removable_Remote_Allow_Access -
    -
    - ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2 -
    -
    - ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2 -
    -
    - ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/AccessRights_RebootTime_1 +``` + -
    - - -**ADMX_RemovableStorage/AccessRights_RebootTime_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. -If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. +- If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. -If you disable or don't configure this setting, the operating system does not force a reboot. +- If you disable or do not configure this setting, the operating system does not force a reboot. > [!NOTE] > If no reboot is forced, the access right does not take effect until the operating system is restarted. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set time (in seconds) to force reboot* -- GP name: *AccessRights_RebootTime_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_RemovableStorage/AccessRights_RebootTime_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AccessRights_RebootTime_1 | +| Friendly Name | Set time (in seconds) to force reboot | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices | +| Registry Value Name | RebootTimeinSeconds_state | +| ADMX File Name | RemovableStorage.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AccessRights_RebootTime_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/AccessRights_RebootTime_2 +``` + - - + + This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. -If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. +- If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. -If you disable or don't configure this setting, the operating system does not force a reboot +- If you disable or do not configure this setting, the operating system does not force a reboot. > [!NOTE] > If no reboot is forced, the access right does not take effect until the operating system is restarted. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set time (in seconds) to force reboot* -- GP name: *AccessRights_RebootTime_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AccessRights_RebootTime_2 | +| Friendly Name | Set time (in seconds) to force reboot | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices | +| Registry Value Name | RebootTimeinSeconds_state | +| ADMX File Name | RemovableStorage.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CDandDVD_DenyExecute_Access_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2 +``` + - - + + This policy setting denies execute access to the CD and DVD removable storage class. -If you enable this policy setting, execute access is denied to this removable storage class. +- If you enable this policy setting, execute access is denied to this removable storage class. -If you disable or don't configure this policy setting, execute access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *CD and DVD: Deny execute access* -- GP name: *CDandDVD_DenyExecute_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CDandDVD_DenyExecute_Access_2 | +| Friendly Name | CD and DVD: Deny execute access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Execute | +| ADMX File Name | RemovableStorage.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CDandDVD_DenyRead_Access_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1 +``` + - - + + This policy setting denies read access to the CD and DVD removable storage class. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. - +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + - -ADMX Info: -- GP Friendly name: *CD and DVD: Deny read access* -- GP name: *CDandDVD_DenyRead_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CDandDVD_DenyRead_Access_1 | +| Friendly Name | CD and DVD: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## CDandDVD_DenyRead_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2 +``` + + + + This policy setting denies read access to the CD and DVD removable storage class. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *CD and DVD: Deny read access* -- GP name: *CDandDVD_DenyRead_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CDandDVD_DenyRead_Access_2 | +| Friendly Name | CD and DVD: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CDandDVD_DenyWrite_Access_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1 +``` + - - + + This policy setting denies write access to the CD and DVD removable storage class. -If you enable this policy setting, write access is denied to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *CD and DVD: Deny write access* -- GP name: *CDandDVD_DenyWrite_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CDandDVD_DenyWrite_Access_1 | +| Friendly Name | CD and DVD: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CDandDVD_DenyWrite_Access_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2 +``` + - - + + This policy setting denies write access to the CD and DVD removable storage class. -If you enable this policy setting, write access is denied to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *CD and DVD: Deny write access* -- GP name: *CDandDVD_DenyWrite_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CDandDVD_DenyWrite_Access_2 | +| Friendly Name | CD and DVD: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CustomClasses_DenyRead_Access_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1 +``` + - - + + This policy setting denies read access to custom removable storage classes. -If you enable this policy setting, read access is denied to these removable storage classes. +- If you enable this policy setting, read access is denied to these removable storage classes. -If you disable or don't configure this policy setting, read access is allowed to these removable storage classes. +- If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Custom Classes: Deny read access* -- GP name: *CustomClasses_DenyRead_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CustomClasses_DenyRead_Access_1 | +| Friendly Name | Custom Classes: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Read | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CustomClasses_DenyRead_Access_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2 +``` + - - + + This policy setting denies read access to custom removable storage classes. -If you enable this policy setting, read access is denied to these removable storage classes. +- If you enable this policy setting, read access is denied to these removable storage classes. -If you disable or don't configure this policy setting, read access is allowed to these removable storage classes. +- If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Custom Classes: Deny read access* -- GP name: *CustomClasses_DenyRead_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CustomClasses_DenyRead_Access_2 | +| Friendly Name | Custom Classes: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Read | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CustomClasses_DenyWrite_Access_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1 +``` + - - + + This policy setting denies write access to custom removable storage classes. -If you enable this policy setting, write access is denied to these removable storage classes. +- If you enable this policy setting, write access is denied to these removable storage classes. -If you disable or don't configure this policy setting, write access is allowed to these removable storage classes. +- If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Custom Classes: Deny write access* -- GP name: *CustomClasses_DenyWrite_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CustomClasses_DenyWrite_Access_1 | +| Friendly Name | Custom Classes: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Write | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## CustomClasses_DenyWrite_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2 +``` + + + + This policy setting denies write access to custom removable storage classes. -If you enable this policy setting, write access is denied to these removable storage classes. +- If you enable this policy setting, write access is denied to these removable storage classes. -If you disable or don't configure this policy setting, write access is allowed to these removable storage classes. +- If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Custom Classes: Deny write access* -- GP name: *CustomClasses_DenyWrite_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CustomClasses_DenyWrite_Access_2 | +| Friendly Name | Custom Classes: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Write | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## FloppyDrives_DenyExecute_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2 +``` + + + + This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. -If you enable this policy setting, execute access is denied to this removable storage class. +- If you enable this policy setting, execute access is denied to this removable storage class. -If you disable or don't configure this policy setting, execute access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Floppy Drives: Deny execute access* -- GP name: *FloppyDrives_DenyExecute_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | FloppyDrives_DenyExecute_Access_2 | +| Friendly Name | Floppy Drives: Deny execute access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Execute | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## FloppyDrives_DenyRead_Access_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1 +``` + + + + This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Floppy Drives: Deny read access* -- GP name: *FloppyDrives_DenyRead_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | FloppyDrives_DenyRead_Access_1 | +| Friendly Name | Floppy Drives: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## FloppyDrives_DenyRead_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2 +``` + + + + This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Floppy Drives: Deny read access* -- GP name: *FloppyDrives_DenyRead_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | FloppyDrives_DenyRead_Access_2 | +| Friendly Name | Floppy Drives: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## FloppyDrives_DenyWrite_Access_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1 +``` + + + + This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. -If you enable this policy setting, write access is denied to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. - +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + - -ADMX Info: -- GP Friendly name: *Floppy Drives: Deny write access* -- GP name: *FloppyDrives_DenyWrite_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    + +**Description framework properties**: - -**ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | FloppyDrives_DenyWrite_Access_1 | +| Friendly Name | Floppy Drives: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## FloppyDrives_DenyWrite_Access_2 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2 +``` + + + + This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. -If you enable this policy setting, write access is denied to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Floppy Drives: Deny write access* -- GP name: *FloppyDrives_DenyWrite_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | FloppyDrives_DenyWrite_Access_2 | +| Friendly Name | Floppy Drives: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Removable_Remote_Allow_Access -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/Removable_Remote_Allow_Access +``` + + + + +This policy setting grants normal users direct access to removable storage devices in remote sessions. + +- If you enable this policy setting, remote users can open direct handles to removable storage devices in remote sessions. + +- If you disable or do not configure this policy setting, remote users cannot open direct handles to removable storage devices in remote sessions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Removable_Remote_Allow_Access | +| Friendly Name | All Removable Storage: Allow direct access in remote sessions | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices | +| Registry Value Name | AllowRemoteDASD | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## RemovableDisks_DenyExecute_Access_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2 +``` + + + + This policy setting denies execute access to removable disks. -If you enable this policy setting, execute access is denied to this removable storage class. +- If you enable this policy setting, execute access is denied to this removable storage class. -If you disable or don't configure this policy setting, execute access is allowed to this removable storage class. - +- If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + + + + - -ADMX Info: -- GP Friendly name: *Removable Disks: Deny execute access* -- GP name: *RemovableDisks_DenyExecute_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    + +**Description framework properties**: - -**ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | RemovableDisks_DenyExecute_Access_2 | +| Friendly Name | Removable Disks: Deny execute access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Execute | +| ADMX File Name | RemovableStorage.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## RemovableDisks_DenyRead_Access_1 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1 +``` + + + + This policy setting denies read access to removable disks. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Removable Disks: Deny read access* -- GP name: *RemovableDisks_DenyRead_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | RemovableDisks_DenyRead_Access_1 | +| Friendly Name | Removable Disks: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## RemovableDisks_DenyRead_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2 +``` + + + + This policy setting denies read access to removable disks. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. - +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + - -ADMX Info: -- GP Friendly name: *Removable Disks: Deny read access* -- GP name: *RemovableDisks_DenyRead_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    + +**Description framework properties**: - -**ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | RemovableDisks_DenyRead_Access_2 | +| Friendly Name | Removable Disks: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## RemovableDisks_DenyWrite_Access_1 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1 +``` + + + + This policy setting denies write access to removable disks. -If you enable this policy setting, write access is denied to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. > [!NOTE] > To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Removable Disks: Deny write access* -- GP name: *RemovableDisks_DenyWrite_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | RemovableDisks_DenyWrite_Access_1 | +| Friendly Name | Removable Disks: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## RemovableStorageClasses_DenyAll_Access_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1 +``` + + + + Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. -If you enable this policy setting, no access is allowed to any removable storage class. +- If you enable this policy setting, no access is allowed to any removable storage class. -If you disable or don't configure this policy setting, write and read accesses are allowed to all removable storage classes. +- If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *All Removable Storage classes: Deny all access* -- GP name: *RemovableStorageClasses_DenyAll_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | RemovableStorageClasses_DenyAll_Access_1 | +| Friendly Name | All Removable Storage classes: Deny all access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices | +| Registry Value Name | Deny_All | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## RemovableStorageClasses_DenyAll_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2 +``` + + + + Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. -If you enable this policy setting, no access is allowed to any removable storage class. +- If you enable this policy setting, no access is allowed to any removable storage class. -If you disable or don't configure this policy setting, write and read accesses are allowed to all removable storage classes. +- If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *All Removable Storage classes: Deny all access* -- GP name: *RemovableStorageClasses_DenyAll_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/Removable_Remote_Allow_Access** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | RemovableStorageClasses_DenyAll_Access_2 | +| Friendly Name | All Removable Storage classes: Deny all access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices | +| Registry Value Name | Deny_All | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TapeDrives_DenyExecute_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting grants normal users direct access to removable storage devices in remote sessions. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2 +``` + -If you enable this policy setting, remote users can open direct handles to removable storage devices in remote sessions. - -If you disable or don't configure this policy setting, remote users cannot open direct handles to removable storage devices in remote sessions. - - - - - -ADMX Info: -- GP Friendly name: *All Removable Storage: Allow direct access in remote sessions* -- GP name: *Removable_Remote_Allow_Access* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    - - -**ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting denies execute access to the Tape Drive removable storage class. -If you enable this policy setting, execute access is denied to this removable storage class. +- If you enable this policy setting, execute access is denied to this removable storage class. -If you disable or don't configure this policy setting, execute access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Tape Drives: Deny execute access* -- GP name: *TapeDrives_DenyExecute_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TapeDrives_DenyExecute_Access_2 | +| Friendly Name | Tape Drives: Deny execute access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Execute | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## TapeDrives_DenyRead_Access_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1 +``` + + + + This policy setting denies read access to the Tape Drive removable storage class. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. - +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + - -ADMX Info: -- GP Friendly name: *Tape Drives: Deny read access* -- GP name: *TapeDrives_DenyRead_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    + +**Description framework properties**: - -**ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | TapeDrives_DenyRead_Access_1 | +| Friendly Name | Tape Drives: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## TapeDrives_DenyRead_Access_2 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2 +``` + + + + This policy setting denies read access to the Tape Drive removable storage class. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Tape Drives: Deny read access* -- GP name: *TapeDrives_DenyRead_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TapeDrives_DenyRead_Access_2 | +| Friendly Name | Tape Drives: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## TapeDrives_DenyWrite_Access_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1 +``` + + + + This policy setting denies write access to the Tape Drive removable storage class. -If you enable this policy setting, write access is denied to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. - +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + - -ADMX Info: -- GP Friendly name: *Tape Drives: Deny write access* -- GP name: *TapeDrives_DenyWrite_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    + +**Description framework properties**: - -**ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | TapeDrives_DenyWrite_Access_1 | +| Friendly Name | Tape Drives: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## TapeDrives_DenyWrite_Access_2 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2 +``` + + + + This policy setting denies write access to the Tape Drive removable storage class. -If you enable this policy setting, write access is denied to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Tape Drives: Deny write access* -- GP name: *TapeDrives_DenyWrite_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TapeDrives_DenyWrite_Access_2 | +| Friendly Name | Tape Drives: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## WPDDevices_DenyRead_Access_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1 +``` + + + + This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny read access* -- GP name: *WPDDevices_DenyRead_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyRead_Access_1 | +| Friendly Name | WPD Devices: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WPDDevices_DenyRead_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2 +``` + + + + This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. - +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny read access* -- GP name: *WPDDevices_DenyRead_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    + +**Description framework properties**: - -**ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyRead_Access_2 | +| Friendly Name | WPD Devices: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## WPDDevices_DenyWrite_Access_1 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1 +``` + + + + This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. -If you enable this policy setting, write access is denied to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny write access* -- GP name: *WPDDevices_DenyWrite_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyWrite_Access_1 | +| Friendly Name | WPD Devices: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WPDDevices_DenyWrite_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting denies write access to removable disks that may include media players, cellular phones, auxiliary displays, and CE devices. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2 +``` + -If you enable this policy setting, write access is denied to this removable storage class. + + +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. - +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny write access* -- GP name: *WPDDevices_DenyWrite_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyWrite_Access_2 | +| Friendly Name | WPD Devices: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md index c2e8188d71..b37b7eb63d 100644 --- a/windows/client-management/mdm/policy-csp-admx-rpc.md +++ b/windows/client-management/mdm/policy-csp-admx-rpc.md 
@@ -1,199 +1,200 @@ --- -title: Policy CSP - ADMX_RPC -description: Learn about Policy CSP - ADMX_RPC. +title: ADMX_RPC Policy CSP +description: Learn more about the ADMX_RPC Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/08/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_RPC + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_RPC policies + +## RpcExtendedErrorInformation -
    -
    - ADMX_RPC/RpcExtendedErrorInformation -
    -
    - ADMX_RPC/RpcIgnoreDelegationFailure -
    -
    - ADMX_RPC/RpcMinimumHttpConnectionTimeout -
    -
    - ADMX_RPC/RpcStateInformation -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RPC/RpcExtendedErrorInformation +``` + -
    - - -**ADMX_RPC/RpcExtendedErrorInformation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls whether the RPC runtime generates extended error information when an error occurs. Extended error information includes the local time that the error occurred, the RPC version, and the name of the computer on which the error occurred, or from which it was propagated. Programs can retrieve the extended error information by using standard Windows application programming interfaces (APIs). -If you disable this policy setting, the RPC Runtime only generates a status code to indicate an error condition. +- If you disable this policy setting, the RPC Runtime only generates a status code to indicate an error condition. -If you don't configure this policy setting, it remains disabled. It will only generate a status code to indicate an error condition. +- If you do not configure this policy setting, it remains disabled. It will only generate a status code to indicate an error condition. -If you enable this policy setting, the RPC runtime will generate extended error information. - -You must select an error response type from the folowing options in the drop-down box: +- If you enable this policy setting, the RPC runtime will generate extended error information. You must select an error response type in the drop-down box. - "Off" disables all extended error information for all processes. RPC only generates an error code. + - "On with Exceptions" enables extended error information, but lets you disable it for selected processes. To disable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field. + - "Off with Exceptions" disables extended error information, but lets you enable it for selected processes. 
To enable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field. + - "On" enables extended error information for all processes. > [!NOTE] > For information about the Extended Error Information Exception field, see the Windows Software Development Kit (SDK). -> -> Extended error information is formatted to be compatible with other operating systems and older Microsoft operating systems, but only newer Microsoft operating systems can read and respond to the information. -> -> The default policy setting, "Off," is designed for systems where extended error information is considered to be sensitive, and it should not be made available remotely. -> -> This policy setting won't be applied until the system is rebooted. - - - - -ADMX Info: -- GP Friendly name: *Propagate extended error information* -- GP name: *RpcExtendedErrorInformation* -- GP path: *System\Remote Procedure Call* -- GP ADMX file name: *RPC.admx* - - - -
    - - -**ADMX_RPC/RpcIgnoreDelegationFailure** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is requested. - -The constrained delegation model, introduced in Windows Server 2003, doesn't report that delegation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications written for the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation. - -If you disable this policy setting, the RPC Runtime will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. - -If you don't configure this policy setting, it remains disabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. - -If you enable this policy setting, then: - -- "Off" directs the RPC Runtime to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation, but the created security context doesn't support delegation. -- "On" directs the RPC Runtime to accept security contexts that don't support delegation even if delegation was asked for. > [!NOTE] -> This policy setting won't be applied until the system is rebooted. +> Extended error information is formatted to be compatible with other operating systems and older Microsoft operating systems, but only newer Microsoft operating systems can read and respond to the information. - +> [!NOTE] +> The default policy setting, "Off," is designed for systems where extended error information is considered to be sensitive, and it should not be made available remotely. +> [!NOTE] +> This policy setting will not be applied until the system is rebooted. 
+ - -ADMX Info: -- GP Friendly name: *Ignore Delegation Failure* -- GP name: *RpcIgnoreDelegationFailure* -- GP path: *System\Remote Procedure Call* -- GP ADMX file name: *RPC.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RPC/RpcMinimumHttpConnectionTimeout** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | RpcExtendedErrorInformation | +| Friendly Name | Propagate extended error information | +| Location | Computer Configuration | +| Path | System > Remote Procedure Call | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc | +| ADMX File Name | RPC.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## RpcIgnoreDelegationFailure -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RPC/RpcIgnoreDelegationFailure +``` + + + + +This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is requested. + +The constrained delegation model, introduced in Windows Server 2003, does not report that delegation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications written for the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation. + +- If you disable this policy setting, the RPC Runtime will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. + +- If you do not configure this policy setting, it remains disabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. + +- If you enable this policy setting, then: + +- "Off" directs the RPC Runtime to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation, but the created security context does not support delegation. + +- "On" directs the RPC Runtime to accept security contexts that do not support delegation even if delegation was asked for. + +> [!NOTE] +> This policy setting will not be applied until the system is rebooted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RpcIgnoreDelegationFailure | +| Friendly Name | Ignore Delegation Failure | +| Location | Computer Configuration | +| Path | System > Remote Procedure Call | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc | +| ADMX File Name | RPC.admx | + + + + + + + + + +## RpcMinimumHttpConnectionTimeout + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RPC/RpcMinimumHttpConnectionTimeout +``` + + + + This policy setting controls the idle connection timeout for RPC/HTTP connections. This policy setting is useful in cases where a network agent like an HTTP proxy or a router uses a lower idle connection timeout than the IIS server running the RPC/HTTP proxy. In such cases, RPC/HTTP clients may encounter errors because connections will be timed out faster than expected. Using this policy setting you can force the RPC Runtime and the RPC/HTTP Proxy to use a lower connection timeout. 
@@ -202,91 +203,137 @@ This policy setting is only applicable when the RPC Client, the RPC Server and t The minimum allowed value for this policy setting is 90 seconds. The maximum is 7200 seconds (2 hours). -If you disable this policy setting, the idle connection timeout on the IIS server running the RPC HTTP proxy will be used. +- If you disable this policy setting, the idle connection timeout on the IIS server running the RPC HTTP proxy will be used. -If you don't configure this policy setting, it will remain disabled. The idle connection timeout on the IIS server running the RPC HTTP proxy will be used. +- If you do not configure this policy setting, it will remain disabled. The idle connection timeout on the IIS server running the RPC HTTP proxy will be used. -If you enable this policy setting, and the IIS server running the RPC HTTP proxy is configured with a lower idle connection timeout, the timeout on the IIS server is used. Otherwise, the provided timeout value is used. The timeout is given in seconds. +- If you enable this policy setting, and the IIS server running the RPC HTTP proxy is configured with a lower idle connection timeout, the timeout on the IIS server is used. Otherwise, the provided timeout value is used. The timeout is given in seconds. > [!NOTE] -> This policy setting won't be applied until the system is rebooted. +> This policy setting will not be applied until the system is rebooted. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Minimum Idle Connection Timeout for RPC/HTTP connections* -- GP name: *RpcMinimumHttpConnectionTimeout* -- GP path: *System\Remote Procedure Call* -- GP ADMX file name: *RPC.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_RPC/RpcStateInformation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RpcMinimumHttpConnectionTimeout | +| Friendly Name | Set Minimum Idle Connection Timeout for RPC/HTTP connections | +| Location | Computer Configuration | +| Path | System > Remote Procedure Call | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc | +| ADMX File Name | RPC.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RpcStateInformation -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RPC/RpcStateInformation +``` + - - + + This policy setting determines whether the RPC Runtime maintains RPC state information for the system, and how much information it maintains. Basic state information, which consists only of the most commonly needed state data, is required for troubleshooting RPC problems. -If you disable this policy setting, the RPC runtime defaults to "Auto2" level. +- If you disable this policy setting, the RPC runtime defaults to "Auto2" level. -If you don't configure this policy setting, the RPC defaults to "Auto2" level. +- If you do not configure this policy setting, the RPC defaults to "Auto2" level. -If you enable this policy setting, you can use the drop-down box to determine which systems maintain RPC state information from the following: +- If you enable this policy setting, you can use the drop-down box to determine which systems maintain RPC state information. + +- "None" indicates that the system does not maintain any RPC state information + +> [!NOTE] +> Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory, this setting is not recommended for most installations. -- "None" indicates that the system doesn't maintain any RPC state information. Note: Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory, this setting isn't recommended for most installations. - "Auto1" directs RPC to maintain basic state information only if the computer has at least 64 MB of memory. + - "Auto2" directs RPC to maintain basic state information only if the computer has at least 128 MB of memory and is running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server. + - "Server" directs RPC to maintain basic state information on the computer, regardless of its capacity. 
-- "Full" directs RPC to maintain complete RPC state information on the system, regardless of its capacity. Because this level can degrade performance, it's recommended for use only while you're investigating an RPC problem. + +- "Full" directs RPC to maintain complete RPC state information on the system, regardless of its capacity. Because this level can degrade performance, it is recommended for use only while you are investigating an RPC problem. > [!NOTE] > To retrieve the RPC state information from a system that maintains it, you must use a debugging tool. -> -> This policy setting won't be applied until the system is rebooted. - +> [!NOTE] +> This policy setting will not be applied until the system is rebooted. + - -ADMX Info: -- GP Friendly name: *Maintain RPC Troubleshooting State Information* -- GP name: *RpcStateInformation* -- GP path: *System\Remote Procedure Call* -- GP ADMX file name: *RPC.admx* + + + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +| Name | Value | +|:--|:--| +| Name | RpcStateInformation | +| Friendly Name | Maintain RPC Troubleshooting State Information | +| Location | Computer Configuration | +| Path | System > Remote Procedure Call | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc | +| ADMX File Name | RPC.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-sam.md b/windows/client-management/mdm/policy-csp-admx-sam.md index 16f8928707..3a57924050 100644 --- a/windows/client-management/mdm/policy-csp-admx-sam.md +++ b/windows/client-management/mdm/policy-csp-admx-sam.md @@ -1,10 +1,10 @@ --- title: ADMX_sam Policy CSP -description: Learn more about the ADMX_sam Area in Policy CSP +description: Learn more about the ADMX_sam Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -17,9 +17,7 @@ ms.topic: reference
 # Policy CSP - ADMX_sam
 > [!TIP]
-> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -43,21 +41,22 @@ ms.topic: reference
+
 This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability.
-For more information on the ROCA vulnerability, please see:
+For more information on the ROCA vulnerability, please see
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361
+
-https://en.wikipedia.org/wiki/ROCA_vulnerability
+
-If you enable this policy setting the following options are supported:
+- If you enable this policy setting the following options are supported
-Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability.
+Ignore during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability.
-Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed).
+Audit during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed).
-Block: during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail).
+Block during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail).
 This setting only takes effect on domain controllers.
@@ -65,9 +64,9 @@ If not configured, domain controllers will default to using their local configur
 A reboot is not required for changes to this setting to take effect.
-Note: to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs.
+**Note** to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs.
-More information is available at https://go.microsoft.com/fwlink/?linkid=2116430.
+More information is available at .
@@ -84,6 +83,9 @@ More information is available at https://go.microsoft.com/fwlink/?linkid=2116430
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
 **ADMX mapping**:
 | Name | Value |
diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md
index 8fb9f59bb0..dc87193ebf 100644
--- a/windows/client-management/mdm/policy-csp-admx-scripts.md
+++ b/windows/client-management/mdm/policy-csp-admx-scripts.md
@@ -1,214 +1,186 @@ --- -title: Policy CSP - ADMX_Scripts -description: Learn about Policy CSP - ADMX_Scripts. +title: ADMX_Scripts Policy CSP +description: Learn more about the ADMX_Scripts Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/17/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Scripts + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Scripts policies + +## Allow_Logon_Script_NetbiosDisabled -
    -
    - ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled -
    -
    - ADMX_Scripts/MaxGPOScriptWaitPolicy -
    -
    - ADMX_Scripts/Run_Computer_PS_Scripts_First -
    -
    - ADMX_Scripts/Run_Legacy_Logon_Script_Hidden -
    -
    - ADMX_Scripts/Run_Logoff_Script_Visible -
    -
    - ADMX_Scripts/Run_Logon_Script_Sync_1 -
    -
    - ADMX_Scripts/Run_Logon_Script_Sync_2 -
    -
    - ADMX_Scripts/Run_Logon_Script_Visible -
    -
    - ADMX_Scripts/Run_Shutdown_Script_Visible -
    -
    - ADMX_Scripts/Run_Startup_Script_Sync -
    -
    - ADMX_Scripts/Run_Startup_Script_Visible -
    -
    - ADMX_Scripts/Run_User_PS_Scripts_First -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled +``` + -
    + + +This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. - -**ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled** +- If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured. - +- If you disable or do not configure this policy setting, user account cross-forest, interactive logging cannot run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes are not configured. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - - -This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes aren't configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. +| Name | Value | +|:--|:--| +| Name | Allow_Logon_Script_NetbiosDisabled | +| Friendly Name | Allow logon scripts when NetBIOS or WINS is disabled | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | Allow-LogonScript-NetbiosDisabled | +| ADMX File Name | Scripts.admx | + -If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured. + + + -If you disable or don't configure this policy setting, user account cross-forest, interactive logging can't run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes aren't configured. + - + +## MaxGPOScriptWaitPolicy + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Allow logon scripts when NetBIOS or WINS is disabled* -- GP name: *Allow_Logon_Script_NetbiosDisabled* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/MaxGPOScriptWaitPolicy +``` + - - -
    - - -**ADMX_Scripts/MaxGPOScriptWaitPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines how long the system waits for scripts applied by Group Policy to run. -This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts haven't finished running when the specified time expires, the system stops script processing and records an error event. +This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event. -If you enable this setting, then, in the Seconds box, you can type a number from 1 to 32,000 for the number of seconds you want the system to wait for the set of scripts to finish. To direct the system to wait until the scripts have finished, no matter how long they take, type 0. +- If you enable this setting, then, in the Seconds box, you can type a number from 1 to 32,000 for the number of seconds you want the system to wait for the set of scripts to finish. To direct the system to wait until the scripts have finished, no matter how long they take, type 0. -This interval is important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next one runs. Also, you can use the "Run logon scripts synchronously" setting to direct the system to wait for the logon scripts to complete before loading the desktop. +This interval is particularly important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next one runs. Also, you can use the "Run logon scripts synchronously" setting to direct the system to wait for the logon scripts to complete before loading the desktop. -An excessively long interval can delay the system and cause inconvenience to users. 
However, if the interval is too short, prerequisite tasks might not be done, and the system can appear to be ready prematurely. +An excessively long interval can delay the system and inconvenience users. However, if the interval is too short, prerequisite tasks might not be done, and the system can appear to be ready prematurely. -If you disable or don't configure this setting, the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This value is the default value. +- If you disable or do not configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This is the default. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify maximum wait time for Group Policy scripts* -- GP name: *MaxGPOScriptWaitPolicy* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Scripts/Run_Computer_PS_Scripts_First** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxGPOScriptWaitPolicy | +| Friendly Name | Specify maximum wait time for Group Policy scripts | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | Scripts.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_Computer_PS_Scripts_First -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Computer_PS_Scripts_First +``` + - - -This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. + + + -If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. + + +This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. For example, assume the following scenario: -There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. - -GPO B and GPO C include the following computer startup scripts: +There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. GPO B and GPO C include the following computer startup scripts: - GPO B: B.cmd, B.ps1 - GPO C: C.cmd, C.ps1 -Assume also that there are two computers, DesktopIT and DesktopSales. -For DesktopIT, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for DesktopIT: +Assume also that there are two computers, DesktopIT and DesktopSales. For DesktopIT, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for DesktopIT: - Within GPO B: B.ps1, B.cmd - Within GPO C: C.ps1, C.cmd 
@@ -220,466 +192,582 @@ For DesktopSales, GPOs B and C are applied, but not GPO A. Therefore, the script > [!NOTE] > This policy setting determines the order in which computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: +> > - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Startup > - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Run Windows PowerShell scripts first at computer startup, shutdown* -- GP name: *Run_Computer_PS_Scripts_First* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_Scripts/Run_Legacy_Logon_Script_Hidden** +| Name | Value | +|:--|:--| +| Name | Run_Computer_PS_Scripts_First | +| Friendly Name | Run Windows PowerShell scripts first at computer startup, shutdown | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | RunComputerPSScriptsFirst | +| ADMX File Name | Scripts.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Run_Legacy_Logon_Script_Hidden - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Legacy_Logon_Script_Hidden +``` + -
    - - - + + This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. -Logon scripts are batch files of instructions that run when the user logs on. By default, Windows displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it doesn't display logon scripts written for Windows. +Logon scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows 2000. -If you enable this setting, Windows doesn't display logon scripts written for Windows NT 4.0 and earlier. +- If you enable this setting, Windows 2000 does not display logon scripts written for Windows NT 4.0 and earlier. -If you disable or don't configure this policy setting, Windows displays login scripts written for Windows NT 4.0 and earlier. +- If you disable or do not configure this policy setting, Windows 2000 displays login scripts written for Windows NT 4.0 and earlier. Also, see the "Run Logon Scripts Visible" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Run legacy logon scripts hidden* -- GP name: *Run_Legacy_Logon_Script_Hidden* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Scripts/Run_Logoff_Script_Visible** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Run_Legacy_Logon_Script_Hidden | +| Friendly Name | Run legacy logon scripts hidden | +| Location | User Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideLegacyLogonScripts | +| ADMX File Name | Scripts.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_Logoff_Script_Visible -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logoff_Script_Visible +``` + - - + + This policy setting displays the instructions in logoff scripts as they run. -Logoff scripts are batch files of instructions that run when the user signs out. By default, the system doesn't display the instructions in the logoff script. +Logoff scripts are batch files of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script. -If you enable this policy setting, the system displays each instruction in the logoff script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. +- If you enable this policy setting, the system displays each instruction in the logoff script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. -If you disable or don't configure this policy setting, the instructions are suppressed. +- If you disable or do not configure this policy setting, the instructions are suppressed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display instructions in logoff scripts as they run* -- GP name: *Run_Logoff_Script_Visible* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Scripts/Run_Logon_Script_Sync_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Run_Logoff_Script_Visible | +| Friendly Name | Display instructions in logoff scripts as they run | +| Location | User Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideLogoffScripts | +| ADMX File Name | Scripts.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_Logon_Script_Sync_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logon_Script_Sync_1 +``` + - - + + This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. -If you enable this policy setting, File Explorer doesn't start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. +- If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. -If you disable or don't configure this policy setting, the logon scripts and File Explorer aren't synchronized and can run simultaneously. +- If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously. This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Run logon scripts synchronously* -- GP name: *Run_Logon_Script_Sync_1* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Scripts/Run_Logon_Script_Sync_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Run_Logon_Script_Sync_1 | +| Friendly Name | Run logon scripts synchronously | +| Location | User Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | RunLogonScriptSync | +| ADMX File Name | Scripts.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_Logon_Script_Sync_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logon_Script_Sync_2 +``` + - - + + This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. -If you enable this policy setting, File Explorer doesn't start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. +- If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. -If you disable or don't configure this policy setting, the logon scripts and File Explorer aren't synchronized and can run simultaneously. +- If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously. This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Run logon scripts synchronously* -- GP name: *Run_Logon_Script_Sync_2* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Scripts/Run_Logon_Script_Visible** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Run_Logon_Script_Sync_2 | +| Friendly Name | Run logon scripts synchronously | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | RunLogonScriptSync | +| ADMX File Name | Scripts.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_Logon_Script_Visible -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logon_Script_Visible +``` + - - + + This policy setting displays the instructions in logon scripts as they run. -Logon scripts are batch files of instructions that run when the user logs on. By default, the system doesn't display the instructions in logon scripts. +Logon scripts are batch files of instructions that run when the user logs on. By default, the system does not display the instructions in logon scripts. -If you enable this policy setting, the system displays each instruction in the logon script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. +- If you enable this policy setting, the system displays each instruction in the logon script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. -If you disable or don't configure this policy setting, the instructions are suppressed. +- If you disable or do not configure this policy setting, the instructions are suppressed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display instructions in logon scripts as they run* -- GP name: *Run_Logon_Script_Visible* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Scripts/Run_Shutdown_Script_Visible** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Run_Logon_Script_Visible | +| Friendly Name | Display instructions in logon scripts as they run | +| Location | User Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideLogonScripts | +| ADMX File Name | Scripts.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_Shutdown_Script_Visible -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Shutdown_Script_Visible +``` + - - + + This policy setting displays the instructions in shutdown scripts as they run. -Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system doesn't display the instructions in the shutdown script. +Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script. -If you enable this policy setting, the system displays each instruction in the shutdown script as it runs. The instructions appear in a command window. +- If you enable this policy setting, the system displays each instruction in the shutdown script as it runs. The instructions appear in a command window. -If you disable or don't configure this policy setting, the instructions are suppressed. +- If you disable or do not configure this policy setting, the instructions are suppressed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display instructions in shutdown scripts as they run* -- GP name: *Run_Shutdown_Script_Visible* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Scripts/Run_Startup_Script_Sync** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Run_Shutdown_Script_Visible | +| Friendly Name | Display instructions in shutdown scripts as they run | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideShutdownScripts | +| ADMX File Name | Scripts.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_Startup_Script_Sync -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Sync +``` + - - + + This policy setting lets the system run startup scripts simultaneously. Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script. -If you enable this policy setting, the system doesn't coordinate the running of startup scripts. As a result, startup scripts can run simultaneously. +- If you enable this policy setting, the system does not coordinate the running of startup scripts. As a result, startup scripts can run simultaneously. -If you disable or don't configure this policy setting, a startup can't run until the previous script is complete. +- If you disable or do not configure this policy setting, a startup cannot run until the previous script is complete. > [!NOTE] > Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether the "Run startup scripts visible" policy setting is enabled or not. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Run startup scripts asynchronously* -- GP name: *Run_Startup_Script_Sync* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Scripts/Run_Startup_Script_Visible** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Run_Startup_Script_Sync | +| Friendly Name | Run startup scripts asynchronously | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | RunStartupScriptSync | +| ADMX File Name | Scripts.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_Startup_Script_Visible -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Visible +``` + - - + + This policy setting displays the instructions in startup scripts as they run. -Startup scripts are batch files of instructions that run before the user is invited to sign in. By default, the system doesn't display the instructions in the startup script. +Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script. -If you enable this policy setting, the system displays each instruction in the startup script as it runs. Instructions appear in a command window. This policy setting is designed for advanced users. +- If you enable this policy setting, the system displays each instruction in the startup script as it runs. Instructions appear in a command window. This policy setting is designed for advanced users. -If you disable or don't configure this policy setting, the instructions are suppressed. +- If you disable or do not configure this policy setting, the instructions are suppressed. > [!NOTE] > Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether this policy setting is enabled or not. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display instructions in startup scripts as they run* -- GP name: *Run_Startup_Script_Visible* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Scripts/Run_User_PS_Scripts_First** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Run_Startup_Script_Visible | +| Friendly Name | Display instructions in startup scripts as they run | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideStartupScripts | +| ADMX File Name | Scripts.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_User_PS_Scripts_First -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First +``` - - -This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user sign in and sign out. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First +``` + -If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user sign in and sign out. + + + + + + +This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff. For example, assume the following scenario: -There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. - -GPO B and GPO C include the following user logon scripts: +There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. GPO B and GPO C include the following user logon scripts: - GPO B: B.cmd, B.ps1 - GPO C: C.cmd, C.ps1 -Assume also that there are two users, Qin Hong and Tamara Johnston. -For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for Qin: +Assume also that there are two users, Qin Hong and Tamara Johnston. For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for Qin: - Within GPO B: B.ps1, B.cmd - Within GPO C: C.ps1, C.cmd 
@@ -691,30 +779,49 @@ For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for > [!NOTE] > This policy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: +> > - User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logon > - User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff + -This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting set in User Configuration. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Run Windows PowerShell scripts first at user logon, logoff* -- GP name: *Run_User_PS_Scripts_First* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +**ADMX mapping**: - - -
+| Name | Value |
+|:--|:--|
+| Name | Run_User_PS_Scripts_First |
+| Friendly Name | Run Windows PowerShell scripts first at user logon, logoff |
+| Location | Computer and User Configuration |
+| Path | System > Scripts |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | RunUserPSScriptsFirst |
+| ADMX File Name | Scripts.admx |
+
+
+
+
+
-
+
+
+
-## Related topics
+
-[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
+## Related articles
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md
index 98532868c7..3ec7284be3 100644
--- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md
+++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md
@@ -1,191 +1,218 @@ --- -title: Policy CSP - ADMX_sdiageng -description: Learn about Policy CSP - ADMX_sdiageng. +title: ADMX_sdiageng Policy CSP +description: Learn more about the ADMX_sdiageng Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_sdiageng + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_sdiageng policies + +## BetterWhenConnected -
    -
    - ADMX_sdiageng/BetterWhenConnected -
    -
    - ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy -
    -
    - ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_sdiageng/BetterWhenConnected +``` + -
    + + +This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" - -**ADMX_sdiageng/BetterWhenConnected** +- If you enable or do not configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. - +- If you disable this policy setting, users can only access and search troubleshooting content that is available locally on their computers, even if they are connected to the Internet. They are prevented from connecting to the Microsoft servers that host the Windows Online Troubleshooting Service. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - - -This policy setting allows Internet-connected users to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" +| Name | Value | +|:--|:--| +| Name | BetterWhenConnected | +| Friendly Name | Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS) | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Scripted Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy | +| Registry Value Name | EnableQueryRemoteServer | +| ADMX File Name | sdiageng.admx | + -If you enable or don't configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. + + + -If you disable this policy setting, users can only access and search troubleshooting content that is available locally on their computers, even if they are connected to the Internet. They are prevented from connecting to the Microsoft servers that host the Windows Online Troubleshooting Service. + - + +## ScriptedDiagnosticsExecutionPolicy + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)* -- GP name: *BetterWhenConnected* -- GP path: *System\Troubleshooting and Diagnostics\Scripted Diagnostics* -- GP ADMX file name: *sdiageng.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy +``` + - - -
    - - -**ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. -If you enable or don't configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel. +- If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel. -If this policy setting is disabled, the users cannot access or run the troubleshooting tools from the Control Panel. +- If you disable this policy setting, users cannot access or run the troubleshooting tools from the Control Panel. ->[!NOTE] ->This setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files. +**Note** that this setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Troubleshooting: Allow users to access and run Troubleshooting Wizards* -- GP name: *ScriptedDiagnosticsExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Scripted Diagnostics* -- GP ADMX file name: *sdiageng.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ScriptedDiagnosticsExecutionPolicy | +| Friendly Name | Troubleshooting: Allow users to access and run Troubleshooting Wizards | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Scripted Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics | +| Registry Value Name | EnableDiagnostics | +| ADMX File Name | sdiageng.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ScriptedDiagnosticsSecurityPolicy -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy +``` + - - + + This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers. -If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diagnostic package and runs only those signed by trusted publishers. +- If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diagnostic package and runs only those signed by trusted publishers. -If you disable or don't configure this policy setting, the scripted diagnostics execution engine runs all digitally signed packages. +- If you disable or do not configure this policy setting, the scripted diagnostics execution engine runs all digitally signed packages. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Security Policy for Scripted Diagnostics* -- GP name: *ScriptedDiagnosticsSecurityPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Scripted Diagnostics* -- GP ADMX file name: *sdiageng.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - -## Related topics +| Name | Value | +|:--|:--| +| Name | ScriptedDiagnosticsSecurityPolicy | +| Friendly Name | Configure Security Policy for Scripted Diagnostics | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Scripted Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics | +| Registry Value Name | ValidateTrust | +| ADMX File Name | sdiageng.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md index 6de574029e..91f8df9c49 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md @@ -1,94 +1,104 @@ --- -title: Policy CSP - ADMX_sdiagschd -description: Learn about Policy CSP - ADMX_sdiagschd. +title: ADMX_sdiagschd Policy CSP +description: Learn more about the ADMX_sdiagschd Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/17/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_sdiagschd -
    - - -## ADMX_sdiagschd policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy -
    -
    + + + + +## ScheduledDiagnosticsExecutionPolicy -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy +``` + - + + +Determines whether scheduled diagnostics will run to proactively detect and resolve system problems. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you enable this policy setting, you must choose an execution level. If you choose detection and troubleshooting only, Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resolution. - -
    +If you choose detection, troubleshooting and resolution, Windows will resolve some of these problems silently without requiring user input. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve problems on a scheduled basis. -> [!div class = "checklist"] -> * Device +- If you do not configure this policy setting, local troubleshooting preferences will take precedence, as configured in the control panel. If no local troubleshooting preference is configured, scheduled diagnostics are enabled for detection, troubleshooting and resolution by default. -
    +No reboots or service restarts are required for this policy to take effect: changes take effect immediately. - - -This policy determines whether scheduled diagnostics will run to proactively detect and resolve system problems. +This policy setting will only take effect when the Task Scheduler service is in the running state. When the service is stopped or disabled, scheduled diagnostics will not be executed. The Task Scheduler service can be configured with the Services snap-in to the Microsoft Management Console. + -If you enable this policy setting, you must choose an execution level from the following: + + + -- If you choose detection and troubleshooting only, Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resolution. -- If you choose detection, troubleshooting and resolution, Windows will resolve some of these problems silently without requiring user input. + +**Description framework properties**: -If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve problems on a scheduled basis. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you don't configure this policy setting, local troubleshooting preferences will take precedence, as configured in the control panel. If no local troubleshooting preference is configured, scheduled diagnostics are enabled for detection, troubleshooting and resolution by default. No reboots or service restarts are required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Task Scheduler service is in the running state. When the service is stopped or disabled, scheduled diagnostics won't be executed. The Task Scheduler service can be configured with the Services snap-in to the Microsoft Management Console. 
+ +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Configure Scheduled Maintenance Behavior* -- GP name: *ScheduledDiagnosticsExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Scheduled Maintenance* -- GP ADMX file name: *sdiagschd.admx* +| Name | Value | +|:--|:--| +| Name | ScheduledDiagnosticsExecutionPolicy | +| Friendly Name | Configure Scheduled Maintenance Behavior | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Scheduled Maintenance | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScheduledDiagnostics | +| Registry Value Name | EnabledExecution | +| ADMX File Name | sdiagschd.admx | + - - -
    + + + + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md index e223bafce2..6bc06ebc29 100644 --- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md 
@@ -1,97 +1,108 @@ --- -title: Policy CSP - ADMX_Securitycenter -description: Learn about Policy CSP - ADMX_Securitycenter. +title: ADMX_Securitycenter Policy CSP +description: Learn more about the ADMX_Securitycenter Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Securitycenter + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Securitycenter policies + +## SecurityCenter_SecurityCenterInDomain -
    -
    - ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain +``` + -
    + + +This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed. - -**ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain** +**Note** that Security Center can only be turned off for computers that are joined to a Windows domain. When a computer is not joined to a Windows domain, the policy setting will have no effect. - +If you do not congifure this policy setting, the Security Center is turned off for domain members. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you enable this policy setting, Security Center is turned on for all users. - -
    +- If you disable this policy setting, Security Center is turned off for domain members. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Windows XP SP2 +---------------------- +In Windows XP SP2, the essential security settings that are monitored by Security Center include firewall, antivirus, and Automatic Updates. **Note** that Security Center might not be available following a change to this policy setting until after the computer is restarted for Windows XP SP2 computers. -> [!div class = "checklist"] -> * Device +Windows Vista +--------------------- +In Windows Vista, this policy setting monitors essential security settings to include firewall, antivirus, antispyware, Internet security settings, User Account Control, and Automatic Updates. Windows Vista computers do not require a reboot for this policy setting to take effect. + -
    + + + - - -This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. + +**Description framework properties**: -The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center isn't enabled on the domain, the notifications and the Security Center status section aren't displayed. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Security Center can only be turned off for computers that are joined to a Windows domain. When a computer isn't joined to a Windows domain, the policy setting will have no effect. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you don't configure this policy setting, the Security Center is turned off for domain members. +**ADMX mapping**: -If you enable this policy setting, Security Center is turned on for all users. +| Name | Value | +|:--|:--| +| Name | SecurityCenter_SecurityCenterInDomain | +| Friendly Name | Turn on Security Center (Domain PCs only) | +| Location | Computer Configuration | +| Path | Windows Components > Security Center | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Security Center | +| Registry Value Name | SecurityCenterInDomain | +| ADMX File Name | Securitycenter.admx | + -If you disable this policy setting, Security Center is turned off for domain members. 
+ + + + - + + + + - -ADMX Info: -- GP Friendly name: *Turn on Security Center (Domain PCs only)* -- GP name: *SecurityCenter_SecurityCenterInDomain* -- GP path: *Windows Components\Security Center* -- GP ADMX file name: *Securitycenter.admx* +## Related articles - - -
    - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md index 95bffd5ac9..31322c5681 100644 --- a/windows/client-management/mdm/policy-csp-admx-sensors.md +++ b/windows/client-management/mdm/policy-csp-admx-sensors.md 
@@ -1,290 +1,336 @@ --- -title: Policy CSP - ADMX_Sensors -description: Learn about Policy CSP - ADMX_Sensors. +title: ADMX_Sensors Policy CSP +description: Learn more about the ADMX_Sensors Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/22/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Sensors + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Sensors policies + +## DisableLocation_1 -
    -
    - ADMX_Sensors/DisableLocationScripting_1 -
    -
    - ADMX_Sensors/DisableLocationScripting_2 -
    -
    - ADMX_Sensors/DisableLocation_1 -
    -
    - ADMX_Sensors/DisableSensors_1 -
    -
    - ADMX_Sensors/DisableSensors_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Sensors/DisableLocation_1 +``` + -
    - - -**ADMX_Sensors/DisableLocationScripting_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting turns off scripting for the location feature. - -If you enable this policy setting, scripts for the location feature won't run. - -If you disable or don't configure this policy setting, all location scripts will run. - - - - - -ADMX Info: -- GP Friendly name: *Turn off location scripting* -- GP name: *DisableLocationScripting_1* -- GP path: *Windows Components\Location and Sensors* -- GP ADMX file name: *Sensors.admx* - - - -
    - - -**ADMX_Sensors/DisableLocationScripting_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting turns off scripting for the location feature. - -If you enable this policy setting, scripts for the location feature will not run. - -If you disable or don't configure this policy setting, all location scripts will run. - - - - - -ADMX Info: -- GP Friendly name: *Turn off location scripting* -- GP name: *DisableLocationScripting_2* -- GP path: *Windows Components\Location and Sensors* -- GP ADMX file name: *Sensors.admx* - - - -
    - - -**ADMX_Sensors/DisableLocation_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting turns off the location feature for this computer. -If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature. +- If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature. -If you disable or don't configure this policy setting, all programs on this computer won't be prevented from using location information from the location feature. +- If you disable or do not configure this policy setting, all programs on this computer will not be prevented from using location information from the location feature. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off location* -- GP name: *DisableLocation_1* -- GP path: *Windows Components\Location and Sensors* -- GP ADMX file name: *Sensors.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Sensors/DisableSensors_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableLocation_1 | +| Friendly Name | Turn off location | +| Location | User Configuration | +| Path | Windows Components > Location and Sensors | +| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | +| Registry Value Name | DisableLocation | +| ADMX File Name | Sensors.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableLocationScripting_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Sensors/DisableLocationScripting_1 +``` + - - + + +This policy setting turns off scripting for the location feature. + +- If you enable this policy setting, scripts for the location feature will not run. + +- If you disable or do not configure this policy setting, all location scripts will run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableLocationScripting_1 | +| Friendly Name | Turn off location scripting | +| Location | User Configuration | +| Path | Windows Components > Location and Sensors | +| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | +| Registry Value Name | DisableLocationScripting | +| ADMX File Name | Sensors.admx | + + + + + + + + + +## DisableLocationScripting_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Sensors/DisableLocationScripting_2 +``` + + + + +This policy setting turns off scripting for the location feature. + +- If you enable this policy setting, scripts for the location feature will not run. + +- If you disable or do not configure this policy setting, all location scripts will run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableLocationScripting_2 | +| Friendly Name | Turn off location scripting | +| Location | Computer Configuration | +| Path | Windows Components > Location and Sensors | +| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | +| Registry Value Name | DisableLocationScripting | +| ADMX File Name | Sensors.admx | + + + + + + + + + +## DisableSensors_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Sensors/DisableSensors_1 +``` + + + + This policy setting turns off the sensor feature for this computer. -If you enable this policy setting, the sensor feature is turned off, and all programs on this computer can't use the sensor feature. +- If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. -If you disable or don't configure this policy setting, all programs on this computer can use the sensor feature. +- If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off sensors* -- GP name: *DisableSensors_1* -- GP path: *Windows Components\Location and Sensors* -- GP ADMX file name: *Sensors.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Sensors/DisableSensors_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableSensors_1 | +| Friendly Name | Turn off sensors | +| Location | User Configuration | +| Path | Windows Components > Location and Sensors | +| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | +| Registry Value Name | DisableSensors | +| ADMX File Name | Sensors.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableSensors_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Sensors/DisableSensors_2 +``` + - - + + This policy setting turns off the sensor feature for this computer. -If you enable this policy setting, the sensor feature is turned off, and all programs on this computer can't use the sensor feature. +- If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. -If you disable or don't configure this policy setting, all programs on this computer can use the sensor feature. +- If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off sensors* -- GP name: *DisableSensors_2* -- GP path: *Windows Components\Location and Sensors* -- GP ADMX file name: *Sensors.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | DisableSensors_2 | +| Friendly Name | Turn off sensors | +| Location | Computer Configuration | +| Path | Windows Components > Location and Sensors | +| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | +| Registry Value Name | DisableSensors | +| ADMX File Name | Sensors.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md index 24b6080943..3bebbb38c2 100644 --- a/windows/client-management/mdm/policy-csp-admx-servermanager.md +++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md @@ -1,252 +1,289 @@ --- -title: Policy CSP - ADMX_ServerManager -description: Learn about Policy CSP - ADMX_ServerManager. +title: ADMX_ServerManager Policy CSP +description: Learn more about the ADMX_ServerManager Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_ServerManager -
    - - -## ADMX_ServerManager policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_ServerManager/Do_not_display_Manage_Your_Server_page -
    -
    - ADMX_ServerManager/ServerManagerAutoRefreshRate -
    -
    - ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks -
    -
    - ADMX_ServerManager/DoNotLaunchServerManager -
    -
    + + + + +## Do_not_display_Manage_Your_Server_page -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_ServerManager/Do_not_display_Manage_Your_Server_page** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ServerManager/Do_not_display_Manage_Your_Server_page +``` + - + + +This policy setting allows you to turn off the automatic display of the Manage Your Server page. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you enable this policy setting, the Manage Your Server page is not displayed each time an administrator logs on to the server. - -
    +- If you disable or do not configure this policy setting, the Manage Your Server page is displayed each time an administrator logs on to the server. However, if the administrator has selected the "Don't display this page at logon" option at the bottom of the Manage Your Server page, the page is not displayed. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +> [!NOTE] +> Regardless of the status of this policy setting, Server Manager is available from the Start menu or the Windows taskbar. + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -This policy setting allows you to turn off the automatic display of Server Manager at sign in. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you enable this policy setting, Server Manager isn't displayed automatically when a user signs in to the server. +**ADMX mapping**: -If you disable this policy setting, Server Manager is displayed automatically when a user signs in to the server. +| Name | Value | +|:--|:--| +| Name | Do_not_display_Manage_Your_Server_page | +| Friendly Name | Do not display Manage Your Server page at logon | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\CurrentVersion\MYS | +| Registry Value Name | DisableShowAtLogon | +| ADMX File Name | ServerManager.admx | + -If you don't configure this policy setting, Server Manager is displayed when a user signs in to the server. However, if the "Do not show me this console at logon" (Windows Server 2008 and Windows Server 2008 R2) or “Do not start Server Manager automatically at logon” (Windows Server 2012) option is selected, the console isn't displayed automatically at a sign in. + + + + + + + +## DoNotLaunchInitialConfigurationTasks + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks +``` + + + + +This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window at logon on Windows Server 2008 and Windows Server 2008 R2. + +- If you enable this policy setting, the Initial Configuration Tasks window is not displayed when an administrator logs on to the server. + +- If you disable this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. + +- If you do not configure this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. However, if an administrator selects the "Do not show this window at logon" option, the window is not displayed on subsequent logons. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DoNotLaunchInitialConfigurationTasks | +| Friendly Name | Do not display Initial Configuration Tasks window automatically at logon | +| Location | Computer Configuration | +| Path | System > Server Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\Server\InitialConfigurationTasks | +| Registry Value Name | DoNotOpenAtLogon | +| ADMX File Name | ServerManager.admx | + + + + + + + + + +## DoNotLaunchServerManager + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ServerManager/DoNotLaunchServerManager +``` + + + + +This policy setting allows you to turn off the automatic display of Server Manager at logon. + +- If you enable this policy setting, Server Manager is not displayed automatically when a user logs on to the server. + +- If you disable this policy setting, Server Manager is displayed automatically when a user logs on to the server. + +- If you do not configure this policy setting, Server Manager is displayed when a user logs on to the server. However, if the "Do not show me this console at logon" (Windows Server 2008 and Windows Server 2008 R2) or "Do not start Server Manager automatically at logon" (Windows Server 2012) option is selected, the console is not displayed automatically at logon. > [!NOTE] > Regardless of the status of this policy setting, Server Manager is available from the Start menu or the Windows taskbar. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not display Server Manager automatically at logon* -- GP name: *Do_not_display_Manage_Your_Server_page* -- GP path: *System\Server Manager* -- GP ADMX file name: *ServerManager.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - -**ADMX_ServerManager/ServerManagerAutoRefreshRate** +| Name | Value | +|:--|:--| +| Name | DoNotLaunchServerManager | +| Friendly Name | Do not display Server Manager automatically at logon | +| Location | Computer Configuration | +| Path | System > Server Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\Server\ServerManager | +| Registry Value Name | DoNotOpenAtLogon | +| ADMX File Name | ServerManager.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## ServerManagerAutoRefreshRate - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ServerManager/ServerManagerAutoRefreshRate +``` + -
    + + +This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Server Manager with updated information about which roles and features are installed on servers that you are managing by using Server Manager. Server Manager also monitors the status of roles and features installed on managed servers. - - -This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Server Manager with updated information about which roles and features are installed on servers that you're managing by using Server Manager. Server Manager also monitors the status of roles and features installed on managed servers. +- If you enable this policy setting, Server Manager uses the refresh interval specified in the policy setting instead of the "Configure Refresh Interval" setting (in Windows Server 2008 and Windows Server 2008 R2), or the "Refresh the data shown in Server Manager every [x] [minutes/hours/days]" setting (in Windows Server 2012) that is configured in the Server Manager console. -- If you enable this policy setting, Server Manager uses the refresh interval specified in the policy setting instead of the “Configure Refresh Interval” setting (in Windows Server 2008 and Windows Server 2008 R2), or the “Refresh the data shown in Server Manager every [x] [minutes/hours/days]” setting (in Windows Server 2012) that is configured in the Server Manager console. - -- If you disable this policy setting, Server Manager doesn't refresh automatically. If you don't configure this policy setting, Server Manager uses the refresh interval settings that are specified in the Server Manager console. +- If you disable this policy setting, Server Manager does not refresh automatically. +- If you do not configure this policy setting, Server Manager uses the refresh interval settings that are specified in the Server Manager console. 
> [!NOTE] > The default refresh interval for Server Manager is two minutes in Windows Server 2008 and Windows Server 2008 R2, or 10 minutes in Windows Server 2012. + + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Configure the refresh interval for Server Manager* -- GP name: *ServerManagerAutoRefreshRate* -- GP path: *System\Server Manager* -- GP ADMX file name: *ServerManager.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks** +| Name | Value | +|:--|:--| +| Name | ServerManagerAutoRefreshRate | +| Friendly Name | Configure the refresh interval for Server Manager | +| Location | Computer Configuration | +| Path | System > Server Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\Server\ServerManager | +| Registry Value Name | RefreshIntervalEnabled | +| ADMX File Name | ServerManager.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device +## Related articles -
    - - - -This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window at a sign in on Windows Server 2008 and Windows Server 2008 R2. - -If you enable this policy setting, the Initial Configuration Tasks window isn't displayed when an administrator signs in to the server. - -If you disable this policy setting, the Initial Configuration Tasks window is displayed when an administrator signs in to the server. - -If you don't configure this policy setting, the Initial Configuration Tasks window is displayed when an administrator signs in to the server. However, if an administrator selects the "Do not show this window at logon" option, the window isn't displayed on subsequent logons. - - - - - -ADMX Info: -- GP Friendly name: *Do not display Initial Configuration Tasks window automatically at logon* -- GP name: *DoNotLaunchInitialConfigurationTasks* -- GP path: *System\Server Manager* -- GP ADMX file name: *ServerManager.admx* - - - -
    - - -**ADMX_ServerManager/DoNotLaunchServerManager** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
-
-
-
-This policy setting allows you to turn off the automatic display of the Manage Your Server page.
-
-- If you enable this policy setting, the Manage Your Server page isn't displayed each time an administrator signs in to the server.
-
-- If you disable or don't configure this policy setting, the Manage Your Server page is displayed each time an administrator signs in to the server.
-
-However, if the administrator has selected the "Don’t display this page at logon" option at the bottom of the Manage Your Server page, the page isn't displayed.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Do not display Manage Your Server page at logon*
-- GP name: *DoNotLaunchServerManager*
-- GP path: *System\Server Manager*
-- GP ADMX file name: *ServerManager.admx*
-
-
-
-
-
-
-## Related topics
-
-[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md
index 719e360bac..98279f859e 100644
--- a/windows/client-management/mdm/policy-csp-admx-servicing.md
+++ b/windows/client-management/mdm/policy-csp-admx-servicing.md
@@ -1,87 +1,97 @@
 ---
-title: Policy CSP - ADMX_Servicing
-description: Learn about Policy CSP - ADMX_Servicing.
+title: ADMX_Servicing Policy CSP
+description: Learn more about the ADMX_Servicing Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/09/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 09/18/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - ADMX_Servicing
+> [!TIP]
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
    + + + - -## ADMX_Servicing policies + +## Servicing -
    -
    - ADMX_Servicing/Servicing -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Servicing/Servicing +``` + -
    - - -**ADMX_Servicing/Servicing** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. -If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the "Alternate source file path" text box. Multiple locations can be specified when each path is separated by a semicolon. +- If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the "Alternate source file path" text box. Multiple locations can be specified when each path is separated by a semicolon. -The network location can be either a folder, or a WIM file. If it's a WIM file, the location should be specified by prefixing the path with “wim:” and include the index of the image to use in the WIM file, for example, “wim:\\server\share\install.wim:3”. +The network location can be either a folder, or a WIM file. If it is a WIM file, the location should be specified by prefixing the path with "wim:" and include the index of the image to use in the WIM file. For example "wim:\\server\share\install.wim:3". -If you disable or don't configure this policy setting, or if the required files can't be found at the locations specified in this policy setting, the files will be downloaded from Windows Update, if that is allowed by the policy settings for the computer. 
+- If you disable or do not configure this policy setting, or if the required files cannot be found at the locations specified in this policy setting, the files will be downloaded from Windows Update, if that is allowed by the policy settings for the computer. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify settings for optional component installation and component repair* -- GP name: *Servicing* -- GP path: *System* -- GP ADMX file name: *Servicing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+**ADMX mapping**:
+| Name | Value |
+|:--|:--|
+| Name | Servicing |
+| Friendly Name | Specify settings for optional component installation and component repair |
+| Location | Computer Configuration |
+| Path | System |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Servicing |
+| ADMX File Name | Servicing.admx |
+ - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md
index 116e79b9a4..4525405908 100644
--- a/windows/client-management/mdm/policy-csp-admx-settingsync.md
+++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md
@@ -1,505 +1,592 @@
 ---
-title: Policy CSP - ADMX_SettingSync
-description: Learn about Policy CSP - ADMX_SettingSync.
+title: ADMX_SettingSync Policy CSP
+description: Learn more about the ADMX_SettingSync Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/09/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 12/01/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - ADMX_SettingSync
+
 > [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
    - - -## ADMX_SettingSync policies - -
    -
    - ADMX_SettingSync/DisableAppSyncSettingSync -
    -
    - ADMX_SettingSync/DisableApplicationSettingSync -
    -
    - ADMX_SettingSync/DisableCredentialsSettingSync -
    -
    - ADMX_SettingSync/DisableDesktopThemeSettingSync -
    -
    - ADMX_SettingSync/DisablePersonalizationSettingSync -
    -
    - ADMX_SettingSync/DisableSettingSync -
    -
    - ADMX_SettingSync/DisableStartLayoutSettingSync -
    -
    - ADMX_SettingSync/DisableSyncOnPaidNetwork -
    -
    - ADMX_SettingSync/DisableWindowsSettingSync -
    -
    +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## DisableApplicationSettingSync - -**ADMX_SettingSync/DisableAppSyncSettingSync** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableApplicationSettingSync +``` + + + + +Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your settings" page in PC settings. + +- If you enable this policy setting, the "app settings" group will not be synced. + +Use the option "Allow users to turn app settings syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "app settings" group is on by default and configurable by the user. + + + + + + + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DisableApplicationSettingSync | +| Friendly Name | Do not sync app settings | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableApplicationSettingSync | +| ADMX File Name | SettingSync.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + + + +## DisableAppSyncSettingSync -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting prevents the "AppSync" group from syncing to and from this PC. This option turns off and disables the "AppSync" group on the "sync your settings" page in PC settings. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableAppSyncSettingSync +``` + + + + +Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings. + +- If you enable this policy setting, the "AppSync" group will not be synced. + +Use the option "Allow users to turn app syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "AppSync" group is on by default and configurable by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableAppSyncSettingSync | +| Friendly Name | Do not sync Apps | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableAppSyncSettingSync | +| ADMX File Name | SettingSync.admx | + -If you enable this policy setting, the "AppSync" group won't be synced. + + + + + + + +## DisableCredentialsSettingSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableCredentialsSettingSync +``` + + + + +Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your settings" page in PC settings. + +- If you enable this policy setting, the "passwords" group will not be synced. + +Use the option "Allow users to turn passwords syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "passwords" group is on by default and configurable by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableCredentialsSettingSync | +| Friendly Name | Do not sync passwords | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableCredentialsSettingSync | +| ADMX File Name | SettingSync.admx | + -Use the option "Allow users to turn app syncing on" so that syncing it is turned off by default but not disabled. + + + + + + + +## DisableDesktopThemeSettingSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableDesktopThemeSettingSync +``` + + + + +Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings. + +- If you enable this policy setting, the "desktop personalization" group will not be synced. + +Use the option "Allow users to turn desktop personalization syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "desktop personalization" group is on by default and configurable by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableDesktopThemeSettingSync | +| Friendly Name | Do not sync desktop personalization | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableDesktopThemeSettingSync | +| ADMX File Name | SettingSync.admx | + -If you don't set or disable this setting, syncing of the "AppSync" group is on by default and configurable by the user. + + + + + + + +## DisablePersonalizationSettingSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisablePersonalizationSettingSync +``` + + + + +Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your settings" page in PC settings. + +- If you enable this policy setting, the "personalize" group will not be synced. + +Use the option "Allow users to turn personalize syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "personalize" group is on by default and configurable by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisablePersonalizationSettingSync | +| Friendly Name | Do not sync personalize | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisablePersonalizationSettingSync | +| ADMX File Name | SettingSync.admx | + - + + + + + + + +## DisableSettingSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableSettingSync +``` + + + + +Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings. + +- If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC. + +Use the option "Allow users to turn syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, "sync your settings" is on by default and configurable by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSettingSync | +| Friendly Name | Do not sync | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableSettingSync | +| ADMX File Name | SettingSync.admx | + + + + + + + + +## DisableStartLayoutSettingSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableStartLayoutSettingSync +``` + + + + +Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings. + +- If you enable this policy setting, the "Start layout" group will not be synced. + +Use the option "Allow users to turn start syncing on" so that syncing is turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "Start layout" group is on by default and configurable by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableStartLayoutSettingSync | +| Friendly Name | Do not sync start settings | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableStartLayoutSettingSync | +| ADMX File Name | SettingSync.admx | + - -ADMX Info: -- GP Friendly name: *Do not sync Apps* -- GP name: *DisableAppSyncSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* + + + + + + + +## DisableSyncOnPaidNetwork + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableSyncOnPaidNetwork +``` + + + + +Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings. + +- If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection. + +If you do not set or disable this setting, syncing on metered connections is configurable by the user. + + + + + + + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_SettingSync/DisableApplicationSettingSync** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSyncOnPaidNetwork | +| Friendly Name | Do not sync on metered connections | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableSyncOnPaidNetwork | +| ADMX File Name | SettingSync.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + + + +## DisableWindowsSettingSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableWindowsSettingSync +``` + + + + +Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings. + +- If you enable this policy setting, the "Other Windows settings" group will not be synced. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Use the option "Allow users to turn other Windows settings syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "Other Windows settings" group is on by default and configurable by the user. + + + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -This policy seting prevents the "app settings" group from syncing to and from this PC. This option turns off and disables the "app settings" group on the "sync your settings" page in PC settings. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you enable this policy setting, the "app settings" group won't be synced. +**ADMX mapping**: -Use the option "Allow users to turn app settings syncing on" so that syncing it is turned off by default but not disabled. +| Name | Value | +|:--|:--| +| Name | DisableWindowsSettingSync | +| Friendly Name | Do not sync other Windows settings | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableWindowsSettingSync | +| ADMX File Name | SettingSync.admx | + -If you don't set or disable this setting, syncing of the "app settings" group is on by default and configurable by the user. + + + - + + + + - -ADMX Info: -- GP Friendly name: *Do not sync app settings* -- GP name: *DisableApplicationSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* + - - -
    +## Related articles - -**ADMX_SettingSync/DisableCredentialsSettingSync** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy seting prevents the "passwords" group from syncing to and from this PC. This option turns off and disables the "passwords" group on the "sync your settings" page in PC settings. - -If you enable this policy setting, the "passwords" group won't be synced. - -Use the option "Allow users to turn passwords syncing on" so that syncing it is turned off by default but not disabled. - -If you don't set or disable this setting, syncing of the "passwords" group is on by default and configurable by the user. - - - - - -ADMX Info: -- GP Friendly name: *Do not sync passwords* -- GP name: *DisableCredentialsSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* - - - -
    - - -**ADMX_SettingSync/DisableDesktopThemeSettingSync** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prevents the "desktop personalization" group from syncing to and from this PC. This option turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings. - -If you enable this policy setting, the "desktop personalization" group won't be synced. - -Use the option "Allow users to turn desktop personalization syncing on" so that syncing it is turned off by default but not disabled. - -If you don't set or disable this setting, syncing of the "desktop personalization" group is on by default and configurable by the user. - - - - - -ADMX Info: -- GP Friendly name: *Do not sync desktop personalization* -- GP name: *DisableDesktopThemeSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* - - - -
    - - -**ADMX_SettingSync/DisablePersonalizationSettingSync** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prevents the "personalize" group from syncing to and from this PC. This option turns off and disables the "personalize" group on the "sync your settings" page in PC settings. - -If you enable this policy setting, the "personalize" group won't be synced. - -Use the option "Allow users to turn personalize syncing on" so that syncing it is turned off by default but not disabled. - -If you don't set or disable this setting, syncing of the "personalize" group is on by default and configurable by the user. - - - - - -ADMX Info: -- GP Friendly name: *Do not sync personalize* -- GP name: *DisablePersonalizationSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* - - - -
    - - -**ADMX_SettingSync/DisableSettingSync** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prevents syncing to and from this PC. This option turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings. - -If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC. - -Use the option "Allow users to turn syncing on" so that syncing it is turned off by default but not disabled. - -If you don't set or disable this setting, "sync your settings" is on by default and configurable by the user. - - - - - -ADMX Info: -- GP Friendly name: *Do not sync* -- GP name: *DisableSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* - - - -
    - - -**ADMX_SettingSync/DisableStartLayoutSettingSync** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prevents the "Start layout" group from syncing to and from this PC. This option turns off and disables the "Start layout" group on the "sync your settings" page in PC settings. - -If you enable this policy setting, the "Start layout" group won't be synced. - -Use the option "Allow users to turn on start syncing" so that syncing is turned off by default but not disabled. - -If you don't set or disable this setting, syncing of the "Start layout" group is on by default and configurable by the user. - - - - - -ADMX Info: -- GP Friendly name: *Do not sync start settings* -- GP name: *DisableStartLayoutSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* - - - -
    - - -**ADMX_SettingSync/DisableSyncOnPaidNetwork** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prevents syncing to and from this PC when on metered Internet connections. This option turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings. - -If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection. - -If you don't set or disable this setting, syncing on metered connections is configurable by the user. - - - - - -ADMX Info: -- GP Friendly name: *Do not sync on metered connections* -- GP name: *DisableSyncOnPaidNetwork* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* - - - -
    - - -**ADMX_SettingSync/DisableWindowsSettingSync** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prevents the "Other Windows settings" group from syncing to and from this PC. This option turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings. - -If you enable this policy setting, the "Other Windows settings" group won't be synced. - -Use the option "Allow users to turn other Windows settings syncing on" so that syncing it is turned off by default but not disabled. - -If you don't set or disable this setting, syncing of the "Other Windows settings" group is on by default and configurable by the user. - - - - - -ADMX Info: -- GP Friendly name: *Do not sync other Windows settings* -- GP name: *DisableWindowsSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* - - - -
    - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index 1aa619b1dc..0380f886fb 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md 
@@ -1,146 +1,162 @@ --- -title: Policy CSP - ADMX_SharedFolders -description: Learn about Policy CSP - ADMX_SharedFolders. +title: ADMX_SharedFolders Policy CSP +description: Learn more about the ADMX_SharedFolders Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/21/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_SharedFolders + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_SharedFolders policies + +## PublishDfsRoots -
    -
    - ADMX_SharedFolders/PublishDfsRoots -
    -
    - ADMX_SharedFolders/PublishSharedFolders -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_SharedFolders/PublishDfsRoots +``` + - -**ADMX_SharedFolders/PublishDfsRoots** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS). -If you enable or don't configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS . +- If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS . -If you disable this policy setting, users cannot publish DFS roots in AD DS and the "Publish in Active Directory" option is disabled. +- If you disable this policy setting, users cannot publish DFS roots in AD DS and the "Publish in Active Directory" option is disabled > [!NOTE] > The default is to allow shared folders to be published when this setting is not configured. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow DFS roots to be published* -- GP name: *PublishDfsRoots* -- GP path: *Shared Folders* -- GP ADMX file name: *SharedFolders.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_SharedFolders/PublishSharedFolders** +| Name | Value | +|:--|:--| +| Name | PublishDfsRoots | +| Friendly Name | Allow DFS roots to be published | +| Location | User Configuration | +| Path | Shared Folders | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\SharedFolders | +| Registry Value Name | PublishDfsRoots | +| ADMX File Name | SharedFolders.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## PublishSharedFolders - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_SharedFolders/PublishSharedFolders +``` + -
    - - - + + This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS). -If you enable or don't configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS. +- If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS. -If you disable this policy setting, users can't publish shared folders in AD DS, and the "Publish in Active Directory" option is disabled. +- If you disable this policy setting, users cannot publish shared folders in AD DS, and the "Publish in Active Directory" option is disabled > [!NOTE] > The default is to allow shared folders to be published when this setting is not configured. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow shared folders to be published* -- GP name: *PublishSharedFolders* -- GP path: *Shared Folders* -- GP ADMX file name: *SharedFolders.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | PublishSharedFolders | +| Friendly Name | Allow shared folders to be published | +| Location | User Configuration | +| Path | Shared Folders | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\SharedFolders | +| Registry Value Name | PublishSharedFolders | +| ADMX File Name | SharedFolders.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md index 7b02e8d272..ca00b3af93 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharing.md +++ b/windows/client-management/mdm/policy-csp-admx-sharing.md 
@@ -1,88 +1,160 @@ --- -title: Policy CSP - ADMX_Sharing -description: Learn about Policy CSP - ADMX_Sharing. +title: ADMX_Sharing Policy CSP +description: Learn more about the ADMX_Sharing Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/21/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Sharing + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Sharing policies + +## DisableHomeGroup -
    -
    - ADMX_Sharing/NoInplaceSharing -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Sharing/DisableHomeGroup +``` + - -**ADMX_Sharing/NoInplaceSharing** + + +This policy setting specifies whether users can add computers to a homegroup. By default, users can add their computer to a homegroup on a private network. - +- If you enable this policy setting, users cannot add computers to a homegroup. This policy setting does not affect other network sharing features. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you disable or do not configure this policy setting, users can add computers to a homegroup. However, data on a domain-joined computer is not shared with the homegroup. - -
    +This policy setting is not configured by default. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +You must restart the computer for this policy setting to take effect. + -> [!div class = "checklist"] -> * User + + + -
    + +**Description framework properties**: - - -This policy setting specifies whether users can share files within their profile. By default, users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you enable this policy setting, users can't share files within their profile using the sharing wizard. Also, the sharing wizard can't create a share at %root%\users and can only be used to create SMB shares on folders. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you disable or don't configure this policy setting, users can share files out of their user profile after an administrator has opted in the computer. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableHomeGroup | +| Friendly Name | Prevent the computer from joining a homegroup | +| Location | Computer Configuration | +| Path | Windows Components > HomeGroup | +| Registry Key Name | Software\Policies\Microsoft\Windows\HomeGroup | +| Registry Value Name | DisableHomeGroup | +| ADMX File Name | Sharing.admx | + + + + - -ADMX Info: -- GP Friendly name: *Prevent users from sharing files within their profile.* -- GP name: *NoInplaceSharing* -- GP path: *Windows Components\Network Sharing* -- GP ADMX file name: *Sharing.admx* + - - -
    + +## NoInplaceSharing + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Sharing/NoInplaceSharing +``` + -## Related topics + + +This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +- If you enable this policy setting, users cannot share files within their profile using the sharing wizard. Also, the sharing wizard cannot create a share at %root%\users and can only be used to create SMB shares on folders. + +- If you disable or don't configure this policy setting, users can share files out of their user profile after an administrator has opted in the computer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoInplaceSharing | +| Friendly Name | Prevent users from sharing files within their profile. | +| Location | User Configuration | +| Path | Windows Components > Network Sharing | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoInplaceSharing | +| ADMX File Name | Sharing.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) 
diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md index 0329365c45..d51369a170 100644 --- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md +++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md @@ -1,260 +1,293 @@ --- -title: Policy CSP - ADMX_ShellCommandPromptRegEditTools -description: Learn about Policy CSP - ADMX_ShellCommandPromptRegEditTools. +title: ADMX_ShellCommandPromptRegEditTools Policy CSP +description: Learn more about the ADMX_ShellCommandPromptRegEditTools Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_ShellCommandPromptRegEditTools -
    - - -## ADMX_ShellCommandPromptRegEditTools policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_ShellCommandPromptRegEditTools/DisallowApps -
    -
    - ADMX_ShellCommandPromptRegEditTools/DisableRegedit -
    -
    - ADMX_ShellCommandPromptRegEditTools/DisableCMD -
    -
    - ADMX_ShellCommandPromptRegEditTools/RestrictApps -
    -
    + + + + +## DisableCMD -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_ShellCommandPromptRegEditTools/DisallowApps** + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableCMD +``` + - + + +This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action. - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting prevents users from running the interactive command prompt `Cmd.exe`. - -This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. - -If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action. . - -If you disable this policy setting or don't configure it, users can run Cmd.exe and batch files normally. +- If you disable this policy setting or do not configure it, users can run Cmd.exe and batch files normally. > [!NOTE] -> Don't prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services. +> Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services. + + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Prevent access to the command prompt* -- GP name: *DisallowApps* -- GP path: *System* -- GP ADMX file name: *ShellCommandPromptRegEditTools.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | DisableCMD | +| Friendly Name | Prevent access to the command prompt | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | Shell-CommandPrompt-RegEditTools.admx | + - -**ADMX_ShellCommandPromptRegEditTools/DisableRegedit** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DisableRegedit - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableRegedit +``` + -> [!div class = "checklist"] -> * User + + +Disables the Windows registry editor Regedit.exe. -
    +- If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action. - - -This policy setting disables the Windows registry editor `Regedit.exe`. - -If you enable this policy setting and the user tries to start `Regedit.exe`, a message appears explaining that a policy setting prevents the action. - -If you disable this policy setting or don't configure it, users can run `Regedit.exe` normally. +- If you disable this policy setting or do not configure it, users can run Regedit.exe normally. To prevent users from using other administrative tools, use the "Run only specified Windows applications" policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent access to registry editing tools* -- GP name: *DisableRegedit* -- GP path: *System\Server Manager* -- GP ADMX file name: *ShellCommandPromptRegEditTools.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_ShellCommandPromptRegEditTools/DisableCMD** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableRegedit | +| Friendly Name | Prevent access to registry editing tools | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | Shell-CommandPrompt-RegEditTools.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisallowApps -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisallowApps +``` + - - -This policy setting limits the Windows programs that users have permission to run on the computer. + + +Prevents Windows from running the programs you specify in this policy setting. -If you enable this policy setting, users can only run programs that you add to the list of allowed applications. +- If you enable this policy setting, users cannot run programs that you add to the list of disallowed applications. -If you disable this policy setting or don't configure it, users can run all applications. This policy setting only prevents users from running programs that are started by the File Explorer process. +- If you disable this policy setting or do not configure it, users can run any programs. -It doesn't prevent users from running programs such as Task Manager, which is started by the system process or by other processes. Also, if users have access to the command prompt `Cmd.exe`, this policy setting doesn't prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. +This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. -Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. +> [!NOTE] +> Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. +> [!NOTE] +> To create a list of allowed applications, click Show. 
In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). + -To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (for example, Winword.exe, Poledit.exe, Powerpnt.exe). + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Run only specified Windows applications* -- GP name: *DisableCMD* -- GP path: *System* -- GP ADMX file name: *ShellCommandPromptRegEditTools.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_ShellCommandPromptRegEditTools/RestrictApps** +| Name | Value | +|:--|:--| +| Name | DisallowApps | +| Friendly Name | Don't run specified Windows applications | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisallowRun | +| ADMX File Name | Shell-CommandPrompt-RegEditTools.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## RestrictApps - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/RestrictApps +``` + -
    + + +Limits the Windows programs that users have permission to run on the computer. - - -This policy setting prevents Windows from running the programs you specify in this policy setting. +- If you enable this policy setting, users can only run programs that you add to the list of allowed applications. -If you enable this policy setting, users can't run programs that you add to the list of disallowed applications. +- If you disable this policy setting or do not configure it, users can run all applications. -If you disable this policy setting or don't configure it, users can run any programs. +This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. -This policy setting only prevents users from running programs that are started by the File Explorer process. It doesn't prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting doesn't prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. +> [!NOTE] +> Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. +> [!NOTE] +> To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). + -Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. 
+ + + -To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (for example, Winword.exe, Poledit.exe, Powerpnt.exe). + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Don't run specified Windows applications* -- GP name: *RestrictApps* -- GP path: *System* -- GP ADMX file name: *ShellCommandPromptRegEditTools.admx* +| Name | Value | +|:--|:--| +| Name | RestrictApps | +| Friendly Name | Run only specified Windows applications | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | RestrictRun | +| ADMX File Name | Shell-CommandPrompt-RegEditTools.admx | + - - + + + - + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index 859415fe2f..ddfeafcb32 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md 
@@ -1,880 +1,1032 @@ --- -title: Policy CSP - ADMX_Smartcard -description: Learn about Policy CSP - ADMX_Smartcard. +title: ADMX_Smartcard Policy CSP +description: Learn more about the ADMX_Smartcard Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/23/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/23/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Smartcard + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Smartcard policies + +## AllowCertificatesWithNoEKU -
    -
    - ADMX_Smartcard/AllowCertificatesWithNoEKU -
    -
    - ADMX_Smartcard/AllowIntegratedUnblock -
    -
    - ADMX_Smartcard/AllowSignatureOnlyKeys -
    -
    - ADMX_Smartcard/AllowTimeInvalidCertificates -
    -
    - ADMX_Smartcard/CertPropEnabledString -
    -
    - ADMX_Smartcard/CertPropRootCleanupString -
    -
    - ADMX_Smartcard/CertPropRootEnabledString -
    -
    - ADMX_Smartcard/DisallowPlaintextPin -
    -
    - ADMX_Smartcard/EnumerateECCCerts -
    -
    - ADMX_Smartcard/FilterDuplicateCerts -
    -
    - ADMX_Smartcard/ForceReadingAllCertificates -
    -
    - ADMX_Smartcard/IntegratedUnblockPromptString -
    -
    - ADMX_Smartcard/ReverseSubject -
    -
    - ADMX_Smartcard/SCPnPEnabled -
    -
    - ADMX_Smartcard/SCPnPNotification -
    -
    - ADMX_Smartcard/X509HintsNeeded -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/AllowCertificatesWithNoEKU +``` + -
    + + +This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. - -**ADMX_Smartcard/AllowCertificatesWithNoEKU** +In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an extended key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. - +- If you enable this policy setting, certificates with the following attributes can also be used to log on with a smart card: + - Certificates with no EKU + - Certificates with an All Purpose EKU + - Certificates with a Client Authentication EKU -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you disable or do not configure this policy setting, only certificates that contain the smart card logon object identifier can be used to log on with a smart card. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for signing in. +**ADMX mapping**: -In versions of Windows, prior to Windows Vista, smart card certificates that are used for a sign-in require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. +| Name | Value | +|:--|:--| +| Name | AllowCertificatesWithNoEKU | +| Friendly Name | Allow certificates with no extended key usage certificate attribute | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | AllowCertificatesWithNoEKU | +| ADMX File Name | Smartcard.admx | + -If you enable this policy setting, certificates with the following attributes can also be used to sign in on with a smart card: + + + -- Certificates with no EKU -- Certificates with an All Purpose EKU -- Certificates with a Client Authentication EKU + -If you disable or don't configure this policy setting, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card. + +## AllowIntegratedUnblock - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/AllowIntegratedUnblock +``` + - -ADMX Info: -- GP Friendly name: *Allow certificates with no extended key usage certificate attribute* -- GP name: *AllowCertificatesWithNoEKU* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* - - - -
    - - -**ADMX_Smartcard/AllowIntegratedUnblock** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). -In order to use the integrated unblock feature, your smart card must support this feature. Check with your hardware manufacturer to see if your smart card supports this feature. +In order to use the integrated unblock feature your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports this feature. -If you enable this policy setting, the integrated unblock feature will be available. +- If you enable this policy setting, the integrated unblock feature will be available. -If you disable or don't configure this policy setting then the integrated unblock feature won't be available. +- If you disable or do not configure this policy setting then the integrated unblock feature will not be available. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow Integrated Unblock screen to be displayed at the time of logon* -- GP name: *AllowIntegratedUnblock* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Smartcard/AllowSignatureOnlyKeys** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowIntegratedUnblock | +| Friendly Name | Allow Integrated Unblock screen to be displayed at the time of logon | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | AllowIntegratedUnblock | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowSignatureOnlyKeys -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/AllowSignatureOnlyKeys +``` + - - -This policy setting lets you allow signature key-based certificates to be enumerated and available for a sign in. + + +This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. -If you enable this policy setting, then any certificates available on the smart card with a signature only key will be listed on the sign-in screen. +- If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen. -If you disable or don't configure this policy setting, any available smart card signature key-based certificates won't be listed on the sign-in screen. +- If you disable or do not configure this policy setting, any available smart card signature key-based certificates will not be listed on the logon screen. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow signature keys valid for Logon* -- GP name: *AllowSignatureOnlyKeys* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Smartcard/AllowTimeInvalidCertificates** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowSignatureOnlyKeys | +| Friendly Name | Allow signature keys valid for Logon | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | AllowSignatureOnlyKeys | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowTimeInvalidCertificates -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/AllowTimeInvalidCertificates +``` + - - -This policy setting permits those certificates to be displayed for a sign-in, which are either expired or not yet valid. + + +This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. -Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls displaying of the certificate on the client machine. +Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls the displaying of the certificate on the client machine. -If you enable this policy setting, certificates will be listed on the sign-in screen regardless of whether they have an invalid time or their time validity has expired. +- If you enable this policy setting certificates will be listed on the logon screen regardless of whether they have an invalid time or their time validity has expired. -If you disable or don't configure this policy setting, certificates that are expired or not yet valid won't be listed on the sign-in screen. +- If you disable or do not configure this policy setting, certificates which are expired or not yet valid will not be listed on the logon screen. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow time invalid certificates* -- GP name: *AllowTimeInvalidCertificates* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Smartcard/CertPropEnabledString** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowTimeInvalidCertificates | +| Friendly Name | Allow time invalid certificates | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | AllowTimeInvalidCertificates | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CertPropEnabledString -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/CertPropEnabledString +``` + - - + + This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. -If you enable or don't configure this policy setting then certificate propagation will occur when you insert your smart card. +- If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card. -If you disable this policy setting, certificate propagation won't occur and the certificates won't be made available to applications such as Outlook. +- If you disable this policy setting, certificate propagation will not occur and the certificates will not be made available to applications such as Outlook. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on certificate propagation from smart card* -- GP name: *CertPropEnabledString* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Smartcard/CertPropRootCleanupString** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CertPropEnabledString | +| Friendly Name | Turn on certificate propagation from smart card | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CertProp | +| Registry Value Name | CertPropEnabled | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CertPropRootCleanupString -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/CertPropRootCleanupString +``` + - - -This policy setting allows you to manage the cleanup behavior of root certificates. + + +This policy setting allows you to manage the clean up behavior of root certificates. +- If you enable this policy setting then root certificate cleanup will occur according to the option selected. +- If you disable or do not configure this setting then root certificate clean up will occur on log off. + -If you enable this policy setting, then root certificate cleanup will occur according to the option selected. + + + -If you disable or don't configure this setting then root certificate cleanup will occur on a sign out. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Configure root certificate clean up* -- GP name: *CertPropRootCleanupString* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | CertPropRootCleanupString | +| Friendly Name | Configure root certificate clean up | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CertProp | +| ADMX File Name | Smartcard.admx | + - -**ADMX_Smartcard/CertPropRootEnabledString** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## CertPropRootEnabledString - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/CertPropRootEnabledString +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. -If you enable or don't configure this policy setting then root certificate propagation will occur when you insert your smart card. +- If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card. > [!NOTE] -> For this policy setting to work this policy setting must also be enabled: "Turn on certificate propagation from smart card". +> For this policy setting to work the following policy setting must also be enabled Turn on certificate propagation from smart card. -If you disable this policy setting, then root certificates won't be propagated from the smart card. +- If you disable this policy setting then root certificates will not be propagated from the smart card. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on root certificate propagation from smart card* -- GP name: *CertPropRootEnabledString* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Smartcard/DisallowPlaintextPin** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CertPropRootEnabledString | +| Friendly Name | Turn on root certificate propagation from smart card | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CertProp | +| Registry Value Name | EnableRootCertificatePropagation | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisallowPlaintextPin -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/DisallowPlaintextPin +``` + - - + + This policy setting prevents plaintext PINs from being returned by Credential Manager. -If you enable this policy setting, Credential Manager doesn't return a plaintext PIN. +- If you enable this policy setting, Credential Manager does not return a plaintext PIN. -If you disable or don't configure this policy setting, plaintext PINs can be returned by Credential Manager. +- If you disable or do not configure this policy setting, plaintext PINs can be returned by Credential Manager. > [!NOTE] > Enabling this policy setting could prevent certain smart cards from working on Windows. Please consult your smart card manufacturer to find out whether you will be affected by this policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent plaintext PINs from being returned by Credential Manager* -- GP name: *DisallowPlaintextPin* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Smartcard/EnumerateECCCerts** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisallowPlaintextPin | +| Friendly Name | Prevent plaintext PINs from being returned by Credential Manager | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | DisallowPlaintextPin | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnumerateECCCerts -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/EnumerateECCCerts +``` + - - -This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign-in to a domain. + + +This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. -If you enable this policy setting, ECC certificates on a smart card can be used to sign in to a domain. +- If you enable this policy setting, ECC certificates on a smart card can be used to log on to a domain. -If you disable or don't configure this policy setting, ECC certificates on a smart card can't be used to sign in to a domain. +- If you disable or do not configure this policy setting, ECC certificates on a smart card cannot be used to log on to a domain. > [!NOTE] > This policy setting only affects a user's ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting. +> [!NOTE] > If you use an ECDSA key to log on, you must also have an associated ECDH key to permit logons when you are not connected to the network. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow ECC certificates to be used for logon and authentication* -- GP name: *EnumerateECCCerts* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Smartcard/FilterDuplicateCerts** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnumerateECCCerts | +| Friendly Name | Allow ECC certificates to be used for logon and authentication | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | EnumerateECCCerts | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## FilterDuplicateCerts -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/FilterDuplicateCerts +``` + - - -This policy setting lets you configure if all your valid logon certificates are displayed. + + +This policy settings lets you configure if all your valid logon certificates are displayed. -During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This scenario can cause confusion as to which certificate to select for a sign in. The common case for this behavior is when a certificate is renewed and the old one hasn't yet expired. Two certificates are determined to be the same if they're issued from the same template with the same major version and they're for the same user (determined by their UPN). +During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN). -If there are two or more of the "same" certificate on a smart card and this policy is enabled, then the certificate that is used for a sign in on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the certificate with the expiration time furthest in the future will be shown. +If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certificate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the the certificate with the expiration time furthest in the future will be shown. 
> [!NOTE] -> This setting will be applied after this policy: "Allow time invalid certificates" +> This setting will be applied after the following policy "Allow time invalid certificates" -If you enable or don't configure this policy setting, filtering will take place. +- If you enable or do not configure this policy setting, filtering will take place. -If you disable this policy setting, no filtering will take place. +- If you disable this policy setting, no filtering will take place. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Filter duplicate logon certificates* -- GP name: *FilterDuplicateCerts* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Smartcard/ForceReadingAllCertificates** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | FilterDuplicateCerts | +| Friendly Name | Filter duplicate logon certificates | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | FilterDuplicateCerts | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ForceReadingAllCertificates -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/ForceReadingAllCertificates +``` + - - -This policy setting allows you to manage the reading of all certificates from the smart card for a sign-in. + + +This policy setting allows you to manage the reading of all certificates from the smart card for logon. -During a sign-in, Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This setting can introduce a significant performance decrease in certain situations. Contact your smart card vendor to determine if your smart card and associated CSP supports the required behavior. +During logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a significant performance decrease in certain situations. Please contact your smart card vendor to determine if your smart card and associated CSP supports the required behavior. -If you enable this setting, then Windows will attempt to read all certificates from the smart card regardless of the feature set of the CSP. +- If you enable this setting, then Windows will attempt to read all certificates from the smart card regardless of the feature set of the CSP. -If you disable or don't configure this setting, Windows will only attempt to read the default certificate from those cards that don't support retrieval of all certificates in a single call. Certificates other than the default won't be available for a sign in. +- If you disable or do not configure this setting, Windows will only attempt to read the default certificate from those cards that do not support retrieval of all certificates in a single call. Certificates other than the default will not be available for logon. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Force the reading of all certificates from the smart card* -- GP name: *ForceReadingAllCertificates* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Smartcard/IntegratedUnblockPromptString** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ForceReadingAllCertificates | +| Friendly Name | Force the reading of all certificates from the smart card | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | ForceReadingAllCertificates | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntegratedUnblockPromptString -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/IntegratedUnblockPromptString +``` + - - + + This policy setting allows you to manage the displayed message when a smart card is blocked. -If you enable this policy setting, the specified message will be displayed to the user when the smart card is blocked. +- If you enable this policy setting, the specified message will be displayed to the user when the smart card is blocked. > [!NOTE] -> The following policy setting must be enabled: "Allow Integrated Unblock screen to be displayed at the time of logon". +> The following policy setting must be enabled - Allow Integrated Unblock screen to be displayed at the time of logon. -If you disable or don't configure this policy setting, the default message will be displayed to the user when the smart card is blocked, if the integrated unblock feature is enabled. +- If you disable or do not configure this policy setting, the default message will be displayed to the user when the smart card is blocked, if the integrated unblock feature is enabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display string when smart card is blocked* -- GP name: *IntegratedUnblockPromptString* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Smartcard/ReverseSubject** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IntegratedUnblockPromptString | +| Friendly Name | Display string when smart card is blocked | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ReverseSubject -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/ReverseSubject +``` + - - -This policy setting lets you reverse the subject name from how it's stored in the certificate when displaying it during a sign in. + + +This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. -By default the User Principal Name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN isn't present, then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization. +By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization. -If you enable this policy setting or don't configure this setting, then the subject name will be reversed. +- If you enable this policy setting or do not configure this setting, then the subject name will be reversed. -If you disable, the subject name will be displayed as it appears in the certificate. +If you disable , the subject name will be displayed as it appears in the certificate. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Reverse the subject name stored in a certificate when displaying* -- GP name: *ReverseSubject* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Smartcard/SCPnPEnabled** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ReverseSubject | +| Friendly Name | Reverse the subject name stored in a certificate when displaying | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | ReverseSubject | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SCPnPEnabled -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/SCPnPEnabled +``` + - - + + This policy setting allows you to control whether Smart Card Plug and Play is enabled. -If you enable or don't configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time. +- If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time. -If you disable this policy setting, Smart Card Plug and Play will be disabled and a device driver won't be installed when a card is inserted in a Smart Card Reader. +- If you disable this policy setting, Smart Card Plug and Play will be disabled and a device driver will not be installed when a card is inserted in a Smart Card Reader. > [!NOTE] > This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on Smart Card Plug and Play service* -- GP name: *SCPnPEnabled* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Smartcard/SCPnPNotification** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SCPnPEnabled | +| Friendly Name | Turn on Smart Card Plug and Play service | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScPnP | +| Registry Value Name | EnableScPnP | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SCPnPNotification -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/SCPnPNotification +``` + - - + + This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. -If you enable or don't configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed. +- If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed. -If you disable this policy setting, a confirmation message won't be displayed when a smart card device driver is installed. +- If you disable this policy setting, a confirmation message will not be displayed when a smart card device driver is installed. > [!NOTE] > This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Notify user of successful smart card driver installation* -- GP name: *SCPnPNotification* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Smartcard/X509HintsNeeded** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SCPnPNotification | +| Friendly Name | Notify user of successful smart card driver installation | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScPnP | +| Registry Value Name | ScPnPNotification | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## X509HintsNeeded -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/X509HintsNeeded +``` + - - -This policy setting lets you determine whether an optional field will be displayed during a sign-in and elevation that allows users to enter their user name or user name and domain, thereby associating a certificate with the users. + + +This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. -If you enable this policy setting, then an optional field that allows a user to enter their user name or user name and domain will be displayed. +- If you enable this policy setting then an optional field that allows a user to enter their user name or user name and domain will be displayed. -If you disable or don't configure this policy setting, an optional field that allows users to enter their user name or user name and domain won't be displayed. +- If you disable or do not configure this policy setting, an optional field that allows users to enter their user name or user name and domain will not be displayed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow user name hint* -- GP name: *X509HintsNeeded* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | X509HintsNeeded | +| Friendly Name | Allow user name hint | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | X509HintsNeeded | +| ADMX File Name | Smartcard.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md index 7d3c267de8..3621590388 100644 --- a/windows/client-management/mdm/policy-csp-admx-snmp.md +++ b/windows/client-management/mdm/policy-csp-admx-snmp.md 
@@ -1,222 +1,247 @@ --- -title: Policy CSP - ADMX_Snmp -description: Learn about Policy CSP - ADMX_Snmp. +title: ADMX_Snmp Policy CSP +description: Learn more about the ADMX_Snmp Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/24/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Snmp + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Snmp policies + +## SNMP_Communities -
    -
    - ADMX_Snmp/SNMP_Communities -
    -
    - ADMX_Snmp/SNMP_PermittedManagers -
    -
    - ADMX_Snmp/SNMP_Traps_Public -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Snmp/SNMP_Communities +``` + -
    - - -**ADMX_Snmp/SNMP_Communities** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service. SNMP is a protocol designed to give a user the capability to remotely manage a computer network, by polling and setting terminal values and monitoring network events. A valid community is a community recognized by the SNMP service, while a community is a group of hosts (servers, workstations, hubs, and routers) that are administered together by SNMP. The SNMP service is a managed network node that receives SNMP packets from the network. -If you enable this policy setting, the SNMP agent only accepts requests from management systems within the communities it recognizes, and only SNMP Read operation is allowed for the community. +- If you enable this policy setting, the SNMP agent only accepts requests from management systems within the communities it recognizes, and only SNMP Read operation is allowed for the community. -If you disable or don't configure this policy setting, the SNMP service takes the Valid Communities configured on the local computer instead. +- If you disable or do not configure this policy setting, the SNMP service takes the Valid Communities configured on the local computer instead. Best practice: For security purposes, it is recommended to restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\ValidCommunities key to allow only the local admin group full control. > [!NOTE] -> - It is good practice to use a cryptic community name. -> - This policy setting has no effect if the SNMP agent isn't installed on the client computer. +> It is good practice to use a cryptic community name. + +> [!NOTE] +> This policy setting has no effect if the SNMP agent is not installed on the client computer. Also, see the other two SNMP settings: "Specify permitted managers" and "Specify trap configuration". 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify communities* -- GP name: *SNMP_Communities* -- GP path: *Network\SNMP* -- GP ADMX file name: *Snmp.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Snmp/SNMP_PermittedManagers** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SNMP_Communities | +| Friendly Name | Specify communities | +| Location | Computer Configuration | +| Path | Network > SNMP | +| Registry Key Name | Software\Policies\SNMP\Parameters | +| ADMX File Name | Snmp.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SNMP_PermittedManagers -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Snmp/SNMP_PermittedManagers +``` + - - + + This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. The manager is located on the host computer on the network. The manager's role is to poll the agents for certain requested information. -If you enable this policy setting, the SNMP agent only accepts requests from the list of permitted managers that you configure using this setting. +- If you enable this policy setting, the SNMP agent only accepts requests from the list of permitted managers that you configure using this setting. -If you disable or don't configure this policy setting, SNMP service takes the permitted managers configured on the local computer instead. +- If you disable or do not configure this policy setting, SNMP service takes the permitted managers configured on the local computer instead. Best practice: For security purposes, it is recommended to restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\PermittedManagers key to allow only the local admin group full control. > [!NOTE] -> This policy setting has no effect if the SNMP agent isn't installed on the client computer. +> This policy setting has no effect if the SNMP agent is not installed on the client computer. Also, see the other two SNMP policy settings: "Specify trap configuration" and "Specify Community Name". 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify permitted managers* -- GP name: *SNMP_PermittedManagers* -- GP path: *Network\SNMP* -- GP ADMX file name: *Snmp.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Snmp/SNMP_Traps_Public** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SNMP_PermittedManagers | +| Friendly Name | Specify permitted managers | +| Location | Computer Configuration | +| Path | Network > SNMP | +| Registry Key Name | Software\Policies\SNMP\Parameters | +| ADMX File Name | Snmp.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SNMP_Traps_Public -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Snmp/SNMP_Traps_Public +``` + - - + + This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. This policy setting allows you to configure the name of the hosts that receive trap messages for the community sent by the SNMP service. A trap message is an alert or significant event that allows the SNMP agent to notify management systems asynchronously. -If you enable this policy setting, the SNMP service sends trap messages to the hosts within the "public" community. +- If you enable this policy setting, the SNMP service sends trap messages to the hosts within the "public" community. -If you disable or don't configure this policy setting, the SNMP service takes the trap configuration configured on the local computer instead. +- If you disable or do not configure this policy setting, the SNMP service takes the trap configuration configured on the local computer instead. > [!NOTE] -> This setting has no effect if the SNMP agent isn't installed on the client computer. +> This setting has no effect if the SNMP agent is not installed on the client computer. Also, see the other two SNMP settings: "Specify permitted managers" and "Specify Community Name". + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify traps for public community* -- GP name: *SNMP_Traps_Public* -- GP path: *Network\SNMP* -- GP ADMX file name: *Snmp.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | SNMP_Traps_Public | +| Friendly Name | Specify traps for public community | +| Location | Computer Configuration | +| Path | Network > SNMP | +| Registry Key Name | Software\Policies\SNMP\Parameters | +| ADMX File Name | Snmp.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md index 9a1a7a7fd8..2c0c32056e 100644 --- a/windows/client-management/mdm/policy-csp-admx-soundrec.md +++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md @@ -1,142 +1,160 @@ --- -title: Policy CSP - ADMX_SoundRec -description: Learn about Policy CSP - ADMX_SoundRec. +title: ADMX_SoundRec Policy CSP +description: Learn more about the ADMX_SoundRec Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/01/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_SoundRec -
    - - -## ADMX_SoundRec policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1 -
    -
    - ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2 -
    -
    + + + + +## Soundrec_DiableApplication_TitleText_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1** + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1 +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy specifies whether Sound Recorder can run. + + +Specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. -If you enable this policy setting, Sound Recorder won't run. +- If you enable this policy setting, Sound Recorder will not run. -If you disable or don't configure this policy setting, Sound Recorder can run. +- If you disable or do not configure this policy setting, Sound Recorder can be run. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow Sound Recorder to run* -- GP name: *Soundrec_DiableApplication_TitleText_1* -- GP path: *Windows Components\Sound Recorder* -- GP ADMX file name: *SettingSync.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Soundrec_DiableApplication_TitleText_1 | +| Friendly Name | Do not allow Sound Recorder to run | +| Location | User Configuration | +| Path | Windows Components > Sound Recorder | +| Registry Key Name | SOFTWARE\Policies\Microsoft\SoundRecorder | +| Registry Value Name | Soundrec | +| ADMX File Name | SoundRec.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Soundrec_DiableApplication_TitleText_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2 +``` + - - -This policy specifies whether Sound Recorder can run. + + +Specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. -If you enable this policy setting, Sound Recorder won't run. +- If you enable this policy setting, Sound Recorder will not run. -If you disable or don't configure this policy setting, Sound Recorder can be run. +- If you disable or do not configure this policy setting, Sound Recorder can be run. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow Sound Recorder to run* -- GP name: *Soundrec_DiableApplication_TitleText_2* -- GP path: *Windows Components\Sound Recorder* -- GP ADMX file name: *SettingSync.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +| Name | Value | +|:--|:--| +| Name | Soundrec_DiableApplication_TitleText_2 | +| Friendly Name | Do not allow Sound Recorder to run | +| Location | Computer Configuration | +| Path | Windows Components > Sound Recorder | +| Registry Key Name | SOFTWARE\Policies\Microsoft\SoundRecorder | +| Registry Value Name | Soundrec | +| ADMX File Name | SoundRec.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md index d56e6b36ff..11e6d2fff2 100644 --- a/windows/client-management/mdm/policy-csp-admx-srmfci.md +++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md 
@@ -1,137 +1,277 @@
 ---
-title: Policy CSP - ADMX_srmfci
-description: Learn about Policy CSP - ADMX_srmfci.
+title: ADMX_srmfci Policy CSP
+description: Learn more about the ADMX_srmfci Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/09/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 09/18/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - ADMX_srmfci
 > [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
    + + + - -## ADMX_srmfci policies + +## AccessDeniedConfiguration -
    -
    - ADMX_srmfci/EnableShellAccessCheck -
    -
    - ADMX_srmfci/AccessDeniedConfiguration -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_srmfci/AccessDeniedConfiguration +``` + -
    + + +This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send an email to request access to the file or folder to which they were denied access. - -**ADMX_srmfci/EnableShellAccessCheck** +- If you enable this policy setting, users receive a customized Access Denied message from the file servers on which this policy setting is applied. - +- If you disable this policy setting, users see a standard Access Denied message that doesn't provide any of the functionality controlled by this policy setting, regardless of the file server configuration. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you do not configure this policy setting, users see a standard Access Denied message unless the file server is configured to display the customized Access Denied message. By default, users see the standard Access Denied message. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This group policy setting should be set on Windows clients to enable access-denied assistance for all file types. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AccessDeniedConfiguration | +| Friendly Name | Customize message for Access Denied errors | +| Location | Computer Configuration | +| Path | System > Access-Denied Assistance | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ADR\AccessDenied | +| Registry Value Name | Enabled | +| ADMX File Name | srm-fci.admx | + + + + - -ADMX Info: -- GP Friendly name: *Enable access-denied assistance on client for all file types* -- GP name: *EnableShellAccessCheck* -- GP path: *System\Access-Denied Assistance* -- GP ADMX file name: *srmfci.admx* + - - -
    + +## CentralClassificationList - -**ADMX_srmfci/AccessDeniedConfiguration** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_srmfci/CentralClassificationList +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy setting controls which set of properties is available for classifying files on affected computers. - -
    +Administrators can define the properties for the organization by using Active Directory Domain Services (AD DS), and then group these properties into lists. Administrators can supplement these properties on individual file servers by using File Classification Infrastructure, which is part of the File Server Resource Manager role service. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you enable this policy setting, you can select which list of properties is available for classification on the affected computers. -> [!div class = "checklist"] -> * Device +- If you disable or do not configure this policy setting, the Global Resource Property List in AD DS provides the default set of properties. + -
    + + + - - -This policy setting specifies the message that users see when they're denied access to a file or folder. You can customize the Access Denied message to include more text and links. You can also provide users with the ability to send an email to request access to the file or folder to which they were denied access. + +**Description framework properties**: -If you enable this policy setting, users receive a customized Access Denied message from the file servers on which this policy setting is applied. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you disable this policy setting, users see a standard Access Denied message that doesn't provide any of the functionalities controlled by this policy setting, regardless of the file server configuration. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you don't configure this policy setting, users see a standard Access Denied message unless the file server is configured to display the customized Access Denied message. By default, users see the standard Access Denied message. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CentralClassificationList | +| Friendly Name | File Classification Infrastructure: Specify classification properties list | +| Location | Computer Configuration | +| Path | System > File Classification Infrastructure | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\FCI | +| ADMX File Name | srm-fci.admx | + - -ADMX Info: -- GP Friendly name: *Customize message for Access Denied errors* -- GP name: *AccessDeniedConfiguration* -- GP path: *System\Access-Denied Assistance* -- GP ADMX file name: *srmfci.admx* + + + - - -
    + + +## EnableManualUX - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -## Related topics + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_srmfci/EnableManualUX +``` + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + +This policy setting controls whether the Classification tab is displayed in the Properties dialog box in File Explorer. + +The Classification tab enables users to manually classify files by selecting properties from a list. Administrators can define the properties for the organization by using Group Policy, and supplement these with properties defined on individual file servers by using File Classification Infrastructure, which is part of the File Server Resource Manager role service. + +- If you enable this policy setting, the Classification tab is displayed. + +- If you disable or do not configure this policy setting, the Classification tab is hidden. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableManualUX | +| Friendly Name | File Classification Infrastructure: Display Classification tab in File Explorer | +| Location | Computer Configuration | +| Path | System > File Classification Infrastructure | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\FCI | +| Registry Value Name | EnableManualUX | +| ADMX File Name | srm-fci.admx | + + + + + + + + + +## EnableShellAccessCheck + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_srmfci/EnableShellAccessCheck +``` + + + + +This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableShellAccessCheck | +| Friendly Name | Enable access-denied assistance on client for all file types | +| Location | Computer Configuration | +| Path | System > Access-Denied Assistance | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | EnableShellExecuteFileStreamCheck | +| ADMX File Name | srm-fci.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index aff23491ae..b4ffcc734a 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md 
@@ -1,3533 +1,4233 @@
 ---
-title: Policy CSP - ADMX_StartMenu
-description: Learn about Policy CSP - ADMX_StartMenu.
+title: ADMX_StartMenu Policy CSP
+description: Learn more about the ADMX_StartMenu Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/09/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 10/20/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - ADMX_StartMenu
+
 > [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
    + + + - -## ADMX_StartMenu policies + +## AddSearchInternetLinkInStartMenu -
    -
    - ADMX_StartMenu/AddSearchInternetLinkInStartMenu -
    -
    - ADMX_StartMenu/ClearRecentDocsOnExit -
    -
    - ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu -
    -
    - ADMX_StartMenu/ClearTilesOnExit -
    -
    - ADMX_StartMenu/DesktopAppsFirstInAppsView -
    -
    - ADMX_StartMenu/DisableGlobalSearchOnAppsView -
    -
    - ADMX_StartMenu/ForceStartMenuLogOff -
    -
    - ADMX_StartMenu/GoToDesktopOnSignIn -
    -
    - ADMX_StartMenu/GreyMSIAds -
    -
    - ADMX_StartMenu/HidePowerOptions -
    -
    - ADMX_StartMenu/Intellimenus -
    -
    - ADMX_StartMenu/LockTaskbar -
    -
    - ADMX_StartMenu/MemCheckBoxInRunDlg -
    -
    - ADMX_StartMenu/NoAutoTrayNotify -
    -
    - ADMX_StartMenu/NoBalloonTip -
    -
    - ADMX_StartMenu/NoChangeStartMenu -
    -
    - ADMX_StartMenu/NoClose -
    -
    - ADMX_StartMenu/NoCommonGroups -
    -
    - ADMX_StartMenu/NoFavoritesMenu -
    -
    - ADMX_StartMenu/NoFind -
    -
    - ADMX_StartMenu/NoGamesFolderOnStartMenu -
    -
    - ADMX_StartMenu/NoHelp -
    -
    - ADMX_StartMenu/NoInstrumentation -
    -
    - ADMX_StartMenu/NoMoreProgramsList -
    -
    - ADMX_StartMenu/NoNetAndDialupConnect -
    -
    - ADMX_StartMenu/NoPinnedPrograms -
    -
    - ADMX_StartMenu/NoRecentDocsMenu -
    -
    - ADMX_StartMenu/NoResolveSearch -
    -
    - ADMX_StartMenu/NoResolveTrack -
    -
    - ADMX_StartMenu/NoRun -
    -
    - ADMX_StartMenu/NoSMConfigurePrograms -
    -
    - ADMX_StartMenu/NoSMMyDocuments -
    -
    - ADMX_StartMenu/NoSMMyMusic -
    -
    - ADMX_StartMenu/NoSMMyNetworkPlaces -
    -
    - ADMX_StartMenu/NoSMMyPictures -
    -
    - ADMX_StartMenu/NoSearchCommInStartMenu -
    -
    - ADMX_StartMenu/NoSearchComputerLinkInStartMenu -
    -
    - ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu -
    -
    - ADMX_StartMenu/NoSearchFilesInStartMenu -
    -
    - ADMX_StartMenu/NoSearchInternetInStartMenu -
    -
    - ADMX_StartMenu/NoSearchProgramsInStartMenu -
    -
    - ADMX_StartMenu/NoSetFolders -
    -
    - ADMX_StartMenu/NoSetTaskbar -
    -
    - ADMX_StartMenu/NoStartMenuDownload -
    -
    - ADMX_StartMenu/NoStartMenuHomegroup -
    -
    - ADMX_StartMenu/NoStartMenuRecordedTV -
    -
    - ADMX_StartMenu/NoStartMenuSubFolders -
    -
    - ADMX_StartMenu/NoStartMenuVideos -
    -
    - ADMX_StartMenu/NoStartPage -
    -
    - ADMX_StartMenu/NoTaskBarClock -
    -
    - ADMX_StartMenu/NoTaskGrouping -
    -
    - ADMX_StartMenu/NoToolbarsOnTaskbar -
    -
    - ADMX_StartMenu/NoTrayContextMenu -
    -
    - ADMX_StartMenu/NoTrayItemsDisplay -
    -
    - ADMX_StartMenu/NoUninstallFromStart -
    -
    - ADMX_StartMenu/NoUserFolderOnStartMenu -
    -
    - ADMX_StartMenu/NoUserNameOnStartMenu -
    -
    - ADMX_StartMenu/NoWindowsUpdate -
    -
    - ADMX_StartMenu/PowerButtonAction -
    -
    - ADMX_StartMenu/QuickLaunchEnabled -
    -
    - ADMX_StartMenu/RemoveUnDockPCButton -
    -
    - ADMX_StartMenu/ShowAppsViewOnStart -
    -
    - ADMX_StartMenu/ShowRunAsDifferentUserInStart -
    -
    - ADMX_StartMenu/ShowRunInStartMenu -
    -
    - ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey -
    -
    - ADMX_StartMenu/StartMenuLogOff -
    -
    - ADMX_StartMenu/StartPinAppsWhenInstalled -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/AddSearchInternetLinkInStartMenu +``` + -
    + + +- If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms. - -**ADMX_StartMenu/AddSearchInternetLinkInStartMenu** +- If you disable this policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box. - +- If you do not configure this policy (default), there will not be a "Search the Internet" link on the start menu. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * User + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - - -If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms. +| Name | Value | +|:--|:--| +| Name | AddSearchInternetLinkInStartMenu | +| Friendly Name | Add Search Internet link to Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | AddSearchInternetLinkInStartMenu | +| ADMX File Name | StartMenu.admx | + -If you disable this policy, there won't be a "Search the Internet" link when the user performs a search in the start menu search box. + + + -If you don't configure this policy (default), there won't be a "Search the Internet" link on the start menu. + - + +## ClearRecentDocsOnExit + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Add Search Internet link to Start Menu* -- GP name: *AddSearchInternetLinkInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ClearRecentDocsOnExit +``` + - - -
    + + +Clear history of recently opened documents on exit. - -**ADMX_StartMenu/ClearRecentDocsOnExit** +- If you enable this setting, the system deletes shortcuts to recently used document files when the user logs off. As a result, the Recent Items menu on the Start menu is always empty when the user logs on. In addition, recently and frequently used items in the Jump Lists off of programs in the Start Menu and Taskbar will be cleared when the user logs off. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting clears history of recently opened documents on exit. - -If you enable this setting, the system deletes shortcuts to recently used document files when the user signs out. As a result, the Recent Items menu on the Start menu is always empty when the user logs on. In addition, recently and frequently used items in the Jump Lists off of programs in the Start Menu and Taskbar will be cleared when the user signs out. - -If you disable or don't configure this setting, the system retains document shortcuts, and when a user logs on, the Recent Items menu and the Jump Lists appear just as it did when the user logged off. +- If you disable or do not configure this setting, the system retains document shortcuts, and when a user logs on, the Recent Items menu and the Jump Lists appear just as it did when the user logged off. > [!NOTE] > The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder. Also, see the "Remove Recent Items menu from Start Menu" and "Do not keep history of recently opened documents" policies in this folder. The system only uses this setting when neither of these related settings are selected. -This setting doesn't clear the list of recent files that Windows programs display at the bottom of the File menu. See the "Do not keep history of recently opened documents" setting. +This setting does not clear the list of recent files that Windows programs display at the bottom of the File menu. See the "Do not keep history of recently opened documents" setting. -This policy setting also doesn't hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. +This policy setting also does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. 
-This policy also doesn't clear items that the user may have pinned to the Jump Lists, or Tasks that the application has provided for their menu. See the "Do not allow pinning items in Jump Lists" setting. +This policy also does not clear items that the user may have pinned to the Jump Lists, or Tasks that the application has provided for their menu. See the "Do not allow pinning items in Jump Lists" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Clear history of recently opened documents on exit* -- GP name: *ClearRecentDocsOnExit* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ClearRecentDocsOnExit | +| Friendly Name | Clear history of recently opened documents on exit | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ClearRecentDocsOnExit | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ClearRecentProgForNewUserInStartMenu -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu +``` + - - -If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. + + +- If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. -If you disable or don't configure this policy, the start menu recent programs list will be pre-populated with programs for each new user. +- If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Clear the recent programs list for new users* -- GP name: *ClearRecentProgForNewUserInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/ClearTilesOnExit** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ClearRecentProgForNewUserInStartMenu | +| Friendly Name | Clear the recent programs list for new users | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ClearRecentProgForNewUserInStartMenu | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ClearTilesOnExit -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ClearTilesOnExit +``` + - - -If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on. + + +- If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on. -If you disable or don't configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile. +- If you disable or do not configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile. -This setting doesn't prevent new notifications from appearing. See the "Turn off Application Notifications" setting to prevent new notifications. +This setting does not prevent new notifications from appearing. See the "Turn off Application Notifications" setting to prevent new notifications. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Clear tile notifications during log on* -- GP name: *ClearTilesOnExit* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/DesktopAppsFirstInAppsView** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ClearTilesOnExit | +| Friendly Name | Clear tile notifications during log on | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ClearTilesOnExit | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DesktopAppsFirstInAppsView -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/DesktopAppsFirstInAppsView +``` + - - + + This policy setting allows desktop apps to be listed first in the Apps view in Start. -If you enable this policy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would continue to be available and the user could choose to change their default sorting options. +- If you enable this policy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would continue to be available and the user could choose to change their default sorting options. -If you disable or don't configure this policy setting, the desktop apps won't be listed first when the apps are sorted by category, and the user can configure this setting. +- If you disable or don't configure this policy setting, the desktop apps won't be listed first when the apps are sorted by category, and the user can configure this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *List desktop apps first in the Apps view* -- GP name: *DesktopAppsFirstInAppsView* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/DisableGlobalSearchOnAppsView** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DesktopAppsFirstInAppsView | +| Friendly Name | List desktop apps first in the Apps view | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DesktopAppsFirstInAppsView | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableGlobalSearchOnAppsView -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/DisableGlobalSearchOnAppsView +``` + - - -This policy setting prevents the user from searching apps, files and settings (and the web if enabled) when the user searches from the Apps view. + + +This policy setting prevents the user from searching apps, files, settings (and the web if enabled) when the user searches from the Apps view. This policy setting is only applied when the Apps view is set as the default view for Start. -If you enable this policy setting, searching from the Apps view will only search the list of installed apps. +- If you enable this policy setting, searching from the Apps view will only search the list of installed apps. -If you disable or don’t configure this policy setting, the user can configure this setting. +- If you disable or don't configure this policy setting, the user can configure this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Search just apps from the Apps view* -- GP name: *DisableGlobalSearchOnAppsView* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/ForceStartMenuLogOff** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableGlobalSearchOnAppsView | +| Friendly Name | Search just apps from the Apps view | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableGlobalSearchOnAppsView | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ForceStartMenuLogOff -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ForceStartMenuLogOff +``` + - - -This policy only applies to the classic version of the start menu and doesn't affect the new style start menu. + + +This policy only applies to the classic version of the start menu and does not affect the new style start menu. Adds the "Log Off ``" item to the Start menu and prevents users from removing it. -If you enable this setting, the Log Off `` item appears in the Start menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users can't remove the Log Off `` item from the Start Menu. +- If you enable this setting, the Log Off `` item appears in the Start menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot remove the Log Off `` item from the Start Menu. -If you disable this setting or don't configure it, users can use the Display Logoff item to add and remove the Log Off item. +- If you disable this setting or do not configure it, users can use the Display Logoff item to add and remove the Log Off item. -This setting affects the Start menu only. It doesn't affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del. +This setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del. > [!NOTE] > To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff. Also, see "Remove Logoff" in User Configuration\Administrative Templates\System\Logon/Logoff. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Add Logoff to the Start Menu* -- GP name: *ForceStartMenuLogOff* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/GoToDesktopOnSignIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ForceStartMenuLogOff | +| Friendly Name | Add Logoff to the Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ForceStartMenuLogOff | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## GoToDesktopOnSignIn -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/GoToDesktopOnSignIn +``` + - - + + This policy setting allows users to go to the desktop instead of the Start screen when they sign in. -If you enable this policy setting, users will always go to the desktop when they sign in. +- If you enable this policy setting, users will always go to the desktop when they sign in. -If you disable this policy setting, users will always go to the Start screen when they sign in. +- If you disable this policy setting, users will always go to the Start screen when they sign in. -If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. +- If you don't configure this policy setting, the default setting for the user's device will be used, and the user can choose to change it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Go to the desktop instead of Start when signing in* -- GP name: *GoToDesktopOnSignIn* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/GreyMSIAds** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | GoToDesktopOnSignIn | +| Friendly Name | Go to the desktop instead of Start when signing in | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | GoToDesktopOnSignIn | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## GreyMSIAds -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/GreyMSIAds +``` + - - + + Displays Start menu shortcuts to partially installed programs in gray text. -This setting makes it easier for users to distinguish between programs that are fully installed and those programs that are only partially installed. +This setting makes it easier for users to distinguish between programs that are fully installed and those that are only partially installed. -Partially installed programs include those programs that a system administrator assigns using Windows Installer and those programs that users have configured for full installation upon first use. +Partially installed programs include those that a system administrator assigns using Windows Installer and those that users have configured for full installation upon first use. -If you disable this setting or don't configure it, all Start menu shortcuts appear as black text. +- If you disable this setting or do not configure it, all Start menu shortcuts appear as black text. > [!NOTE] > Enabling this setting can make the Start menu slow to open. + - -> + + + - -ADMX Info: -- GP Friendly name: *Gray unavailable Windows Installer programs Start Menu shortcuts* -- GP name: *GreyMSIAds* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_StartMenu/HidePowerOptions** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | GreyMSIAds | +| Friendly Name | Gray unavailable Windows Installer programs Start Menu shortcuts | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | GreyMSIAds | +| ADMX File Name | StartMenu.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## HidePowerOptions -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting prevents users from performing the following commands from the Windows security screen, the sign-in screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting doesn't prevent users from running Windows-based programs that perform these functions. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/HidePowerOptions +``` + -If you enable this policy setting, the shutdown, restart, sleep, and hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE, and from the sign in screen. + + +This policy setting prevents users from performing the following commands from the Windows security screen, the logon screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. -If you disable or don't configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security and sign-in screens is also available. +- If you enable this policy setting, the shutdown, restart, sleep, and hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE, and from the logon screen. - +- If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security and logon screens is also available. 
+ + + + - -ADMX Info: -- GP Friendly name: *Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands* -- GP name: *HidePowerOptions* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_StartMenu/Intellimenus** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | HidePowerOptions | +| Friendly Name | Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands | +| Location | Computer Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | HidePowerOptions | +| ADMX File Name | StartMenu.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## Intellimenus -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy seting disables personalized menus. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/Intellimenus +``` + -Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that haven't been used recently. Users can display the hidden items by clicking an arrow to extend the menu. + + +Disables personalized menus. -If you enable this setting, the system doesn't personalize menus. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users don't try to change the setting while a setting is in effect. +Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend the menu. + +- If you enable this setting, the system does not personalize menus. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users do not try to change the setting while a setting is in effect. > [!NOTE] > Personalized menus require user tracking. If you enable the "Turn off user tracking" setting, the system disables user tracking and personalized menus and ignores this setting. -To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" option. +> [!TIP] +> To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" option. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off personalized menus* -- GP name: *Intellimenus* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/LockTaskbar** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Intellimenus | +| Friendly Name | Turn off personalized menus | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | Intellimenus | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockTaskbar -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/LockTaskbar +``` + - - + + This setting affects the taskbar, which is used to switch between running applications. -The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it's locked, it can't be moved or resized. +The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it is locked, it cannot be moved or resized. -If you enable this setting, it prevents the user from moving or resizing the taskbar. While the taskbar is locked, auto-hide and other taskbar options are still available in Taskbar properties. +- If you enable this setting, it prevents the user from moving or resizing the taskbar. While the taskbar is locked, auto-hide and other taskbar options are still available in Taskbar properties. -If you disable this setting or don't configure it, the user can configure the taskbar position. +- If you disable this setting or do not configure it, the user can configure the taskbar position. > [!NOTE] -> Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user can't show and hide various toolbars using the taskbar context menu. +> Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user cannot show and hide various toolbars using the taskbar context menu. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Lock the Taskbar* -- GP name: *LockTaskbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/MemCheckBoxInRunDlg** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | LockTaskbar | +| Friendly Name | Lock the Taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | LockTaskbar | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MemCheckBoxInRunDlg -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/MemCheckBoxInRunDlg +``` + - - -This policy setting lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process. + + +Lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process. -All DOS and 16-bit programs run on Windows 2000 Professional and Windows XP Professional in the Windows Virtual DOS Machine program. VDM simulates a 16-bit environment, complete with the DLLs required by 16-bit programs. By default, all 16-bit programs run as threads in a single, shared VDM process. As such, they share the memory space allocated to the VDM process and can't run simultaneously. +All DOS and 16-bit programs run on Windows 2000 Professional and Windows XP Professional in the Windows Virtual DOS Machine program. VDM simulates a 16-bit environment, complete with the DLLs required by 16-bit programs. By default, all 16-bit programs run as threads in a single, shared VDM process. As such, they share the memory space allocated to the VDM process and cannot run simultaneously. -Enabling this setting adds a check box to the Run dialog box, giving users the option of running a 16-bit program in its own dedicated NTVDM process. The extra check box is enabled only when a user enters a 16-bit program in the Run dialog box. +Enabling this setting adds a check box to the Run dialog box, giving users the option of running a 16-bit program in its own dedicated NTVDM process. The additional check box is enabled only when a user enters a 16-bit program in the Run dialog box. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Add "Run in Separate Memory Space" check box to Run dialog box* -- GP name: *MemCheckBoxInRunDlg* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoAutoTrayNotify** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MemCheckBoxInRunDlg | +| Friendly Name | Add "Run in Separate Memory Space" check box to Run dialog box | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | MemCheckBoxInRunDlg | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoAutoTrayNotify -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoAutoTrayNotify +``` + - - + + This setting affects the notification area, also called the "system tray." The notification area is located in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications. This setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification cleanup << icon can be referred to as the "notification chevron." -If you enable this setting, the system notification area expands to show all of the notifications that use this area. +- If you enable this setting, the system notification area expands to show all of the notifications that use this area. -If you disable this setting, the system notification area will always collapse notifications. +- If you disable this setting, the system notification area will always collapse notifications. -If you don't configure it, the user can choose if they want notifications collapsed. +If you do not configure it, the user can choose if they want notifications collapsed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off notification area cleanup* -- GP name: *NoAutoTrayNotify* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoBalloonTip** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoAutoTrayNotify | +| Friendly Name | Turn off notification area cleanup | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoAutoTrayNotify | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoBalloonTip -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoBalloonTip +``` + - - -This policy setting hides pop-up text on the Start menu and in the notification area. + + +Hides pop-up text on the Start menu and in the notification area. When you hold the cursor over an item on the Start menu or in the notification area, the system displays pop-up text providing additional information about the object. -If you enable this setting, some of this pop-up text isn't displayed. The pop-up text affected by this setting includes "Click here to begin" on the Start button, "Where have all my programs gone" on the Start menu, and "Where have my icons gone" in the notification area. +- If you enable this setting, some of this pop-up text is not displayed. The pop-up text affected by this setting includes "Click here to begin" on the Start button, "Where have all my programs gone" on the Start menu, and "Where have my icons gone" in the notification area. -If you disable this setting or don't configure it, all pop-up text is displayed on the Start menu and in the notification area. +- If you disable this setting or do not configure it, all pop-up text is displayed on the Start menu and in the notification area. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Balloon Tips on Start Menu items* -- GP name: *NoBalloonTip* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoChangeStartMenu** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoBalloonTip | +| Friendly Name | Remove Balloon Tips on Start Menu items | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSMBalloonTip | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoChangeStartMenu -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoChangeStartMenu +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoChangeStartMenu +``` + + + + This policy setting allows you to prevent users from changing their Start screen layout. -If you enable this setting, you'll prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps. +- If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps. -If you disable or don't configure this setting, you'll allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps. +- If you disable or do not configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent users from customizing their Start Screen* -- GP name: *NoChangeStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoClose** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoChangeStartMenu | +| Friendly Name | Prevent users from customizing their Start Screen | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoChangeStartMenu | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoClose -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoClose +``` + - - -This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting doesn't prevent users from running Windows-based programs that perform these functions. + + +This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. -If you enable this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE. +- If you enable this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE. -If you disable or don't configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also available. +- If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also available. > [!NOTE] > Third-party programs certified as compatible with Microsoft Windows Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to support this policy setting. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands* -- GP name: *NoClose* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoCommonGroups** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoClose | +| Friendly Name | Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoClose | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoCommonGroups -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoCommonGroups +``` + - - -This policy setting removes items in the All Users profile from the Programs menu on the Start menu. + + +Removes items in the All Users profile from the Programs menu on the Start menu. -By default, the Programs menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's profile appear in the Programs menu. +By default, the Programs menu contains items from the All Users profile and items from the user's profile. +- If you enable this setting, only items in the user's profile appear in the Programs menu. -To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs. +> [!TIP] +> To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove common program groups from Start Menu* -- GP name: *NoCommonGroups* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoFavoritesMenu** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoCommonGroups | +| Friendly Name | Remove common program groups from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoCommonGroups | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoFavoritesMenu -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoFavoritesMenu +``` + - - -This policy setting prevents users from adding the Favorites menu to the Start menu or classic Start menu. + + +Prevents users from adding the Favorites menu to the Start menu or classic Start menu. -If you enable this setting, the Display Favorites item doesn't appear in the Advanced Start menu options box. +- If you enable this setting, the Display Favorites item does not appear in the Advanced Start menu options box. -If you disable or don't configure this setting, the Display Favorite item is available. +- If you disable or do not configure this setting, the Display Favorite item is available. + +> [!NOTE] +> The Favorites menu does not appear on the Start menu by default. To display the Favorites menu, right-click Start, click Properties, and then click Customize. If you are using Start menu, click the Advanced tab, and then, under Start menu items, click the Favorites menu. If you are using the classic Start menu, click Display Favorites under Advanced Start menu options. + +> [!NOTE] +> The items that appear in the Favorites menu when you install Windows are pre-configured by the system to appeal to most users. However, users can add and remove items from this menu, and system administrators can create a customized Favorites menu for a user group. > [!NOTE] -> The Favorites menu doesn't appear on the Start menu by default. To display the Favorites menu, right-click Start, click Properties, and then click Customize. If you are using Start menu, click the Advanced tab, and then, under Start menu items, click the Favorites menu. If you are using the classic Start menu, click Display Favorites under Advanced Start menu options. -> -> The items that appear in the Favorites menu when you install Windows are preconfigured by the system to appeal to most users. 
However, users can add and remove items from this menu, and system administrators can create a customized Favorites menu for a user group. -> > This setting only affects the Start menu. The Favorites item still appears in File Explorer and in Internet Explorer. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Favorites menu from Start Menu* -- GP name: *NoFavoritesMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoFind** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoFavoritesMenu | +| Friendly Name | Remove Favorites menu from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoFavoritesMenu | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoFind -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoFind +``` + - - -This policy setting allows you to remove the Search link from the Start menu, and disables some File Explorer search elements. This policy setting doesn't remove the search box from the new style Start menu. + + +This policy setting allows you to remove the Search link from the Start menu, and disables some File Explorer search elements. **Note** that this does not remove the search box from the new style Start menu. -If you enable this policy setting, the Search item is removed from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system doesn't respond when users press the Application key (the key with the Windows logo)+ F. +- If you enable this policy setting, the Search item is removed from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the key with the Windows logo)+ F. > [!NOTE] > Enabling this policy setting also prevents the user from using the F3 key. -In File Explorer, the Search item still appears on the Standard buttons toolbar, but the system doesn't respond when the user presses Ctrl+F. Also, Search doesn't appear in the context menu when you right-click an icon representing a drive or a folder. +In File Explorer, the Search item still appears on the Standard buttons toolbar, but the system does not respond when the user presses Ctrl+F. Also, Search does not appear in the context menu when you right-click an icon representing a drive or a folder. -This policy setting affects the specified user interface elements only. It doesn't affect Internet Explorer and doesn't prevent the user from using other methods to search. +This policy setting affects the specified user interface elements only. It does not affect Internet Explorer and does not prevent the user from using other methods to search. 
-If you disable or don't configure this policy setting, the Search link is available from the Start menu. +- If you disable or do not configure this policy setting, the Search link is available from the Start menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Search link from Start Menu* -- GP name: *NoFind* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoGamesFolderOnStartMenu** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoFind | +| Friendly Name | Remove Search link from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoFind | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoGamesFolderOnStartMenu -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoGamesFolderOnStartMenu +``` + - - -If you enable this policy, the start menu won't show a link to the Games folder. + + +- If you enable this policy the start menu will not show a link to the Games folder. -If you disable or don't configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel. +- If you disable or do not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Games link from Start Menu* -- GP name: *NoGamesFolderOnStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoHelp** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoGamesFolderOnStartMenu | +| Friendly Name | Remove Games link from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStartMenuMyGames | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoHelp -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoHelp +``` + - - + + This policy setting allows you to remove the Help command from the Start menu. -If you enable this policy setting, the Help command is removed from the Start menu. +- If you enable this policy setting, the Help command is removed from the Start menu. -If you disable or don't configure this policy setting, the Help command is available from the Start menu. +- If you disable or do not configure this policy setting, the Help command is available from the Start menu. -This policy setting only affects the Start menu. It doesn't remove the Help menu from File Explorer and doesn't prevent users from running Help. +This policy setting only affects the Start menu. It does not remove the Help menu from File Explorer and does not prevent users from running Help. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Help menu from Start Menu* -- GP name: *NoHelp* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoInstrumentation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoHelp | +| Friendly Name | Remove Help menu from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSMHelp | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoInstrumentation -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoInstrumentation +``` + - - + + This policy setting allows you to turn off user tracking. -If you enable this policy setting, the system doesn't track the programs that the user runs, and doesn't display frequently used programs in the Start Menu. +- If you enable this policy setting, the system does not track the programs that the user runs, and does not display frequently used programs in the Start Menu. -If you disable or don't configure this policy setting, the system tracks the programs that the user runs. The system uses this information to customize Windows features, such as showing frequently used programs in the Start Menu. +- If you disable or do not configure this policy setting, the system tracks the programs that the user runs. The system uses this information to customize Windows features, such as showing frequently used programs in the Start Menu. -Also, see these related policy settings: "Remove frequent programs list from the Start Menu" and "Turn off personalized menus". +Also, see these related policy settings: "Remove frequent programs liist from the Start Menu" and "Turn off personalized menus". -This policy setting doesn't prevent users from pinning programs to the Start Menu or Taskbar. See the "Remove pinned programs list from the Start Menu" and "Do not allow pinning programs to the Taskbar" policy settings. +This policy setting does not prevent users from pinning programs to the Start Menu or Taskbar. See the "Remove pinned programs list from the Start Menu" and "Do not allow pinning programs to the Taskbar" policy settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off user tracking* -- GP name: *NoInstrumentation* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoMoreProgramsList** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoInstrumentation | +| Friendly Name | Turn off user tracking | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoInstrumentation | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoMoreProgramsList -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoMoreProgramsList +``` - - -If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoMoreProgramsList +``` + -Selecting "Collapse" won't display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This selection of collapse is equivalent to setting the "Show app list in Start" in Settings to Off. + + +- If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu. -Selecting "Collapse and disable setting" will do the same as the collapse option and disable the "Show app list in Start menu" in Settings, so users can't turn it to On. +Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off. -Selecting "Remove and disable setting" will remove the all apps list from Start and disable the "Show app list in Start menu" in Settings, so users can't turn it to On. Select this option for compatibility with earlier versions of Windows. +Selecting "Collapse and disable setting" will do the same as the collapse option and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. -If you disable or don't configure this setting, the all apps list will be visible by default, and the user can change "Show app list in Start" in Settings. +Selecting "Remove and disable setting" will remove the all apps list from Start and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. Select this option for compatibility with earlier versions of Windows. 
- +- If you disable or do not configure this setting, the all apps list will be visible by default, and the user can change "Show app list in Start" in Settings. + + + + - -ADMX Info: -- GP Friendly name: *Remove All Programs list from the Start menu* -- GP name: *NoMoreProgramsList* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_StartMenu/NoNetAndDialupConnect** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoMoreProgramsList | +| Friendly Name | Remove All Programs list from the Start menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | StartMenu.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoNetAndDialupConnect -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoNetAndDialupConnect +``` + + + + This policy setting allows you to remove Network Connections from the Start Menu. -If you enable this policy setting, users are prevented from running Network Connections. +- If you enable this policy setting, users are prevented from running Network Connections. Enabling this policy setting prevents the Network Connections folder from opening. This policy setting also removes Network Connections from Settings on the Start menu. Network Connections still appears in Control Panel and in File Explorer, but if users try to start it, a message appears explaining that a setting prevents the action. -If you disable or don't configure this policy setting, Network Connections is available from the Start Menu. +- If you disable or do not configure this policy setting, Network Connections is available from the Start Menu. Also, see the "Disable programs on Settings menu" and "Disable Control Panel" policy settings and the policy settings in the Network Connections folder (Computer Configuration and User Configuration\Administrative Templates\Network\Network Connections). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Network Connections from Start Menu* -- GP name: *NoNetAndDialupConnect* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoPinnedPrograms** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoNetAndDialupConnect | +| Friendly Name | Remove Network Connections from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoNetworkConnections | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoPinnedPrograms -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoPinnedPrograms +``` + - - -If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users can't pin programs to the Start menu. + + +- If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu. In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize Start Menu' dialog. -If you disable this setting or don't configure it, the "Pinned Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu. +- If you disable this setting or do not configure it, the "Pinned Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove pinned programs list from the Start Menu* -- GP name: *NoPinnedPrograms* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoRecentDocsMenu** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoPinnedPrograms | +| Friendly Name | Remove pinned programs list from the Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStartMenuPinnedList | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoRecentDocsMenu -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoRecentDocsMenu +``` + - - -This policy setting removes the Recent Items menu from the Start menu. Removes the Documents menu from the classic Start menu. + + +Removes the Recent Items menu from the Start menu. Removes the Documents menu from the classic Start menu. The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that users can easily reopen their documents. -If you enable this setting, the system saves document shortcuts but doesn't display the Recent Items menu in the Start Menu, and users can't turn on the menu. +- If you enable this setting, the system saves document shortcuts but does not display the Recent Items menu in the Start Menu, and users cannot turn the menu on. If you later disable the setting, so that the Recent Items menu appears in the Start Menu, the document shortcuts saved before the setting was enabled and while it was in effect appear in the Recent Items menu. -When the setting is disabled, the Recent Items menu appears in the Start Menu, and users can't remove it. +When the setting is disabled, the Recent Items menu appears in the Start Menu, and users cannot remove it. -If the setting isn't configured, users can turn the Recent Items menu on and off. +If the setting is not configured, users can turn the Recent Items menu on and off. > [!NOTE] -> This setting doesn't prevent Windows programs from displaying shortcuts to recently opened documents. See the "Do not keep history of recently opened documents" setting. +> This setting does not prevent Windows programs from displaying shortcuts to recently opened documents. See the "Do not keep history of recently opened documents" setting. -This setting also doesn't hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. +This setting also does not hide document shortcuts displayed in the Open dialog box. 
See the "Hide the dropdown list of recent files" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Recent Items menu from Start Menu* -- GP name: *NoRecentDocsMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoResolveSearch** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoRecentDocsMenu | +| Friendly Name | Remove Recent Items menu from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoRecentDocsMenu | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoResolveSearch -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoResolveSearch +``` + - - + + This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut. -If you enable this policy setting, the system doesn't conduct the final drive search. It just displays a message explaining that the file isn't found. +- If you enable this policy setting, the system does not conduct the final drive search. It just displays a message explaining that the file is not found. -If you disable or don't configure this policy setting, by default, when the system can't find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path isn't correct, it conducts a comprehensive search of the target drive in an attempt to find the file. +- If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. > [!NOTE] -> This policy setting only applies to target files on NTFS partitions. FAT partitions don't have this ID tracking and search capability. +> This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the tracking-based method when resolving shell shortcuts" policy settings. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not use the search-based method when resolving shell shortcuts* -- GP name: *NoResolveSearch* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoResolveTrack** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoResolveSearch | +| Friendly Name | Do not use the search-based method when resolving shell shortcuts | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoResolveSearch | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoResolveTrack -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoResolveTrack +``` + - - + + This policy setting prevents the system from using NTFS tracking features to resolve a shortcut. -If you enable this policy setting, the system doesn't try to locate the file by using its file ID. It skips this step and begins a comprehensive search of the drive specified in the target path. +- If you enable this policy setting, the system does not try to locate the file by using its file ID. It skips this step and begins a comprehensive search of the drive specified in the target path. -If you disable or don't configure this policy setting, by default, when the system can't find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path isn't correct, it conducts a comprehensive search of the target drive in an attempt to find the file. +- If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. > [!NOTE] -> This policy setting only applies to target files on NTFS partitions. FAT partitions don't have this ID tracking and search capability. +> This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the search-based method when resolving shell shortcuts" policy settings. 
- + + + + - -ADMX Info: -- GP Friendly name: *Do not use the tracking-based method when resolving shell shortcuts* -- GP name: *NoResolveTrack* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_StartMenu/NoRun** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoResolveTrack | +| Friendly Name | Do not use the tracking-based method when resolving shell shortcuts | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoResolveTrack | +| ADMX File Name | StartMenu.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoRun -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoRun +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoRun +``` + + + + Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. -If you enable this setting, the following changes occur: +- If you enable this setting, the following changes occur: -1. The Run command is removed from the Start menu. +(1) The Run command is removed from the Start menu. -2. The New Task (Run) command is removed from Task Manager. +(2) The New Task (Run) command is removed from Task Manager. -3. The user will be blocked from entering the following into the Internet Explorer Address Bar: +(3) The user will be blocked from entering the following into the Internet Explorer Address Bar: - - A UNC path: `\\\` +--- A UNC path: \\``\\`` - - Accessing local drives: for example, C: +---Accessing local drives: e.g., C: - - Accessing local folders: for example, `\` +--- Accessing local folders: e.g., \temp> Also, users with extended keyboards will no longer be able to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R. -If you disable or don't configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer Address Bar. +- If you disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer Address Bar. > [!NOTE] -> This setting affects the specified interface only. It doesn't prevent users from using other methods to run programs. -> -> It's a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. +> This setting affects the specified interface only. It does not prevent users from using other methods to run programs. 
- +> [!NOTE] +> It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + + + + - -ADMX Info: -- GP Friendly name: *Remove Run menu from Start Menu* -- GP name: *NoRun* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_StartMenu/NoSMConfigurePrograms** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoRun | +| Friendly Name | Remove Run menu from Start Menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoRun | +| ADMX File Name | StartMenu.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoSearchCommInStartMenu -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSearchCommInStartMenu +``` + + + + +- If you enable this policy the start menu search box will not search for communications. + +- If you disable or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSearchCommInStartMenu | +| Friendly Name | Do not search communications | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSearchCommInStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSearchComputerLinkInStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSearchComputerLinkInStartMenu +``` + + + + +- If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box. + +- If you disable or do not configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSearchComputerLinkInStartMenu | +| Friendly Name | Remove Search Computer link | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSearchComputerLinkInStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSearchEverywhereLinkInStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu +``` + + + + +- If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. + +- If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSearchEverywhereLinkInStartMenu | +| Friendly Name | Remove See More Results / Search Everywhere link | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoSearchEverywhereLinkInStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSearchFilesInStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSearchFilesInStartMenu +``` + + + + +- If you enable this policy setting the Start menu search box will not search for files. + +- If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. +- If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSearchFilesInStartMenu | +| Friendly Name | Do not search for files | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSearchFilesInStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSearchInternetInStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSearchInternetInStartMenu +``` + + + + +- If you enable this policy the start menu search box will not search for internet history or favorites. + +- If you disable or do not configure this policy, the start menu will search for for internet history or favorites, unless the user chooses not to in the start menu control panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSearchInternetInStartMenu | +| Friendly Name | Do not search Internet | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSearchInternetInStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSearchProgramsInStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSearchProgramsInStartMenu +``` + + + + +- If you enable this policy setting the Start menu search box will not search for programs or Control Panel items. + +- If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSearchProgramsInStartMenu | +| Friendly Name | Do not search programs and Control Panel items | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSearchProgramsInStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSetFolders + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSetFolders +``` + + + + +This policy setting allows you to remove programs on Settings menu. + +- If you enable this policy setting, the Control Panel, Printers, and Network and Connection folders are removed from Settings on the Start menu, and from Computer and File Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running. + +However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to start Display or right-clicking Computer to start System. + +- If you disable or do not configure this policy setting, the Control Panel, Printers, and Network and Connection folders from Settings are available on the Start menu, and from Computer and File Explorer. + +Also, see the "Disable Control Panel," "Disable Display in Control Panel," and "Remove Network Connections from Start Menu" policy settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSetFolders | +| Friendly Name | Remove programs on Settings menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSetFolders | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSetTaskbar + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSetTaskbar +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSetTaskbar +``` + + + + +This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. + +- If you enable this policy setting, The user will be prevented from opening the Taskbar Properties dialog box. + +If the user right-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action. + +- If you disable or do not configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSetTaskbar | +| Friendly Name | Prevent changes to Taskbar and Start Menu Settings | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSetTaskbar | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSMConfigurePrograms + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSMConfigurePrograms +``` + + + + This policy setting allows you to remove the Default Programs link from the Start menu. -If you enable this policy setting, the Default Programs link is removed from the Start menu. +- If you enable this policy setting, the Default Programs link is removed from the Start menu. Clicking the Default Programs link from the Start menu opens the Default Programs control panel and provides administrators the ability to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. -If you disable or don't configure this policy setting, the Default Programs link is available from the Start menu. +- If you disable or do not configure this policy setting, the Default Programs link is available from the Start menu. > [!NOTE] -> This policy setting doesn't prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel. +> This policy setting does not prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Default Programs link from the Start menu.* -- GP name: *NoSMConfigurePrograms* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoSMMyDocuments** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoSMConfigurePrograms | +| Friendly Name | Remove Default Programs link from the Start menu. | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSMConfigurePrograms | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoSMMyDocuments -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSMMyDocuments +``` + - - + + This policy setting allows you to remove the Documents icon from the Start menu and its submenus. -If you enable this policy setting, the Documents icon is removed from the Start menu and its submenus. Enabling this policy setting only removes the icon. It doesn't prevent the user from using other methods to gain access to the contents of the Documents folder. +- If you enable this policy setting, the Documents icon is removed from the Start menu and its submenus. Enabling this policy setting only removes the icon. It does not prevent the user from using other methods to gain access to the contents of the Documents folder. > [!NOTE] > To make changes to this policy setting effective, you must log off and then log on. -If you disable or don't configure this policy setting, the Documents icon is available from the Start menu. +- If you disable or do not configure this policy setting, he Documents icon is available from the Start menu. Also, see the "Remove Documents icon on the desktop" policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Documents icon from Start Menu* -- GP name: *NoSMMyDocuments* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoSMMyMusic** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoSMMyDocuments | +| Friendly Name | Remove Documents icon from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSMMyDocs | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoSMMyMusic -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSMMyMusic +``` + - - + + This policy setting allows you to remove the Music icon from Start Menu. -If you enable this policy setting, the Music icon is no longer available from Start Menu. +- If you enable this policy setting, the Music icon is no longer available from Start Menu. -If you disable or don't configure this policy setting, the Music icon is available from Start Menu. +- If you disable or do not configure this policy setting, the Music icon is available from Start Menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Music icon from Start Menu* -- GP name: *NoSMMyMusic* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoSMMyNetworkPlaces** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoSMMyMusic | +| Friendly Name | Remove Music icon from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStartMenuMyMusic | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoSMMyNetworkPlaces -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSMMyNetworkPlaces +``` + - - + + This policy setting allows you to remove the Network icon from Start Menu. -If you enable this policy setting, the Network icon is no longer available from Start Menu. +- If you enable this policy setting, the Network icon is no longer available from Start Menu. -If you disable or don't configure this policy setting, the Network icon is available from Start Menu. +- If you disable or do not configure this policy setting, the Network icon is available from Start Menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Network icon from Start Menu* -- GP name: *NoSMMyNetworkPlaces* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoSMMyPictures** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoSMMyNetworkPlaces | +| Friendly Name | Remove Network icon from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStartMenuNetworkPlaces | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoSMMyPictures -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSMMyPictures +``` + - - + + This policy setting allows you to remove the Pictures icon from Start Menu. -If you enable this policy setting, the Pictures icon is no longer available from Start Menu. - -If you disable or don't configure this policy setting, the Pictures icon is available from Start Menu. - - - - - -ADMX Info: -- GP Friendly name: *Remove Pictures icon from Start Menu* -- GP name: *NoSMMyPictures* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSearchCommInStartMenu** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -If you enable this policy, the start menu search box won't search for communications. - -If you disable or don't configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel. - - - - - -ADMX Info: -- GP Friendly name: *Do not search communications* -- GP name: *NoSearchCommInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSearchComputerLinkInStartMenu** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -If you enable this policy, the "See all results" link won't be shown when the user performs a search in the start menu search box. - -If you disable or don't configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box. - - - - - -ADMX Info: -- GP Friendly name: *Remove Search Computer link* -- GP name: *NoSearchComputerLinkInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -If you enable this policy, a "See more results" / "Search Everywhere" link won't be shown when the user performs a search in the start menu search box. - -If you disable or don't configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a third-party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link. - - - - - -ADMX Info: -- GP Friendly name: *Remove See More Results / Search Everywhere link* -- GP name: *NoSearchEverywhereLinkInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSearchFilesInStartMenu** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -If you enable this policy setting, the Start menu search box won't search for files. - -If you disable or don't configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. If you enable this policy, a "See more results" / "Search Everywhere" link won't be shown when the user performs a search in the start menu search box. - - - - - -ADMX Info: -- GP Friendly name: *Do not search for files* -- GP name: *NoSearchFilesInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSearchInternetInStartMenu** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -If you enable this policy, the start menu search box won't search for internet history or favorites. - -If you disable or don't configure this policy, the start menu will search for internet history or favorites, unless the user chooses not to in the start menu control panel. - - - - - -ADMX Info: -- GP Friendly name: *Do not search Internet* -- GP name: *NoSearchInternetInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSearchProgramsInStartMenu** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -If you enable this policy setting, the Start menu search box won't search for programs or Control Panel items. - -If you disable or don't configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel. - - - - - -ADMX Info: -- GP Friendly name: *Do not search programs and Control Panel items* -- GP name: *NoSearchProgramsInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSetFolders** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to remove programs on Settings menu. - -If you enable this policy setting, the Control Panel, Printers, and Network and Connection folders are removed from Settings on the Start menu, and from Computer and File Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running. - -However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to start Display or right-clicking Computer to start System. - -If you disable or don't configure this policy setting, the Control Panel, Printers, and Network and Connection folders from Settings are available on the Start menu, and from Computer and File Explorer. - -Also, see the "Disable Control Panel," "Disable Display in Control Panel," and "Remove Network Connections from Start Menu" policy settings. - - - - - -ADMX Info: -- GP Friendly name: *Remove programs on Settings menu* -- GP name: *NoSetFolders* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSetTaskbar** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. - -If you enable this policy setting, The user will be prevented from opening the Taskbar Properties dialog box. - -If the user right-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action. - -If you disable or don't configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu. - - - - - -ADMX Info: -- GP Friendly name: *Prevent changes to Taskbar and Start Menu Settings* -- GP name: *NoSetTaskbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoStartMenuDownload** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - +- If you enable this policy setting, the Pictures icon is no longer available from Start Menu. + +- If you disable or do not configure this policy setting, the Pictures icon is available from Start Menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSMMyPictures | +| Friendly Name | Remove Pictures icon from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSMMyPictures | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoStartMenuDownload + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoStartMenuDownload +``` + + + + This policy setting allows you to remove the Downloads link from the Start Menu. -If you enable this policy setting, the Start Menu doesn't show a link to the Downloads folder. +- If you enable this policy setting, the Start Menu does not show a link to the Downloads folder. -If you disable or don't configure this policy setting, the Downloads link is available from the Start Menu. +- If you disable or do not configure this policy setting, the Downloads link is available from the Start Menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Downloads link from Start Menu* -- GP name: *NoStartMenuDownload* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoStartMenuHomegroup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoStartMenuDownload | +| Friendly Name | Remove Downloads link from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoStartMenuDownloads | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoStartMenuHomegroup -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoStartMenuHomegroup +``` + - - -If you enable this policy, the Start menu won't show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users can't add the homegroup link to the Start Menu. + + +- If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu. -If you disable or don't configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu. +- If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Homegroup link from Start Menu* -- GP name: *NoStartMenuHomegroup* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoStartMenuRecordedTV** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoStartMenuHomegroup | +| Friendly Name | Remove Homegroup link from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoStartMenuHomegroup | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoStartMenuRecordedTV -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoStartMenuRecordedTV +``` + - - + + This policy setting allows you to remove the Recorded TV link from the Start Menu. -If you enable this policy setting, the Start Menu doesn't show a link to the Recorded TV library. +- If you enable this policy setting, the Start Menu does not show a link to the Recorded TV library. -If you disable or don't configure this policy setting, the Recorded TV link is available from the Start Menu. +- If you disable or do not configure this policy setting, the Recorded TV link is available from the Start Menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Recorded TV link from Start Menu* -- GP name: *NoStartMenuRecordedTV* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoStartMenuSubFolders** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoStartMenuRecordedTV | +| Friendly Name | Remove Recorded TV link from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoStartMenuRecordedTV | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoStartMenuSubFolders -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoStartMenuSubFolders +``` + - - + + Hides all folders on the user-specific (top) section of the Start menu. Other items appear, but folders are hidden. This setting is designed for use with redirected folders. Redirected folders appear on the main (bottom) section of the Start menu. However, the original, user-specific version of the folder still appears on the top section of the Start menu. Because the appearance of two folders with the same name might confuse users, you can use this setting to hide user-specific folders. -This setting hides all user-specific folders, not just those folders associated with redirected folders. +**Note** that this setting hides all user-specific folders, not just those associated with redirected folders. -If you enable this setting, no folders appear on the top section of the Start menu. If users add folders to the Start Menu directory in their user profiles, the folders appear in the directory but not on the Start menu. +- If you enable this setting, no folders appear on the top section of the Start menu. If users add folders to the Start Menu directory in their user profiles, the folders appear in the directory but not on the Start menu. -If you disable this setting or don't configure it, Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu. +- If you disable this setting or do not configured it, Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove user's folders from the Start Menu* -- GP name: *NoStartMenuSubFolders* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoStartMenuVideos** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoStartMenuSubFolders | +| Friendly Name | Remove user's folders from the Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStartMenuSubFolders | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoStartMenuVideos -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoStartMenuVideos +``` + - - + + This policy setting allows you to remove the Videos link from the Start Menu. -If you enable this policy setting, the Start Menu doesn't show a link to the Videos library. +- If you enable this policy setting, the Start Menu does not show a link to the Videos library. -If you disable or don't configure this policy setting, the Videos link is available from the Start Menu. +- If you disable or do not configure this policy setting, the Videos link is available from the Start Menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Videos link from Start Menu* -- GP name: *NoStartMenuVideos* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoStartPage** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoStartMenuVideos | +| Friendly Name | Remove Videos link from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoStartMenuVideos | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoStartPage -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoStartPage +``` + - - + + This setting affects the presentation of the Start menu. -The classic Start menu in Windows allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly. +The classic Start menu in Windows 2000 Professional allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly. -If you enable this setting, the Start menu displays the classic Start menu and displays the standard desktop icons. +- If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons. -If you disable this setting, the Start menu only displays in the new style, meaning the desktop icons are now on the Start page. +- If you disable this setting, the Start menu only displays in the new style, meaning the desktop icons are now on the Start page. -If you don't configure this setting, the default is the new style, and the user can change the view. +- If you do not configure this setting, the default is the new style, and the user can change the view. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Force classic Start Menu* -- GP name: *NoStartPage* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoTaskBarClock** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoStartPage | +| Friendly Name | Force classic Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSimpleStartMenu | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoTaskBarClock -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTaskBarClock +``` + - - + + Prevents the clock in the system notification area from being displayed. -If you enable this setting, the clock won't be displayed in the system notification area. +- If you enable this setting, the clock will not be displayed in the system notification area. -If you disable or don't configure this setting, the default behavior of the clock appearing in the notification area will occur. +- If you disable or do not configure this setting, the default behavior of the clock appearing in the notification area will occur. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Clock from the system notification area* -- GP name: *NoTaskBarClock* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoTaskGrouping** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoTaskBarClock | +| Friendly Name | Remove Clock from the system notification area | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | HideClock | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoTaskGrouping -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTaskGrouping +``` + - - + + This setting affects the taskbar buttons used to switch between running programs. Taskbar grouping consolidates similar applications when there is no room on the taskbar. It kicks in when the user's taskbar is full. -If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled. +- If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled. -If you disable or don't configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping, if they choose. +If you disable or do not configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent grouping of taskbar items* -- GP name: *NoTaskGrouping* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoToolbarsOnTaskbar** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoTaskGrouping | +| Friendly Name | Prevent grouping of taskbar items | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoTaskGrouping | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoToolbarsOnTaskbar -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoToolbarsOnTaskbar +``` + - - + + This setting affects the taskbar. The taskbar includes the Start button, buttons for currently running tasks, custom toolbars, the notification area, and the system clock. Toolbars include Quick Launch, Address, Links, Desktop, and other custom toolbars created by the user or by an application. -If this setting is enabled, the taskbar doesn't display any custom toolbars, and the user can't add any custom toolbars to the taskbar. Moreover, the "Toolbars" menu command and submenu are removed from the context menu. The taskbar displays only the Start button, taskbar buttons, the notification area, and the system clock. +- If this setting is enabled, the taskbar does not display any custom toolbars, and the user cannot add any custom toolbars to the taskbar. Moreover, the "Toolbars" menu command and submenu are removed from the context menu. The taskbar displays only the Start button, taskbar buttons, the notification area, and the system clock. -If this setting is disabled or isn't configured, the taskbar displays all toolbars. Users can add or remove custom toolbars, and the "Toolbars" command appears in the context menu. +- If this setting is disabled or is not configured, the taskbar displays all toolbars. Users can add or remove custom toolbars, and the "Toolbars" command appears in the context menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not display any custom toolbars in the taskbar* -- GP name: *NoToolbarsOnTaskbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoTrayContextMenu** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoToolbarsOnTaskbar | +| Friendly Name | Do not display any custom toolbars in the taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoToolbarsOnTaskbar | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoTrayContextMenu -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTrayContextMenu +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTrayContextMenu +``` + + + + This policy setting allows you to remove access to the context menus for the taskbar. -If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. +- If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. -If you disable or don't configure this policy setting, the context menus for the taskbar are available. +- If you disable or do not configure this policy setting, the context menus for the taskbar are available. -This policy setting doesn't prevent users from using other methods to issue the commands that appear on these menus. +This policy setting does not prevent users from using other methods to issue the commands that appear on these menus. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove access to the context menus for the taskbar* -- GP name: *NoTrayContextMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoTrayItemsDisplay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoTrayContextMenu | +| Friendly Name | Remove access to the context menus for the taskbar | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoTrayContextMenu | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoTrayItemsDisplay -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTrayItemsDisplay +``` + - - + + This setting affects the notification area (previously called the "system tray") on the taskbar. -The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock. +Description: The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock. -If this setting is enabled, the user’s entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the system clock. +- If this setting is enabled, the user's entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the system clock. -If this setting is disabled or isn't configured, the notification area is shown in the user's taskbar. +- If this setting is disabled or is not configured, the notification area is shown in the user's taskbar. > [!NOTE] > Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidden, there is no need to clean up the icons. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide the notification area* -- GP name: *NoTrayItemsDisplay* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/NoUninstallFromStart** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoTrayItemsDisplay | +| Friendly Name | Hide the notification area | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoTrayItemsDisplay | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoUninstallFromStart -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUninstallFromStart +``` - - -If you enable this setting, users can't uninstall apps from Start. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUninstallFromStart +``` + -If you disable this setting or don't configure it, users can access the uninstall command from Start. + + +- If you enable this setting, users cannot uninstall apps from Start. - +- If you disable this setting or do not configure it, users can access the uninstall command from Start + + + + - -ADMX Info: -- GP Friendly name: *Prevent users from uninstalling applications from Start* -- GP name: *NoUninstallFromStart* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_StartMenu/NoUserFolderOnStartMenu** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoUninstallFromStart | +| Friendly Name | Prevent users from uninstalling applications from Start | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoUninstallFromStart | +| ADMX File Name | StartMenu.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoUserFolderOnStartMenu -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -If you enable this policy, the start menu won't show a link to the user's storage folder. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUserFolderOnStartMenu +``` + -If you disable or don't configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel. + + +- If you enable this policy the start menu will not show a link to the user's storage folder. - +- If you disable or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel. + + + + - -ADMX Info: -- GP Friendly name: *Remove user folder link from Start Menu* -- GP name: *NoUserFolderOnStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_StartMenu/NoUserNameOnStartMenu** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoUserFolderOnStartMenu | +| Friendly Name | Remove user folder link from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoUserFolderInStartMenu | +| ADMX File Name | StartMenu.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoUserNameOnStartMenu -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting allows you to remove the user name label from the Start Menu. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUserNameOnStartMenu +``` + -If you enable this policy setting, the user name label is removed from the Start Menu. + + +This policy setting allows you to remove the user name label from the Start Menu in Windows XP and Windows Server 2003. -If you disable or don't configure this policy setting, the user name label appears on the Start Menu. +- If you enable this policy setting, the user name label is removed from the Start Menu in Windows XP and Windows Server 2003. - +To remove the user name folder on Windows Vista, set the "Remove user folder link from Start Menu" policy setting. +- If you disable or do not configure this policy setting, the user name label appears on the Start Menu in Windows XP and Windows Server 2003. + - -ADMX Info: -- GP Friendly name: *Remove user name from Start Menu* -- GP name: *NoUserNameOnStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_StartMenu/NoWindowsUpdate** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NoUserNameOnStartMenu | +| Friendly Name | Remove user name from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoUserNameInStartMenu | +| ADMX File Name | StartMenu.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## NoWindowsUpdate - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoWindowsUpdate +``` + + + + This policy setting allows you to remove links and access to Windows Update. -If you enable this policy setting, users are prevented from connecting to the Windows Update Web site. +- If you enable this policy setting, users are prevented from connecting to the Windows Update Web site. -Enabling this policy setting blocks user access to the Windows Update Web site at https://windowsupdate.microsoft.com. Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. +Enabling this policy setting blocks user access to the Windows Update Web site at . Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. -Windows Update, the online extension of Windows, offers software updates to keep a user’s system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need, newest versions of which are displayed for download. +Windows Update, the online extension of Windows, offers software updates to keep a user's system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download. -If you disable or don't configure this policy setting, the Windows Update hyperlink is available from the Start menu and from the Tools menu in Internet Explorer. +- If you disable or do not configure this policy setting, the Windows Update hyperlink is available from the Start menu and from the Tools menu in Internet Explorer. Also, see the "Hide the "Add programs from Microsoft" option" policy setting. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove links and access to Windows Update* -- GP name: *NoWindowsUpdate* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/PowerButtonAction** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoWindowsUpdate | +| Friendly Name | Remove links and access to Windows Update | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoWindowsUpdate | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PowerButtonAction -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/PowerButtonAction +``` + - - + + Set the default action of the power button on the Start menu. -If you enable this setting, the Start Menu will set the power button to the chosen action, and not let the user change this action. +- If you enable this setting, the Start Menu will set the power button to the chosen action, and not let the user change this action. -If you set the button to either Sleep or Hibernate, and that state isn't supported on a computer, then the button will fall back to Shut Down. +If you set the button to either Sleep or Hibernate, and that state is not supported on a computer, then the button will fall back to Shut Down. -If you disable or don't configure this setting, the Start Menu power button will be set to Shut Down by default, and the user can change this setting to another action. +- If you disable or do not configure this setting, the Start Menu power button will be set to Shut Down by default, and the user can change this setting to another action. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Change Start Menu power button* -- GP name: *PowerButtonAction* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/QuickLaunchEnabled** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PowerButtonAction | +| Friendly Name | Change Start Menu power button | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## QuickLaunchEnabled -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/QuickLaunchEnabled +``` + - - + + This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar. -If you enable this policy setting, the QuickLaunch bar will be visible and can't be turned off. +- If you enable this policy setting, the QuickLaunch bar will be visible and cannot be turned off. -If you disable this policy setting, the QuickLaunch bar will be hidden and can't be turned on. +- If you disable this policy setting, the QuickLaunch bar will be hidden and cannot be turned on. -If you don't configure this policy setting, then users will be able to turn the QuickLaunch bar on and off. +- If you do not configure this policy setting, then users will be able to turn the QuickLaunch bar on and off. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Show QuickLaunch on Taskbar* -- GP name: *QuickLaunchEnabled* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/RemoveUnDockPCButton** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | QuickLaunchEnabled | +| Friendly Name | Show QuickLaunch on Taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | QuickLaunchEnabled | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RemoveUnDockPCButton -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/RemoveUnDockPCButton +``` + - - -If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC can't be undocked. + + +- If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked. -If you disable this setting or don't configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked. +- If you disable this setting or do not configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove the "Undock PC" button from the Start Menu* -- GP name: *RemoveUnDockPCButton* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/ShowAppsViewOnStart** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RemoveUnDockPCButton | +| Friendly Name | Remove the "Undock PC" button from the Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStartMenuEjectPC | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShowAppsViewOnStart -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ShowAppsViewOnStart +``` + - - + + This policy setting allows the Apps view to be opened by default when the user goes to Start. -If you enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the Apps view and the Start screen. +- If you enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the Apps view and the Start screen. -If you disable or don’t configure this policy setting, the Start screen will appear by default whenever the user goes to Start, and the user will be able to switch between the Apps view and the Start screen. Also, the user will be able to configure this setting. +- If you disable or don't configure this policy setting, the Start screen will appear by default whenever the user goes to Start, and the user will be able to switch between the Apps view and the Start screen. Also, the user will be able to configure this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Show the Apps view automatically when the user goes to Start* -- GP name: *ShowAppsViewOnStart* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/ShowRunAsDifferentUserInStart** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShowAppsViewOnStart | +| Friendly Name | Show the Apps view automatically when the user goes to Start | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowAppsViewOnStart | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShowRunAsDifferentUserInStart -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ShowRunAsDifferentUserInStart +``` + - - + + This policy setting shows or hides the "Run as different user" command on the Start application bar. -If you enable this setting, users can access the "Run as different user" command from Start for applications that support this functionality. +- If you enable this setting, users can access the "Run as different user" command from Start for applications which support this functionality. -If you disable this setting or don't configure it, users can't access the "Run as different user" command from Start for any applications. +- If you disable this setting or do not configure it, users cannot access the "Run as different user" command from Start for any applications. > [!NOTE] -> This setting doesn't prevent users from using other methods, such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" command. +> This setting does not prevent users from using other methods, such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" command. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Show "Run as different user" command on Start* -- GP name: *ShowRunAsDifferentUserInStart* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/ShowRunInStartMenu** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShowRunAsDifferentUserInStart | +| Friendly Name | Show "Run as different user" command on Start | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowRunAsDifferentUserInStart | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShowRunInStartMenu -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ShowRunInStartMenu +``` + - - -If you enable this setting, the Run command is added to the Start menu. + + +- If you enable this setting, the Run command is added to the Start menu. +- If you disable or do not configure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect. + -If you disable or don't configure this setting, the Run command isn't visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. + + + -If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Add the Run command to the Start Menu* -- GP name: *ShowRunInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | ShowRunInStartMenu | +| Friendly Name | Add the Run command to the Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ForceRunOnStartMenu | +| ADMX File Name | StartMenu.admx | + - -**ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## ShowStartOnDisplayWithForegroundOnWinKey - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey +``` + -> [!div class = "checklist"] -> * User + + +This policy setting allows the Start screen to appear on the display the user is using when they press the Windows logo key. This setting only applies to users who are using multiple displays. -
    +- If you enable this policy setting, the Start screen will appear on the display the user is using when they press the Windows logo key. - - +- If you disable or don't configure this policy setting, the Start screen will always appear on the main display when the user presses the Windows logo key. Users will still be able to open Start on other displays by pressing the Start button on that display. Also, the user will be able to configure this setting. + + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Show Start on the display the user is using when they press the Windows logo key* -- GP name: *ShowStartOnDisplayWithForegroundOnWinKey* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_StartMenu/StartMenuLogOff** +| Name | Value | +|:--|:--| +| Name | ShowStartOnDisplayWithForegroundOnWinKey | +| Friendly Name | Show Start on the display the user is using when they press the Windows logo key | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowStartOnDisplayWithForegroundOnWinKey | +| ADMX File Name | StartMenu.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## StartMenuLogOff - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/StartMenuLogOff +``` + -
    + + +This policy setting allows you to removes the "Log Off ``" item from the Start menu and prevents users from restoring it. - - -This policy setting allows you to remove the "Log Off ``" item from the Start menu and prevents users from restoring it. +- If you enable this policy setting, the Log Off `` item does not appear in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot restore the Log Off `` item to the Start Menu. -If you enable this policy setting, the Log Off `` item doesn't appear in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result, users can't restore the Log Off `` item to the Start Menu. +- If you disable or do not configure this policy setting, users can use the Display Logoff item to add and remove the Log Off item. -If you disable or don't configure this policy setting, users can use the Display Logoff item to add and remove the Log Off item. - -This policy setting affects the Start menu only. It doesn't affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del, and it doesn't prevent users from using other methods to sign out. +This policy setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del, and it does not prevent users from using other methods to log off. > [!TIP] > To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff. See also: "Remove Logoff" policy setting in User Configuration\Administrative Templates\System\Logon/Logoff. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Logoff on the Start Menu* -- GP name: *StartMenuLogOff* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_StartMenu/StartPinAppsWhenInstalled** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | StartMenuLogOff | +| Friendly Name | Remove Logoff on the Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | StartMenuLogOff | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## StartPinAppsWhenInstalled -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/StartPinAppsWhenInstalled +``` - - -This policy setting allows pinning apps to Start by default, when they're included by AppID on the list. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/StartPinAppsWhenInstalled +``` + - + + +This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. + + + + - -ADMX Info: -- GP Friendly name: *Pin Apps to Start when installed* -- GP name: *StartPinAppsWhenInstalled* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | StartPinAppsWhenInstalled | +| Friendly Name | Pin Apps to Start when installed | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | StartPinAppsWhenInstalled | +| ADMX File Name | StartMenu.admx | + + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md index 7711aaec84..1880514363 100644 --- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md +++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md 
@@ -1,94 +1,102 @@
 ---
-title: Policy CSP - ADMX_SystemRestore
-description: Learn about Policy CSP - ADMX_SystemRestore.
+title: ADMX_SystemRestore Policy CSP
+description: Learn more about the ADMX_SystemRestore Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/09/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 11/13/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - ADMX_SystemRestore
+
 > [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
    + + + - -## ADMX_SystemRestore policies + +## SR_DisableConfig -
    -
    - ADMX_SystemRestore/SR_DisableConfig -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SystemRestore/SR_DisableConfig +``` + -
    + + +Allows you to disable System Restore configuration through System Protection. - -**ADMX_SystemRestore/SR_DisableConfig** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to disable System Restore configuration through System Protection. +This policy setting allows you to turn off System Restore configuration through System Protection. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. The behavior of this policy setting depends on the "Turn off System Restore" policy setting. -If you enable this policy setting, the option to configure System Restore through System Protection is disabled. +- If you enable this policy setting, the option to configure System Restore through System Protection is disabled. -If you disable or do not configure this policy setting, users can change the System Restore settings through System Protection. +- If you disable or do not configure this policy setting, users can change the System Restore settings through System Protection. Also, see the "Turn off System Restore" policy setting. If the "Turn off System Restore" policy setting is enabled, the "Turn off System Restore configuration" policy setting is overwritten. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Configuration* -- GP name: *SR_DisableConfig* -- GP path: *System\System Restore* -- GP ADMX file name: *SystemRestore.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | SR_DisableConfig | +| Friendly Name | Turn off Configuration | +| Location | Computer Configuration | +| Path | System > System Restore | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\SystemRestore | +| Registry Value Name | DisableConfig | +| ADMX File Name | SystemRestore.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md index b8297ea689..b83e3d74c0 100644 --- a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md @@ -1,10 +1,10 @@ --- title: ADMX_TabletPCInputPanel Policy CSP -description: Learn more about the ADMX_TabletPCInputPanel Area in Policy CSP +description: Learn more about the ADMX_TabletPCInputPanel Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_TabletPCInputPanel > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,506 +25,6 @@ ms.topic: reference - -## AutoComplete_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/AutoComplete_2 -``` - - - -Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available. - -Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting on the Text completion tab in Input Panel Options. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | AutoComplete | -| Friendly Name | Turn off AutoComplete integration with Input Panel | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | DisableACIntegration | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - - -## EdgeTarget_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/EdgeTarget_2 -``` - - - -Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. - -Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. - -Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | EdgeTarget | -| Friendly Name | Prevent Input Panel tab from appearing | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | DisableEdgeTarget | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - - -## IPTIPTarget_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTarget_2 -``` - - - -Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when using a tablet pen as an input device. - -Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy, Input Panel will never appear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. - -Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel. 
- - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | IPTIPTarget | -| Friendly Name | For tablet pen input, don’t show the Input Panel icon | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | HideIPTIPTarget | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - - -## IPTIPTouchTarget_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTouchTarget_2 -``` - - - -Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when a user is using touch input. - -Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy, Input Panel will never appear next to any text entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | IPTIPTouchTarget | -| Friendly Name | For touch input, don’t show the Input Panel icon | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | HideIPTIPTouchTarget | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - - -## PasswordSecurity_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/PasswordSecurity_2 -``` - - - -Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when entering a password. - -Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy and choose “Low” from the drop-down box, password security is set to “Low.” At this setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you enable this policy and choose “Medium-Low” from the drop-down box, password security is set to “Medium-Low.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you enable this policy and choose “Medium” from the drop-down box, password security is set to “Medium.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. 
- -If you enable this policy and choose to “Medium-High” from the drop-down box, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you enable this policy and choose “High” from the drop-down box, password security is set to “High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, password security is set to “Medium-High” by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista. - -Caution: If you lower password security settings, people who can see the user’s screen might be able to see their passwords. 
- - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PasswordSecurity | -| Friendly Name | Turn off password security in Input Panel | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | PasswordSecurityState | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - - -## Prediction_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/Prediction_2 -``` - - - -Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab when the feature is available for the current input area and input language. - -Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Windows Vista. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | EnablePrediction | -| Friendly Name | Disable text prediction | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | DisablePrediction | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - - -## RareChar_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/RareChar_2 -``` - - - -Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input languages or keyboards are installed. - -Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy, rarely used Chinese, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista). 
- - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | RareChar | -| Friendly Name | Include rarely used Chinese, Kanji, or Hanja characters | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | IncludeRareChar | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - - -## ScratchOut_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/ScratchOut_2 -``` - - - -Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. - -The tolerant gestures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. - -Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy and choose “All” from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you enable this policy and choose “Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you enable this policy and choose “None,” users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options. 
- - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | ScratchOut | -| Friendly Name | Turn off tolerant and Z-shaped scratch-out gestures | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | ScratchOutState | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - ## AutoComplete_1 
@@ -543,15 +41,16 @@ If you do not configure this policy, users will be able to use both the tolerant + Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. -If you enable this policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you disable this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you disable this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you do not configure this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting on the Text completion tab in Input Panel Options. +- If you do not configure this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting on the Text completion tab in Input Panel Options. 
@@ -568,11 +67,14 @@ If you do not configure this policy, application auto complete lists will appear +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | |:--|:--| -| Name | AutoComplete | +| Name | AutoComplete_1 | | Friendly Name | Turn off AutoComplete integration with Input Panel | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Input Panel | @@ -587,6 +89,70 @@ If you do not configure this policy, application auto complete lists will appear + +## AutoComplete_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/AutoComplete_2 +``` + + + + +Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +- If you enable this policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you disable this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you do not configure this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting on the Text completion tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoComplete_2 | +| Friendly Name | Turn off AutoComplete integration with Input Panel | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisableACIntegration | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + ## EdgeTarget_1 
@@ -603,17 +169,19 @@ If you do not configure this policy, application auto complete lists will appear + Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. -If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. +- If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. -Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel. 
+> [!CAUTION] +> If you enable both the "Prevent Input Panel from appearing next to text entry areas" policy and the "Prevent Input Panel tab from appearing" policy, and disable the "Show Input Panel taskbar icon" policy, the user will then have no way to access Input Panel. @@ -630,11 +198,14 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | |:--|:--| -| Name | EdgeTarget | +| Name | EdgeTarget_1 | | Friendly Name | Prevent Input Panel tab from appearing | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Input Panel | @@ -649,6 +220,73 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te + +## EdgeTarget_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/EdgeTarget_2 +``` + + + + +Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +- If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. + +> [!CAUTION] +> If you enable both the "Prevent Input Panel from appearing next to text entry areas" policy and the "Prevent Input Panel tab from appearing" policy, and disable the "Show Input Panel taskbar icon" policy, the user will then have no way to access Input Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EdgeTarget_2 | +| Friendly Name | Prevent Input Panel tab from appearing | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisableEdgeTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + ## IPTIPTarget_1 
@@ -665,17 +303,19 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te
+
 Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when using a tablet pen as an input device.
 Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
-If you enable this policy, Input Panel will never appear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog box.
+- If you enable this policy, Input Panel will never appear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog box.
-If you disable this policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.
+- If you disable this policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.
-If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
+- If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
-Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel.
+> [!CAUTION]
+> If you enable both the "Prevent Input Panel from appearing next to text entry areas" policy and the "Prevent Input Panel tab from appearing" policy, and disable the "Show Input Panel taskbar icon" policy, the user will then have no way to access Input Panel.
@@ -692,11 +332,14 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
 **ADMX mapping**:
 | Name | Value |
 |:--|:--|
-| Name | IPTIPTarget |
+| Name | IPTIPTarget_1 |
 | Friendly Name | For tablet pen input, don’t show the Input Panel icon |
 | Location | User Configuration |
 | Path | WindowsComponents > Tablet PC > Input Panel |
@@ -711,6 +354,73 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te
+
+## IPTIPTarget_2
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTarget_2
+```
+
+
+
+
+Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when using a tablet pen as an input device.
+
+Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+- If you enable this policy, Input Panel will never appear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+- If you disable this policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+- If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
+
+> [!CAUTION]
+> If you enable both the "Prevent Input Panel from appearing next to text entry areas" policy and the "Prevent Input Panel tab from appearing" policy, and disable the "Show Input Panel taskbar icon" policy, the user will then have no way to access Input Panel.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IPTIPTarget_2 |
+| Friendly Name | For tablet pen input, don’t show the Input Panel icon |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | HideIPTIPTarget |
+| ADMX File Name | TabletPCInputPanel.admx |
+
+
+
+
+
+
+
+
 ## IPTIPTouchTarget_1
@@ -727,15 +437,16 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te
+
 Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when a user is using touch input.
 Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
-If you enable this policy, Input Panel will never appear next to any text entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box.
+- If you enable this policy, Input Panel will never appear next to any text entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box.
-If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.
+- If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.
-If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
+- If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
@@ -752,11 +463,14 @@ If you do not configure this policy, Input Panel will appear next to text entry
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
 **ADMX mapping**:
 | Name | Value |
 |:--|:--|
-| Name | IPTIPTouchTarget |
+| Name | IPTIPTouchTarget_1 |
 | Friendly Name | For touch input, don’t show the Input Panel icon |
 | Location | User Configuration |
 | Path | WindowsComponents > Tablet PC > Input Panel |
@@ -771,6 +485,70 @@ If you do not configure this policy, Input Panel will appear next to text entry
+
+## IPTIPTouchTarget_2
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTouchTarget_2
+```
+
+
+
+
+Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when a user is using touch input.
+
+Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+- If you enable this policy, Input Panel will never appear next to any text entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+- If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+- If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IPTIPTouchTarget_2 |
+| Friendly Name | For touch input, don’t show the Input Panel icon |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | HideIPTIPTouchTarget |
+| ADMX File Name | TabletPCInputPanel.admx |
+
+
+
+
+
+
+
+
 ## PasswordSecurity_1
@@ -787,25 +565,27 @@ If you do not configure this policy, Input Panel will appear next to text entry
+
 Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when entering a password.
 Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
-If you enable this policy and choose “Low” from the drop-down box, password security is set to “Low.” At this setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box.
+- If you enable this policy and choose "Low" from the drop-down box, password security is set to "Low." At this setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box.
-If you enable this policy and choose “Medium-Low” from the drop-down box, password security is set to “Medium-Low.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+- If you enable this policy and choose "Medium-Low" from the drop-down box, password security is set to "Medium-Low." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
-If you enable this policy and choose “Medium” from the drop-down box, password security is set to “Medium.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+- If you enable this policy and choose "Medium" from the drop-down box, password security is set to "Medium." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
-If you enable this policy and choose to “Medium-High” from the drop-down box, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+- If you enable this policy and choose to "Medium-High" from the drop-down box, password security is set to "Medium-High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
-If you enable this policy and choose “High” from the drop-down box, password security is set to “High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel does not display the cursor or which keys are tapped.
Users will not be able to configure this setting in the Input Panel Options dialog box.
+- If you enable this policy and choose "High" from the drop-down box, password security is set to "High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
-If you disable this policy, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+- If you disable this policy, password security is set to "Medium-High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
-If you do not configure this policy, password security is set to “Medium-High” by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista.
+- If you do not configure this policy, password security is set to "Medium-High" by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped.
Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista.
-Caution: If you lower password security settings, people who can see the user’s screen might be able to see their passwords.
+> [!CAUTION]
+> If you lower password security settings, people who can see the user's screen might be able to see their passwords.
@@ -822,11 +602,14 @@ Caution: If you lower password security settings, people who can see the user’
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
 **ADMX mapping**:
 | Name | Value |
 |:--|:--|
-| Name | PasswordSecurity |
+| Name | PasswordSecurity_1 |
 | Friendly Name | Turn off password security in Input Panel |
 | Location | User Configuration |
 | Path | WindowsComponents > Tablet PC > Input Panel |
@@ -841,6 +624,81 @@ Caution: If you lower password security settings, people who can see the user’
+
+## PasswordSecurity_2
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/PasswordSecurity_2
+```
+
+
+
+
+Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when entering a password.
+
+Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+- If you enable this policy and choose "Low" from the drop-down box, password security is set to "Low." At this setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+- If you enable this policy and choose "Medium-Low" from the drop-down box, password security is set to "Medium-Low." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+- If you enable this policy and choose "Medium" from the drop-down box, password security is set to "Medium." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+- If you enable this policy and choose to "Medium-High" from the drop-down box, password security is set to "Medium-High."
At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+- If you enable this policy and choose "High" from the drop-down box, password security is set to "High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+- If you disable this policy, password security is set to "Medium-High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+- If you do not configure this policy, password security is set to "Medium-High" by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista.
+
+> [!CAUTION]
+> If you lower password security settings, people who can see the user's screen might be able to see their passwords.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration.
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | PasswordSecurity_2 |
+| Friendly Name | Turn off password security in Input Panel |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | PasswordSecurityState |
+| ADMX File Name | TabletPCInputPanel.admx |
+
+
+
+
+
+
+
+
 ## Prediction_1
@@ -857,15 +715,16 @@ Caution: If you lower password security settings, people who can see the user’
+
 Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab when the feature is available for the current input area and input language.
 Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
-If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.
+- If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.
-If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.
+- If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.
-If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Windows Vista.
+- If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Windows Vista.
@@ -882,11 +741,14 @@ If you do not configure this policy, Input Panel will provide text prediction su
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
 **ADMX mapping**:
 | Name | Value |
 |:--|:--|
-| Name | EnablePrediction |
+| Name | Prediction_1 |
 | Friendly Name | Disable text prediction |
 | Location | User Configuration |
 | Path | WindowsComponents > Tablet PC > Input Panel |
@@ -901,6 +763,70 @@ If you do not configure this policy, Input Panel will provide text prediction su
+
+## Prediction_2
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/Prediction_2
+```
+
+
+
+
+Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab when the feature is available for the current input area and input language.
+
+Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+- If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+- If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+- If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Windows Vista.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Prediction_2 |
+| Friendly Name | Disable text prediction |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | DisablePrediction |
+| ADMX File Name | TabletPCInputPanel.admx |
+
+
+
+
+
+
+
+
 ## RareChar_1
@@ -917,15 +843,16 @@ If you do not configure this policy, Input Panel will provide text prediction su
+
 Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input languages or keyboards are installed.
 Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
-If you enable this policy, rarely used Chinese, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box.
+- If you enable this policy, rarely used Chinese, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box.
-If you disable this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box.
+- If you disable this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box.
-If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text.
Users will be able to configure this setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista).
+- If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista).
@@ -942,11 +869,14 @@ If you do not configure this policy, rarely used Chinese, Kanji, and Hanja chara
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
 **ADMX mapping**:
 | Name | Value |
 |:--|:--|
-| Name | RareChar |
+| Name | RareChar_1 |
 | Friendly Name | Include rarely used Chinese, Kanji, or Hanja characters |
 | Location | User Configuration |
 | Path | WindowsComponents > Tablet PC > Input Panel |
@@ -961,6 +891,70 @@ If you do not configure this policy, rarely used Chinese, Kanji, and Hanja chara
+
+## RareChar_2
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/RareChar_2
+```
+
+
+
+
+Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input languages or keyboards are installed.
+
+Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+- If you enable this policy, rarely used Chinese, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+- If you disable this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+- If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | RareChar_2 |
+| Friendly Name | Include rarely used Chinese, Kanji, or Hanja characters |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | IncludeRareChar |
+| ADMX File Name | TabletPCInputPanel.admx |
+
+
+
+
+
+
+
+
 ## ScratchOut_1
@@ -977,21 +971,22 @@ If you do not configure this policy, rarely used Chinese, Kanji, and Hanja chara + Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. The tolerant gestures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. -If you enable this policy and choose “All” from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "All" from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you enable this policy and choose “Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you enable this policy and choose “None,” users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "None," users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. 
Users will not be able to configure this setting in the Input Panel Options dialog box. -If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options. +- If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options. @@ -1008,11 +1003,14 @@ If you do not configure this policy, users will be able to use both the tolerant +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ScratchOut | +| Name | ScratchOut_1 | | Friendly Name | Turn off tolerant and Z-shaped scratch-out gestures | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Input Panel | @@ -1027,6 +1025,76 @@ If you do not configure this policy, users will be able to use both the tolerant + +## ScratchOut_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/ScratchOut_2 +``` + + + + +Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. + +The tolerant gestures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +- If you enable this policy and choose "All" from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you enable this policy and choose "Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you enable this policy and choose "None," users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options. 
+ + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ScratchOut_2 | +| Friendly Name | Turn off tolerant and Z-shaped scratch-out gestures | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | ScratchOutState | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md index 82eee23e73..bb04b3fb84 100644 --- a/windows/client-management/mdm/policy-csp-admx-tabletshell.md +++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md 
@@ -1,143 +1,1388 @@ --- -title: Policy CSP - ADMX_TabletShell -description: Learn about Policy CSP - ADMX_TabletShell. +title: ADMX_TabletShell Policy CSP +description: Learn more about the ADMX_TabletShell Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/23/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_TabletShell > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_TabletShell policies + +## DisableInkball_1 -
    -
    - ADMX_TabletShell/DisableInkball_1 -
    -
    - ADMX_TabletShell/DisableNoteWriterPrinting_1 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableInkball_1 +``` + -
    + + +Prevents start of InkBall game. - -**ADMX_TabletShell/DisableInkball_1** +- If you enable this policy, the InkBall game will not run. - +- If you disable this policy, the InkBall game will run. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you do not configure this policy, the InkBall game will run. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This policy setting prevents start of InkBall game. +**ADMX mapping**: -If you enable this policy, the InkBall game won't run. +| Name | Value | +|:--|:--| +| Name | DisableInkball_1 | +| Friendly Name | Do not allow Inkball to run | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableInkball | +| ADMX File Name | TabletShell.admx | + -If you disable this policy, the InkBall game will run. If you don't configure this policy, the InkBall game will run. + + + - + + +## DisableInkball_2 - -ADMX Info: -- GP Friendly name: *Do not allow Inkball to run* -- GP name: *DisableInkball_1* -- GP path: *Windows Components\Tablet PC\Accessories* -- GP ADMX file name: *TabletShell.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableInkball_2 +``` + -
    + + +Prevents start of InkBall game. - -**ADMX_TabletShell/DisableNoteWriterPrinting_1** +- If you enable this policy, the InkBall game will not run. - +- If you disable this policy, the InkBall game will run. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you do not configure this policy, the InkBall game will run. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This policy setting prevents printing to Journal Note Writer. +**ADMX mapping**: -If you enable this policy, the Journal Note Writer printer driver won't allow printing to it. It will remain displayed in the list of available printers, but attempts to print it will fail. +| Name | Value | +|:--|:--| +| Name | DisableInkball_2 | +| Friendly Name | Do not allow Inkball to run | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableInkball | +| ADMX File Name | TabletShell.admx | + -If you disable this policy, you'll be able to use this feature to print to a Journal Note. If you don't configure this policy, users will be able to use this feature to print to a Journal Note. + + + + - + +## DisableJournal_1 + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Do not allow printing to Journal Note Writer* -- GP name: *DisableNoteWriterPrinting_1* -- GP path: *Windows Components\Tablet PC\Accessories* -- GP ADMX file name: *TabletShell.admx* + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableJournal_1 +``` + - - -
    + + +Prevents start of Windows Journal. +- If you enable this policy, the Windows Journal accessory will not run. +- If you disable this policy, the Windows Journal accessory will run. - +- If you do not configure this policy, the Windows Journal accessory will run. + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableJournal_1 | +| Friendly Name | Do not allow Windows Journal to be run | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableJournal | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## DisableJournal_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableJournal_2 +``` + + + + +Prevents start of Windows Journal. + +- If you enable this policy, the Windows Journal accessory will not run. + +- If you disable this policy, the Windows Journal accessory will run. + +- If you do not configure this policy, the Windows Journal accessory will run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableJournal_2 | +| Friendly Name | Do not allow Windows Journal to be run | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableJournal | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## DisableNoteWriterPrinting_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableNoteWriterPrinting_1 +``` + + + + +Prevents printing to Journal Note Writer. + +- If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. + +- If you disable this policy, you will be able to use this feature to print to a Journal Note. + +- If you do not configure this policy, users will be able to use this feature to print to a Journal Note. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableNoteWriterPrinting_1 | +| Friendly Name | Do not allow printing to Journal Note Writer | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableNoteWriterPrinting | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## DisableNoteWriterPrinting_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableNoteWriterPrinting_2 +``` + + + + +Prevents printing to Journal Note Writer. + +- If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. + +- If you disable this policy, you will be able to use this feature to print to a Journal Note. + +- If you do not configure this policy, users will be able to use this feature to print to a Journal Note. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableNoteWriterPrinting_2 | +| Friendly Name | Do not allow printing to Journal Note Writer | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableNoteWriterPrinting | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## DisableSnippingTool_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableSnippingTool_1 +``` + + + + +Prevents the snipping tool from running. + +- If you enable this policy setting, the Snipping Tool will not run. + +- If you disable this policy setting, the Snipping Tool will run. + +- If you do not configure this policy setting, the Snipping Tool will run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSnippingTool_1 | +| Friendly Name | Do not allow Snipping Tool to run | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableSnippingTool | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## DisableSnippingTool_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableSnippingTool_2 +``` + + + + +Prevents the snipping tool from running. + +- If you enable this policy setting, the Snipping Tool will not run. + +- If you disable this policy setting, the Snipping Tool will run. + +- If you do not configure this policy setting, the Snipping Tool will run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSnippingTool_2 | +| Friendly Name | Do not allow Snipping Tool to run | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableSnippingTool | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventBackEscMapping_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventBackEscMapping_1 +``` + + + + +Removes the Back->ESC mapping that normally occurs when menus are visible, and for applications that subscribe to this behavior. + +- If you enable this policy, a button assigned to Back will not map to ESC. + +- If you disable this policy, Back->ESC mapping will occur. + +- If you do not configure this policy, Back->ESC mapping will occur. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventBackEscMapping_1 | +| Friendly Name | Prevent Back-ESC mapping | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventButtonBackEscapeMapping | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventBackEscMapping_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventBackEscMapping_2 +``` + + + + +Removes the Back->ESC mapping that normally occurs when menus are visible, and for applications that subscribe to this behavior. + +- If you enable this policy, a button assigned to Back will not map to ESC. + +- If you disable this policy, Back->ESC mapping will occur. + +- If you do not configure this policy, Back->ESC mapping will occur. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventBackEscMapping_2 | +| Friendly Name | Prevent Back-ESC mapping | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventButtonBackEscapeMapping | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventFlicks_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventFlicks_1 +``` + + + + +Makes pen flicks and all related features unavailable. + +- If you enable this policy, pen flicks and all related features are unavailable. This includes: pen flicks themselves, pen flicks training, pen flicks training triggers in Internet Explorer, the pen flicks notification and the pen flicks tray icon. + +- If you disable or do not configure this policy, pen flicks and related features are available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventFlicks_1 | +| Friendly Name | Prevent flicks | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Pen UX Behaviors | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventFlicks | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventFlicks_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventFlicks_2 +``` + + + + +Makes pen flicks and all related features unavailable. + +- If you enable this policy, pen flicks and all related features are unavailable. This includes: pen flicks themselves, pen flicks training, pen flicks training triggers in Internet Explorer, the pen flicks notification and the pen flicks tray icon. + +- If you disable or do not configure this policy, pen flicks and related features are available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventFlicks_2 | +| Friendly Name | Prevent flicks | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Pen UX Behaviors | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventFlicks | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventFlicksLearningMode_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventFlicksLearningMode_1 +``` + + + + +Makes pen flicks learning mode unavailable. + +- If you enable this policy, pen flicks are still available but learning mode is not. Pen flicks are off by default and can be turned on system-wide, but cannot be restricted to learning mode applications. This means that the pen flicks training triggers in Internet Explorer are disabled and that the pen flicks notification will never be displayed. However, pen flicks, the pen flicks tray icon and pen flicks training (that can be accessed through CPL) are still available. Conceptually this policy is a subset of the Disable pen flicks policy. + +- If you disable or do not configure this policy, all the features described above will be available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventFlicksLearningMode_1 | +| Friendly Name | Prevent Flicks Learning Mode | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Pen Flicks Learning | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventFlicksLearningMode | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventFlicksLearningMode_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventFlicksLearningMode_2 +``` + + + + +Makes pen flicks learning mode unavailable. + +- If you enable this policy, pen flicks are still available but learning mode is not. Pen flicks are off by default and can be turned on system-wide, but cannot be restricted to learning mode applications. This means that the pen flicks training triggers in Internet Explorer are disabled and that the pen flicks notification will never be displayed. However, pen flicks, the pen flicks tray icon and pen flicks training (that can be accessed through CPL) are still available. Conceptually this policy is a subset of the Disable pen flicks policy. + +- If you disable or do not configure this policy, all the features described above will be available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventFlicksLearningMode_2 | +| Friendly Name | Prevent Flicks Learning Mode | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Pen Flicks Learning | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventFlicksLearningMode | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventLaunchApp_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventLaunchApp_1 +``` + + + + +Prevents the user from launching an application from a Tablet PC hardware button. + +- If you enable this policy, applications cannot be launched from a hardware button, and "Launch an application" is removed from the drop down menu for configuring button actions (in the Tablet PC Control Panel buttons tab). + +- If you disable this policy, applications can be launched from a hardware button. + +- If you do not configure this policy, applications can be launched from a hardware button. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventLaunchApp_1 | +| Friendly Name | Prevent launch an application | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventButtonApplicationLaunch | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventLaunchApp_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventLaunchApp_2 +``` + + + + +Prevents the user from launching an application from a Tablet PC hardware button. + +- If you enable this policy, applications cannot be launched from a hardware button, and "Launch an application" is removed from the drop down menu for configuring button actions (in the Tablet PC Control Panel buttons tab). + +- If you disable this policy, applications can be launched from a hardware button. + +- If you do not configure this policy, applications can be launched from a hardware button. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventLaunchApp_2 | +| Friendly Name | Prevent launch an application | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventButtonApplicationLaunch | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventPressAndHold_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventPressAndHold_1 +``` + + + + +Prevents press and hold actions on hardware buttons, so that only one action is available per button. + +- If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: "Some settings are controlled by Group Policy. If a setting is unavailable, contact your system administrator." + +- If you disable this policy, press and hold actions for buttons will be available. + +- If you do not configure this policy, press and hold actions will be available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventPressAndHold_1 | +| Friendly Name | Prevent press and hold | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventButtonPressAndHold | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventPressAndHold_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventPressAndHold_2 +``` + + + + +Prevents press and hold actions on hardware buttons, so that only one action is available per button. + +- If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: "Some settings are controlled by Group Policy. If a setting is unavailable, contact your system administrator." + +- If you disable this policy, press and hold actions for buttons will be available. + +- If you do not configure this policy, press and hold actions will be available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventPressAndHold_2 | +| Friendly Name | Prevent press and hold | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventButtonPressAndHold | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## TurnOffButtons_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/TurnOffButtons_1 +``` + + + + +Turns off Tablet PC hardware buttons. + +- If you enable this policy, no actions will occur when the buttons are pressed, and the buttons tab in Tablet PC Control Panel will be removed. + +- If you disable this policy, user and OEM defined button actions will occur when the buttons are pressed. + +- If you do not configure this policy, user and OEM defined button actions will occur when the buttons are pressed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TurnOffButtons_1 | +| Friendly Name | Turn off hardware buttons | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffButtons | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## TurnOffButtons_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/TurnOffButtons_2 +``` + + + + +Turns off Tablet PC hardware buttons. + +- If you enable this policy, no actions will occur when the buttons are pressed, and the buttons tab in Tablet PC Control Panel will be removed. + +- If you disable this policy, user and OEM defined button actions will occur when the buttons are pressed. + +- If you do not configure this policy, user and OEM defined button actions will occur when the buttons are pressed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TurnOffButtons_2 | +| Friendly Name | Turn off hardware buttons | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffButtons | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## TurnOffFeedback_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/TurnOffFeedback_1 +``` + + + + +Disables visual pen action feedback, except for press and hold feedback. + +- If you enable this policy, all visual pen action feedback is disabled except for press and hold feedback. Additionally, the mouse cursors are shown instead of the pen cursors. + +- If you disable or do not configure this policy, visual feedback and pen cursors will be shown unless the user disables them in Control Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TurnOffFeedback_1 | +| Friendly Name | Turn off pen feedback | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Cursors | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffPenFeedback | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## TurnOffFeedback_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/TurnOffFeedback_2 +``` + + + + +Disables visual pen action feedback, except for press and hold feedback. + +- If you enable this policy, all visual pen action feedback is disabled except for press and hold feedback. Additionally, the mouse cursors are shown instead of the pen cursors. + +- If you disable or do not configure this policy, visual feedback and pen cursors will be shown unless the user disables them in Control Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TurnOffFeedback_2 | +| Friendly Name | Turn off pen feedback | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Cursors | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffPenFeedback | +| ADMX File Name | TabletShell.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index 107ce3f16c..d5babf1d77 100644 --- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md 
@@ -1,1150 +1,1379 @@ --- -title: Policy CSP - ADMX_Taskbar -description: Learn about Policy CSP - ADMX_Taskbar. +title: ADMX_Taskbar Policy CSP +description: Learn more about the ADMX_Taskbar Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/26/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Taskbar -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## ADMX_Taskbar policies + + + -
    -
    - ADMX_Taskbar/DisableNotificationCenter -
    -
    - ADMX_Taskbar/EnableLegacyBalloonNotifications -
    -
    - ADMX_Taskbar/HideSCAHealth -
    -
    - ADMX_Taskbar/HideSCANetwork -
    -
    - ADMX_Taskbar/HideSCAPower -
    -
    - ADMX_Taskbar/HideSCAVolume -
    -
    - ADMX_Taskbar/NoBalloonFeatureAdvertisements -
    -
    - ADMX_Taskbar/NoPinningStoreToTaskbar -
    -
    - ADMX_Taskbar/NoPinningToDestinations -
    -
    - ADMX_Taskbar/NoPinningToTaskbar -
    -
    - ADMX_Taskbar/NoRemoteDestinations -
    -
    - ADMX_Taskbar/NoSystraySystemPromotion -
    -
    - ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar -
    -
    - ADMX_Taskbar/TaskbarLockAll -
    -
    - ADMX_Taskbar/TaskbarNoAddRemoveToolbar -
    -
    - ADMX_Taskbar/TaskbarNoDragToolbar -
    -
    - ADMX_Taskbar/TaskbarNoMultimon -
    -
    - ADMX_Taskbar/TaskbarNoNotification -
    -
    - ADMX_Taskbar/TaskbarNoPinnedList -
    -
    - ADMX_Taskbar/TaskbarNoRedock -
    -
    - ADMX_Taskbar/TaskbarNoResize -
    -
    - ADMX_Taskbar/TaskbarNoThumbnail -
    -
    + +## DisableNotificationCenter + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/DisableNotificationCenter +``` - -**ADMX_Taskbar/DisableNotificationCenter** +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Taskbar/DisableNotificationCenter +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting removes Notifications and Action Center from the notification area on the taskbar. The notification area is located at the far right end of the taskbar and includes icons for current notifications and the system clock. -If this setting is enabled, Notifications and Action Center isn't displayed in the notification area. The user will be able to read notifications when they appear, but they won’t be able to review any notifications they miss. +- If this setting is enabled, Notifications and Action Center is not displayed in the notification area. The user will be able to read notifications when they appear, but they won't be able to review any notifications they miss. -If you disable or don't configure this policy setting, Notification and Security and Maintenance will be displayed on the taskbar. +- If you disable or do not configure this policy setting, Notification and Security and Maintenance will be displayed on the taskbar. ->[!NOTE] -> A reboot is required for this policy setting to take effect. +A reboot is required for this policy setting to take effect. + - + + + - -ADMX Info: -- GP Friendly name: *Remove Notifications and Action Center* -- GP name: *DisableNotificationCenter* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/EnableLegacyBalloonNotifications** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableNotificationCenter | +| Friendly Name | Remove Notifications and Action Center | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableNotificationCenter | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## EnableLegacyBalloonNotifications -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/EnableLegacyBalloonNotifications +``` + + + + This policy disables the functionality that converts balloons to toast notifications. -If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications. +- If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications. Enable this policy setting if a specific app or system component that uses balloon notifications has compatibility issues with toast notifications. -If you disable or don’t configure this policy setting, all notifications will appear as toast notifications. +- If you disable or don't configure this policy setting, all notifications will appear as toast notifications. ->[!NOTE] -> A reboot is required for this policy setting to take effect. +A reboot is required for this policy setting to take effect. + - + + + - -ADMX Info: -- GP Friendly name: *Disable showing balloon notifications as toasts.* -- GP name: *EnableLegacyBalloonNotifications* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/HideSCAHealth** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | EnableLegacyBalloonNotifications | +| Friendly Name | Disable showing balloon notifications as toasts. | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | EnableLegacyBalloonNotifications | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## HideSCAHealth -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/HideSCAHealth +``` + + + + This policy setting allows you to remove Security and Maintenance from the system control area. -If you enable this policy setting, the Security and Maintenance icon isn't displayed in the system notification area. +- If you enable this policy setting, the Security and Maintenance icon is not displayed in the system notification area. -If you disable or don't configure this policy setting, the Security and Maintenance icon is displayed in the system notification area. +- If you disable or do not configure this policy setting, the Security and Maintenance icon is displayed in the system notification area. + - + + + - -ADMX Info: -- GP Friendly name: *Remove the Security and Maintenance icon* -- GP name: *HideSCAHealth* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/HideSCANetwork** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | HideSCAHealth | +| Friendly Name | Remove the Security and Maintenance icon | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | HideSCAHealth | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## HideSCANetwork -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/HideSCANetwork +``` + + + + This policy setting allows you to remove the networking icon from the system control area. -If you enable this policy setting, the networking icon isn't displayed in the system notification area. +- If you enable this policy setting, the networking icon is not displayed in the system notification area. -If you disable or don't configure this policy setting, the networking icon is displayed in the system notification area. +- If you disable or do not configure this policy setting, the networking icon is displayed in the system notification area. + - + + + - -ADMX Info: -- GP Friendly name: *Remove the networking icon* -- GP name: *HideSCANetwork* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/HideSCAPower** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | HideSCANetwork | +| Friendly Name | Remove the networking icon | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | HideSCANetwork | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## HideSCAPower -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/HideSCAPower +``` + + + + This policy setting allows you to remove the battery meter from the system control area. -If you enable this policy setting, the battery meter isn't displayed in the system notification area. +- If you enable this policy setting, the battery meter is not displayed in the system notification area. -If you disable or don't configure this policy setting, the battery meter is displayed in the system notification area. +- If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area. + - + + + - -ADMX Info: -- GP Friendly name: *Remove the battery meter* -- GP name: *HideSCAPower* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/HideSCAVolume** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | HideSCAPower | +| Friendly Name | Remove the battery meter | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | HideSCAPower | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## HideSCAVolume -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/HideSCAVolume +``` + + + + This policy setting allows you to remove the volume control icon from the system control area. -If you enable this policy setting, the volume control icon isn't displayed in the system notification area. +- If you enable this policy setting, the volume control icon is not displayed in the system notification area. -If you disable or don't configure this policy setting, the volume control icon is displayed in the system notification area. +- If you disable or do not configure this policy setting, the volume control icon is displayed in the system notification area. + - + + + - -ADMX Info: -- GP Friendly name: *Remove the volume control icon* -- GP name: *HideSCAVolume* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/NoBalloonFeatureAdvertisements** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | HideSCAVolume | +| Friendly Name | Remove the volume control icon | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | HideSCAVolume | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoBalloonFeatureAdvertisements -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/NoBalloonFeatureAdvertisements +``` + + + + This policy setting allows you to turn off feature advertisement balloon notifications. -If you enable this policy setting, certain notification balloons that are marked as feature advertisements aren't shown. +- If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown. -If you disable don't configure this policy setting, feature advertisement balloons are shown. +If you disable do not configure this policy setting, feature advertisement balloons are shown. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off feature advertisement balloon notifications* -- GP name: *NoBalloonFeatureAdvertisements* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/NoPinningStoreToTaskbar** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoBalloonFeatureAdvertisements | +| Friendly Name | Turn off feature advertisement balloon notifications | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoBalloonFeatureAdvertisements | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoPinningStoreToTaskbar -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/NoPinningStoreToTaskbar +``` + + + + This policy setting allows you to control pinning the Store app to the Taskbar. -If you enable this policy setting, users can't pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next sign in. +- If you enable this policy setting, users cannot pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next login. -If you disable or don't configure this policy setting, users can pin the Store app to the Taskbar. +- If you disable or do not configure this policy setting, users can pin the Store app to the Taskbar. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow pinning Store app to the Taskbar* -- GP name: *NoPinningStoreToTaskbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/NoPinningToDestinations** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoPinningStoreToTaskbar | +| Friendly Name | Do not allow pinning Store app to the Taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoPinningStoreToTaskbar | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoPinningToDestinations -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/NoPinningToDestinations +``` + + + + This policy setting allows you to control pinning items in Jump Lists. -If you enable this policy setting, users can't pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also can't unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show. +- If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show. -If you disable or don't configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items are always present in this menu. +- If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items is always present in this menu. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow pinning items in Jump Lists* -- GP name: *NoPinningToDestinations* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/NoPinningToTaskbar** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoPinningToDestinations | +| Friendly Name | Do not allow pinning items in Jump Lists | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoPinningToDestinations | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoPinningToTaskbar -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/NoPinningToTaskbar +``` + + + + This policy setting allows you to control pinning programs to the Taskbar. -If you enable this policy setting, users can't change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users can't unpin these programs already pinned to the Taskbar, and they can't pin new programs to the Taskbar. +- If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. -If you disable or don't configure this policy setting, users can change the programs currently pinned to the Taskbar. +- If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow pinning programs to the Taskbar* -- GP name: *NoPinningToTaskbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Taskbar/NoRemoteDestinations** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoPinningToTaskbar | +| Friendly Name | Do not allow pinning programs to the Taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoPinningToTaskbar | +| ADMX File Name | Taskbar.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoRemoteDestinations -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/NoRemoteDestinations +``` + - - + + This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations. -The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites, and other relevant items for that program. This customization helps users more easily reopen their most important documents and other tasks. +The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks. -If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers aren't tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections. +- If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers are not tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections. -If you disable or don't configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer. +- If you disable or do not configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer. > [!NOTE] > This setting does not prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the "Do not allow pinning items in Jump Lists" policy setting. 
+ + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not display or track items in Jump Lists from remote locations* -- GP name: *NoRemoteDestinations* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_Taskbar/NoSystraySystemPromotion** +| Name | Value | +|:--|:--| +| Name | NoRemoteDestinations | +| Friendly Name | Do not display or track items in Jump Lists from remote locations | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoRemoteDestinations | +| ADMX File Name | Taskbar.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## NoSystraySystemPromotion - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/NoSystraySystemPromotion +``` + -
    - - - + + This policy setting allows you to turn off automatic promotion of notification icons to the taskbar. -If you enable this policy setting, newly added notification icons aren't temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel. +- If you enable this policy setting, newly added notification icons are not temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel. -If you disable or don't configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar. +- If you disable or do not configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off automatic promotion of notification icons to the taskbar* -- GP name: *NoSystraySystemPromotion* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoSystraySystemPromotion | +| Friendly Name | Turn off automatic promotion of notification icons to the taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoSystraySystemPromotion | +| ADMX File Name | Taskbar.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShowWindowsStoreAppsOnTaskbar -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar +``` + - - + + This policy setting allows users to see Windows Store apps on the taskbar. -If you enable this policy setting, users will see Windows Store apps on the taskbar. +- If you enable this policy setting, users will see Windows Store apps on the taskbar. -If you disable this policy setting, users won’t see Windows Store apps on the taskbar. +- If you disable this policy setting, users won't see Windows Store apps on the taskbar. -If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. +- If you don't configure this policy setting, the default setting for the user's device will be used, and the user can choose to change it. + - + + + - -ADMX Info: -- GP Friendly name: *Show Windows Store apps on the taskbar* -- GP name: *ShowWindowsStoreAppsOnTaskbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Taskbar/TaskbarLockAll** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShowWindowsStoreAppsOnTaskbar | +| Friendly Name | Show Windows Store apps on the taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowWindowsStoreAppsOnTaskbar | +| ADMX File Name | Taskbar.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TaskbarLockAll -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarLockAll +``` + - - + + This policy setting allows you to lock all taskbar settings. -If you enable this policy setting, the user can't access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar. +- If you enable this policy setting, the user cannot access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar. -If you disable or don't configure this policy setting, the user will be able to set any taskbar setting that isn't prevented by another policy setting. +- If you disable or do not configure this policy setting, the user will be able to set any taskbar setting that is not prevented by another policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Lock all taskbar settings* -- GP name: *TaskbarLockAll* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Taskbar/TaskbarNoAddRemoveToolbar** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TaskbarLockAll | +| Friendly Name | Lock all taskbar settings | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | TaskbarLockAll | +| ADMX File Name | Taskbar.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TaskbarNoAddRemoveToolbar -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoAddRemoveToolbar +``` + - - + + This policy setting allows you to prevent users from adding or removing toolbars. -If you enable this policy setting, the user isn't allowed to add or remove any toolbars to the taskbar. Applications aren't able to add toolbars either. +- If you enable this policy setting, the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either. -If you disable or don't configure this policy setting, the users and applications are able to add toolbars to the taskbar. +- If you disable or do not configure this policy setting, the users and applications are able to add toolbars to the taskbar. + - - -ADMX Info: -- GP Friendly name: *Prevent users from adding or removing toolbars* -- GP name: *TaskbarNoAddRemoveToolbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + + + - - -> + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/TaskbarNoDragToolbar** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TaskbarNoAddRemoveToolbar | +| Friendly Name | Prevent users from adding or removing toolbars | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | TaskbarNoAddRemoveToolbar | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## TaskbarNoDragToolbar -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoDragToolbar +``` + + + + This policy setting allows you to prevent users from rearranging toolbars. -If you enable this policy setting, users aren't able to drag or drop toolbars to the taskbar. +- If you enable this policy setting, users are not able to drag or drop toolbars to the taskbar. -If you disable or don't configure this policy setting, users are able to rearrange the toolbars on the taskbar. +- If you disable or do not configure this policy setting, users are able to rearrange the toolbars on the taskbar. + - - -ADMX Info: -- GP Friendly name: *Prevent users from rearranging toolbars* -- GP name: *TaskbarNoDragToolbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/TaskbarNoMultimon** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TaskbarNoDragToolbar | +| Friendly Name | Prevent users from rearranging toolbars | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | TaskbarNoDragToolbar | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## TaskbarNoMultimon -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoMultimon +``` + + + + This policy setting allows you to prevent taskbars from being displayed on more than one monitor. -If you enable this policy setting, users aren't able to show taskbars on more than one display. The multiple display section isn't enabled in the taskbar properties dialog. +- If you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog. -If you disable or don't configure this policy setting, users can show taskbars on more than one display. +- If you disable or do not configure this policy setting, users can show taskbars on more than one display. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow taskbars on more than one display* -- GP name: *TaskbarNoMultimon* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Taskbar/TaskbarNoNotification** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TaskbarNoMultimon | +| Friendly Name | Do not allow taskbars on more than one display | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | TaskbarNoMultimon | +| ADMX File Name | Taskbar.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TaskbarNoNotification -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoNotification +``` + - - + + This policy setting allows you to turn off all notification balloons. -If you enable this policy setting, no notification balloons are shown to the user. +- If you enable this policy setting, no notification balloons are shown to the user. -If you disable or don't configure this policy setting, notification balloons are shown to the user. +- If you disable or do not configure this policy setting, notification balloons are shown to the user. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off all balloon notifications* -- GP name: *TaskbarNoNotification* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/TaskbarNoPinnedList** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TaskbarNoNotification | +| Friendly Name | Turn off all balloon notifications | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | TaskbarNoNotification | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## TaskbarNoPinnedList -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList +``` + + + + This policy setting allows you to remove pinned programs from the taskbar. -If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users can't pin programs to the Taskbar. +- If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar. -If you disable or don't configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar. +- If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar. + - + + + - -ADMX Info: -- GP Friendly name: *Remove pinned programs from the Taskbar* -- GP name: *TaskbarNoPinnedList* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Taskbar/TaskbarNoRedock** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TaskbarNoPinnedList | +| Friendly Name | Remove pinned programs from the Taskbar | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | TaskbarNoPinnedList | +| ADMX File Name | Taskbar.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TaskbarNoRedock -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoRedock +``` + - - + + This policy setting allows you to prevent users from moving taskbar to another screen dock location. -If you enable this policy setting, users aren't able to drag their taskbar to another area of the monitor(s). +- If you enable this policy setting, users are not able to drag their taskbar to another area of the monitor(s). -If you disable or don't configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by another policy setting. +- If you disable or do not configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by another policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent users from moving taskbar to another screen dock location* -- GP name: *TaskbarNoRedock* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - -**ADMX_Taskbar/TaskbarNoResize** +| Name | Value | +|:--|:--| +| Name | TaskbarNoRedock | +| Friendly Name | Prevent users from moving taskbar to another screen dock location | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | TaskbarNoRedock | +| ADMX File Name | Taskbar.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TaskbarNoResize - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoResize +``` + -
    - - - + + This policy setting allows you to prevent users from resizing the taskbar. -If you enable this policy setting, users aren't be able to resize their taskbar. +- If you enable this policy setting, users are not be able to resize their taskbar. -If you disable or don't configure this policy setting, users are able to resize their taskbar unless prevented by another setting. +- If you disable or do not configure this policy setting, users are able to resize their taskbar unless prevented by another setting. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent users from resizing the taskbar* -- GP name: *TaskbarNoResize* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_Taskbar/TaskbarNoThumbnail** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TaskbarNoResize | +| Friendly Name | Prevent users from resizing the taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | TaskbarNoResize | +| ADMX File Name | Taskbar.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TaskbarNoThumbnail -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoThumbnail +``` + - - + + This policy setting allows you to turn off taskbar thumbnails. -If you enable this policy setting, the taskbar thumbnails aren't displayed and the system uses standard text for the tooltips. +- If you enable this policy setting, the taskbar thumbnails are not displayed and the system uses standard text for the tooltips. -If you disable or don't configure this policy setting, the taskbar thumbnails are displayed. +- If you disable or do not configure this policy setting, the taskbar thumbnails are displayed. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off taskbar thumbnails* -- GP name: *TaskbarNoThumbnail* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value |
    +|:--|:--|
    +| Format | chr (string) |
    +| Access Type | Add, Delete, Get, Replace |
    +
    -
    +
    +> [!TIP]
    +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
    +**ADMX mapping**:
    -## Related topics
    +| Name | Value |
    +|:--|:--|
    +| Name | TaskbarNoThumbnail |
    +| Friendly Name | Turn off taskbar thumbnails |
    +| Location | User Configuration |
    +| Path | Start Menu and Taskbar |
    +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
    +| Registry Value Name | TaskbarNoThumbnail |
    +| ADMX File Name | Taskbar.admx |
    +
    -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
    +
    +
    +
    +
    +
    +
    +
    +
    +
    +
    +
    +
    +## Related articles
    +
    +[Policy configuration service provider](policy-configuration-service-provider.md)
    diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md
    index 16255c4155..a0b38a0dd1 100644
    --- a/windows/client-management/mdm/policy-csp-admx-tcpip.md
    +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md
    @@ -1,702 +1,838 @@
     ---
    -title: Policy CSP - ADMX_tcpip
    -description: Learn about Policy CSP - ADMX_tcpip.
    +title: ADMX_tcpip Policy CSP
    +description: Learn more about the ADMX_tcpip Area in Policy CSP.
    +author: vinaypamnani-msft
    +manager: aaroncz
     ms.author: vinpa
    +ms.date: 01/09/2023
     ms.localizationpriority: medium
    -ms.topic: article
     ms.prod: windows-client
     ms.technology: itpro-manage
    -author: vinaypamnani-msft
    -ms.date: 09/23/2020
    -ms.reviewer:
    -manager: aaroncz
    +ms.topic: reference
     ---
    +
    +
    +
     # Policy CSP - ADMX_tcpip
    -
    -
     > [!TIP]
    -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
    +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
     >
    -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
    ->
    -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    -
    -## ADMX_tcpip policies
    +
    +
    +
    -
    -
    - ADMX_tcpip/6to4_Router_Name -
    -
    - ADMX_tcpip/6to4_Router_Name_Resolution_Interval -
    -
    - ADMX_tcpip/6to4_State -
    -
    - ADMX_tcpip/IPHTTPS_ClientState -
    -
    - ADMX_tcpip/IP_Stateless_Autoconfiguration_Limits_State -
    -
    - ADMX_tcpip/ISATAP_Router_Name -
    -
    - ADMX_tcpip/ISATAP_State -
    -
    - ADMX_tcpip/Teredo_Client_Port -
    -
    - ADMX_tcpip/Teredo_Default_Qualified -
    -
    - ADMX_tcpip/Teredo_Refresh_Rate -
    -
    - ADMX_tcpip/Teredo_Server_Name -
    -
    - ADMX_tcpip/Teredo_State -
    -
    - ADMX_tcpip/Windows_Scaling_Heuristics_State -
    -
    +
    +## 6to4_Router_Name
    +
    +| Scope | Editions | Applicable OS |
    +|:--|:--|:--|
    +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    +
    +```Device
    +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/6to4_Router_Name
    +```
    +
    -
    -**ADMX_tcpip/6to4_Router_Name**
    -
    -
    -
    -|Edition|Windows 10|Windows 11|
    -|--- |--- |--- |
    -|Home|No|No|
    -|Pro|Yes|Yes|
    -|Windows SE|No|Yes|
    -|Business|Yes|Yes|
    -|Enterprise|Yes|Yes|
    -|Education|Yes|Yes|
    -
    -
    -
    -
    -
    -[Scope](./policy-configuration-service-provider.md#policy-scope):
    -
    -> [!div class = "checklist"]
    -> * Device
    -
    -
    - - - + + This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host. -If you enable this policy setting, you can specify a relay name for a 6to4 host. +- If you enable this policy setting, you can specify a relay name for a 6to4 host. -If you disable or do not configure this policy setting, the local host setting is used, and you cannot specify a relay name for a 6to4 host. +- If you disable or do not configure this policy setting, the local host setting is used, and you cannot specify a relay name for a 6to4 host. + - + + + - -ADMX Info: -- GP Friendly name: *Set 6to4 Relay Name* -- GP name: *6to4_Router_Name* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_tcpip/6to4_Router_Name_Resolution_Interval** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | 6to4_Router_Name | +| Friendly Name | Set 6to4 Relay Name | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## 6to4_Router_Name_Resolution_Interval -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/6to4_Router_Name_Resolution_Interval +``` + + + + This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. -If you enable this policy setting, you can specify the value for the duration at which the relay name is resolved periodically. +- If you enable this policy setting, you can specify the value for the duration at which the relay name is resolved periodically. -If you disable or do not configure this policy setting, the local host setting is used. +- If you disable or do not configure this policy setting, the local host setting is used. + - + + + - -ADMX Info: -- GP Friendly name: *Set 6to4 Relay Name Resolution Interval* -- GP name: *6to4_Router_Name_Resolution_Interval* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_tcpip/6to4_State** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | 6to4_Router_Name_Resolution_Interval | +| Friendly Name | Set 6to4 Relay Name Resolution Interval | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## 6to4_State -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/6to4_State +``` + + + + This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site. -If you disable or do not configure this policy setting, the local host setting is used. +- If you disable or do not configure this policy setting, the local host setting is used. -If you enable this policy setting, you can configure 6to4 with one of the following settings: +- If you enable this policy setting, you can configure 6to4 with one of the following settings: -- Policy Default State: 6to4 is turned off and connectivity with 6to4 will not be available. -- Policy Enabled State: If a global IPv4 address is present, the host will have a 6to4 interface. If no global IPv4 address is present, the host will not have a 6to4 interface. -- Policy Disabled State: 6to4 is turned off and connectivity with 6to4 will not be available. +Policy Default State: 6to4 is turned off and connectivity with 6to4 will not be available. - +Policy Enabled State: If a global IPv4 address is present, the host will have a 6to4 interface. If no global IPv4 address is present, the host will not have a 6to4 interface. - -ADMX Info: -- GP Friendly name: *Set 6to4 State* -- GP name: *6to4_State* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* +Policy Disabled State: 6to4 is turned off and connectivity with 6to4 will not be available. + - - -
    + + + - -**ADMX_tcpip/IPHTTPS_ClientState** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | 6to4_State | +| Friendly Name | Set 6to4 State | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. + +## IP_Stateless_Autoconfiguration_Limits_State -If you disable or do not configure this policy setting, the local host settings are used. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this policy setting, you can specify an IP-HTTPS server URL. You will be able to configure IP-HTTPS with one of the following settings: + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/IP_Stateless_Autoconfiguration_Limits_State +``` + -- Policy Default State: The IP-HTTPS interface is used when there are no other connectivity options. -- Policy Enabled State: The IP-HTTPS interface is always present, even if the host has other connectiv-ity options. -- Policy Disabled State: No IP-HTTPS interfaces are present on the host. - - - - -ADMX Info: -- GP Friendly name: *Set IP-HTTPS State* -- GP name: *IPHTTPS_ClientState* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* - - - -
    - - -**ADMX_tcpip/IP_Stateless_Autoconfiguration_Limits_State** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to configure IP Stateless Autoconfiguration Limits. -If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes. +- If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes. -If you disable this policy setting, IP Stateless Autoconfiguration Limits will be disabled and system will not limit the number of autoconfigured addresses and routes. +- If you disable this policy setting, IP Stateless Autoconfiguration Limits will be disabled and system will not limit the number of autoconfigured addresses and routes. + - + + + - -ADMX Info: -- GP Friendly name: *Set IP Stateless Autoconfiguration Limits State* -- GP name: *IP_Stateless_Autoconfiguration_Limits_State* -- GP path: *Network\TCPIP Settings\Parameters* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_tcpip/ISATAP_Router_Name** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IP_Stateless_Autoconfiguration_Limits_State | +| Friendly Name | Set IP Stateless Autoconfiguration Limits State | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > Parameters | +| Registry Key Name | System\CurrentControlSet\Services\Tcpip\Parameters | +| Registry Value Name | EnableIPAutoConfigurationLimits | +| ADMX File Name | tcpip.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## IPHTTPS_ClientState -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/IPHTTPS_ClientState +``` + + + + +This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. + +- If you disable or do not configure this policy setting, the local host settings are used. + +- If you enable this policy setting, you can specify an IP-HTTPS server URL. You will be able to configure IP-HTTPS with one of the following settings: + +Policy Default State: The IP-HTTPS interface is used when there are no other connectivity options. + +Policy Enabled State: The IP-HTTPS interface is always present, even if the host has other connectivity options. + +Policy Disabled State: No IP-HTTPS interfaces are present on the host. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IPHTTPS_ClientState | +| Friendly Name | Set IP-HTTPS State | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface | +| ADMX File Name | tcpip.admx | + + + + + + + + + +## ISATAP_Router_Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/ISATAP_Router_Name +``` + + + + This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. -If you enable this policy setting, you can specify a router name or IPv4 address for an ISATAP router. If you enter an IPv4 address of the ISATAP router in the text box, DNS services are not required. +- If you enable this policy setting, you can specify a router name or IPv4 address for an ISATAP router. If you enter an IPv4 address of the ISATAP router in the text box, DNS services are not required. -If you disable or do not configure this policy setting, the local host setting is used. +- If you disable or do not configure this policy setting, the local host setting is used. + - + + + - -ADMX Info: -- GP Friendly name: *Set ISATAP Router Name* -- GP name: *ISATAP_Router_Name* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_tcpip/ISATAP_State** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ISATAP_Router_Name | +| Friendly Name | Set ISATAP Router Name | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## ISATAP_State -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/ISATAP_State +``` + + + + This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. -If you disable or do not configure this policy setting, the local host setting is used. +- If you disable or do not configure this policy setting, the local host setting is used. -If you enable this policy setting, you can configure ISATAP with one of the following settings: +- If you enable this policy setting, you can configure ISATAP with one of the following settings: -- Policy Default State: No ISATAP interfaces are present on the host. -- Policy Enabled State: If the ISATAP name is resolved successfully, the host will have ISATAP configured with a link-local address and an address for each prefix received from the ISATAP router through stateless address auto-configuration. If the ISATAP name is not resolved successfully, the host will have an ISATAP interface configured with a link-local address. -- Policy Disabled State: No ISATAP interfaces are present on the host. +Policy Default State: No ISATAP interfaces are present on the host. - +Policy Enabled State: If the ISATAP name is resolved successfully, the host will have ISATAP configured with a link-local address and an address for each prefix received from the ISATAP router through stateless address auto-configuration. If the ISATAP name is not resolved successfully, the host will have an ISATAP interface configured with a link-local address. 
- -ADMX Info: -- GP Friendly name: *Set ISATAP State* -- GP name: *ISATAP_State* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* +Policy Disabled State: No ISATAP interfaces are present on the host. + - - -
    + + + - -**ADMX_tcpip/Teredo_Client_Port** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | ISATAP_State | +| Friendly Name | Set ISATAP State | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## Teredo_Client_Port + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/Teredo_Client_Port +``` + + + + This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize. -If you enable this policy setting, you can customize a UDP port for the Teredo client. +- If you enable this policy setting, you can customize a UDP port for the Teredo client. -If you disable or do not configure this policy setting, the local host setting is used. +- If you disable or do not configure this policy setting, the local host setting is used. + - + + + - -ADMX Info: -- GP Friendly name: *Set Teredo Client Port* -- GP name: *Teredo_Client_Port* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_tcpip/Teredo_Default_Qualified** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Teredo_Client_Port | +| Friendly Name | Set Teredo Client Port | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Teredo_Default_Qualified -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/Teredo_Default_Qualified +``` + + + + This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. -If you disable or do not configure this policy setting, the local host setting is used. +- If you disable or do not configure this policy setting, the local host setting is used. This policy setting contains only one state: Policy Enabled State: If Default Qualified is enabled, Teredo will attempt qualification immediately and remain qualified if the qualification process succeeds. + - + + + - -ADMX Info: -- GP Friendly name: *Set Teredo Default Qualified* -- GP name: *Teredo_Default_Qualified* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_tcpip/Teredo_Refresh_Rate** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Teredo_Default_Qualified | +| Friendly Name | Set Teredo Default Qualified | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Teredo_Refresh_Rate -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/Teredo_Refresh_Rate +``` + + + + This policy setting allows you to configure the Teredo refresh rate. > [!NOTE] > On a periodic basis (by default, every 30 seconds), Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Advertisement Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the translation table of the Teredo client's NAT device. -If you enable this policy setting, you can specify the refresh rate. If you choose a refresh rate longer than the port mapping in the Teredo client's NAT device, Teredo might stop working or connectivity might be intermittent. +- If you enable this policy setting, you can specify the refresh rate. If you choose a refresh rate longer than the port mapping in the Teredo client's NAT device, Teredo might stop working or connectivity might be intermittent. -If you disable or do not configure this policy setting, the refresh rate is configured using the local settings on the computer. The default refresh rate is 30 seconds. +- If you disable or do not configure this policy setting, the refresh rate is configured using the local settings on the computer. The default refresh rate is 30 seconds. + - + + + - -ADMX Info: -- GP Friendly name: *Set Teredo Refresh Rate* -- GP name: *Teredo_Refresh_Rate* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_tcpip/Teredo_Server_Name** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Teredo_Refresh_Rate | +| Friendly Name | Set Teredo Refresh Rate | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Teredo_Server_Name -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/Teredo_Server_Name +``` + + + + This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied. -If you enable this policy setting, you can specify a Teredo server name that applies to a Teredo client. +- If you enable this policy setting, you can specify a Teredo server name that applies to a Teredo client. -If you disable or do not configure this policy setting, the local settings on the computer are used to determine the Teredo server name. +- If you disable or do not configure this policy setting, the local settings on the computer are used to determine the Teredo server name. + - + + + - -ADMX Info: -- GP Friendly name: *Set Teredo Server Name* -- GP name: *Teredo_Server_Name* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_tcpip/Teredo_State** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Teredo_Server_Name | +| Friendly Name | Set Teredo Server Name | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Teredo_State -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/Teredo_State +``` + + + + This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. -If you disable or do not configure this policy setting, the local host settings are used. +- If you disable or do not configure this policy setting, the local host settings are used. -If you enable this policy setting, you can configure Teredo with one of the following settings: +- If you enable this policy setting, you can configure Teredo with one of the following settings: -- Default: The default state is "Client." -- Disabled: No Teredo interfaces are present on the host. -- Client: The Teredo interface is present only when the host is not on a network that includes a domain controller. -- Enterprise Client: The Teredo interface is always present, even if the host is on a network that includes a domain controller. +Default: The default state is "Client." - +Disabled: No Teredo interfaces are present on the host. - -ADMX Info: -- GP Friendly name: *Set Teredo State* -- GP name: *Teredo_State* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* +Client: The Teredo interface is present only when the host is not on a network that includes a domain controller. - - -
    +Enterprise Client: The Teredo interface is always present, even if the host is on a network that includes a domain controller. + - -**ADMX_tcpip/Windows_Scaling_Heuristics_State** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | Teredo_State | +| Friendly Name | Set Teredo State | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + -
    + + + - - + + + +## Windows_Scaling_Heuristics_State + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/Windows_Scaling_Heuristics_State +``` + + + + This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. -If you do not configure this policy setting, the local host settings are used. +- If you do not configure this policy setting, the local host settings are used. -If you enable this policy setting, Window Scaling Heuristics will be enabled and system will try to identify connectivity and throughput problems and take appropriate measures. +- If you enable this policy setting, Window Scaling Heuristics will be enabled and system will try to identify connectivity and throughput problems and take appropriate measures. -If you disable this policy setting, Window Scaling Heuristics will be disabled and system will not try to identify connectivity and throughput problems caused by Firewalls or other middle boxes. +- If you disable this policy setting, Window Scaling Heuristics will be disabled and system will not try to identify connectivity and throughput problems casued by Firewalls or other middle boxes. + - + + + - -ADMX Info: -- GP Friendly name: *Set Window Scaling Heuristics State* -- GP name: *Windows_Scaling_Heuristics_State* -- GP path: *Network\TCPIP Settings\Parameters* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | Windows_Scaling_Heuristics_State | +| Friendly Name | Set Window Scaling Heuristics State | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > Parameters | +| Registry Key Name | System\CurrentControlSet\Services\Tcpip\Parameters | +| Registry Value Name | EnableWsd | +| ADMX File Name | tcpip.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 458bfb9ffe..e293e8cf71 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md 
@@ -1,4936 +1,5793 @@ --- -title: Policy CSP - ADMX_TerminalServer -description: Learn about Policy CSP - ADMX_TerminalServer. +title: ADMX_TerminalServer Policy CSP +description: Learn more about the ADMX_TerminalServer Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/21/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_TerminalServer > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_TerminalServer policies + +## TS_AUTO_RECONNECT -
    -
    - ADMX_TerminalServer/TS_AUTO_RECONNECT -
    -
    - ADMX_TerminalServer/TS_CAMERA_REDIRECTION -
    -
    - ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY -
    -
    - ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1 -
    -
    - ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2 -
    -
    - ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1 -
    -
    - ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2 -
    -
    - ADMX_TerminalServer/TS_CLIENT_AUDIO -
    -
    - ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE -
    -
    - ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY -
    -
    - ADMX_TerminalServer/TS_CLIENT_CLIPBOARD -
    -
    - ADMX_TerminalServer/TS_CLIENT_COM -
    -
    - ADMX_TerminalServer/TS_CLIENT_DEFAULT_M -
    -
    - ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE -
    -
    - ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1 -
    -
    - ADMX_TerminalServer/TS_CLIENT_LPT -
    -
    - ADMX_TerminalServer/TS_CLIENT_PNP -
    -
    - ADMX_TerminalServer/TS_CLIENT_PRINTER -
    -
    - ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1 -
    -
    - ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 -
    -
    - ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP -
    -
    - ADMX_TerminalServer/TS_COLORDEPTH -
    -
    - ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES -
    -
    - ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER -
    -
    - ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU -
    -
    - ADMX_TerminalServer/TS_EASY_PRINT -
    -
    - ADMX_TerminalServer/TS_EASY_PRINT_User -
    -
    - ADMX_TerminalServer/TS_EnableVirtualGraphics -
    -
    - ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE -
    -
    - ADMX_TerminalServer/TS_FORCIBLE_LOGOFF -
    -
    - ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE -
    -
    - ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD -
    -
    - ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER -
    -
    - ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY -
    -
    - ADMX_TerminalServer/TS_KEEP_ALIVE -
    -
    - ADMX_TerminalServer/TS_LICENSE_SECGROUP -
    -
    - ADMX_TerminalServer/TS_LICENSE_SERVERS -
    -
    - ADMX_TerminalServer/TS_LICENSE_TOOLTIP -
    -
    - ADMX_TerminalServer/TS_LICENSING_MODE -
    -
    - ADMX_TerminalServer/TS_MAX_CON_POLICY -
    -
    - ADMX_TerminalServer/TS_MAXDISPLAYRES -
    -
    - ADMX_TerminalServer/TS_MAXMONITOR -
    -
    - ADMX_TerminalServer/TS_NoDisconnectMenu -
    -
    - ADMX_TerminalServer/TS_NoSecurityMenu -
    -
    - ADMX_TerminalServer/TS_PreventLicenseUpgrade -
    -
    - ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP -
    -
    - ADMX_TerminalServer/TS_RADC_DefaultConnection -
    -
    - ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration -
    -
    - ADMX_TerminalServer/TS_RemoteControl_1 -
    -
    - ADMX_TerminalServer/TS_RemoteControl_2 -
    -
    - ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics -
    -
    - ADMX_TerminalServer/TS_SD_ClustName -
    -
    - ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS -
    -
    - ADMX_TerminalServer/TS_SD_Loc -
    -
    - ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY -
    -
    - ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT -
    -
    - ADMX_TerminalServer/TS_SELECT_TRANSPORT -
    -
    - ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP -
    -
    - ADMX_TerminalServer/TS_SERVER_AUTH -
    -
    - ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED -
    -
    - ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED -
    -
    - ADMX_TerminalServer/TS_SERVER_COMPRESSOR -
    -
    - ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY -
    -
    - ADMX_TerminalServer/TS_SERVER_LEGACY_RFX -
    -
    - ADMX_TerminalServer/TS_SERVER_PROFILE -
    -
    - ADMX_TerminalServer/TS_SERVER_VISEXP -
    -
    - ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER -
    -
    - ADMX_TerminalServer/TS_Session_End_On_Limit_1 -
    -
    - ADMX_TerminalServer/TS_Session_End_On_Limit_2 -
    -
    - ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1 -
    -
    - ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2 -
    -
    - ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 -
    -
    - ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2 -
    -
    - ADMX_TerminalServer/TS_SESSIONS_Limits_1 -
    -
    - ADMX_TerminalServer/TS_SESSIONS_Limits_2 -
    -
    - ADMX_TerminalServer/TS_SINGLE_SESSION -
    -
    - ADMX_TerminalServer/TS_SMART_CARD -
    -
    - ADMX_TerminalServer/TS_START_PROGRAM_1 -
    -
    - ADMX_TerminalServer/TS_START_PROGRAM_2 -
    -
    - ADMX_TerminalServer/TS_TEMP_DELETE -
    -
    - ADMX_TerminalServer/TS_TEMP_PER_SESSION -
    -
    - ADMX_TerminalServer/TS_TIME_ZONE -
    -
    - ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY -
    -
    - ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP -
    -
    - ADMX_TerminalServer/TS_UIA -
    -
    - ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE -
    -
    - ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY -
    -
    - ADMX_TerminalServer/TS_USER_HOME -
    -
    - ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES -
    -
    - ADMX_TerminalServer/TS_USER_PROFILES -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_AUTO_RECONNECT +``` + - -**ADMX_TerminalServer/TS_AUTO_RECONNECT** + + +Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host server if their network link is temporarily lost. By default, a maximum of twenty reconnection attempts are made at five second intervals. - +If the status is set to Enabled, automatic reconnection is attempted for all clients running Remote Desktop Connection whenever their network connection is lost. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If the status is set to Disabled, automatic reconnection of clients is prohibited. - -
    +If the status is set to Not Configured, automatic reconnection is not specified at the Group Policy level. However, users can configure automatic reconnection using the "Reconnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -This policy specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host server if their network link is temporarily lost. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -By default, a maximum of 20 reconnection attempts are made at five-second intervals. If the status is set to Enabled, automatic reconnection is attempted for all clients running Remote Desktop Connection whenever their network connection is lost. +**ADMX mapping**: -If the status is set to Disabled, automatic reconnection of clients is prohibited. If the status is set to Not Configured, automatic reconnection isn't specified at the Group Policy level. However, users can configure automatic reconnection using the "Reconnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection. +| Name | Value | +|:--|:--| +| Name | TS_AUTO_RECONNECT | +| Friendly Name | Automatic reconnection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableAutoReconnect | +| ADMX File Name | TerminalServer.admx | + - + + + - -ADMX Info: -- GP Friendly name: *Automatic reconnection* -- GP name: *TS_AUTO_RECONNECT* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* + - - + +## TS_CAMERA_REDIRECTION + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CAMERA_REDIRECTION +``` + - -**ADMX_TerminalServer/TS_CAMERA_REDIRECTION** + + +This policy setting lets you control the redirection of video capture devices to the remote computer in a Remote Desktop Services session. - +By default, Remote Desktop Services allows redirection of video capture devices. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you enable this policy setting, users cannot redirect their video capture devices to the remote computer. - -
    +- If you disable or do not configure this policy setting, users can redirect their video capture devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the video capture devices to redirect to the remote computer. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -This policy setting lets you control the redirection of video capture devices to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services allows redirection of video capture devices. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you enable this policy setting, users can't redirect their video capture devices to the remote computer. +**ADMX mapping**: -If you disable or don't configure this policy setting, users can redirect their video capture devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the video capture devices to redirect to the remote computer. +| Name | Value | +|:--|:--| +| Name | TS_CAMERA_REDIRECTION | +| Friendly Name | Do not allow video capture redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableCameraRedir | +| ADMX File Name | TerminalServer.admx | + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow video capture redirection* -- GP name: *TS_CAMERA_REDIRECTION* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* + - - + +## TS_CERTIFICATE_TEMPLATE_POLICY + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY +``` + - -**ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Session Host server when TLS 1.0, 1.1 or 1.2 is used to secure communication between a client and an RD Session Host server during RDP connections. -If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate hasn't been selected. +- If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected. -If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. If you disable or don't configure this policy, the certificate template name isn't specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. +If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. 
If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. ->[!NOTE] ->If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. +- If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. - +> [!NOTE] +> If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. + - -ADMX Info: -- GP Friendly name: *Server authentication certificate template* -- GP name: *TS_CERTIFICATE_TEMPLATE_POLICY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_CERTIFICATE_TEMPLATE_POLICY | +| Friendly Name | Server authentication certificate template | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_CLIENT_ALLOW_SIGNED_FILES_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1 +``` + + + +This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). - -**ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1** +- If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. - +- If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +> [!NOTE] +> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. +**ADMX mapping**: -This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying a .rdp file). +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_ALLOW_SIGNED_FILES_1 | +| Friendly Name | Allow .rdp files from valid publishers and user's default .rdp settings | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AllowSignedFiles | +| ADMX File Name | TerminalServer.admx | + -If you enable or don't configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. + + + -If you disable this policy setting, users can't run .rdp files that are signed with a valid certificate. Additionally, users can't start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. 
+ ->[!NOTE] ->You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. + +## TS_CLIENT_ALLOW_SIGNED_FILES_2 - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Allow .rdp files from valid publishers and user's default .rdp settings* -- GP name: *TS_CLIENT_ALLOW_SIGNED_FILES_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2 +``` + - - + + +This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). -
    +- If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. - -**ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2** +- If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. - +> [!NOTE] +> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - - -This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_ALLOW_SIGNED_FILES_2 | +| Friendly Name | Allow .rdp files from valid publishers and user's default .rdp settings | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AllowSignedFiles | +| ADMX File Name | TerminalServer.admx | + -This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection (RDC) client without specifying a .rdp file). + + + -If you enable or don't configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. + -If you disable this policy setting, users can't run .rdp files that are signed with a valid certificate. Additionally, users can't start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. + +## TS_CLIENT_ALLOW_UNSIGNED_FILES_1 ->[!NOTE] ->You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1 +``` + - -ADMX Info: -- GP Friendly name: *Allow .rdp files from valid publishers and user's default .rdp settings* -- GP name: *TS_CLIENT_ALLOW_SIGNED_FILES_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - - - -
    - - -**ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. -If you enable or don't configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. +- If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. -If you disable this policy setting, users can't run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. +- If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. + - + + + - -ADMX Info: -- GP Friendly name: *Allow .rdp files from unknown publishers* -- GP name: *TS_CLIENT_ALLOW_UNSIGNED_FILES_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_ALLOW_UNSIGNED_FILES_1 | +| Friendly Name | Allow .rdp files from unknown publishers | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AllowUnsignedFiles | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_CLIENT_ALLOW_UNSIGNED_FILES_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2 +``` + -
    - - - + + This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. -If you enable or don't configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. +- If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. -If you disable this policy setting, users can't run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. +- If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. + - + + + - -ADMX Info: -- GP Friendly name: *Allow .rdp files from unknown publishers* -- GP name: *TS_CLIENT_ALLOW_UNSIGNED_FILES_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_CLIENT_AUDIO** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_ALLOW_UNSIGNED_FILES_2 | +| Friendly Name | Allow .rdp files from unknown publishers | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AllowUnsignedFiles | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_CLIENT_AUDIO - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_AUDIO +``` + -
    - - - + + This policy setting allows you to specify whether users can redirect the remote computer's audio and video output in a Remote Desktop Services session. +Users can specify where to play the remote computer's audio output by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can choose to play the remote audio on the remote computer or on the local computer. Users can also choose to not play the audio. Video playback can be configured by using the videoplayback setting in a Remote Desktop Protocol (.rdp) file. By default, video playback is enabled. -Users can specify where to play the remote computer's audio output by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can choose to play the remote audio on the remote computer or on the local computer. Users can also choose to not play the audio. Video playback can be configured by using the video playback setting in a Remote Desktop Protocol (.rdp) file. By default, video playback is enabled. +By default, audio and video playback redirection is not allowed when connecting to a computer running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a computer running Windows 8, Windows Server 2012, Windows 7, Windows Vista, or Windows XP Professional. -By default, audio and video playback redirection isn't allowed when connecting to a computer running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a computer running Windows 8, Windows Server 2012, Windows 7, Windows Vista, or Windows XP Professional. +- If you enable this policy setting, audio and video playback redirection is allowed. -If you enable this policy setting, audio and video playback redirection is allowed. 
+- If you disable this policy setting, audio and video playback redirection is not allowed, even if audio playback redirection is specified in RDC, or video playback is specified in the .rdp file. -If you disable this policy setting, audio and video playback redirection isn't allowed, even if audio playback redirection is specified in RDC, or video playback is specified in the .rdp file. If you don't configure this policy setting, audio and video playback redirection isn't specified at the Group Policy level. +- If you do not configure this policy setting audio and video playback redirection is not specified at the Group Policy level. + - + + + - -ADMX Info: -- GP Friendly name: *Allow audio and video playback redirection* -- GP name: *TS_CLIENT_AUDIO* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_AUDIO | +| Friendly Name | Allow audio and video playback redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableCam | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_CLIENT_AUDIO_CAPTURE - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE +``` + -
    + + +This policy setting allows you to specify whether users can record audio to the remote computer in a Remote Desktop Services session. +Users can specify whether to record audio to the remote computer by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can record audio by using an audio input device on the local computer, such as a built-in microphone. - - -This policy setting allows you to specify whether users can record audio to the remote computer in a Remote Desktop Services session. Users can specify whether to record audio to the remote computer by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). +By default, audio recording redirection is not allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirection is allowed by default when connecting to a computer running at least Windows 7, or Windows Server 2008 R2. -Users can record audio by using an audio input device on the local computer, such as a built-in microphone. By default, audio recording redirection isn't allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirection is allowed by default when connecting to a computer running at least Windows 7, or Windows Server 2008 R2. +- If you enable this policy setting, audio recording redirection is allowed. -If you enable this policy setting, audio recording redirection is allowed. +- If you disable this policy setting, audio recording redirection is not allowed, even if audio recording redirection is specified in RDC. -If you disable this policy setting, audio recording redirection isn't allowed, even if audio recording redirection is specified in RDC. If you don't configure this policy setting, Audio recording redirection isn't specified at the Group Policy level. 
+- If you do not configure this policy setting, Audio recording redirection is not specified at the Group Policy level. + - + + + - -ADMX Info: -- GP Friendly name: *Allow audio recording redirection* -- GP name: *TS_CLIENT_AUDIO_CAPTURE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_AUDIO_CAPTURE | +| Friendly Name | Allow audio recording redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableAudioCapture | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_CLIENT_AUDIO_QUALITY - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY +``` + -
    + + +This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of audio playback can improve connection performance, particularly over slow links. - - -This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of audio playback can improve connection performance, particularly over slow links. If you enable this policy setting, you must select one of the following values: High, Medium, or Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This audio transmission requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. +- If you enable this policy setting, you must select one of the following: High, Medium, or Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. If you select Dynamic, the audio will be sent with a level of compression that is determined by the bandwidth of the remote connection. -If you select Dynamic, the audio will be sent with a level of compression that is determined by the bandwidth of the remote connection. The audio playback quality that you specify on the remote computer by using this policy setting is the maximum quality that can be used for a Remote Desktop Services session, regardless of the audio playback quality configured on the client computer. - -For example, if the audio playback quality configured on the client computer is higher than the audio playback quality configured on the remote computer, the lower level of audio playback quality will be used. 
+The audio playback quality that you specify on the remote computer by using this policy setting is the maximum quality that can be used for a Remote Desktop Services session, regardless of the audio playback quality configured on the client computer. For example, if the audio playback quality configured on the client computer is higher than the audio playback quality configured on the remote computer, the lower level of audio playback quality will be used. Audio playback quality can be configured on the client computer by using the audioqualitymode setting in a Remote Desktop Protocol (.rdp) file. By default, audio playback quality is set to Dynamic. -If you disable or don't configure this policy setting, audio playback quality will be set to Dynamic. +- If you disable or do not configure this policy setting, audio playback quality will be set to Dynamic. + - + + + - -ADMX Info: -- GP Friendly name: *Limit audio playback quality* -- GP name: *TS_CLIENT_AUDIO_QUALITY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_CLIENT_CLIPBOARD** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_AUDIO_QUALITY | +| Friendly Name | Limit audio playback quality | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_CLIENT_CLIPBOARD - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_CLIPBOARD +``` + -
    - - - + + This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection. -If you enable this policy setting, users can't redirect Clipboard data. +- If you enable this policy setting, users cannot redirect Clipboard data. -If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. +- If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. -If you don't configure this policy setting, Clipboard redirection isn't specified at the Group Policy level. +- If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow Clipboard redirection* -- GP name: *TS_CLIENT_CLIPBOARD* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_CLIENT_COM** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_CLIPBOARD | +| Friendly Name | Do not allow Clipboard redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableClip | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_CLIENT_COM - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_COM +``` + -
    - - - + + This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. -You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they're logged on to a Remote Desktop Services session. By default, Remote Desktop Services allows this COM port redirection. +You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they are logged on to a Remote Desktop Services session. By default, Remote Desktop Services allows this COM port redirection. -If you enable this policy setting, users can't redirect server data to the local COM port. +- If you enable this policy setting, users cannot redirect server data to the local COM port. -If you disable this policy setting, Remote Desktop Services always allows COM port redirection. +- If you disable this policy setting, Remote Desktop Services always allows COM port redirection. -If you don't configure this policy setting, COM port redirection isn't specified at the Group Policy level. +- If you do not configure this policy setting, COM port redirection is not specified at the Group Policy level. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow COM port redirection* -- GP name: *TS_CLIENT_COM* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_CLIENT_DEFAULT_M** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_COM | +| Friendly Name | Do not allow COM port redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableCcm | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_CLIENT_DEFAULT_M - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_DEFAULT_M +``` + -
    - - - + + This policy setting allows you to specify whether the client default printer is automatically set as the default printer in a session on an RD Session Host server. By default, Remote Desktop Services automatically designates the client default printer as the default printer in a session on an RD Session Host server. You can use this policy setting to override this behavior. -If you enable this policy setting, the default printer is the printer specified on the remote computer. +- If you enable this policy setting, the default printer is the printer specified on the remote computer. + +- If you disable this policy setting, the RD Session Host server automatically maps the client default printer and sets it as the default printer upon connection. + +- If you do not configure this policy setting, the default printer is not specified at the Group Policy level. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_DEFAULT_M | +| Friendly Name | Do not set default client printer to be default printer in a session | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fForceClientLptDef | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_CLIENT_DISABLE_HARDWARE_MODE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE +``` + + + + +This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you have a problem that you suspect may be related to hardware acceleration, use this setting to disable the acceleration; then, if the problem still occurs, you will know that there are additional issues to investigate. +- If you disable this setting or leave it not configured, the Remote Desktop client will use hardware accelerated decoding if supported hardware is available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_DISABLE_HARDWARE_MODE | +| Friendly Name | Do not allow hardware accelerated decoding | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client | +| Registry Value Name | EnableHardwareMode | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_CLIENT_DISABLE_PASSWORD_SAVING_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1 +``` + + + + +Controls whether a user can save passwords using Remote Desktop Connection. + +- If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. + +- If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_DISABLE_PASSWORD_SAVING_1 | +| Friendly Name | Do not allow passwords to be saved | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | DisablePasswordSaving | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_CLIENT_LPT + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_LPT +``` + + + + +This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. + +You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services allows LPT port redirection. + +- If you enable this policy setting, users in a Remote Desktop Services session cannot redirect server data to the local LPT port. + +- If you disable this policy setting, LPT port redirection is always allowed. + +- If you do not configure this policy setting, LPT port redirection is not specified at the Group Policy level. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_LPT | +| Friendly Name | Do not allow LPT port redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableLPT | +| ADMX File Name | TerminalServer.admx | + -If you disable this policy setting, the RD Session Host server automatically maps the client default printer and sets it as the default printer upon connection. + + + -If you don't configure this policy setting, the default printer isn't specified at the Group Policy level. 
+ - + +## TS_CLIENT_PNP - -ADMX Info: -- GP Friendly name: *Do not set default client printer to be default printer in a session* -- GP name: *TS_CLIENT_DEFAULT_M* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* -- GP ADMX file name: *TerminalServer.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_PNP +``` + - - + + +This policy setting lets you control the redirection of supported Plug and Play and RemoteFX USB devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. + +By default, Remote Desktop Services does not allow redirection of supported Plug and Play and RemoteFX USB devices. + +- If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. + +- If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer. +- If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions. + +> [!NOTE] +> You can disable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings. + + + + -
    + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: - -**ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_PNP | +| Friendly Name | Do not allow supported Plug and Play device redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisablePNPRedir | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_CLIENT_PRINTER + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_PRINTER +``` + + + + +This policy setting allows you to specify whether to prevent the mapping of client printers in Remote Desktop Services sessions. + +You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Remote Desktop Services allows this client printer mapping. + +- If you enable this policy setting, users cannot redirect print jobs from the remote computer to a local client printer in Remote Desktop Services sessions. + +- If you disable this policy setting, users can redirect print jobs with client printer mapping. + +- If you do not configure this policy setting, client printer mapping is not specified at the Group Policy level. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. - -If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you've a problem that you suspect may be related to hardware acceleration, use this setting to disable the acceleration; then, if the problem still occurs, you'll know that there are more issues to investigate. - -If you disable this setting or leave it not configured, the Remote Desktop client will use hardware accelerated decoding if supported hardware is available. - - - - -ADMX Info: -- GP Friendly name: *Do not allow hardware accelerated decoding* -- GP name: *TS_CLIENT_DISABLE_HARDWARE_MODE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - - - -
    - - -**ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy specifies whether to allow Remote Desktop Connection Controls whether a user can save passwords using Remote Desktop Connection. - -If you enable this setting, the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When users open an RDP file using Remote Desktop Connection and save their settings, any password that previously existed in the RDP file will be deleted. - -If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection - - - - -ADMX Info: -- GP Friendly name: *Do not allow passwords to be saved* -- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - - - -
    - - -**ADMX_TerminalServer/TS_CLIENT_LPT** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services allows LPT port redirection. - -If you enable this policy setting, users in a Remote Desktop Services session can't redirect server data to the local LPT port. - -If you disable this policy setting, LPT port redirection is always allowed. If you don't configure this policy setting, LPT port redirection isn't specified at the Group Policy level. - - - - -ADMX Info: -- GP Friendly name: *Do not allow LPT port redirection* -- GP name: *TS_CLIENT_LPT* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - - - -
    - - -**ADMX_TerminalServer/TS_CLIENT_PNP** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting lets you control the redirection of supported Plug and Play and RemoteFX USB devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services doesn't allow redirection of supported Plug and Play and RemoteFX USB devices. - -If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. - -If you enable this policy setting, users can't redirect their supported Plug and Play devices to the remote computer. If you don't configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it's running Windows Server 2012 R2 and earlier versions. - ->[!NOTE] ->You can disable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings. - - - - -ADMX Info: -- GP Friendly name: *Do not allow supported Plug and Play device redirection* -- GP name: *TS_CLIENT_PNP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - - - -
    - - -**ADMX_TerminalServer/TS_CLIENT_PRINTER** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to specify whether to prevent the mapping of client printers in Remote Desktop Services sessions. You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Remote Desktop Services allows this client printer mapping. - -If you enable this policy setting, users can't redirect print jobs from the remote computer to a local client printer in Remote Desktop Services sessions. - -If you disable this policy setting, users can redirect print jobs with client printer mapping. - -If you don't configure this policy setting, client printer mapping isn't specified at the Group Policy level. - - - - -ADMX Info: -- GP Friendly name: *Do not allow client printer redirection* -- GP name: *TS_CLIENT_PRINTER* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - - - -
    - - -**ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_PRINTER | +| Friendly Name | Do not allow client printer redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableCpm | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1 +``` + + + + This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. -If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user doesn't receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. +- If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. -If you disable or don't configure this policy setting, no publisher is treated as a trusted .rdp publisher. +- If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. ->[!NOTE] ->You can define this policy setting in the Computer Configuration node or in the User Configuration node. +**Note**: -If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. +You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. 
-This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. If the list contains a string that isn't a certificate thumbprint, it's ignored. +This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. - +If the list contains a string that is not a certificate thumbprint, it is ignored. + - -ADMX Info: -- GP Friendly name: *Specify SHA1 thumbprints of certificates representing trusted .rdp publishers* -- GP name: *TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1 | +| Friendly Name | Specify SHA1 thumbprints of certificates representing trusted .rdp publishers | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 +``` + - - + + This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. -If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user doesn't receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. +- If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. -If you disable or don't configure this policy setting, no publisher is treated as a trusted .rdp publisher. +- If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. ->[!NOTE] ->You can define this policy setting in the Computer Configuration node or in the User Configuration node. +**Note**: -If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. +You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. 
-This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. If the list contains a string that isn't a certificate thumbprint, it's ignored. +This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. - +If the list contains a string that is not a certificate thumbprint, it is ignored. + - -ADMX Info: -- GP Friendly name: *Specify SHA1 thumbprints of certificates representing trusted .rdp publishers* -- GP name: *TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 | +| Friendly Name | Specify SHA1 thumbprints of certificates representing trusted .rdp publishers | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_CLIENT_TURN_OFF_UDP -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP +``` + - - + + This policy setting specifies whether the UDP protocol will be used to access servers via Remote Desktop Protocol. -If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol. +- If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol. -If you disable or don't configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols. +- If you disable or do not configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols. + - + + + - -ADMX Info: -- GP Friendly name: *Turn Off UDP On Client* -- GP name: *TS_CLIENT_TURN_OFF_UDP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_COLORDEPTH** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_TURN_OFF_UDP | +| Friendly Name | Turn Off UDP On Client | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client | +| Registry Value Name | fClientDisableUDP | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_COLORDEPTH - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_COLORDEPTH +``` + -
    + + +This policy setting allows you to specify the maximum color resolution (color depth) for Remote Desktop Services connections. - - -This policy setting allows you to specify the maximum color resolution (color depth) for Remote Desktop Services connections. You can use this policy setting to set a limit on the color depth of any connection that uses RDP. Limiting the color depth can improve connection performance, particularly over slow links, and reduce server load. +You can use this policy setting to set a limit on the color depth of any connection that uses RDP. Limiting the color depth can improve connection performance, particularly over slow links, and reduce server load. -If you enable this policy setting, the color depth that you specify is the maximum color depth allowed for a user's RDP connection. The actual color depth for the connection is determined by the color support available on the client computer. If you select Client Compatible, the highest color depth supported by the client will be used. +- If you enable this policy setting, the color depth that you specify is the maximum color depth allowed for a user's RDP connection. The actual color depth for the connection is determined by the color support available on the client computer. If you select Client Compatible, the highest color depth supported by the client will be used. -If you disable or don't configure this policy setting, the color depth for connections isn't specified at the Group Policy level. +- If you disable or do not configure this policy setting, the color depth for connections is not specified at the Group Policy level. ->[!NOTE] -> 1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional. ->2. The value specified in this policy setting isn't applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). 
The 32-bit color depth format is always used for these connections. ->3. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format: -> - a. Value specified by this policy setting -> - b. Maximum color depth supported by the client -> - c. Value requested by the client If the client doesn't support at least 16 bits, the connection is terminated. +**Note**: - +1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional. +2. The value specified in this policy setting is not applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections. - -ADMX Info: -- GP Friendly name: *Limit maximum color depth* -- GP name: *TS_COLORDEPTH* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* +3. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format: +a. Value specified by this policy setting +b. Maximum color depth supported by the client +c. Value requested by the client - - +If the client does not support at least 16 bits, the connection is terminated. + + + + -
    + +**Description framework properties**: - -**ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | TS_COLORDEPTH | +| Friendly Name | Limit maximum color depth | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## TS_DELETE_ROAMING_USER_PROFILES - - -This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive. This policy setting only applies to a computer on which the Remote Desktop Session Host role service is installed. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + ->[!NOTE] ->If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configuration\Policies\Administrative Templates\System\User Profiles. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES +``` + -If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. + + +This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive. This policy setting only applies to a computer on which the Remote Desktop Session Host role service is installed. -When the size of the entire roaming user profile cache exceeds the maximum size that you've specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified. +> [!NOTE] +> If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configuration\Policies\Administrative Templates\System\User Profiles. -If you disable or don't configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. Note: This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled. +- If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. 
The monitoring interval determines how often the size of the entire roaming user profile cache is checked. When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified. - +- If you disable or do not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. - -ADMX Info: -- GP Friendly name: *Limit the size of the entire roaming user profile cache* -- GP name: *TS_DELETE_ROAMING_USER_PROFILES* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* -- GP ADMX file name: *TerminalServer.admx* +> [!NOTE] +> This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled. + - - + + + + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_DELETE_ROAMING_USER_PROFILES | +| Friendly Name | Limit the size of the entire roaming user profile cache | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | DeleteRoamingUserProfile | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TS_DISABLE_REMOTE_DESKTOP_WALLPAPER -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy specifies whether desktop wallpaper is displayed to remote clients connecting via Remote Desktop Services. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER +``` + -You can use this setting to enforce the removal of wallpaper during a Remote Desktop Services session. By default, Windows XP Professional displays wallpaper to remote clients connecting through Remote Desktop, depending on the client configuration (see the Experience tab in the Remote Desktop Connection options for more information). Servers running Windows Server 2003 don't display wallpaper by default to Remote Desktop Services sessions. + + +Specifies whether desktop wallpaper is displayed to remote clients connecting via Remote Desktop Services. + +You can use this setting to enforce the removal of wallpaper during a Remote Desktop Services session. By default, Windows XP Professional displays wallpaper to remote clients connecting through Remote Desktop, depending on the client configuration (see the Experience tab in the Remote Desktop Connection options for more information). Servers running Windows Server 2003 do not display wallpaper by default to Remote Desktop Services sessions. If the status is set to Enabled, wallpaper never appears in a Remote Desktop Services session. -If the status is set to Disabled, wallpaper might appear in a Remote Desktop Services session, depending on the client configuration. If the status is set to Not Configured, the default behavior applies. +If the status is set to Disabled, wallpaper might appear in a Remote Desktop Services session, depending on the client configuration. - +If the status is set to Not Configured, the default behavior applies. 
+ - -ADMX Info: -- GP Friendly name: *Enforce Removal of Remote Desktop Wallpaper* -- GP name: *TS_DISABLE_REMOTE_DESKTOP_WALLPAPER* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_DISABLE_REMOTE_DESKTOP_WALLPAPER | +| Friendly Name | Enforce Removal of Remote Desktop Wallpaper | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fNoRemoteDesktopWallpaper | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TS_DX_USE_FULL_HWGPU -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting enables system administrators to change the graphics rendering for all Remote Desktop Services sessions. If you enable this policy setting, all Remote Desktop Services sessions use the hardware graphics renderer instead of the Microsoft Basic Render Driver as the default adapter. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU +``` + -If you disable this policy setting, all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default adapter. + + +This policy setting enables system administrators to change the graphics rendering for all Remote Desktop Services sessions. -If you don't configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default. +- If you enable this policy setting, all Remote Desktop Services sessions use the hardware graphics renderer instead of the Microsoft Basic Render Driver as the default adapter. ->[!NOTE] ->The policy setting enables load-balancing of graphics processing units (GPU) on a computer with more than one GPU installed. The GPU configuration of the local session isn't affected by this policy setting. +- If you disable this policy setting, all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default adapter. - +- If you do not configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default. 
- -ADMX Info: -- GP Friendly name: *Use hardware graphics adapters for all Remote Desktop Services sessions* -- GP name: *TS_DX_USE_FULL_HWGPU* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* +NOTE: The policy setting enables load-balancing of graphics processing units (GPU) on a computer with more than one GPU installed. The GPU configuration of the local session is not affected by this policy setting. + - - + + + + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TerminalServer/TS_EASY_PRINT** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_DX_USE_FULL_HWGPU | +| Friendly Name | Use hardware graphics adapters for all Remote Desktop Services sessions | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | bEnumerateHWBeforeSW | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TS_EASY_PRINT -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_EASY_PRINT +``` + + + + This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. -If you enable or don't configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver can't be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server doesn't have a printer driver that matches the client printer, the client printer isn't available for the Remote Desktop session. +- If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. -If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server doesn't have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver can't be used, the client printer isn't available for the Remote Desktop Services session. +- If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. 
If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. ->[!NOTE] ->If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. +> [!NOTE] +> If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. + - + + + - -ADMX Info: -- GP Friendly name: *Use Remote Desktop Easy Print printer driver first* -- GP name: *TS_EASY_PRINT* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_EASY_PRINT_User** +| Name | Value | +|:--|:--| +| Name | TS_EASY_PRINT | +| Friendly Name | Use Remote Desktop Easy Print printer driver first | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UseUniversalPrinterDriverFirst | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_EASY_PRINT_User - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_EASY_PRINT_User +``` + -
    - - - + + This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. -If you enable or don't configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver can't be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server doesn't have a printer driver that matches the client printer, the client printer isn't available for the Remote Desktop session. +- If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. -If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server doesn't have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver can't be used, the client printer isn't available for the Remote Desktop Services session. +- If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. 
If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. ->[!NOTE] ->If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. +> [!NOTE] +> If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. + - + + + - -ADMX Info: -- GP Friendly name: *Use Remote Desktop Easy Print printer driver first* -- GP name: *TS_EASY_PRINT_User* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_EnableVirtualGraphics** +| Name | Value | +|:--|:--| +| Name | TS_EASY_PRINT_User | +| Friendly Name | Use Remote Desktop Easy Print printer driver first | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UseUniversalPrinterDriverFirst | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_EnableVirtualGraphics - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_EnableVirtualGraphics +``` + -
    + + +This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtualization Host) server and a Remote Desktop Session Host (RD Session Host) server. - - -This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtualization Host) server and a Remote Desktop Session Host (RD Session Host) server. When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user experience by rendering content on the server by using graphics processing units (GPUs). +When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user experience by rendering content on the server by using graphics processing units (GPUs). By default, RemoteFX for RD Virtualization Host uses server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1. -By default, RemoteFX for RD Virtualization Host uses server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1. When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme. +When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme. -If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. +- If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. -If you disable this policy setting, RemoteFX will be disabled. +- If you disable this policy setting, RemoteFX will be disabled. -If you don't configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. +- If you do not configure this policy setting, the default behavior will be used. 
By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. + - + + + - -ADMX Info: -- GP Friendly name: *Configure RemoteFX* -- GP name: *TS_EnableVirtualGraphics* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE** +| Name | Value | +|:--|:--| +| Name | TS_EnableVirtualGraphics | +| Friendly Name | Configure RemoteFX | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > RemoteFX for Windows Server 2008 R2 | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fEnableVirtualizedGraphics | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_FALLBACKPRINTDRIVERTYPE - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE +``` + -
    + + +This policy setting allows you to specify the RD Session Host server fallback printer driver behavior. - - -This policy setting allows you to specify the RD Session Host server fallback printer driver behavior. By default, the RD Session Host server fallback printer driver is disabled. If the RD Session Host server doesn't have a printer driver that matches the client's printer, no printer will be available for the Remote Desktop Services session. +By default, the RD Session Host server fallback printer driver is disabled. If the RD Session Host server does not have a printer driver that matches the client's printer, no printer will be available for the Remote Desktop Services session. -If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host server to find a suitable printer driver. If one isn't found, the client's printer isn't available. You can choose to change this default behavior. The available options are: +- If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose to change this default behavior. The available options are: -- **Do nothing if one is not found** - If there's a printer driver mismatch, the server will attempt to find a suitable driver. If one isn't found, the client's printer isn't available. This behavior is the default behavior. -- **Default to PCL if one is not found** - If no suitable printer driver can be found, default to the Printer Control Language (PCL) fallback printer driver. -- **Default to PS if one is not found**- If no suitable printer driver can be found, default to the PostScript (PS) fallback printer driver. -- **Show both PCL and PS if one is not found**- If no suitable driver can be found, show both PS and PCL-based fallback printer drivers. 
+"Do nothing if one is not found" - If there is a printer driver mismatch, the server will attempt to find a suitable driver. If one is not found, the client's printer is not available. This is the default behavior. -If you disable this policy setting, the RD Session Host server fallback driver is disabled and the RD Session Host server won't attempt to use the fallback printer driver. If you don't configure this policy setting, the fallback printer driver behavior is off by default. +"Default to PCL if one is not found" - If no suitable printer driver can be found, default to the Printer Control Language (PCL) fallback printer driver. ->[!NOTE] ->If the **Do not allow client printer redirection** setting is enabled, this policy setting is ignored and the fallback printer driver is disabled. +"Default to PS if one is not found" - If no suitable printer driver can be found, default to the PostScript (PS) fallback printer driver. - +"Show both PCL and PS if one is not found" - If no suitable driver can be found, show both PS and PCL-based fallback printer drivers. - -ADMX Info: -- GP Friendly name: *Specify RD Session Host server fallback printer driver behavior* -- GP name: *TS_FALLBACKPRINTDRIVERTYPE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* -- GP ADMX file name: *TerminalServer.admx* +- If you disable this policy setting, the RD Session Host server fallback driver is disabled and the RD Session Host server will not attempt to use the fallback printer driver. - - +- If you do not configure this policy setting, the fallback printer driver behavior is off by default. +> [!NOTE] +> If the "Do not allow client printer redirection" setting is enabled, this policy setting is ignored and the fallback printer driver is disabled. + -
    + + + - -**ADMX_TerminalServer/TS_FORCIBLE_LOGOFF** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | TS_FALLBACKPRINTDRIVERTYPE | +| Friendly Name | Specify RD Session Host server fallback printer driver behavior | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fPolicyFallbackPrintDriver | +| ADMX File Name | TerminalServer.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -This policy setting determines whether an administrator attempting to connect remotely to the console of a server can sign out an administrator currently signed in to the console. This policy is useful when the currently connected administrator doesn't want to be signed out by another administrator. If the connected administrator is signed out, any data not previously saved is lost. + +## TS_FORCIBLE_LOGOFF -If you enable this policy setting, signing out the connected administrator isn't allowed. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you disable or don't configure this policy setting, signing out the connected administrator is allowed. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_FORCIBLE_LOGOFF +``` + ->[!NOTE] ->The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. + + +This policy setting determines whether an administrator attempting to connect remotely to the console of a server can log off an administrator currently logged on to the console. - +This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost. - -ADMX Info: -- GP Friendly name: *Deny logoff of an administrator logged in to the console session* -- GP name: *TS_FORCIBLE_LOGOFF* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* +- If you enable this policy setting, logging off the connected administrator is not allowed. - - +- If you disable or do not configure this policy setting, logging off the connected administrator is allowed. -
    +> [!NOTE] +> The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. + - -**ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * User +| Name | Value | +|:--|:--| +| Name | TS_FORCIBLE_LOGOFF | +| Friendly Name | Deny logoff of an administrator logged in to the console session | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableForcibleLogoff | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_GATEWAY_POLICY_AUTH_METHOD + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD +``` + + + + +Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. + +- If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. + + + + + -
    + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_GATEWAY_POLICY_AUTH_METHOD | +| Friendly Name | Set RD Gateway authentication method | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RD Gateway | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - - -If you enable this policy setting, when Remote Desktop Connection can't connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. - -In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. You can enforce this policy setting or you can allow users to overwrite this setting. - -By default, when you enable this policy setting, it's enforced. When this policy setting is enforced, users can't override this setting, even if they select the "Use these RD Gateway server settings" option on the client. To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client can't connect directly to the remote computer. - -To enhance security, it's also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. 
If you don't specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used. To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. - -When you enable this setting, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users don't specify a connection method, the connection method that you specify in this policy setting is used by default. - -If you disable or don't configure this policy setting, clients won't use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. - - - - -ADMX Info: -- GP Friendly name: *Enable connection through RD Gateway* -- GP name: *TS_GATEWAY_POLICY_ENABLE* -- GP path: *Windows Components\Remote Desktop Services\RD Gateway* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - -**ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. - -By default, when you enable this policy setting, it's enforced. When this policy setting is enforced, users can't override this setting, even if they select the "Use these RD Gateway server settings" option on the client. - -To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you enable this setting, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users don't specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. - -If you disable or don't configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method isn't specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. - - - - - - -ADMX Info: -- GP Friendly name: *Set RD Gateway authentication method* -- GP name: *TS_GATEWAY_POLICY_AUTH_METHOD* -- GP path: *Windows Components\Remote Desktop Services\RD Gateway* -- GP ADMX file name: *TerminalServer.admx* - - - -
    - - -**ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. - -By default, when you enable this policy setting, it's enforced. When this policy setting is enforced, users can't override this setting, even if they select the "Use these RD Gateway server settings" option on the client. - ->[!NOTE] ->It's highly recommended that you also specify the authentication method by using the **Set RD Gateway authentication method** policy setting. If you don't specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used. - -To allow users to overwrite the **Set RD Gateway server address** policy setting and connect to another RD Gateway server, you must select the **Allow users to change this setting** check box and users will be allowed to specify an alternate RD Gateway server. - -Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users don't specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default. - ->[!NOTE] ->If you disable or don't configure this policy setting, but enable the **Enable connections through RD Gateway** policy setting, client connection attempts to any remote computer will fail, if the client can't connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. - - - - -ADMX Info: -- GP Friendly name: *Set RD Gateway server address* -- GP name: *TS_GATEWAY_POLICY_SERVER* -- GP path: *Windows Components\Remote Desktop Services\RD Gateway* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - -**ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + + + + + + +## TS_GATEWAY_POLICY_ENABLE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE +``` + + + + +- If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. + +You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +> [!NOTE] +> To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. To enhance security, it is also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used. + +To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. 
If users do not specify a connection method, the connection method that you specify in this policy setting is used by default. + +- If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_GATEWAY_POLICY_ENABLE | +| Friendly Name | Enable connection through RD Gateway | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RD Gateway | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UseProxy | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_GATEWAY_POLICY_SERVER + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER +``` + + + + +Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +> [!NOTE] +> It is highly recommended that you also specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used. + +To allow users to overwrite the "Set RD Gateway server address" policy setting and connect to another RD Gateway server, you must select the "Allow users to change this setting" check box and users will be allowed to specify an alternate RD Gateway server. Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default. + +> [!NOTE] +> If you disable or do not configure this policy setting, but enable the "Enable connections through RD Gateway" policy setting, client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. 
+ + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_GATEWAY_POLICY_SERVER | +| Friendly Name | Set RD Gateway server address | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RD Gateway | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_JOIN_SESSION_DIRECTORY + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY +``` + + + + This policy setting allows you to specify whether the RD Session Host server should join a farm in RD Connection Broker. RD Connection Broker tracks user sessions and allows a user to reconnect to their existing session in a load-balanced RD Session Host server farm. To participate in RD Connection Broker, the Remote Desktop Session Host role service must be installed on the server. If the policy setting is enabled, the RD Session Host server joins the farm that is specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that is specified in the Configure RD Connection Broker server name policy setting. -If you disable this policy setting, the server doesn't join a farm in RD Connection Broker, and user session tracking isn't performed. If the policy setting is disabled, you can't use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. +- If you disable this policy setting, the server does not join a farm in RD Connection Broker, and user session tracking is not performed. If the policy setting is disabled, you cannot use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. -If the policy setting isn't configured, the policy setting isn't specified at the Group Policy level. +If the policy setting is not configured, the policy setting is not specified at the Group Policy level. ->[!NOTE] ->1. If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. ->2. 
For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. +**Note**: - +1. +- If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. - -ADMX Info: -- GP Friendly name: *Join RD Connection Broker* -- GP name: *TS_JOIN_SESSION_DIRECTORY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* -- GP ADMX file name: *TerminalServer.admx* +2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + - - + + + + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TerminalServer/TS_KEEP_ALIVE** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_JOIN_SESSION_DIRECTORY | +| Friendly Name | Join RD Connection Broker | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > RD Connection Broker | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | SessionDirectoryActive | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TS_KEEP_ALIVE -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_KEEP_ALIVE +``` + + + + This policy setting allows you to enter a keep-alive interval to ensure that the session state on the RD Session Host server is consistent with the client state. -After an RD Session Host server client loses the connection to an RD Session Host server, the session on the RD Session Host server might remain active instead of changing to a disconnected state, even if the client is physically disconnected from the RD Session Host server. If the client signs in to the same RD Session Host server again, a new session might be established (if the RD Session Host server is configured to allow multiple sessions), and the original session might still be active. +After an RD Session Host server client loses the connection to an RD Session Host server, the session on the RD Session Host server might remain active instead of changing to a disconnected state, even if the client is physically disconnected from the RD Session Host server. If the client logs on to the same RD Session Host server again, a new session might be established (if the RD Session Host server is configured to allow multiple sessions), and the original session might still be active. -If you enable this policy setting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the session state. The range of values you can enter is 1 to 999,999. +- If you enable this policy setting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the session state. The range of values you can enter is 1 to 999,999. -If you disable or don't configure this policy setting, a keep-alive interval isn't set and the server won't check the session state. 
+- If you disable or do not configure this policy setting, a keep-alive interval is not set and the server will not check the session state. + - + + + - -ADMX Info: -- GP Friendly name: *Configure keep-alive connection interval* -- GP name: *TS_KEEP_ALIVE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_LICENSE_SECGROUP** +| Name | Value | +|:--|:--| +| Name | TS_KEEP_ALIVE | +| Friendly Name | Configure keep-alive connection interval | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | KeepAliveEnable | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_LICENSE_SECGROUP - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_LICENSE_SECGROUP +``` + -
    - - - + + This policy setting allows you to specify the RD Session Host servers to which a Remote Desktop license server will offer Remote Desktop Services client access licenses (RDS CALs). You can use this policy setting to control which RD Session Host servers are issued RDS CALs by the Remote Desktop license server. By default, a license server issues an RDS CAL to any RD Session Host server that requests one. -If you enable this policy setting and this policy setting is applied to a Remote Desktop license server, the license server will only respond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on the license server. By default, the RDS Endpoint Servers group is empty. +- If you enable this policy setting and this policy setting is applied to a Remote Desktop license server, the license server will only respond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on the license server. -If you disable or don't configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group isn't deleted or changed in any way by disabling or not configuring this policy setting. +By default, the RDS Endpoint Servers group is empty. ->[!NOTE] ->You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain. +- If you disable or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configuring this policy setting. 
- +> [!NOTE] +> You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain. + - -ADMX Info: -- GP Friendly name: *License server security group* -- GP name: *TS_LICENSE_SECGROUP* -- GP path: *Windows Components\Remote Desktop Services\RD Licensing* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_TerminalServer/TS_LICENSE_SERVERS** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_LICENSE_SECGROUP | +| Friendly Name | License server security group | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > RD Licensing | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fSecureLicensing | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_LICENSE_SERVERS -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_LICENSE_SERVERS +``` + - - + + This policy setting allows you to specify the order in which an RD Session Host server attempts to locate Remote Desktop license servers. -If you enable this policy setting, an RD Session Host server first attempts to locate the specified license servers. If the specified license servers can't be located, the RD Session Host server will attempt automatic license server discovery. +- If you enable this policy setting, an RD Session Host server first attempts to locate the specified license servers. If the specified license servers cannot be located, the RD Session Host server will attempt automatic license server discovery. In the automatic license server discovery process, an RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order: -In the automatic license server discovery process, an RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order: 1. Remote Desktop license servers that are published in Active Directory Domain Services. + 2. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server. -1If you disable or don't configure this policy setting, the RD Session Host server doesn't specify a license server at the Group Policy level. +- If you disable or do not configure this policy setting, the RD Session Host server does not specify a license server at the Group Policy level. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Use the specified Remote Desktop license servers* -- GP name: *TS_LICENSE_SERVERS* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_LICENSE_TOOLTIP** +| Name | Value | +|:--|:--| +| Name | TS_LICENSE_SERVERS | +| Friendly Name | Use the specified Remote Desktop license servers | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_LICENSE_TOOLTIP - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_LICENSE_TOOLTIP +``` + -
    - - - + + This policy setting determines whether notifications are displayed on an RD Session Host server when there are problems with RD Licensing that affect the RD Session Host server. -By default, notifications are displayed on an RD Session Host server after you sign in as a local administrator, if there are problems with RD Licensing that affect the RD Session Host server. If applicable, a notification will also be displayed that notes the number of days until the licensing grace period for the RD Session Host server will expire. +By default, notifications are displayed on an RD Session Host server after you log on as a local administrator, if there are problems with RD Licensing that affect the RD Session Host server. If applicable, a notification will also be displayed that notes the number of days until the licensing grace period for the RD Session Host server will expire. -If you enable this policy setting, these notifications won't be displayed on the RD Session Host server. +- If you enable this policy setting, these notifications will not be displayed on the RD Session Host server. -If you disable or don't configure this policy setting, these notifications will be displayed on the RD Session Host server after you sign in as a local administrator. +- If you disable or do not configure this policy setting, these notifications will be displayed on the RD Session Host server after you log on as a local administrator. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Hide notifications about RD Licensing problems that affect the RD Session Host server* -- GP name: *TS_LICENSE_TOOLTIP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_LICENSING_MODE** +| Name | Value | +|:--|:--| +| Name | TS_LICENSE_TOOLTIP | +| Friendly Name | Hide notifications about RD Licensing problems that affect the RD Session Host server | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_LICENSING_MODE - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_LICENSING_MODE +``` + -
    - - - + + This policy setting allows you to specify the type of Remote Desktop Services client access license (RDS CAL) that is required to connect to this RD Session Host server. -You can use this policy setting to select one of three licensing modes: Per User, Per Device, and Azure Active Directory Per User. -- Per User licensing mode requires that each user account connecting to this RD Session Host server have an RDS Per User CAL issued from an RD Licensing server. -- Per Device licensing mode requires that each device connecting to this RD Session Host server have an RDS Per Device CAL issued from an RD Licensing server. -- Azure AD Per User licensing mode requires that each user account connecting to this RD Session Host server have a service plan that supports RDS licenses assigned in Azure AD. +You can use this policy setting to select one of two licensing modes: Per User or Per Device. -If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host. +Per User licensing mode requires that each user account connecting to this RD Session Host server have an RDS Per User CAL issued from an RD Licensing server. -If you disable or don't configure this policy setting, the licensing mode isn't specified at the Group Policy level. +Per Device licensing mode requires that each device connecting to this RD Session Host server have an RDS Per Device CAL issued from an RD Licensing server. - +- If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host. 
- -ADMX Info: -- GP Friendly name: *Set the Remote Desktop licensing mode* -- GP name: *TS_LICENSING_MODE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing* -- GP ADMX file name: *TerminalServer.admx* +- If you disable or do not configure this policy setting, the licensing mode is not specified at the Group Policy level. + - - + + + + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TerminalServer/TS_MAX_CON_POLICY** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_LICENSING_MODE | +| Friendly Name | Set the Remote Desktop licensing mode | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TS_MAX_CON_POLICY -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy specifies whether Remote Desktop Services limits the number of simultaneous connections to the server. You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, other users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_MAX_CON_POLICY +``` + -By default, RD Session Host servers allow an unlimited number of Remote Desktop Services sessions, and Remote Desktop for Administration allows two Remote Desktop Services sessions. + + +Specifies whether Remote Desktop Services limits the number of simultaneous connections to the server. + +You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, addtional users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. By default, RD Session Host servers allow an unlimited number of Remote Desktop Services sessions, and Remote Desktop for Administration allows two Remote Desktop Services sessions. To use this setting, enter the number of connections you want to specify as the maximum for the server. To specify an unlimited number of connections, type 999999. If the status is set to Enabled, the maximum number of connections is limited to the specified number consistent with the version of Windows and the mode of Remote Desktop Services running on the server. 
-If the status is set to Disabled or Not Configured, limits to the number of connections aren't enforced at the Group Policy level. +If the status is set to Disabled or Not Configured, limits to the number of connections are not enforced at the Group Policy level. ->[!NOTE] ->This setting is designed to be used on RD Session Host servers (that is, on servers running Windows with Remote Desktop Session Host role service installed). +> [!NOTE] +> This setting is designed to be used on RD Session Host servers (that is, on servers running Windows with Remote Desktop Session Host role service installed). + - + + + - -ADMX Info: -- GP Friendly name: *Limit number of connections* -- GP name: *TS_MAX_CON_POLICY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_MAXDISPLAYRES** +| Name | Value | +|:--|:--| +| Name | TS_MAX_CON_POLICY | +| Friendly Name | Limit number of connections | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_MAXDISPLAYRES - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_MAXDISPLAYRES +``` + -
    - - - + + This policy setting allows you to specify the maximum display resolution that can be used by each monitor used to display a Remote Desktop Services session. Limiting the resolution used to display a remote session can improve connection performance, particularly over slow links, and reduce server load. -If you enable this policy setting, you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be used by each monitor used to display a Remote Desktop Services session. +- If you enable this policy setting, you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be used by each monitor used to display a Remote Desktop Services session. -If you disable or don't configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host Configuration tool. +- If you disable or do not configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host Configuration tool. + - + + + - -ADMX Info: -- GP Friendly name: *Limit maximum display resolution* -- GP name: *TS_MAXDISPLAYRES* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_MAXMONITOR** +| Name | Value | +|:--|:--| +| Name | TS_MAXDISPLAYRES | +| Friendly Name | Limit maximum display resolution | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_MAXMONITOR - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_MAXMONITOR +``` + -
    - - - + + This policy setting allows you to limit the number of monitors that a user can use to display a Remote Desktop Services session. Limiting the number of monitors to display a Remote Desktop Services session can improve connection performance, particularly over slow links, and reduce server load. -If you enable this policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from 1 to 16. +- If you enable this policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from 1 to 16. -If you disable or don't configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session isn't specified at the Group Policy level. +- If you disable or do not configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level. + - + + + - -ADMX Info: -- GP Friendly name: *Limit number of monitors* -- GP name: *TS_MAXMONITOR* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_NoDisconnectMenu** +| Name | Value | +|:--|:--| +| Name | TS_MAXMONITOR | +| Friendly Name | Limit number of monitors | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_NoDisconnectMenu - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_NoDisconnectMenu +``` + -
    + + +This policy setting allows you to remove the "Disconnect" option from the Shut Down Windows dialog box in Remote Desktop Services sessions. - - -This policy setting allows you to remove the "Disconnect" option from the Shut Down Windows dialog box in Remote Desktop Services sessions. You can use this policy setting to prevent users from using this familiar method to disconnect their client from an RD Session Host server. +You can use this policy setting to prevent users from using this familiar method to disconnect their client from an RD Session Host server. -If you enable this policy setting, "Disconnect" doesn't appear as an option in the drop-down list in the Shut Down Windows dialog box. +- If you enable this policy setting, "Disconnect" does not appear as an option in the drop-down list in the Shut Down Windows dialog box. -If you disable or don't configure this policy setting, "Disconnect" isn't removed from the list in the Shut Down Windows dialog box. +- If you disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut Down Windows dialog box. ->[!NOTE] ->This policy setting affects only the Shut Down Windows dialog box. It doesn't prevent users from using other methods to disconnect from a Remote Desktop Services session. +> [!NOTE] +> This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other methods to disconnect from a Remote Desktop Services session. This policy setting also does not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by configuring the "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions" policy setting. + -This policy setting also doesn't prevent disconnected sessions at the server. 
You can control how long a disconnected session remains active on the server by configuring the **Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions** policy setting. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove "Disconnect" option from Shut Down dialog* -- GP name: *TS_NoDisconnectMenu* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | TS_NoDisconnectMenu | +| Friendly Name | Remove "Disconnect" option from Shut Down dialog | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoDisconnect | +| ADMX File Name | TerminalServer.admx | + - -**ADMX_TerminalServer/TS_NoSecurityMenu** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## TS_NoSecurityMenu - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_NoSecurityMenu +``` + -> [!div class = "checklist"] -> * Device + + +Specifies whether to remove the Windows Security item from the Settings menu on Remote Desktop clients. You can use this setting to prevent inexperienced users from logging off from Remote Desktop Services inadvertently. -
    - - - -This policy specifies whether to remove the Windows Security item from the Settings menu on Remote Desktop clients. You can use this setting to prevent inexperienced users from logging off from Remote Desktop Services inadvertently. - -If the status is set to Enabled, Windows Security doesn't appear in Settings on the Start menu. As a result, users must type a security attention sequence, such as CTRL+ALT+END, to open the Windows Security dialog box on the client computer. +If the status is set to Enabled, Windows Security does not appear in Settings on the Start menu. As a result, users must type a security attention sequence, such as CTRL+ALT+END, to open the Windows Security dialog box on the client computer. If the status is set to Disabled or Not Configured, Windows Security remains in the Settings menu. + - + + + - -ADMX Info: -- GP Friendly name: *Remove Windows Security item from Start menu* -- GP name: *TS_NoSecurityMenu* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_PreventLicenseUpgrade** +| Name | Value | +|:--|:--| +| Name | TS_NoSecurityMenu | +| Friendly Name | Remove Windows Security item from Start menu | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoNTSecurity | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_PreventLicenseUpgrade - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_PreventLicenseUpgrade +``` + -
    - - - + + This policy setting allows you to specify which version of Remote Desktop Services client access license (RDS CAL) a Remote Desktop Services license server will issue to clients connecting to RD Session Host servers running other Windows-based operating systems. A license server attempts to provide the most appropriate RDS or TS CAL for a connection. For example, a Windows Server 2008 license server will try to issue a Windows Server 2008 TS CAL for clients connecting to a terminal server running Windows Server 2008, and will try to issue a Windows Server 2003 TS CAL for clients connecting to a terminal server running Windows Server 2003. -By default, if the most appropriate RDS CAL isn't available for a connection, a Windows Server 2008 license server will issue a Windows Server 2008 TS CAL, if available, to the following types of clients: -- A client connecting to a Windows Server 2003 terminal server -- A client connecting to a Windows 2000 terminal server +By default, if the most appropriate RDS CAL is not available for a connection, a Windows Server 2008 license server will issue a Windows Server 2008 TS CAL, if available, to the following: -If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server isn't available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client won't be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server hasn't expired. +* A client connecting to a Windows Server 2003 terminal server +* A client connecting to a Windows 2000 terminal server -If you disable or don't configure this policy setting, the license server will exhibit the default behavior noted earlier. 
+- If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client will not be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server has not expired. - +- If you disable or do not configure this policy setting, the license server will exhibit the default behavior noted earlier. + - -ADMX Info: -- GP Friendly name: *Prevent license upgrade* -- GP name: *TS_PreventLicenseUpgrade* -- GP path: *Windows Components\Remote Desktop Services\RD Licensing* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_PreventLicenseUpgrade | +| Friendly Name | Prevent license upgrade | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > RD Licensing | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fPreventLicenseUpgrade | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_PROMT_CREDS_CLIENT_COMP -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP +``` + - - + + This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote connection to an RD Session Host server. -If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user won't be prompted to provide credentials. +- If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user will not be prompted to provide credentials. ->[!NOTE] ->If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration. +> [!NOTE] +> If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration. + +- If you disable or do not configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. 
For Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection. + -If you disable or don't configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. + + + -For Windows Server 2003 and Windows 2000 Server, a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Prompt for credentials on the client computer* -- GP name: *TS_PROMT_CREDS_CLIENT_COMP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* +| Name | Value | +|:--|:--| +| Name | TS_PROMT_CREDS_CLIENT_COMP | +| Friendly Name | Prompt for credentials on the client computer | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | PromptForCredsOnClient | +| ADMX File Name | TerminalServer.admx | + - - + + + + -
    + +## TS_RADC_DefaultConnection - -**ADMX_TerminalServer/TS_RADC_DefaultConnection** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RADC_DefaultConnection +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. + +The default connection URL must be configured in the form of . + +- If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. + +- If you disable or do not configure this policy setting, the user has no default connection URL. + +> [!NOTE] +> RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user's account. + - -
    + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_RADC_DefaultConnection | +| Friendly Name | Specify default connection URL | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RemoteApp and Desktop Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Workspaces | +| ADMX File Name | TerminalServer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + + + -> [!div class = "checklist"] -> * User + +## TS_RDSAppX_WaitForRegistration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration +``` + + + + +This policy setting allows you to specify whether the app registration is completed before showing the Start screen to the user. + +By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the background. However, some apps may not work until app registration is complete. + +- If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. + +- If you disable or do not configure this policy setting, the Start screen is shown and apps are registered in the background. + + + + + -
    + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_RDSAppX_WaitForRegistration | +| Friendly Name | Suspend user sign-in to complete app registration | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\AllUserInstallAgent | +| Registry Value Name | LogonWaitForPackageRegistration | +| ADMX File Name | TerminalServer.admx | + -This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. The default connection URL must be configured in the form of [http://contoso.com/rdweb/Feed/webfeed.aspx](http://contoso.com/rdweb/Feed/webfeed.aspx). + + + + + + + +## TS_RemoteControl_1 -- If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user can't change the default connection URL. The user's default sign-in credentials are used when setting up the default connection URL. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RemoteControl_1 +``` + -- If you disable or don't configure this policy setting, the user has no default connection URL. + + +- If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: + +1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. +2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. + +3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. +4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. + +5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. + +- If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. + -RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user's account. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_RemoteControl_1 | +| Friendly Name | Set rules for remote control of Remote Desktop Services user sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + + + + + +## TS_RemoteControl_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RemoteControl_2 +``` + + + + +- If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: + +1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. +2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. + +3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. +4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. +5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. - -ADMX Info: -- GP Friendly name: *Specify default connection URL* -- GP name: *TS_RADC_DefaultConnection* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* +- If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. + - - -
    + + + - -**ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | TS_RemoteControl_2 | +| Friendly Name | Set rules for remote control of Remote Desktop Services user sessions | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -> [!div class = "checklist"] -> * User + + + + + -
    - - - - -This policy setting allows you to specify whether the app registration is completed before showing the Start screen to the user. By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the background. However, some apps may not work until app registration is complete. - -- If you enable this policy setting, user sign in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. - -- If you disable or don't configure this policy setting, the Start screen is shown and apps are registered in the background. - - - - - - -ADMX Info: -- GP Friendly name: *Suspend user sign-in to complete app registration* -- GP name: *TS_RDSAppX_WaitForRegistration* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
    - - -**ADMX_TerminalServer/TS_RemoteControl_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. - -To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. - - - - - - -ADMX Info: -- GP Friendly name: *Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers* -- GP name: *TS_RemoteControl_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
    - - -**ADMX_TerminalServer/TS_RemoteControl_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. - -To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. - - - - - - -ADMX Info: -- GP Friendly name: *Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers* -- GP name: *TS_RemoteControl_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
    - - -**ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy setting allows you to specify the visual experience that remote users will have in Remote Desktop Connection (RDC) connections that use RemoteFX. You can use this policy to balance the network bandwidth usage with the type of graphics experience that is delivered. Depending on the requirements of your users, you can reduce network bandwidth usage by reducing the screen capture rate. - -You can also reduce network bandwidth usage by reducing the image quality (increasing the amount of image compression that is performed). -If you've a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. + +## TS_RemoteDesktopVirtualGraphics + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics +``` + + + + +This policy setting allows you to specify the visual experience that remote users will have in Remote Desktop Connection (RDC) connections that use RemoteFX. You can use this policy to balance the network bandwidth usage with the type of graphics experience that is delivered. + +Depending on the requirements of your users, you can reduce network bandwidth usage by reducing the screen capture rate. You can also reduce network bandwidth usage by reducing the image quality (increasing the amount of image compression that is performed). + +If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. +- If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). + -If you disable or don't configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). 
+ + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Optimize visual experience when using RemoteFX* -- GP name: *TS_RemoteDesktopVirtualGraphics* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* -- GP ADMX file name: *TerminalServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_SD_ClustName** +| Name | Value | +|:--|:--| +| Name | TS_RemoteDesktopVirtualGraphics | +| Friendly Name | Optimize visual experience when using RemoteFX | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > RemoteFX for Windows Server 2008 R2 | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Terminal Services\ | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_SD_ClustName - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SD_ClustName +``` + -
    + + +This policy setting allows you to specify the name of a farm to join in RD Connection Broker. RD Connection Broker uses the farm name to determine which RD Session Host servers are in the same RD Session Host server farm. Therefore, you must use the same farm name for all RD Session Host servers in the same load-balanced farm. The farm name does not have to correspond to a name in Active Directory Domain Services. - - -This policy setting allows you to specify the name of a farm to join in RD Connection Broker. RD Connection Broker uses the farm name to determine which RD Session Host servers are in the same RD Session Host server farm. - -Therefore, you must use the same farm name for all RD Session Host servers in the same load-balanced farm. The farm name doesn't have to correspond to a name in Active Directory Domain Services. If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker. +If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker. - If you enable this policy setting, you must specify the name of a farm in RD Connection Broker. -- If you disable or don't configure this policy setting, the farm name isn't specified at the Group Policy level. +- If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. -> [!NOTE] -> This policy setting isn't effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. +**Note**: -For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. +1. 
This policy setting is not effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. - +2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + - -ADMX Info: -- GP Friendly name: *Configure RD Connection Broker farm name* -- GP name: *TS_SD_ClustName* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* -- GP ADMX file name: *TerminalServer.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | TS_SD_ClustName | +| Friendly Name | Configure RD Connection Broker farm name | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > RD Connection Broker | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## TS_SD_EXPOSE_ADDRESS - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS +``` + + + + This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote Desktop Services session in a load-balanced RD Session Host server farm. This setting applies to an RD Session Host server that is configured to use RD Connection Broker and not to the RD Connection Broker server. - If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm. -- If you disable this policy setting, the IP address of the RD Session Host server isn't sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you don't want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. +- If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. 
Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. -If you don't configure this policy setting, the Use IP address redirection policy setting isn't enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. +- If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. -> [!NOTE] -> For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. +**Note**: - +1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + - -ADMX Info: -- GP Friendly name: *Use IP Address Redirection* -- GP name: *TS_SD_EXPOSE_ADDRESS* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* -- GP ADMX file name: *TerminalServer.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_TerminalServer/TS_SD_Loc** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | TS_SD_EXPOSE_ADDRESS | +| Friendly Name | Use IP Address Redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > RD Connection Broker | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | SessionDirectoryExposeServerIP | +| ADMX File Name | TerminalServer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## TS_SD_Loc - - -This policy setting allows you to specify the RD Connection Broker server that the RD Session Host server uses to track and redirect user sessions for a load-balanced RD Session Host server farm. -The specified server must be running the Remote Desktop Connection Broker service. All RD Session Host servers in a load-balanced farm should use the same RD Connection Broker server. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SD_Loc +``` + + + + +This policy setting allows you to specify the RD Connection Broker server that the RD Session Host server uses to track and redirect user sessions for a load-balanced RD Session Host server farm. The specified server must be running the Remote Desktop Connection Broker service. All RD Session Host servers in a load-balanced farm should use the same RD Connection Broker server. - If you enable this policy setting, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection Broker servers. -- If you disable or don't configure this policy setting, the policy setting isn't specified at the Group Policy level. +- If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level. +**Note**: -> [!NOTE] -> For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. -> This policy setting isn't effective unless the Join RD Connection Broker policy setting is enabled. -> To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers. +1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. +2. This policy setting is not effective unless the Join RD Connection Broker policy setting is enabled. - +3. 
To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers. + - -ADMX Info: -- GP Friendly name: *Configure RD Connection Broker server name* -- GP name: *TS_SD_Loc* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_SD_Loc | +| Friendly Name | Configure RD Connection Broker server name | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > RD Connection Broker | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TS_SECURITY_LAYER_POLICY -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY +``` + + + + This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. -- If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. +- If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. The following security methods are available: -The following security methods are available: +* Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. -- **Negotiate**: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it's used to authenticate the RD Session Host server. If TLS isn't supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server isn't authenticated. Native RDP encryption (as opposed to SSL encryption) isn't recommended. -- **RDP**: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server isn't authenticated. 
Native RDP encryption (as opposed to SSL encryption) isn't recommended. -- **SSL (TLS 1.0)**: The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS isn't supported, the connection fails. This enablement is the recommended setting for this policy. +* RDP: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. -If you disable or don't configure this policy setting, the security method to be used for remote connections to RD Session Host servers isn't specified at the Group Policy level. +* SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails. This is the recommended setting for this policy. - +- If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level. + - -ADMX Info: -- GP Friendly name: *Require use of specific security layer for remote (RDP) connections* -- GP name: *TS_SECURITY_LAYER_POLICY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_SECURITY_LAYER_POLICY | +| Friendly Name | Require use of specific security layer for remote (RDP) connections | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TS_SELECT_NETWORK_DETECT -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT +``` + + + + This policy setting allows you to specify how the Remote Desktop Protocol will try to detect the network quality (bandwidth and latency). + You can choose to disable Connect Time Detect, Continuous Network Detect, or both Connect Time Detect and Continuous Network Detect. -- If you disable Connect Time Detect, Remote Desktop Protocol won't determine the network quality at the connect time, and it will assume that all traffic to this server originates from a low-speed connection. +If you disable Connect Time Detect, Remote Desktop Protocol will not determine the network quality at the connect time, and it will assume that all traffic to this server originates from a low-speed connection. -- If you disable Continuous Network Detect, Remote Desktop Protocol won't try to adapt the remote user experience to varying network quality. +If you disable Continuous Network Detect, Remote Desktop Protocol will not try to adapt the remote user experience to varying network quality. -- If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol won't try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it won't try to adapt the user experience to varying network quality. +If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it will not try to adapt the user experience to varying network quality. 
-- If you disable or don't configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality. +- If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality. + - + + + - -ADMX Info: -- GP Friendly name: *Select network detection on the server* -- GP name: *TS_SELECT_NETWORK_DETECT* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_SELECT_TRANSPORT** +| Name | Value | +|:--|:--| +| Name | TS_SELECT_NETWORK_DETECT | +| Friendly Name | Select network detection on the server | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_SELECT_TRANSPORT - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SELECT_TRANSPORT +``` + -
    - - - + + This policy setting allows you to specify which protocols can be used for Remote Desktop Protocol (RDP) access to this server. -- If you enable this policy setting, you must specify if you would like RDP to use UDP. You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)" +- If you enable this policy setting, you must specify if you would like RDP to use UDP. -If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP. If the UDP connection isn't successful or if you select "Use only TCP," all of the RDP traffic will use TCP. +You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)" -- If you disable or don't configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience. +If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP. - +If the UDP connection is not successful or if you select "Use only TCP," all of the RDP traffic will use TCP. - -ADMX Info: -- GP Friendly name: *Select RDP transport protocols* -- GP name: *TS_SELECT_TRANSPORT* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* +- If you disable or do not configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience. + - - + + + -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -**ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_SELECT_TRANSPORT | +| Friendly Name | Select RDP transport protocols | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. -This policy setting applies only to RemoteApp programs and doesn't apply to remote desktop sessions. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP +``` + -- If you enable or don't configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics. + + +This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and does not apply to remote desktop sessions. -- If you disable this policy setting, RemoteApp programs published from this RD Session Host server won't use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs don't support these advanced graphics. +- If you enable or do not configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics. - +- If you disable this policy setting, RemoteApp programs published from this RD Session Host server will not use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs do not support these advanced graphics. + - -ADMX Info: -- GP Friendly name: *Use advanced RemoteFX graphics for RemoteApp* -- GP name: *TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -**ADMX_TerminalServer/TS_SERVER_AUTH** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP | +| Friendly Name | Use advanced RemoteFX graphics for RemoteApp | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fEnableRemoteFXAdvancedRemoteApp | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_SERVER_AUTH -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_AUTH +``` + - - -This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client can't authenticate the RD Session Host server. + + +This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. - If you enable this policy setting, you must specify one of the following settings: - - Always connect, even if authentication fails: The client connects to the RD Session Host server even if the client can't authenticate the RD Session Host server. - - Warn me if authentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authenticated, the client establishes a connection to the RD Session Host server. If the RD Session Host server can't be authenticated, the user is prompted to choose whether to connect to the RD Session Host server without authenticating the RD Session Host server. - - don't connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated. +Always connect, even if authentication fails: The client connects to the RD Session Host server even if the client cannot authenticate the RD Session Host server. -- If you disable or don't configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client can't authenticate the RD Session Host server. +Warn me if authentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authenticated, the client establishes a connection to the RD Session Host server. 
If the RD Session Host server cannot be authenticated, the user is prompted to choose whether to connect to the RD Session Host server without authenticating the RD Session Host server. - +Do not connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated. - -ADMX Info: -- GP Friendly name: *Configure server authentication for client* -- GP name: *TS_SERVER_AUTH* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* +- If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. + - - + + + -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -**ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_SERVER_AUTH | +| Friendly Name | Configure server authentication for client | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TS_SERVER_AVC_HW_ENCODE_PREFERRED -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED +``` + -- When you enable hardware encoding, if an error occurs, we'll attempt to use software encoding. + + +This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. +- If you disable or do not configure this policy, we will always use software encoding. + -- If you disable or don't configure this policy, we'll always use software encoding. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure H.264/AVC hardware encoding for Remote Desktop Connections* -- GP name: *TS_SERVER_AVC_HW_ENCODE_PREFERRED* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_SERVER_AVC_HW_ENCODE_PREFERRED | +| Friendly Name | Configure H.264/AVC hardware encoding for Remote Desktop Connections | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AVCHardwareEncodePreferred | +| ADMX File Name | TerminalServer.admx | + -**ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## TS_SERVER_AVC444_MODE_PREFERRED - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. When you use this setting on the RDP server, the server will use H.264/AVC 444 as the codec in an RDP 10 connection where both the client and server can use H.264/AVC 444. + -
    + + + - - -This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. + +**Description framework properties**: -When you use this setting on the RDP server, the server will use H.264/AVC 444 as the codec in an RDP 10 connection where both the client and server can use H.264/AVC 444. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections* -- GP name: *TS_SERVER_AVC444_MODE_PREFERRED* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | TS_SERVER_AVC444_MODE_PREFERRED | +| Friendly Name | Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AVC444ModePreferred | +| ADMX File Name | TerminalServer.admx | + -
    + + + - + -**ADMX_TerminalServer/TS_SERVER_COMPRESSOR** + +## TS_SERVER_COMPRESSOR - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_COMPRESSOR +``` + - -
    + + +This policy setting allows you to specify which Remote Desktop Protocol (RDP) compression algorithm to use. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +By default, servers use an RDP compression algorithm that is based on the server's hardware configuration. -> [!div class = "checklist"] -> * Device +- If you enable this policy setting, you can specify which RDP compression algorithm to use. If you select the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more network bandwidth. If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth, but is more memory-intensive. Additionally, a third option is available that balances memory usage and network bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used. -
    +You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you are using a hardware device that is designed to optimize network traffic. Even if you choose not to use an RDP compression algorithm, some graphics data will still be compressed. - - -This policy setting allows you to specify which Remote Desktop Protocol (RDP) compression algorithm to use. By default, servers use an RDP compression algorithm that is based on the server's hardware configuration. +- If you disable or do not configure this policy setting, the default RDP compression algorithm will be used. + -- If you enable this policy setting, you can specify which RDP compression algorithm to use. If you select the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more network bandwidth. + + + -If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth, but is more memory-intensive. Additionally, a third option is available that balances memory usage and network bandwidth. + +**Description framework properties**: -In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used. You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you're using a hardware device that is designed to optimize network traffic. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Even if you choose not to use an RDP compression algorithm, some graphics data will still be compressed. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
-- If you disable or don't configure this policy setting, the default RDP compression algorithm will be used. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_SERVER_COMPRESSOR | +| Friendly Name | Configure compression for RemoteFX data | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - -ADMX Info: -- GP Friendly name: *Configure compression for RemoteFX data* -- GP name: *TS_SERVER_COMPRESSOR* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + + + - - + -
    + +## TS_SERVER_IMAGE_QUALITY - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -**ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - + + This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual quality that is delivered. - - If you enable this policy setting and set quality to Low, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of network bandwidth of the quality modes. - - If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality. - - If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth. +- If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only. +- If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. + -- If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data isn't impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you enable this setting for specific cases only. + + + -- If you disable or don't configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. 
+ +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Configure image quality for RemoteFX Adaptive Graphics* -- GP name: *TS_SERVER_IMAGE_QUALITY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | TS_SERVER_IMAGE_QUALITY | +| Friendly Name | Configure image quality for RemoteFX Adaptive Graphics | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -**ADMX_TerminalServer/TS_SERVER_LEGACY_RFX** + - + +## TS_SERVER_LEGACY_RFX -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_LEGACY_RFX +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec. +- If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec. +- If you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions. + -> [!div class = "checklist"] -> * Device + + + -
    - - -This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtualization Host) server and a Remote Desktop Session Host (RD Session Host) server. + +**Description framework properties**: -When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user experience by rendering content on the server by using graphics processing units (GPUs). By default, RemoteFX for RD Virtualization Host uses server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1. When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -- If you disable this policy setting, RemoteFX will be disabled. If you don't configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. 
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | TS_SERVER_LEGACY_RFX |
+| Friendly Name | Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1 |
+| Location | Computer Configuration |
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
+| Registry Value Name | fEnableVirtualizedGraphics |
+| ADMX File Name | TerminalServer.admx |
+
-
-ADMX Info:
-- GP Friendly name: *Configure RemoteFX*
-- GP name: *TS_SERVER_LEGACY_RFX*
-- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2*
-- GP ADMX file name: *TerminalServer.admx*
+
+
+
-
-
+
-
    + +## TS_SERVER_PROFILE - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -**ADMX_TerminalServer/TS_SERVER_PROFILE** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_PROFILE +``` + - + + +This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available nework bandwidth. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you enable this policy setting, the RemoteFX experience could be set to one of the following options: - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available network bandwidth. - -If you enable this policy setting, the RemoteFX experience could be set to one of the following options: 1. Let the system choose the experience for the network condition 2. Optimize for server scalability -3. Optimize for minimum bandwidth usage. If you disable or don't configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." - +3. Optimize for minimum bandwidth usage - -ADMX Info: -- GP Friendly name: *Configure RemoteFX Adaptive Graphics* -- GP name: *TS_SERVER_PROFILE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* +- If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." + - - + + + -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -**ADMX_TerminalServer/TS_SERVER_VISEXP** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_SERVER_PROFILE | +| Friendly Name | Configure RemoteFX Adaptive Graphics | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TS_SERVER_VISEXP -
    - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -This policy setting allows you to specify the visual experience that remote users receive in Remote Desktop Services sessions. Remote sessions on the remote computer are then optimized to support this visual experience. By default, Remote Desktop Services sessions are optimized for rich multimedia, such as applications that use Silverlight or Windows Presentation Foundation. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_VISEXP +``` + + + + +This policy setting allows you to specify the visual experience that remote users receive in Remote Desktop Services sessions. Remote sessions on the remote computer are then optimized to support this visual experience. + +By default, Remote Desktop Services sessions are optimized for rich multimedia, such as applications that use Silverlight or Windows Presentation Foundation. - If you enable this policy setting, you must select the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text. -- If you disable or don't configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia. +- If you disable or do not configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia. + - + + + - -ADMX Info: -- GP Friendly name: *Optimize visual experience for Remote Desktop Service Sessions* -- GP name: *TS_SERVER_VISEXP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER** +| Name | Value | +|:--|:--| +| Name | TS_SERVER_VISEXP | +| Friendly Name | Optimize visual experience for Remote Desktop Service Sessions | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > RemoteFX for Windows Server 2008 R2 | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_SERVER_WDDM_GRAPHICS_DRIVER - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device - -
    - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER +``` + + + This policy setting lets you enable WDDM graphics display driver for Remote Desktop Connections. -- If you enable or don't configure this policy setting, Remote Desktop Connections will use WDDM graphics display driver. +- If you enable or do not configure this policy setting, Remote Desktop Connections will use WDDM graphics display driver. -- If you disable this policy setting, Remote Desktop Connections won't use WDDM graphics display driver. In this case, the Remote Desktop Connections will use XDDM graphics display driver. For this change to take effect, you must restart Windows. +- If you disable this policy setting, Remote Desktop Connections will NOT use WDDM graphics display driver. In this case, the Remote Desktop Connections will use XDDM graphics display driver. - +For this change to take effect, you must restart Windows. + - -ADMX Info: -- GP Friendly name: *Use WDDM graphics display driver for Remote Desktop Connections* -- GP name: *TS_SERVER_WDDM_GRAPHICS_DRIVER* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -**ADMX_TerminalServer/TS_Session_End_On_Limit_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_SERVER_WDDM_GRAPHICS_DRIVER | +| Friendly Name | Use WDDM graphics display driver for Remote Desktop Connections | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fEnableWddmDriver | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_Session_End_On_Limit_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_Session_End_On_Limit_1 +``` + -This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. Time limits are set locally by the server administrator or by using Group Policy. + + +This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. -See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. +You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. + +Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. - If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. -- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. If you don't configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. 
+- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator.
-This policy setting only applies to time-out limits that are explicitly set by the administrator.
+- If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings.
-This policy setting doesn't apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence.
+> [!NOTE]
+> This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence.
+
-
+
+
+
-
-ADMX Info:
-- GP Friendly name: *End session when time limits are reached*
-- GP name: *TS_Session_End_On_Limit_1*
-- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits*
-- GP ADMX file name: *TerminalServer.admx*
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_Session_End_On_Limit_2** +| Name | Value | +|:--|:--| +| Name | TS_Session_End_On_Limit_1 | +| Friendly Name | End session when time limits are reached | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fResetBroken | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_Session_End_On_Limit_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_Session_End_On_Limit_2 +``` + -
    - - + + +This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. -This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. Time limits are set locally by the server administrator or by using Group Policy. +You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. -See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. +Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. - If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. -- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. If you don't configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. +- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. 
-This policy setting only applies to time-out limits that are explicitly set by the administrator.
+- If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings.
-This policy setting doesn't apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence.
+> [!NOTE]
+> This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence.
+
-
+
+
+
-
-ADMX Info:
-- GP Friendly name: *End session when time limits are reached*
-- GP name: *TS_Session_End_On_Limit_2*
-- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits*
-- GP ADMX file name: *TerminalServer.admx*
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1** +| Name | Value | +|:--|:--| +| Name | TS_Session_End_On_Limit_2 | +| Friendly Name | End session when time limits are reached | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fResetBroken | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_SESSIONS_Disconnected_Timeout_1 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1 +``` + -
    - - + + +This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. + +You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. -This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. -- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you've a console session, disconnected session time limits don't apply. +- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. -- If you disable or don't configure this policy setting, this policy setting isn't specified at the Group Policy level. Be default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. 
Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. ->[!NOTE] +> [!NOTE] > This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + - + + + - -ADMX Info: -- GP Friendly name: *Set time limit for disconnected sessions* -- GP name: *TS_SESSIONS_Disconnected_Timeout_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2** +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Disconnected_Timeout_1 | +| Friendly Name | Set time limit for disconnected sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_SESSIONS_Disconnected_Timeout_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2 +``` + -
    - - + + +This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. + +You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. -This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. -- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you've a console session, disconnected session time limits don't apply. +- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. -- If you disable or don't configure this policy setting, this policy setting isn't specified at the Group Policy level. Be default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. 
Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. ->[!NOTE] +> [!NOTE] > This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + - + + + - -ADMX Info: -- GP Friendly name: *Set time limit for disconnected sessions* -- GP name: *TS_SESSIONS_Disconnected_Timeout_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1** +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Disconnected_Timeout_2 | +| Friendly Name | Set time limit for disconnected sessions | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_SESSIONS_Idle_Limit_1 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 +``` + -
    - - + + +This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. -This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it's automatically disconnected. +- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. -- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you've a console session, idle session time limits don't apply. - -- If you disable or don't configure this policy setting, the time limit isn't specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. +- If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. 
If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. ->[!NOTE] +> [!NOTE] > This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + - + + + - -ADMX Info: -- GP Friendly name: *Set time limit for active but idle Remote Desktop Services sessions* -- GP name: *TS_SESSIONS_Idle_Limit_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2** +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Idle_Limit_1 | +| Friendly Name | Set time limit for active but idle Remote Desktop Services sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_SESSIONS_Idle_Limit_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2 +``` + -
    - - + + +This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. -This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it's automatically disconnected. +- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. -- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you've a console session, idle session time limits don't apply. - -- If you disable or don't configure this policy setting, the time limit isn't specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. +- If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. 
If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. ->[!NOTE] +> [!NOTE] > This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + - + + + - -ADMX Info: -- GP Friendly name: *Set time limit for active but idle Remote Desktop Services sessions* -- GP name: *TS_SESSIONS_Idle_Limit_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_SESSIONS_Limits_1** +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Idle_Limit_2 | +| Friendly Name | Set time limit for active but idle Remote Desktop Services sessions | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_SESSIONS_Limits_1 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Limits_1 +``` + -
    - - + + +This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. -This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it's automatically disconnected. +- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. -- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you've a console session, active session time limits don't apply. - -- If you disable or don't configure this policy setting, this policy setting isn't specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. 
If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. ->[!NOTE] +> [!NOTE] > This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set time limit for active Remote Desktop Services sessions* -- GP name: *TS_SESSIONS_Limits_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Limits_1 | +| Friendly Name | Set time limit for active Remote Desktop Services sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -**ADMX_TerminalServer/TS_SESSIONS_Limits_2** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## TS_SESSIONS_Limits_2 - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Limits_2 +``` + -> [!div class = "checklist"] -> * User + + +This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. -
    - - +- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. -This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it's automatically disconnected. - -- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you've a console session, active session time limits don't apply. - -- If you disable or don't configure this policy setting, this policy setting isn't specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. ->[!NOTE] +> [!NOTE] > This policy setting appears in both Computer Configuration and User Configuration. 
If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set time limit for active Remote Desktop Services sessions* -- GP name: *TS_SESSIONS_Limits_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Limits_2 | +| Friendly Name | Set time limit for active Remote Desktop Services sessions | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -**ADMX_TerminalServer/TS_SINGLE_SESSION** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## TS_SINGLE_SESSION - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SINGLE_SESSION +``` + -> [!div class = "checklist"] -> * User + + +This policy setting allows you to restrict users to a single Remote Desktop Services session. -
    - - +- If you enable this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon. -This policy setting allows you to restrict users to a single Remote Desktop Services session. If you enable this policy setting, users who sign in remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. +- If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. -If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next sign in. +- If you do not configure this policy setting, this policy setting is not specified at the Group Policy level. + -If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. If you don't configure this policy setting, this policy setting isn't specified at the Group Policy level. + + + + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Restrict Remote Desktop Services users to a single Remote Desktop Services session* -- GP name: *TS_SINGLE_SESSION* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | TS_SINGLE_SESSION | +| Friendly Name | Restrict Remote Desktop Services users to a single Remote Desktop Services session | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fSingleSessionPerUser | +| ADMX File Name | TerminalServer.admx | + - + + + -**ADMX_TerminalServer/TS_SMART_CARD** + - + +## TS_SMART_CARD -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SMART_CARD +``` + + + This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Services session. -- If you enable this policy setting, Remote Desktop Services users can't use a smart card to sign in to a Remote Desktop Services session. +- If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services session. -- If you disable or don't configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. +- If you disable or do not configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. ->[!NOTE] +> [!NOTE] > The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Professional and the target server must be joined to a domain. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow smart card device redirection* -- GP name: *TS_SMART_CARD* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_START_PROGRAM_1** +| Name | Value | +|:--|:--| +| Name | TS_SMART_CARD | +| Friendly Name | Do not allow smart card device redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fEnableSmartCard | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_START_PROGRAM_1 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_START_PROGRAM_1 +``` + -
    - - + + +Configures Remote Desktop Services to run a specified program automatically upon connection. -Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to specify a program to run automatically when a user signs in to a remote computer. By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. +You can use this setting to specify a program to run automatically when a user logs on to a remote computer. -The Start menu and Windows Desktop aren't displayed, and when the user exits the program the session is automatically logged off. To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. +By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. -If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory isn't the name of a valid directory, the RD Session Host server connection fails with an error message. 
If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory isn't specified) as the working directory for the program. If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) +To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. ->[!NOTE] +If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. + +If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) + +> [!NOTE] > This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Start a program on connection* -- GP name: *TS_START_PROGRAM_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_START_PROGRAM_2** +| Name | Value | +|:--|:--| +| Name | TS_START_PROGRAM_1 | +| Friendly Name | Start a program on connection | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fInheritInitialProgram | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_START_PROGRAM_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_START_PROGRAM_2 +``` + -
    - - + + +Configures Remote Desktop Services to run a specified program automatically upon connection. -Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to specify a program to run automatically when a user signs in to a remote computer. By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. +You can use this setting to specify a program to run automatically when a user logs on to a remote computer. -The Start menu and Windows Desktop aren't displayed, and when the user exits the program the session is automatically logged off. To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. +By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. -If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory isn't the name of a valid directory, the RD Session Host server connection fails with an error message. 
If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory isn't specified) as the working directory for the program. If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) +To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. ->[!NOTE] +If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. + +If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) + +> [!NOTE] > This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Start a program on connection* -- GP name: *TS_START_PROGRAM_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_TEMP_DELETE** +| Name | Value | +|:--|:--| +| Name | TS_START_PROGRAM_2 | +| Friendly Name | Start a program on connection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_TEMP_DELETE - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_TEMP_DELETE +``` + -
    - - + + +This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. -This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at sign out. You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user signs out from a session. By default, Remote Desktop Services deletes a user's temporary folders when the user signs out. +You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remote Desktop Services deletes a user's temporary folders when the user logs off. -If you enable this policy setting, a user's per-session temporary folders are retained when the user signs out from a session. +- If you enable this policy setting, a user's per-session temporary folders are retained when the user logs off from a session. -If you disable this policy setting, temporary folders are deleted when a user signs out, even if the server administrator specifies otherwise. If you don't configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at sign out, unless specified otherwise by the server administrator. +- If you disable this policy setting, temporary folders are deleted when a user logs off, even if the server administrator specifies otherwise. ->[!NOTE] -> This setting only takes effect if per-session temporary folders are in use on the server. If you enable the don't use temporary folders per session policy setting, this policy setting has no effect. +- If you do not configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the server administrator. - +> [!NOTE] +> This setting only takes effect if per-session temporary folders are in use on the server. 
If you enable the Do not use temporary folders per session policy setting, this policy setting has no effect. + - -ADMX Info: -- GP Friendly name: *Do not delete temp folders upon exit* -- GP name: *TS_TEMP_DELETE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -**ADMX_TerminalServer/TS_TEMP_PER_SESSION** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_TEMP_DELETE | +| Friendly Name | Do not delete temp folders upon exit | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Temporary folders | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | DeleteTempDirsOnExit | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_TEMP_PER_SESSION -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_TEMP_PER_SESSION +``` + + + This policy setting allows you to prevent Remote Desktop Services from creating session-specific temporary folders. -You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remote Desktop Services creates a separate temporary folder for each active session that a user maintains on a remote computer. These temporary folders are created on the remote computer in a Temp folder under the user's profile folder and are named with the session ID. +You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remote Desktop Services creates a separate temporary folder for each active session that a user maintains on a remote computer. These temporary folders are created on the remote computer in a Temp folder under the user's profile folder and are named with the sessionid. -- If you enable this policy setting, per-session temporary folders aren't created. Instead, a user's temporary files for all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer. +- If you enable this policy setting, per-session temporary folders are not created. Instead, a user's temporary files for all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer. -- If you disable this policy setting, per-session temporary folders are always created, even if the server administrator specifies otherwise. If you don't configure this policy setting, per-session temporary folders are created unless the server administrator specifies otherwise. +- If you disable this policy setting, per-session temporary folders are always created, even if the server administrator specifies otherwise. 
- +- If you do not configure this policy setting, per-session temporary folders are created unless the server administrator specifies otherwise. + - -ADMX Info: -- GP Friendly name: *Do not use temporary folders per session* -- GP name: *TS_TEMP_PER_SESSION* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -**ADMX_TerminalServer/TS_TIME_ZONE** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_TEMP_PER_SESSION | +| Friendly Name | Do not use temporary folders per session | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Temporary folders | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | PerSessionTempDir | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_TIME_ZONE -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_TIME_ZONE +``` + -This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session. + + +This policy setting determines whether the client computer redirects its time zone settings to the Remote Desktop Services session. - If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). -- If you disable or don't configure this policy setting, the client computer doesn't redirect its time zone information and the session time zone is the same as the server time zone. +- If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. ->[!NOTE] -> Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later. +> [!NOTE] +> Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 and later. + - + + + - -ADMX Info: -- GP Friendly name: *Allow time zone redirection* -- GP name: *TS_TIME_ZONE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY** +| Name | Value | +|:--|:--| +| Name | TS_TIME_ZONE | +| Friendly Name | Allow time zone redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fEnableTimeZoneRedirection | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_TSCC_PERMISSIONS_POLICY - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY +``` + -
    - - + + +This policy setting specifies whether to disable the administrator rights to customize security permissions for the Remote Desktop Session Host server. -This policy setting specifies whether to disable the administrator rights to customize security permissions for the Remote Desktop Session Host server. You can use this setting to prevent administrators from making changes to the user groups allowed to connect remotely to the RD Session Host server. By default, administrators are able to make such changes. +You can use this setting to prevent administrators from making changes to the user groups allowed to connect remotely to the RD Session Host server. By default, administrators are able to make such changes. -- If you enable this policy setting, the default security descriptors for existing groups on the RD Session Host server can't be changed. All the security descriptors are read-only. +- If you enable this policy setting the default security descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only. -- If you disable or don't configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. +- If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. ->[!NOTE] +> [!NOTE] > The preferred method of managing user access is by adding a user to the Remote Desktop Users group. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Do not allow local administrators to customize permissions* -- GP name: *TS_TSCC_PERMISSIONS_POLICY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP** +| Name | Value | +|:--|:--| +| Name | TS_TSCC_PERMISSIONS_POLICY | +| Friendly Name | Do not allow local administrators to customize permissions | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fWritableTSCCPermTab | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_TURNOFF_SINGLEAPP - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device - -
    - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP +``` + + + This policy setting determines whether the desktop is always displayed after a client connects to a remote computer or an initial program can run. It can be used to require that the desktop be displayed after a client connects to a remote computer, even if an initial program is already specified in the default user profile, Remote Desktop Connection, Remote Desktop Services client, or through Group Policy. - If you enable this policy setting, the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings. -- If you disable or don't configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program isn't specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. +- If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. ->[!NOTE] +> [!NOTE] > If this policy setting is enabled, then the "Start a program on connection" policy setting is ignored. + - + + + - -ADMX Info: -- GP Friendly name: *Always show desktop on connection* -- GP name: *TS_TURNOFF_SINGLEAPP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_TURNOFF_SINGLEAPP | +| Friendly Name | Always show desktop on connection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fTurnOffSingleAppMode | +| ADMX File Name | TerminalServer.admx | + - - + + + -
    + - + +## TS_UIA -**ADMX_TerminalServer/TS_UIA** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_UIA +``` + + + + +This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can access UI elements on the server. + +UI Automation gives programs access to most UI elements, which lets you use assistive technology products like Magnifier and Narrator that need to interact with the UI in order to work properly. UI information also allows automated test scripts to interact with the UI. + +Remote Desktop sessions don't currently support UI Automation redirection. + +- If you enable or don't configure this policy setting, any UI Automation clients on your local computer can interact with remote apps. For example, you can use your local computer's Narrator and Magnifier clients to interact with UI on a web page you opened in a remote session. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you disable this policy setting, UI Automation clients running on your local computer can't interact with remote apps. + - -
    + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_UIA | +| Friendly Name | Allow UI Automation redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | EnableUiaRedirection | +| ADMX File Name | TerminalServer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    - - + +## TS_USB_REDIRECTION_DISABLE -This policy setting allows you to restrict users to a single Remote Desktop Services session. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this policy setting, users who sign in remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next sign in. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE +``` + -- If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. + + +This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected RemoteFX USB devices will not be available for local usage on this computer. + +- If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer. + +- If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any user account. + +For this change to take effect, you must restart Windows. + -- If you don't configure this policy setting, this policy setting isn't specified at the Group Policy level. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Restrict Remote Desktop Services users to a single Remote Desktop Services session* -- GP name: *TS_UIA* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_USB_REDIRECTION_DISABLE | +| Friendly Name | Allow RDP redirection of other supported RemoteFX USB devices from this computer | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client > RemoteFX USB Device Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client | +| ADMX File Name | TerminalServer.admx | + -**ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## TS_USER_AUTHENTICATION_POLICY - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. -
    - - +- If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server. -This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected RemoteFX USB devices won't be available for local usage on this computer. +To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported. + +- If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server. + +- If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. -If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer. +> [!IMPORTANT] +> Disabling this policy setting provides less security because user authentication will occur later in the remote connection process. + -If you disable or don't configure this policy setting, other supported RemoteFX USB devices aren't available for RDP redirection by using any user account. For this change to take effect, you must restart Windows. 
+ + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow RDP redirection of other supported RemoteFX USB devices from this computer* -- GP name: *TS_USB_REDIRECTION_DISABLE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client\RemoteFX USB Device Redirection* -- GP ADMX file name: *TerminalServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_USER_AUTHENTICATION_POLICY | +| Friendly Name | Require user authentication for remote connections by using Network Level Authentication | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UserAuthentication | +| ADMX File Name | TerminalServer.admx | + -**ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY** + + + - + + + +## TS_USER_HOME + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_USER_HOME +``` + - -
    + + +Specifies whether Remote Desktop Services uses the specified network share or local directory path as the root of the user's home directory for a Remote Desktop Services session. + +To use this setting, select the location for the home directory (network or local) from the Location drop-down list. If you choose to place the directory on a network share, type the Home Dir Root Path in the form \\Computername\Sharename, and then select the drive letter to which you want the network share to be mapped. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you choose to keep the home directory on the local computer, type the Home Dir Root Path in the form "Drive:\Path" (without quotes), without environment variables or ellipses. Do not specify a placeholder for user alias, because Remote Desktop Services automatically appends this at logon. -> [!div class = "checklist"] -> * Device +> [!NOTE] +> The Drive Letter field is ignored if you choose to specify a local path. If you choose to specify a local path but then type the name of a network share in Home Dir Root Path, Remote Desktop Services places user home directories in the network location. -
    - - +If the status is set to Enabled, Remote Desktop Services creates the user's home directory in the specified location on the local computer or the network. The home directory path for each user is the specified Home Dir Root Path and the user's alias. -This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. +If the status is set to Disabled or Not Configured, the user's home directory is as specified at the server. + -- If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server. To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported. + + + -- If you disable this policy setting, Network Level Authentication isn't required for user authentication before allowing remote connections to the RD Session Host server. If you don't configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. + +**Description framework properties**: -Disabling this policy setting provides less security because user authentication will occur later in the remote connection process. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- -ADMX Info: -- GP Friendly name: *Require user authentication for remote connections by using Network Level Authentication* -- GP name: *TS_USER_AUTHENTICATION_POLICY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* -- GP ADMX file name: *TerminalServer.admx* +**ADMX mapping**: - - - -
    - - - -**ADMX_TerminalServer/TS_USER_HOME** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Session Host server when TLS 1.0, 1.1 or 1.2 is used to secure communication between a client and an RD Session Host server during RDP connections. - -- If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate hasn't been selected. - -If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. - -- If you disable or don't configure this policy, the certificate template name isn't specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. - -If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. - - - - -ADMX Info: -- GP Friendly name: *Server authentication certificate template* -- GP name: *TS_USER_HOME* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - +| Name | Value | +|:--|:--| +| Name | TS_USER_HOME | +| Friendly Name | Set Remote Desktop Services User Home Directory | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_USER_MANDATORY_PROFILES + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES +``` + + + This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting remotely to the RD Session Host server. - If you enable this policy setting, Remote Desktop Services uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profile. -- If you disable or don't configure this policy setting, mandatory user profiles aren't used by users connecting remotely to the RD Session Host server. +- If you disable or do not configure this policy setting, mandatory user profiles are not used by users connecting remotely to the RD Session Host server. + +**Note**: For this policy setting to take effect, you must also enable and configure the "Set path for Remote Desktop Services Roaming User Profile" policy setting. + + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use mandatory profiles on the RD Session Host server* -- GP name: *TS_USER_MANDATORY_PROFILES* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* -- GP ADMX file name: *TerminalServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_USER_MANDATORY_PROFILES | +| Friendly Name | Use mandatory profiles on the RD Session Host server | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | WFDontAppendUserNameToProfile | +| ADMX File Name | TerminalServer.admx | + -**ADMX_TerminalServer/TS_USER_PROFILES** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## TS_USER_PROFILES - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_USER_PROFILES +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting allows you to specify the network path that Remote Desktop Services uses for roaming user profiles. -
    - - +By default, Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this policy setting to specify a network share where user profiles can be centrally stored, allowing a user to access the same profile for sessions on all RD Session Host servers that are configured to use the network share for user profiles. -This policy setting allows you to specify the network path that Remote Desktop Services uses for roaming user profiles. By default, Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this policy setting to specify a network share where user profiles can be centrally stored, allowing a user to access the same profile for sessions on all RD Session Host servers that are configured to use the network share for user profiles. If you enable this policy setting, Remote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user. +- If you enable this policy setting, Remote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user. -To configure this policy setting, type the path to the network share in the form of \\Computername\Sharename. Don't specify a placeholder for the user account name, because Remote Desktop Services automatically adds this location when the user signs in and the profile is created. +To configure this policy setting, type the path to the network share in the form of \\Computername\Sharename. Do not specify a placeholder for the user account name, because Remote Desktop Services automatically adds this when the user logs on and the profile is created. 
If the specified network share does not exist, Remote Desktop Services displays an error message on the RD Session Host server and will store the user profiles locally on the RD Session Host server. -If the specified network share doesn't exist, Remote Desktop Services displays an error message on the RD Session Host server and will store the user profiles locally on the RD Session Host server. +- If you disable or do not configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. -If you disable or don't configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. +**Note**: 1. The roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in a Remote Desktop Services session. 2. To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Set path for Remote Desktop Services Roaming User Profile* -- GP name: *TS_USER_PROFILES* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | TS_USER_PROFILES | +| Friendly Name | Set path for Remote Desktop Services Roaming User Profile | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md index 89ee3b1b5c..8e006a237e 100644 --- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md +++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md @@ -1,192 +1,222 @@ --- -title: Policy CSP - ADMX_Thumbnails -description: Learn about Policy CSP - ADMX_Thumbnails. +title: ADMX_Thumbnails Policy CSP +description: Learn more about the ADMX_Thumbnails Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/25/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Thumbnails -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## ADMX_Thumbnails policies + + + -
    -
    - ADMX_Thumbnails/DisableThumbnails -
    -
    - ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders -
    -
    - ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders -
    -
    + +## DisableThumbnails -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_Thumbnails/DisableThumbnails** + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Thumbnails/DisableThumbnails +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer. File Explorer displays thumbnail images by default. -If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images. +- If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images. -If you disable or do not configure this policy setting, File Explorer displays only thumbnail images. +- If you disable or do not configure this policy setting, File Explorer displays only thumbnail images. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off the display of thumbnails and only display icons.* -- GP name: *DisableThumbnails* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Thumbnails.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableThumbnails | +| Friendly Name | Turn off the display of thumbnails and only display icons. | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableThumbnails | +| ADMX File Name | Thumbnails.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## DisableThumbnailsOnNetworkFolders -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders +``` + + + + This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders. File Explorer displays thumbnail images on network folders by default. -If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders. +- If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders. -If you disable or do not configure this policy setting, File Explorer displays only thumbnail images on network folders. +- If you disable or do not configure this policy setting, File Explorer displays only thumbnail images on network folders. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off the display of thumbnails and only display icons on network folders* -- GP name: *DisableThumbnailsOnNetworkFolders* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Thumbnails.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableThumbnailsOnNetworkFolders | +| Friendly Name | Turn off the display of thumbnails and only display icons on network folders | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableThumbnailsOnNetworkFolders | +| ADMX File Name | Thumbnails.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## DisableThumbsDBOnNetworkFolders -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting turns off the caching of thumbnails in hidden thumbs.db files. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders +``` + + + + +Turns off the caching of thumbnails in hidden thumbs.db files. This policy setting allows you to configure File Explorer to cache thumbnails of items residing in network folders in hidden thumbs.db files. -If you enable this policy setting, File Explorer does not create, read from, or write to thumbs.db files. +- If you enable this policy setting, File Explorer does not create, read from, or write to thumbs.db files. -If you disable or do not configure this policy setting, File Explorer creates, reads from, and writes to thumbs.db files. +- If you disable or do not configure this policy setting, File Explorer creates, reads from, and writes to thumbs.db files. + - -> - -ADMX Info: -- GP Friendly name: *Turn off the caching of thumbnails in hidden thumbs.db files* -- GP name: *DisableThumbsDBOnNetworkFolders* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Thumbnails.admx* + + + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +| Name | Value | +|:--|:--| +| Name | DisableThumbsDBOnNetworkFolders | +| Friendly Name | Turn off the caching of thumbnails in hidden thumbs.db files | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableThumbsDBOnNetworkFolders | +| ADMX File Name | Thumbnails.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md index 4ca4f12b6f..28c4c48fb4 100644 --- a/windows/client-management/mdm/policy-csp-admx-touchinput.md +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -1,251 +1,302 @@ --- -title: Policy CSP - ADMX_TouchInput -description: Learn about Policy CSP - ADMX_TouchInput. +title: ADMX_TouchInput Policy CSP +description: Learn more about the ADMX_TouchInput Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/23/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_TouchInput -
    - - -## ADMX_TouchInput policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_TouchInput/TouchInputOff_1 -
    -
    - ADMX_TouchInput/TouchInputOff_2 -
    -
    - ADMX_TouchInput/PanningEverywhereOff_1 -
    -
    - ADMX_TouchInput/PanningEverywhereOff_2 -
    -
    + + + + +## PanningEverywhereOff_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_TouchInput/TouchInputOff_1** + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TouchInput/PanningEverywhereOff_1 +``` + - + + +Turn off Panning +Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you enable this setting, the user will not be able to pan windows by touch. - -
    +- If you disable this setting, the user can pan windows by touch. - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This setting turns off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. - -If you enable this setting, the user won't be able to produce input with touch. They won't be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. - -If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. - -If you don't configure this setting, touch input is on by default. - ->[!NOTE] -> Changes to this setting won't take effect until the user signs out. - - - - -ADMX Info: -- GP Friendly name: *Turn off Tablet PC touch input* -- GP name: *TouchInputOff_1* -- GP path: *Windows Components\Tablet PC\Touch Input* -- GP ADMX file name: *TouchInput.admx* - - - - -**ADMX_TouchInput/TouchInputOff_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This setting turns off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. - -If you enable this setting, the user won't be able to produce input with touch. They won't be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. - -If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. - -If you don't configure this setting, touch input is on by default. - ->[!NOTE] ->Changes to this setting won't take effect until the user signs out. - - - - -ADMX Info: -- GP Friendly name: *Turn off Tablet PC touch input* -- GP name: *TouchInputOff_2* -- GP path: *Windows Components\Tablet PC\Touch Input* -- GP ADMX file name: *TouchInput.admx* - - - - -
    - - -**ADMX_TouchInput/PanningEverywhereOff_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This setting turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. - -If you enable this setting, the user won't be able to pan windows by touch. - -If you disable this setting, the user can pan windows by touch. If you don't configure this setting, Touch Panning is on by default. +- If you do not configure this setting, Touch Panning is on by default. > [!NOTE] -> Changes to this setting won't take effect until the user logs off. +> Changes to this setting will not take effect until the user logs off. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Touch Panning* -- GP name: *PanningEverywhereOff_1* -- GP path: *Windows Components\Tablet PC\Touch Input* -- GP ADMX file name: *TouchInput.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -**ADMX_TouchInput/PanningEverywhereOff_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PanningEverywhereOff_1 | +| Friendly Name | Turn off Touch Panning | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Touch Input | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffPanning | +| ADMX File Name | TouchInput.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## PanningEverywhereOff_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This setting turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TouchInput/PanningEverywhereOff_2 +``` + -If you enable this setting, the user won't be able to pan windows by touch. + + +Turn off Panning +Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. -If you disable this setting, the user can pan windows by touch. If you don't configure this setting, Touch Panning is on by default. +- If you enable this setting, the user will not be able to pan windows by touch. + +- If you disable this setting, the user can pan windows by touch. + +- If you do not configure this setting, Touch Panning is on by default. > [!NOTE] -> Changes to this setting won't take effect until the user logs off. +> Changes to this setting will not take effect until the user logs off. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Touch Panning* -- GP name: *PanningEverywhereOff_2* -- GP path: *Windows Components\Tablet PC\Touch Input* -- GP ADMX file name: *TouchInput.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | PanningEverywhereOff_2 | +| Friendly Name | Turn off Touch Panning | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Touch Input | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffPanning | +| ADMX File Name | TouchInput.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + +## TouchInputOff_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TouchInput/TouchInputOff_1 +``` + + + + +Turn off Tablet PC touch input + +Turns off touch input, which allows the user to interact with their computer using their finger. + +- If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. + +- If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. + +- If you do not configure this setting, touch input is on by default. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TouchInputOff_1 | +| Friendly Name | Turn off Tablet PC touch input | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Touch Input | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffTouchInput | +| ADMX File Name | TouchInput.admx | + + + + + + + + + +## TouchInputOff_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TouchInput/TouchInputOff_2 +``` + + + + +Turn off Tablet PC touch input + +Turns off touch input, which allows the user to interact with their computer using their finger. + +- If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. + +- If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. + +- If you do not configure this setting, touch input is on by default. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TouchInputOff_2 | +| Friendly Name | Turn off Tablet PC touch input | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Touch Input | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffTouchInput | +| ADMX File Name | TouchInput.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index a17ffa7fcc..9237bb81e7 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md 
+++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -1,284 +1,350 @@ --- -title: Policy CSP - ADMX_TPM -description: Learn about Policy CSP - ADMX_TPM. +title: ADMX_TPM Policy CSP +description: Learn more about the ADMX_TPM Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/25/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_TPM + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_TPM policies + +## BlockedCommandsList_Name -
    -
    - ADMX_TPM/BlockedCommandsList_Name -
    -
    - ADMX_TPM/ClearTPMIfNotReady_Name -
    -
    - ADMX_TPM/IgnoreDefaultList_Name -
    -
    - ADMX_TPM/IgnoreLocalList_Name -
    -
    - ADMX_TPM/OSManagedAuth_Name -
    -
    - ADMX_TPM/OptIntoDSHA_Name -
    -
    - ADMX_TPM/StandardUserAuthorizationFailureDuration_Name -
    -
    - ADMX_TPM/StandardUserAuthorizationFailureIndividualThreshold_Name -
    -
    - ADMX_TPM/StandardUserAuthorizationFailureTotalThreshold_Name -
    -
    - ADMX_TPM/UseLegacyDAP_Name -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/BlockedCommandsList_Name +``` + -
    + + +This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. - -**ADMX_TPM/BlockedCommandsList_Name** +- If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To find the command number associated with each TPM command with TPM 1.2, run "tpm.msc" and navigate to the "Command Management" section. - +- If you disable or do not configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM commands. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - - -This policy setting allows you to manage the Policy list of Trusted Platform Module (TPM) commands blocked by Windows. +| Name | Value | +|:--|:--| +| Name | BlockedCommandsList_Name | +| Friendly Name | Configure the list of blocked TPM commands | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Tpm\BlockedCommands | +| Registry Value Name | Enabled | +| ADMX File Name | TPM.admx | + -If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To find the command number associated with each TPM command with TPM 1.2, run "tpm.msc" and navigate to the "Command Management" section. + + + -If you disable or don't configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM commands. + - + +## ClearTPMIfNotReady_Name - -ADMX Info: -- GP Friendly name: *Configure the list of blocked TPM commands* -- GP name: *BlockedCommandsList_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/ClearTPMIfNotReady_Name +``` + - -**ADMX_TPM/ClearTPMIfNotReady_Name** + + +This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system's TPM is in a state other than Ready, including if the TPM is "Ready, with reduced functionality". The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> [!div class = "checklist"] -> * Device +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | ClearTPMIfNotReady_Name | +| Friendly Name | Configure the system to clear the TPM if it is not in a ready state. | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\TPM | +| Registry Value Name | ClearTPMIfNotReadyGP | +| ADMX File Name | TPM.admx | + - - -This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user sign in only if the signed in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and sign in until the policy is disabled or until the TPM is in a Ready state. + + + - + - -ADMX Info: -- GP Friendly name: *Configure the system to clear the TPM if it is not in a ready state.* -- GP name: *ClearTPMIfNotReady_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + +## IgnoreDefaultList_Name - - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_TPM/IgnoreDefaultList_Name** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/IgnoreDefaultList_Name +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. -If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Policy or the local list. +- If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list. -The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Policy list of blocked TPM commands. +The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Group Policy list of blocked TPM commands. -If you disable or don't configure this policy setting, Windows will block the TPM commands in the default list, in addition to commands in the Policy and local lists of blocked TPM commands. +- If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to commands in the Group Policy and local lists of blocked TPM commands. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Ignore the default list of blocked TPM commands* -- GP name: *IgnoreDefaultList_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TPM/IgnoreLocalList_Name** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IgnoreDefaultList_Name | +| Friendly Name | Ignore the default list of blocked TPM commands | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\TPM\BlockedCommands | +| Registry Value Name | IgnoreDefaultList | +| ADMX File Name | TPM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## IgnoreLocalList_Name -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/IgnoreLocalList_Name +``` + + + + This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. -If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Policy or the default list. +- If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list. -The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related policy setting to configure the Policy list of blocked TPM commands. +The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related policy setting to configure the Group Policy list of blocked TPM commands. -If you disable or don't configure this policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Policy and default lists of blocked TPM commands. +- If you disable or do not configure this policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Group Policy and default lists of blocked TPM commands. + - + + + - -ADMX Info: -- GP Friendly name: *Ignore the local list of blocked TPM commands* -- GP name: *IgnoreLocalList_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TPM/OSManagedAuth_Name** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IgnoreLocalList_Name | +| Friendly Name | Ignore the local list of blocked TPM commands | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\TPM\BlockedCommands | +| Registry Value Name | IgnoreLocalList | +| ADMX File Name | TPM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## OptIntoDSHA_Name -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions that require TPM owner authorization without requiring the user to enter the TPM owner password. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/OptIntoDSHA_Name +``` + + + + +This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | OptIntoDSHA_Name | +| Friendly Name | Enable Device Health Attestation Monitoring and Reporting | +| Location | Computer Configuration | +| Path | System > Device Health Attestation Service | +| Registry Key Name | Software\Policies\Microsoft\DeviceHealthAttestationService | +| Registry Value Name | EnableDeviceHealthAttestationService | +| ADMX File Name | TPM.admx | + + + + + + + + + +## OSManagedAuth_Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/OSManagedAuth_Name +``` + + + + +This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password. You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none. -If you enable this policy setting, Windows will store the TPM owner authorization in the registry of the local computer according to the operating system managed TPM authentication setting you choose. +- If you enable this policy setting, Windows will store the TPM owner authorization in the registry of the local computer according to the operating system managed TPM authentication setting you choose. -Choose the operating system managed TPM authentication setting of "Full" to store the full TPM owner authorization, the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that don't depend on preventing reset of the TPM anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may require this setting to be changed before making the features that depend on the TPM anti-hammering logic usable. +Choose the operating system managed TPM authentication setting of "Full" to store the full TPM owner authorization, the TPM administrative delegation blob and the TPM user delegation blob in the local registry. 
This setting allows use of the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios which do not depend on preventing reset of the TPM anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may require this setting be changed before features which depend on the TPM anti-hammering logic can be used. Choose the operating system managed TPM authentication setting of "Delegated" to store only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM anti-hammering logic. @@ -286,89 +352,60 @@ Choose the operating system managed TPM authentication setting of "None" for com > [!NOTE] > If the operating system managed TPM authentication setting is changed from "Full" to "Delegated", the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. + - + + + - -ADMX Info: -- GP Friendly name: *Configure the level of TPM owner authorization information available to the operating system* -- GP name: *OSManagedAuth_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TPM/OptIntoDSHA_Name** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | OSManagedAuth_Name | +| Friendly Name | Configure the level of TPM owner authorization information available to the operating system | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\TPM | +| ADMX File Name | TPM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## StandardUserAuthorizationFailureDuration_Name -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This Policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or Configuration Manager), and won't interfere with their workflows. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/StandardUserAuthorizationFailureDuration_Name +``` + - - - -ADMX Info: -- GP Friendly name: *Enable Device Health Attestation Monitoring and Reporting* -- GP name: *OptIntoDSHA_Name* -- GP path: *System\Device Health Attestation Service* -- GP ADMX file name: *TPM.admx* - - - -
    - - -**ADMX_TPM/StandardUserAuthorizationFailureDuration_Name** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. 
@@ -377,195 +414,263 @@ An authorization failure occurs each time a standard user sends a command to the For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. -The Standard User Lockout Threshold Individual value is the maximum number of authorization failures each standard user may have before the user isn't allowed to send commands requiring authorization to the TPM. +The Standard User Lockout Threshold Individual value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. -The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users aren't allowed to send commands requiring authorization to the TPM. +The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. -The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. 
+The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately. -If this value isn't configured, a default value of 480 minutes (8 hours) is used. +If this value is not configured, a default value of 480 minutes (8 hours) is used. + - -> - -ADMX Info: -- GP Friendly name: *Standard User Lockout Duration* -- GP name: *StandardUserAuthorizationFailureDuration_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_TPM/StandardUserAuthorizationFailureIndividualThreshold_Name** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | StandardUserAuthorizationFailureDuration_Name | +| Friendly Name | Standard User Lockout Duration | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\Tpm | +| Registry Value Name | StandardUserAuthorizationFailureDuration | +| ADMX File Name | TPM.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## StandardUserAuthorizationFailureIndividualThreshold_Name - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/StandardUserAuthorizationFailureIndividualThreshold_Name +``` + + + + This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. -For each standard user, two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. +For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. -This value is the maximum number of authorization failures each standard user may have before the user isn't allowed to send commands requiring authorization to the TPM. +This value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. -The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users aren't allowed to send commands requiring authorization to the TPM. 
+The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. -The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it's global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). 
Each time an administrator resets the TPM's hardware lockout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately. -If this value isn't configured, a default value of 4 is used. +If this value is not configured, a default value of 4 is used. -A value of 0 means the OS won't allow standard users to send commands to the TPM, which may cause an authorization failure. +A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure. + - + + + - -ADMX Info: -- GP Friendly name: *Standard User Individual Lockout Threshold* -- GP name: *StandardUserAuthorizationFailureIndividualThreshold_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TPM/StandardUserAuthorizationFailureTotalThreshold_Name** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | StandardUserAuthorizationFailureIndividualThreshold_Name | +| Friendly Name | Standard User Individual Lockout Threshold | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\Tpm | +| Registry Value Name | StandardUserAuthorizationFailureIndividualThreshold | +| ADMX File Name | TPM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## StandardUserAuthorizationFailureTotalThreshold_Name -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/StandardUserAuthorizationFailureTotalThreshold_Name +``` + + + + This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. -For each standard user, two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. +For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. -The Standard User Individual Lockout value is the maximum number of authorization failures each standard user may have before the user isn't allowed to send commands requiring authorization to the TPM. +The Standard User Individual Lockout value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. -This value is the maximum total number of authorization failures all standard users may have before all standard users aren't allowed to send commands requiring authorization to the TPM. 
+This value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. -The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it's global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). 
Each time an administrator resets the TPM's hardware lockout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately. -If this value isn't configured, a default value of 9 is used. +If this value is not configured, a default value of 9 is used. -A value of 0 means the OS won't allow standard users to send commands to the TPM, which may cause an authorization failure. +A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure. + - + + + - -ADMX Info: -- GP Friendly name: *Standard User Total Lockout Threshold* -- GP name: *StandardUserAuthorizationFailureTotalThreshold_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TPM/UseLegacyDAP_Name** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | StandardUserAuthorizationFailureTotalThreshold_Name | +| Friendly Name | Standard User Total Lockout Threshold | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\Tpm | +| Registry Value Name | StandardUserAuthorizationFailureTotalThreshold | +| ADMX File Name | TPM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## UseLegacyDAP_Name -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this Policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from Policy and b) clear the TPM on the system. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/UseLegacyDAP_Name +``` + - + + +This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. **Note** that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. 
The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b)clear the TPM on the system. + - -ADMX Info: -- GP Friendly name: *Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0.* -- GP name: *UseLegacyDAP_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + + + - - -
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+**ADMX mapping**:
-## Related topics
+| Name | Value |
+|:--|:--|
+| Name | UseLegacyDAP_Name |
+| Friendly Name | Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0. |
+| Location | Computer Configuration |
+| Path | System > Trusted Platform Module Services |
+| Registry Key Name | Software\Policies\Microsoft\TPM |
+| Registry Value Name | UseLegacyDictionaryAttackParameters |
+| ADMX File Name | TPM.admx |
+
-[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
index cc67fba5d3..15da8637a6 100644
--- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
+++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
@@ -1,6664 +1,7960 @@
 ---
-title: Policy CSP - ADMX_UserExperienceVirtualization
-description: Learn about Policy CSP - ADMX_UserExperienceVirtualization.
+title: ADMX_UserExperienceVirtualization Policy CSP
+description: Learn more about the ADMX_UserExperienceVirtualization Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/09/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 09/30/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - ADMX_UserExperienceVirtualization
+
 > [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
    + + + - -## ADMX_UserExperienceVirtualization policies + +## Calculator -
    -
    - ADMX_UserExperienceVirtualization/Calculator -
    -
    - ADMX_UserExperienceVirtualization/ConfigureSyncMethod -
    -
    - ADMX_UserExperienceVirtualization/ConfigureVdi -
    -
    - ADMX_UserExperienceVirtualization/ContactITDescription -
    -
    - ADMX_UserExperienceVirtualization/ContactITUrl -
    -
    - ADMX_UserExperienceVirtualization/DisableWin8Sync -
    -
    - ADMX_UserExperienceVirtualization/DisableWindowsOSSettings -
    -
    - ADMX_UserExperienceVirtualization/EnableUEV -
    -
    - ADMX_UserExperienceVirtualization/Finance -
    -
    - ADMX_UserExperienceVirtualization/FirstUseNotificationEnabled -
    -
    - ADMX_UserExperienceVirtualization/Games -
    -
    - ADMX_UserExperienceVirtualization/InternetExplorer8 -
    -
    - ADMX_UserExperienceVirtualization/InternetExplorer9 -
    -
    - ADMX_UserExperienceVirtualization/InternetExplorer10 -
    -
    - ADMX_UserExperienceVirtualization/InternetExplorer11 -
    -
    - ADMX_UserExperienceVirtualization/InternetExplorerCommon -
    -
    - ADMX_UserExperienceVirtualization/Maps -
    -
    - ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016 -
    -
    - ADMX_UserExperienceVirtualization/Music -
    -
    - ADMX_UserExperienceVirtualization/News -
    -
    - ADMX_UserExperienceVirtualization/Notepad -
    -
    - ADMX_UserExperienceVirtualization/Reader -
    -
    - ADMX_UserExperienceVirtualization/RepositoryTimeout -
    -
    - ADMX_UserExperienceVirtualization/SettingsStoragePath -
    -
    - ADMX_UserExperienceVirtualization/SettingsTemplateCatalogPath -
    -
    - ADMX_UserExperienceVirtualization/Sports -
    -
    - ADMX_UserExperienceVirtualization/SyncEnabled -
    -
    - ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork -
    -
    - ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming -
    -
    - ADMX_UserExperienceVirtualization/SyncProviderPingEnabled -
    -
    - ADMX_UserExperienceVirtualization/SyncUnlistedWindows8Apps -
    -
    - ADMX_UserExperienceVirtualization/Travel -
    -
    - ADMX_UserExperienceVirtualization/TrayIconEnabled -
    -
    - ADMX_UserExperienceVirtualization/Video -
    -
    - ADMX_UserExperienceVirtualization/Weather -
    -
    - ADMX_UserExperienceVirtualization/Wordpad -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Calculator +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Calculator +``` + - -**ADMX_UserExperienceVirtualization/Calculator** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - + + This policy setting configures the synchronization of user settings of Calculator. - By default, the user settings of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization between computers. +- If you enable this policy setting, the Calculator user settings continue to synchronize. +- If you disable this policy setting, Calculator user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + -If you enable this policy setting, the Calculator user settings continue to synchronize. + + + -If you disable this policy setting, Calculator user settings are excluded from the synchronization settings. + +**Description framework properties**: -If you don't configure this policy setting, any defined values will be deleted. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Calculator* -- GP name: *Calculator* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | Calculator | +| Friendly Name | Calculator | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| Registry Value Name | MicrosoftCalculator6 | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/ConfigureSyncMethod** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## ConfigureSyncMethod - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/ConfigureSyncMethod +``` -> [!div class = "checklist"] -> * Device -> * User +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/ConfigureSyncMethod +``` + -
    - - - -This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers. - -With Sync Method set to ”SyncProvider,” the UE-V Agent uses a built-in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings storage location. - -When SyncMethod is set to “None,” the UE-V Agent uses no sync provider. Settings are written directly to the settings storage location rather than being cached to sync later. - -Set SyncMethod to “External” when an external synchronization engine is being deployed for settings sync. This could use OneDrive, Work Folders, SharePoint or any other engine that uses a local folder to synchronize data between users’ computers. In this mode, UE-V writes settings data to the local folder specified in the settings storage path. - -These settings are then synchronized to other computers by an external synchronization engine. UE-V has no control over this synchronization. It only reads and writes the settings data when the normal UE-V triggers take place. + + +This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users' computers. With Sync Method set to "SyncProvider," the UE-V Agent uses a built-in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings storage location. +When SyncMethod is set to "None," the UE-V Agent uses no sync provider. Settings are written directly to the settings storage location rather than being cached to sync later. +Set SyncMethod to "External" when an external synchronization engine is being deployed for settings sync. 
This could use OneDrive, Work Folders, SharePoint or any other engine that uses a local folder to synchronize data between users' computers. In this mode, UE-V writes settings data to the local folder specified in the settings storage path. These settings are then synchronized to other computers by an external synchronization engine. UE-V has no control over this synchronization. It only reads and writes the settings data when the normal UE-V triggers take place. With notifications enabled, UE-V users receive a message when the settings sync is delayed. The notification delay policy setting defines the delay before a notification appears. +- If you disable this policy setting, the sync provider is used to synchronize settings between computers and the settings storage location. +- If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, the sync provider is used to synchronize settings between computers and the settings storage location. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Configure Sync Method* -- GP name: *ConfigureSyncMethod* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/ConfigureVdi** +| Name | Value | +|:--|:--| +| Name | ConfigureSyncMethod | +| Friendly Name | Configure Sync Method | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## ConfigureVdi - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/ConfigureVdi +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/ConfigureVdi +``` + - - -This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. + + +This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. Enable this setting to register a VDI-specific settings location template and restore data on computers in pooled VDI environments that reset to a clean state on logout. With this policy enabled you can roll settings back to the state when UE-V was installed or to "last-known-good" configurations. Only enable this policy setting on computers running in a non-persistent VDI environment. The VDI Collection Name defines the name of the virtual desktop collection containing the virtual computers. +- If you enable this policy setting, the UE-V rollback state is copied to the settings storage location on logout and restored on login. +- If you disable this policy setting, no UE-V rollback state is copied to the settings storage location. +- If you do not configure this policy, no UE-V rollback state is copied to the settings storage location. + -UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. 
+ + + -Enable this setting to register a VDI-specific settings location template and restore data on computers in pooled VDI environments that reset to a clean state on logout. With this policy enabled you can roll settings back to the state when UE-V was installed or to “last-known-good” configurations. Only enable this policy setting on computers running in a non-persistent VDI environment. The VDI Collection Name defines the name of the virtual desktop collection containing the virtual computers. + +**Description framework properties**: -If you enable this policy setting, the UE-V rollback state is copied to the settings storage location on logout and restored on login. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you disable this policy setting, no UE-V rollback state is copied to the settings storage location. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you don't configure this policy, no UE-V rollback state is copied to the settings storage location. - +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *VDI Configuration* -- GP name: *ConfigureVdi* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Name | Value | +|:--|:--| +| Name | ConfigureVdi | +| Friendly Name | VDI Configuration | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\WindowsSettings | +| Registry Value Name | VdiState | +| ADMX File Name | UserExperienceVirtualization.admx | + - - -
    + + + - -**ADMX_UserExperienceVirtualization/ContactITDescription** + - + +## ContactITDescription -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/ContactITDescription +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. +- If you enable this policy setting, the Company Settings Center displays the specified text in the link to the Contact IT URL. +- If you disable this policy setting, the Company Settings Center does not display an IT Contact link. +- If you do not configure this policy setting, any defined values will be deleted. + -If you enable this policy setting, the Company Settings Center displays the specified text in the link to the Contact IT URL. + + + -If you disable this policy setting, the Company Settings Center doesn't display an IT Contact link. + +**Description framework properties**: -If you don't configure this policy setting, any defined values will be deleted. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Contact IT Link Text* -- GP name: *ContactITDescription* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | ContactITDescription | +| Friendly Name | Contact IT Link Text | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/ContactITUrl** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## ContactITUrl - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/ContactITUrl +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies the URL for the Contact IT link in the Company Settings Center. +- If you enable this policy setting, the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as http or mailto. +- If you disable this policy setting, the Company Settings Center does not display an IT Contact link. +- If you do not configure this policy setting, any defined values will be deleted. + -If you enable this policy setting, the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as http or mailto. + + + -If you disable this policy setting, the Company Settings Center doesn't display an IT Contact link. + +**Description framework properties**: -If you don't configure this policy setting, any defined values will be deleted. - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Contact IT URL* -- GP name: *ContactITUrl* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/DisableWin8Sync** +| Name | Value | +|:--|:--| +| Name | ContactITUrl | +| Friendly Name | Contact IT URL | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableWin8Sync - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/DisableWin8Sync +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/DisableWin8Sync +``` + - - + + This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. - By default, the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storage location. - -If you enable this policy setting, the UE-V Agent won't synchronize settings for Windows apps. - -If you disable this policy setting, the UE-V Agent will synchronize settings for Windows apps. - -If you don't configure this policy setting, any defined values are deleted. - +- If you enable this policy setting, the UE-V Agent will not synchronize settings for Windows apps. +- If you disable this policy setting, the UE-V Agent will synchronize settings for Windows apps. +- If you do not configure this policy setting, any defined values are deleted. > [!NOTE] -> If the user connects their Microsoft account for their computer then the UE-V Agent won't synchronize Windows apps. The Windows apps will default to whatever settings are configured in the Sync your settings configuration in Windows. +> If the user connects their Microsoft account for their computer then the UE-V Agent will not synchronize Windows apps. The Windows apps will default to whatever settings are configured in the Sync your settings configuration in Windows. + - + + + - -ADMX Info: -- GP Friendly name: *don't synchronize Windows Apps* -- GP name: *DisableWin8Sync* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_UserExperienceVirtualization/DisableWindowsOSSettings** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableWin8Sync | +| Friendly Name | Do not synchronize Windows Apps | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | DontSyncWindows8AppSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device -> * User + +## DisableWindowsOSSettings -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/DisableWindowsOSSettings +``` -If you enable this policy setting, only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/DisableWindowsOSSettings +``` + -If you disable this policy setting, all Windows Settings are excluded from the settings synchronization. + + +This policy setting configures the synchronization of Windows settings between computers. +Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. +- If you enable this policy setting, only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization. +- If you disable this policy setting, all Windows Settings are excluded from the settings synchronization. +- If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. 
+ + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Synchronize Windows settings* -- GP name: *DisableWindowsOSSettings* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_UserExperienceVirtualization/EnableUEV** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableWindowsOSSettings | +| Friendly Name | Synchronize Windows settings | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\WindowsSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableUEV -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/EnableUEV +``` + - - -This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. + + +This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboot is needed for enable to take effect. With Auto-register inbox templates enabled, the UE-V inbox templates such as Office 2016 will be automatically registered when the UE-V Service is enabled. If this option is changed, it will only take effect when UE-V service is re-enabled. + -Reboot is needed for enable to take effect. With Auto-register inbox templates enabled, the UE-V inbox templates such as Office 2016 will be automatically registered when the UE-V Service is enabled. If this option is changed, it will only take effect when UE-V service is re-enabled. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable UEV* -- GP name: *EnableUEV* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_UserExperienceVirtualization/Finance** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableUEV | +| Friendly Name | Enable UEV | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent | +| Registry Value Name | Enabled | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Finance -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Finance +``` - - -This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Finance +``` + -If you enable this policy setting, Finance user settings continue to sync. + + +This policy setting configures the synchronization of user settings for the Finance app. +By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. +- If you enable this policy setting, Finance user settings continue to sync. +- If you disable this policy setting, Finance user settings are excluded from synchronization. +- If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, Finance user settings are excluded from synchronization. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Finance* -- GP name: *Finance* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/FirstUseNotificationEnabled** +| Name | Value | +|:--|:--| +| Name | Finance | +| Friendly Name | Finance | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingFinance_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## FirstUseNotificationEnabled - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/FirstUseNotificationEnabled +``` + + + +This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. +By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. With this setting enabled, the notification appears the first time that the UE-V Agent runs. - With this setting disabled, no notification appears. +- If you do not configure this policy setting, any defined values are deleted. + -If you don't configure this policy setting, any defined values are deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *First Use Notification* -- GP name: *FirstUseNotificationEnabled* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_UserExperienceVirtualization/Games** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | FirstUseNotificationEnabled | +| Friendly Name | First Use Notification | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | FirstUseNotificationEnabled | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Games -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Games +``` - - -This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Games +``` + -If you enable this policy setting, Games user settings continue to sync. + + +This policy setting configures the synchronization of user settings for the Games app. +By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. +- If you enable this policy setting, Games user settings continue to sync. +- If you disable this policy setting, Games user settings are excluded from synchronization. +- If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, Games user settings are excluded from synchronization. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Games* -- GP name: *Games* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/InternetExplorer8** +| Name | Value | +|:--|:--| +| Name | Games | +| Friendly Name | Games | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.XboxLIVEGames_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## InternetExplorer10 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer10 +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer10 +``` + - - + + +This policy setting configures the synchronization of user settings of Internet Explorer 10. +By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. +- If you enable this policy setting, the Internet Explorer 10 user settings continue to synchronize. +- If you disable this policy setting, Internet Explorer 10 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | InternetExplorer10 | +| Friendly Name | Internet Explorer 10 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| Registry Value Name | MicrosoftInternetExplorer.Version10 | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## InternetExplorer11 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer11 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer11 +``` + + + + +This policy setting configures the synchronization of user settings of Internet Explorer 11. +By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. +- If you enable this policy setting, the Internet Explorer 11 user settings continue to synchronize. +- If you disable this policy setting, Internet Explorer 11 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | InternetExplorer11 | +| Friendly Name | Internet Explorer 11 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| Registry Value Name | MicrosoftInternetExplorer.Version11 | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## InternetExplorer8 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer8 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer8 +``` + + + + This policy setting configures the synchronization of user settings for Internet Explorer 8. - By default, the user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 8 from synchronization between computers. +- If you enable this policy setting, the Internet Explorer 8 user settings continue to synchronize. +- If you disable this policy setting, Internet Explorer 8 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + -If you enable this policy setting, the Internet Explorer 8 user settings continue to synchronize. + + + -If you disable this policy setting, Internet Explorer 8 user settings are excluded from the synchronization settings. + +**Description framework properties**: -If you don't configure this policy setting, any defined values will be deleted. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Internet Explorer 8* -- GP name: *InternetExplorer8* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | InternetExplorer8 | +| Friendly Name | Internet Explorer 8 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| Registry Value Name | MicrosoftInternetExplorer.Version8 | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/InternetExplorer9** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## InternetExplorer9 - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer9 +``` -> [!div class = "checklist"] -> * Device -> * User +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer9 +``` + -
    + + +This policy setting configures the synchronization of user settings for Internet Explorer 9. +By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. +- If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize. +- If you disable this policy setting, Internet Explorer 9 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + - - -This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. + + + -If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize. + +**Description framework properties**: -If you disable this policy setting, Internet Explorer 9 user settings are excluded from the synchronization settings. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you don't configure this policy setting, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | InternetExplorer9 | +| Friendly Name | Internet Explorer 9 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| Registry Value Name | MicrosoftInternetExplorer.Version9 | +| ADMX File Name | UserExperienceVirtualization.admx | + - -ADMX Info: -- GP Friendly name: *Internet Explorer 9* -- GP name: *InternetExplorer9* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + + + - - -
    + - -**ADMX_UserExperienceVirtualization/InternetExplorer10** + +## InternetExplorerCommon - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorerCommon +``` - -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorerCommon +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. - -If you enable this policy setting, the Internet Explorer 10 user settings continue to synchronize. - -If you disable this policy setting, Internet Explorer 10 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Internet Explorer 10* -- GP name: *InternetExplorer10* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/InternetExplorer11** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. - -If you enable this policy setting, the Internet Explorer 11 user settings continue to synchronize. - -If you disable this policy setting, Internet Explorer 11 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Internet Explorer 11* -- GP name: *InternetExplorer11* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/InternetExplorerCommon** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - + + This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. By default, the user settings which are common between the versions of Internet Explorer synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization between computers. - -If you enable this policy setting, the user settings which are common between the versions of Internet Explorer continue to synchronize. - -If you disable this policy setting, the user settings which are common between the versions of Internet Explorer are excluded from settings synchronization. If any version of the Internet Explorer settings are enabled this policy setting should not be disabled. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Internet Explorer Common Settings* -- GP name: *InternetExplorerCommon* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - - - -**ADMX_UserExperienceVirtualization/Maps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. - -If you enable this policy setting, Maps user settings continue to sync. - -If you disable this policy setting, Maps user settings are excluded from synchronization. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Maps* -- GP name: *Maps* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent doesn't report information about package file size. - -If you enable this policy setting, specify the threshold file size in bytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log. - -If you disable or don't configure this policy setting, no event is written to the event log to report settings package size. - - - - -ADMX Info: -- GP Friendly name: *Settings package size warning threshold* -- GP name: *MaxPackageSizeInBytes* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. - -If you enable this policy setting, Microsoft Access 2010 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Access 2010 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft Access 2010* -- GP name: *MicrosoftOffice2010Access* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. - -If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications continue to synchronize. - -If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2010 applications are enabled, this policy setting should not be disabled - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 2010 Common Settings* -- GP name: *MicrosoftOffice2010Common* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
-This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers.
-
-If you enable this policy setting, Microsoft Excel 2010 user settings continue to synchronize.
-
-If you disable this policy setting, Microsoft Excel 2010 user settings are excluded from the synchronization settings.
-
-If you don't configure this policy setting, any defined values will be deleted.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Microsoft Excel 2010*
-- GP name: *MicrosoftOffice2010Excel*
-- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications*
-- GP ADMX file name: *UserExperienceVirtualization.admx*
-
-
-
-
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
-This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers.
-
-If you enable this policy setting, Microsoft InfoPath 2010 user settings continue to synchronize.
-
-If you disable this policy setting, Microsoft InfoPath 2010 user settings are excluded from the synchronization settings.
-
-If you don't configure this policy setting, any defined values will be deleted.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Microsoft InfoPath 2010*
-- GP name: *MicrosoftOffice2010InfoPath*
-- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications*
-- GP ADMX file name: *UserExperienceVirtualization.admx*
-
-
-
-
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
-This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers.
-
-If you enable this policy setting, Microsoft Lync 2010 user settings continue to synchronize.
-
-If you disable this policy setting, Microsoft Lync 2010 user settings are excluded from the synchronization settings.
-
-If you don't configure this policy setting, any defined values will be deleted.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Microsoft Lync 2010*
-- GP name: *MicrosoftOffice2010Lync*
-- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications*
-- GP ADMX file name: *UserExperienceVirtualization.admx*
-
-
-
-
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
-This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers.
-
-If you enable this policy setting, Microsoft OneNote 2010 user settings continue to synchronize.
-
-If you disable this policy setting, Microsoft OneNote 2010 user settings are excluded from the synchronization settings.
-
-If you don't configure this policy setting, any defined values will be deleted.
-
-
-
-ADMX Info:
-- GP Friendly name: *Microsoft OneNote 2010*
-- GP name: *MicrosoftOffice2010OneNote*
-- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications*
-- GP ADMX file name: *UserExperienceVirtualization.admx*
-
-
-
-
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
-This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers.
-
-If you enable this policy setting, Microsoft Outlook 2010 user settings continue to synchronize.
-
-If you disable this policy setting, Microsoft Outlook 2010 user settings are excluded from the synchronization settings.
-
-If you don't configure this policy setting, any defined values will be deleted.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Microsoft Outlook 2010*
-- GP name: *MicrosoftOffice2010Outlook*
-- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications*
-- GP ADMX file name: *UserExperienceVirtualization.admx*
-
-
-
-
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
-This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers.
-
-If you enable this policy setting, Microsoft PowerPoint 2010 user settings continue to synchronize.
-
-If you disable this policy setting, Microsoft PowerPoint 2010 user settings are excluded from the synchronization settings.
-
-If you don't configure this policy setting, any defined values will be deleted.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Microsoft PowerPoint 2010*
-- GP name: *MicrosoftOffice2010PowerPoint*
-- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications*
-- GP ADMX file name: *UserExperienceVirtualization.admx*
-
-
-
-
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
-This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers.
-
-If you enable this policy setting, Microsoft Project 2010 user settings continue to synchronize.
-
-If you disable this policy setting, Microsoft Project 2010 user settings are excluded from the synchronization settings.
-
-If you don't configure this policy setting, any defined values will be deleted.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Microsoft Project 2010*
-- GP name: *MicrosoftOffice2010Project*
-- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications*
-- GP ADMX file name: *UserExperienceVirtualization.admx*
-
-
-
-
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
-This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers.
-
-If you enable this policy setting, Microsoft Publisher 2010 user settings continue to synchronize.
-
-If you disable this policy setting, Microsoft Publisher 2010 user settings are excluded from the synchronization settings.
-
-If you don't configure this policy setting, any defined values will be deleted.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Microsoft Publisher 2010*
-- GP name: *MicrosoftOffice2010Publisher*
-- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications*
-- GP ADMX file name: *UserExperienceVirtualization.admx*
-
-
-
-
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
-This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers.
-
-If you enable this policy setting, Microsoft SharePoint Designer 2010 user settings continue to synchronize.
-
-If you disable this policy setting, Microsoft SharePoint Designer 2010 user settings are excluded from the synchronization settings.
-
-If you don't configure this policy setting, any defined values will be deleted.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Microsoft SharePoint Designer 2010*
-- GP name: *MicrosoftOffice2010SharePointDesigner*
-- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications*
-- GP ADMX file name: *UserExperienceVirtualization.admx*
-
-
-
-
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
-This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers.
-
-If you enable this policy setting, Microsoft SharePoint Workspace 2010 user settings continue to synchronize.
-
-If you disable this policy setting, Microsoft SharePoint Workspace 2010 user settings are excluded from the synchronization settings.
-
-If you don't configure this policy setting, any defined values will be deleted.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Microsoft SharePoint Workspace 2010*
-- GP name: *MicrosoftOffice2010SharePointWorkspace*
-- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications*
-- GP ADMX file name: *UserExperienceVirtualization.admx*
-
-
-
-
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
-This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers.
-
-If you enable this policy setting, Microsoft Visio 2010 user settings continue to synchronize.
-
-If you disable this policy setting, Microsoft Visio 2010 user settings are excluded from the synchronization settings.
-
-If you don't configure this policy setting, any defined values will be deleted.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Microsoft Visio 2010*
-- GP name: *MicrosoftOffice2010Visio*
-- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications*
-- GP ADMX file name: *UserExperienceVirtualization.admx*
-
-
-
-
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
-This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers.
-
-If you enable this policy setting, Microsoft Word 2010 user settings continue to synchronize.
-
-If you disable this policy setting, Microsoft Word 2010 user settings are excluded from the synchronization settings.
-
-If you don't configure this policy setting, any defined values will be deleted.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Microsoft Word 2010*
-- GP name: *MicrosoftOffice2010Word*
-- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications*
-- GP ADMX file name: *UserExperienceVirtualization.admx*
-
-
-
-
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
-This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers.
-
-If you enable this policy setting, Microsoft Access 2013 user settings continue to synchronize.
-
-If you disable this policy setting, Microsoft Access 2013 user settings are excluded from the synchronization settings.
-
-If you don't configure this policy setting, any defined values will be deleted.
-
-
-
-ADMX Info:
-- GP Friendly name: *Microsoft Access 2013*
-- GP name: *MicrosoftOffice2013Access*
-- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications*
-- GP ADMX file name: *UserExperienceVirtualization.admx*
-
-
-
-
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
-This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings.
-
-If you enable this policy setting, certain user settings of Microsoft Access 2013 will continue to be backed up.
-
-If you disable this policy setting, certain user settings of Microsoft Access 2013 won't be backed up.
-
-If you don't configure this policy setting, any defined values will be deleted.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Access 2013 backup only*
-- GP name: *MicrosoftOffice2013AccessBackup*
-- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications*
-- GP ADMX file name: *UserExperienceVirtualization.admx*
-
-
-
-
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
-This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers.
-
-If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize.
-
-If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2013 applications are enabled, this policy setting should not be disabled.
-
-If you don't configure this policy setting, any defined values will be deleted.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Microsoft Office 2013 Common Settings*
-- GP name: *MicrosoftOffice2013Common*
-- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications*
-- GP ADMX file name: *UserExperienceVirtualization.admx*
-
-
-
-
-
-
-**ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-> * User
-
-
-
-
-
+- If you enable this policy setting, the user settings which are common between the versions of Internet Explorer continue to synchronize.
+- If you disable this policy setting, the user settings which are common between the versions of Internet Explorer are excluded from settings synchronization. If any version of the Internet Explorer settings are enabled this policy setting should not be disabled.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | InternetExplorerCommon |
+| Friendly Name | Internet Explorer Common Settings |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## Maps
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Maps
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Maps
+```
+
+
+
+
+This policy setting configures the synchronization of user settings for the Maps app.
+By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers.
+- If you enable this policy setting, Maps user settings continue to sync.
+- If you disable this policy setting, Maps user settings are excluded from synchronization.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Maps |
+| Friendly Name | Maps |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingMaps_8wekyb3d8bbwe |
+| Registry Value Name | SyncSettings |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MaxPackageSizeInBytes
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes
+```
+
+
+
+
+This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size.
+- If you enable this policy setting, specify the threshold file size in bytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log.
+- If you disable or do not configure this policy setting, no event is written to the event log to report settings package size.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MaxPackageSizeInBytes |
+| Friendly Name | Settings package size warning threshold |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2010Access
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access
+```
+
+
+
+
+This policy setting configures the synchronization of user settings for Microsoft Access 2010.
+By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers.
+- If you enable this policy setting, Microsoft Access 2010 user settings continue to synchronize.
+- If you disable this policy setting, Microsoft Access 2010 user settings are excluded from the synchronization settings.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2010Access |
+| Friendly Name | Microsoft Access 2010 |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2010Common
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common
+```
+
+
+
+
+This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications.
+By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers.
+- If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications continue to synchronize.
+- If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2010 applications are enabled, this policy setting should not be disabled
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2010Common |
+| Friendly Name | Microsoft Office 2010 Common Settings |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2010Excel
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel
+```
+
+
+
+
+This policy setting configures the synchronization of user settings for Microsoft Excel 2010.
+By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers.
+- If you enable this policy setting, Microsoft Excel 2010 user settings continue to synchronize.
+- If you disable this policy setting, Microsoft Excel 2010 user settings are excluded from the synchronization settings.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2010Excel |
+| Friendly Name | Microsoft Excel 2010 |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2010InfoPath
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath
+```
+
+
+
+
+This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010.
+By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers.
+- If you enable this policy setting, Microsoft InfoPath 2010 user settings continue to synchronize.
+- If you disable this policy setting, Microsoft InfoPath 2010 user settings are excluded from the synchronization settings.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2010InfoPath |
+| Friendly Name | Microsoft InfoPath 2010 |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2010Lync
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync
+```
+
+
+
+
+This policy setting configures the synchronization of user settings for Microsoft Lync 2010.
+By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers.
+- If you enable this policy setting, Microsoft Lync 2010 user settings continue to synchronize.
+- If you disable this policy setting, Microsoft Lync 2010 user settings are excluded from the synchronization settings.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2010Lync |
+| Friendly Name | Microsoft Lync 2010 |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| Registry Value Name | MicrosoftLync2010 |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2010OneNote
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote
+```
+
+
+
+
+This policy setting configures the synchronization of user settings for Microsoft OneNote 2010.
+By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers.
+- If you enable this policy setting, Microsoft OneNote 2010 user settings continue to synchronize.
+- If you disable this policy setting, Microsoft OneNote 2010 user settings are excluded from the synchronization settings.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2010OneNote |
+| Friendly Name | Microsoft OneNote 2010 |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2010Outlook
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook
+```
+
+
+
+
+This policy setting configures the synchronization of user settings for Microsoft Outlook 2010.
+By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers.
+- If you enable this policy setting, Microsoft Outlook 2010 user settings continue to synchronize.
+- If you disable this policy setting, Microsoft Outlook 2010 user settings are excluded from the synchronization settings.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2010Outlook |
+| Friendly Name | Microsoft Outlook 2010 |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2010PowerPoint
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint
+```
+
+
+
+
+This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010.
+By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers.
+- If you enable this policy setting, Microsoft PowerPoint 2010 user settings continue to synchronize.
+- If you disable this policy setting, Microsoft PowerPoint 2010 user settings are excluded from the synchronization settings.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2010PowerPoint |
+| Friendly Name | Microsoft PowerPoint 2010 |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2010Project
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project
+```
+
+
+
+
+This policy setting configures the synchronization of user settings for Microsoft Project 2010.
+By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers.
+- If you enable this policy setting, Microsoft Project 2010 user settings continue to synchronize.
+- If you disable this policy setting, Microsoft Project 2010 user settings are excluded from the synchronization settings.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2010Project |
+| Friendly Name | Microsoft Project 2010 |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2010Publisher
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher
+```
+
+
+
+
+This policy setting configures the synchronization of user settings for Microsoft Publisher 2010.
+By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers.
+- If you enable this policy setting, Microsoft Publisher 2010 user settings continue to synchronize.
+- If you disable this policy setting, Microsoft Publisher 2010 user settings are excluded from the synchronization settings.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2010Publisher |
+| Friendly Name | Microsoft Publisher 2010 |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2010SharePointDesigner
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner
+```
+
+
+
+
+This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010.
+By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers.
+- If you enable this policy setting, Microsoft SharePoint Designer 2010 user settings continue to synchronize.
+- If you disable this policy setting, Microsoft SharePoint Designer 2010 user settings are excluded from the synchronization settings.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2010SharePointDesigner |
+| Friendly Name | Microsoft SharePoint Designer 2010 |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2010SharePointWorkspace
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace
+```
+
+
+
+
+This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010.
+By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers.
+- If you enable this policy setting, Microsoft SharePoint Workspace 2010 user settings continue to synchronize.
+- If you disable this policy setting, Microsoft SharePoint Workspace 2010 user settings are excluded from the synchronization settings.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2010SharePointWorkspace |
+| Friendly Name | Microsoft SharePoint Workspace 2010 |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2010Visio
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio
+```
+
+
+
+
+This policy setting configures the synchronization of user settings for Microsoft Visio 2010.
+By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers.
+- If you enable this policy setting, Microsoft Visio 2010 user settings continue to synchronize.
+- If you disable this policy setting, Microsoft Visio 2010 user settings are excluded from the synchronization settings.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2010Visio |
+| Friendly Name | Microsoft Visio 2010 |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2010Word
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word
+```
+
+
+
+
+This policy setting configures the synchronization of user settings for Microsoft Word 2010.
+By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers.
+- If you enable this policy setting, Microsoft Word 2010 user settings continue to synchronize.
+- If you disable this policy setting, Microsoft Word 2010 user settings are excluded from the synchronization settings.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2010Word |
+| Friendly Name | Microsoft Word 2010 |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2013Access
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access
+```
+
+
+
+
+This policy setting configures the synchronization of user settings for Microsoft Access 2013.
+By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers.
+- If you enable this policy setting, Microsoft Access 2013 user settings continue to synchronize.
+- If you disable this policy setting, Microsoft Access 2013 user settings are excluded from the synchronization settings.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2013Access |
+| Friendly Name | Microsoft Access 2013 |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2013AccessBackup
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup
+```
+
+
+
+
+This policy setting configures the backup of certain user settings for Microsoft Access 2013.
+Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings.
+- If you enable this policy setting, certain user settings of Microsoft Access 2013 will continue to be backed up.
+- If you disable this policy setting, certain user settings of Microsoft Access 2013 will not be backed up.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2013AccessBackup |
+| Friendly Name | Access 2013 backup only |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2013Common
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common
+```
+
+
+
+
+This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications.
+By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers.
+- If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize.
+- If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2013 applications are enabled, this policy setting should not be disabled.
+- If you do not configure this policy setting, any defined values will be deleted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MicrosoftOffice2013Common |
+| Friendly Name | Microsoft Office 2013 Common Settings |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft User Experience Virtualization > Applications |
+| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications |
+| ADMX File Name | UserExperienceVirtualization.admx |
+
+
+
+
+
+
+
+
+
+## MicrosoftOffice2013CommonBackup
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup +``` + + + + This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. - Microsoft Office Suite 2013 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2013 applications. +- If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up. +- If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + -If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up. + + + -If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications won't be backed up. + +**Description framework properties**: -If you don't configure this policy setting, any defined values will be deleted. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- -ADMX Info: -- GP Friendly name: *Common 2013 backup only* -- GP name: *MicrosoftOffice2013CommonBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013CommonBackup | +| Friendly Name | Common 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2013Excel - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel +``` -> [!div class = "checklist"] -> * Device -> * User +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel +``` + -
    - - - + + This policy setting configures the synchronization of user settings for Microsoft Excel 2013. - By default, the user settings of Microsoft Excel 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2013 from synchronization between computers. - -If you enable this policy setting, Microsoft Excel 2013 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Excel 2013 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - -ADMX Info: -- GP Friendly name: *Microsoft Excel 2013* -- GP name: *MicrosoftOffice2013Excel* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. - -If you enable this policy setting, certain user settings of Microsoft Excel 2013 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft Excel 2013 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Excel 2013 backup only* -- GP name: *MicrosoftOffice2013ExcelBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. - -If you enable this policy setting, Microsoft InfoPath 2013 user settings continue to synchronize. - -If you disable this policy setting, Microsoft InfoPath 2013 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft InfoPath 2013* -- GP name: *MicrosoftOffice2013InfoPath* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. - -If you enable this policy setting, certain user settings of Microsoft InfoPath 2013 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft InfoPath 2013 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *InfoPath 2013 backup only* -- GP name: *MicrosoftOffice2013InfoPathBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. - -If you enable this policy setting, Microsoft Lync 2013 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Lync 2013 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft Lync 2013* -- GP name: *MicrosoftOffice2013Lync* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. - -If you enable this policy setting, certain user settings of Microsoft Lync 2013 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft Lync 2013 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Lync 2013 backup only* -- GP name: *MicrosoftOffice2013LyncBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. - -If you enable this policy setting, OneDrive for Business 2013 user settings continue to synchronize. - -If you disable this policy setting, OneDrive for Business 2013 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft OneDrive for Business 2013* -- GP name: *MicrosoftOffice2013OneDriveForBusiness* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. - -If you enable this policy setting, Microsoft OneNote 2013 user settings continue to synchronize. - -If you disable this policy setting, Microsoft OneNote 2013 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft OneNote 2013* -- GP name: *MicrosoftOffice2013OneNote* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. - -If you enable this policy setting, certain user settings of Microsoft OneNote 2013 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft OneNote 2013 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *OneNote 2013 backup only* -- GP name: *MicrosoftOffice2013OneNoteBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. - -If you enable this policy setting, Microsoft Outlook 2013 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Outlook 2013 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft Outlook 2013* -- GP name: *MicrosoftOffice2013Outlook* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. - -If you enable this policy setting, certain user settings of Microsoft Outlook 2013 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft Outlook 2013 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Outlook 2013 backup only* -- GP name: *MicrosoftOffice2013OutlookBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. - -If you enable this policy setting, Microsoft PowerPoint 2013 user settings continue to synchronize. - -If you disable this policy setting, Microsoft PowerPoint 2013 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft PowerPoint 2013* -- GP name: *MicrosoftOffice2013PowerPoint* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. - -If you enable this policy setting, certain user settings of Microsoft PowerPoint 2013 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft PowerPoint 2013 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *PowerPoint 2013 backup only* -- GP name: *MicrosoftOffice2013PowerPointBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. - -If you enable this policy setting, Microsoft Project 2013 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Project 2013 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft Project 2013* -- GP name: *MicrosoftOffice2013Project* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. - -If you enable this policy setting, certain user settings of Microsoft Project 2013 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft Project 2013 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Project 2013 backup only* -- GP name: *MicrosoftOffice2013ProjectBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. - -If you enable this policy setting, Microsoft Publisher 2013 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Publisher 2013 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Publisher 2013* -- GP name: *MicrosoftOffice2013Publisher* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. - -If you enable this policy setting, certain user settings of Microsoft Publisher 2013 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft Publisher 2013 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Publisher 2013 backup only* -- GP name: *MicrosoftOffice2013PublisherBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. - -If you enable this policy setting, Microsoft SharePoint Designer 2013 user settings continue to synchronize. - -If you disable this policy setting, Microsoft SharePoint Designer 2013 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft SharePoint Designer 2013* -- GP name: *MicrosoftOffice2013SharePointDesigner* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. - -If you enable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *SharePoint Designer 2013 backup only* -- GP name: *MicrosoftOffice2013SharePointDesignerBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. - -If you enable this policy setting, Microsoft Office 2013 Upload Center user settings continue to synchronize. - -If you disable this policy setting, Microsoft Office 2013 Upload Center user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 2013 Upload Center* -- GP name: *MicrosoftOffice2013UploadCenter* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. - -If you enable this policy setting, Microsoft Visio 2013 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Visio 2013 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Visio 2013* -- GP name: *MicrosoftOffice2013Visio* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. - -If you enable this policy setting, certain user settings of Microsoft Visio 2013 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft Visio 2013 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Visio 2013 backup only* -- GP name: *MicrosoftOffice2013VisioBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. - -If you enable this policy setting, Microsoft Word 2013 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Word 2013 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft Word 2013* -- GP name: *MicrosoftOffice2013Word* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. - -If you enable this policy setting, certain user settings of Microsoft Word 2013 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft Word 2013 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Word 2013 backup only* -- GP name: *MicrosoftOffice2013WordBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. - -If you enable this policy setting, Microsoft Access 2016 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Access 2016 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft Access 2016* -- GP name: *MicrosoftOffice2016Access* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. - -If you enable this policy setting, certain user settings of Microsoft Access 2016 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft Access 2016 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Access 2016 backup only* -- GP name: *MicrosoftOffice2016AccessBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. - -If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize. - -If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2016 applications are enabled, this policy setting should not be disabled. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 2016 Common Settings* -- GP name: *MicrosoftOffice2016Common* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - +- If you enable this policy setting, Microsoft Excel 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Excel 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Excel | +| Friendly Name | Microsoft Excel 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013ExcelBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Excel 2013. +Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. +- If you enable this policy setting, certain user settings of Microsoft Excel 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Excel 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013ExcelBackup | +| Friendly Name | Excel 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013InfoPath + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. +By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. +- If you enable this policy setting, Microsoft InfoPath 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft InfoPath 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013InfoPath | +| Friendly Name | Microsoft InfoPath 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013InfoPathBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. +Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. +- If you enable this policy setting, certain user settings of Microsoft InfoPath 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft InfoPath 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013InfoPathBackup | +| Friendly Name | InfoPath 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013Lync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Lync 2013. +By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. +- If you enable this policy setting, Microsoft Lync 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Lync 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Lync | +| Friendly Name | Microsoft Lync 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013LyncBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Lync 2013. +Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. +- If you enable this policy setting, certain user settings of Microsoft Lync 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Lync 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013LyncBackup | +| Friendly Name | Lync 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013OneDriveForBusiness + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness +``` + + + + +This policy setting configures the synchronization of user settings for OneDrive for Business 2013. +By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. +- If you enable this policy setting, OneDrive for Business 2013 user settings continue to synchronize. +- If you disable this policy setting, OneDrive for Business 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013OneDriveForBusiness | +| Friendly Name | Microsoft OneDrive for Business 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013OneNote + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. +By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. +- If you enable this policy setting, Microsoft OneNote 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft OneNote 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013OneNote | +| Friendly Name | Microsoft OneNote 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013OneNoteBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. +Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. +- If you enable this policy setting, certain user settings of Microsoft OneNote 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft OneNote 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013OneNoteBackup | +| Friendly Name | OneNote 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013Outlook + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. +By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. +- If you enable this policy setting, Microsoft Outlook 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Outlook 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Outlook | +| Friendly Name | Microsoft Outlook 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013OutlookBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. +Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. +- If you enable this policy setting, certain user settings of Microsoft Outlook 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Outlook 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013OutlookBackup | +| Friendly Name | Outlook 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013PowerPoint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. +By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. +- If you enable this policy setting, Microsoft PowerPoint 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft PowerPoint 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013PowerPoint | +| Friendly Name | Microsoft PowerPoint 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013PowerPointBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. +Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. +- If you enable this policy setting, certain user settings of Microsoft PowerPoint 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft PowerPoint 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013PowerPointBackup | +| Friendly Name | PowerPoint 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013Project + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Project 2013. +By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. +- If you enable this policy setting, Microsoft Project 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Project 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Project | +| Friendly Name | Microsoft Project 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013ProjectBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Project 2013. +Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. +- If you enable this policy setting, certain user settings of Microsoft Project 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Project 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013ProjectBackup | +| Friendly Name | Project 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. +By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. +- If you enable this policy setting, Microsoft Publisher 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Publisher 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Publisher | +| Friendly Name | Microsoft Publisher 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013PublisherBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. +Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. +- If you enable this policy setting, certain user settings of Microsoft Publisher 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Publisher 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013PublisherBackup | +| Friendly Name | Publisher 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013SharePointDesigner + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. +By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. +- If you enable this policy setting, Microsoft SharePoint Designer 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft SharePoint Designer 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013SharePointDesigner | +| Friendly Name | Microsoft SharePoint Designer 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013SharePointDesignerBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. +Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. +- If you enable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013SharePointDesignerBackup | +| Friendly Name | SharePoint Designer 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013UploadCenter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. +By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. +- If you enable this policy setting, Microsoft Office 2013 Upload Center user settings continue to synchronize. +- If you disable this policy setting, Microsoft Office 2013 Upload Center user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013UploadCenter | +| Friendly Name | Microsoft Office 2013 Upload Center | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013Visio + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Visio 2013. +By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. +- If you enable this policy setting, Microsoft Visio 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Visio 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Visio | +| Friendly Name | Microsoft Visio 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013VisioBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Visio 2013. +Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. +- If you enable this policy setting, certain user settings of Microsoft Visio 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Visio 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013VisioBackup | +| Friendly Name | Visio 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013Word + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Word 2013. +By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. +- If you enable this policy setting, Microsoft Word 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Word 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Word | +| Friendly Name | Microsoft Word 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2013WordBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Word 2013. +Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. +- If you enable this policy setting, certain user settings of Microsoft Word 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Word 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013WordBackup | +| Friendly Name | Word 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016Access + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Access 2016. +By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. +- If you enable this policy setting, Microsoft Access 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Access 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Access | +| Friendly Name | Microsoft Access 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016AccessBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Access 2016. +Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. +- If you enable this policy setting, certain user settings of Microsoft Access 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Access 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016AccessBackup | +| Friendly Name | Access 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016Common + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common +``` + + + + +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. +By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. +- If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize. +- If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2016 applications are enabled, this policy setting should not be disabled. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Common | +| Friendly Name | Microsoft Office 2016 Common Settings | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016CommonBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup +``` + + + + This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office Suite 2016 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2016 applications. - -If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up. - -If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Common 2016 backup only* -- GP name: *MicrosoftOffice2016CommonBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. - -If you enable this policy setting, Microsoft Excel 2016 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Excel 2016 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Excel 2016* -- GP name: *MicrosoftOffice2016Excel* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. - -If you enable this policy setting, certain user settings of Microsoft Excel 2016 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft Excel 2016 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Excel 2016 backup only* -- GP name: *MicrosoftOffice2016ExcelBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. - -If you enable this policy setting, Microsoft Lync 2016 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Lync 2016 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Lync 2016* -- GP name: *MicrosoftOffice2016Lync* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. - -If you enable this policy setting, certain user settings of Microsoft Lync 2016 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft Lync 2016 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Lync 2016 backup only* -- GP name: *MicrosoftOffice2016LyncBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. - -If you enable this policy setting, OneDrive for Business 2016 user settings continue to synchronize. - -If you disable this policy setting, OneDrive for Business 2016 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft OneDrive for Business 2016* -- GP name: *MicrosoftOffice2016OneDriveForBusiness* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. - -If you enable this policy setting, Microsoft OneNote 2016 user settings continue to synchronize. - -If you disable this policy setting, Microsoft OneNote 2016 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft OneNote 2016* -- GP name: *MicrosoftOffice2016OneNote* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. - -If you enable this policy setting, certain user settings of Microsoft OneNote 2016 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft OneNote 2016 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *OneNote 2016 backup only* -- GP name: *MicrosoftOffice2016OneNoteBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. - -If you enable this policy setting, Microsoft Outlook 2016 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Outlook 2016 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft Outlook 2016* -- GP name: *MicrosoftOffice2016Outlook* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. - -If you enable this policy setting, certain user settings of Microsoft Outlook 2016 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft Outlook 2016 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Outlook 2016 backup only* -- GP name: *MicrosoftOffice2016OutlookBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. - -If you enable this policy setting, Microsoft PowerPoint 2016 user settings continue to synchronize. - -If you disable this policy setting, Microsoft PowerPoint 2016 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft PowerPoint 2016* -- GP name: *MicrosoftOffice2016PowerPoint* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. - -If you enable this policy setting, certain user settings of Microsoft PowerPoint 2016 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft PowerPoint 2016 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *PowerPoint 2016 backup only* -- GP name: *MicrosoftOffice2016PowerPointBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - +- If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up. +- If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016CommonBackup | +| Friendly Name | Common 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016Excel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Excel 2016. +By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. +- If you enable this policy setting, Microsoft Excel 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Excel 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Excel | +| Friendly Name | Microsoft Excel 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016ExcelBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Excel 2016. +Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. +- If you enable this policy setting, certain user settings of Microsoft Excel 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Excel 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016ExcelBackup | +| Friendly Name | Excel 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016Lync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Lync 2016. +By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. +- If you enable this policy setting, Microsoft Lync 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Lync 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Lync | +| Friendly Name | Microsoft Lync 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016LyncBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Lync 2016. +Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. +- If you enable this policy setting, certain user settings of Microsoft Lync 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Lync 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016LyncBackup | +| Friendly Name | Lync 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016OneDriveForBusiness + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness +``` + + + + +This policy setting configures the synchronization of user settings for OneDrive for Business 2016. +By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. +- If you enable this policy setting, OneDrive for Business 2016 user settings continue to synchronize. +- If you disable this policy setting, OneDrive for Business 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016OneDriveForBusiness | +| Friendly Name | Microsoft OneDrive for Business 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016OneNote + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. +By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. +- If you enable this policy setting, Microsoft OneNote 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft OneNote 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016OneNote | +| Friendly Name | Microsoft OneNote 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016OneNoteBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. +Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. +- If you enable this policy setting, certain user settings of Microsoft OneNote 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft OneNote 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016OneNoteBackup | +| Friendly Name | OneNote 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016Outlook + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. +By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. +- If you enable this policy setting, Microsoft Outlook 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Outlook 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Outlook | +| Friendly Name | Microsoft Outlook 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016OutlookBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. +Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. +- If you enable this policy setting, certain user settings of Microsoft Outlook 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Outlook 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016OutlookBackup | +| Friendly Name | Outlook 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016PowerPoint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. +By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. +- If you enable this policy setting, Microsoft PowerPoint 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft PowerPoint 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016PowerPoint | +| Friendly Name | Microsoft PowerPoint 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016PowerPointBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. +Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. +- If you enable this policy setting, certain user settings of Microsoft PowerPoint 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft PowerPoint 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016PowerPointBackup | +| Friendly Name | PowerPoint 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016Project + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project +``` + + + + This policy setting configures the synchronization of user settings for Microsoft Project 2016. By default, the user settings of Microsoft Project 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2016 from synchronization between computers. - -If you enable this policy setting, Microsoft Project 2016 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Project 2016 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Project 2016* -- GP name: *MicrosoftOffice2016Project* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. - -If you enable this policy setting, certain user settings of Microsoft Project 2016 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft Project 2016 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Project 2016 backup only* -- GP name: *MicrosoftOffice2016ProjectBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. - -If you enable this policy setting, Microsoft Publisher 2016 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Publisher 2016 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Publisher 2016* -- GP name: *MicrosoftOffice2016Publisher* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. - -If you enable this policy setting, certain user settings of Microsoft Publisher 2016 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft Publisher 2016 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Publisher 2016 backup only* -- GP name: *MicrosoftOffice2016PublisherBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. - -If you enable this policy setting, Microsoft Office 2016 Upload Center user settings continue to synchronize. - -If you disable this policy setting, Microsoft Office 2016 Upload Center user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 2016 Upload Center* -- GP name: *MicrosoftOffice2016UploadCenter* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. - -If you enable this policy setting, Microsoft Visio 2016 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Visio 2016 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft Visio 2016* -- GP name: *MicrosoftOffice2016Visio* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. - -If you enable this policy setting, certain user settings of Microsoft Visio 2016 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft Visio 2016 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Visio 2016 backup only* -- GP name: *MicrosoftOffice2016VisioBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. - -If you enable this policy setting, Microsoft Word 2016 user settings continue to synchronize. - -If you disable this policy setting, Microsoft Word 2016 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft Word 2016* -- GP name: *MicrosoftOffice2016Word* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. - -If you enable this policy setting, certain user settings of Microsoft Word 2016 will continue to be backed up. - -If you disable this policy setting, certain user settings of Microsoft Word 2016 won't be backed up. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Word 2016 backup only* -- GP name: *MicrosoftOffice2016WordBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Access 2013 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Access 2013 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Access 2013* -- GP name: *MicrosoftOffice365Access2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Access 2016 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Access 2016 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Access 2016* -- GP name: *MicrosoftOffice365Access2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. - -If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE-V. - -If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Common 2013* -- GP name: *MicrosoftOffice365Common2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. - -If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE-V. - -If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Common 2016* -- GP name: *MicrosoftOffice365Common2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Excel 2013 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Excel 2013* -- GP name: *MicrosoftOffice365Excel2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Excel 2016 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Excel 2016* -- GP name: *MicrosoftOffice365Excel2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 InfoPath 2013 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 InfoPath 2013* -- GP name: *MicrosoftOffice365InfoPath2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Lync 2013 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Lync 2013* -- GP name: *MicrosoftOffice365Lync2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Lync 2016 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Lync 2016* -- GP name: *MicrosoftOffice365Lync2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 OneNote 2013 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 OneNote 2013* -- GP name: *MicrosoftOffice365OneNote2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 OneNote 2016 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 OneNote 2016* -- GP name: *MicrosoftOffice365OneNote2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Outlook 2013 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Outlook 2013* -- GP name: *MicrosoftOffice365Outlook2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Outlook 2016 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Outlook 2016* -- GP name: *MicrosoftOffice365Outlook2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 PowerPoint 2013* -- GP name: *MicrosoftOffice365PowerPoint2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 PowerPoint 2016* -- GP name: *MicrosoftOffice365PowerPoint2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Project 2013 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Project 2013 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Project 2013* -- GP name: *MicrosoftOffice365Project2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Project 2016 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Project 2016 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Project 2016* -- GP name: *MicrosoftOffice365Project2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Publisher 2013 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Publisher 2013* -- GP name: *MicrosoftOffice365Publisher2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Publisher 2016 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Publisher 2016* -- GP name: *MicrosoftOffice365Publisher2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 SharePoint Designer 2013* -- GP name: *MicrosoftOffice365SharePointDesigner2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Visio 2013 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Visio 2013* -- GP name: *MicrosoftOffice365Visio2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Visio 2016 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Visio 2016* -- GP name: *MicrosoftOffice365Visio2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Word 2013 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Word 2013 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Word 2013* -- GP name: *MicrosoftOffice365Word2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. - -If you enable this policy setting, Microsoft Office 365 Word 2016 user settings continue to sync with UE-V. - -If you disable this policy setting, Microsoft Office 365 Word 2016 user settings are excluded from synchronization with UE-V. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Word 2016* -- GP name: *MicrosoftOffice365Word2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/Music** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. - -If you enable this policy setting, Music user settings continue to sync. - -If you disable this policy setting, Music user settings are excluded from the synchronizing settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Music* -- GP name: *Music* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/News** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. - -If you enable this policy setting, News user settings continue to sync. - -If you disable this policy setting, News user settings are excluded from synchronization. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *News* -- GP name: *News* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/Notepad** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. - -If you enable this policy setting, the Notepad user settings continue to synchronize. - -If you disable this policy setting, Notepad user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Notepad* -- GP name: *Notepad* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/Reader** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. - -If you enable this policy setting, Reader user settings continue to sync. - -If you disable this policy setting, Reader user settings are excluded from the synchronization. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - - -ADMX Info: -- GP Friendly name: *Reader* -- GP name: *Reader* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/RepositoryTimeout** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. - -If you enable this policy setting, set the number of milliseconds that the system waits to retrieve settings. - -If you disable or don't configure this policy setting, the default value of 2000 milliseconds is used. - - - - - -ADMX Info: -- GP Friendly name: *Synchronization timeout* -- GP name: *RepositoryTimeout* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/SettingsStoragePath** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - +- If you enable this policy setting, Microsoft Project 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Project 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Project | +| Friendly Name | Microsoft Project 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016ProjectBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Project 2016. +Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. +- If you enable this policy setting, certain user settings of Microsoft Project 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Project 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016ProjectBackup | +| Friendly Name | Project 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016Publisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. +By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. +- If you enable this policy setting, Microsoft Publisher 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Publisher 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Publisher | +| Friendly Name | Microsoft Publisher 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016PublisherBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. +Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. +- If you enable this policy setting, certain user settings of Microsoft Publisher 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Publisher 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016PublisherBackup | +| Friendly Name | Publisher 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016UploadCenter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. +By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. +- If you enable this policy setting, Microsoft Office 2016 Upload Center user settings continue to synchronize. +- If you disable this policy setting, Microsoft Office 2016 Upload Center user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016UploadCenter | +| Friendly Name | Microsoft Office 2016 Upload Center | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016Visio + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Visio 2016. +By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. +- If you enable this policy setting, Microsoft Visio 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Visio 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Visio | +| Friendly Name | Microsoft Visio 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016VisioBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Visio 2016. +Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. +- If you enable this policy setting, certain user settings of Microsoft Visio 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Visio 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016VisioBackup | +| Friendly Name | Visio 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016Word + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Word 2016. +By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. +- If you enable this policy setting, Microsoft Word 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Word 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Word | +| Friendly Name | Microsoft Word 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice2016WordBackup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Word 2016. +Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. +- If you enable this policy setting, certain user settings of Microsoft Word 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Word 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016WordBackup | +| Friendly Name | Word 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Access2013 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Access 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Access 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Access2013 | +| Friendly Name | Microsoft Office 365 Access 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Access2016 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Access 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Access 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Access2016 | +| Friendly Name | Microsoft Office 365 Access 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Common2013 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013 +``` + + + + +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. +- If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE-V. +- If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Common2013 | +| Friendly Name | Microsoft Office 365 Common 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Common2016 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016 +``` + + + + +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. +- If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE-V. +- If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Common2016 | +| Friendly Name | Microsoft Office 365 Common 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Excel2013 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Excel 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Excel2013 | +| Friendly Name | Microsoft Office 365 Excel 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Excel2016 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Excel 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Excel2016 | +| Friendly Name | Microsoft Office 365 Excel 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365InfoPath2013 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 InfoPath 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365InfoPath2013 | +| Friendly Name | Microsoft Office 365 InfoPath 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Lync2013 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Lync 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Lync2013 | +| Friendly Name | Microsoft Office 365 Lync 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Lync2016 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Lync 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Lync2016 | +| Friendly Name | Microsoft Office 365 Lync 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365OneNote2013 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 OneNote 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365OneNote2013 | +| Friendly Name | Microsoft Office 365 OneNote 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365OneNote2016 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 OneNote 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365OneNote2016 | +| Friendly Name | Microsoft Office 365 OneNote 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Outlook2013 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Outlook 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Outlook2013 | +| Friendly Name | Microsoft Office 365 Outlook 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Outlook2016 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Outlook 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Outlook2016 | +| Friendly Name | Microsoft Office 365 Outlook 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365PowerPoint2013 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365PowerPoint2013 | +| Friendly Name | Microsoft Office 365 PowerPoint 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365PowerPoint2016 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365PowerPoint2016 | +| Friendly Name | Microsoft Office 365 PowerPoint 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Project2013 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Project 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Project 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Project2013 | +| Friendly Name | Microsoft Office 365 Project 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Project2016 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Project 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Project 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Project2016 | +| Friendly Name | Microsoft Office 365 Project 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Publisher2013 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Publisher 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Publisher2013 | +| Friendly Name | Microsoft Office 365 Publisher 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Publisher2016 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Publisher 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Publisher2016 | +| Friendly Name | Microsoft Office 365 Publisher 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365SharePointDesigner2013 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365SharePointDesigner2013 | +| Friendly Name | Microsoft Office 365 SharePoint Designer 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Visio2013 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Visio 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Visio2013 | +| Friendly Name | Microsoft Office 365 Visio 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Visio2016 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Visio 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Visio2016 | +| Friendly Name | Microsoft Office 365 Visio 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Word2013 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Word 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Word 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Word2013 | +| Friendly Name | Microsoft Office 365 Word 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## MicrosoftOffice365Word2016 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016 +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Word 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Word 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Word2016 | +| Friendly Name | Microsoft Office 365 Word 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## Music + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Music +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Music +``` + + + + +This policy setting configures the synchronization of user settings for the Music app. +By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. +- If you enable this policy setting, Music user settings continue to sync. +- If you disable this policy setting, Music user settings are excluded from the synchronizing settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Music | +| Friendly Name | Music | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.ZuneMusic_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## News + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/News +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/News +``` + + + + +This policy setting configures the synchronization of user settings for the News app. +By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. +- If you enable this policy setting, News user settings continue to sync. +- If you disable this policy setting, News user settings are excluded from synchronization. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | News | +| Friendly Name | News | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingNews_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## Notepad + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Notepad +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Notepad +``` + + + + +This policy setting configures the synchronization of user settings of Notepad. +By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. +- If you enable this policy setting, the Notepad user settings continue to synchronize. +- If you disable this policy setting, Notepad user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Notepad | +| Friendly Name | Notepad | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| Registry Value Name | MicrosoftNotepad6 | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## Reader + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Reader +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Reader +``` + + + + +This policy setting configures the synchronization of user settings for the Reader app. +By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. +- If you enable this policy setting, Reader user settings continue to sync. +- If you disable this policy setting, Reader user settings are excluded from the synchronization. +- If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Reader | +| Friendly Name | Reader | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.Reader_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## RepositoryTimeout + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/RepositoryTimeout +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/RepositoryTimeout +``` + + + + +This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. +You can use this setting to override the default value of 2000 milliseconds. +- If you enable this policy setting, set the number of milliseconds that the system waits to retrieve settings. +- If you disable or do not configure this policy setting, the default value of 2000 milliseconds is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RepositoryTimeout | +| Friendly Name | Synchronization timeout | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## SettingsStoragePath + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SettingsStoragePath +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SettingsStoragePath +``` + + + + This policy setting configures where the settings package files that contain user settings are stored. +- If you enable this policy setting, the user settings are stored in the specified location. +- If you disable or do not configure this policy setting, the user settings are stored in the user's home directory if configured for your environment. + -If you enable this policy setting, the user settings are stored in the specified location. + + + -If you disable or don't configure this policy setting, the user settings are stored in the user’s home directory if configured for your environment. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Settings storage path* -- GP name: *SettingsStoragePath* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | SettingsStoragePath | +| Friendly Name | Settings storage path | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/SettingsTemplateCatalogPath** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## SettingsTemplateCatalogPath - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SettingsTemplateCatalogPath +``` + -> [!div class = "checklist"] -> * Device -> * User - -
    - - - + + This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. - -If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location. - +- If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location. If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they will be ignored. - If you specify a UNC path and check the option to replace the default Microsoft templates, all of the default Microsoft templates installed by the UE-V Agent will be deleted from the computer and only the templates located in the settings template catalog will be used. +- If you disable this policy setting, the UE-V Agent will not use the custom settings location templates. +- If you disable this policy setting after it has been enabled, the UE-V Agent will not restore the default Microsoft templates. +- If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, the UE-V Agent won't use the custom settings location templates. 
If you disable this policy setting after it has been enabled, the UE-V Agent won't restore the default Microsoft templates. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Settings template catalog path* -- GP name: *SettingsTemplateCatalogPath* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | SettingsTemplateCatalogPath | +| Friendly Name | Settings template catalog path | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/Sports** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## Sports - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Sports +``` -> [!div class = "checklist"] -> * Device -> * User +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Sports +``` + -
    + + +This policy setting configures the synchronization of user settings for the Sports app. +By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. +- If you enable this policy setting, Sports user settings continue to sync. +- If you disable this policy setting, Sports user settings are excluded from synchronization. +- If you do not configure this policy setting, any defined values will be deleted. + - - -This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. + + + -If you enable this policy setting, Sports user settings continue to sync. + +**Description framework properties**: -If you disable this policy setting, Sports user settings are excluded from synchronization. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you don't configure this policy setting, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Sports | +| Friendly Name | Sports | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingSports_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + - -ADMX Info: -- GP Friendly name: *Sports* -- GP name: *Sports* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* + + + - - -
    + - -**ADMX_UserExperienceVirtualization/SyncEnabled** + +## SyncEnabled - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncEnabled +``` - -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncEnabled +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - + + This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use User Experience Virtualization (UE-V)* -- GP name: *SyncEnabled* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -**ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SyncEnabled | +| Friendly Name | Use User Experience Virtualization (UE-V) | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | SyncEnabled | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SyncOverMeteredNetwork -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork +``` - - -This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. By default, the UE-V Agent doesn't synchronize settings over a metered connection. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork +``` + + + +This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. +By default, the UE-V Agent does not synchronize settings over a metered connection. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection. +With this setting disabled, the UE-V Agent does not synchronize settings over a metered connection. +- If you do not configure this policy setting, any defined values are deleted. + -With this setting disabled, the UE-V Agent doesn't synchronize settings over a metered connection. + + + -If you don't configure this policy setting, any defined values are deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Sync settings over metered connections* -- GP name: *SyncOverMeteredNetwork* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | SyncOverMeteredNetwork | +| Friendly Name | Sync settings over metered connections | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | SyncOverMeteredNetwork | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## SyncOverMeteredNetworkWhenRoaming - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. By default, the UE-V Agent doesn't synchronize settings over a metered connection that is roaming. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming +``` + + + +This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. +By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection that is roaming. +With this setting disabled, the UE-V Agent will not synchronize settings over a metered connection that is roaming. +- If you do not configure this policy setting, any defined values are deleted. + -With this setting disabled, the UE-V Agent won't synchronize settings over a metered connection that is roaming. + + + -If you don't configure this policy setting, any defined values are deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Sync settings over metered connections even when roaming* -- GP name: *SyncOverMeteredNetworkWhenRoaming* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | SyncOverMeteredNetworkWhenRoaming | +| Friendly Name | Sync settings over metered connections even when roaming | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | SyncOverMeteredNetworkWhenRoaming | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/SyncProviderPingEnabled** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## SyncProviderPingEnabled - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncProviderPingEnabled +``` -> [!div class = "checklist"] -> * Device -> * User +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncProviderPingEnabled +``` + -
    + + +This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn't attempt the synchronization. +- If you enable this policy setting, the sync provider pings the settings storage location before synchronizing settings packages. +- If you disable this policy setting, the sync provider doesn't ping the settings storage location before synchronizing settings packages. +- If you do not configure this policy, any defined values will be deleted. + - - -This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization. + + + -If you enable this policy setting, the sync provider pings the settings storage location before synchronizing settings packages. + +**Description framework properties**: -If you disable this policy setting, the sync provider doesn’t ping the settings storage location before synchronizing settings packages. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you don't configure this policy, any defined values will be deleted. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | SyncProviderPingEnabled | +| Friendly Name | Ping the settings storage location before sync | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | SyncProviderPingEnabled | +| ADMX File Name | UserExperienceVirtualization.admx | + - -ADMX Info: -- GP Friendly name: *Ping the settings storage location before sync* -- GP name: *SyncProviderPingEnabled* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* + + + - - -
    + - -**ADMX_UserExperienceVirtualization/SyncUnlistedWindows8Apps** + +## SyncUnlistedWindows8Apps - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncUnlistedWindows8Apps +``` + + + +This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. +By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. With this setting enabled, the settings of all Windows apps not expressly disable in the Windows App List are synchronized. - With this setting disabled, only the settings of the Windows apps set to synchronize in the Windows App List are synchronized. +- If you do not configure this policy setting, any defined values are deleted. + -If you don't configure this policy setting, any defined values are deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Sync Unlisted Windows Apps* -- GP name: *SyncUnlistedWindows8Apps* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/Travel** +| Name | Value | +|:--|:--| +| Name | SyncUnlistedWindows8Apps | +| Friendly Name | Sync Unlisted Windows Apps | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | SyncUnlistedWindows8Apps | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Travel - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Travel +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Travel +``` + - - -This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. + + +This policy setting configures the synchronization of user settings for the Travel app. +By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. +- If you enable this policy setting, Travel user settings continue to sync. +- If you disable this policy setting, Travel user settings are excluded from synchronization. +- If you do not configure this policy setting, any defined values will be deleted. + -If you enable this policy setting, Travel user settings continue to sync. + + + -If you disable this policy setting, Travel user settings are excluded from synchronization. + +**Description framework properties**: -If you don't configure this policy setting, any defined values will be deleted. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Travel* -- GP name: *Travel* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Name | Value | +|:--|:--| +| Name | Travel | +| Friendly Name | Travel | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingTravel_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + - - -
    + + + - -**ADMX_UserExperienceVirtualization/TrayIconEnabled** + - + +## TrayIconEnabled -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/TrayIconEnabled +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. +With this setting disabled, the tray icon does not appear in the system tray, UE-V never displays notifications, and the user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control Panel and the Start menu or Start screen. +- If you do not configure this policy setting, any defined values are deleted. + -With this setting disabled, the tray icon doesn't appear in the system tray, UE-V never displays notifications, and the user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control Panel and the Start menu or Start screen. + + + -If you don't configure this policy setting, any defined values are deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Tray Icon* -- GP name: *TrayIconEnabled* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/Video** +| Name | Value | +|:--|:--| +| Name | TrayIconEnabled | +| Friendly Name | Tray Icon | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | TrayIconEnabled | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Video - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Video +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Video +``` + - - -This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. + + +This policy setting configures the synchronization of user settings for the Video app. +By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. +- If you enable this policy setting, Video user settings continue to sync. +- If you disable this policy setting, Video user settings are excluded from synchronization. +- If you do not configure this policy setting, any defined values will be deleted. + -If you enable this policy setting, Video user settings continue to sync. + + + -If you disable this policy setting, Video user settings are excluded from synchronization. + +**Description framework properties**: -If you don't configure this policy setting, any defined values will be deleted. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Video* -- GP name: *Video* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Name | Value | +|:--|:--| +| Name | Video | +| Friendly Name | Video | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.ZuneVideo_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + - - -
    + + + - -**ADMX_UserExperienceVirtualization/Weather** + - + +## Weather -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Weather +``` - -[Scope](./policy-configuration-service-provider.md#policy-scope): +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Weather +``` + -> [!div class = "checklist"] -> * Device -> * User + + +This policy setting configures the synchronization of user settings for the Weather app. +By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. +- If you enable this policy setting, Weather user settings continue to sync. +- If you disable this policy setting, Weather user settings are excluded from synchronization. +- If you do not configure this policy setting, any defined values will be deleted. + -
    + + + - - -This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. + +**Description framework properties**: -If you enable this policy setting, Weather user settings continue to sync. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you disable this policy setting, Weather user settings are excluded from synchronization. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you don't configure this policy setting, any defined values will be deleted. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Weather | +| Friendly Name | Weather | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingWeather_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + - -ADMX Info: -- GP Friendly name: *Weather* -- GP name: *Weather* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* + - - -
    - + +## Wordpad -**ADMX_UserExperienceVirtualization/Wordpad** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Wordpad +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Wordpad +``` + - -
    + + +This policy setting configures the synchronization of user settings of WordPad. +By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. +- If you enable this policy setting, the WordPad user settings continue to synchronize. +- If you disable this policy setting, WordPad user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device -> * User + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you enable this policy setting, the WordPad user settings continue to synchronize. +**ADMX mapping**: -If you disable this policy setting, WordPad user settings are excluded from the synchronization settings. +| Name | Value | +|:--|:--| +| Name | Wordpad | +| Friendly Name | WordPad | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| Registry Value Name | MicrosoftWordpad6 | +| ADMX File Name | UserExperienceVirtualization.admx | + -If you don't configure this policy setting, any defined values will be deleted. + + + - + + + + - -ADMX Info: -- GP Friendly name: *WordPad* -- GP name: *Wordpad* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + - - -
    +## Related articles - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index 67c7143e09..1f26fcf32f 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -1,241 +1,242 @@ --- -title: Policy CSP - ADMX_UserProfiles -description: Learn about Policy CSP - ADMX_UserProfiles. +title: ADMX_UserProfiles Policy CSP +description: Learn more about the ADMX_UserProfiles Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/11/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_UserProfiles -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## ADMX_UserProfiles policies +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_UserProfiles/CleanupProfiles -
    -
    - ADMX_UserProfiles/DontForceUnloadHive -
    -
    - ADMX_UserProfiles/LeaveAppMgmtData -
    -
    - ADMX_UserProfiles/LimitSize -
    -
    - ADMX_UserProfiles/ProfileErrorAction -
    -
    - ADMX_UserProfiles/SlowLinkTimeOut -
    -
    - ADMX_UserProfiles/USER_HOME -
    -
    - ADMX_UserProfiles/UserInfoAccessAction -
    -
    + + + + +## CleanupProfiles -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_UserProfiles/CleanupProfiles** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/CleanupProfiles +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows an administrator to automatically delete user profiles on system restart that haven't been used within a specified number of days. + + +This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days > [!NOTE] > One day is interpreted as 24 hours after a specific user profile was accessed. -If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that haven't been used within the specified number of days. +- If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days. -If you disable or don't configure this policy setting, User Profile Service won't automatically delete any profiles on the next system restart. +- If you disable or do not configure this policy setting, User Profile Service will not automatically delete any profiles on the next system restart. + - + + + - -ADMX Info: -- GP Friendly name: *Delete user profiles older than a specified number of days on system restart* -- GP name: *CleanupProfiles* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_UserProfiles/DontForceUnloadHive** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CleanupProfiles | +| Friendly Name | Delete user profiles older than a specified number of days on system restart | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | UserProfiles.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DontForceUnloadHive -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting controls whether Windows forcefully unloads the user's registry at sign out, even if there are open handles to the per-user registry keys. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/DontForceUnloadHive +``` + + + + +This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys. > [!NOTE] > This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. -If you enable this policy setting, Windows won't forcefully unload the user's registry at sign out, but will unload the registry when all open handles to the per-user registry keys are closed. +- If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed. -If you disable or don't configure this policy setting, Windows will always unload the user's registry at sign out, even if there are any open handles to the per-user registry keys at user sign out. +- If you disable or do not configure this policy setting, Windows will always unload the users registry at logoff, even if there are any open handles to the per-user registry keys at user logoff. + - + + + - -ADMX Info: -- GP Friendly name: *Do not forcefully unload the users registry at user logoff* -- GP name: *DontForceUnloadHive* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_UserProfiles/LeaveAppMgmtData** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DontForceUnloadHive | +| Friendly Name | Do not forcefully unload the users registry at user logoff | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DisableForceUnload | +| ADMX File Name | UserProfiles.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LeaveAppMgmtData -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/LeaveAppMgmtData +``` + + + + This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion. -By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time roaming users whose profiles were previously deleted on that client sign in, they'll need to reinstall all apps published via policy at sign in, increasing sign-in time. You can use this policy setting to change this behavior. +By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior. -If you enable this policy setting, Windows won't delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This data retention will improve the performance of Group Policy-based Software Installation during user sign in when a user profile is deleted and that user later signs in to the machine. +- If you enable this policy setting, Windows will not delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine. 
-If you disable or don't configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted. +- If you disable or do not configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted. > [!NOTE] > If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine. + - + + + - -ADMX Info: -- GP Friendly name: *Leave Windows Installer and Group Policy Software Installation Data* -- GP name: *LeaveAppMgmtData* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_UserProfiles/LimitSize** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LeaveAppMgmtData | +| Friendly Name | Leave Windows Installer and Group Policy Software Installation Data | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | LeaveAppMgmtData | +| ADMX File Name | UserProfiles.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## LimitSize -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/LimitSize +``` + + + + This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. -If you disable this policy setting or don't configure it, the system doesn't limit the size of user profiles. +- If you disable this policy setting or do not configure it, the system does not limit the size of user profiles. -If you enable this policy setting, you can: +- If you enable this policy setting, you can: - Set a maximum permitted user profile size. - Determine whether the registry files are included in the calculation of the profile size. @@ -243,226 +244,314 @@ If you enable this policy setting, you can: - Specify a customized message notifying users of the oversized profile. - Determine how often the customized message is displayed. - +> [!NOTE] +> In operating systems earlier than Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded. + - -ADMX Info: -- GP Friendly name: *Limit profile size* -- GP name: *LimitSize* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_UserProfiles/ProfileErrorAction** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | LimitSize | +| Friendly Name | Limit profile size | +| Location | User Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | EnableProfileQuota | +| ADMX File Name | UserProfiles.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## ProfileErrorAction - - -This policy setting will automatically sign out a user when Windows can't load their profile. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If Windows can't access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from logging on the user with a temporary profile. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/ProfileErrorAction +``` + -If you enable this policy setting, Windows won't sign in users with a temporary profile. Windows signs out the users if their profiles can't be loaded. + + +This policy setting will automatically log off a user when Windows cannot load their profile. -If you disable this policy setting or don't configure it, Windows logs on the user with a temporary profile when Windows can't load their user profile. +If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from loggin on the user with a temporary profile. + +- If you enable this policy setting, Windows will not log on a user with a temporary profile. Windows logs the user off if their profile cannot be loaded. + +- If you disable this policy setting or do not configure it, Windows logs on the user with a temporary profile when Windows cannot load their user profile. Also, see the "Delete cached copies of roaming profiles" policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Do not log users on with temporary profiles* -- GP name: *ProfileErrorAction* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_UserProfiles/SlowLinkTimeOut** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ProfileErrorAction | +| Friendly Name | Do not log users on with temporary profiles | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | ProfileErrorAction | +| ADMX File Name | UserProfiles.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## SlowLinkTimeOut -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/SlowLinkTimeOut +``` + + + + This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed. -To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transferred. From that connection and data transfer, the network's latency and connection speed are determined. +To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transfered. From that connection and data transfer, the network's latency and connection speed are determined. This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load. -If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow. +- If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow. -If you disable or don't configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.Important: If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there's no local copy of the roaming profile to load when the system detects a slow connection. 
+- If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond. Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections - +> [!IMPORTANT] +> If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. + - -ADMX Info: -- GP Friendly name: *Control slow network connection timeout for user profiles* -- GP name: *SlowLinkTimeOut* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_UserProfiles/USER_HOME** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | SlowLinkTimeOut | +| Friendly Name | Control slow network connection timeout for user profiles | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | UserProfiles.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## USER_HOME - - -This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a sign-in session. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/USER_HOME +``` + -To use this policy setting, in the Location list, choose the location for the home folder. If you choose “On the network,” enter the path to a file share in the Path box (for example, \\\\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose “On the local computer,” enter a local path (for example, C:\HomeFolder) in the Path box. + + +This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session. -Don't specify environment variables or ellipses in the path. Also, don't specify a placeholder for the user name because the user name will be appended at sign in. +- If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name. + +To use this policy setting, in the Location list, choose the location for the home folder. If you choose "On the network," enter the path to a file share in the Path box (for example, \\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose "On the local computer," enter a local path (for example, C:\HomeFolder) in the Path box. + +Do not specify environment variables or ellipses in the path. Also, do not specify a placeholder for the user name because the user name will be appended at logon. > [!NOTE] -> The Drive letter box is ignored if you choose “On the local computer” from the Location list. If you choose “On the local computer” and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter. 
+> The Drive letter box is ignored if you choose "On the local computer" from the Location list. If you choose "On the local computer" and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter. -If you disable or don't configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account. +- If you disable or do not configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account. -If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the “Set user home folder” policy setting has no effect. +If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the "Set user home folder" policy setting has no effect. + - + + + - -ADMX Info: -- GP Friendly name: *Set user home folder* -- GP name: *USER_HOME* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_UserProfiles/UserInfoAccessAction** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | USER_HOME | +| Friendly Name | Set user home folder | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | UserProfiles.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## UserInfoAccessAction -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/UserInfoAccessAction +``` + + + + This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information. -If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options: +- If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options: -- "Always on" - users won't be able to change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI, and DNS. -- "Always off" - users won't be able to change this setting and the user's name and account picture won't be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability won't be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources. +"Always on" - users will not be able to change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI, and DNS. -If you don't configure or disable this policy the user will have full control over this setting and can turn it off and on. 
Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn off the setting. +"Always off" - users will not be able to change this setting and the user's name and account picture will not be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will not be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources. - +If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off. + - -ADMX Info: -- GP Friendly name: *User management of sharing user name, account picture, and domain information with apps (not desktop apps)* -- GP name: *UserInfoAccessAction* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +| Name | Value | +|:--|:--| +| Name | UserInfoAccessAction | +| Friendly Name | User management of sharing user name, account picture, and domain information with apps (not desktop apps) | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowUserInfoAccess | +| ADMX File Name | UserProfiles.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index 550c9e6d4c..48ea1bbd7f 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md 
@@ -1,337 +1,373 @@
 ---
-title: Policy CSP - ADMX_W32Time
-description: Learn about Policy CSP - ADMX_W32Time.
+title: ADMX_W32Time Policy CSP
+description: Learn more about the ADMX_W32Time Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
+ms.date: 01/09/2023
 ms.localizationpriority: medium
-ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 09/28/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - ADMX_W32Time
+
 > [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
    + + + - -## ADMX_W32Time policies + +## W32TIME_POLICY_CONFIG -
    -
    - ADMX_W32Time/W32TIME_POLICY_CONFIG -
    -
    - ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT -
    -
    - ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT -
    -
    - ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_W32Time/W32TIME_POLICY_CONFIG +``` + -
    - - -**ADMX_W32Time/W32TIME_POLICY_CONFIG** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs. -If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the Service on target machines use locally configured settings values. +- If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the service on target machines use locally configured settings values. -For more information on individual parameters, combinations of parameter values, and definitions of flags, see https://go.microsoft.com/fwlink/?linkid=847809. +For more details on individual parameters, combinations of parameter values as well as definitions of flags, see . -**FrequencyCorrectRate** -This parameter controls the rate at which the W32time corrects the local clock's frequency. Lower values cause slower corrections; larger values cause more frequent corrections. Default: 4 (scalar). +FrequencyCorrectRate +This parameter controls the rate at which the W32time corrects the local clock's frequency. Lower values cause larger corrections; larger values cause smaller corrections. Default: 4 (scalar). -**HoldPeriod** +HoldPeriod This parameter indicates how many consistent time samples the client computer must receive in a series before subsequent time samples are evaluated as potential spikes. Default: 5 -**LargePhaseOffset** +LargePhaseOffset If a time sample differs from the client computer's local clock by more than LargePhaseOffset, the local clock is deemed to have drifted considerably, or in other words, spiked. Default: 50,000,000 100-nanosecond units (ns) or 5 seconds. 
-**MaxAllowedPhaseOffset** +MaxAllowedPhaseOffset If a response is received that has a time variation that is larger than this parameter value, W32time sets the client computer's local clock immediately to the time that is accepted as accurate from the Network Time Protocol (NTP) server. If the time variation is less than this value, the client computer's local clock is corrected gradually. Default: 300 seconds. -**MaxNegPhaseCorrection** +MaxNegPhaseCorrection If a time sample is received that indicates a time in the past (as compared to the client computer's local clock) that has a time difference that is greater than the MaxNegPhaseCorrection value, the time sample is discarded. Default: 172,800 seconds. -**MaxPosPhaseCorrection** +MaxPosPhaseCorrection If a time sample is received that indicates a time in the future (as compared to the client computer's local clock) that has a time difference greater than the MaxPosPhaseCorrection value, the time sample is discarded. Default: 172,800 seconds. -**PhaseCorrectRate** -This parameter controls how quickly W32time corrects the client computer's local clock difference to match time samples that are accepted as accurate from the NTP server. Lower values cause the clock to correct more slowly; larger values cause the clock to correct more quickly. Default: 7 (scalar). +PhaseCorrectRate +This parameter controls how quickly W32time corrects the client computer's local clock difference to match time samples that are accepted as accurate from the NTP server. Lower values cause the clock to correct more quickly; larger values cause the clock to correct more slowly. Default: 7 (scalar). -**PollAdjustFactor** +PollAdjustFactor This parameter controls how quickly W32time changes polling intervals. When responses are considered to be accurate, the polling interval lengthens automatically. When responses are considered to be inaccurate, the polling interval shortens automatically. Default: 5 (scalar). 
-**SpikeWatchPeriod** +SpikeWatchPeriod This parameter specifies the amount of time that samples with time offset larger than LargePhaseOffset are received before these samples are accepted as accurate. SpikeWatchPeriod is used in conjunction with HoldPeriod to help eliminate sporadic, inaccurate time samples that are returned from a peer. Default: 900 seconds. -**UpdateInterval** +UpdateInterval This parameter specifies the amount of time that W32time waits between corrections when the clock is being corrected gradually. When it makes a gradual correction, the service adjusts the clock slightly, waits this amount of time, and then checks to see if another adjustment is needed, until the correction is finished. Default: 100 1/100th second units, or 1 second. General parameters: -**AnnounceFlags** +AnnounceFlags This parameter is a bitmask value that controls how time service availability is advertised through NetLogon. Default: 0x0a hexadecimal -**EventLogFlags** +EventLogFlags This parameter controls special events that may be logged to the Event Viewer System log. Default: 0x02 hexadecimal bitmask. -**LocalClockDispersion** +LocalClockDispersion This parameter indicates the maximum error in seconds that is reported by the NTP server to clients that are requesting a time sample. (Applies only when the NTP server is using the time of the local CMOS clock.) Default: 10 seconds. -**MaxPollInterval** -This parameter controls the maximum polling interval, which defines the maximum amount of time between polls of a peer. Default: 10 in log base-2, or 1024 seconds. (Shouldn't be set higher than 15.) +MaxPollInterval +This parameter controls the maximum polling interval, which defines the maximum amount of time between polls of a peer. Default: 10 in log base-2, or 1024 seconds. (Should not be set higher than 15.) -**MinPollInterval** +MinPollInterval This parameter controls the minimum polling interval that defines the minimum amount of time between polls of a peer. 
Default: 6 in log base-2, or 64 seconds. -**ClockHoldoverPeriod** +ClockHoldoverPeriod This parameter indicates the maximum number of seconds a system clock can nominally hold its accuracy without synchronizing with a time source. If this period of time passes without W32time obtaining new samples from any of its input providers, W32time initiates a rediscovery of time sources. Default: 7800 seconds. -**RequireSecureTimeSyncRequests** -This parameter controls whether or not the DC will respond to time sync requests that use older authentication protocols. If enabled (set to 1), the DC won't respond to requests using such protocols. Default: 0 Boolean. +RequireSecureTimeSyncRequests +This parameter controls whether or not the DC will respond to time sync requests that use older authentication protocols. If enabled (set to 1), the DC will not respond to requests using such protocols. Default: 0 Boolean. -**UtilizeSslTimeData** -This parameter controls whether W32time will use time data computed from SSL traffic on the machine as an extra input for correcting the local clock. Default: 1 (enabled) Boolean +UtilizeSslTimeData +This parameter controls whether W32time will use time data computed from SSL traffic on the machine as an additional input for correcting the local clock. Default: 1 (enabled) Boolean -**ClockAdjustmentAuditLimit** +ClockAdjustmentAuditLimit This parameter specifies the smallest local clock adjustments that may be logged to the W32time service event log on the target machine. Default: 800 Parts per million (PPM). RODC parameters: -**ChainEntryTimeout** +ChainEntryTimeout This parameter specifies the maximum amount of time that an entry can remain in the chaining table before the entry is considered to be expired. Expired entries may be removed when the next request or response is processed. Default: 16 seconds. -**ChainMaxEntries** +ChainMaxEntries This parameter controls the maximum number of entries that are allowed in the chaining table. 
If the chaining table is full and no expired entries can be removed, any incoming requests are discarded. Default: 128 entries. -**ChainMaxHostEntries** -This parameter controls the maximum number of entries that are allowed in the chaining table for a particular host. Default: Four entries. +ChainMaxHostEntries +This parameter controls the maximum number of entries that are allowed in the chaining table for a particular host. Default: 4 entries. -**ChainDisable** -This parameter controls whether or not the chaining mechanism is disabled. If chaining is disabled (set to 0), the RODC can synchronize with any domain controller, but hosts that don't have their passwords cached on the RODC won't be able to synchronize with the RODC. Default: 0 Boolean. +ChainDisable +This parameter controls whether or not the chaining mechanism is disabled. If chaining is disabled (set to 0), the RODC can synchronize with any domain controller, but hosts that do not have their passwords cached on the RODC will not be able to synchronize with the RODC. Default: 0 Boolean. -**ChainLoggingRate** +ChainLoggingRate This parameter controls the frequency at which an event that indicates the number of successful and unsuccessful chaining attempts is logged to the System log in Event Viewer. Default: 30 minutes. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Global Configuration Settings* -- GP name: *W32TIME_POLICY_CONFIG* -- GP path: *System\Windows Time Service* -- GP ADMX file name: *W32Time.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | W32TIME_POLICY_CONFIG | +| Friendly Name | Global Configuration Settings | +| Location | Computer Configuration | +| Path | System > Windows Time Service | +| Registry Key Name | Software\Policies\Microsoft\W32Time\Config | +| ADMX File Name | W32Time.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## W32TIME_POLICY_CONFIGURE_NTPCLIENT -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT +``` + - - + + This policy setting specifies a set of parameters for controlling the Windows NTP Client. -If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. +- If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. -If you disable or don't configure this policy setting, the Windows NTP Client uses the defaults of each of the following parameters. +- If you disable or do not configure this policy setting, the WIndows NTP Client uses the defaults of each of the following parameters. -**NtpServer** -The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of ""dnsName,flags"" where ""flags"" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is ""time.windows.com,0x09"". +NtpServer +The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of "dnsName,flags" where "flags" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is "time.windows.com,0x09". -**Type** +Type This value controls the authentication that W32time uses. The default value is NT5DS. -**CrossSiteSyncFlags** -This value, expressed as a bitmask, controls how W32time chooses time sources outside its own site. The possible values are 0, 1, and 2. Setting this value to 0 (None) indicates that the time client shouldn't attempt to synchronize time outside its site. 
Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization partner can be used. This value is ignored if the NT5DS value isn't set. The default value is 2 decimal (0x02 hexadecimal). +CrossSiteSyncFlags +This value, expressed as a bitmask, controls how W32time chooses time sources outside its own site. The possible values are 0, 1, and 2. Setting this value to 0 (None) indicates that the time client should not attempt to synchronize time outside its site. Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization partner can be used. This value is ignored if the NT5DS value is not set. The default value is 2 decimal (0x02 hexadecimal). -**ResolvePeerBackoffMinutes** +ResolvePeerBackoffMinutes This value, expressed in minutes, controls how long W32time waits before it attempts to resolve a DNS name when a previous attempt failed. The default value is 15 minutes. -**ResolvePeerBackoffMaxTimes** +ResolvePeerBackoffMaxTimes This value controls how many times W32time attempts to resolve a DNS name before the discovery process is restarted. Each time DNS name resolution fails, the amount of time to wait before the next attempt will be twice the previous amount. The default value is seven attempts. -**SpecialPollInterval** +SpecialPollInterval This NTP client value, expressed in seconds, controls how often a manually configured time source is polled when the time source is configured to use a special polling interval. 
If the SpecialInterval flag is enabled on the NTPServer setting, the client uses the value that is set as the SpecialPollInterval, instead of a variable interval between MinPollInterval and MaxPollInterval values, to determine how frequently to poll the time source. SpecialPollInterval must be in the range of [MinPollInterval, MaxPollInterval], else the nearest value of the range is picked. Default: 1024 seconds. -**EventLogFlags** -This value is a bitmask that controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever a time source change is made. Because it's a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged. +EventLogFlags +This value is a bitmask that controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever a time source change is made. Because it is a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Windows NTP Client* -- GP name: *W32TIME_POLICY_CONFIGURE_NTPCLIENT* -- GP path: *System\Windows Time Service\Time Providers* -- GP ADMX file name: *W32Time.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | W32TIME_POLICY_CONFIGURE_NTPCLIENT | +| Friendly Name | Configure Windows NTP Client | +| Location | Computer Configuration | +| Path | System > Windows Time Service > Time Providers | +| Registry Key Name | Software\Policies\Microsoft\W32time\TimeProviders\NtpClient | +| ADMX File Name | W32Time.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## W32TIME_POLICY_ENABLE_NTPCLIENT -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT +``` + - - + + This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. -If you enable this policy setting, you can set the local computer clock to synchronize time with NTP servers. +- If you enable this policy setting, you can set the local computer clock to synchronize time with NTP servers. -If you disable or don't configure this policy setting, the local computer clock doesn't synchronize time with NTP servers. +- If you disable or do not configure this policy setting, the local computer clock does not synchronize time with NTP servers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable Windows NTP Client* -- GP name: *W32TIME_POLICY_ENABLE_NTPCLIENT* -- GP path: *System\Windows Time Service\Time Providers* -- GP ADMX file name: *W32Time.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | W32TIME_POLICY_ENABLE_NTPCLIENT | +| Friendly Name | Enable Windows NTP Client | +| Location | Computer Configuration | +| Path | System > Windows Time Service > Time Providers | +| Registry Key Name | Software\Policies\Microsoft\W32time\TimeProviders\NtpClient | +| Registry Value Name | Enabled | +| ADMX File Name | W32Time.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## W32TIME_POLICY_ENABLE_NTPSERVER -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER +``` + - - + + This policy setting allows you to specify whether the Windows NTP Server is enabled. -If you enable this policy setting for the Windows NTP Server, your computer can service NTP requests from other computers. +- If you enable this policy setting for the Windows NTP Server, your computer can service NTP requests from other computers. -If you disable or don't configure this policy setting, your computer can't service NTP requests from other computers. +- If you disable or do not configure this policy setting, your computer cannot service NTP requests from other computers. + - + + + - -ADMX Info: -- GP Friendly name: *Enable Windows NTP Server* -- GP name: *W32TIME_POLICY_ENABLE_NTPSERVER* -- GP path: *System\Windows Time Service\Time Providers* -- GP ADMX file name: *W32Time.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | W32TIME_POLICY_ENABLE_NTPSERVER | +| Friendly Name | Enable Windows NTP Server | +| Location | Computer Configuration | +| Path | System > Windows Time Service > Time Providers | +| Registry Key Name | Software\Policies\Microsoft\W32Time\TimeProviders\NtpServer | +| Registry Value Name | Enabled | +| ADMX File Name | W32Time.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md index 4a75b6002b..f572e7a8d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-wcm.md +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md 
@@ -1,202 +1,228 @@ --- -title: Policy CSP - ADMX_WCM -description: Learn about Policy CSP - ADMX_WCM. +title: ADMX_WCM Policy CSP +description: Learn more about the ADMX_WCM Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/22/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WCM + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_WCM policies + +## WCM_DisablePowerManagement -
    -
    - ADMX_WCM/WCM_DisablePowerManagement -
    -
    - ADMX_WCM/WCM_EnableSoftDisconnect -
    -
    - ADMX_WCM/WCM_MinimizeConnections -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WCM/WCM_DisablePowerManagement +``` + -
    - - -**ADMX_WCM/WCM_DisablePowerManagement** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies that power management is disabled when the machine enters connected standby mode. -If this policy setting is enabled, Windows Connection Manager doesn't manage adapter radios to reduce power consumption when the machine enters connected standby mode. +- If this policy setting is enabled, Windows Connection Manager does not manage adapter radios to reduce power consumption when the machine enters connected standby mode. -If this policy setting isn't configured or is disabled, power management is enabled when the machine enters connected standby mode. +- If this policy setting is not configured or is disabled, power management is enabled when the machine enters connected standby mode. + - + + + - -ADMX Info: -- GP Friendly name: *Disable power management in connected standby mode* -- GP name: *WCM_DisablePowerManagement* -- GP path: *Network\Windows Connection Manager* -- GP ADMX file name: *WCM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_WCM/WCM_EnableSoftDisconnect** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WCM_DisablePowerManagement | +| Friendly Name | Disable power management in connected standby mode | +| Location | Computer Configuration | +| Path | Network > Windows Connection Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy | +| Registry Value Name | fDisablePowerManagement | +| ADMX File Name | WCM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WCM_EnableSoftDisconnect -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WCM/WCM_EnableSoftDisconnect +``` + + + + This policy setting determines whether Windows will soft-disconnect a computer from a network. -If this policy setting is enabled or not configured, Windows will soft-disconnect a computer from a network when it determines that the computer should no longer be connected to a network. +- If this policy setting is enabled or not configured, Windows will soft-disconnect a computer from a network when it determines that the computer should no longer be connected to a network. -If this policy setting is disabled, Windows will disconnect a computer from a network immediately when it determines that the computer should no longer be connected to a network. +- If this policy setting is disabled, Windows will disconnect a computer from a network immediately when it determines that the computer should no longer be connected to a network. When soft disconnect is enabled: - -- Windows decides that the computer should no longer be connected to a network, it waits for traffic to settle on that network. The existing TCP session will continue uninterrupted. +- When Windows decides that the computer should no longer be connected to a network, it waits for traffic to settle on that network. The existing TCP session will continue uninterrupted. - Windows then checks the traffic level on the network periodically. If the traffic level is above a certain threshold, no further action is taken. The computer stays connected to the network and continues to use it. For example, if the network connection is currently being used to download files from the Internet, the files will continue to be downloaded using that network connection. -- Network traffic drops below this threshold, the computer will be disconnected from the network. 
Apps that keep a network connection active even when they’re not actively using it (for example, email apps) might lose their connection. If this connection loss happens, these apps should re-establish their connection over a different network. +- When the network traffic drops below this threshold, the computer will be disconnected from the network. Apps that keep a network connection active even when they're not actively using it (for example, email apps) might lose their connection. If this happens, these apps should re-establish their connection over a different network. -This policy setting depends on other group policy settings. For example, if 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is disabled, Windows won't disconnect from any networks. +This policy setting depends on other group policy settings. For example, if 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is disabled, Windows will not disconnect from any networks. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable Windows to soft-disconnect a computer from a network* -- GP name: *WCM_EnableSoftDisconnect* -- GP path: *Network\Windows Connection Manager* -- GP ADMX file name: *WCM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WCM/WCM_MinimizeConnections** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WCM_EnableSoftDisconnect | +| Friendly Name | Enable Windows to soft-disconnect a computer from a network | +| Location | Computer Configuration | +| Path | Network > Windows Connection Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy | +| Registry Value Name | fSoftDisconnectConnections | +| ADMX File Name | WCM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## WCM_MinimizeConnections -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WCM/WCM_MinimizeConnections +``` + - - + + This policy setting determines if a computer can have multiple connections to the internet or to a Windows domain. If multiple connections are allowed, it then determines how network traffic will be routed. -If this policy setting is set to 0, a computer can have simultaneous connections to the internet, to a Windows domain, or to both. Internet traffic can be routed over any connection - including a cellular connection and any metered network. This value of 0 was previously the "Disabled" state for this policy setting. This option was first available in Windows 8. +- If this policy setting is set to 0, a computer can have simultaneous connections to the internet, to a Windows domain, or to both. Internet traffic can be routed over any connection - including a cellular connection and any metered network. This was previously the Disabled state for this policy setting. This option was first available in Windows 8. -If this policy setting is set to 1, any new automatic internet connection is blocked when the computer has at least one active internet connection to a preferred type of network. Here's the order of preference (from most preferred to least preferred): Ethernet, WLAN, then cellular. Ethernet is always preferred when connected. Users can still manually connect to any network. This value of 1 was previously the "Enabled" state for this policy setting. This option was first available in Windows 8. +- If this policy setting is set to 1, any new automatic internet connection is blocked when the computer has at least one active internet connection to a preferred type of network. Here's the order of preference (from most preferred to least preferred): Ethernet, WLAN, then cellular. Ethernet is always preferred when connected. Users can still manually connect to any network. This was previously the Enabled state for this policy setting. 
This option was first available in Windows 8. -If this policy setting is set to 2, the behavior is similar to 1. However, if a cellular data connection is available, it will always stay connected for services that require a cellular connection. When the user is connected to a WLAN or Ethernet connection, no internet traffic will be routed over the cellular connection. This option was first available in Windows 10 (Version 1703). +- If this policy setting is set to 2, the behavior is similar to 1. However, if a cellular data connection is available, it will always stay connected for services that require a cellular connection. When the user is connected to a WLAN or Ethernet connection, no internet traffic will be routed over the cellular connection. This option was first available in Windows 10 (Version 1703). -If this policy setting is set to 3, the behavior is similar to 2. However, if there's an Ethernet connection, Windows won't allow users to connect to a WLAN manually. A WLAN can only be connected (automatically or manually) when there's no Ethernet connection. +- If this policy setting is set to 3, the behavior is similar to 2. However, if there's an Ethernet connection, Windows won't allow users to connect to a WLAN manually. A WLAN can only be connected (automatically or manually) when there's no Ethernet connection. This policy setting is related to the "Enable Windows to soft-disconnect a computer from a network" policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Minimize the number of simultaneous connections to the Internet or a Windows Domain* -- GP name: *WCM_MinimizeConnections* -- GP path: *Network\Windows Connection Manager* -- GP ADMX file name: *WCM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | WCM_MinimizeConnections | +| Friendly Name | Minimize the number of simultaneous connections to the Internet or a Windows Domain | +| Location | Computer Configuration | +| Path | Network > Windows Connection Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy | +| ADMX File Name | WCM.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-wdi.md b/windows/client-management/mdm/policy-csp-admx-wdi.md index 97629732ad..7091d18390 100644 --- a/windows/client-management/mdm/policy-csp-admx-wdi.md +++ b/windows/client-management/mdm/policy-csp-admx-wdi.md @@ -1,147 +1,166 @@ --- -title: Policy CSP - ADMX_WDI -description: Learn about Policy CSP - ADMX_WDI. +title: ADMX_WDI Policy CSP +description: Learn more about the ADMX_WDI Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WDI -
    - - -## ADMX_WDI policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_WDI/WdiDpsScenarioExecutionPolicy -
    -
    - ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy -
    -
    + + + + +## WdiDpsScenarioDataSizeLimitPolicy -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_WDI/WdiDpsScenarioExecutionPolicy** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines the data retention limit for Diagnostic Policy Service (DPS) scenario data. -If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached. +- If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached. -If you disable or don't configure this policy setting, the DPS deletes scenario data once it exceeds 128 megabytes in size. No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. +- If you disable or do not configure this policy setting, the DPS deletes scenario data once it exceeds 128 megabytes in size. ->[!NOTE] -> This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenario data won't be deleted. -> -> The DPS can be configured with the Services snap-in to the Microsoft Management Console. +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. - +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenario data will not be deleted. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + - -ADMX Info: -- GP Friendly name: *Diagnostics: Configure scenario retention* -- GP name: *WdiDpsScenarioExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics* -- GP ADMX file name: *WDI.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | WdiDpsScenarioDataSizeLimitPolicy | +| Friendly Name | Diagnostics: Configure scenario retention | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI | +| Registry Value Name | DataRetentionBySizeEnabled | +| ADMX File Name | WDI.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## WdiDpsScenarioExecutionPolicy - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WDI/WdiDpsScenarioExecutionPolicy +``` + + + + This policy setting determines the execution level for Diagnostic Policy Service (DPS) scenarios. -If you enable this policy setting, you must select an execution level from the drop-down menu. +- If you enable this policy setting, you must select an execution level from the drop-down menu. If you select problem detection and troubleshooting only, the DPS will detect problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will attempt to automatically fix problems it detects or indicate to the user that assisted resolution is available. -- If you select problem detection and troubleshooting only, the DPS will detect problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. -- If you select detection, troubleshooting and resolution, the DPS will attempt to automatically fix problems it detects or indicate to the user that assisted resolution is available. +- If you disable this policy setting, Windows cannot detect, troubleshoot, or resolve any problems that are handled by the DPS. -If you disable this policy setting, Windows can't detect, troubleshoot, or resolve any problems that are handled by the DPS. +- If you do not configure this policy setting, the DPS enables all scenarios for resolution by default, unless you configure separate scenario-specific policy settings. -If you don't configure this policy setting, the DPS enables all scenarios for resolution by default, unless you configure separate scenario-specific policy settings. 
This policy setting takes precedence over any scenario-specific policy settings when it's enabled or disabled. Scenario-specific policy settings only take effect if this policy setting isn't configured. No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. +This policy setting takes precedence over any scenario-specific policy settings when it is enabled or disabled. Scenario-specific policy settings only take effect if this policy setting is not configured. - +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. + - -ADMX Info: -- GP Friendly name: *Diagnostics: Configure scenario execution level* -- GP name: *WdiDpsScenarioDataSizeLimitPolicy* -- GP path: *System\Troubleshooting and Diagnostics* -- GP ADMX file name: *WDI.admx* + + + - - -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -## Related topics + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WdiDpsScenarioExecutionPolicy | +| Friendly Name | Diagnostics: Configure scenario execution level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | WDI.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md index edc0cee9ca..874461182f 100644 --- a/windows/client-management/mdm/policy-csp-admx-wincal.md +++ b/windows/client-management/mdm/policy-csp-admx-wincal.md 
@@ -1,138 +1,160 @@ --- -title: Policy CSP - ADMX_WinCal -description: Policy CSP - ADMX_WinCal +title: ADMX_WinCal Policy CSP +description: Learn more about the ADMX_WinCal Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/28/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WinCal + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_WinCal policies + +## TurnOffWinCal_1 -
    -
    - ADMX_WinCal/TurnOffWinCal_1 -
    -
    - ADMX_WinCal/TurnOffWinCal_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WinCal/TurnOffWinCal_1 +``` + -
    - - -**ADMX_WinCal/TurnOffWinCal_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. - If you enable this setting, Windows Calendar will be turned off. + - If you disable or do not configure this setting, Windows Calendar will be turned on. The default is for Windows Calendar to be turned on. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Windows Calendar* -- GP name: *TurnOffWinCal_1* -- GP path: *Windows Components\Windows Calendar* -- GP ADMX file name: *WinCal.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WinCal/TurnOffWinCal_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TurnOffWinCal_1 | +| Friendly Name | Turn off Windows Calendar | +| Location | User Configuration | +| Path | Windows Components > Windows Calendar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Windows | +| Registry Value Name | TurnOffWinCal | +| ADMX File Name | WinCal.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TurnOffWinCal_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WinCal/TurnOffWinCal_2 +``` + - - + + Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. - If you enable this setting, Windows Calendar will be turned off. + - If you disable or do not configure this setting, Windows Calendar will be turned on. The default is for Windows Calendar to be turned on. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows Calendar* -- GP name: *TurnOffWinCal_2* -- GP path: *Windows Components\Windows Calendar* -- GP ADMX file name: *WinCal.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | TurnOffWinCal_2 | +| Friendly Name | Turn off Windows Calendar | +| Location | Computer Configuration | +| Path | Windows Components > Windows Calendar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Windows | +| Registry Value Name | TurnOffWinCal | +| ADMX File Name | WinCal.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md index 42a29e7391..ddc84d4371 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md +++ b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md @@ -1,136 +1,156 @@ --- -title: Policy CSP - ADMX_WindowsColorSystem -description: Policy CSP - ADMX_WindowsColorSystem +title: ADMX_WindowsColorSystem Policy CSP +description: Learn more about the ADMX_WindowsColorSystem Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/27/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WindowsColorSystem -
    - - -## ADMX_WindowsColorSystem policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_1 -
    -
    - ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_2 -
    -
    + + + + +## ProhibitChangingInstalledProfileList_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**WindowsColorSystem/ProhibitChangingInstalledProfileList_1** + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_1 +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting affects the ability of users to install or uninstall color profiles. - If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles. - If you disable or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profiles that they previously installed. Administrators will be able to uninstall all color profiles. + - + + + - -ADMX Info: -- GP Friendly name: *Prohibit installing or uninstalling color profiles* -- GP name: *ProhibitChangingInstalledProfileList_1* -- GP path: *Windows Components\Windows Color System* -- GP ADMX file name: *WindowsColorSystem.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**WindowsColorSystem/ProhibitChangingInstalledProfileList_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ProhibitChangingInstalledProfileList_1 | +| Friendly Name | Prohibit installing or uninstalling color profiles | +| Location | User Configuration | +| Path | Windows Components > Windows Color System | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsColorSystem | +| Registry Value Name | ProhibitInstallUninstall | +| ADMX File Name | WindowsColorSystem.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## ProhibitChangingInstalledProfileList_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_2 +``` + + + + This policy setting affects the ability of users to install or uninstall color profiles. - If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles. - If you disable or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profiles that they previously installed. Administrators will be able to uninstall all color profiles. + - + + + - -ADMX Info: -- GP Friendly name: *Prohibit installing or uninstalling color profiles* -- GP name: *ProhibitChangingInstalledProfileList_2* -- GP path: *Windows Components\Windows Color System* -- GP ADMX file name: *WindowsColorSystem.admx* + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ProhibitChangingInstalledProfileList_2 | +| Friendly Name | Prohibit installing or uninstalling color profiles | +| Location | Computer Configuration | +| Path | Windows Components > Windows Color System | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsColorSystem | +| Registry Value Name | ProhibitInstallUninstall | +| ADMX File Name | WindowsColorSystem.admx | + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md index 046317d948..5cacedd443 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md 
@@ -1,199 +1,222 @@ --- -title: Policy CSP - ADMX_WindowsConnectNow -description: Policy CSP - ADMX_WindowsConnectNow +title: ADMX_WindowsConnectNow Policy CSP +description: Learn more about the ADMX_WindowsConnectNow Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/28/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WindowsConnectNow + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_WindowsConnectNow policies + +## WCN_DisableWcnUi_1 -
    -
    - ADMX_WindowsConnectNow/WCN_DisableWcnUi_1 -
    -
    - ADMX_WindowsConnectNow/WCN_DisableWcnUi_2 -
    -
    - ADMX_WindowsConnectNow/WCN_EnableRegistrar -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsConnectNow/WCN_DisableWcnUi_1 +``` + -
    - - -**ADMX_WindowsConnectNow/WCN_DisableWcnUi_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting prohibits access to Windows Connect Now (WCN) wizards. -- If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. +- If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. -All the configuration-related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. +- If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. + -- If you disable or don't configure this policy setting, users can access the wizard tasks. + + + -They are "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Prohibit access of the Windows Connect Now wizards* -- GP name: *WCN_DisableWcnUi_1* -- GP path: *Network\Windows Connect Now* -- GP ADMX file name: *WindowsConnectNow.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_WindowsConnectNow/WCN_DisableWcnUi_2** +| Name | Value | +|:--|:--| +| Name | WCN_DisableWcnUi_1 | +| Friendly Name | Prohibit access of the Windows Connect Now wizards | +| Location | User Configuration | +| Path | Network > Windows Connect Now | +| Registry Key Name | Software\Policies\Microsoft\Windows\WCN\UI | +| Registry Value Name | DisableWcnUi | +| ADMX File Name | WindowsConnectNow.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## WCN_DisableWcnUi_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsConnectNow/WCN_DisableWcnUi_2 +``` + -
    - - - + + This policy setting prohibits access to Windows Connect Now (WCN) wizards. -- If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. +- If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. -All the configuration-related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. +- If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. + -- If you disable or don't configure this policy setting, users can access the wizard tasks. + + + -They are "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Prohibit access of the Windows Connect Now wizards* -- GP name: *WCN_DisableWcnUi_2* -- GP path: *Network\Windows Connect Now* -- GP ADMX file name: *WindowsConnectNow.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | WCN_DisableWcnUi_2 | +| Friendly Name | Prohibit access of the Windows Connect Now wizards | +| Location | Computer Configuration | +| Path | Network > Windows Connect Now | +| Registry Key Name | Software\Policies\Microsoft\Windows\WCN\UI | +| Registry Value Name | DisableWcnUi | +| ADMX File Name | WindowsConnectNow.admx | + - -**ADMX_WindowsConnectNow/WCN_EnableRegistrar** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## WCN_EnableRegistrar - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsConnectNow/WCN_EnableRegistrar +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives. -More options are available to allow discovery and configuration over a specific medium. +Additional options are available to allow discovery and configuration over a specific medium. + +- If you enable this policy setting, additional choices are available to turn off the operations over a specific medium. -- If you enable this policy setting, more choices are available to turn off the operations over a specific medium. - If you disable this policy setting, operations are disabled over all media. -If you don't configure this policy setting, operations are enabled over all media. +- If you do not configure this policy setting, operations are enabled over all media. The default for this policy setting allows operations over all media. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configuration of wireless settings using Windows Connect Now* -- GP name: *WCN_EnableRegistrar* -- GP path: *Network\Windows Connect Now* -- GP ADMX file name: *WindowsConnectNow.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | WCN_EnableRegistrar | +| Friendly Name | Configuration of wireless settings using Windows Connect Now | +| Location | Computer Configuration | +| Path | Network > Windows Connect Now | +| Registry Key Name | Software\Policies\Microsoft\Windows\WCN\Registrars | +| Registry Value Name | EnableRegistrars | +| ADMX File Name | WindowsConnectNow.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index f50c1a3948..8a53921483 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md 
@@ -1,2384 +1,2782 @@ --- -title: Policy CSP - ADMX_WindowsExplorer -description: Policy CSP - ADMX_WindowsExplorer +title: ADMX_WindowsExplorer Policy CSP +description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 02/10/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/29/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WindowsExplorer > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - + +## CheckSameSourceAndTargetForFRAndDFS -## ADMX_WindowsExplorer policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS -
    -
    - ADMX_WindowsExplorer/ClassicShell -
    -
    - ADMX_WindowsExplorer/ConfirmFileDelete -
    -
    - ADMX_WindowsExplorer/DefaultLibrariesLocation -
    -
    - ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage -
    -
    - ADMX_WindowsExplorer/DisableIndexedLibraryExperience -
    -
    - ADMX_WindowsExplorer/DisableKnownFolders -
    -
    - ADMX_WindowsExplorer/DisableSearchBoxSuggestions -
    -
    - ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath -
    -
    - ADMX_WindowsExplorer/EnableSmartScreen -
    -
    - ADMX_WindowsExplorer/EnforceShellExtensionSecurity -
    -
    - ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized -
    -
    - ADMX_WindowsExplorer/HideContentViewModeSnippets -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown -
    -
    - ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo -
    -
    - ADMX_WindowsExplorer/MaxRecentDocs -
    -
    - ADMX_WindowsExplorer/NoBackButton -
    -
    - ADMX_WindowsExplorer/NoCDBurning -
    -
    - ADMX_WindowsExplorer/NoCacheThumbNailPictures -
    -
    - ADMX_WindowsExplorer/NoChangeAnimation -
    -
    - ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators -
    -
    - ADMX_WindowsExplorer/NoDFSTab -
    -
    - ADMX_WindowsExplorer/NoDrives -
    -
    - ADMX_WindowsExplorer/NoEntireNetwork -
    -
    - ADMX_WindowsExplorer/NoFileMRU -
    -
    - ADMX_WindowsExplorer/NoFileMenu -
    -
    - ADMX_WindowsExplorer/NoFolderOptions -
    -
    - ADMX_WindowsExplorer/NoHardwareTab -
    -
    - ADMX_WindowsExplorer/NoManageMyComputerVerb -
    -
    - ADMX_WindowsExplorer/NoMyComputerSharedDocuments -
    -
    - ADMX_WindowsExplorer/NoNetConnectDisconnect -
    -
    - ADMX_WindowsExplorer/NoNewAppAlert -
    -
    - ADMX_WindowsExplorer/NoPlacesBar -
    -
    - ADMX_WindowsExplorer/NoRecycleFiles -
    -
    - ADMX_WindowsExplorer/NoRunAsInstallPrompt -
    -
    - ADMX_WindowsExplorer/NoSearchInternetTryHarderButton -
    -
    - ADMX_WindowsExplorer/NoSecurityTab -
    -
    - ADMX_WindowsExplorer/NoShellSearchButton -
    -
    - ADMX_WindowsExplorer/NoStrCmpLogical -
    -
    - ADMX_WindowsExplorer/NoViewContextMenu -
    -
    - ADMX_WindowsExplorer/NoViewOnDrive -
    -
    - ADMX_WindowsExplorer/NoWindowsHotKeys -
    -
    - ADMX_WindowsExplorer/NoWorkgroupContents -
    -
    - ADMX_WindowsExplorer/PlacesBar -
    -
    - ADMX_WindowsExplorer/PromptRunasInstallNetPath -
    -
    - ADMX_WindowsExplorer/RecycleBinSize -
    -
    - ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1 -
    -
    - ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2 -
    -
    - ADMX_WindowsExplorer/ShowHibernateOption -
    -
    - ADMX_WindowsExplorer/ShowSleepOption -
    -
    - ADMX_WindowsExplorer/TryHarderPinnedLibrary -
    -
    - ADMX_WindowsExplorer/TryHarderPinnedOpenSearch -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS +``` + - -
    - - -**ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to prevent data loss when you change the target location for Folder Redirection, and the new and old targets point to the same network share, but have different network paths. -If you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is updated and files aren't copied or deleted. The temporary file is deleted. +- If you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is updated and files are not copied or deleted. The temporary file is deleted. -If you disable or do not configure this policy setting, Folder Redirection does not create a temporary file and functions as if both new and old locations point to different shares when their network paths are different. +- If you disable or do not configure this policy setting, Folder Redirection does not create a temporary file and functions as if both new and old locations point to different shares when their network paths are different. > [!NOTE] > If the paths point to different network shares, this policy setting is not required. If the paths point to the same network share, any data contained in the redirected folders is deleted if this policy setting is not enabled. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Verify old and new Folder Redirection targets point to the same share before redirecting* -- GP name: *CheckSameSourceAndTargetForFRAndDFS* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_WindowsExplorer/ClassicShell** +| Name | Value | +|:--|:--| +| Name | CheckSameSourceAndTargetForFRAndDFS | +| Friendly Name | Verify old and new Folder Redirection targets point to the same share before redirecting | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | CheckSameSourceAndTargetForFRAndDFS | +| ADMX File Name | WindowsExplorer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## ClassicShell - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ClassicShell +``` + -
    - - - + + This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior. -If you enable this setting, users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users cannot restore the new features. - +- If you enable this setting, users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users cannot restore the new features. Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the users ability to change these options. -If you disable or not configure this policy, the default File Explorer behavior is applied to the user. +- If you disable or not configure this policy, the default File Explorer behavior is applied to the user. - +> [!NOTE] +> In operating systems earlier than Windows Vista, enabling this policy will also disable the Active Desktop and Web view. This setting will also take precedence over the "Enable Active Desktop" setting. If both policies are enabled, Active Desktop is disabled. +Also, see the "Disable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop and the "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" setting in User Configuration\Administrative Templates\Windows Components\File Explorer. + - -ADMX Info: -- GP Friendly name: *Turn on Classic Shell* -- GP name: *ClassicShell* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_WindowsExplorer/ConfirmFileDelete** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | ClassicShell | +| Friendly Name | Turn on Classic Shell | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ClassicShell | +| ADMX File Name | WindowsExplorer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## ConfirmFileDelete - - -Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this setting, a confirmation dialog is displayed when a file is deleted or moved to the Recycle Bin by the user. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ConfirmFileDelete +``` + -If you disable or do not configure this setting, the default behavior of not displaying a confirmation dialog occurs. + + +Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin. - +- If you enable this setting, a confirmation dialog is displayed when a file is deleted or moved to the Recycle Bin by the user. - -ADMX Info: -- GP Friendly name: *Display confirmation dialog when deleting files* -- GP name: *ConfirmFileDelete* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +- If you disable or do not configure this setting, the default behavior of not displaying a confirmation dialog occurs. + - - -
    + + + - -**ADMX_WindowsExplorer/DefaultLibrariesLocation** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | ConfirmFileDelete | +| Friendly Name | Display confirmation dialog when deleting files | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ConfirmFileDelete | +| ADMX File Name | WindowsExplorer.admx | + -> [!div class = "checklist"] -> * Device -> * User + + + -
    + - - + +## DefaultLibrariesLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DefaultLibrariesLocation +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DefaultLibrariesLocation +``` + + + + This policy setting allows you to specify a location where all default Library definition files for users/machines reside. -If you enable this policy setting, administrators can specify a path where all default Library definition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon, the policy settings are verified and Libraries for the user are updated or changed according to the path defined. +- If you enable this policy setting, administrators can specify a path where all default Library definition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon, the policy settings are verified and Libraries for the user are updated or changed according to the path defined. -If you disable or do not configure this policy setting, no changes are made to the location of the default Library definition files. +- If you disable or do not configure this policy setting, no changes are made to the location of the default Library definition files. + - + + + - -ADMX Info: -- GP Friendly name: *Location where all default Library definition files for users/machines reside.* -- GP name: *DefaultLibrariesLocation* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DefaultLibrariesLocation | +| Friendly Name | Location where all default Library definition files for users/machines reside. | +| Location | Computer and User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Explorer | +| ADMX File Name | WindowsExplorer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device -> * User + +## DisableBindDirectlyToPropertySetStorage -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage +``` -This behavior is consistent with Windows Vista's behavior in this scenario. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage +``` + + + + +Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System. This behavior is consistent with Windows Vista's behavior in this scenario. This disables access to user-defined properties, and properties stored in NTFS secondary streams. + - + + + - -ADMX Info: -- GP Friendly name: *Disable binding directly to IPropertySetStorage without intermediate layers.* -- GP name: *DisableBindDirectlyToPropertySetStorage* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_WindowsExplorer/DisableIndexedLibraryExperience** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableBindDirectlyToPropertySetStorage | +| Friendly Name | Disable binding directly to IPropertySetStorage without intermediate layers. | +| Location | Computer and User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableBindDirectlyToPropertySetStorage | +| ADMX File Name | WindowsExplorer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## DisableIndexedLibraryExperience -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableIndexedLibraryExperience +``` + + + + This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. - -If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that have been redirected to non-indexed network locations. - +- If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that have been redirected to non-indexed network locations. Setting this policy will: +* Disable all Arrangement views except for "By Folder" +* Disable all Search filter suggestions other than "Date Modified" and "Size" +* Disable view of file content snippets in Content mode when search results are returned +* Disable ability to stack in the Context menu and Column headers +* Exclude Libraries from the scope of Start search +This policy will not enable users to add unsupported locations to Libraries. -- Disable all Arrangement views except for "By Folder" -- Disable all Search filter suggestions other than "Date Modified" and "Size" -- Disable view of file content snippets in Content mode when search results are returned -- Disable ability to stack in the Context menu and Column headers -- Exclude Libraries from the scope of Start search This policy will not enable users to add unsupported locations to Libraries +- If you enable this policy, Windows Libraries features that rely on indexed file data will be disabled. +- If you disable or do not configure this policy, all default Windows Libraries features will be enabled. + -If you enable this policy, Windows Libraries features that rely on indexed file data will be disabled. + + + -If you disable or do not configure this policy, all default Windows Libraries features will be enabled. 
+ +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Turn off Windows Libraries features that rely on indexed file data* -- GP name: *DisableIndexedLibraryExperience* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | DisableIndexedLibraryExperience | +| Friendly Name | Turn off Windows Libraries features that rely on indexed file data | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableIndexedLibraryExperience | +| ADMX File Name | WindowsExplorer.admx | + - -**ADMX_WindowsExplorer/DisableKnownFolders** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DisableKnownFolders - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableKnownFolders +``` + -> [!div class = "checklist"] -> * User + + +This policy setting allows you to specify a list of known folders that should be disabled. Disabling a known folder will prevent the underlying file or directory from being created via the known folder API. If the folder exists before the policy is applied, the folder must be manually deleted since the policy only blocks the creation of the folder. -
    - - - -This policy setting allows you to specify a list of known folders that should be disabled. - -Disabling a known folder will prevent the underlying file or directory from being created via the known folder API. If the folder exists before the policy is applied, the folder must be manually deleted since the policy only blocks the creation of the folder. - -You can specify a known folder using its known folder ID or using its canonical name. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos. +You can specify a known folder using its known folder id or using its canonical name. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos. > [!NOTE] > Disabling a known folder can introduce application compatibility issues in applications that depend on the existence of the known folder. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Disable Known Folders* -- GP name: *DisableKnownFolders* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/DisableSearchBoxSuggestions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableKnownFolders | +| Friendly Name | Disable Known Folders | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableKnownFolders | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableSearchBoxSuggestions -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableSearchBoxSuggestions +``` + - - + + Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the registry for future references. -File Explorer shows suggestion pop-ups as users type into the Search Box. - -These suggestions are based on their past entries into the Search Box. +File Explorer shows suggestion pop-ups as users type into the Search Box. These suggestions are based on their past entries into the Search Box. > [!NOTE] > If you enable this policy, File Explorer will not show suggestion pop-ups as users type into the Search Box, and it will not store Search Box entries into the registry for future references. If the user types a property, values that match this property will be shown but no data will be saved in the registry or re-shown on subsequent uses of the search box. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off display of recent search entries in the File Explorer search box* -- GP name: *DisableSearchBoxSuggestions* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath** +| Name | Value | +|:--|:--| +| Name | DisableSearchBoxSuggestions | +| Friendly Name | Turn off display of recent search entries in the File Explorer search box | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableSearchBoxSuggestions | +| ADMX File Name | WindowsExplorer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## EnableShellShortcutIconRemotePath - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath +``` + -
    - - - + + This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. - If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths. + - If you disable or do not configure this policy setting, file shortcut icons that use remote paths are prevented from being displayed. > [!NOTE] -> Allowing the use of remote paths in file shortcut icons can expose users’ computers to security risks. +> Allowing the use of remote paths in file shortcut icons can expose users' computers to security risks. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow the use of remote paths in file shortcut icons* -- GP name: *EnableShellShortcutIconRemotePath* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_WindowsExplorer/EnableSmartScreen** +| Name | Value | +|:--|:--| +| Name | EnableShellShortcutIconRemotePath | +| Friendly Name | Allow the use of remote paths in file shortcut icons | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | EnableShellShortcutIconRemotePath | +| ADMX File Name | WindowsExplorer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## EnableSmartScreen - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/EnableSmartScreen +``` + -
    - - - + + This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. -If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options: +- If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options: - Warn and prevent bypass - Warn -If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. +- If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. -If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet. 
+- If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. -If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. +- If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet. - +- If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. + + + - -ADMX Info: -- GP Friendly name: *Configure Windows Defender SmartScreen* -- GP name: *EnableSmartScreen* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +For more information, see [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview). + - - -
    + +**Description framework properties**: - -**ADMX_WindowsExplorer/EnforceShellExtensionSecurity** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | EnableSmartScreen | +| Friendly Name | Configure Windows Defender SmartScreen | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableSmartScreen | +| ADMX File Name | WindowsExplorer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## EnforceShellExtensionSecurity - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/EnforceShellExtensionSecurity +``` + + + + This setting is designed to ensure that shell extensions can operate on a per-user basis. +- If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact other users of the machine. -If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact other users of the machine. A shell extension only runs if there is an entry in at least one of the following locations in registry. +A shell extension only runs if there is an entry in at least one of the following locations in registry. For shell extensions that have been approved by the administrator and are available to all users of the computer, there must be an entry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. For shell extensions to run on a per-user basis, there must be an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow only per user or approved shell extensions* -- GP name: *EnforceShellExtensionSecurity* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnforceShellExtensionSecurity | +| Friendly Name | Allow only per user or approved shell extensions | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | EnforceShellExtensionSecurity | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ExplorerRibbonStartsMinimized -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized +``` + + + + This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. +- If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever they open new windows. +- If you disable or do not configure this policy setting, users can choose how the ribbon appears when they open new windows. + -If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever they open new windows. + + + -If you disable or do not configure this policy setting, users can choose how the ribbon appears when they open new windows. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Start File Explorer with ribbon minimized* -- GP name: *ExplorerRibbonStartsMinimized* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | ExplorerRibbonStartsMinimized | +| Friendly Name | Start File Explorer with ribbon minimized | +| Location | Computer and User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ExplorerRibbonStartsMinimized | +| ADMX File Name | WindowsExplorer.admx | + - -**ADMX_WindowsExplorer/HideContentViewModeSnippets** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## HideContentViewModeSnippets - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/HideContentViewModeSnippets +``` + -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to turn off the display of snippets in Content view mode. - If you enable this policy setting, File Explorer will not display snippets in Content view mode. + - If you disable or do not configure this policy setting, File Explorer shows snippets in Content view mode by default. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off the display of snippets in Content view mode* -- GP name: *HideContentViewModeSnippets* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HideContentViewModeSnippets | +| Friendly Name | Turn off the display of snippets in Content view mode | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | HideContentViewModeSnippets | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchPreview_Internet -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet +``` + + + + This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. - If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + - If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_Internet* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchPreview_Internet | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchPreview_InternetLockdown -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown +``` + + + + This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. - If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + - If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_InternetLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchPreview_InternetLockdown | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchPreview_Intranet -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet +``` + + + + This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. 
-If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_Intranet* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchPreview_Intranet | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchPreview_IntranetLockdown -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown +``` + + + + This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. 
-If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_IntranetLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchPreview_IntranetLockdown | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchPreview_LocalMachine -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine +``` + + + + This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. 
-If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_LocalMachine* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchPreview_LocalMachine | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchPreview_LocalMachineLockdown -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown +``` + + + + This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. 
-If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_LocalMachineLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchPreview_LocalMachineLockdown | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchPreview_Restricted -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted +``` + + + + This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. 
-If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_Restricted* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchPreview_Restricted | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchPreview_RestrictedLockdown -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown +``` + + + + This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. 
-If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_RestrictedLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchPreview_RestrictedLockdown | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchPreview_Trusted -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted +``` + + + + This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. 
-If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_Trusted* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchPreview_Trusted | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchPreview_TrustedLockdown -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown +``` + + + + This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. 
-If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_TrustedLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchPreview_TrustedLockdown | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchQuery_Internet -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet +``` + + + + This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_Internet* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchQuery_Internet | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchQuery_InternetLockdown -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown +``` + + + + This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_InternetLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchQuery_InternetLockdown | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchQuery_Intranet -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet +``` + + + + This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_Intranet* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchQuery_Intranet | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchQuery_IntranetLockdown -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown +``` + + + + This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_IntranetLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchQuery_IntranetLockdown | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchQuery_LocalMachine -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine +``` + + + + This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_LocalMachine* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchQuery_LocalMachine | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchQuery_LocalMachineLockdown -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown +``` + + + + This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_LocalMachineLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchQuery_LocalMachineLockdown | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchQuery_Restricted -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted +``` + + + + This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_Restricted* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown** +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchQuery_Restricted | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## IZ_Policy_OpenSearchQuery_RestrictedLockdown - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown +``` + - - + + This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_RestrictedLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted** +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchQuery_RestrictedLockdown | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## IZ_Policy_OpenSearchQuery_Trusted - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted +``` + - - + + This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_Trusted* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchQuery_Trusted | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IZ_Policy_OpenSearchQuery_TrustedLockdown -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown +``` + + + + This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_TrustedLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_OpenSearchQuery_TrustedLockdown | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LinkResolveIgnoreLinkInfo -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo +``` + - - + + This policy setting determines whether Windows traces shortcuts back to their sources when it cannot find the target on the user's system. Shortcut files typically include an absolute path to the original target file as well as the relative path to the current target file. When the system cannot find the file in the current target path, then, by default, it searches for the target in the original path. If the shortcut has been copied to a different computer, the original path might lead to a network computer, including external resources, such as an Internet server. -If you enable this policy setting, Windows only searches the current target path. It does not search for the original path even when it cannot find the target file in the current target path. +- If you enable this policy setting, Windows only searches the current target path. It does not search for the original path even when it cannot find the target file in the current target path. -If you disable or do not configure this policy setting, Windows searches for the original path when it cannot find the target file in the current target path. +- If you disable or do not configure this policy setting, Windows searches for the original path when it cannot find the target file in the current target path. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not track Shell shortcuts during roaming* -- GP name: *LinkResolveIgnoreLinkInfo* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/MaxRecentDocs** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | LinkResolveIgnoreLinkInfo | +| Friendly Name | Do not track Shell shortcuts during roaming | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | LinkResolveIgnoreLinkInfo | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MaxRecentDocs -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/MaxRecentDocs +``` + - - -This policy setting allows you to set the maximum number of shortcuts the system can display in the Recent Items menu on the Start menu. The Recent Items menu contains shortcuts to the nonprogram files the user has most recently opened. + + +"This policy setting allows you to set the maximum number of shortcuts the system can display in the Recent Items menu on the Start menu. -If you enable this policy setting, the system displays the number of shortcuts specified by the policy setting. +The Recent Items menu contains shortcuts to the nonprogram files the user has most recently opened. -If you disable or do not configure this policy setting, by default, the system displays shortcuts to the 10 most recently opened documents. +- If you enable this policy setting, the system displays the number of shortcuts specified by the policy setting. - +- If you disable or do not configure this policy setting, by default, the system displays shortcuts to the 10 most recently opened documents." + + + + - -ADMX Info: -- GP Friendly name: *Maximum number of recent documents* -- GP name: *MaxRecentDocs* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_WindowsExplorer/NoBackButton** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | MaxRecentDocs | +| Friendly Name | Maximum number of recent documents | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | WindowsExplorer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoBackButton -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Hide the Back button in the Open dialog box. This policy setting lets you remove new features added in Microsoft Windows 2000 Professional, so the Open dialog box appears as it did in Windows NT 4.0 and earlier. This policy setting affects only programs that use the standard Open dialog box provided to developers of Windows programs. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoBackButton +``` + -If you enable this policy setting, the Back button is removed from the standard Open dialog box. + + +Hide the Back button in the Open dialog box. -If you disable or do not configure this policy setting, the Back button is displayed for any standard Open dialog box. To see an example of the standard Open dialog box, start Notepad and, on the File menu, click Open. +This policy setting lets you remove new features added in Microsoft Windows 2000 Professional, so the Open dialog box appears as it did in Windows NT 4.0 and earlier. This policy setting affects only programs that use the standard Open dialog box provided to developers of Windows programs. - +- If you enable this policy setting, the Back button is removed from the standard Open dialog box. +- If you disable or do not configure this policy setting, the Back button is displayed for any standard Open dialog box. - -ADMX Info: -- GP Friendly name: *Hide the common dialog back button* -- GP name: *NoBackButton* -- GP path: *Windows Components\File Explorer\Common Open File Dialog* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/NoCDBurning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC. - -If you enable this policy setting, all features in the File Explorer that allow you to use your CD writer are removed. - -If you disable or do not configure this policy setting, users are able to use the File Explorer CD burning features. +To see an example of the standard Open dialog box, start Notepad and, on the File menu, click Open. > [!NOTE] -> This policy setting does not prevent users from using third-party applications to create or modify CDs using a CD writer. +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. Also, third-party applications with Windows 2000 or later certification to are required to adhere to this policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove CD Burning features* -- GP name: *NoCDBurning* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoCacheThumbNailPictures** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoBackButton | +| Friendly Name | Hide the common dialog back button | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Common Open File Dialog | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32 | +| Registry Value Name | NoBackButton | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoCacheThumbNailPictures -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoCacheThumbNailPictures +``` + - - + + This policy setting allows you to turn off caching of thumbnail pictures. -If you enable this policy setting, thumbnail views aren't cached. +- If you enable this policy setting, thumbnail views are not cached. -If you disable or do not configure this policy setting, thumbnail views are cached. +- If you disable or do not configure this policy setting, thumbnail views are cached. > [!NOTE] > For shared corporate workstations or computers where security is a top concern, you should enable this policy setting to turn off the thumbnail view cache, because the thumbnail cache can be read by everyone. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off caching of thumbnail pictures* -- GP name: *NoCacheThumbNailPictures* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoChangeAnimation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoCacheThumbNailPictures | +| Friendly Name | Turn off caching of thumbnail pictures | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoThumbnailCache | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoCDBurning -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoCDBurning +``` + - - + + +This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC. + +- If you enable this policy setting, all features in the File Explorer that allow you to use your CD writer are removed. + +- If you disable or do not configure this policy setting, users are able to use the File Explorer CD burning features. + +> [!NOTE] +> This policy setting does not prevent users from using third-party applications to create or modify CDs using a CD writer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoCDBurning | +| Friendly Name | Remove CD Burning features | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoCDBurning | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## NoChangeAnimation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoChangeAnimation +``` + + + + This policy setting allows you to prevent users from enabling or disabling minor animations in the operating system for the movement of windows, menus, and lists. -If you enable this policy setting, the "Use transition effects for menus and tooltips" option in Display in Control Panel is disabled, and cannot be toggled by users. +- If you enable this policy setting, the "Use transition effects for menus and tooltips" option in Display in Control Panel is disabled, and cannot be toggled by users. Effects, such as animation, are designed to enhance the user's experience but might be confusing or distracting to some users. -If you disable or do not configure this policy setting, users are allowed to turn on or off these minor system animations using the "Use transition effects for menus and tooltips" option in Display in Control Panel. +- If you disable or do not configure this policy setting, users are allowed to turn on or off these minor system animations using the "Use transition effects for menus and tooltips" option in Display in Control Panel. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove UI to change menu animation setting* -- GP name: *NoChangeAnimation* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoChangeAnimation | +| Friendly Name | Remove UI to change menu animation setting | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoChangeAnimation | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoChangeKeyboardNavigationIndicators -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators +``` + - - -Disables the "Hide keyboard navigation indicators until I use the ALT key" option in Display in Control Panel. When this Display Properties option is selected, the underlining that indicates a keyboard shortcut character (hot key) does not appear on menus until you press ALT. + + +Disables the "Hide keyboard navigation indicators until I use the ALT key" option in Display in Control Panel. + +When this Display Properties option is selected, the underlining that indicates a keyboard shortcut character (hot key) does not appear on menus until you press ALT. Effects, such as transitory underlines, are designed to enhance the user's experience but might be confusing or distracting to some users. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove UI to change keyboard navigation indicator setting* -- GP name: *NoChangeKeyboardNavigationIndicators* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoDFSTab** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoChangeKeyboardNavigationIndicators | +| Friendly Name | Remove UI to change keyboard navigation indicator setting | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoChangeKeyboardNavigationIndicators | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoDFSTab -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoDFSTab +``` + - - + + This policy setting allows you to remove the DFS tab from File Explorer. -If you enable this policy setting, the DFS (Distributed File System) tab is removed from File Explorer and from other programs that use the File Explorer browser, such as My Computer. As a result, users cannot use this tab to view or change the properties of the DFS shares available from their computer. This policy setting does not prevent users from using other methods to configure DFS. +- If you enable this policy setting, the DFS (Distributed File System) tab is removed from File Explorer and from other programs that use the File Explorer browser, such as My Computer. As a result, users cannot use this tab to view or change the properties of the DFS shares available from their computer. -If you disable or do not configure this policy setting, the DFS tab is available. +This policy setting does not prevent users from using other methods to configure DFS. - +- If you disable or do not configure this policy setting, the DFS tab is available. + + + + - -ADMX Info: -- GP Friendly name: *Remove DFS tab* -- GP name: *NoDFSTab* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_WindowsExplorer/NoDrives** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoDFSTab | +| Friendly Name | Remove DFS tab | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoDFSTab | +| ADMX File Name | WindowsExplorer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoDrives -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoDrives +``` + + + + This policy setting allows you to hide these specified drives in My Computer. This policy setting allows you to remove the icons representing selected hard drives from My Computer and File Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box. -If you enable this policy setting, select a drive or combination of drives in the drop-down list. +- If you enable this policy setting, select a drive or combination of drives in the drop-down list. > [!NOTE] -> This policy setting removes the drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a command window. Also, this policy setting does not prevent users from using programs to access these drives or their contents. And, it does not prevent users from using the Disk Management snap-in to view and change drive characteristics. +> This policy setting removes the drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a command window. -If you disable or do not configure this policy setting, all drives are displayed, or select the "Do not restrict drives" option in the drop-down list. Also, see the "Prevent access to drives from My Computer" policy setting. +Also, this policy setting does not prevent users from using programs to access these drives or their contents. And, it does not prevent users from using the Disk Management snap-in to view and change drive characteristics. 
- +- If you disable or do not configure this policy setting, all drives are displayed, or select the "Do not restrict drives" option in the drop-down list. +Also, see the "Prevent access to drives from My Computer" policy setting. + - -ADMX Info: -- GP Friendly name: *Hide these specified drives in My Computer* -- GP name: *NoDrives* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_WindowsExplorer/NoEntireNetwork** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NoDrives | +| Friendly Name | Hide these specified drives in My Computer | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | WindowsExplorer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## NoEntireNetwork - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoEntireNetwork +``` + + + + Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Network Locations. -If you enable this setting, the system removes the Entire Network option and the icons representing networked computers from Network Locations and from the browser associated with the Map Network Drive option. +- If you enable this setting, the system removes the Entire Network option and the icons representing networked computers from Network Locations and from the browser associated with the Map Network Drive option. This setting does not prevent users from viewing or connecting to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other commonly used methods, such as by typing the share name in the Run dialog box or the Map Network Drive dialog box. @@ -2386,1388 +2784,1813 @@ To remove computers in the user's workgroup or domain from lists of network reso > [!NOTE] > It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *No Entire Network in Network Locations* -- GP name: *NoEntireNetwork* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoFileMRU** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoEntireNetwork | +| Friendly Name | No Entire Network in Network Locations | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Network | +| Registry Value Name | NoEntireNetwork | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoFileMenu -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoFileMenu +``` + - - -Removes the list of most recently used files from the Open dialog box. - -If you disable this setting or do not configure it, the "File name" field includes a drop-down list of recently used files. If you enable this setting, the "File name" field is a simple text box. Users must browse directories to find a file or type a file name in the text box. - -This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. - -To see an example of the standard Open dialog box, start WordPad and, on the **File** menu, click **Open**. - - - - -ADMX Info: -- GP Friendly name: *Hide the dropdown list of recent files* -- GP name: *NoFileMRU* -- GP path: *Windows Components\File Explorer\Common Open File Dialog* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/NoFileMenu** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + Removes the File menu from My Computer and File Explorer. This setting does not prevent users from using other methods to perform tasks available on the File menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove File menu from File Explorer* -- GP name: *NoFileMenu* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoFolderOptions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoFileMenu | +| Friendly Name | Remove File menu from File Explorer | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoFileMenu | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoFileMRU -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoFileMRU +``` + - - + + +Removes the list of most recently used files from the Open dialog box. + +- If you disable this setting or do not configure it, the "File name" field includes a drop-down list of recently used files. +- If you enable this setting, the "File name" field is a simple text box. Users must browse directories to find a file or type a file name in the text box. + +This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. + +To see an example of the standard Open dialog box, start Wordpad and, on the File menu, click Open. + +> [!NOTE] +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoFileMRU | +| Friendly Name | Hide the dropdown list of recent files | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Common Open File Dialog | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32 | +| Registry Value Name | NoFileMru | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## NoFolderOptions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoFolderOptions +``` + + + + This policy setting allows you to prevent users from accessing Folder Options through the View tab on the ribbon in File Explorer. Folder Options allows users to change the way files and folders open, what appears in the navigation pane, and other advanced view settings. -If you enable this policy setting, users will receive an error message if they tap or click the Options button or choose the Change folder and search options command, and they will not be able to open Folder Options. +- If you enable this policy setting, users will receive an error message if they tap or click the Options button or choose the Change folder and search options command, and they will not be able to open Folder Options. -If you disable or do not configure this policy setting, users can open Folder Options from the View tab on the ribbon. +- If you disable or do not configure this policy setting, users can open Folder Options from the View tab on the ribbon. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon* -- GP name: *NoFolderOptions* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoHardwareTab** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoFolderOptions | +| Friendly Name | Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoFolderOptions | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoHardwareTab -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoHardwareTab +``` + - - -Removes the Hardware tab. This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM drives. As a result, users cannot use the Hardware tab to view or change the device list or device properties, or use the Troubleshoot button to resolve problems with the device. + + +Removes the Hardware tab. - +This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM drives. As a result, users cannot use the Hardware tab to view or change the device list or device properties, or use the Troubleshoot button to resolve problems with the device. + + + + - -ADMX Info: -- GP Friendly name: *Remove Hardware tab* -- GP name: *NoHardwareTab* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_WindowsExplorer/NoManageMyComputerVerb** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoHardwareTab | +| Friendly Name | Remove Hardware tab | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoHardwareTab | +| ADMX File Name | WindowsExplorer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoManageMyComputerVerb -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoManageMyComputerVerb +``` + + + + Removes the Manage item from the File Explorer context menu. This context menu appears when you right-click File Explorer or My Computer. The Manage item opens Computer Management (Compmgmt.msc), a console tool that includes many of the primary Windows 2000 administrative tools, such as Event Viewer, Device Manager, and Disk Management. You must be an administrator to use many of the features of these tools. This setting does not remove the Computer Management item from the Start menu (Start, Programs, Administrative Tools, Computer Management), nor does it prevent users from using other methods to start Computer Management. -> [!NOTE] +> [!TIP] > To hide all context menus, use the "Remove File Explorer's default context menu" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hides the Manage item on the File Explorer context menu* -- GP name: *NoManageMyComputerVerb* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoMyComputerSharedDocuments** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoManageMyComputerVerb | +| Friendly Name | Hides the Manage item on the File Explorer context menu | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoManageMyComputerVerb | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoMyComputerSharedDocuments -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoMyComputerSharedDocuments +``` + - - -This policy setting allows you to remove the Shared Documents folder from My Computer. When a Windows client is in a workgroup, a Shared Documents icon appears in the File Explorer Web view under "Other Places" and also under "Files Stored on This Computer" in My Computer. Using this policy setting, you can choose not to have these items displayed. + + +This policy setting allows you to remove the Shared Documents folder from My Computer. + +When a Windows client is in a workgroup, a Shared Documents icon appears in the File Explorer Web view under "Other Places" and also under "Files Stored on This Computer" in My Computer. Using this policy setting, you can choose not to have these items displayed. - If you enable this policy setting, the Shared Documents folder is not displayed in the Web view or in My Computer. + - If you disable or do not configure this policy setting, the Shared Documents folder is displayed in Web view and also in My Computer when the client is part of a workgroup. +> [!NOTE] +> The ability to remove the Shared Documents folder via Group Policy is only available on Windows XP Professional. + - + + + - -ADMX Info: -- GP Friendly name: *Remove Shared Documents from My Computer* -- GP name: *NoMyComputerSharedDocuments* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_WindowsExplorer/NoNetConnectDisconnect** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoMyComputerSharedDocuments | +| Friendly Name | Remove Shared Documents from My Computer | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSharedDocuments | +| ADMX File Name | WindowsExplorer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoNetConnectDisconnect -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoNetConnectDisconnect +``` + + + + Prevents users from using File Explorer or Network Locations to map or disconnect network drives. -If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in File Explorer and Network Locations and from menus that appear when you right-click the **File Explorer** or **Network Locations** icons. +- If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in File Explorer and Network Locations and from menus that appear when you right-click the File Explorer or Network Locations icons. This setting does not prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box. > [!NOTE] -> This setting was documented incorrectly on the Explain tab in MDM Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. -> +> + +This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. + +> [!NOTE] > It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove "Map Network Drive" and "Disconnect Network Drive"* -- GP name: *NoNetConnectDisconnect* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoNewAppAlert** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoNetConnectDisconnect | +| Friendly Name | Remove "Map Network Drive" and "Disconnect Network Drive" | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoNetConnectDisconnect | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoNewAppAlert -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoNewAppAlert +``` + - - -This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:). + + +This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:) -If this MDM Policy is enabled, no notifications will be shown. If the MDM Policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed that can handle the file type or protocol association that was invoked. +If this group policy is enabled, no notifications will be shown. If the group policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed that can handle the file type or protocol association that was invoked. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not show the 'new application installed' notification* -- GP name: *NoNewAppAlert* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoPlacesBar** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoNewAppAlert | +| Friendly Name | Do not show the 'new application installed' notification | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoNewAppAlert | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoPlacesBar -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoPlacesBar +``` + - - -Removes the shortcut bar from the Open dialog box. This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. + + +Removes the shortcut bar from the Open dialog box. -To see an example of the standard Open dialog box, start WordPad and, on the **File** menu, click **Open**. +This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. - +To see an example of the standard Open dialog box, start Wordpad and, on the File menu, click Open. +> [!NOTE] +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + - -ADMX Info: -- GP Friendly name: *Hide the common dialog places bar* -- GP name: *NoPlacesBar* -- GP path: *Windows Components\File Explorer\Common Open File Dialog* -- GP ADMX file name: *WindowsExplorer.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_WindowsExplorer/NoRecycleFiles** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NoPlacesBar | +| Friendly Name | Hide the common dialog places bar | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Common Open File Dialog | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32 | +| Registry Value Name | NoPlacesBar | +| ADMX File Name | WindowsExplorer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## NoRecycleFiles - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoRecycleFiles +``` + + + + When a file or folder is deleted in File Explorer, a copy of the file or folder is placed in the Recycle Bin. Using this setting, you can change this behavior. -If you enable this setting, files and folders that are deleted using File Explorer will not be placed in the Recycle Bin and will therefore be permanently deleted. +- If you enable this setting, files and folders that are deleted using File Explorer will not be placed in the Recycle Bin and will therefore be permanently deleted. -If you disable or do not configure this setting, files and folders deleted using File Explorer will be placed in the Recycle Bin. +- If you disable or do not configure this setting, files and folders deleted using File Explorer will be placed in the Recycle Bin. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not move deleted files to the Recycle Bin* -- GP name: *NoRecycleFiles* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoRunAsInstallPrompt** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoRecycleFiles | +| Friendly Name | Do not move deleted files to the Recycle Bin | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoRecycleFiles | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoRunAsInstallPrompt -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoRunAsInstallPrompt +``` + - - + + Prevents users from submitting alternate logon credentials to install a program. -This setting suppresses the "Install Program As Other User" dialog box for local and network installations. This dialog box, which prompts the current user for the user name and password of an administrator, appears when users who aren't administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. +This setting suppresses the "Install Program As Other User" dialog box for local and network installations. This dialog box, which prompts the current user for the user name and password of an administrator, appears when users who are not administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. -Many programs can be installed only by an administrator. If you enable this setting and a user does not have sufficient permissions to install a program, the installation continues with the current user's logon credentials. As a result, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly. +Many programs can be installed only by an administrator. +- If you enable this setting and a user does not have sufficient permissions to install a program, the installation continues with the current user's logon credentials. As a result, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly. 
-If you disable this setting or do not configure it, the "Install Program As Other User" dialog box appears whenever users install programs locally on the computer. +- If you disable this setting or do not configure it, the "Install Program As Other User" dialog box appears whenever users install programs locally on the computer. -By default, users aren't prompted for alternate logon credentials when installing programs from a network share. If enabled, this setting overrides the "Request credentials for network installations" setting. +By default, users are not prompted for alternate logon credentials when installing programs from a network share. If enabled, this setting overrides the "Request credentials for network installations" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not request alternate credentials* -- GP name: *NoRunAsInstallPrompt* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoSearchInternetTryHarderButton** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoRunAsInstallPrompt | +| Friendly Name | Do not request alternate credentials | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoRunasInstallPrompt | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoSearchInternetTryHarderButton -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoSearchInternetTryHarderButton +``` + - - -If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer window. + + +- If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer window. -If you disable this policy, there will be an "Internet" "Search again" link when the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms. +- If you disable this policy, there will be an "Internet" "Search again" link when the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms. -If you do not configure this policy (default), there will be an "Internet" link when the user performs a search in the Explorer window. +- If you do not configure this policy (default), there will be an "Internet" link when the user performs a search in the Explorer window. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove the Search the Internet "Search again" link* -- GP name: *NoSearchInternetTryHarderButton* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoSecurityTab** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoSearchInternetTryHarderButton | +| Friendly Name | Remove the Search the Internet "Search again" link | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoSearchInternetTryHarderButton | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoSecurityTab -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoSecurityTab +``` + - - + + Removes the Security tab from File Explorer. -If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neither change the security settings nor view a list of all users that have access to the resource in question. +- If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neither change the security settings nor view a list of all users that have access to the resource in question. -If you disable or do not configure this setting, users will be able to access the security tab. +- If you disable or do not configure this setting, users will be able to access the security tab. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Security tab* -- GP name: *NoSecurityTab* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoShellSearchButton** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoSecurityTab | +| Friendly Name | Remove Security tab | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSecurityTab | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoShellSearchButton -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoShellSearchButton +``` + - - -This policy setting allows you to remove the Search button from the File Explorer toolbar. If you enable this policy setting, the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs that use the File Explorer window, such as My Computer and Network Locations. Enabling this policy setting does not remove the Search button or affect any search features of Internet browser windows, such as the Internet Explorer window. + + +This policy setting allows you to remove the Search button from the File Explorer toolbar. -If you disable or do not configure this policy setting, the Search button is available from the File Explorer toolbar. +- If you enable this policy setting, the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs that use the File Explorer window, such as My Computer and Network Locations. + +Enabling this policy setting does not remove the Search button or affect any search features of Internet browser windows, such as the Internet Explorer window. + +- If you disable or do not configure this policy setting, the Search button is available from the File Explorer toolbar. This policy setting does not affect the Search items on the File Explorer context menu or on the Start menu. To remove Search from the Start menu, use the "Remove Search menu from Start menu" policy setting (in User Configuration\Administrative Templates\Start Menu and Taskbar). To hide all context menus, use the "Remove File Explorer's default context menu" policy setting. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Search button from File Explorer* -- GP name: *NoShellSearchButton* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoStrCmpLogical** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoShellSearchButton | +| Friendly Name | Remove Search button from File Explorer | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoShellSearchButton | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoStrCmpLogical -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoStrCmpLogical +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoStrCmpLogical +``` + + + + This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. +- If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3). +- If you disable or do not configure this policy setting, File Explorer will sort file names by increasing number value (for example, 3 < 22 < 111). + -If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3). + + + -If you disable or do not configure this policy setting, File Explorer will sort file names by increasing number value (for example, 3 < 22 < 111). + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Turn off numerical sorting in File Explorer* -- GP name: *NoStrCmpLogical* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | NoStrCmpLogical | +| Friendly Name | Turn off numerical sorting in File Explorer | +| Location | Computer and User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStrCmpLogical | +| ADMX File Name | WindowsExplorer.admx | + - -**ADMX_WindowsExplorer/NoViewContextMenu** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## NoViewContextMenu - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoViewContextMenu +``` + -> [!div class = "checklist"] -> * User - -
    - - - + + Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item. -If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in File Explorer. This setting does not prevent users from using other methods to issue commands available on the shortcut menus. +- If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in File Explorer. This setting does not prevent users from using other methods to issue commands available on the shortcut menus. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove File Explorer's default context menu* -- GP name: *NoViewContextMenu* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/NoViewOnDrive** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoViewContextMenu | +| Friendly Name | Remove File Explorer's default context menu | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoViewContextMenu | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoViewOnDrive -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoViewOnDrive +``` + - - + + Prevents users from using My Computer to gain access to the content of selected drives. -If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents (open the files in the folders or see the files in the folders). Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. +- If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list. > [!NOTE] > The icons representing the specified drives still appear in My Computer, but if users double-click the icons, a message appears explaining that a setting prevents the action. -> -> Also, this setting does not prevent users from using programs to access local and network drives. And, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics. Also, see the "Hide these specified drives in My Computer" setting. - +Also, this setting does not prevent users from using programs to access local and network drives. And, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics. +Also, see the "Hide these specified drives in My Computer" setting. 
+ - -ADMX Info: -- GP Friendly name: *Prevent access to drives from My Computer* -- GP name: *NoViewOnDrive* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_WindowsExplorer/NoWindowsHotKeys** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NoViewOnDrive | +| Friendly Name | Prevent access to drives from My Computer | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | WindowsExplorer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## NoWindowsHotKeys - - -Turn off Windows Key hotkeys. Keyboards with a Windows key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Explorer. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -By using this setting, you can disable these Windows Key hotkeys. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoWindowsHotKeys +``` + -If you enable this setting, the Windows Key hotkeys are unavailable. + + +Turn off Windows Key hotkeys. -If you disable or do not configure this setting, the Windows Key hotkeys are available. +Keyboards with a Windows key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Explorer. By using this setting, you can disable these Windows Key hotkeys. - +- If you enable this setting, the Windows Key hotkeys are unavailable. +- If you disable or do not configure this setting, the Windows Key hotkeys are available. + - -ADMX Info: -- GP Friendly name: *Turn off Windows Key hotkeys* -- GP name: *NoWindowsHotKeys* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_WindowsExplorer/NoWorkgroupContents** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NoWindowsHotKeys | +| Friendly Name | Turn off Windows Key hotkeys | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoWinKeys | +| ADMX File Name | WindowsExplorer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## NoWorkgroupContents - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoWorkgroupContents +``` + + + + This policy setting allows you to remove computers in the user's workgroup and domain from lists of network resources in File Explorer and Network Locations. -If you enable this policy setting, the system removes the "Computers Near Me" option and the icons representing nearby computers from Network Locations. This policy setting also removes these icons from the Map Network Drive browser. +- If you enable this policy setting, the system removes the "Computers Near Me" option and the icons representing nearby computers from Network Locations. This policy setting also removes these icons from the Map Network Drive browser. -If you disable or do not configure this policy setting, computers in the user's workgroup and domain appear in lists of network resources in File Explorer and Network Locations. +- If you disable or do not configure this policy setting, computers in the user's workgroup and domain appear in lists of network resources in File Explorer and Network Locations. This policy setting does not prevent users from connecting to computers in their workgroup or domain by other commonly used methods, such as typing the share name in the Run dialog box or the Map Network Drive dialog box. To remove network computers from lists of network resources, use the "No Entire Network in Network Locations" policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *No Computers Near Me in Network Locations* -- GP name: *NoWorkgroupContents* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/PlacesBar** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoWorkgroupContents | +| Friendly Name | No Computers Near Me in Network Locations | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoComputersNearMe | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PlacesBar -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/PlacesBar +``` + - - + + Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar. The valid items you may display in the Places Bar are: -1. Shortcuts to a local folders -- (example: `C:\Windows`) -2. Shortcuts to remote folders -- (`\\server\share`) -3. FTP folders -4. web folders -5. Common Shell folders. +1) Shortcuts to a local folders -- (ex. C:\Windows) + +2) Shortcuts to remote folders -- (\\server\share) + +3) FTP folders + +4) web folders + +5) Common Shell folders. The list of Common Shell Folders that may be specified: -Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachments, and Saved Searches. +Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachments and Saved Searches. -If you disable or do not configure this setting the default list of items will be displayed in the Places Bar. +- If you disable or do not configure this setting the default list of items will be displayed in the Places Bar. +> [!NOTE] +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Items displayed in Places Bar* -- GP name: *PlacesBar* -- GP path: *Windows Components\File Explorer\Common Open File Dialog* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/PromptRunasInstallNetPath** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PlacesBar | +| Friendly Name | Items displayed in Places Bar | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Common Open File Dialog | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PromptRunasInstallNetPath -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/PromptRunasInstallNetPath +``` + - - + + Prompts users for alternate logon credentials during network-based installations. This setting displays the "Install Program As Other User" dialog box even when a program is being installed from files on a network computer across a local area network connection. -If you disable this setting or do not configure it, this dialog box appears only when users are installing programs from local media. +- If you disable this setting or do not configure it, this dialog box appears only when users are installing programs from local media. The "Install Program as Other User" dialog box prompts the current user for the user name and password of an administrator. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. -If the dialog box does not appear, the installation proceeds with the current user's permissions. If these permissions aren't sufficient, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly. +If the dialog box does not appear, the installation proceeds with the current user's permissions. If these permissions are not sufficient, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly. > [!NOTE] -> If it is enabled, the "Do not request alternate credentials" setting takes precedence over this setting. When that setting is enabled, users aren't prompted for alternate logon credentials on any installation. +> If it is enabled, the "Do not request alternate credentials" setting takes precedence over this setting. 
When that setting is enabled, users are not prompted for alternate logon credentials on any installation. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Request credentials for network installations* -- GP name: *PromptRunasInstallNetPath* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/RecycleBinSize** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PromptRunasInstallNetPath | +| Friendly Name | Request credentials for network installations | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | PromptRunasInstallNetPath | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RecycleBinSize -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/RecycleBinSize +``` + - - + + Limits the percentage of a volume's disk space that can be used to store deleted files. -If you enable this setting, the user has a maximum amount of disk space that may be used for the Recycle Bin on their workstation. +- If you enable this setting, the user has a maximum amount of disk space that may be used for the Recycle Bin on their workstation. -If you disable or do not configure this setting, users can change the total amount of disk space used by the Recycle Bin. +- If you disable or do not configure this setting, users can change the total amount of disk space used by the Recycle Bin. > [!NOTE] > This setting is applied to all volumes. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Maximum allowed Recycle Bin size* -- GP name: *RecycleBinSize* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RecycleBinSize | +| Friendly Name | Maximum allowed Recycle Bin size | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShellProtocolProtectedModeTitle_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1 +``` + - - -This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications aren't able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. + + +This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. -If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. +- If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. -If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. +- If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. -If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. +- If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off shell protocol protected mode* -- GP name: *ShellProtocolProtectedModeTitle_1* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShellProtocolProtectedModeTitle_1 | +| Friendly Name | Turn off shell protocol protected mode | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | PreXPSP2ShellProtocolBehavior | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShellProtocolProtectedModeTitle_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2 +``` + - - -This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications aren't able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. + + +This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. -If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. +- If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. -If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. +- If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. -If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. +- If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off shell protocol protected mode* -- GP name: *ShellProtocolProtectedModeTitle_2* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/ShowHibernateOption** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShellProtocolProtectedModeTitle_2 | +| Friendly Name | Turn off shell protocol protected mode | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | PreXPSP2ShellProtocolBehavior | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShowHibernateOption -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ShowHibernateOption +``` + - - + + Shows or hides hibernate from the power options menu. -If you enable this policy setting, the hibernate option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). +- If you enable this policy setting, the hibernate option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). -If you disable this policy setting, the hibernate option will never be shown in the Power Options menu. +- If you disable this policy setting, the hibernate option will never be shown in the Power Options menu. -If you do not configure this policy setting, users will be able to choose whether they want hibernate to show through the Power Options Control Panel. +- If you do not configure this policy setting, users will be able to choose whether they want hibernate to show through the Power Options Control Panel. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Show hibernate in the power options menu* -- GP name: *ShowHibernateOption* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/ShowSleepOption** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShowHibernateOption | +| Friendly Name | Show hibernate in the power options menu | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowHibernateOption | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShowSleepOption -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ShowSleepOption +``` + - - + + Shows or hides sleep from the power options menu. -If you enable this policy setting, the sleep option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). +- If you enable this policy setting, the sleep option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). -If you disable this policy setting, the sleep option will never be shown in the Power Options menu. +- If you disable this policy setting, the sleep option will never be shown in the Power Options menu. -If you do not configure this policy setting, users will be able to choose whether they want sleep to show through the Power Options Control Panel. +- If you do not configure this policy setting, users will be able to choose whether they want sleep to show through the Power Options Control Panel. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Show sleep in the power options menu* -- GP name: *ShowSleepOption* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/TryHarderPinnedLibrary** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShowSleepOption | +| Friendly Name | Show sleep in the power options menu | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowSleepOption | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TryHarderPinnedLibrary -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/TryHarderPinnedLibrary +``` + - - -This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the .Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified .Library-ms or .searchConnector-ms file. + + +This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the . Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary. Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified . Library-ms or .searchConnector-ms file. You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. -The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. 
The "See more results" link will be pinned first by default, unless it is disabled via MDM Policy. The "Search the Internet" link is pinned second, if it is pinned via MDM Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" MDM Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Search Connectors/Libraries and pinned Internet/intranet search links. Search Connector/Library links take precedence over Internet/intranet search links. +The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Search Connectors/Libraries and pinned Internet/intranet search links. Search Connector/Library links take precedence over Internet/intranet search links. -If you enable this policy setting, the specified Libraries or Search Connectors will appear in the "Search again" links and the Start menu links. +- If you enable this policy setting, the specified Libraries or Search Connectors will appear in the "Search again" links and the Start menu links. -If you disable or do not configure this policy setting, no Libraries or Search Connectors will appear in the "Search again" links or the Start menu links. +- If you disable or do not configure this policy setting, no Libraries or Search Connectors will appear in the "Search again" links or the Start menu links. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Pin Libraries or Search Connectors to the "Search again" links and the Start menu* -- GP name: *TryHarderPinnedLibrary* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsExplorer/TryHarderPinnedOpenSearch** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TryHarderPinnedLibrary | +| Friendly Name | Pin Libraries or Search Connectors to the "Search again" links and the Start menu | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | TryHarderPinnedLibrary | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TryHarderPinnedOpenSearch -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/TryHarderPinnedOpenSearch +``` + - - + + This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, `https://www.example.com/results.aspx?q={searchTerms}`). You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. -The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via MDM Policy. The "Search the Internet" link is pinned second, if it is pinned via MDM Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" MDM Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Internet/intranet links and pinned Search Connectors/Libraries. Search Connector/Library links take precedence over Internet/intranet search links. +The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. 
The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Internet/intranet links and pinned Search Connectors/Libraries. Search Connector/Library links take precedence over Internet/intranet search links. -If you enable this policy setting, the specified Internet sites will appear in the "Search again" links and the Start menu links. +- If you enable this policy setting, the specified Internet sites will appear in the "Search again" links and the Start menu links. -If you disable or do not configure this policy setting, no custom Internet search sites will be added to the "Search again" links or the Start menu links. +- If you disable or do not configure this policy setting, no custom Internet search sites will be added to the "Search again" links or the Start menu links. + - + + + + +**Description framework properties**: - -ADMX Info: ] -- GP Friendly name: *Pin Internet search sites to the "Search again" links and the Start menu* -- GP name: *TryHarderPinnedOpenSearch* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | TryHarderPinnedOpenSearch | +| Friendly Name | Pin Internet search sites to the "Search again" links and the Start menu | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | TryHarderPinnedOpenSearch | +| ADMX File Name | WindowsExplorer.admx | + - + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md index 4528596266..66dc23c872 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md 
@@ -1,89 +1,98 @@ --- -title: Policy CSP - ADMX_WindowsMediaDRM -description: Policy CSP - ADMX_WindowsMediaDRM +title: ADMX_WindowsMediaDRM Policy CSP +description: Learn more about the ADMX_WindowsMediaDRM Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WindowsMediaDRM + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_WindowsMediaDRM policies + +## DisableOnline -
    -
    - ADMX_WindowsMediaDRM/DisableOnline -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaDRM/DisableOnline +``` + -
    - - -**ADMX_WindowsMediaDRM/DisableOnline** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). + + +Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades. -When this policy is enabled, programs are not able to acquire licenses for secure content, upgrade Windows Media DRM security components, or restore backed up content licenses. Secure content that is already licensed to the local computer will continue to play. Users are also able to protect music that they copy from a CD and play this protected content on their computer, since the license is generated locally in this scenario. +When this policy is enabled, programs are not able to acquire licenses for secure content, upgrade Windows Media DRM security components, or restore backed up content licenses. Secure content that is already licensed to the local computer will continue to play. Users are also able to protect music that they copy from a CD and play this protected content on their computer, since the license is generated locally in this scenario. When this policy is either disabled or not configured, Windows Media DRM functions normally and will connect to the Internet (or intranet) to acquire licenses, download security upgrades, and perform license restoration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent Windows Media DRM Internet Access* -- GP name: *DisableOnline* -- GP path: *Windows Components\Windows Media Digital Rights Management* -- GP ADMX file name: *WindowsMediaDRM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | DisableOnline | +| Friendly Name | Prevent Windows Media DRM Internet Access | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Digital Rights Management | +| Registry Key Name | Software\Policies\Microsoft\WMDRM | +| Registry Value Name | DisableOnline | +| ADMX File Name | windowsmediadrm.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md index 30ea67c939..7644cbac0e 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md 
@@ -1,129 +1,50 @@ --- -title: Policy CSP - ADMX_WindowsMediaPlayer -description: Policy CSP - ADMX_WindowsMediaPlayer +title: ADMX_WindowsMediaPlayer Policy CSP +description: Learn more about the ADMX_WindowsMediaPlayer Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WindowsMediaPlayer + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_WindowsMediaPlayer policies + +## ConfigureHTTPProxySettings -
    -
    - ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings -
    -
    - ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings -
    -
    - ADMX_WindowsMediaPlayer/ConfigureRTSPProxySettings -
    -
    - ADMX_WindowsMediaPlayer/DisableAutoUpdate -
    -
    - ADMX_WindowsMediaPlayer/DisableNetworkSettings -
    -
    - ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration -
    -
    - ADMX_WindowsMediaPlayer/DoNotShowAnchor -
    -
    - ADMX_WindowsMediaPlayer/DontUseFrameInterpolation -
    -
    - ADMX_WindowsMediaPlayer/EnableScreenSaver -
    -
    - ADMX_WindowsMediaPlayer/HidePrivacyTab -
    -
    - ADMX_WindowsMediaPlayer/HideSecurityTab -
    -
    - ADMX_WindowsMediaPlayer/NetworkBuffering -
    -
    - ADMX_WindowsMediaPlayer/PolicyCodecUpdate -
    -
    - ADMX_WindowsMediaPlayer/PreventCDDVDMetadataRetrieval -
    -
    - ADMX_WindowsMediaPlayer/PreventLibrarySharing -
    -
    - ADMX_WindowsMediaPlayer/PreventMusicFileMetadataRetrieval -
    -
    - ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut -
    -
    - ADMX_WindowsMediaPlayer/PreventRadioPresetsRetrieval -
    -
    - ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut -
    -
    - ADMX_WindowsMediaPlayer/SkinLockDown -
    -
    - ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings +``` + -
    - - -**ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. -If you enable this policy setting, select one of the following proxy types: +- If you enable this policy setting, select one of the following proxy types: - Autodetect: the proxy settings are automatically detected. - Custom: unique proxy settings are used. 
@@ -131,1018 +52,1306 @@ If you enable this policy setting, select one of the following proxy types: If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified because no default settings are used for the proxy. The options are ignored if Autodetect or Browser is selected. -The Configure button on the Network tab in the Player isn't available for the HTTP protocol and the proxy can't be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. +The Configure button on the Network tab in the Player is not available for the HTTP protocol and the proxy cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. -This policy is ignored if the "Streaming media protocols" policy setting is enabled and HTTP isn't selected. +This policy is ignored if the "Streaming media protocols" policy setting is enabled and HTTP is not selected. -If you disable this policy setting, the HTTP proxy server can't be used and the user can't configure the HTTP proxy. +- If you disable this policy setting, the HTTP proxy server cannot be used and the user cannot configure the HTTP proxy. -If you don't configure this policy setting, users can configure the HTTP proxy settings. +- If you do not configure this policy setting, users can configure the HTTP proxy settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure HTTP Proxy* -- GP name: *ConfigureHTTPProxySettings* -- GP path: *Windows Components\Windows Media Player\Networking* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ConfigureHTTPProxySettings | +| Friendly Name | Configure HTTP Proxy | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Networking | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\HTTP | +| Registry Value Name | ProxyPolicy | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ConfigureMMSProxySettings -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings +``` + - - + + This policy setting allows you to specify the MMS proxy settings for Windows Media Player. -If you enable this policy setting, select one of the following proxy types: +- If you enable this policy setting, select one of the following proxy types: - Autodetect: the proxy settings are automatically detected. - Custom: unique proxy settings are used. If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified; otherwise, the default settings are used. The options are ignored if Autodetect is selected. -The Configure button on the Network tab in the Player isn't available and the protocol can't be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. +The Configure button on the Network tab in the Player is not available and the protocol cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. -This policy setting is ignored if the "Streaming media protocols" policy setting is enabled and Multicast isn't selected. +This policy setting is ignored if the "Streaming media protocols" policy setting is enabled and Multicast is not selected. -If you disable this policy setting, the MMS proxy server can't be used and users can't configure the MMS proxy settings. +- If you disable this policy setting, the MMS proxy server cannot be used and users cannot configure the MMS proxy settings. -If you don't configure this policy setting, users can configure the MMS proxy settings. +- If you do not configure this policy setting, users can configure the MMS proxy settings. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure MMS Proxy* -- GP name: *ConfigureMMSProxySettings* -- GP path: *Windows Components\Windows Media Player\Networking* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/ConfigureRTSPProxySettings** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ConfigureMMSProxySettings | +| Friendly Name | Configure MMS Proxy | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Networking | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\MMS | +| Registry Value Name | ProxyPolicy | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ConfigureRTSPProxySettings -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/ConfigureRTSPProxySettings +``` + - - + + This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. -If you enable this policy setting, select one of the following proxy types: +- If you enable this policy setting, select one of the following proxy types: - Autodetect: the proxy settings are automatically detected. - Custom: unique proxy settings are used. If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified; otherwise, the default settings are used. The options are ignored if Autodetect is selected. -The Configure button on the Network tab in the Player isn't available and the protocol can't be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. +The Configure button on the Network tab in the Player is not available and the protocol cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. -If you disable this policy setting, the RTSP proxy server can't be used and users can't change the RTSP proxy settings. +- If you disable this policy setting, the RTSP proxy server cannot be used and users cannot change the RTSP proxy settings. -If you don't configure this policy setting, users can configure the RTSP proxy settings. +- If you do not configure this policy setting, users can configure the RTSP proxy settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure RTSP Proxy* -- GP name: *ConfigureRTSPProxySettings* -- GP path: *Windows Components\Windows Media Player\Networking* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/DisableAutoUpdate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ConfigureRTSPProxySettings | +| Friendly Name | Configure RTSP Proxy | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Networking | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\RTSP | +| Registry Value Name | ProxyPolicy | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableAutoUpdate -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DisableAutoUpdate +``` + - - + + This policy setting allows you to turn off do not show first use dialog boxes. -If you enable this policy setting, the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows Media Player. +- If you enable this policy setting, the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows Media Player. -This policy setting prevents the dialog boxes that allow users to select privacy, file types, and other desktop options from being displayed when the Player is first started. Some of the options can be configured by using other Windows Media Player group policies. +This policy setting prevents the dialog boxes which allow users to select privacy, file types, and other desktop options from being displayed when the Player is first started. Some of the options can be configured by using other Windows Media Player group policies. +- If you disable or do not configure this policy setting, the dialog boxes are displayed when the user starts the Player for the first time. + -If you disable or don't configure this policy setting, the dialog boxes are displayed when the user starts the Player for the first time. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Prevent Automatic Updates* -- GP name: *DisableAutoUpdate* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_WindowsMediaPlayer/DisableNetworkSettings** +| Name | Value | +|:--|:--| +| Name | DisableAutoUpdate | +| Friendly Name | Prevent Automatic Updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | DisableAutoUpdate | +| ADMX File Name | windowsmediaplayer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableNetworkSettings - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DisableNetworkSettings +``` + -
    - - - + + This policy setting allows you to hide the Network tab. -If you enable this policy setting, the Network tab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for the Player. +- If you enable this policy setting, the Network tab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for the Player. -If you disable or don't configure this policy setting, the Network tab appears and users can use it to configure network settings. +- If you disable or do not configure this policy setting, the Network tab appears and users can use it to configure network settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide Network Tab* -- GP name: *DisableNetworkSettings* -- GP path: *Windows Components\Windows Media Player\Networking* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableNetworkSettings | +| Friendly Name | Hide Network Tab | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Networking | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | HideNetworkTab | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableSetupFirstUseConfiguration -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration +``` + - - + + This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. -If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays isn't available. +- If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. -If you disable or don't configure this policy setting, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player. +- If you disable or do not configure this policy setting, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player. -If you don't configure this policy setting, and the "Set and lock skin" policy setting is enabled, some options in the anchor window aren't available. +- If you do not configure this policy setting, and the "Set and lock skin" policy setting is enabled, some options in the anchor window are not available. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do Not Show First Use Dialog Boxes* -- GP name: *DisableSetupFirstUseConfiguration* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/DoNotShowAnchor** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableSetupFirstUseConfiguration | +| Friendly Name | Do Not Show First Use Dialog Boxes | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | GroupPrivacyAcceptance | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotShowAnchor -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DoNotShowAnchor +``` + - - -This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode. + + +Prevents the anchor window from being displayed when Windows Media Player is in skin mode. -This policy hides the anchor window when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays isn't available. +This policy hides the anchor window when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. -When this policy isn't configured or disabled, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player. +When this policy is not configured or disabled, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player. -When this policy isn't configured and the Set and Lock Skin policy is enabled, some options in the anchor window aren't available. +When this policy is not configured and the Set and Lock Skin policy is enabled, some options in the anchor window are not available. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do Not Show Anchor* -- GP name: *DoNotShowAnchor* -- GP path: *Windows Components\Windows Media Player\User Interface* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/DontUseFrameInterpolation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DoNotShowAnchor | +| Friendly Name | Do Not Show Anchor | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > User Interface | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | DoNotShowAnchor | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DontUseFrameInterpolation -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DontUseFrameInterpolation +``` + - - + + This policy setting allows you to prevent video smoothing from occurring. -If you enable this policy setting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and isn't available. +- If you enable this policy setting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not available. -If you disable this policy setting, video smoothing occurs if necessary, and the Use Video Smoothing check box is selected and isn't available. +- If you disable this policy setting, video smoothing occurs if necessary, and the Use Video Smoothing check box is selected and is not available. -If you don't configure this policy setting, video smoothing occurs if necessary. Users can change the setting for the Use Video Smoothing check box. +- If you do not configure this policy setting, video smoothing occurs if necessary. Users can change the setting for the Use Video Smoothing check box. Video smoothing is available only on the Windows XP Home Edition and Windows XP Professional operating systems. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent Video Smoothing* -- GP name: *DontUseFrameInterpolation* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/EnableScreenSaver** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DontUseFrameInterpolation | +| Friendly Name | Prevent Video Smoothing | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | DontUseFrameInterpolation | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableScreenSaver -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/EnableScreenSaver +``` + - - + + This policy setting allows a screen saver to interrupt playback. -If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player is selected and isn't available. +- If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player is selected and is not available. -If you disable this policy setting, a screen saver doesn't interrupt playback even if users have selected a screen saver. The Allow screen saver during playback check box is cleared and isn't available. +- If you disable this policy setting, a screen saver does not interrupt playback even if users have selected a screen saver. The Allow screen saver during playback check box is cleared and is not available. -If you don't configure this policy setting, users can change the setting for the Allow screen saver during playback check box. +- If you do not configure this policy setting, users can change the setting for the Allow screen saver during playback check box. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow Screen Saver* -- GP name: *EnableScreenSaver* -- GP path: *Windows Components\Windows Media Player\Playback* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/HidePrivacyTab** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableScreenSaver | +| Friendly Name | Allow Screen Saver | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Playback | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | EnableScreenSaver | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HidePrivacyTab -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/HidePrivacyTab +``` + - - + + This policy setting allows you to hide the Privacy tab in Windows Media Player. -If you enable this policy setting, the "Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet" check box on the Media Library tab is available, even though the Privacy tab is hidden, unless the "Prevent music file media information retrieval" policy setting is enabled. +- If you enable this policy setting, the "Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet" check box on the Media Library tab is available, even though the Privacy tab is hidden, unless the "Prevent music file media information retrieval" policy setting is enabled. The default privacy settings are used for the options on the Privacy tab unless the user changed the settings previously. -If you disable or don't configure this policy setting, the Privacy tab isn't hidden, and users can configure any privacy settings not configured by other policies. +- If you disable or do not configure this policy setting, the Privacy tab is not hidden, and users can configure any privacy settings not configured by other polices. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent Automatic Updates* -- GP name: *HidePrivacyTab* -- GP path: *Windows Components\Windows Media Player\User Interface* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/HideSecurityTab** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HidePrivacyTab | +| Friendly Name | Hide Privacy Tab | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > User Interface | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | HidePrivacyTab | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HideSecurityTab -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/HideSecurityTab +``` + - - + + This policy setting allows you to hide the Security tab in Windows Media Player. -If you enable this policy setting, the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users can still change security and zone settings by using Internet Explorer unless these settings have been hidden or disabled by Internet Explorer policies. +- If you enable this policy setting, the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users can still change security and zone settings by using Internet Explorer unless these settings have been hidden or disabled by Internet Explorer policies. -If you disable or don't configure this policy setting, users can configure the security settings on the Security tab. +- If you disable or do not configure this policy setting, users can configure the security settings on the Security tab. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide Security Tab* -- GP name: *HideSecurityTab* -- GP path: *Windows Components\Windows Media Player\User Interface* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/NetworkBuffering** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HideSecurityTab | +| Friendly Name | Hide Security Tab | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > User Interface | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | HideSecurityTab | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NetworkBuffering -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/NetworkBuffering +``` + - - + + This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. -If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it's played. +- If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it is played. - Custom: the number of seconds, up to 60, that streaming media is buffered. - Default: default network buffering is used and the number of seconds that is specified is ignored. -The "Use default buffering" and "Buffer" options on the Performance tab in the Player aren't available. +The "Use default buffering" and "Buffer" options on the Performance tab in the Player are not available. -If you disable or don't configure this policy setting, users can change the buffering options on the Performance tab. +- If you disable or do not configure this policy setting, users can change the buffering options on the Performance tab. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Network Buffering* -- GP name: *NetworkBuffering* -- GP path: *Windows Components\Windows Media Player\Networking* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/PolicyCodecUpdate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NetworkBuffering | +| Friendly Name | Configure Network Buffering | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Networking | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | NetworkBufferingPolicy | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PolicyCodecUpdate -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PolicyCodecUpdate +``` + - - + + This policy setting allows you to prevent Windows Media Player from downloading codecs. -If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player isn't available. +- If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available. -If you disable this policy setting, codecs are automatically downloaded and the Download codecs automatically check box isn't available. +- If you disable this policy setting, codecs are automatically downloaded and the Download codecs automatically check box is not available. -If you don't configure this policy setting, users can change the setting for the Download codecs automatically check box. +- If you do not configure this policy setting, users can change the setting for the Download codecs automatically check box. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent Codec Download* -- GP name: *PolicyCodecUpdate* -- GP path: *Windows Components\Windows Media Player\Playback* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/PreventCDDVDMetadataRetrieval** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PolicyCodecUpdate | +| Friendly Name | Prevent Codec Download | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Playback | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | PreventCodecDownload | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PreventCDDVDMetadataRetrieval -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventCDDVDMetadataRetrieval +``` + - - + + This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. -If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player aren't selected and aren't available. +- If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player are not selected and are not available. -If you disable or don't configure this policy setting, users can change the setting of the Retrieve media information for CDs and DVDs from the Internet check box. +- If you disable or do not configure this policy setting, users can change the setting of the Retrieve media information for CDs and DVDs from the Internet check box. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent CD and DVD Media Information Retrieval* -- GP name: *PreventCDDVDMetadataRetrieval* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/PreventLibrarySharing** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PreventCDDVDMetadataRetrieval | +| Friendly Name | Prevent CD and DVD Media Information Retrieval | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | PreventCDDVDMetadataRetrieval | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PreventLibrarySharing -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventLibrarySharing +``` + - - + + This policy setting allows you to prevent media sharing from Windows Media Player. -If you enable this policy setting, any user on this computer is prevented from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or from programs that depend on the Player's media sharing feature. +- If you enable this policy setting, any user on this computer is prevented from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or from programs that depend on the Player's media sharing feature. -If you disable or don't configure this policy setting, anyone using Windows Media Player can turn media sharing on or off. +- If you disable or do not configure this policy setting, anyone using Windows Media Player can turn media sharing on or off. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent Media Sharing* -- GP name: *PreventLibrarySharing* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/PreventMusicFileMetadataRetrieval** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PreventLibrarySharing | +| Friendly Name | Prevent Media Sharing | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | PreventLibrarySharing | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PreventMusicFileMetadataRetrieval -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventMusicFileMetadataRetrieval +``` + - - + + This policy setting allows you to prevent media information for music files from being retrieved from the Internet. -If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player aren't selected and aren't available. +- If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available. -If you disable or don't configure this policy setting, users can change the setting of the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box. +- If you disable or do not configure this policy setting, users can change the setting of the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent Music File Media Information Retrieval* -- GP name: *PreventMusicFileMetadataRetrieval* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PreventMusicFileMetadataRetrieval | +| Friendly Name | Prevent Music File Media Information Retrieval | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | PreventMusicFileMetadataRetrieval | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PreventQuickLaunchShortcut -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut +``` + - - + + This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. -If you enable this policy setting, the user can't add the shortcut for the Player to the Quick Launch bar. +- If you enable this policy setting, the user cannot add the shortcut for the Player to the Quick Launch bar. -If you disable or don't configure this policy setting, the user can choose whether to add the shortcut for the Player to the Quick Launch bar. +- If you disable or do not configure this policy setting, the user can choose whether to add the shortcut for the Player to the Quick Launch bar. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent Quick Launch Toolbar Shortcut Creation* -- GP name: *PreventQuickLaunchShortcut* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/PreventRadioPresetsRetrieval** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PreventQuickLaunchShortcut | +| Friendly Name | Prevent Quick Launch Toolbar Shortcut Creation | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | QuickLaunchShortcut | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PreventRadioPresetsRetrieval -> [!div class = "checklist"] -> * User -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventRadioPresetsRetrieval +``` + + + + This policy setting allows you to prevent radio station presets from being retrieved from the Internet. -If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured aren't updated, and the presets that a user adds aren't displayed. +- If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured are not be updated, and presets a user adds are not be displayed. -If you disable or don't configure this policy setting, the Player automatically retrieves radio station presets from the Internet. +- If you disable or do not configure this policy setting, the Player automatically retrieves radio station presets from the Internet. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *PPrevent Radio Station Preset Retrieval* -- GP name: *PreventRadioPresetsRetrieval* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PreventRadioPresetsRetrieval | +| Friendly Name | Prevent Radio Station Preset Retrieval | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | PreventRadioPresetsRetrieval | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PreventWMPDeskTopShortcut -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut +``` + - - + + This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. -If you enable this policy setting, users can't add the Player shortcut icon to their desktops. +- If you enable this policy setting, users cannot add the Player shortcut icon to their desktops. -If you disable or don't configure this policy setting, users can choose whether to add the Player shortcut icon to their desktops. +- If you disable or do not configure this policy setting, users can choose whether to add the Player shortcut icon to their desktops. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent Desktop Shortcut Creation* -- GP name: *PreventWMPDeskTopShortcut* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/SkinLockDown** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PreventWMPDeskTopShortcut | +| Friendly Name | Prevent Desktop Shortcut Creation | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | DesktopShortcut | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SkinLockDown -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/SkinLockDown +``` + - - + + This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. -If you enable this policy setting, the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab. +- If you enable this policy setting, the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab. -You must use the complete file name for the skin (for example, skin_name.wmz), and the skin must be installed in the %programfiles%\Windows Media Player\Skins Folder on a user's computer. If the skin isn't installed on a user's computer, or if the Skin box is blank, the Player opens by using the Corporate skin. The only way to specify the Corporate skin is to leave the Skin box blank. +You must use the complete file name for the skin (for example, skin_name.wmz), and the skin must be installed in the %programfiles%\Windows Media Player\Skins Folder on a user's computer. If the skin is not installed on a user's computer, or if the Skin box is blank, the Player opens by using the Corporate skin. The only way to specify the Corporate skin is to leave the Skin box blank. -A user has access only to the Player features that are available with the specified skin. Users can't switch the Player to full mode and can't choose a different skin. +A user has access only to the Player features that are available with the specified skin. Users cannot switch the Player to full mode and cannot choose a different skin. -If you disable or don't configure this policy setting, users can display the Player in full or skin mode and have access to all available features of the Player. +- If you disable or do not configure this policy setting, users can display the Player in full or skin mode and have access to all available features of the Player. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set and Lock Skin* -- GP name: *SkinLockDown* -- GP path: *Windows Components\Windows Media Player\User Interface* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SkinLockDown | +| Friendly Name | Set and Lock Skin | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > User Interface | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | SetAndLockSkin | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## WindowsStreamingMediaProtocols -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols +``` + - - + + This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services. -If you enable this policy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in the Use ports check box. If the user doesn't specify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected. +- If you enable this policy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected. -If you enable this policy setting, the administrator must also specify the protocols that are available to users on the Network tab. If the administrator doesn't specify any protocols, the Player can't access an MMS or RTSP URL from a Windows Media server. If the "Hide network tab" policy setting is enabled, the entire Network tab is hidden. +- If you enable this policy setting, the administrator must also specify the protocols that are available to users on the Network tab. 
If the administrator does not specify any protocols, the Player cannot access an MMS or RTSP URL from a Windows Media server. If the "Hide network tab" policy setting is enabled, the entire Network tab is hidden. -If you don't configure this policy setting, users can select the protocols to use on the Network tab. +- If you do not configure this policy setting, users can select the protocols to use on the Network tab. -If you disable this policy setting, the Protocols for MMS URLs and Multicast streams areas of the Network tab aren't available and the Player can't receive an MMS or RTSP stream from a Windows Media server. +- If you disable this policy setting, the Protocols for MMS URLs and Multicast streams areas of the Network tab are not available and the Player cannot receive an MMS or RTSP stream from a Windows Media server. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Streaming Media Protocols* -- GP name: *WindowsStreamingMediaProtocols* -- GP path: *Windows Components\Windows Media Player\Networking* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | WindowsStreamingMediaProtocols | +| Friendly Name | Streaming Media Protocols | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Networking | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer\Protocols | +| Registry Value Name | WindowsMediaStreamingProtocols | +| ADMX File Name | windowsmediaplayer.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md index 636f40127c..92e853efe1 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md 
@@ -1,140 +1,156 @@ --- -title: Policy CSP - ADMX_WindowsRemoteManagement -description: Policy CSP - ADMX_WindowsRemoteManagement +title: ADMX_WindowsRemoteManagement Policy CSP +description: Learn more about the ADMX_WindowsRemoteManagement Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/16/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WindowsRemoteManagement ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## DisallowKerberos_1 - -## ADMX_WindowsRemoteManagement policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_WindowsRemoteManagement/DisallowKerberos_1 -
    -
    - ADMX_WindowsRemoteManagement/DisallowKerberos_2 -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsRemoteManagement/DisallowKerberos_1 +``` + - -
    - - -**ADMX_WindowsRemoteManagement/DisallowKerberos_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos credentials over the network. -If you enable this policy setting, the WinRM service does not accept Kerberos credentials over the network. +- If you enable this policy setting, the WinRM service does not accept Kerberos credentials over the network. -If you disable or do not configure this policy setting, the WinRM service accepts Kerberos authentication from a remote client. +- If you disable or do not configure this policy setting, the WinRM service accepts Kerberos authentication from a remote client. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Disallow Kerberos authentication* -- GP name: *DisallowKerberos_1* -- GP path: *Windows Components\Windows Remote Management (WinRM)\WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**ADMX_WindowsRemoteManagement/DisallowKerberos_2** +| Name | Value | +|:--|:--| +| Name | DisallowKerberos_1 | +| Friendly Name | Disallow Kerberos authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | AllowKerberos | +| ADMX File Name | WindowsRemoteManagement.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## DisallowKerberos_2 - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsRemoteManagement/DisallowKerberos_2 +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Kerberos authentication directly. -If you enable this policy setting, the Windows Remote Management (WinRM) client does not use Kerberos authentication directly. Kerberos can still be used if the WinRM client is using the Negotiate authentication and Kerberos is selected. +- If you enable this policy setting, the Windows Remote Management (WinRM) client does not use Kerberos authentication directly. Kerberos can still be used if the WinRM client is using the Negotiate authentication and Kerberos is selected. -If you disable or do not configure this policy setting, the WinRM client uses the Kerberos authentication directly. +- If you disable or do not configure this policy setting, the WinRM client uses the Kerberos authentication directly. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Disallow Kerberos authentication* -- GP name: *DisallowKerberos_2* -- GP path: *Windows Components\Windows Remote Management (WinRM)\WinRM Client* -- GP ADMX file name: *WindowsRemoteManagement.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | DisallowKerberos_2 | +| Friendly Name | Disallow Kerberos authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client | +| Registry Value Name | AllowKerberos | +| ADMX File Name | WindowsRemoteManagement.admx | + - \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md index 36044d5475..2187c471b8 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md 
@@ -1,300 +1,338 @@ --- -title: Policy CSP - ADMX_WindowsStore -description: Policy CSP - ADMX_WindowsStore +title: ADMX_WindowsStore Policy CSP +description: Learn more about the ADMX_WindowsStore Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/26/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WindowsStore ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + +## DisableAutoDownloadWin8 + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/DisableAutoDownloadWin8 +``` + + + + +Enables or disables the automatic download of app updates on PCs running Windows 8. + +- If you enable this setting, the automatic download of app updates is turned off. + +- If you disable this setting, the automatic download of app updates is turned on. + +- If you don't configure this setting, the automatic download of app updates is determined by a registry setting that the user can change using Settings in the Microsoft Store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableAutoDownloadWin8 | +| Friendly Name | Turn off Automatic Download of updates on Win8 machines | +| Location | Computer Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | AutoDownload | +| ADMX File Name | WindowsStore.admx | + + + + + + + + + +## DisableOSUpgrade_1 - -## ADMX_WindowsStore policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/DisableOSUpgrade_1 +``` + + + + +Enables or disables the Store offer to update to the latest version of Windows. + +- If you enable this setting, the Store application will not offer updates to the latest version of Windows. + +- If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableOSUpgrade_1 | +| Friendly Name | Turn off the offer to update to the latest version of Windows | +| Location | User Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | DisableOSUpgrade | +| ADMX File Name | WindowsStore.admx | + + + + + + + + + +## DisableOSUpgrade_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/DisableOSUpgrade_2 +``` + + + + +Enables or disables the Store offer to update to the latest version of Windows. + +- If you enable this setting, the Store application will not offer updates to the latest version of Windows. + +- If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableOSUpgrade_2 | +| Friendly Name | Turn off the offer to update to the latest version of Windows | +| Location | Computer Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | DisableOSUpgrade | +| ADMX File Name | WindowsStore.admx | + + + + + + + + + +## RemoveWindowsStore_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/RemoveWindowsStore_1 +``` + + + + +Denies or allows access to the Store application. + +- If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. + +- If you disable or don't configure this setting, access to the Store application is allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RemoveWindowsStore_1 | +| Friendly Name | Turn off the Store application | +| Location | User Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | RemoveWindowsStore | +| ADMX File Name | WindowsStore.admx | + + + + + + + + + +## RemoveWindowsStore_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/RemoveWindowsStore_2 +``` + + + + +Denies or allows access to the Store application. + +- If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. + +- If you disable or don't configure this setting, access to the Store application is allowed. + + + + + + + +**Description framework properties**: -
    -
    - ADMX_WindowsStore/DisableAutoDownloadWin8 -
    -
    - ADMX_WindowsStore/DisableOSUpgrade_1 -
    -
    - ADMX_WindowsStore/DisableOSUpgrade_2 -
    -
    - ADMX_WindowsStore/RemoveWindowsStore_1 -
    -
    - ADMX_WindowsStore/RemoveWindowsStore_2 -
    -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | RemoveWindowsStore_2 | +| Friendly Name | Turn off the Store application | +| Location | Computer Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | RemoveWindowsStore | +| ADMX File Name | WindowsStore.admx | + - -**ADMX_WindowsStore/DisableAutoDownloadWin8** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+
+
+## Related articles
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting enables or disables the automatic download of app updates on PCs running Windows 8.
-
-If you enable this setting, the automatic download of app updates is turned off. If you disable this setting, the automatic download of app updates is turned on.
-
-If you don't configure this setting, the automatic download of app updates is determined by a registry setting that the user can change using Settings in the Windows Store.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Turn off Automatic Download of updates on Win8 machines*
-- GP name: *DisableAutoDownloadWin8*
-- GP path: *Windows Components\Store*
-- GP ADMX file name: *WindowsStore.admx*
-
-
-
-
    - -
    - - -**ADMX_WindowsStore/DisableOSUpgrade_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting enables or disables the Store offer to update to the latest version of Windows. - -If you enable this setting, the Store application will not offer updates to the latest version of Windows. - -If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. - - - - - -ADMX Info: -- GP Friendly name: *Turn off the offer to update to the latest version of Windows* -- GP name: *DisableOSUpgrade_1* -- GP path: *Windows Components\Store* -- GP ADMX file name: *WindowsStore.admx* - - - -
    - -
    - - -**ADMX_WindowsStore/DisableOSUpgrade_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting enables or disables the Store offer to update to the latest version of Windows. - -If you enable this setting, the Store application will not offer updates to the latest version of Windows. - -If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. - - - - - -ADMX Info: -- GP Friendly name: *Turn off the offer to update to the latest version of Windows* -- GP name: *DisableOSUpgrade_2* -- GP path: *Windows Components\Store* -- GP ADMX file name: *WindowsStore.admx* - - - - - -
    - - -**ADMX_WindowsStore/RemoveWindowsStore_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting denies or allows access to the Store application. - -If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. - -If you disable or don't configure this setting, access to the Store application is allowed. - - - - - -ADMX Info: -- GP Friendly name: *Turn off the Store application* -- GP name: *RemoveWindowsStore_1* -- GP path: *Windows Components\Store* -- GP ADMX file name: *WindowsStore.admx* - - - -
    - -
    - - -**ADMX_WindowsStore/RemoveWindowsStore_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting denies or allows access to the Store application. - -If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. - -If you disable or don't configure this setting, access to the Store application is allowed. - - - - - -ADMX Info: -- GP Friendly name: *Turn off the Store application* -- GP name: *RemoveWindowsStore_2* -- GP path: *Windows Components\Store* -- GP ADMX file name: *WindowsStore.admx* - - - -
-
-
-
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md
index df7be3051f..0e91181420 100644
--- a/windows/client-management/mdm/policy-csp-admx-wininit.md
+++ b/windows/client-management/mdm/policy-csp-admx-wininit.md
@@ -1,191 +1,215 @@ --- -title: Policy CSP - ADMX_WinInit -description: Policy CSP - ADMX_WinInit +title: ADMX_WinInit Policy CSP +description: Learn more about the ADMX_WinInit Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/29/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WinInit ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## DisableNamedPipeShutdownPolicyDescription - -## ADMX_WinInit policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription -
    -
    - ADMX_WinInit/Hiberboot -
    -
    - ADMX_WinInit/ShutdownTimeoutHungSessionsDescription -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription +``` + + + +This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system. -
    +- If you enable this policy setting, the system does not create the named pipe remote shutdown interface. - -**ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription** +- If you disable or do not configure this policy setting, the system creates the named pipe remote shutdown interface. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | DisableNamedPipeShutdownPolicyDescription | +| Friendly Name | Turn off legacy remote shutdown interface | +| Location | Computer Configuration | +| Path | Windows Components > Shutdown Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisableShutdownNamedPipe | +| ADMX File Name | WinInit.admx | + -
    + + + - - -This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shut down this system from a remote Windows XP or Windows Server 2003 system. + -If you enable this policy setting, the system doesn't create the named pipe remote shutdown interface. + +## Hiberboot -If you disable or don't configure this policy setting, the system creates the named pipe remote shutdown interface. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WinInit/Hiberboot +``` + - - -ADMX Info: -- GP Friendly name: *Turn off legacy remote shutdown interface* -- GP name: *DisableNamedPipeShutdownPolicyDescription* -- GP path: *Windows Components\Shutdown Options* -- GP ADMX file name: *WinInit.admx* - - - -
    - - -**ADMX_WinInit/Hiberboot** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls the use of fast startup. -If you enable this policy setting, the system requires hibernate to be enabled. +- If you enable this policy setting, the system requires hibernate to be enabled. -If you disable or don't configure this policy setting, the local setting is used. +- If you disable or do not configure this policy setting, the local setting is used. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Require use of fast startup* -- GP name: *Hiberboot* -- GP path: *System\Shutdown* -- GP ADMX file name: *WinInit.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WinInit/ShutdownTimeoutHungSessionsDescription** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Hiberboot | +| Friendly Name | Require use of fast startup | +| Location | Computer Configuration | +| Path | System > Shutdown | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | HiberbootEnabled | +| ADMX File Name | WinInit.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## ShutdownTimeoutHungSessionsDescription - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WinInit/ShutdownTimeoutHungSessionsDescription +``` + -
    - - - + + This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown. -If you enable this policy setting, the system waits for the hung logon sessions for the number of minutes specified. +- If you enable this policy setting, the system waits for the hung logon sessions for the number of minutes specified. -If you disable or don't configure this policy setting, the default timeout value is 3 minutes for workstations and 15 minutes for servers. +- If you disable or do not configure this policy setting, the default timeout value is 3 minutes for workstations and 15 minutes for servers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Timeout for hung logon sessions during shutdown* -- GP name: *ShutdownTimeoutHungSessionsDescription* -- GP path: *Windows Components\Shutdown Options* -- GP ADMX file name: *WinInit.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+**ADMX mapping**:
+| Name | Value |
+|:--|:--|
+| Name | ShutdownTimeoutHungSessionsDescription |
+| Friendly Name | Timeout for hung logon sessions during shutdown |
+| Location | Computer Configuration |
+| Path | Windows Components > Shutdown Options |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| ADMX File Name | WinInit.admx |
+
-
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md
index b5f0a3c887..97b2a94a4a 100644
--- a/windows/client-management/mdm/policy-csp-admx-winlogon.md
+++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md
@@ -1,363 +1,420 @@ --- -title: Policy CSP - ADMX_WinLogon -description: Policy CSP - ADMX_WinLogon +title: ADMX_WinLogon Policy CSP +description: Learn more about the ADMX_WinLogon Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WinLogon ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## CustomShell - -## ADMX_WinLogon policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_WinLogon/CustomShell -
    -
    - ADMX_WinLogon/DisplayLastLogonInfoDescription -
    -
    - ADMX_WinLogon/LogonHoursNotificationPolicyDescription -
    -
    - ADMX_WinLogon/LogonHoursPolicyDescription -
    -
    - ADMX_WinLogon/ReportCachedLogonPolicyDescription -
    -
    - ADMX_WinLogon/SoftwareSASGeneration -
    -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/CustomShell +``` + + + +Specifies an alternate user interface. -
    +The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. +- If you enable this setting, the system starts the interface you specify instead of Explorer.exe. - -**ADMX_WinLogon/CustomShell** +To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. - -If you enable this setting, the system starts the interface you specify instead of Explorer.exe. To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file isn't located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file. - -If you disable this setting or don't configure it, the setting is ignored and the system displays the Explorer interface. +- If you disable this setting or do not configure it, the setting is ignored and the system displays the Explorer interface. > [!TIP] > To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Custom User Interface* -- GP name: *CustomShell* -- GP path: *System* -- GP ADMX file name: *WinLogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WinLogon/DisplayLastLogonInfoDescription** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CustomShell | +| Friendly Name | Custom User Interface | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | WinLogon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## DisplayLastLogonInfoDescription - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WinLogon/DisplayLastLogonInfoDescription +``` + -
    + + +This policy setting controls whether or not the system displays information about previous logons and logon failures to the user. - - -This policy setting controls whether or not the system displays information about previous sign-ins and sign-in failures to the user. +For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last successful logon by that user, the date and time of the last unsuccessful logon attempted with that user name, and the number of unsuccessful logons since the last successful logon by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop. -For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last successful sign in by that user, the date and time of the last unsuccessful sign in attempted with that user name, and the number of unsuccessful logons since the last successful sign in by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop. +For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows could not retrieve the information and the user will not be able to log on. Therefore, you should not enable this policy setting if the domain is not at the Windows Server 2008 domain functional level. 
-For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows couldn't retrieve the information and the user won't be able to sign in. Therefore, you shouldn't enable this policy setting if the domain isn't at the Windows Server 2008 domain functional level. +- If you disable or do not configure this setting, messages about the previous logon or logon failures are not displayed. + -If you disable or don't configure this setting, messages about the previous sign in or sign-in failures aren't displayed. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Display information about previous logons during user logon* -- GP name: *DisplayLastLogonInfoDescription* -- GP path: *Windows Components\Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | DisplayLastLogonInfoDescription | +| Friendly Name | Display information about previous logons during user logon | +| Location | Computer Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisplayLastLogonInfo | +| ADMX File Name | WinLogon.admx | + - -**ADMX_WinLogon/LogonHoursNotificationPolicyDescription** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## LogonHoursNotificationPolicyDescription + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/LogonHoursNotificationPolicyDescription +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire. -> [!div class = "checklist"] -> * User +- If you enable this setting, warnings are not displayed to the user before the logon hours expire. -
    - - - -This policy controls whether the signed-in user should be notified when their sign-in hours are about to expire. By default, a user is notified before sign-in hours expire, if actions have been set to occur when the sign-in hours expire. - -If you enable this setting, warnings aren't displayed to the user before the sign-in hours expire. - -If you disable or don't configure this setting, users receive warnings before the sign-in hours expire, if actions have been set to occur when the sign-in hours expire. +- If you disable or do not configure this setting, users receive warnings before the logon hours expire, if actions have been set to occur when the logon hours expire. > [!NOTE] -> If you configure this setting, you might want to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when logon hours expire” is disabled or not configured, the “Remove logon hours expiration warnings” setting will have no effect, and users receive no warnings about logon hour expiration +> If you configure this setting, you might want to examine and appropriately configure the "Set action to take when logon hours expire" setting. If "Set action to take when logon hours expire" is disabled or not configured, the "Remove logon hours expiration warnings" setting will have no effect, and users receive no warnings about logon hour expiration + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove logon hours expiration warnings* -- GP name: *LogonHoursNotificationPolicyDescription* -- GP path: *Windows Components\Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WinLogon/LogonHoursPolicyDescription** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | LogonHoursNotificationPolicyDescription | +| Friendly Name | Remove logon hours expiration warnings | +| Location | User Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DontDisplayLogonHoursWarnings | +| ADMX File Name | WinLogon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## LogonHoursPolicyDescription - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/LogonHoursPolicyDescription +``` + -
    + + +This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely. - - -This policy controls which action will be taken when the sign-in hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely. +If you choose to lock or disconnect a session, the user cannot unlock the session or reconnect except during permitted logon hours. -If you choose to lock or disconnect a session, the user can't unlock the session or reconnect except during permitted sign-in hours. +If you choose to log off a user, the user cannot log on again except during permitted logon hours. If you choose to log off a user, the user might lose unsaved data. -If you choose to sign out a user, the user can't sign in again except during permitted sign-in hours. If you choose to sign out a user, the user might lose unsaved data. If you enable this setting, the system will perform the action you specify when the user’s sign-in hours expire. +- If you enable this setting, the system will perform the action you specify when the user's logon hours expire. -If you disable or don't configure this setting, the system takes no action when the user’s sign-in hours expire. The user can continue the existing session, but can't sign in to a new session. +- If you disable or do not configure this setting, the system takes no action when the user's logon hours expire. The user can continue the existing session, but cannot log on to a new session. > [!NOTE] -> If you configure this setting, you might want to examine and appropriately configure the “Remove logon hours expiration warnings” setting. 
+> If you configure this setting, you might want to examine and appropriately configure the "Remove logon hours expiration warnings" setting + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set action to take when logon hours expire* -- GP name: *LogonHoursPolicyDescription* -- GP path: *Windows Components\Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WinLogon/ReportCachedLogonPolicyDescription** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | LogonHoursPolicyDescription | +| Friendly Name | Set action to take when logon hours expire | +| Location | User Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | WinLogon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## ReportCachedLogonPolicyDescription - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/ReportCachedLogonPolicyDescription +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WinLogon/ReportCachedLogonPolicyDescription +``` + - - -This policy controls whether the signed-in user should be notified if the sign-in server couldn't be contacted during sign in and if they've been signed in using previously stored account information. + + +This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information. If enabled, a notification popup will be displayed to the user when the user logs on with cached credentials. -If disabled or not configured, no pop up will be displayed to the user. +If disabled or not configured, no popup will be displayed to the user. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Report when logon server was not available during user logon* -- GP name: *ReportCachedLogonPolicyDescription* -- GP path: *Windows Components\Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WinLogon/SoftwareSASGeneration** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ReportCachedLogonPolicyDescription | +| Friendly Name | Report when logon server was not available during user logon | +| Location | Computer and User Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | ReportControllerMissing | +| ADMX File Name | WinLogon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## SoftwareSASGeneration - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WinLogon/SoftwareSASGeneration +``` + -
    + + +This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS). - - -This policy setting controls whether the software can simulate the Secure Attention Sequence (SAS). +- If you enable this policy setting, you have one of four options: -If you enable this policy setting, you have one of four options: +If you set this policy setting to "None," user mode software cannot simulate the SAS. +If you set this policy setting to "Services," services can simulate the SAS. +If you set this policy setting to "Ease of Access applications," Ease of Access applications can simulate the SAS. +If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate the SAS. -- If you set this policy setting to "None," user mode software can't simulate the SAS. -- If you set this policy setting to "Services," services can simulate the SAS. -- If you set this policy setting to "Ease of Access applications," Ease of Access applications can simulate the SAS. -- If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate the SAS. +- If you disable or do not configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS. + -If you disable or don't configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Disable or enable software Secure Attention Sequence* -- GP name: *SoftwareSASGeneration* -- GP path: *Windows Components\Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | SoftwareSASGeneration | +| Friendly Name | Disable or enable software Secure Attention Sequence | +| Location | Computer Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | WinLogon.admx | + + + + - \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-winsrv.md b/windows/client-management/mdm/policy-csp-admx-winsrv.md index 50e594e0d2..e4b1d5df39 100644 --- a/windows/client-management/mdm/policy-csp-admx-winsrv.md +++ b/windows/client-management/mdm/policy-csp-admx-winsrv.md 
@@ -1,93 +1,99 @@ --- -title: Policy CSP - ADMX_Winsrv -description: Policy CSP - ADMX_Winsrv +title: ADMX_Winsrv Policy CSP +description: Learn more about the ADMX_Winsrv Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 02/25/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Winsrv ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowBlockingAppsAtShutdown - -## ADMX_Winsrv policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_Winsrv/AllowBlockingAppsAtShutdown -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Winsrv/AllowBlockingAppsAtShutdown +``` + + + +This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. By default, such applications are automatically terminated if they attempt to cancel shutdown or block it indefinitely. -
    +- If you enable this setting, console applications or GUI applications without visible top-level windows that block or cancel shutdown will not be automatically terminated during shutdown. - -**ADMX_Winsrv/AllowBlockingAppsAtShutdown** +- If you disable or do not configure this setting, these applications will be automatically terminated during shutdown, helping to ensure that Windows can shut down faster and more smoothly. + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. - -By default, such applications are automatically terminated if they attempt to cancel shutdown or block it indefinitely. - -- If you enable this setting, console applications or GUI applications without visible top-level windows that block or cancel shutdown won't be automatically terminated during shutdown. -- If you disable or don't configure this setting, these applications will be automatically terminated during shutdown, helping to ensure that windows can shut down faster and more smoothly. + + > [!NOTE] > This policy setting applies to all sites in Trusted zones. + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Turn off automatic termination of applications that block or cancel shutdown* -- GP name: *AllowBlockingAppsAtShutdown* -- GP path: *System\Shutdown Options* -- GP ADMX file name: *Winsrv.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | AllowBlockingAppsAtShutdown | +| Friendly Name | Turn off automatic termination of applications that block or cancel shutdown | +| Location | Computer Configuration | +| Path | System > Shutdown Options | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowBlockingAppsAtShutdown | +| ADMX File Name | Winsrv.admx | + + + + - + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md index 4fc49cd363..5dcf6b4493 100644 --- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md +++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md 
@@ -1,190 +1,221 @@ --- -title: Policy CSP - ADMX_wlansvc -description: Policy CSP - ADMX_wlansvc +title: ADMX_wlansvc Policy CSP +description: Learn more about the ADMX_wlansvc Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/27/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_wlansvc ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## SetCost - -## ADMX_wlansvc policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_wlansvc/SetCost -
    -
    - ADMX_wlansvc/SetPINEnforced -
    -
    - ADMX_wlansvc/SetPINPreferred -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_wlansvc/SetCost +``` + - -
    - - -**ADMX_wlansvc/SetCost** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine. -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN connections on the local machine: +- If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN connections on the local machine: - Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. -- Fixed: Use of this connection isn't restricted by usage charges and capacity constraints up to a certain data limit. -- Variable: This connection is costed on a per byte basis. If this policy setting is disabled or isn't configured, the cost of Wireless LAN connections is Unrestricted by default. - +- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. +- Variable: This connection is costed on a per byte basis. - -ADMX Info: -- GP Friendly name: *Set Cost* -- GP name: *IncludeCmdLine* -- GP path: *Network\WLAN Service\WLAN Media Cost* -- GP ADMX file name: *wlansvc.admx* +- If this policy setting is disabled or is not configured, the cost of Wireless LAN connections is Unrestricted by default. + - - -
    + + + - -**ADMX_wlansvc/SetPINEnforced** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | SetCost | +| Friendly Name | Set Cost | +| Location | Computer Configuration | +| Path | Network > WLAN Service > WLAN Media Cost | +| Registry Key Name | Software\Policies\Microsoft\Windows\Wireless\NetCost | +| ADMX File Name | wlansvc.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## SetPINEnforced + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_wlansvc/SetPINEnforced +``` + + + + This policy applies to Wireless Display connections. This policy means that the use of a PIN for pairing to Wireless Display devices is required rather than optional. Conversely it means that Push Button is NOT allowed. -If this policy setting is disabled or isn't configured, by default Push Button pairing is allowed (but not necessarily preferred). +- If this policy setting is disabled or is not configured, by default Push Button pairing is allowed (but not necessarily preferred). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Require PIN pairing* -- GP name: *SetPINEnforced* -- GP path: *Network\Wireless Display* -- GP ADMX file name: *wlansvc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_wlansvc/SetPINPreferred** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SetPINEnforced | +| Friendly Name | Require PIN pairing | +| Location | Computer Configuration | +| Path | Network > Wireless Display | +| Registry Key Name | SOFTWARE\Policies\Microsoft\WirelessDisplay | +| Registry Value Name | EnforcePinBasedPairing | +| ADMX File Name | wlansvc.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SetPINPreferred -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_wlansvc/SetPINPreferred +``` + - - + + This policy applies to Wireless Display connections. This policy changes the preference order of the pairing methods. When enabled, it makes the connections to prefer a PIN for pairing to Wireless Display devices over the Push Button pairing method. -If this policy setting is disabled or isn't configured, by default Push Button pairing is preferred (if allowed by other policies). +- If this policy setting is disabled or is not configured, by default Push Button pairing is preferred (if allowed by other policies). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prefer PIN pairing* -- GP name: *SetPINPreferred* -- GP path: *Network\Wireless Display* -- GP ADMX file name: *wlansvc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | SetPINPreferred | +| Friendly Name | Prefer PIN pairing | +| Location | Computer Configuration | +| Path | Network > Wireless Display | +| Registry Key Name | SOFTWARE\Policies\Microsoft\WirelessDisplay | +| Registry Value Name | PreferPinBasedPairing | +| ADMX File Name | wlansvc.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-wordwheel.md b/windows/client-management/mdm/policy-csp-admx-wordwheel.md index 07a3a84c12..47c1744461 100644 --- a/windows/client-management/mdm/policy-csp-admx-wordwheel.md +++ b/windows/client-management/mdm/policy-csp-admx-wordwheel.md 
@@ -1,86 +1,95 @@ --- -title: Policy CSP - ADMX_WordWheel -description: Policy CSP - ADMX_WordWheel +title: ADMX_WordWheel Policy CSP +description: Learn more about the ADMX_WordWheel Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/22/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WordWheel > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_WordWheel policies + +## CustomSearch -
    -
    - ADMX_WordWheel/CustomSearch -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WordWheel/CustomSearch +``` + -
    - - -**ADMX_WordWheel/CustomSearch** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + Set up the menu name and URL for the custom Internet search provider. - If you enable this setting, the specified menu name and URL will be used for Internet searches. + - If you disable or not configure this setting, the default Internet search provider will be used. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Custom Instant Search Internet search provider* -- GP name: *CustomSearch* -- GP path: *Windows Components\Instant Search* -- GP ADMX file name: *WordWheel.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CustomSearch | +| Friendly Name | Custom Instant Search Internet search provider | +| Location | User Configuration | +| Path | Windows Components > Instant Search | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SearchExtensions | +| ADMX File Name | WordWheel.admx | + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md index 5bd6d30977..1ba24c4abe 100644 --- a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md +++ b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md 
@@ -1,196 +1,225 @@ --- -title: Policy CSP - ADMX_WorkFoldersClient -description: Policy CSP - ADMX_WorkFoldersClient +title: ADMX_WorkFoldersClient Policy CSP +description: Learn more about the ADMX_WorkFoldersClient Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/22/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WorkFoldersClient > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_WorkFoldersClient policies + +## Pol_MachineEnableWorkFolders -
    -
    - ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker -
    -
    - ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders -
    -
    - ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders +``` + -
    - - -**ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. -- If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. +- If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. Work Folders will use the settings specified in the "Specify Work Folders settings" policy setting in User Configuration\Administrative Templates\Windows Components\WorkFolders. If the "Specify Work Folders settings" policy setting does not apply to a user, Work Folders is not automatically set up. -This folder creation prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. Work Folders will use the settings specified in the "Specify Work Folders settings" policy setting in User Configuration\Administrative Templates\Windows Components\WorkFolders. If the "Specify Work Folders settings" policy setting doesn't apply to a user, Work Folders isn't automatically set up. -- If you disable or don't configure this policy setting, Work Folders uses the "Force automatic setup" option of the "Specify Work Folders settings" policy setting to determine whether to automatically set up Work Folders for a given user. +- If you disable or do not configure this policy setting, Work Folders uses the "Force automatic setup" option of the "Specify Work Folders settings" policy setting to determine whether to automatically set up Work Folders for a given user. 
+ + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Force automatic setup for all users* -- GP name: *Pol_UserEnableTokenBroker* -- GP path: *Windows Components\Work Folders* -- GP ADMX file name: *WorkFoldersClient.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Pol_MachineEnableWorkFolders | +| Friendly Name | Force automatic setup for all users | +| Location | Computer Configuration | +| Path | Windows Components > Work Folders | +| Registry Key Name | Software\Policies\Microsoft\Windows\WorkFolders | +| Registry Value Name | AutoProvision | +| ADMX File Name | WorkFolders-Client.admx | + - -**ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## Pol_UserEnableTokenBroker - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker +``` + -> [!div class = "checklist"] -> * User + + +This policy specifies whether Work Folders should use Token Broker for interactive AD FS authentication instead of its own OAuth2 token flow used in previous versions. + -
    + + + - - -This policy setting specifies the Work Folders server for affected users, and whether or not users are allowed to change settings when setting up Work Folders on a domain-joined computer. + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_UserEnableTokenBroker | +| Friendly Name | Enables the use of Token Broker for AD FS authentication | +| Location | User Configuration | +| Path | Windows Components > Work Folders | +| Registry Key Name | Software\Policies\Microsoft\Windows\WorkFolders | +| Registry Value Name | EnableTokenBroker | +| ADMX File Name | WorkFolders-Client.admx | + + + + + + + + + +## Pol_UserEnableWorkFolders + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders +``` + + + + +This policy setting specifies the Work Folders server for affected users, as well as whether or not users are allowed to change settings when setting up Work Folders on a domain-joined computer. - If you enable this policy setting, affected users receive Work Folders settings when they sign in to a domain-joined PC. +- If this policy setting is disabled or not configured, no Work Folders settings are specified for the affected users, though users can manually set up Work Folders by using the Work Folders Control Panel item. -If this policy setting is disabled or not configured, no Work Folders settings are specified for the affected users, though users can manually set up Work Folders by using the Work Folders Control Panel item. The "Work Folders URL" can specify either the URL used by the organization for Work Folders discovery, or the specific URL of the file server that stores the affected users' data. The "Work Folders Local Path" specifies the local folder used on the client machine to sync files. This path may contain environment variables. +The "Work Folders URL" can specify either the URL used by the organization for Work Folders discovery, or the specific URL of the file server that stores the affected users' data. + +The "Work Folders Local Path" specifies the local folder used on the client machine to sync files. This path may contain environment variables > [!NOTE] > In order for this configuration to take effect, a valid 'Work Folders URL' must also be specified. -The “On-demand file access preference” option controls whether to enable on-demand file access. When enabled, the user controls which files in Work Folders are available offline on a given PC. 
The rest of the files in Work Folders are always visible and don’t take up any space on the PC, but the user must be connected to the Internet to access them. If you enable this policy setting, on-demand file access is enabled. +The "On-demand file access preference" option controls whether to enable on-demand file access. When enabled, the user controls which files in Work Folders are available offline on a given PC. The rest of the files in Work Folders are always visible and don't take up any space on the PC, but the user must be connected to the Internet to access them. -- If you disable this policy setting, on-demand file access is disabled, and enough storage space to store all the user’s files is required on each of their PCs. +- If you enable this policy setting, on-demand file access is enabled. +- If you disable this policy setting, on-demand file access is disabled, and enough storage space to store all the user's files is required on each of their PCs. +If you specify User choice or do not configure this policy setting, the user decides whether to enable on-demand file access. However, if the Force automatic setup policy setting is enabled, Work Folders is set up automatically with on-demand file access enabled. -If you specify User choice or don't configure this policy setting, the user decides whether to enable on-demand file access. However, if the Force automatic setup policy setting is enabled, Work Folders is set up automatically with on-demand file access enabled. +The "Force automatic setup" option specifies that Work Folders should be set up automatically without prompting users. This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. By default, Work Folders is stored in the "%USERPROFILE%\Work Folders" folder. 
If this option is not specified, users must use the Work Folders Control Panel item on their computers to set up Work Folders. + -The "Force automatic setup" option specifies that Work Folders should be set up automatically without prompting users. This automatic setup prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. By default, Work Folders is stored in the "%USERPROFILE%\Work Folders" folder. If this option isn't specified, users must use the Work Folders Control Panel item on their computers to set up Work Folders. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify Work Folders settings* -- GP name: *Pol_UserEnableWorkFolders* -- GP path: *Windows Components\Work Folders* -- GP ADMX file name: *WorkFoldersClient.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders** +| Name | Value | +|:--|:--| +| Name | Pol_UserEnableWorkFolders | +| Friendly Name | Specify Work Folders settings | +| Location | User Configuration | +| Path | Windows Components > Work Folders | +| Registry Key Name | Software\Policies\Microsoft\Windows\WorkFolders | +| ADMX File Name | WorkFolders-Client.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User +## Related articles -
    - - - -This policy specifies whether Work Folders should use Token Broker for interactive AD FS authentication instead of its own OAuth2 token flow used in previous versions. - - - - - -ADMX Info: -- GP Friendly name: *Enables the use of Token Broker for AD FS authentication* -- GP name: *Pol_MachineEnableWorkFolders* -- GP path: *Windows Components\Work Folders* -- GP ADMX file name: *WorkFoldersClient.admx* - - - - - - \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md index 2e7baef0be..e141fc1da3 100644 --- a/windows/client-management/mdm/policy-csp-admx-wpn.md +++ b/windows/client-management/mdm/policy-csp-admx-wpn.md 
@@ -1,361 +1,414 @@ --- -title: Policy CSP - ADMX_WPN -description: Policy CSP - ADMX_WPN +title: ADMX_WPN Policy CSP +description: Learn more about the ADMX_WPN Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WPN ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## NoCallsDuringQuietHours - -## ADMX_WPN policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_WPN/NoCallsDuringQuietHours -
    -
    - ADMX_WPN/NoLockScreenToastNotification -
    -
    - ADMX_WPN/NoQuietHours -
    -
    - ADMX_WPN/NoToastNotification -
    -
    - ADMX_WPN/QuietHoursDailyBeginMinute -
    -
    - ADMX_WPN/QuietHoursDailyEndMinute -
    -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WPN/NoCallsDuringQuietHours +``` + - -
    - - -**ADMX_WPN/NoCallsDuringQuietHours** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting blocks voice and video calls during Quiet Hours. -If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users won't be able to customize any other Quiet Hours settings. +- If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Hours settings. -If you disable this policy setting, voice and video calls will be allowed during Quiet Hours, and users won't be able to customize this or any other Quiet Hours settings. +- If you disable this policy setting, voice and video calls will be allowed during Quiet Hours, and users will not be able to customize this or any other Quiet Hours settings. -If you don't configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Administrators and users will be able to modify this setting. +- If you do not configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Adminstrators and users will be able to modify this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off calls during Quiet Hours* -- GP name: *NoCallsDuringQuietHours* -- GP path: *Start Menu and Taskbar\Notifications* -- GP ADMX file name: *WPN.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WPN/NoLockScreenToastNotification** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoCallsDuringQuietHours | +| Friendly Name | Turn off calls during Quiet Hours | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours | +| Registry Value Name | AllowCalls | +| ADMX File Name | WPN.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## NoLockScreenToastNotification - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WPN/NoLockScreenToastNotification +``` + -
    - - - + + This policy setting turns off toast notifications on the lock screen. -If you enable this policy setting, applications won't be able to raise toast notifications on the lock screen. +- If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. -If you disable or don't configure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user. +- If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user. No reboots or service restarts are required for this policy setting to take effect. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off toast notifications on the lock screen* -- GP name: *NoLockScreenToastNotification* -- GP path: *Start Menu and Taskbar\Notifications* -- GP ADMX file name: *WPN.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WPN/NoQuietHours** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoLockScreenToastNotification | +| Friendly Name | Turn off toast notifications on the lock screen | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | +| Registry Value Name | NoToastApplicationNotificationOnLockScreen | +| ADMX File Name | WPN.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## NoQuietHours - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WPN/NoQuietHours +``` + -
    - - - + + This policy setting turns off Quiet Hours functionality. -If you enable this policy setting, toast notifications won't be suppressed and some background tasks won't be deferred during the designated Quiet Hours time window each day. +- If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day. -If you disable this policy setting, toast notifications will be suppressed and some background task deferred during the designated Quiet Hours time window. Users won't be able to change this or any other Quiet Hours settings. +- If you disable this policy setting, toast notifications will be suppressed and some background task deferred during the designated Quiet Hours time window. Users will not be able to change this or any other Quiet Hours settings. -If you don't configure this policy setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user. +- If you do not configure this policy setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Quiet Hours* -- GP name: *NoQuietHours* -- GP path: *Start Menu and Taskbar\Notifications* -- GP ADMX file name: *WPN.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WPN/NoToastNotification** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoQuietHours | +| Friendly Name | Turn off Quiet Hours | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours | +| Registry Value Name | Enable | +| ADMX File Name | WPN.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## NoToastNotification - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WPN/NoToastNotification +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WPN/NoToastNotification +``` + - - + + This policy setting turns off toast notifications for applications. -If you enable this policy setting, applications won't be able to raise toast notifications. +- If you enable this policy setting, applications will not be able to raise toast notifications. -This policy doesn't affect taskbar notification balloons. +**Note** that this policy does not affect taskbar notification balloons. -Windows system features aren't affected by this policy. You must enable/disable system features individually to stop their ability to raise toast notifications. +**Note** that Windows system features are not affected by this policy. You must enable/disable system features individually to stop their ability to raise toast notifications. -If you disable or don't configure this policy setting, toast notifications are enabled and can be turned off by the administrator or user. +- If you disable or do not configure this policy setting, toast notifications are enabled and can be turned off by the administrator or user. No reboots or service restarts are required for this policy setting to take effect. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off toast notifications* -- GP name: *NoToastNotification* -- GP path: *Start Menu and Taskbar\Notifications* -- GP ADMX file name: *WPN.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WPN/QuietHoursDailyBeginMinute** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoToastNotification | +| Friendly Name | Turn off toast notifications | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | +| Registry Value Name | NoToastApplicationNotification | +| ADMX File Name | WPN.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## QuietHoursDailyBeginMinute - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WPN/QuietHoursDailyBeginMinute +``` + -
    - - - + + This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. -If you enable this policy setting, the specified time will be used, and users won't be able to customize any Quiet Hours settings. +- If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. -If you disable this policy setting, a default value will be used, and users won't be able to change it or any other Quiet Hours setting. +- If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting. -If you don't configure this policy setting, a default value will be used, which administrators and users will be able to modify. +- If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set the time Quiet Hours begins each day* -- GP name: *QuietHoursDailyBeginMinute* -- GP path: *Start Menu and Taskbar\Notifications* -- GP ADMX file name: *WPN.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_WPN/QuietHoursDailyEndMinute** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | QuietHoursDailyBeginMinute | +| Friendly Name | Set the time Quiet Hours begins each day | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours | +| ADMX File Name | WPN.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## QuietHoursDailyEndMinute - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WPN/QuietHoursDailyEndMinute +``` + -
    - - - + + This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. -If you enable this policy setting, the specified time will be used, and users won't be able to customize any Quiet Hours settings. +- If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. -If you disable this policy setting, a default value will be used, and users won't be able to change it or any other Quiet Hours setting. +- If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting. -If you don't configure this policy setting, a default value will be used, which administrators and users will be able to modify. +- If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set the time Quiet Hours ends each day* -- GP name: *QuietHoursDailyEndMinute* -- GP path: *Start Menu and Taskbar\Notifications* -- GP ADMX file name: *WPN.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | QuietHoursDailyEndMinute | +| Friendly Name | Set the time Quiet Hours ends each day | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours | +| ADMX File Name | WPN.admx | + + + + + - \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index de90f8c39c..849c9609bc 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -1,80 +1,76 @@ --- -title: Policy CSP - ApplicationDefaults -description: Learn about various Policy configuration service providers (CSP) - ApplicationDefaults, including SyncML, for Windows 10. +title: ApplicationDefaults Policy CSP +description: Learn more about the ApplicationDefaults Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ApplicationDefaults + + + + +## DefaultAssociationsConfiguration -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -## ApplicationDefaults policies + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration +``` + -
    -
    - ApplicationDefaults/DefaultAssociationsConfiguration -
    -
    - ApplicationDefaults/EnableAppUriHandlers -
    -
    + + +This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc. xml), and then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. + + + + -
    + +**Description framework properties**: - -**ApplicationDefaults/DefaultAssociationsConfiguration** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DefaultAssociationsConfiguration | +| Friendly Name | Set a default associations configuration file | +| Element Name | Default Associations Configuration File | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | WindowsExplorer.admx | + - -
    + + +**Example**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows an administrator to set default file type and protocol associations. When set, default associations are applied on sign in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). Then, it needs to be base64 encoded before being added to SyncML. - -If policy is enabled and the client machine is having Azure Active Directory, the associations assigned in SyncML are processed and default associations are applied. - - - -ADMX Info: -- GP Friendly name: *Set a default associations configuration file* -- GP name: *DefaultAssociationsConfiguration* -- GP element: *DefaultAssociationsConfiguration_TextBox* -- GP path: *File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* - - - To create the SyncML, follow these steps:
    1. Install a few apps and change your defaults.
    2. @@ -84,7 +80,6 @@ To create the SyncML, follow these steps:
    Here's an example output from the dism default association export command: - ```xml @@ -101,8 +96,7 @@ Here's the base64 encoded result: ``` syntax PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo= ``` - -Here's the SyncMl example: +Here's the SyncML example: ```xml @@ -126,64 +120,85 @@ Here's the SyncMl example: ``` + - - + -
    + +## EnableAppUriHandlers - -**ApplicationDefaults/EnableAppUriHandlers** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationDefaults/EnableAppUriHandlers +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines whether Windows supports web-to-app linking with app URI handlers. -Enabling this policy setting enables web-to-app linking so that apps can be launched with an http(s) URI. +Enabling this policy setting enables web-to-app linking so that apps can be launched with a http(s) URI. Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app. -If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +- If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + - - -ADMX Info: -- GP Friendly name: *Configure web-to-app linking with app URI handlers* -- GP name: *EnableAppUriHandlers* -- GP path: *System/Group Policy* -- GP ADMX file name: *GroupPolicy.admx* + + + - - -This setting supports a range of values between 0 and 1. + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + +**Allowed values**: +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - + +**Group policy mapping**: +| Name | Value | +|:--|:--| +| Name | EnableAppUriHandlers | +| Friendly Name | Configure web-to-app linking with app URI handlers | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableAppUriHandlers | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 65e5e7915b..8e2b18b64d 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,859 +1,1141 @@ --- -title: Policy CSP - ApplicationManagement -description: Learn about various Policy configuration service providers (CSP) - ApplicationManagement, including SyncML, for Windows 10. +title: ApplicationManagement Policy CSP +description: Learn more about the ApplicationManagement Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 02/11/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ApplicationManagement -
    + + + - -## ApplicationManagement policies + +## AllowAllTrustedApps -
    -
    - ApplicationManagement/AllowAutomaticAppArchiving -
    -
    - ApplicationManagement/AllowAllTrustedApps -
    -
    - ApplicationManagement/AllowAppStoreAutoUpdate -
    -
    - ApplicationManagement/AllowDeveloperUnlock -
    -
    - ApplicationManagement/AllowGameDVR -
    -
    - ApplicationManagement/AllowSharedUserAppData -
    -
    - ApplicationManagement/BlockNonAdminUserInstall -
    -
    - ApplicationManagement/DisableStoreOriginatedApps -
    -
    - ApplicationManagement/LaunchAppAfterLogOn -
    -
    - ApplicationManagement/MSIAllowUserControlOverInstall -
    -
    - ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges -
    -
    - ApplicationManagement/RequirePrivateStoreOnly -
    -
    - ApplicationManagement/RestrictAppDataToSystemVolume -
    -
    - ApplicationManagement/RestrictAppToSystemVolume -
    -
    - ApplicationManagement/ScheduleForceRestartForUpdateFailures -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAllTrustedApps +``` + -
    + + +This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps. - -**ApplicationManagement/AllowAutomaticAppArchiving** +- If you enable this policy setting, you can install any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer). - +- If you disable or do not configure this policy setting, you cannot install LOB or developer-signed Windows Store apps. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + -> [!div class = "checklist"] -> * Device -> * User + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Explicit deny. | +| 1 | Explicit allow unlock. | +| 65535 (Default) | Not configured. | + - - + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AppxDeploymentAllowAllTrustedApps | +| Friendly Name | Allow all trusted apps to install | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | AllowAllTrustedApps | +| ADMX File Name | AppxPackageManager.admx | + + + + + + + + + +## AllowAppStoreAutoUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAppStoreAutoUpdate +``` + + + + +Specifies whether automatic update of apps from Microsoft Store are allowed. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 | Allowed. | +| 2 (Default) | Not configured. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableAutoInstall | +| Friendly Name | Turn off Automatic Download and Install of updates | +| Location | Computer Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | AutoDownload | +| ADMX File Name | WindowsStore.admx | + + + + + + + + + +## AllowAutomaticAppArchiving + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAutomaticAppArchiving +``` + + + + This policy setting controls whether the system can archive infrequently used apps. - If you enable this policy setting, then the system will periodically check for and archive infrequently used apps. -- If you disable this policy setting, then the system won't archive any apps. -If you don't configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves. +- If you disable this policy setting, then the system will not archive any apps. - - -ADMX Info: -- GP Friendly name: *Allow all trusted apps to install* -- GP name: *AllowAutomaticAppArchiving* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* +- If you do not configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves. + - - -The following list shows the supported values: + + + -- 0 - Explicit disable. -- 1 - Explicit enable. -- 65535 (default) - Not configured. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + -
    + +**Allowed values**: - -**ApplicationManagement/AllowAllTrustedApps** +| Value | Description | +|:--|:--| +| 0 | Explicit deny. | +| 1 | Explicit enable. | +| 65535 (Default) | Not configured. User's Choice. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | AllowAutomaticAppArchiving | +| Friendly Name | Archive infrequently used apps | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | AllowAutomaticAppArchiving | +| ADMX File Name | AppxPackageManager.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## AllowDeveloperUnlock -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - -Specifies whether non Microsoft Store apps are allowed. + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowDeveloperUnlock +``` + -Most restricted value is 0. + + +Allows or denies development of Microsoft Store applications and installing them directly from an IDE. - - -ADMX Info: -- GP Friendly name: *Allow all trusted apps to install* -- GP name: *AppxDeploymentAllowAllTrustedApps* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* +- If you enable this setting and enable the "Allow all trusted apps to install" Group Policy, you can develop Microsoft Store apps and install them directly from an IDE. - - -The following list shows the supported values: +- If you disable or do not configure this setting, you cannot develop Microsoft Store apps or install them directly from an IDE. + -- 0 - Explicit deny. -- 1 - Explicit allow unlock. -- 65535 (default) - Not configured. + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + - -**ApplicationManagement/AllowAppStoreAutoUpdate** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 | Explicit deny. | +| 1 | Explicit allow unlock. | +| 65535 (Default) | Not configured. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AllowDevelopmentWithoutDevLicense | +| Friendly Name | Allows development of Windows Store apps and installing them from an integrated development environment (IDE) | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | AllowDevelopmentWithoutDevLicense | +| ADMX File Name | AppxPackageManager.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowGameDVR - - -Specifies whether automatic update of apps from Microsoft Store is allowed. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowGameDVR +``` + -Most restricted value is 0. + + +Windows Game Recording and Broadcasting. - - -ADMX Info: -- GP Friendly name: *Turn off Automatic Download and Install of updates* -- GP name: *DisableAutoInstall* -- GP path: *Windows Components/Store* -- GP ADMX file name: *WindowsStore.admx* +This setting enables or disables the Windows Game Recording and Broadcasting features. +- If you disable this setting, Windows Game Recording will not be allowed. +If the setting is enabled or not configured, then Recording and Broadcasting (streaming) will be allowed. + - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**ApplicationManagement/AllowDeveloperUnlock** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether developer unlock is allowed. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Allows development of Windows Store apps and installing them from an integrated development environment (IDE)* -- GP name: *AllowDevelopmentWithoutDevLicense* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - -The following list shows the supported values: - -- 0 - Explicit deny. -- 1 - Explicit allow unlock. -- 65535 (default) - Not configured. - - - - -
    - - -**ApplicationManagement/AllowGameDVR** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. + -Specifies whether DVR and broadcasting are allowed. + +**Description framework properties**: -Most restricted value is 0. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - -ADMX Info: -- GP Friendly name: *Enables or disables Windows Game Recording and Broadcasting* -- GP name: *AllowGameDVR* -- GP path: *Windows Components/Windows Game Recording and Broadcasting* -- GP ADMX file name: *GameDVR.admx* + +**Allowed values**: - - -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | AllowGameDVR | +| Friendly Name | Enables or disables Windows Game Recording and Broadcasting | +| Location | Computer Configuration | +| Path | Windows Components > Windows Game Recording and Broadcasting | +| Registry Key Name | Software\Policies\Microsoft\Windows\GameDVR | +| Registry Value Name | AllowGameDVR | +| ADMX File Name | GameDVR.admx | + -
    + + + - -**ApplicationManagement/AllowSharedUserAppData** + - + +## AllowSharedUserAppData -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowSharedUserAppData +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Manages a Windows app's ability to share data between users who have installed the app. -> [!div class = "checklist"] -> * Device +- If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows. Storage API. -
    +- If you disable this policy, a Windows app can't share app data with other instances of that app. If this policy was previously enabled, any previously shared app data will remain in the SharedLocal folder. + - - + + + -[!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../includes/allow-windows-app-to-share-data-users-shortdesc.md)] + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Allow a Windows app to share application data between users* -- GP name: *AllowSharedLocalAppData* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -The following list shows the supported values: + +**Allowed values**: -- 0 (default) – Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. -- 1 – Allowed. Microsoft Edge downloads book files into a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account. +| Value | Description | +|:--|:--| +| 0 (Default) | Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. | +| 1 | Allowed. Microsoft Edge downloads book files into a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account. | + -Most restricted value: 0 - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | AllowSharedLocalAppData | +| Friendly Name | Allow a Windows app to share application data between users | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager | +| Registry Value Name | AllowSharedLocalAppData | +| ADMX File Name | AppxPackageManager.admx | + - -**ApplicationManagement/BlockNonAdminUserInstall** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AllowStore - -
    +> [!NOTE] +> This policy is deprecated and may be removed in a future release. - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowStore +``` + -
    + + +This policy is deprecated + - - + + + + +**Description framework properties**: -Manages non-administrator users' ability to install Windows app packages. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -If you enable this policy, non-administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies. + +**Allowed values**: -If you disable or don't configure this policy, all users will be able to initiate installation of Windows app packages. +| Value | Description | +|:--|:--| +| 0 | Disallow. | +| 1 (Default) | Allow. | + - - -ADMX Info: -- GP Friendly name: *Prevent non-admin users from installing packaged Windows apps* -- GP name: *BlockNonAdminUserInstall* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* + + + - - -The following list shows the supported values: -- 0 (default) - Disabled. All users will be able to initiate installation of Windows app packages. -- 1 - Enabled. Non-administrator users won't be able to initiate installation of Windows app packages. - - + - - + +## ApplicationRestrictions - - +> [!NOTE] +> This policy is deprecated and may be removed in a future release. -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -**ApplicationManagement/DisableStoreOriginatedApps** + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ApplicationRestrictions +``` + - + + +This policy is deprecated + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. + +## BlockNonAdminUserInstall - - -ADMX Info: -- GP Friendly name: *Disable all apps from Microsoft Store* -- GP name: *DisableStoreApps* -- GP path: *Windows Components/Store* -- GP ADMX file name: *WindowsStore.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/BlockNonAdminUserInstall +``` + -- 0 (default) – Enable launch of apps. -- 1 – Disable launch of apps. + + +Manages non-Administrator users' ability to install Windows app packages. - - +- If you enable this policy, non-Administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies. -
    +- If you disable or do not configure this policy, all users will be able to initiate installation of Windows app packages. + - -**ApplicationManagement/LaunchAppAfterLogOn** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. All users will be able to initiate installation of Windows app packages. | +| 1 | Enabled. Non-administrator users will not be able to initiate installation of Windows app packages. | + -> [!div class = "checklist"] -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | BlockNonAdminUserInstall | +| Friendly Name | Prevent non-admin users from installing packaged Windows apps | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | BlockNonAdminUserInstall | +| ADMX File Name | AppxPackageManager.admx | + - - -List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are launched after a sign in. This policy allows the IT admin to specify a list of applications that users can run after logging on to the device. + + + -For this policy to work, the Windows apps need to declare in their manifest that they'll use the startup task. Example of the declaration here: + + + +## DisableStoreOriginatedApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/DisableStoreOriginatedApps +``` + + + + +Disable turns off the launch of all apps from the Microsoft Store that came pre-installed or were downloaded. Apps will not be updated. Your Store will also be disabled. Enable turns all of it back on. This setting applies only to Enterprise and Education editions of Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enable launch of apps. | +| 1 | Disable launch of apps. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableStoreApps | +| Friendly Name | Disable all apps from Microsoft Store | +| Location | Computer Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | DisableStoreApps | +| ADMX File Name | WindowsStore.admx | + + + + + + + + + +## LaunchAppAfterLogOn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/LaunchAppAfterLogOn +``` + + + + +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. + + + + +This policy allows the IT admin to specify a list of applications that users can run after logging on to the device. + +> [!NOTE] +> This policy only works on modern apps. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + + +For this policy to work, the Windows apps need to declare in their manifest that they'll use the startup task. + +**Example**: ```xml ``` + -> [!NOTE] -> This policy only works on modern apps. + - - + +## MSIAllowUserControlOverInstall - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAllowUserControlOverInstall +``` + - - + + +This policy setting permits users to change installation options that typically are available only to system administrators. -
    +- If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation. - -**ApplicationManagement/MSIAllowUserControlOverInstall** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1803. This policy setting permits users to change installation options that typically are available only to system administrators. - -If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation. - -If you disable or don't configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. +- If you disable or do not configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed. + - - -ADMX Info: -- GP Friendly name: *Allow user control over installs* -- GP name: *EnableUserControl* -- GP path: *Windows Components/Windows Installer* -- GP ADMX file name: *MSI.admx* + + + - - -This setting supports a range of values between 0 and 1. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges** +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | EnableUserControl | +| Friendly Name | Allow user control over installs | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | EnableUserControl | +| ADMX File Name | MSI.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## MSIAlwaysInstallWithElevatedPrivileges -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - - -Added in Windows 10, version 1803. This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system. + +```User +./User/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges +``` -If you enable this policy setting, privileges are extended to all programs. These privileges are reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges +``` + -If you disable or don't configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator doesn't distribute or offer. + + +This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system. + +- If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. + +- If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. 
> [!NOTE] > This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. > [!CAUTION] -> Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure. +> Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. **Note** that the User Configuration version of this policy setting is not guaranteed to be secure. + - - -ADMX Info: -- GP Friendly name: *Always install with elevated privileges* -- GP name: *AlwaysInstallElevated* -- GP path: *Windows Components/Windows Installer* -- GP ADMX file name: *MSI.admx* + + + - - -This setting supports a range of values between 0 and 1. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**ApplicationManagement/RequirePrivateStoreOnly** +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | AlwaysInstallElevated | +| Friendly Name | Always install with elevated privileges | +| Location | Computer and User Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | AlwaysInstallElevated | +| ADMX File Name | MSI.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## RequirePrivateStoreOnly -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - -Allows disabling of the retail catalog and only enables the Private store. + +```User +./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly +``` +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly +``` + -Most restricted value is 1. + + +Denies access to the retail catalog in the Microsoft Store, but displays the private store. - - -ADMX Info: -- GP Friendly name: *Only display the private store within the Microsoft Store* -- GP name: *RequirePrivateStoreOnly* -- GP path: *Windows Components/Store* -- GP ADMX file name: *WindowsStore.admx* +- If you enable this setting, users will not be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store. - - -The following list shows the supported values: +- If you disable or don't configure this setting, users can access the retail catalog in the Microsoft Store. + -- 0 (default) – Allow both public and Private store. -- 1 – Only Private store is enabled. + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**ApplicationManagement/RestrictAppDataToSystemVolume** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Allow both public and Private store. | +| 1 | Only Private store is enabled. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | RequirePrivateStoreOnly | +| Friendly Name | Only display the private store within the Microsoft Store | +| Location | Computer and User Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | RequirePrivateStoreOnly | +| ADMX File Name | WindowsStore.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## RestrictAppDataToSystemVolume - - -Specifies whether application data is restricted to the system drive. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -Most restricted value is 1. + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppDataToSystemVolume +``` + - - -ADMX Info: -- GP Friendly name: *Prevent users' app data from being stored on non-system volumes* -- GP name: *RestrictAppDataToSystemVolume* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* + + +Prevent users' app data from moving to another location when an app is moved or installed on another location. - - -The following list shows the supported values: +- If you enable this setting, all users' app data will stay on the system volume, regardless of where the app is installed. -- 0 (default) – Not restricted. -- 1 – Restricted. +- If you disable or do not configure this setting, then when an app is moved to a different volume, the users' app data will also move to this volume. + - - + + + -
    + +**Description framework properties**: - -**ApplicationManagement/RestrictAppToSystemVolume** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 (Default) | Not restricted. | +| 1 | Restricted. | + - -
    + +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | RestrictAppDataToSystemVolume | +| Friendly Name | Prevent users' app data from being stored on non-system volumes | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | RestrictAppDataToSystemVolume | +| ADMX File Name | AppxPackageManager.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -Specifies whether the installation of applications is restricted to the system drive. + +## RestrictAppToSystemVolume -Most restricted value is 1. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - -ADMX Info: -- GP Friendly name: *Disable installing Windows apps on non-system volumes* -- GP name: *DisableDeploymentToNonSystemVolumes* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppToSystemVolume +``` + - - -The following list shows the supported values: + + +This policy setting allows you to manage installing Windows apps on additional volumes such as secondary partitions, USB drives, or SD cards. -- 0 (default) – Not restricted. -- 1 – Restricted. +- If you enable this setting, you can't move or install Windows apps on volumes that are not the system volume. - - +- If you disable or do not configure this setting, you can move or install Windows apps on other volumes. + -
    + + + - -**ApplicationManagement/ScheduleForceRestartForUpdateFailures** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Not restricted. | +| 1 | Restricted. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | DisableDeploymentToNonSystemVolumes | +| Friendly Name | Disable installing Windows apps on non-system volumes | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | RestrictAppToSystemVolume | +| ADMX File Name | AppxPackageManager.admx | + -
    + + + - - -To ensure apps are up-to-date, this policy allows the admins to set a recurring or one time date to restart apps whose update failed due to the app being in use allowing the update to be applied. + -Value type is string. - - + +## ScheduleForceRestartForUpdateFailures -> [!NOTE] -> The check for recurrence is done in a case sensitive manner. For instance the value needs to be “Daily” instead of “daily”. The wrong case will cause SmartRetry to fail to execute. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - - -Sample SyncML: + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ScheduleForceRestartForUpdateFailures +``` + + + + +To ensure apps are up-to-date, this policy allows the admins to set a recurring or one time date to restart apps whose update failed due to the app being in use allowing the update to be applied. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +
    +
    + Expand to see schema XML + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +
    + + + + + +**Example**: ```xml @@ -880,51 +1162,19 @@ Sample SyncML: ``` -XSD: -```xml - - - - - - - - - +> [!NOTE] +> The check for recurrence is done in a case sensitive manner. For instance the value needs to be "Daily" instead of "daily". The wrong case will cause SmartRetry to fail to execute. + - - - - - - + - - - - - + + + - - - - - - - - - - -``` + - - - - - -
    - - - +## Related articles +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index 2a20687b94..2f7dee3b3c 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md 
@@ -1,90 +1,96 @@ --- -title: Policy CSP - AppRuntime -description: Learn how the Policy CSP - AppRuntime setting controls whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. +title: AppRuntime Policy CSP +description: Learn more about the AppRuntime Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - AppRuntime > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowMicrosoftAccountsToBeOptional - -## AppRuntime policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    -
    - AppRuntime/AllowMicrosoftAccountsToBeOptional -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/AppRuntime/AllowMicrosoftAccountsToBeOptional +``` + - -
    - - -**AppRuntime/AllowMicrosoftAccountsToBeOptional** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. -If you enable this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead. +- If you enable this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead. -If you disable or do not configure this policy setting, users will need to sign in with a Microsoft account. +- If you disable or do not configure this policy setting, users will need to sign in with a Microsoft account. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow Microsoft accounts to be optional* -- GP name: *AppxRuntimeMicrosoftAccountsOptional* -- GP path: *Windows Components/App runtime* -- GP ADMX file name: *AppXRuntime.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | AppxRuntimeMicrosoftAccountsOptional | +| Friendly Name | Allow Microsoft accounts to be optional | +| Location | Computer Configuration | +| Path | Windows Components > App runtime | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | MSAOptional | +| ADMX File Name | AppXRuntime.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index 9998b990ad..f4f3975002 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md 
@@ -1,699 +1,731 @@ --- -title: Policy CSP - AppVirtualization -description: Learn how the Policy CSP - AppVirtualization setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. +title: AppVirtualization Policy CSP +description: Learn more about the AppVirtualization Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - AppVirtualization > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowAppVClient - -## AppVirtualization policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    -
    - AppVirtualization/AllowAppVClient -
    -
    - AppVirtualization/AllowDynamicVirtualization -
    -
    - AppVirtualization/AllowPackageCleanup -
    -
    - AppVirtualization/AllowPackageScripts -
    -
    - AppVirtualization/AllowPublishingRefreshUX -
    -
    - AppVirtualization/AllowReportingServer -
    -
    - AppVirtualization/AllowRoamingFileExclusions -
    -
    - AppVirtualization/AllowRoamingRegistryExclusions -
    -
    - AppVirtualization/AllowStreamingAutoload -
    -
    - AppVirtualization/ClientCoexistenceAllowMigrationmode -
    -
    - AppVirtualization/IntegrationAllowRootGlobal -
    -
    - AppVirtualization/IntegrationAllowRootUser -
    -
    - AppVirtualization/PublishingAllowServer1 -
    -
    - AppVirtualization/PublishingAllowServer2 -
    -
    - AppVirtualization/PublishingAllowServer3 -
    -
    - AppVirtualization/PublishingAllowServer4 -
    -
    - AppVirtualization/PublishingAllowServer5 -
    -
    - AppVirtualization/StreamingAllowCertificateFilterForClient_SSL -
    -
    - AppVirtualization/StreamingAllowHighCostLaunch -
    -
    - AppVirtualization/StreamingAllowLocationProvider -
    -
    - AppVirtualization/StreamingAllowPackageInstallationRoot -
    -
    - AppVirtualization/StreamingAllowPackageSourceRoot -
    -
    - AppVirtualization/StreamingAllowReestablishmentInterval -
    -
    - AppVirtualization/StreamingAllowReestablishmentRetries -
    -
    - AppVirtualization/StreamingSharedContentStoreMode -
    -
    - AppVirtualization/StreamingSupportBranchCache -
    -
    - AppVirtualization/StreamingVerifyCertificateRevocationList -
    -
    - AppVirtualization/VirtualComponentsAllowList -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient +``` + - -
    - - -**AppVirtualization/AllowAppVClient** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable App-V Client* -- GP name: *EnableAppV* -- GP path: *System/App-V* -- GP ADMX file name: *appv.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**AppVirtualization/AllowDynamicVirtualization** +| Name | Value | +|:--|:--| +| Name | EnableAppV | +| Friendly Name | Enable App-V Client | +| Location | Computer Configuration | +| Path | System > App-V | +| Registry Key Name | Software\Policies\Microsoft\AppV\Client | +| Registry Value Name | Enabled | +| ADMX File Name | appv.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowDynamicVirtualization - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowDynamicVirtualization +``` + -
    + + +Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. + - - -This policy enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Enable Dynamic Virtualization* -- GP name: *Virtualization_JITVEnable* -- GP path: *System/App-V/Virtualization* -- GP ADMX file name: *appv.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Virtualization_JITVEnable | +| Friendly Name | Enable Dynamic Virtualization | +| Location | Computer Configuration | +| Path | System > App-V > Virtualization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization | +| Registry Value Name | EnableDynamicVirtualization | +| ADMX File Name | appv.admx | + - -**AppVirtualization/AllowPackageCleanup** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AllowPackageCleanup - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageCleanup +``` + -> [!div class = "checklist"] -> * Device + + +Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. + -
    + + + - - -Enables automatic cleanup of App-v packages that were added after Windows 10 anniversary release. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Enable automatic cleanup of unused appv packages* -- GP name: *PackageManagement_AutoCleanupEnable* -- GP path: *System/App-V/PackageManagement* -- GP ADMX file name: *appv.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | PackageManagement_AutoCleanupEnable | +| Friendly Name | Enable automatic cleanup of unused appv packages | +| Location | Computer Configuration | +| Path | System > App-V > PackageManagement | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\PackageManagement | +| Registry Value Name | AutoCleanupEnabled | +| ADMX File Name | appv.admx | + -
    + + + - -**AppVirtualization/AllowPackageScripts** + - + +## AllowPackageScripts -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Enables scripts defined in the package manifest of configuration files that should run. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -This policy enables scripts defined in the package manifest of configuration files that should run. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Enable Package Scripts* -- GP name: *Scripting_Enable_Package_Scripts* -- GP path: *System/App-V/Scripting* -- GP ADMX file name: *appv.admx* +| Name | Value | +|:--|:--| +| Name | Scripting_Enable_Package_Scripts | +| Friendly Name | Enable Package Scripts | +| Location | Computer Configuration | +| Path | System > App-V > Scripting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Scripting | +| Registry Value Name | EnablePackageScripts | +| ADMX File Name | appv.admx | + - - + + + -
    + - -**AppVirtualization/AllowPublishingRefreshUX** + +## AllowPublishingRefreshUX - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPublishingRefreshUX +``` + - -
    + + +Enables a UX to display to the user when a publishing refresh is performed on the client. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -This policy enables a UX to display to the user when a publishing refresh is performed on the client. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Enable Publishing Refresh UX* -- GP name: *Enable_Publishing_Refresh_UX* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* +| Name | Value | +|:--|:--| +| Name | Enable_Publishing_Refresh_UX | +| Friendly Name | Enable Publishing Refresh UX | +| Location | Computer Configuration | +| Path | System > App-V > Publishing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Publishing | +| Registry Value Name | EnablePublishingRefreshUI | +| ADMX File Name | appv.admx | + - - + + + -
    + - -**AppVirtualization/AllowReportingServer** + +## AllowReportingServer - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowReportingServer +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Reporting Server URL: Displays the URL of reporting server. -Reporting Time: When the client data should be reported to the server. Acceptable range is 0 ~ 23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, for example, 9AM. +Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9. AM. Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load. Repeat reporting for every (days): The periodical interval in days for sending the reporting data. -Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this deletion occurs, and won't be logged again until after the cache has been successfully cleared on transmission and the log has filled up again. - -Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When report data is being transmitted to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. 
Each block will have the general Client data and global package list data prepended, and these components won't factor into the block size calculations; the potential exists for a large package list to result in transmission failures over low bandwidth or unreliable connections. - - - - - -ADMX Info: -- GP Friendly name: *Reporting Server* -- GP name: *Reporting_Server_Policy* -- GP path: *System/App-V/Reporting* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/AllowRoamingFileExclusions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. - - - - - -ADMX Info: -- GP Friendly name: *Roaming File Exclusions* -- GP name: *Integration_Roaming_File_Exclusions* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/AllowRoamingRegistryExclusions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. - - - - - -ADMX Info: -- GP Friendly name: *Roaming Registry Exclusions* -- GP name: *Integration_Roaming_Registry_Exclusions* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/AllowStreamingAutoload** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies how new packages should be loaded automatically by App-V on a specific computer. - - - - - -ADMX Info: -- GP Friendly name: *Specify what to load in background (also known as AutoLoad)* -- GP name: *Steaming_Autoload* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/ClientCoexistenceAllowMigrationmode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Migration mode allows the App-V client to modify shortcuts and FTAs for packages created using a previous version of App-V. - - - - - -ADMX Info: -- GP Friendly name: *Enable Migration Mode* -- GP name: *Client_Coexistence_Enable_Migration_mode* -- GP path: *System/App-V/Client Coexistence* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/IntegrationAllowRootGlobal** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. - - - - - - -ADMX Info: -- GP Friendly name: *Integration Root User* -- GP name: *Integration_Root_User* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/IntegrationAllowRootUser** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. - - - - - -ADMX Info: -- GP Friendly name: *Integration Root Global* -- GP name: *Integration_Root_Global* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/PublishingAllowServer1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again. + +Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Reporting_Server_Policy | +| Friendly Name | Reporting Server | +| Location | Computer Configuration | +| Path | System > App-V > Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Reporting | +| Registry Value Name | ReportingEnabled | +| ADMX File Name | appv.admx | + + + + + + + + + +## AllowRoamingFileExclusions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowRoamingFileExclusions +``` + + + + +Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Integration_Roaming_File_Exclusions | +| Friendly Name | Roaming File Exclusions | +| Location | Computer Configuration | +| Path | System > App-V > Integration | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Integration | +| ADMX File Name | appv.admx | + + + + + + + + + +## AllowRoamingRegistryExclusions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowRoamingRegistryExclusions +``` + + + + +Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Integration_Roaming_Registry_Exclusions | +| Friendly Name | Roaming Registry Exclusions | +| Location | Computer Configuration | +| Path | System > App-V > Integration | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Integration | +| ADMX File Name | appv.admx | + + + + + + + + + +## AllowStreamingAutoload + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowStreamingAutoload +``` + + + + +Specifies how new packages should be loaded automatically by App-V on a specific computer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Steaming_Autoload | +| Friendly Name | Specify what to load in background (aka AutoLoad) | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| ADMX File Name | appv.admx | + + + + + + + + + +## ClientCoexistenceAllowMigrationmode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/ClientCoexistenceAllowMigrationmode +``` + + + + +Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Client_Coexistence_Enable_Migration_mode | +| Friendly Name | Enable Migration Mode | +| Location | Computer Configuration | +| Path | System > App-V > Client Coexistence | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Coexistence | +| Registry Value Name | MigrationMode | +| ADMX File Name | appv.admx | + + + + + + + + + +## IntegrationAllowRootGlobal + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/IntegrationAllowRootGlobal +``` + + + + +Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Integration_Root_User | +| Friendly Name | Integration Root User | +| Location | Computer Configuration | +| Path | System > App-V > Integration | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Integration | +| ADMX File Name | appv.admx | + + + + + + + + + +## IntegrationAllowRootUser + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/IntegrationAllowRootUser +``` + + + + +Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Integration_Root_Global | +| Friendly Name | Integration Root Global | +| Location | Computer Configuration | +| Path | System > App-V > Integration | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Integration | +| ADMX File Name | appv.admx | + + + + + + + + + +## PublishingAllowServer1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer1 +``` + + + + Publishing Server Display Name: Displays the name of publishing server. Publishing Server URL: Displays the URL of publishing server. Global Publishing Refresh: Enables global publishing refresh (Boolean). -Global Publishing Refresh On Logon: Triggers a global publishing refresh on a sign in(Boolean). +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. @@ -701,61 +733,72 @@ Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, User Publishing Refresh: Enables user publishing refresh (Boolean). -User Publishing Refresh On Logon: Triggers a user publishing refresh on a sign in (Boolean). +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Publishing Server 1 Settings* -- GP name: *Publishing_Server1_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**AppVirtualization/PublishingAllowServer2** +| Name | Value | +|:--|:--| +| Name | Publishing_Server1_Policy | +| Friendly Name | Publishing Server 1 Settings | +| Location | Computer Configuration | +| Path | System > App-V > Publishing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\1 | +| ADMX File Name | appv.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## PublishingAllowServer2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2 +``` + -
    - - - + + Publishing Server Display Name: Displays the name of publishing server. Publishing Server URL: Displays the URL of publishing server. Global Publishing Refresh: Enables global publishing refresh (Boolean). -Global Publishing Refresh On Logon: Triggers a global publishing refresh on a sign in (Boolean). +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. @@ -763,61 +806,72 @@ Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, User Publishing Refresh: Enables user publishing refresh (Boolean). -User Publishing Refresh On Logon: Triggers a user publishing refresh on la sign in (Boolean). +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Publishing Server 2 Settings* -- GP name: *Publishing_Server2_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**AppVirtualization/PublishingAllowServer3** +| Name | Value | +|:--|:--| +| Name | Publishing_Server2_Policy | +| Friendly Name | Publishing Server 2 Settings | +| Location | Computer Configuration | +| Path | System > App-V > Publishing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\2 | +| ADMX File Name | appv.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## PublishingAllowServer3 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer3 +``` + -
    - - - + + Publishing Server Display Name: Displays the name of publishing server. Publishing Server URL: Displays the URL of publishing server. Global Publishing Refresh: Enables global publishing refresh (Boolean). -Global Publishing Refresh On Logon: Triggers a global publishing refresh on a sign in (Boolean). +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. @@ -825,61 +879,72 @@ Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, User Publishing Refresh: Enables user publishing refresh (Boolean). -User Publishing Refresh On Logon: Triggers a user publishing refresh on a sign in (Boolean). +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Publishing Server 3 Settings* -- GP name: *Publishing_Server3_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**AppVirtualization/PublishingAllowServer4** +| Name | Value | +|:--|:--| +| Name | Publishing_Server3_Policy | +| Friendly Name | Publishing Server 3 Settings | +| Location | Computer Configuration | +| Path | System > App-V > Publishing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\3 | +| ADMX File Name | appv.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## PublishingAllowServer4 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer4 +``` + -
    - - - + + Publishing Server Display Name: Displays the name of publishing server. Publishing Server URL: Displays the URL of publishing server. Global Publishing Refresh: Enables global publishing refresh (Boolean). -Global Publishing Refresh On Logon: Triggers a global publishing refresh on a sign in (Boolean). +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. @@ -887,61 +952,72 @@ Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, User Publishing Refresh: Enables user publishing refresh (Boolean). -User Publishing Refresh On Logon: Triggers a user publishing refresh on a sign in (Boolean). +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Publishing Server 4 Settings* -- GP name: *Publishing_Server4_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**AppVirtualization/PublishingAllowServer5** +| Name | Value | +|:--|:--| +| Name | Publishing_Server4_Policy | +| Friendly Name | Publishing Server 4 Settings | +| Location | Computer Configuration | +| Path | System > App-V > Publishing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\4 | +| ADMX File Name | appv.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## PublishingAllowServer5 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer5 +``` + -
    - - - + + Publishing Server Display Name: Displays the name of publishing server. Publishing Server URL: Displays the URL of publishing server. Global Publishing Refresh: Enables global publishing refresh (Boolean). -Global Publishing Refresh On Logon: Triggers a global publishing refresh on a sign in (Boolean). +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. @@ -949,512 +1025,664 @@ Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, User Publishing Refresh: Enables user publishing refresh (Boolean). -User Publishing Refresh On Logon: Triggers a user publishing refresh on a sign in (Boolean). +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - - - -ADMX Info: -- GP Friendly name: *Publishing Server 5 Settings* -- GP name: *Publishing_Server5_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the path to a valid certificate in the certificate store. - - - - - -ADMX Info: -- GP Friendly name: *Certificate Filter For Client SSL* -- GP name: *Streaming_Certificate_Filter_For_Client_SSL* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingAllowHighCostLaunch** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (for example, 4G). - - - - - -ADMX Info: -- GP Friendly name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection* -- GP name: *Streaming_Allow_High_Cost_Launch* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingAllowLocationProvider** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the CLSID for a compatible implementation of the AppvPackageLocationProvider interface. - - - - - -ADMX Info: -- GP Friendly name: *Location Provider* -- GP name: *Streaming_Location_Provider* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingAllowPackageInstallationRoot** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies directory where all new applications and updates will be installed. - - - - - -ADMX Info: -- GP Friendly name: *Package Installation Root* -- GP name: *Streaming_Package_Installation_Root* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingAllowPackageSourceRoot** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy overrides source location for downloading package content. - - - - - -ADMX Info: -- GP Friendly name: *Package Source Root* -- GP name: *Streaming_Package_Source_Root* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingAllowReestablishmentInterval** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the number of seconds between attempts to reestablish a dropped session. - - - - - -ADMX Info: -- GP Friendly name: *Reestablishment Interval* -- GP name: *Streaming_Reestablishment_Interval* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingAllowReestablishmentRetries** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the number of times to retry a dropped session. - - - - - -ADMX Info: -- GP Friendly name: *Reestablishment Retries* -- GP name: *Streaming_Reestablishment_Retries* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingSharedContentStoreMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy specifies that streamed package contents will be not be saved to the local hard disk. - - - - - -ADMX Info: -- GP Friendly name: *Shared Content Store (SCS) mode* -- GP name: *Streaming_Shared_Content_Store_Mode* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingSupportBranchCache** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support isn't desired, this setting should be disabled. The client can then apply HTTP optimizations that are incompatible with BranchCache. - - - - - -ADMX Info: -- GP Friendly name: *Enable Support for BranchCache* -- GP name: *Streaming_Support_Branch_Cache* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingVerifyCertificateRevocationList** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Publishing_Server5_Policy | +| Friendly Name | Publishing Server 5 Settings | +| Location | Computer Configuration | +| Path | System > App-V > Publishing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\5 | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingAllowCertificateFilterForClient_SSL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowCertificateFilterForClient_SSL +``` + + + + +Specifies the path to a valid certificate in the certificate store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Certificate_Filter_For_Client_SSL | +| Friendly Name | Certificate Filter For Client SSL | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingAllowHighCostLaunch + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowHighCostLaunch +``` + + + + +This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Allow_High_Cost_Launch | +| Friendly Name | Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| Registry Value Name | AllowHighCostLaunch | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingAllowLocationProvider + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowLocationProvider +``` + + + + +Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Location_Provider | +| Friendly Name | Location Provider | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingAllowPackageInstallationRoot + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowPackageInstallationRoot +``` + + + + +Specifies directory where all new applications and updates will be installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Package_Installation_Root | +| Friendly Name | Package Installation Root | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingAllowPackageSourceRoot + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowPackageSourceRoot +``` + + + + +Overrides source location for downloading package content. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Package_Source_Root | +| Friendly Name | Package Source Root | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingAllowReestablishmentInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowReestablishmentInterval +``` + + + + +Specifies the number of seconds between attempts to reestablish a dropped session. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Reestablishment_Interval | +| Friendly Name | Reestablishment Interval | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingAllowReestablishmentRetries + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowReestablishmentRetries +``` + + + + +Specifies the number of times to retry a dropped session. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Reestablishment_Retries | +| Friendly Name | Reestablishment Retries | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingSharedContentStoreMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingSharedContentStoreMode +``` + + + + +Specifies that streamed package contents will be not be saved to the local hard disk. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Shared_Content_Store_Mode | +| Friendly Name | Shared Content Store (SCS) mode | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| Registry Value Name | SharedContentStoreMode | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingSupportBranchCache + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingSupportBranchCache +``` + + + + +If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Support_Branch_Cache | +| Friendly Name | Enable Support for BranchCache | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| Registry Value Name | SupportBranchCache | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingVerifyCertificateRevocationList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingVerifyCertificateRevocationList +``` + + + + Verifies Server certificate revocation status before streaming using HTTPS. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Verify certificate revocation list* -- GP name: *Streaming_Verify_Certificate_Revocation_List* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**AppVirtualization/VirtualComponentsAllowList** +| Name | Value | +|:--|:--| +| Name | Streaming_Verify_Certificate_Revocation_List | +| Friendly Name | Verify certificate revocation list | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| Registry Value Name | VerifyCertificateRevocationList | +| ADMX File Name | appv.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## VirtualComponentsAllowList - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/VirtualComponentsAllowList +``` + -
    + + +Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components. + - - -This policy specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc.). Only processes whose full path matches one of these items can use virtual components. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Virtual Component Process Allow List* -- GP name: *Virtualization_JITVAllowList* -- GP path: *System/App-V/Virtualization* -- GP ADMX file name: *appv.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Virtualization_JITVAllowList | +| Friendly Name | Virtual Component Process Allow List | +| Location | Computer Configuration | +| Path | System > App-V > Virtualization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization | +| Registry Value Name | ProcessesUsingVirtualComponents | +| ADMX File Name | appv.admx | + + + + - + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index 8b7af20909..c8e649f195 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md 
@@ -1,202 +1,222 @@ --- -title: Policy CSP - AttachmentManager -description: Manage Windows marks file attachments with information about their zone of origin, such as restricted, internet, intranet, local. +title: AttachmentManager Policy CSP +description: Learn more about the AttachmentManager Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - AttachmentManager ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + +## DoNotPreserveZoneInformation -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -## AttachmentManager policies + +```User +./User/Vendor/MSFT/Policy/Config/AttachmentManager/DoNotPreserveZoneInformation +``` + -
    -
    - AttachmentManager/DoNotPreserveZoneInformation -
    -
    - AttachmentManager/HideZoneInfoMechanism -
    -
    - AttachmentManager/NotifyAntivirusPrograms -
    -
    + + +This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments. +- If you enable this policy setting, Windows does not mark file attachments with their zone information. -
    +- If you disable this policy setting, Windows marks file attachments with their zone information. - -**AttachmentManager/DoNotPreserveZoneInformation** +- If you do not configure this policy setting, Windows marks file attachments with their zone information. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * User +| Name | Value | +|:--|:--| +| Name | AM_MarkZoneOnSavedAtttachments | +| Friendly Name | Do not preserve zone information in file attachments | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Attachments | +| Registry Value Name | SaveZoneInformation | +| ADMX File Name | AttachmentManager.admx | + -
    + + + - - + -This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This feature requires NTFS in order to function correctly, and will fail without notice on FAT32. If the zone information is not preserved, Windows can't make proper risk assessments. + +## HideZoneInfoMechanism -If you enable this policy setting, Windows doesn't mark file attachments with their zone information. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -If you disable this policy setting, Windows marks file attachments with their zone information. + +```User +./User/Vendor/MSFT/Policy/Config/AttachmentManager/HideZoneInfoMechanism +``` + -If you don't configure this policy setting, Windows marks file attachments with their zone information. - - - - - -ADMX Info: -- GP Friendly name: *Do not preserve zone information in file attachments* -- GP name: *AM_MarkZoneOnSavedAtttachments* -- GP path: *Windows Components/Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* - - - - -
    - - -**AttachmentManager/HideZoneInfoMechanism** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening. -If you enable this policy setting, Windows hides the check box and Unblock button. +- If you enable this policy setting, Windows hides the check box and Unblock button. -If you disable this policy setting, Windows shows the check box and Unblock button. +- If you disable this policy setting, Windows shows the check box and Unblock button. -If you don't configure this policy setting, Windows hides the check box and Unblock button. +- If you do not configure this policy setting, Windows hides the check box and Unblock button. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide mechanisms to remove zone information* -- GP name: *AM_RemoveZoneInfo* -- GP path: *Windows Components/Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**AttachmentManager/NotifyAntivirusPrograms** +| Name | Value | +|:--|:--| +| Name | AM_RemoveZoneInfo | +| Friendly Name | Hide mechanisms to remove zone information | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Attachments | +| Registry Value Name | HideZoneInfoOnProperties | +| ADMX File Name | AttachmentManager.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## NotifyAntivirusPrograms - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/AttachmentManager/NotifyAntivirusPrograms +``` + -> [!div class = "checklist"] -> * User + + +This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. -
    +- If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. - - -This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they'll all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, the subsequent calls would be redundant. +- If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. -If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. +- If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. + -If you disable this policy setting, Windows doesn't call the registered antivirus programs when file attachments are opened. + + + -If you don't configure this policy setting, Windows doesn't call the registered antivirus programs when file attachments are opened. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Notify antivirus programs when opening attachments* -- GP name: *AM_CallIOfficeAntiVirus* -- GP path: *Windows Components/Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | AM_CallIOfficeAntiVirus | +| Friendly Name | Notify antivirus programs when opening attachments | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Attachments | +| Registry Value Name | ScanWithAntiVirus | +| ADMX File Name | AttachmentManager.admx | + + + + + - + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 4d053f554f..46796cc58d 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -1,3859 +1,3697 @@ --- -title: Policy CSP - Audit -description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't sign in to a computer because the account is locked out. +title: Audit Policy CSP +description: Learn more about the Audit Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/10/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.topic: reference --- + + + # Policy CSP - Audit -
    - - -## Audit policies - -
    -
    - Audit/AccountLogonLogoff_AuditAccountLockout -
    -
    - Audit/AccountLogonLogoff_AuditGroupMembership -
    -
    - Audit/AccountLogonLogoff_AuditIPsecExtendedMode -
    -
    - Audit/AccountLogonLogoff_AuditIPsecMainMode -
    -
    - Audit/AccountLogonLogoff_AuditIPsecQuickMode -
    -
    - Audit/AccountLogonLogoff_AuditLogoff -
    -
    - Audit/AccountLogonLogoff_AuditLogon -
    -
    - Audit/AccountLogonLogoff_AuditNetworkPolicyServer -
    -
    - Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents -
    -
    - Audit/AccountLogonLogoff_AuditSpecialLogon -
    -
    - Audit/AccountLogonLogoff_AuditUserDeviceClaims -
    -
    - Audit/AccountLogon_AuditCredentialValidation -
    -
    - Audit/AccountLogon_AuditKerberosAuthenticationService -
    -
    - Audit/AccountLogon_AuditKerberosServiceTicketOperations -
    -
    - Audit/AccountLogon_AuditOtherAccountLogonEvents -
    -
    - Audit/AccountManagement_AuditApplicationGroupManagement -
    -
    - Audit/AccountManagement_AuditComputerAccountManagement -
    -
    - Audit/AccountManagement_AuditDistributionGroupManagement -
    -
    - Audit/AccountManagement_AuditOtherAccountManagementEvents -
    -
    - Audit/AccountManagement_AuditSecurityGroupManagement -
    -
    - Audit/AccountManagement_AuditUserAccountManagement -
    -
    - Audit/DSAccess_AuditDetailedDirectoryServiceReplication -
    -
    - Audit/DSAccess_AuditDirectoryServiceAccess -
    -
    - Audit/DSAccess_AuditDirectoryServiceChanges -
    -
    - Audit/DSAccess_AuditDirectoryServiceReplication -
    -
    - Audit/DetailedTracking_AuditDPAPIActivity -
    -
    - Audit/DetailedTracking_AuditPNPActivity -
    -
    - Audit/DetailedTracking_AuditProcessCreation -
    -
    - Audit/DetailedTracking_AuditProcessTermination -
    -
    - Audit/DetailedTracking_AuditRPCEvents -
    -
    - Audit/DetailedTracking_AuditTokenRightAdjusted -
    -
    - Audit/ObjectAccess_AuditApplicationGenerated -
    -
    - Audit/ObjectAccess_AuditCentralAccessPolicyStaging -
    -
    - Audit/ObjectAccess_AuditCertificationServices -
    -
    - Audit/ObjectAccess_AuditDetailedFileShare -
    -
    - Audit/ObjectAccess_AuditFileShare -
    -
    - Audit/ObjectAccess_AuditFileSystem -
    -
    - Audit/ObjectAccess_AuditFilteringPlatformConnection -
    -
    - Audit/ObjectAccess_AuditFilteringPlatformPacketDrop -
    -
    - Audit/ObjectAccess_AuditHandleManipulation -
    -
    - Audit/ObjectAccess_AuditKernelObject -
    -
    - Audit/ObjectAccess_AuditOtherObjectAccessEvents -
    -
    - Audit/ObjectAccess_AuditRegistry -
    -
    - Audit/ObjectAccess_AuditRemovableStorage -
    -
    - Audit/ObjectAccess_AuditSAM -
    -
    - Audit/PolicyChange_AuditAuthenticationPolicyChange -
    -
    - Audit/PolicyChange_AuditAuthorizationPolicyChange -
    -
    - Audit/PolicyChange_AuditFilteringPlatformPolicyChange -
    -
    - Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange -
    -
    - Audit/PolicyChange_AuditOtherPolicyChangeEvents -
    -
    - Audit/PolicyChange_AuditPolicyChange -
    -
    - Audit/PrivilegeUse_AuditNonSensitivePrivilegeUse -
    -
    - Audit/PrivilegeUse_AuditOtherPrivilegeUseEvents -
    -
    - Audit/PrivilegeUse_AuditSensitivePrivilegeUse -
    -
    - Audit/System_AuditIPsecDriver -
    -
    - Audit/System_AuditOtherSystemEvents -
    -
    - Audit/System_AuditSecurityStateChange -
    -
    - Audit/System_AuditSecuritySystemExtension -
    -
    - Audit/System_AuditSystemIntegrity -
    -
    - - -
    - - -**Audit/AccountLogonLogoff_AuditAccountLockout** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by a failed attempt to sign in to an account that is locked out. - -If you configure this policy setting, an audit event is generated when an account can't sign in to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -Sign-in events are essential for understanding user activity and to detect potential attacks. - -Volume: Low. - - - -GP Info: -- GP Friendly name: *Audit Account Lockout* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditGroupMembership** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows you to audit the group membership information in the user's sign-in token. Events in this subcategory are generated on the computer on which a sign-in session is created. For an interactive sign in, the security audit event is generated on the computer that the user logged on to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -When this setting is configured, one or more security audit events are generated for each successful sign in. Enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information can't fit in a single security audit event. - -Volume: Low on a client computer. Medium on a domain controller or a network server. - - - -GP Info: -- GP Friendly name: *Audit Group Membership* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditIPsecExtendedMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. - -Volume: High. - - - -GP Info: -- GP Friendly name: *Audit IPsec Extended Mode* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditIPsecMainMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. - -Volume: High. - - -GP Info: -- GP Friendly name: *Audit IPsec Main Mode* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditIPsecQuickMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you don't configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. - -Volume: High. - - -GP Info: -- GP Friendly name: *Audit IPsec Quick Mode* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditLogoff** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by the closing of a sign-in session. These events occur on the computer that was accessed. For an interactive sign out the security audit event is generated on the computer that the user account logged on to. - -If you configure this policy setting, an audit event is generated when a sign-in session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. -If you don't configure this policy setting, no audit event is generated when a sign-in session is closed. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Logoff* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditLogon** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by user account sign-in attempts on the computer. -Events in this subcategory are related to the creation of sign in sessions and occur on the computer that was accessed. For an interactive sign in, the security audit event is generated on the computer that the user account signed in to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. -The following events are included: -- Successful sign in attempts. -- Failed sign in attempts. -- Sign-in attempts using explicit credentials. This event is generated when a process attempts to sign in an account by explicitly specifying that account’s credentials. This process most commonly occurs in batch sign-in configurations, such as scheduled tasks or when using the RUNAS command. -- Security identifiers (SIDs) were filtered and not allowed to sign in. - -Volume: Low on a client computer. Medium on a domain controller or a network server. - - - -GP Info: -- GP Friendly name: *Audit Logon* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditNetworkPolicyServer** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. -If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. -If you don't configure this policy settings, IAS and NAP user access requests aren't audited. - -Volume: Medium or High on NPS and IAS server. No volume on other computers. - - - -GP Info: -- GP Friendly name: *Audit Network Policy Server* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0—Off/None -- 1—Success -- 2—Failure -- 3 (default)—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit other logon/logoff-related events that aren't covered in the “Logon/Logoff” policy setting, such as the following: -- Terminal Services session disconnections. -- New Terminal Services sessions. -- Locking and unlocking a workstation. -- Invoking a screen saver. -- Dismissal of a screen saver. -- Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration. -- Access to a wireless network granted to a user or computer account. -- Access to a wired 802.1x network granted to a user or computer account. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Other Logon Logoff Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following values are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditSpecialLogon** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by special sign ins, such as: -- The use of a special sign in, which is a sign in that has administrator-equivalent privileges and can be used to elevate a process to a higher level. -- A sign in by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during sign in and the subcategory is enabled, an event is logged. For more information about this feature, see [Audit Special Logon](/windows/security/threat-protection/auditing/audit-special-logon). - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Special Logon* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditUserDeviceClaims** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows you to audit user and device claims information in the user's sign-in token. Events in this subcategory are generated on the computer on which a sign-in session is created. For an interactive sign in, the security audit event is generated on the computer that the user signed in to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -User claims are added to a sign-in token when claims are included with a user's account attributes in Active Directory. Device claims are added to the sign-in token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. - -When this setting is configured, one or more security audit events are generated for each successful sign in. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information can't fit in a single security audit event. - -Volume: Low on a client computer. Medium on a domain controller or a network server. - - - -GP Info: -- GP Friendly name: *Audit User Device Claims* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogon_AuditCredentialValidation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by validation tests on user account sign-in credentials. - -Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. - + + + + + +## AccountLogon_AuditCredentialValidation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditCredentialValidation +``` + + + + +This policy setting allows you to audit events generated by validation tests on user account logon credentials. Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. + + + + Volume: High on domain controllers. + - - -GP Info: -- GP Friendly name: *Audit Credential Validation* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Logon* + +**Description framework properties**: - -] -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Audit Credential Validation | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon | + - -**Audit/AccountLogon_AuditKerberosAuthenticationService** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AccountLogon_AuditKerberosAuthenticationService + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditKerberosAuthenticationService +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. -If you don't configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. + + +This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. +- If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. + + + Volume: High on Kerberos Key Distribution Center servers. + - - -GP Info: -- GP Friendly name: *Audit Kerberos Authentication Service* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Logon* + +**Description framework properties**: - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Audit Kerberos Authentication Service | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon | + - -**Audit/AccountLogon_AuditKerberosServiceTicketOperations** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AccountLogon_AuditKerberosServiceTicketOperations + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditKerberosServiceTicketOperations +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. -If you don't configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. + + +This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. +- If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. + + + Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Kerberos Service Ticket Operations* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Logon* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + -
    + +**Group policy mapping**: - -**Audit/AccountLogon_AuditOtherAccountLogonEvents** +| Name | Value | +|:--|:--| +| Name | Audit Kerberos Service Ticket Operations | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## AccountLogon_AuditOtherAccountLogonEvents - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditOtherAccountLogonEvents +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. Currently, there are no events in this subcategory. + -
    + + + - - -This policy setting allows you to audit events generated by responses to credential requests submitted for a user account sign in that aren't credential validation or Kerberos tickets. + +**Description framework properties**: -Currently, there are no events in this subcategory. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -GP Info: -- GP Friendly name: *Audit Other Account Logon Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Logon* + +**Allowed values**: - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - - + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | Audit Other Account Logon Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon | + - - + + + -
    + - -**Audit/AccountManagement_AuditApplicationGroupManagement** + +## AccountLogonLogoff_AuditAccountLockout - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditAccountLockout +``` + + + +This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. Logon events are essential for understanding user activity and to detect potential attacks. + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes to application groups as follows: -- Application group is created, changed, or deleted. -- Member is added or removed from an application group. - -If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when an application group changes. - + + Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Application Group Management* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountManagement_AuditComputerAccountManagement** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. - -If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a computer account changes. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Computer Account Management* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountManagement_AuditDistributionGroupManagement** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes to distribution groups as follows: -- Distribution group is created, changed, or deleted. -- Member is added or removed from a distribution group. -- Distribution group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a distribution group changes. - -> [!Note] -> Events in this subcategory are logged only on domain controllers. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Distribution Group Management* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountManagement_AuditOtherAccountManagementEvents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by other user account changes that aren't covered in this category, such as: -- The password hash of a user account was accessed. This change happens during an Active Directory Management Tool password migration. -- The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. -- Changes to the Default Domain Group Policy under the following Group Policy paths: -Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy -Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy. - -> [!Note] -> The security audit event is logged when the policy setting is applied. It doesn't occur at the time when the settings are modified. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Other Account Management Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountManagement_AuditSecurityGroupManagement** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes to security groups, such as: -- Security group is created, changed, or deleted. -- Member is added or removed from a security group. -- Group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a security group changes. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Security Group Management* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management* - - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountManagement_AuditUserAccountManagement** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit changes to user accounts. -The events included are as follows: -- A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. -- A user account’s password is set or changed. -- A security identifier (SID) is added to the SID History of a user account. -- The Directory Services Restore Mode password is configured. -- Permissions on administrative user accounts are changed. -- Credential Manager credentials are backed up or restored. - -If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a user account changes. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit User Account Management* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management* - - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/DSAccess_AuditDetailedDirectoryServiceReplication** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. - + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Account Lockout | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditGroupMembership + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditGroupMembership +``` + + + + +This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information cannot fit in a single security audit event. + + + + +Volume: Low on a client computer. Medium on a domain controller or a network server. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Group Membership | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditIPsecExtendedMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditIPsecExtendedMode +``` + + + + +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. + + + + Volume: High. + - - -GP Info: -- GP Friendly name: *Audit Detailed Directory Service Replication* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/DS Access* + +**Description framework properties**: - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Audit IPsec Extended Mode | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + - -**Audit/DSAccess_AuditDirectoryServiceAccess** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AccountLogonLogoff_AuditIPsecMainMode + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditIPsecMainMode +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. + -> [!div class = "checklist"] -> * Device + + +Volume: High. + -
    + +**Description framework properties**: - - -This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -Only AD DS objects with a matching system access control list (SACL) are logged. + +**Allowed values**: -Events in this subcategory are similar to the Directory Service Access events available in previous versions of Windows. +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + -Volume: High on domain controllers. None on client computers. - - -GP Info: -- GP Friendly name: *Audit Directory Service Access* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/DS Access* + +**Group policy mapping**: - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure +| Name | Value | +|:--|:--| +| Name | Audit IPsec Main Mode | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + - - + + + - - + - - + +## AccountLogonLogoff_AuditIPsecQuickMode -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -**Audit/DSAccess_AuditDirectoryServiceChanges** + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditIPsecQuickMode +``` + - + + +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Volume: High. + + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + -
    + +**Group policy mapping**: - - -This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. +| Name | Value | +|:--|:--| +| Name | Audit IPsec Quick Mode | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + -When possible, events logged in this subcategory indicate the old and new values of the object’s properties. + + + -Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. + -> [!Note] -> Actions on some objects and properties don't cause audit events to be generated due to settings on the object class in the schema. + +## AccountLogonLogoff_AuditLogoff -If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. -If you don't configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -Volume: High on domain controllers only. - - -GP Info: -- GP Friendly name: *Audit Directory Service Changes* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/DS Access* + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditLogoff +``` + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure + + +This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. +- If you do not configure this policy setting, no audit event is generated when a logon session is closed. + - - + + +Volume: Low. + - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Audit/DSAccess_AuditDirectoryServiceReplication** +| Value | Description | +|:--|:--| +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Audit Logoff | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AccountLogonLogoff_AuditLogon -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditLogon +``` + - - -This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. + + +This policy setting allows you to audit events generated by user account logon attempts on the computer. Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: Successful logon attempts. Failed logon attempts. Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command. Security identifiers (SIDs) were filtered and not allowed to log on. + -If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. -If you don't configure this policy setting, no audit event is generated during AD DS replication. + + +Volume: Low on a client computer. Medium on a domain controller or a network server. + ->[!Note] + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Logon | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditNetworkPolicyServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditNetworkPolicyServer +``` + + + + +This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. +- If you do not configure this policy settings, IAS and NAP user access requests are not audited. + + + + +Volume: Medium or High on NPS and IAS server. No volume on other computers. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 (Default) | Success+Failure. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Network Policy Server | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditOtherLogonLogoffEvents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents +``` + + + + +This policy setting allows you to audit other logon/logoff-related events that are not covered in the "Logon/Logoff" policy setting such as the following: Terminal Services session disconnections. New Terminal Services sessions. Locking and unlocking a workstation. Invoking a screen saver. Dismissal of a screen saver. Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration. Access to a wireless network granted to a user or computer account. Access to a wired 802.1x network granted to a user or computer account. + + + + +Volume: Low. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Other Logon Logoff Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditSpecialLogon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditSpecialLogon +``` + + + + +This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](). + + + + +Volume: Low. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Special Logon | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditUserDeviceClaims + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditUserDeviceClaims +``` + + + + +This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. Device claims are added to the logon token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event. + + + + +Volume: Low on a client computer. Medium on a domain controller or a network server. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit User Device Claims | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountManagement_AuditApplicationGroupManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditApplicationGroupManagement +``` + + + + +This policy setting allows you to audit events generated by changes to application groups such as the following: Application group is created, changed, or deleted. Member is added or removed from an application group. If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when an application group changes. + + + + +Volume: Low. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Application Group Management | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management | + + + + + + + + + +## AccountManagement_AuditComputerAccountManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditComputerAccountManagement +``` + + + + +This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a computer account changes. + + + + +Volume: Low. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Computer Account Management | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management | + + + + + + + + + +## AccountManagement_AuditDistributionGroupManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditDistributionGroupManagement +``` + + + + +This policy setting allows you to audit events generated by changes to distribution groups such as the following Distribution group is created, changed, or deleted. Member is added or removed from a distribution group. Distribution group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a distribution group changes. + +> [!NOTE] > Events in this subcategory are logged only on domain controllers. + -Volume: Medium on domain controllers. None on client computers. - - -GP Info: -- GP Friendly name: *Audit Directory Service Replication* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/DS Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/DetailedTracking_AuditDPAPIActivity** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see [How to use Data Protection](/dotnet/standard/security/how-to-use-data-protection). - -If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. -If you don't configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. - + + Volume: Low. - - -GP Info: -- GP Friendly name: *Audit DPAPI Activity* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/DetailedTracking_AuditPNPActivity** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit Distribution Group Management | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## AccountManagement_AuditOtherAccountManagementEvents - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditOtherAccountManagementEvents +``` + -
    - - - -This policy setting allows you to audit when plug and play detects an external device. - -If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. -If you don't configure this policy setting, no audit event is generated when an external device is detected by plug and play. + + +This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. Changes to the Default Domain Group Policy under the following Group Policy paths: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy + + + Volume: Low. - - -GP Info: -- GP Friendly name: *Audit PNP Activity* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/DetailedTracking_AuditProcessCreation** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit Other Account Management Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## AccountManagement_AuditSecurityGroupManagement - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditSecurityGroupManagement +``` + -
    + + +This policy setting allows you to audit events generated by changes to security groups such as the following: Security group is created, changed, or deleted. Member is added or removed from a security group. Group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a security group changes. + - - -This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. + + +Volume: Low. + -If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a process is created. + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Security Group Management | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management | + + + + + + + + + +## AccountManagement_AuditUserAccountManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditUserAccountManagement +``` + + + + +This policy setting allows you to audit changes to user accounts. Events include the following: A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. A user account's password is set or changed. A security identifier (SID) is added to the SID History of a user account. The Directory Services Restore Mode password is configured. Permissions on administrative user accounts are changed. Credential Manager credentials are backed up or restored. If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a user account changes. + + + + +Volume: Low. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit User Account Management | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management | + + + + + + + + + +## DetailedTracking_AuditDPAPIActivity + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditDPAPIActivity +``` + + + + +This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see [How to Use Data Protection](/dotnet/standard/security/how-to-use-data-protection). If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. +- If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. + + + + +Volume: Low. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit DPAPI Activity | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking | + + + + + + + + + +## DetailedTracking_AuditPNPActivity + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditPNPActivity +``` + + + + +This policy setting allows you to audit when plug and play detects an external device. If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. +- If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. + + + + +Volume: Low. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit PNP Activity | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking | + + + + + + + + + +## DetailedTracking_AuditProcessCreation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditProcessCreation +``` + + + + +This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a process is created. + + + + Volume: Depends on how the computer is used. - - -GP Info: -- GP Friendly name: *Audit Process Creation* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/DetailedTracking_AuditProcessTermination** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit Process Creation | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## DetailedTracking_AuditProcessTermination - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditProcessTermination +``` + -
    - - - -This policy setting allows you to audit events generated when a process ends. - -If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a process ends. + + +This policy setting allows you to audit events generated when a process ends. If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a process ends. + + + Volume: Depends on how the computer is used. - - -GP Info: -- GP Friendly name: *Audit Process Termination* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking* + - - -The following are the supported values: -- 0—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/DetailedTracking_AuditRPCEvents** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit Process Termination | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## DetailedTracking_AuditRPCEvents - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditRPCEvents +``` + -
    - - - -This policy setting allows you to audit inbound remote procedure call (RPC) connections. - -If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a remote RPC connection is attempted. + + +This policy setting allows you to audit inbound remote procedure call (RPC) connections. If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. + + + Volume: High on RPC servers. - - -GP Info: -- GP Friendly name: *Audit RPC Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/DetailedTracking_AuditTokenRightAdjusted** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit RPC Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## DetailedTracking_AuditTokenRightAdjusted - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditTokenRightAdjusted +``` + -
    - - - + + This policy setting allows you to audit events generated by adjusting the privileges of a token. + + + Volume: High. - - -GP Info: -- GP Friendly name: *Audit Token Right Adjusted* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + -
    + +**Group policy mapping**: - -**Audit/ObjectAccess_AuditApplicationGenerated** +| Name | Value | +|:--|:--| +| Name | Audit Token Right Adjusted | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## DSAccess_AuditDetailedDirectoryServiceReplication - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DSAccess_AuditDetailedDirectoryServiceReplication +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. + -
    + + +Volume: High. + - - -This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. -Events in this subcategory include: -- Creation of an application client context. -- Deletion of an application client context. -- Initialization of an application client context. -- Other application operations using the Windows Auditing APIs. + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Detailed Directory Service Replication | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > DS Access | + + + + + + + + + +## DSAccess_AuditDirectoryServiceAccess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DSAccess_AuditDirectoryServiceAccess +``` + + + + +This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. Only AD DS objects with a matching system access control list (SACL) are logged. Events in this subcategory are similar to the Directory Service Access events available in previous versions of Windows. + + + + +Volume: High on domain controllers. None on client computers. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Directory Service Access | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > DS Access | + + + + + + + + + +## DSAccess_AuditDirectoryServiceChanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DSAccess_AuditDirectoryServiceChanges +``` + + + + +This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object's properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. + +> [!NOTE] +> Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. +- If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made. + + + + +Volume: High on domain controllers only. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Directory Service Changes | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > DS Access | + + + + + + + + + +## DSAccess_AuditDirectoryServiceReplication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DSAccess_AuditDirectoryServiceReplication +``` + + + + +This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. +- If you do not configure this policy setting, no audit event is generated during AD DS replication. + + + + +Volume: Medium on domain controllers. None on client computers. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Directory Service Replication | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > DS Access | + + + + + + + + + +## ObjectAccess_AuditApplicationGenerated + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditApplicationGenerated +``` + + + + +This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. Events in this subcategory include: Creation of an application client context. Deletion of an application client context. Initialization of an application client context. Other application operations using the Windows Auditing APIs. + + + + Volume: Depends on the applications that are generating them. - - -GP Info: -- GP Friendly name: *Audit Application Generated* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/ObjectAccess_AuditCentralAccessPolicyStaging** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit Application Generated | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## ObjectAccess_AuditCentralAccessPolicyStaging - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditCentralAccessPolicyStaging +``` + -
    - - - -This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. - -If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that of the permission granted by the proposed policy. The resulting audit event will be generated as follows: -1. Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access. -2. Failure audits when configured records access attempts when: - - The current central access policy doesn't grant access but the proposed policy grants access. - - A principal requests the maximum access rights they're allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy. + + +This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event will be generated as follows: 1) Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access. 2) Failure audits when configured records access attempts when: a) The current central access policy does not grant access but the proposed policy grants access. b) A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy. 
Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy. + + + Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy. + - - -GP Info: -- GP Friendly name: *Audit Central Access Policy Staging* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* + +**Description framework properties**: - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Audit Central Access Policy Staging | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + - -**Audit/ObjectAccess_AuditCertificationServices** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## ObjectAccess_AuditCertificationServices + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditCertificationServices +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. -AD CS operations include: - -- AD CS startup/shutdown/backup/restore. -- Changes to the certificate revocation list (CRL). -- New certificate requests. -- Issuing of a certificate. -- Revocation of a certificate. -- Changes to the Certificate Manager settings for AD CS. -- Changes in the configuration of AD CS. -- Changes to a Certificate Services template. -- Importing of a certificate. -- Publishing of a certification authority certificate is to Active Directory Domain Services. -- Changes to the security permissions for AD CS. -- Archival of a key. -- Importing of a key. -- Retrieval of a key. -- Starting of Online Certificate Status Protocol (OCSP) Responder Service. -- Stopping of Online Certificate Status Protocol (OCSP) Responder Service. + + +This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. AD CS operations include the following: AD CS startup/shutdown/backup/restore. Changes to the certificate revocation list (CRL). New certificate requests. Issuing of a certificate. Revocation of a certificate. Changes to the Certificate Manager settings for AD CS. Changes in the configuration of AD CS. Changes to a Certificate Services template. Importing of a certificate. Publishing of a certification authority certificate is to Active Directory Domain Services. Changes to the security permissions for AD CS. Archival of a key. Importing of a key. Retrieval of a key. Starting of Online Certificate Status Protocol (OCSP) Responder Service. Stopping of Online Certificate Status Protocol (OCSP) Responder Service. + + + Volume: Medium or Low on computers running Active Directory Certificate Services. 
- - -GP Info: -- GP Friendly name: *Audit Certification Services* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/ObjectAccess_AuditDetailedFileShare** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit Certification Services | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## ObjectAccess_AuditDetailedFileShare - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditDetailedFileShare +``` + -
    + + +This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. - - -This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. - -> [!Note] -> There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. +> [!NOTE] +> There are no system access control lists (SACLs) for shared folders. +- If this policy setting is enabled, access to all shared files and folders on the system is audited. + + + Volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy. 
- - -GP Info: -- GP Friendly name: *Audit Detailed File Share* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/ObjectAccess_AuditFileShare** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit Detailed File Share | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## ObjectAccess_AuditFileShare - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFileShare +``` + -
    + + +This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. +- If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. - - -This policy setting allows you to audit attempts to access a shared folder. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. - -> [!Note] -> There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited. +> [!NOTE] +> There are no system access control lists (SACLs) for shared folders. +- If this policy setting is enabled, access to all shared folders on the system is audited. + + + Volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy. - - -GP Info: -- GP Friendly name: *Audit File Share* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/ObjectAccess_AuditFileSystem** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit File Share | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## ObjectAccess_AuditFileSystem - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFileSystem +``` + -
    + + +This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see . If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. - - -This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see [Apply a basic audit policy on a file or folder](/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder). - -If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. - -> [!Note] +> [!NOTE] > You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. + + + Volume: Depends on how the file system SACLs are configured. 
- - -GP Info: -- GP Friendly name: *Audit File System* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/ObjectAccess_AuditFilteringPlatformConnection** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit File System | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## ObjectAccess_AuditFilteringPlatformConnection - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFilteringPlatformConnection +``` + -
    - - - -This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). -The following events are included: -- The Windows Firewall Service blocks an application from accepting incoming connections on the network. -- The WFP allows a connection. -- The WFP blocks a connection. -- The WFP permits a bind to a local port. -- The WFP blocks a bind to a local port. -- The WFP allows a connection. -- The WFP blocks a connection. -- The WFP permits an application or service to listen on a port for incoming connections. -- The WFP blocks an application or service to listen on a port for incoming connections. - -If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked. - -If you don't configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP. + + +This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: The Windows Firewall Service blocks an application from accepting incoming connections on the network. The WFP allows a connection. The WFP blocks a connection. The WFP permits a bind to a local port. The WFP blocks a bind to a local port. The WFP allows a connection. The WFP blocks a connection. The WFP permits an application or service to listen on a port for incoming connections. The WFP blocks an application or service to listen on a port for incoming connections. If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked. 
+- If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP. + + + Volume: High. - - -GP Info: -- GP Friendly name: *Audit Filtering Platform Connection* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/ObjectAccess_AuditFilteringPlatformPacketDrop** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit Filtering Platform Connection | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## ObjectAccess_AuditFilteringPlatformPacketDrop - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFilteringPlatformPacketDrop +``` + -
    - - - + + This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP). + + + Volume: High. + - - -GP Info: -- GP Friendly name: *Audit Filtering Platform Packet Drop* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* + +**Description framework properties**: - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + -
    + +**Group policy mapping**: - -**Audit/ObjectAccess_AuditHandleManipulation** +| Name | Value | +|:--|:--| +| Name | Audit Filtering Platform Packet Drop | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## ObjectAccess_AuditHandleManipulation - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditHandleManipulation +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a handle is manipulated. -
    - - - -This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. - -If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a handle is manipulated. - -> [!Note] -> Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access isn't enabled, handle manipulation security audit events will not be generated. +> [!NOTE] +> Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated. + + + Volume: Depends on how SACLs are configured. - - -GP Info: -- GP Friendly name: *Audit Handle Manipulation* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/ObjectAccess_AuditKernelObject** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit Handle Manipulation | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## ObjectAccess_AuditKernelObject - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditKernelObject +``` + -
    + + +This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events. - - -This policy setting allows you to audit attempts to access the kernel, which includes mutexes and semaphores. -Only kernel objects with a matching System Access Control List (SACL) generate security audit events. - -> [!Note] -> The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects. +> [!NOTE] +> The Audit Audit the access of global system objects policy setting controls the default SACL of kernel objects. + + + Volume: High if auditing access of global system objects is enabled. - - -GP Info: -- GP Friendly name: *Audit Kernel Object* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/ObjectAccess_AuditOtherObjectAccessEvents** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit Kernel Object | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## ObjectAccess_AuditOtherObjectAccessEvents - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditOtherObjectAccessEvents +``` + -
    - - - -This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. -For scheduler jobs, the following are audited: -- Job created. -- Job deleted. -- Job enabled. -- Job disabled. -- Job updated. - -For COM+ objects, the following are audited: -- Catalog object added. -- Catalog object updated. -- Catalog object deleted. + + +This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: Job created. Job deleted. Job enabled. Job disabled. Job updated. For COM+ objects, the following are audited: Catalog object added. Catalog object updated. Catalog object deleted. + + + Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Other Object Access Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/ObjectAccess_AuditRegistry** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit Other Object Access Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## ObjectAccess_AuditRegistry - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditRegistry +``` + -
    + + +This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. - - -This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have SACLs specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. - -If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. - -> [!Note] +> [!NOTE] > You can set a SACL on a registry object using the Permissions dialog box. + + + Volume: Depends on how registry SACLs are configured. 
- - -GP Info: -- GP Friendly name: *Audit Registry* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/ObjectAccess_AuditRemovableStorage** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit Registry | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## ObjectAccess_AuditRemovableStorage - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditRemovableStorage +``` + -
    + + +This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. + - - -This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. + + + -If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. + +**Description framework properties**: -If you don't configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -GP Info: -- GP Friendly name: *Audit Removable Storage* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* + +**Allowed values**: - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. 
| + - - + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | Audit Removable Storage | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + -
    + + + - -**Audit/ObjectAccess_AuditSAM** + - + +## ObjectAccess_AuditSAM -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditSAM +``` + - -
    + + +This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following SAM_ALIAS -- A local group. SAM_GROUP -- A group that is not a local group. SAM_USER - A user account. SAM_DOMAIN - A domain. SAM_SERVER - A computer account. If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. -SAM objects include: -- SAM_ALIAS -- A local group. -- SAM_GROUP -- A group that isn't a local group. -- SAM_USER – A user account. -- SAM_DOMAIN – A domain. -- SAM_SERVER – A computer account. - -If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. - -> [!Note] -> Only the System Access Control List (SACL) for SAM_SERVER can be modified. +> [!NOTE] +> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about SACL, see [Access control lists](/windows/win32/secauthz/access-control-lists). + + + Volume: High on domain controllers. For more information about reducing the number of events generated by auditing the access of global system objects, see [Audit the access of global system objects](/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects). + - - -GP Info: -- GP Friendly name: *Audit SAM* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* + +**Description framework properties**: - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + -
    + +**Group policy mapping**: - -**Audit/PolicyChange_AuditAuthenticationPolicyChange** +| Name | Value | +|:--|:--| +| Name | Audit SAM | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## PolicyChange_AuditAuthenticationPolicyChange - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditAuthenticationPolicyChange +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting allows you to audit events generated by changes to the authentication policy such as the following Creation of forest and domain trusts. Modification of forest and domain trusts. Removal of forest and domain trusts. Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. Granting of any of the following user rights to a user or group Access This Computer From the Network. Allow Logon Locally. Allow Logon Through Terminal Services. Logon as a Batch Job. Logon a Service. Namespace collision. For example, when a new trust has the same name as an existing namespace name. If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when the authentication policy is changed. -
    - - - -This policy setting allows you to audit events generated by changes to the authentication policy, such as: -- Creation of forest and domain trusts. -- Modification of forest and domain trusts. -- Removal of forest and domain trusts. -- Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. -- Granting of any of the following user rights to a user or group: - - Access This Computer From the Network. - - Allow Logon Locally. - - Allow Logon Through Terminal Services. - - Logon as a Batch Job. - - Logon a Service. -- Namespace collision. For example, when a new trust has the same name as an existing namespace name. - -If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when the authentication policy is changed. - -> [!Note] -> The security audit event is logged when the group policy is applied. It doesn't occur at the time when the settings are modified. +> [!NOTE] +> The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified. + + + Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Authentication Policy Change* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change* + - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + -
    + +**Group policy mapping**: - -**Audit/PolicyChange_AuditAuthorizationPolicyChange** +| Name | Value | +|:--|:--| +| Name | Audit Authentication Policy Change | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Policy Change | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## PolicyChange_AuditAuthorizationPolicyChange - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditAuthorizationPolicyChange +``` + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes to the authorization policy, such as: -- Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that aren't audited through the “Authentication Policy Change” subcategory. -- Removal of user rights (privileges), such as SeCreateTokenPrivilege, that aren't audited through the “Authentication Policy Change” subcategory. -- Changes in the Encrypted File System (EFS) policy. -- Changes to the Resource attributes of an object. -- Changes to the Central Access Policy (CAP) applied to an object. - -If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when the authorization policy changes. + + +This policy setting allows you to audit events generated by changes to the authorization policy such as the following: Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the "Authentication Policy Change" subcategory. Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the "Authentication Policy Change" subcategory. Changes in the Encrypted File System (EFS) policy. Changes to the Resource attributes of an object. Changes to the Central Access Policy (CAP) applied to an object. If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when the authorization policy changes. + + + Volume: Low. 
- - -GP Info: -- GP Friendly name: *Audit Authorization Policy Change* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + -
    + +**Group policy mapping**: - -**Audit/PolicyChange_AuditFilteringPlatformPolicyChange** +| Name | Value | +|:--|:--| +| Name | Audit Authorization Policy Change | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Policy Change | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## PolicyChange_AuditFilteringPlatformPolicyChange - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditFilteringPlatformPolicyChange +``` + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP), such as: -- IPsec services status. -- Changes to IPsec policy settings. -- Changes to Windows Firewall policy settings. -- Changes to WFP providers and engine. - -If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a change occurs to the WFP. + + +This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following: IPsec services status. Changes to IPsec policy settings. Changes to Windows Firewall policy settings. Changes to WFP providers and engine. If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP. + + + Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Filtering Platform Policy Change* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + -
    + +**Group policy mapping**: - -**Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange** +| Name | Value | +|:--|:--| +| Name | Audit Filtering Platform Policy Change | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Policy Change | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## PolicyChange_AuditMPSSVCRuleLevelPolicyChange - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange +``` + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. -Events include: -- Reporting of active policies when Windows Firewall service starts. -- Changes to Windows Firewall rules. -- Changes to Windows Firewall exception list. -- Changes to Windows Firewall settings. -- Rules ignored or not applied by Windows Firewall Service. -- Changes to Windows Firewall Group Policy settings. - -If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC. + + +This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: Reporting of active policies when Windows Firewall service starts. Changes to Windows Firewall rules. Changes to Windows Firewall exception list. Changes to Windows Firewall settings. Rules ignored or not applied by Windows Firewall Service. Changes to Windows Firewall Group Policy settings. If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC. + + + Volume: Low. 
- - -GP Info: -- GP Friendly name: *Audit MPSSVC Rule Level Policy Change* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + -
    + +**Group policy mapping**: - -**Audit/PolicyChange_AuditOtherPolicyChangeEvents** +| Name | Value | +|:--|:--| +| Name | Audit MPSSVC Rule Level Policy Change | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Policy Change | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## PolicyChange_AuditOtherPolicyChangeEvents - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditOtherPolicyChangeEvents +``` + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by other security policy changes that aren't audited in the policy change category, such as: -- Trusted Platform Module (TPM) configuration changes. -- Kernel-mode cryptographic self tests. -- Cryptographic provider operations. -- Cryptographic context operations or modifications. -- Applied Central Access Policies (CAPs) changes. -- Boot Configuration Data (BCD) modifications. + + +This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: Trusted Platform Module (TPM) configuration changes. Kernel-mode cryptographic self tests. Cryptographic provider operations. Cryptographic context operations or modifications. Applied Central Access Policies (CAPs) changes. Boot Configuration Data (BCD) modifications. + + + Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Other Policy Change Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + -
    + +**Group policy mapping**: - -**Audit/PolicyChange_AuditPolicyChange** +| Name | Value | +|:--|:--| +| Name | Audit Other Policy Change Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Policy Change | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## PolicyChange_AuditPolicyChange - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditPolicyChange +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting allows you to audit changes in the security audit policy settings such as the following Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list. -
    - - - -This policy setting allows you to audit changes in the security audit policy settings, such as: -- Settings permissions and audit settings on the Audit Policy object. -- Changes to the system audit policy. -- Registration of security event sources. -- De-registration of security event sources. -- Changes to the per-user audit settings. -- Changes to the value of CrashOnAuditFail. -- Changes to the system access control list on a file system or registry object. -- Changes to the Special Groups list. - -> [!Note] +> [!NOTE] > System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. + + + Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Policy Change* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change* + - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + -
    + +**Group policy mapping**: - -**Audit/PrivilegeUse_AuditNonSensitivePrivilegeUse** +| Name | Value | +|:--|:--| +| Name | Audit Policy Change | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Policy Change | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## PrivilegeUse_AuditNonSensitivePrivilegeUse - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditNonSensitivePrivilegeUse +``` + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). -The following privileges are non-sensitive: -- Access Credential Manager as a trusted caller. -- Access this computer from the network. -- Add workstations to domain. -- Adjust memory quotas for a process. -- Allow Logon Locally. -- Allow Logon Through Terminal Services. -- Bypass traverse checking. -- Change the system time. -- Create a pagefile. -- Create global objects. -- Create permanent shared objects. -- Create symbolic links. -- Deny access this computer from the network. -- Deny log on as a batch job. -- Deny log on as a service. -- Deny log on locally. -- Deny log on through Terminal Services. -- Force shutdown from a remote system. -- Increase a process working set. -- Increase scheduling priority. -- Lock pages in memory. -- Log on as a batch job. -- Log on as a service. -- Modify an object label. -- Perform volume maintenance tasks. -- Profile single process. -- Profile system performance. -- Remove computer from docking station. -- Shut down the system. -- Synchronize directory service data. - -If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls. -If you don't configure this policy setting, no audit event is generated when a non-sensitive privilege is called. + + +This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). The following privileges are non-sensitive: Access Credential Manager as a trusted caller. Access this computer from the network. Add workstations to domain. Adjust memory quotas for a process. Allow log on locally. Allow log on through Terminal Services. Bypass traverse checking. Change the system time. Create a pagefile. Create global objects. +Create permanent shared objects. Create symbolic links. 
Deny access this computer from the network. Deny log on as a batch job. Deny log on as a service. Deny log on locally. Deny log on through Terminal Services. Force shutdown from a remote system. Increase a process working set. Increase scheduling priority. Lock pages in memory. Log on as a batch job. Log on as a service. Modify an object label. Perform volume maintenance tasks. Profile single process. Profile system performance. Remove computer from docking station. Shut down the system. Synchronize directory service data. If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls. +- If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called. + + + Volume: Very High. - - -GP Info: -- GP Friendly name: *Audit Non Sensitive Privilege Use* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Privilege Use* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/PrivilegeUse_AuditOtherPrivilegeUseEvents** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit Non Sensitive Privilege Use | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Privilege Use | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## PrivilegeUse_AuditOtherPrivilegeUseEvents - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditOtherPrivilegeUseEvents +``` + -
    - - - + + Not used. + - - -GP Info: -- GP Friendly name: *Audit Other Privilege Use Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Privilege Use* + + + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/PrivilegeUse_AuditSensitivePrivilegeUse** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit Other Privilege Use Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Privilege Use | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## PrivilegeUse_AuditSensitivePrivilegeUse - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditSensitivePrivilegeUse +``` + -
    - - - -This policy setting allows you to audit events generated when sensitive privileges (user rights) are used, such as: -- A privileged service is called. -- One of the following privileges is called: - - Act as part of the operating system. - - Back up files and directories. - - Create a token object. - - Debug programs. - - Enable computer and user accounts to be trusted for delegation. - - Generate security audits. - - Impersonate a client after authentication. - - Load and unload device drivers. - - Manage auditing and security log. - - Modify firmware environment values. - - Replace a process-level token. - - Restore files and directories. - - Take ownership of files or other objects. - -If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests. -If you don't configure this policy setting, no audit event is generated when sensitive privilege requests are made. + + +This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following: A privileged service is called. One of the following privileges are called: Act as part of the operating system. Back up files and directories. Create a token object. Debug programs. Enable computer and user accounts to be trusted for delegation. Generate security audits. Impersonate a client after authentication. Load and unload device drivers. Manage auditing and security log. Modify firmware environment values. Replace a process-level token. Restore files and directories. Take ownership of files or other objects. If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests. 
+- If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made. + + + Volume: High. - - -GP Info: -- GP Friendly name: *Audit Sensitive Privilege Use* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Privilege Use* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + - -**Audit/System_AuditIPsecDriver** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Audit Sensitive Privilege Use | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Privilege Use | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## System_AuditIPsecDriver - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/System_AuditIPsecDriver +``` + -
    - - - -This policy setting allows you to audit events generated by the IPsec filter driver, such as: -- Startup and shutdown of the IPsec services. -- Network packets dropped due to integrity check failure. -- Network packets dropped due to replay check failure. -- Network packets dropped due to being in plaintext. -- Network packets received with incorrect Security Parameter Index (SPI). This incorrect value may indicate that either the network card isn't working correctly or the driver needs to be updated. -- Inability to process IPsec filters. - -If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated on an IPSec filter driver operation. + + +This policy setting allows you to audit events generated by the IPsec filter driver such as the following: Startup and shutdown of the IPsec services. Network packets dropped due to integrity check failure. Network packets dropped due to replay check failure. Network packets dropped due to being in plaintext. Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated. Inability to process IPsec filters. If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation. + + + Volume: Low. 
- - -GP Info: -- GP Friendly name: *Audit IPsec Driver* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/System* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + -
    + +**Group policy mapping**: - -**Audit/System_AuditOtherSystemEvents** +| Name | Value | +|:--|:--| +| Name | Audit IPsec Driver | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > System | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## System_AuditOtherSystemEvents - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/System_AuditOtherSystemEvents +``` + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit any of the following events: -- Startup and shutdown of the Windows Firewall service and driver. -- Security policy processing by the Windows Firewall Service. -- Cryptography key file and migration operations. + + +This policy setting allows you to audit any of the following events: Startup and shutdown of the Windows Firewall service and driver. Security policy processing by the Windows Firewall Service. Cryptography key file and migration operations. + + + Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Other System Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/System* + - - -The following are the supported values: -- 0—Off/None -- 1—Success -- 2—Failure -- 3 (default)—Success+Failure + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 (Default) | Success+Failure. | + -
    + +**Group policy mapping**: - -**Audit/System_AuditSecurityStateChange** +| Name | Value | +|:--|:--| +| Name | Audit Other System Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > System | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## System_AuditSecurityStateChange - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/System_AuditSecurityStateChange +``` + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes in the security state of the computer, such as the following events: -- Startup and shutdown of the computer. -- Change of system time. -- Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. + + +This policy setting allows you to audit events generated by changes in the security state of the computer such as the following events: Startup and shutdown of the computer. Change of system time. Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. + + + Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Security State Change* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/System* + - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + -
    + +**Group policy mapping**: - -**Audit/System_AuditSecuritySystemExtension** +| Name | Value | +|:--|:--| +| Name | Audit Security State Change | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > System | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## System_AuditSecuritySystemExtension - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/System_AuditSecuritySystemExtension +``` + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events related to security system extensions or services, such as the following: -- A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It's used to authenticate sign-in attempts, submit sign-in requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. -- A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. - -If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when an attempt is made to load a security system extension. + + +This policy setting allows you to audit events related to security system extensions or services such as the following: A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension. + + + Volume: Low. 
Security system extension events are generated more often on a domain controller than on client computers or member servers. - - -GP Info: -- GP Friendly name: *Audit Security System Extension* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/System* + - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | + -
    + +**Group policy mapping**: - -**Audit/System_AuditSystemIntegrity** +| Name | Value | +|:--|:--| +| Name | Audit Security System Extension | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > System | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## System_AuditSystemIntegrity - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/System_AuditSystemIntegrity +``` + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events that violate the integrity of the security subsystem, such as: -- Events that couldn't be written to the event log because of a problem with the auditing system. -- A process that uses a local procedure call (LPC) port that isn't valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space. -- The detection of a Remote Procedure Call (RPC) that compromises system integrity. -- The detection of a hash value of an executable file that isn't valid as determined by Code Integrity. -- Cryptographic operations that compromise system integrity. + + +This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: Events that could not be written to the event log because of a problem with the auditing system. A process that uses a local procedure call (LPC) port that is not valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space. The detection of a Remote Procedure Call (RPC) that compromises system integrity. The detection of a hash value of an executable file that is not valid as determined by Code Integrity. Cryptographic operations that compromise system integrity. + + + Volume: Low. - - -GP Info: -- GP Friendly name: *Audit System Integrity* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/System* + - - -The following are the supported values: -- 0—Off/None -- 1—Success -- 2—Failure -- 3 (default)—Success+Failure + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + - - + +**Allowed values**: - - -
    +| Value | Description | +|:--|:--| +| 0 | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 (Default) | Success+Failure. | + + +**Group policy mapping**: +| Name | Value | +|:--|:--| +| Name | Audit System Integrity | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > System | + - \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index df32a610d3..019ddd4885 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -1,546 +1,510 @@ --- -title: Policy CSP - Authentication -description: The Policy CSP - Authentication setting allows the Azure AD tenant administrators to enable self service password reset feature on the Windows sign-in screen. +title: Authentication Policy CSP +description: Learn more about the Authentication Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.reviewer: bobgil -manager: aaroncz -ms.date: 12/31/2017 +ms.topic: reference --- + + + # Policy CSP - Authentication + + + + + +## AllowAadPasswordReset + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset +``` + + + + +Specifies whether password reset is enabled for AAD accounts. + + + + + +This policy allows the Azure Active Directory (Azure AD) tenant administrator to enable the self-service password reset feature on the Windows sign-in screen. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + + + + + + + + +## AllowEAPCertSSO + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO +``` + + + + +Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + + + + + + + + +## AllowFastReconnect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/AllowFastReconnect +``` + + + + +Allows EAP Fast Reconnect from being attempted for EAP Method TLS. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowSecondaryAuthenticationDevice + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/AllowSecondaryAuthenticationDevice +``` + + + + +This policy allows users to use a companion device, such as a phone, fitness band, or IoT device, to sign on to a desktop computer running Windows 10. The companion device provides a second factor of authentication with Windows Hello. + +- If you enable or do not configure this policy setting, users can authenticate to Windows Hello using a companion device. + +- If you disable this policy, users cannot use a companion device to authenticate with Windows Hello. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice | +| Friendly Name | Allow companion device for secondary authentication | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Secondary Authentication Factor | +| Registry Key Name | SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor | +| Registry Value Name | AllowSecondaryAuthenticationDevice | +| ADMX File Name | DeviceCredential.admx | + + + + + + + + +## ConfigureWebcamAccessDomainNames -
    - - -## Authentication policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - Authentication/AllowAadPasswordReset -
    -
    - Authentication/AllowEAPCertSSO -
    -
    - Authentication/AllowFastReconnect -
    -
    - Authentication/AllowFidoDeviceSignon -
    -
    - Authentication/AllowSecondaryAuthenticationDevice -
    -
    - Authentication/ConfigureWebSignInAllowedUrls -
    -
    - Authentication/ConfigureWebcamAccessDomainNames -
    -
    - Authentication/EnableFastFirstSignIn -
    -
    - Authentication/EnableWebSignIn -
    -
    - Authentication/PreferredAadTenantDomainName -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/ConfigureWebcamAccessDomainNames +``` + + + +Specifies a list of domains that are allowed to access the webcam in Web Sign-in based authentication scenarios. + -
    + + - -**Authentication/AllowAadPasswordReset** +> [!NOTE] +> Web sign-in is only supported on Azure AD joined PCs. + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + + +**Example**: - -
    +Your organization federates to "Contoso IDP" and your web sign-in portal at `signinportal.contoso.com` requires webcam access. Then the value for this policy should be: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +`contoso.com` + -> [!div class = "checklist"] -> * Device + -
    + +## ConfigureWebSignInAllowedUrls - - -Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the Windows logon screen. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.2145] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls +``` + - - -The following list shows the supported values: + + +Specifies a list of URLs that are navigable in Web Sign-in based authentication scenarios. + -- 0 (default) – Not allowed. -- 1 – Allowed. + + - - +This policy specifies the list of domains that users can access in certain authentication scenarios. For example: -
    +- Azure Active Directory (Azure AD) PIN reset +- Web sign-in Windows device scenarios where authentication is handled by Active Directory Federation Services (AD FS) or a third-party federated identity provider - -**Authentication/AllowEAPCertSSO** +> [!NOTE] +> This policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + - -
    +**Example**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Your organization's PIN reset or web sign-in authentication flow is expected to navigate to the following two domains: `accounts.contoso.com` and `signin.contoso.com`. Then the value for this policy should be: -> [!div class = "checklist"] -> * User +`accounts.contoso.com;signin.contoso.com` + -
    + - - -Allows an EAP cert-based authentication for a Single Sign on (SSO) to access internal resources. + +## EnableFastFirstSignIn - - -The following list shows the supported values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -- 0 – Not allowed. -- 1 (default) – Allowed. + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/EnableFastFirstSignIn +``` + - - + + +Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts + -
    - - -**Authentication/AllowFastReconnect** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows EAP Fast Reconnect from being attempted for EAP Method TLS. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**Authentication/AllowFidoDeviceSignon** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0 - -Value type is integer. - -Here's an example scenario: At Contoso, there are many shared devices and kiosks that employees use throughout the day, for example, employees use as many as 20 different devices. To minimize the loss in productivity when employees have to sign in with username and password every time they pick up a device, the IT admin deploys SharePC CSP and Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to various shared devices and PCs. - - - -The following list shows the supported values: - -- 0 - Don't allow. The FIDO device credential provider disabled. -- 1 - Allow. The FIDO device credential provider is enabled and allows usage of FIDO devices to sign in to Windows. - - - - -
    - - -**Authentication/AllowSecondaryAuthenticationDevice** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows secondary authentication devices to work with Windows. - -The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premises only environment, cloud domain-joined in a hybrid environment, and BYOD). - -In the next major release of Windows 10, the default for this policy for consumer devices will be changed to off. This change will only affect users that have not already set up a secondary authentication device. - - - -ADMX Info: -- GP Friendly name: *Allow companion device for secondary authentication* -- GP name: *MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice* -- GP path: *Windows Components/Microsoft Secondary Authentication Factor* -- GP ADMX file name: *DeviceCredential.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 – Allowed. - - - - -
    - - -**Authentication/ConfigureWebSignInAllowedUrls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies the list of domains that are allowed to be navigated to in Azure Active Directory PIN reset and Web Sign-in Windows device scenarios where authentication is handled by AD FS or a third-party federated identity provider. Note this policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). - -**Example**: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com". - - - - - - - - - - - - - -
    - - -**Authentication/ConfigureWebcamAccessDomainNames** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -Specifies the list of domain names that are allowed to access the webcam in Web Sign-in Windows device sign-in scenarios. - -Web Sign-in is only supported on Azure AD Joined PCs. - -**Example**: If your organization federates to "Contoso IDP" and your Web Sign-in portal at "signinportal.contoso.com" requires webcam access, the policy value should be "contoso.com". - - - - - - - - - - - - - - -
    - - -**Authentication/EnableFastFirstSignIn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!Warning] -> The Web Sign-in feature is in private preview mode only and not meant or recommended for production purposes. This setting is not currently supported at this time. + + This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts. -> [!Important] -> Pre-configured candidate local accounts are any local accounts (pre-configured or added) in your device. +> [!IMPORTANT] +> Pre-configured candidate local accounts are any local accounts that are pre-configured or added on the device. + -Value type is integer. Supported values: + +**Description framework properties**: -- 0 - (default) The feature defaults to the existing SKU and device capabilities. -- 1 - Enabled. Auto connect new non-admin Azure AD accounts to pre-configured candidate local accounts -- 2 - Disabled. Don't auto connect new non-admin Azure AD accounts to pre-configured local accounts +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | The feature defaults to the existing SKU and device capabilities. | +| 1 | Enabled. Auto-connect new non-admin Azure AD accounts to pre-configured candidate local accounts. | +| 2 | Disabled. Do not auto-connect new non-admin Azure AD accounts to pre-configured local accounts. | + - - + + + - - + -
    + +## EnableWebSignIn - -**Authentication/EnableWebSignIn** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Specifies whether web-based sign-in is allowed for signing in to Windows + + + - -
    +> [!WARNING] +> The Web sign-in feature is intended for recovery purposes in the event a password isn't available as an authentication method. Web sign-in only supports *temporary access pass* as an authentication method for Azure Active Directory (Azure AD), unless it's used in a limited federated scope. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**Web sign-in** is a modern way of signing into a Windows PC. It enables Windows sign-in support for new Azure AD credentials, like temporary access pass. -> [!div class = "checklist"] -> * Device +> [!NOTE] +> Web sign-in is only supported on Azure AD joined PCs. + -
    + +**Description framework properties**: - - -> [!Warning] -> The Web sign-in feature is intended for recovery purposes in the event a password is not available as an authentication method. Web sign-in only supports Temporary Access Pass as an authentication method for Azure Active Directory, unless it is being used in a limited federated scope. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -"Web sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass. + +**Allowed values**: -> [!Note] -> Web sign-in is only supported on Azure AD Joined PCs. +| Value | Description | +|:--|:--| +| 0 (Default) | The feature defaults to the existing SKU and device capabilities. | +| 1 | Enabled. Web Sign-in will be enabled for signing in to Windows. | +| 2 | Disabled. Web Sign-in will not be enabled for signing in to Windows. | + -Value type is integer. Supported values: + + + -- 0 - (default) The feature defaults to the existing SKU and device capabilities. -- 1 - Enabled. Web Credential Provider will be enabled for a sign-in. -- 2 - Disabled. Web Credential Provider won't be enabled for a sign-in. + - - + +## PreferredAadTenantDomainName - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName +``` + - - + + +Specifies the preferred domain among available domains in the AAD tenant. + -
    + + + - -**Authentication/PreferredAadTenantDomainName** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +**Example**: - -
    +Your organization uses the `@contoso.com` tenant domain name. Then the value for this policy should be: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +`contoso.com` -> [!div class = "checklist"] -> * Device +For the user `abby@constoso.com`, a sign-in is done using `abby` in the username field instead of `abby@contoso.com`. + -
    + - - -Specifies the preferred domain among available domains in the Azure AD tenant. + + + -Example: If your organization is using the "@contoso.com" tenant domain name, the policy value should be "contoso.com". For the user "abby@constoso.com", a sign in is done using "abby" in the username field instead of "abby@contoso.com". + +## Related articles -Value type is string. - - - - - - - - - - - - -
    - - - - +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index 4404ad9edb..2cd4bd68ad 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md 
@@ -1,218 +1,246 @@ --- -title: Policy CSP - Autoplay -description: Learn how the Policy CSP - Autoplay setting disallows AutoPlay for MTP devices like cameras or phones. +title: Autoplay Policy CSP +description: Learn more about the Autoplay Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Autoplay ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## DisallowAutoplayForNonVolumeDevices - -## Autoplay policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    -
    - Autoplay/DisallowAutoplayForNonVolumeDevices -
    -
    - Autoplay/SetDefaultAutoRunBehavior -
    -
    - Autoplay/TurnOffAutoPlay -
    -
    + +```User +./User/Vendor/MSFT/Policy/Config/Autoplay/DisallowAutoplayForNonVolumeDevices +``` +```Device +./Device/Vendor/MSFT/Policy/Config/Autoplay/DisallowAutoplayForNonVolumeDevices +``` + -
    - - -**Autoplay/DisallowAutoplayForNonVolumeDevices** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + This policy setting disallows AutoPlay for MTP devices like cameras or phones. -If you enable this policy setting, AutoPlay isn't allowed for MTP devices like cameras or phones. +- If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. -If you disable or don't configure this policy setting, AutoPlay is enabled for non-volume devices. +- If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. + + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Disallow Autoplay for non-volume devices* -- GP name: *NoAutoplayfornonVolume* -- GP path: *Windows Components/AutoPlay Policies* -- GP ADMX file name: *AutoPlay.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | NoAutoplayfornonVolume | +| Friendly Name | Disallow Autoplay for non-volume devices | +| Location | Computer and User Configuration | +| Path | Windows Components > AutoPlay Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoAutoplayfornonVolume | +| ADMX File Name | AutoPlay.admx | + - -**Autoplay/SetDefaultAutoRunBehavior** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## SetDefaultAutoRunBehavior + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/Autoplay/SetDefaultAutoRunBehavior +``` - -[Scope](./policy-configuration-service-provider.md#policy-scope): +```Device +./Device/Vendor/MSFT/Policy/Config/Autoplay/SetDefaultAutoRunBehavior +``` + -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + This policy setting sets the default behavior for Autorun commands. -Autorun commands are stored in autorun.inf files. They often launch the installation program or other routines. +Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. -This automatic execution creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. +This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. -If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: +- If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: a) Completely disable autorun commands, or b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command. -If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. +- If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set the default behavior for AutoRun* -- GP name: *NoAutorun* -- GP path: *Windows Components/AutoPlay Policies* -- GP ADMX file name: *AutoPlay.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**Autoplay/TurnOffAutoPlay** +| Name | Value | +|:--|:--| +| Name | NoAutorun | +| Friendly Name | Set the default behavior for AutoRun | +| Location | Computer and User Configuration | +| Path | Windows Components > AutoPlay Policies | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | AutoPlay.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## TurnOffAutoPlay - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/Autoplay/TurnOffAutoPlay +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/Autoplay/TurnOffAutoPlay +``` + -
    - - - + + This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. -With Windows XP SP2 onward, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices. +Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices. -If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives. +- If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives. -This policy setting disables Autoplay on other types of drives. You can't use this setting to enable Autoplay on drives on which it's disabled by default. +This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default. -If you disable or don't configure this policy setting, AutoPlay is enabled. +- If you disable or do not configure this policy setting, AutoPlay is enabled. -> [!Note] +> [!NOTE] > This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. 
+ - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Autoplay* -- GP name: *Autorun* -- GP path: *Windows Components/AutoPlay Policies* -- GP ADMX file name: *AutoPlay.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Autorun | +| Friendly Name | Turn off Autoplay | +| Location | Computer and User Configuration | +| Path | Windows Components > AutoPlay Policies | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | AutoPlay.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 5b9b63de9c..21bab7bc1e 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -1,84 +1,80 @@ --- -title: Policy CSP - BitLocker -description: Use the Policy configuration service provider (CSP) - BitLocker to manage encryption of PCs and devices. +title: Bitlocker Policy CSP +description: Learn more about the Bitlocker Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- -# Policy CSP - BitLocker - + + +# Policy CSP - Bitlocker + + > [!NOTE] > To manage encryption of PCs and devices, use [BitLocker CSP](./bitlocker-csp.md). + -
    + +## EncryptionMethod - -## BitLocker policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    -
    - Bitlocker/EncryptionMethod -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Bitlocker/EncryptionMethod +``` + - -
    - - -**Bitlocker/EncryptionMethod** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy specifies the BitLocker Drive Encryption method and cipher strength. + -> [!NOTE] -> XTS-AES 128-bit and XTS-AES 256-bit values are supported only on Windows 10 for desktop. - - - + + The following list shows the supported values: -- 3 - AES-CBC 128-bit -- 4 - AES-CBC 256-bit -- 6 - XTS-AES 128-bit (Desktop only) -- 7 - XTS-AES 256-bit (Desktop only) +- 3 - AES-CBC 128-bit +- 4 - AES-CBC 256-bit +- 6 - XTS-AES 128-bit +- 7 - XTS-AES 256-bit + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 6 | + + + + - \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index 500ed33aa8..332ce05cc6 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -1,449 +1,401 @@ --- -title: Policy CSP - BITS -description: Use StartTime, EndTime and Transfer rate together to define the BITS bandwidth-throttling schedule and transfer rate. +title: BITS Policy CSP +description: Learn more about the BITS Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - BITS -The following bandwidth policies are used together to define the bandwidth-throttling schedule and transfer rate. + + + -- BITS/BandwidthThrottlingEndTime -- BITS/BandwidthThrottlingStartTime -- BITS/BandwidthThrottlingTransferRate + +## BandwidthThrottlingEndTime -If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT defined, but BITS/BandwidthThrottlingTransferRate IS defined, then default values will be used for StartTime and EndTime (8 AM and 5 PM respectively). The time policies are based on the 24-hour clock. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/BITS/BandwidthThrottlingEndTime +``` + - -## BITS policies - -
    -
    - BITS/BandwidthThrottlingEndTime -
    -
    - BITS/BandwidthThrottlingStartTime -
    -
    - BITS/BandwidthThrottlingTransferRate -
    -
    - BITS/CostedNetworkBehaviorBackgroundPriority -
    -
    - BITS/CostedNetworkBehaviorForegroundPriority -
    -
    - BITS/JobInactivityTimeout -
    -
    - - -
    - - -**BITS/BandwidthThrottlingEndTime** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the bandwidth throttling **end time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting doesn't affect foreground transfers. This policy is based on the 24-hour clock. - -Value type is integer. Default value is 17 (5 PM). - -Supported value range: 0 - 23 - -You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. - -Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. - -If you disable or don't configure this policy setting, BITS uses all available unused bandwidth. + + +This policy specifies the bandwidth throttling end time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 17 (5 PM). Supported value range 0 - 23. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 800 A. M. to 500 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). 
If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. +- If you disable or do not configure this policy setting, BITS uses all available unused bandwidth > [!NOTE] -> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting doesn't affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. +> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). + -Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56 Kbs). 
+ + + - - -ADMX Info: -- GP Friendly name: *Limit the maximum network bandwidth for BITS background transfers* -- GP name: *BITS_MaxBandwidth* -- GP element: *BITS_BandwidthLimitSchedTo* -- GP path: *Network/Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-23]` | +| Default Value | 17 | + - - + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | BITS_MaxBandwidth | +| Friendly Name | Limit the maximum network bandwidth for BITS background transfers | +| Element Name | to | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + - - + + + -
    + - -**BITS/BandwidthThrottlingStartTime** + +## BandwidthThrottlingStartTime - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/BITS/BandwidthThrottlingStartTime +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the bandwidth throttling **start time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting doesn't affect foreground transfers. This policy is based on the 24-hour clock. - -Value type is integer. Default value is 8 (8 am). - -Supported value range: 0 - 23 - -You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. - -BITS, by using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. - -If you disable or don't configure this policy setting, BITS uses all available unused bandwidth. + + +This policy specifies the bandwidth throttling start time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 8 (8 am). Supported value range 0 - 23. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 800 A. M. to 500 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). 
If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. +- If you disable or do not configure this policy setting, BITS uses all available unused bandwidth > [!NOTE] -> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting doesn't affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. +> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). + -Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56 Kbs). 
+ + + - - -ADMX Info: -- GP Friendly name: *Limit the maximum network bandwidth for BITS background transfers* -- GP name: *BITS_MaxBandwidth* -- GP element: *BITS_BandwidthLimitSchedFrom* -- GP path: *Network/Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-23]` | +| Default Value | 8 | + - - + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | BITS_MaxBandwidth | +| Friendly Name | Limit the maximum network bandwidth for BITS background transfers | +| Element Name | From | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + - - + + + -
    + - -**BITS/BandwidthThrottlingTransferRate** + +## BandwidthThrottlingTransferRate - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/BITS/BandwidthThrottlingTransferRate +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the bandwidth throttling **transfer rate** in kilobits per second (Kbps) that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting doesn't affect foreground transfers. - -Value type is integer. Default value is 1000. - -Supported value range: 0 - 4294967200 - -You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. - -BITS, by using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. - -If you disable or don't configure this policy setting, BITS uses all available unused bandwidth. + + +This policy specifies the bandwidth throttling transfer rate in kilobits per second (Kbps) that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. Value type is integer. Default value is 1000. Supported value range 0 - 4294967200. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 800 A. M. to 500 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). 
If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. +- If you disable or do not configure this policy setting, BITS uses all available unused bandwidth > [!NOTE] +> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). + -> You should base the limit on the speed of the network link, not the computer's Network Interface Card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. + + + -Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). 
+ +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Limit the maximum network bandwidth for BITS background transfers* -- GP name: *BITS_MaxBandwidth* -- GP element: *BITS_MaxTransferRateText* -- GP path: *Network/Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967200]` | +| Default Value | 1000 | + - - + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | BITS_MaxBandwidth | +| Friendly Name | Limit the maximum network bandwidth for BITS background transfers | +| Element Name | Limit background transfer rate (Kbps) to | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + - - + + + - - + -
    + +## CostedNetworkBehaviorBackgroundPriority - -**BITS/CostedNetworkBehaviorBackgroundPriority** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/BITS/CostedNetworkBehaviorBackgroundPriority +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc. ). Download behavior policies further limit the network usage of background transfers. +- If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:1 - Always transfer2 - Transfer unless roaming3 - Transfer unless surcharge applies (when not roaming or overcap)4 - Transfer unless nearing limit (when not roaming or nearing cap)5 - Transfer only if unconstrained + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - - -This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of background transfers. +| Value | Description | +|:--|:--| +| 1 (Default) | Always transfer. | +| 2 | Transfer unless roaming. | +| 3 | Transfer unless surcharge applies (when not roaming or over cap). | +| 4 | Transfer unless nearing limit (when not roaming or nearing cap). | +| 5 | Transfer only if unconstrained. | + -If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting doesn't override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. + +**Group policy mapping**: -For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. 
The values that can be assigned are: -- 1 - Always transfer -- 2 - Transfer unless roaming -- 3 - Transfer unless surcharge applies (when not roaming or overcap) -- 4 - Transfer unless nearing limit (when not roaming or nearing cap) -- 5 - Transfer only if unconstrained +| Name | Value | +|:--|:--| +| Name | BITS_SetTransferPolicyOnCostedNetwork | +| Friendly Name | Set default download behavior for BITS jobs on costed networks | +| Element Name | Normal | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS\TransferPolicy | +| ADMX File Name | Bits.admx | + - - -ADMX Info: -- GP Friendly name: *Set default download behavior for BITS jobs on costed networks* -- GP name: *BITS_SetTransferPolicyOnCostedNetwork* -- GP element: *BITS_TransferPolicyNormalPriorityValue* -- GP path: *Network/Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + + + - - + - - + +## CostedNetworkBehaviorForegroundPriority - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/BITS/CostedNetworkBehaviorForegroundPriority +``` + -
+
+
+This policy setting defines the default behavior that the foreground Intelligent Transfer Service (BITS) uses for foreground transfers when the system is connected to a costed network (3G, etc. ). Download behavior policies further limit the network usage of foreground transfers.
+- If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. For example, you can specify that foreground jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:1 - Always transfer2 - Transfer unless roaming3 - Transfer unless surcharge applies (when not roaming or overcap)4 - Transfer unless nearing limit (when not roaming or nearing cap)5 - Transfer only if unconstrained
+
-
-**BITS/CostedNetworkBehaviorForegroundPriority**
+
+
+
-
+
+**Description framework properties**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|No|No|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-
-
+
+**Allowed values**:
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+| Value | Description |
+|:--|:--|
+| 1 (Default) | Always transfer. |
+| 2 | Transfer unless roaming. |
+| 3 | Transfer unless surcharge applies (when not roaming or over cap). |
+| 4 | Transfer unless nearing limit (when not roaming or nearing cap). |
+| 5 | Transfer only if unconstrained. |
+
-> [!div class = "checklist"]
-> * Device
+
+**Group policy mapping**:
-
    +| Name | Value | +|:--|:--| +| Name | BITS_SetTransferPolicyOnCostedNetwork | +| Friendly Name | Set default download behavior for BITS jobs on costed networks | +| Element Name | Foreground | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS\TransferPolicy | +| ADMX File Name | Bits.admx | + - - -This policy setting defines the default behavior that the foreground Intelligent Transfer Service (BITS) uses for foreground transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of foreground transfers. + + + -If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting doesn't override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. + -For example, you can specify that foreground jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are: -- 1 - Always transfer -- 2 - Transfer unless roaming -- 3 - Transfer unless surcharge applies (when not roaming or overcap) -- 4 - Transfer unless nearing limit (when not roaming or nearing cap) -- 5 - Transfer only if unconstrained + +## JobInactivityTimeout - - -ADMX Info: -- GP Friendly name: *Set default download behavior for BITS jobs on costed networks* -- GP name: *BITS_SetTransferPolicyOnCostedNetwork* -- GP element: *BITS_TransferPolicyForegroundPriorityValue* -- GP path: *Network/Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/BITS/JobInactivityTimeout +``` + - - - - - - - - - -
    - - -**BITS/JobInactivityTimeout** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
-
-
-
-This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk.
+
+
+This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk
 > [!NOTE]
-> Any property changes to the job or any successful download action will reset this timeout.
+> Any property changes to the job or any successful download action will reset this timeout. Value type is integer. Default is 90 days. Supported values range 0 - 999. Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. Consider decreasing this value if you are concerned about orphaned jobs occupying disk space.
+- If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout.
+
-Value type is integer. Default is 90 days.
+
+
+
-Supported values range: 0 - 999
+
+**Description framework properties**:
-Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs.
-Consider decreasing this value if you're concerned about orphaned jobs occupying disk space.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-999]` |
+| Default Value | 90 |
+
-If you disable or don't configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout.
+
+**Group policy mapping**:
-
-
-ADMX Info:
-- GP Friendly name: *Timeout for inactive BITS jobs*
-- GP name: *BITS_Job_Timeout*
-- GP element: *BITS_Job_Timeout_Time*
-- GP path: *Network/Background Intelligent Transfer Service (BITS)*
-- GP ADMX file name: *Bits.admx*
+| Name | Value |
+|:--|:--|
+| Name | BITS_Job_Timeout |
+| Friendly Name | Timeout for inactive BITS jobs |
+| Element Name | Inactive Job Timeout in Days |
+| Location | Computer Configuration |
+| Path | Network > Background Intelligent Transfer Service (BITS) |
+| Registry Key Name | Software\Policies\Microsoft\Windows\BITS |
+| ADMX File Name | Bits.admx |
+
-
-
-Value type is integer. Default is 90 days.
+
+
+
-Supported values range: 0 - 999
+
+
+
+
-
-
+
-
-
-
-
-
-
-
-
-
-
+## Related articles
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 80872eeb7d..e2910d975d 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -1,356 +1,343 @@
 ---
-title: Policy CSP - Bluetooth
-description: Learn how the Policy CSP - Bluetooth setting specifies whether the device can send out Bluetooth advertisements.
+title: Bluetooth Policy CSP
+description: Learn more about the Bluetooth Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 02/12/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - Bluetooth
-
    + + + - -## Bluetooth policies + +## AllowAdvertising -
    -
    - Bluetooth/AllowAdvertising -
    -
    - Bluetooth/AllowDiscoverableMode -
    -
    - Bluetooth/AllowPrepairing -
    -
    - Bluetooth/AllowPromptedProximalConnections -
    -
    - Bluetooth/LocalDeviceName -
    -
    - Bluetooth/ServicesAllowedList -
    -
    - Bluetooth/SetMinimumEncryptionKeySize -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowAdvertising +``` + -
    + + +Specifies whether the device can send out Bluetooth advertisements. If this is not set or it is deleted, the default value of 1 (Allow) is used. Most restricted value is 0. + - -**Bluetooth/AllowAdvertising** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. When set to 0, the device will not send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is not received by the peripheral. | +| 1 (Default) | Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowDiscoverableMode - - -This policy specifies whether the device can send out Bluetooth advertisements. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -If this policy isn't set or is deleted, the default value of 1 (Allow) is used. + +```Device +./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowDiscoverableMode +``` + -Most restricted value is 0. + + +Specifies whether other Bluetooth-enabled devices can discover the device. If this is not set or it is deleted, the default value of 1 (Allow) is used. Most restricted value is 0. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. When set to 0, the device won't send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement isn't received by the peripheral. -- 1 (default) – Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Bluetooth/AllowDiscoverableMode** +| Value | Description | +|:--|:--| +| 0 | Not allowed. When set to 0, other devices will not be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you cannot see the name of the device. | +| 1 (Default) | Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## AllowPrepairing - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowPrepairing +``` + -> [!div class = "checklist"] -> * Device + + +Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. + -
    + + + - - -This policy specifies whether other Bluetooth-enabled devices can discover the device. + +**Description framework properties**: -If this policy isn't set or is deleted, the default value of 1 (Allow) is used. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -Most restricted value is 0. + +**Allowed values**: - - -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -- 0 – Not allowed. When set to 0, other devices won't be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you can't see the name of the device. -- 1 (default) – Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it. + + + - - + -
    + +## AllowPromptedProximalConnections - -**Bluetooth/AllowPrepairing** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowPromptedProximalConnections +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default)– Allowed. - - - - -
    - - -**Bluetooth/AllowPromptedProximalConnections** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy allows the IT admin to block users on these managed devices from using Swift Pair and other proximity based scenarios. + - - -The following list shows the supported values: + + + -- 0 - Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios -- 1 - Allow (default). Allow users on these managed devices to use Swift Pair and other proximity based scenarios + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Bluetooth/LocalDeviceName** +| Value | Description | +|:--|:--| +| 0 | Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios. | +| 1 (Default) | Allow. Allow users on these managed devices to use Swift Pair and other proximity based scenarios. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## LocalDeviceName - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Bluetooth/LocalDeviceName +``` + -> [!div class = "checklist"] -> * Device + + +Sets the local Bluetooth device name. If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified. If this policy is not set or it is deleted, the default local radio name is used. + -
    + + + - - -Sets the local Bluetooth device name. + +**Description framework properties**: -If this name is set, the value that it's set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If this policy isn't set or is deleted, the default local radio name is used. + + + - - + -
    + +## ServicesAllowedList - -**Bluetooth/ServicesAllowedList** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Bluetooth/ServicesAllowedList +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7. CAA-436. C-8. BF0-78. CD0FFBD4AF}. The default value is an empty string. For more information, see ServicesAllowedList usage guide + + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. + +## SetMinimumEncryptionKeySize -The default value is an empty string. For more information, see [ServicesAllowedList usage guide](#servicesallowedlist-usage-guide) + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Bluetooth/SetMinimumEncryptionKeySize +``` + -
    - - -**Bluetooth/SetMinimumEncryptionKeySize** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments. + - - -The following list shows the supported values: -- 0 (default) - All Bluetooth traffic is allowed. -- N - A number from 1 through 16 representing the bytes that must be used in the encryption process. Currently, 16 is the largest allowed value for N and 16 bytes is the largest key size that Bluetooth supports. If you want to enforce Windows to always use Bluetooth encryption, ignoring the precise encryption key strength, use 1 as the value for N. + + + -For more information on allowed key sizes, see Bluetooth Core Specification v5.1. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-16]` | +| Default Value | 0 | + - - + + + - - -
    - - - - -
    + + + ## ServicesAllowedList usage guide When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It's an allowed list, enabling admins to still allow custom Bluetooth profiles that aren't defined by the Bluetooth Special Interests Group (SIG). 
@@ -367,30 +354,28 @@ These UUIDs all use the same base UUID with the profile identifiers added to the Here are some examples: -**Example of how to enable Hands Free Profile (HFP)** +**Example of how to enable Hands Free Profile (HFP)**: BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB -|UUID name |Protocol specification |UUID | -|---------|---------|---------| -|HFP(Hands Free Profile) |Hands-Free Profile (HFP) * |0x111E | +| UUID name | Protocol specification | UUID | +|-------------------------|----------------------------|--------| +| HFP(Hands Free Profile) | Hands-Free Profile (HFP) * | 0x111E | Footnote: * Used as both Service Class Identifier and Profile Identifier. Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000**111E**-0000-1000-8000-00805F9B34FB -**Allow Audio Headsets (Voice)** +**Allow Audio Headsets (Voice)**: -|Profile|Reasoning|UUID| -|-|-|-| -|HFP (Hands Free Profile)|For voice-enabled headsets|0x111E| -|Generic Audio Service|Generic audio service|0x1203| -|Headset Service Class|For older voice-enabled headsets|0x1108| -|PnP Information|Used to identify devices occasionally|0x1200| +| Profile | Reasoning | UUID | +|--------------------------|---------------------------------------|--------| +| HFP (Hands Free Profile) | For voice-enabled headsets | 0x111E | +| Generic Audio Service | Generic audio service | 0x1203 | +| Headset Service Class | For older voice-enabled headsets | 0x1108 | +| PnP Information | Used to identify devices occasionally | 0x1200 | -If you only want Bluetooth headsets, the UUIDs to include are: - -{0000111E-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB} +If you only want Bluetooth headsets, the UUIDs to include are: `{0000111E-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}`. 
-**Allow Audio Headsets and Speakers (Voice & Music)** +**Allow Audio Headsets and Speakers (Voice & Music)**: |Profile |Reasoning |UUID | |---------|---------|---------| @@ -424,7 +409,7 @@ This means that if you only want Bluetooth headsets, the UUIDs are: {0000111E-0000-1000-8000-00805F9B34FB};{0000110B-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{0000110C-0000-1000-8000-00805F9B34FB};{0000110E-0000-1000-8000-00805F9B34FB};{0000110F-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}; -**Classic Keyboards and Mice** +**Classic Keyboards and Mice**: |Profile |Reasoning |UUID | |---------|---------|---------| @@ -433,8 +418,7 @@ This means that if you only want Bluetooth headsets, the UUIDs are: {00001124-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}; - -**LE Keyboards and Mice** +**LE Keyboards and Mice**: |Profile |Reasoning |UUID | |---------|---------|---------| @@ -448,7 +432,7 @@ Footnote: * The Surface pen uses the HID over GATT profile {00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} -**Allow File Transfer** +**Allow File Transfer**: |Profile |Reasoning |UUID | |---------|---------|---------| 
@@ -458,9 +442,16 @@ Footnote: * The Surface pen uses the HID over GATT profile
 {00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}
-Disabling file transfer shall have the following effects
+Disabling file transfer shall have the following effects:
+
 - Fsquirt shall not allow sending of files
 - Fsquirt shall not allow receiving of files
 - Fsquirt shall display error message informing user of policy preventing file transfer
 - 3rd-party apps shall not be permitted to send or receive files using MSFT Bluetooth API
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index f408ee3d3b..8f7766c3a5 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -1,3327 +1,3816 @@
 ---
-title: Policy CSP - Browser
-description: Learn how to use the Policy CSP - Browser settings so you can configure Microsoft Edge browser, version 45 and earlier.
-ms.topic: article
+title: Browser Policy CSP
+description: Learn more about the Browser Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 01/09/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
-ms.localizationpriority: medium
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - Browser
+
+
 > [!NOTE]
 > These settings are for the previous version of Microsoft Edge (version 45 and earlier) and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](/deployedge/configure-edge-with-mdm).
+
+
+## AllowAddressBarDropdown
-
-## Browser policies
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    -
    - Browser/AllowAddressBarDropdown -
    -
    - Browser/AllowAutofill -
    -
    - Browser/AllowConfigurationUpdateForBooksLibrary -
    -
    - Browser/AllowCookies -
    -
    - Browser/AllowDeveloperTools -
    -
    - Browser/AllowDoNotTrack -
    -
    - Browser/AllowExtensions -
    -
    - Browser/AllowFlash -
    -
    - Browser/AllowFlashClickToRun -
    -
    - Browser/AllowFullScreenMode -
    -
    - Browser/AllowInPrivate -
    -
    - Browser/AllowMicrosoftCompatibilityList -
    -
    - Browser/AllowPasswordManager -
    -
    - Browser/AllowPopups -
    -
    - Browser/AllowPrelaunch -
    -
    - Browser/AllowPrinting -
    -
    - Browser/AllowSavingHistory -
    -
    - Browser/AllowSearchEngineCustomization -
    -
    - Browser/AllowSearchSuggestionsinAddressBar -
    -
    - Browser/AllowSideloadingOfExtensions -
    -
    - Browser/AllowSmartScreen -
    -
    - Browser/AllowTabPreloading -
    -
    - Browser/AllowWebContentOnNewTabPage -
    -
    - Browser/AlwaysEnableBooksLibrary -
    -
    - Browser/ClearBrowsingDataOnExit -
    -
    - Browser/ConfigureAdditionalSearchEngines -
    -
    - Browser/ConfigureFavoritesBar -
    -
    - Browser/ConfigureHomeButton -
    -
    - Browser/ConfigureKioskMode -
    -
    - Browser/ConfigureKioskResetAfterIdleTimeout -
    -
    - Browser/ConfigureOpenMicrosoftEdgeWith -
    -
    - Browser/ConfigureTelemetryForMicrosoft365Analytics -
    -
    - Browser/DisableLockdownOfStartPages -
    -
    - Browser/EnableExtendedBooksTelemetry -
    -
    - Browser/EnterpriseModeSiteList -
    -
    - Browser/EnterpriseSiteListServiceUrl -
    -
    - Browser/HomePages -
    -
    - Browser/LockdownFavorites -
    -
    - Browser/PreventAccessToAboutFlagsInMicrosoftEdge -
    -
    - Browser/PreventCertErrorOverrides -
    -
    - Browser/PreventFirstRunPage -
    -
    - Browser/PreventLiveTileDataCollection -
    -
    - Browser/PreventSmartScreenPromptOverride -
    -
    - Browser/PreventSmartScreenPromptOverrideForFiles -
    -
    - Browser/PreventTurningOffRequiredExtensions -
    -
    - Browser/PreventUsingLocalHostIPAddressForWebRTC -
    -
    - Browser/ProvisionFavorites -
    -
    - Browser/SendIntranetTraffictoInternetExplorer -
    -
    - Browser/SetDefaultSearchEngine -
    -
    - Browser/SetHomeButtonURL -
    -
    - Browser/SetNewTabPageURL -
    -
    - Browser/ShowMessageWhenOpeningSitesInInternetExplorer -
    + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown +``` -
    - Browser/SuppressEdgeDeprecationNotification -
    -
    - Browser/SyncFavoritesBetweenIEAndMicrosoftEdge -
    -
    - Browser/UnlockHomeButton -
    -
    - Browser/UseSharedFolderForBooks -
    -
    +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown +``` + + + +This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. -
    +> [!NOTE] +> Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. - -**Browser/AllowAddressBarDropdown** +- If you enable or don't configure this setting, employees can see the Address bar drop-down functionality in Microsoft Edge. - +- If you disable this setting, employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type". + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + + + + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * User -> * Device +| Value | Description | +|:--|:--| +| 0 | Prevented/not allowed. Hide the Address bar drop-down functionality and disable the Show search and site suggestions as I type toggle in Settings. | +| 1 (Default) | Allowed. Show the Address bar drop-down list and make it available. | + -
    + +**Group policy mapping**: - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703* +| Name | Value | +|:--|:--| +| Name | AllowAddressBarDropdown | +| Friendly Name | Allow Address bar drop-down list suggestions | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\ServiceUI | +| Registry Value Name | ShowOneBox | +| ADMX File Name | MicrosoftEdge.admx | + -[!INCLUDE [allow-address-bar-drop-down-shortdesc](../includes/allow-address-bar-drop-down-shortdesc.md)] + + + + - - -ADMX Info: -- GP Friendly name: *Allow Address bar drop-down list suggestions* -- GP name: *AllowAddressBarDropdown* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +## AllowAutofill - - -Supported values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -- 0 – Prevented/not allowed. Hide the Address bar drop-down functionality and disable the _Show search and site suggestions as I type_ toggle in Settings.  -- 1 (default) – Allowed. Show the Address bar drop-down list and make it available. + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowAutofill +``` -Most restricted value: 0 - - +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowAutofill +``` + -
    + + +This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill. - -**Browser/AllowAutofill** +- If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge. - +- If you disable this setting, employees can't use Autofill to automatically fill in forms while using Microsoft Edge. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| +- If you don't configure this setting, employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge. + + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -> [!div class = "checklist"] -> * User -> * Device + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Prevented/Not allowed. | +| 1 | Allowed. | + - - + +**Group policy mapping**: -[!INCLUDE [configure-autofill-shortdesc](../includes/configure-autofill-shortdesc.md)] +| Name | Value | +|:--|:--| +| Name | AllowAutofill | +| Friendly Name | Configure Autofill | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | Use FormSuggest | +| ADMX File Name | MicrosoftEdge.admx | + - - -ADMX Info: -- GP Friendly name: *Configure Autofill* -- GP name: *AllowAutofill* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank - Users can choose to use AutoFill. -- 0 – Prevented/not allowed. -- 1 (default) – Allowed. - -Most restricted value: 0 - - + + +**Verify**: To verify AllowAutofill is set to 0 (not allowed): -1. Open Microsoft Edge. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the dropdown list, and select **View Advanced Settings**. -4. Verify the setting **Save form entries** is grayed out. +1. Open Microsoft Edge. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the dropdown list, and select **View Advanced Settings**. +4. Verify the setting **Save form entries** is grayed out. + - - + -
    + +## AllowBrowser - -**Browser/AllowConfigurationUpdateForBooksLibrary** +> [!NOTE] +> This policy is deprecated and may be removed in a future release. - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowBrowser +``` +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowBrowser +``` + - -
    + + +This policy is deprecated + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../includes/allow-configuration-updates-for-books-library-shortdesc.md)] +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + - - -ADMX Info: -- GP Friendly name: *Allow configuration updates for the Books Library* -- GP name: *AllowConfigurationUpdateForBooksLibrary* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + - - -Supported values: + +## AllowConfigurationUpdateForBooksLibrary -- 0 - Prevented/not allowed. -- 1 (default). Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary +``` + - -**Browser/AllowCookies** + + +This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | + -> [!div class = "checklist"] -> * User -> * Device + + + -
    + - - -[!INCLUDE [configure-cookies-shortdesc](../includes/configure-cookies-shortdesc.md)] + +## AllowCookies - - -ADMX Info: -- GP Friendly name: *Configure cookies* -- GP name: *Cookies* -- GP element: *CookiesListBox* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - -Supported values: + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowCookies +``` -- 0 – Block all cookies from all sites -- 1 – Block only cookies from third party websites -- 2 - Allow all cookies from all sites +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowCookies +``` + -Most restricted value: 0 - - + + +This setting lets you configure how your company deals with cookies. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Block all cookies from all sites. | +| 1 | Block only cookies from third party websites. | +| 2 (Default) | Allow all cookies from all sites. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Cookies | +| Friendly Name | Configure cookies | +| Element Name | Configure Cookies | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| ADMX File Name | MicrosoftEdge.admx | + + + + +**Verify**: To verify AllowCookies is set to 0 (not allowed): 1. Open Microsoft Edge. 2. In the upper-right corner of the browser, click **…**. 3. Click **Settings** in the dropdown list, and select **View Advanced Settings**. 4. Verify the setting **Cookies** is disabled. + - - + -
    + +## AllowDeveloperTools - -**Browser/AllowDeveloperTools** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools +``` + + + +This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge. - -
    +- If you enable or don't configure this setting, the F12 Developer Tools are available in Microsoft Edge. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you disable this setting, the F12 Developer Tools aren't available in Microsoft Edge. + -> [!div class = "checklist"] -> * User -> * Device + + + -
    + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -[!INCLUDE [allow-developer-tools-shortdesc](../includes/allow-developer-tools-shortdesc.md)] + +**Allowed values**: - - -ADMX Info: -- GP Friendly name: *Allow Developer Tools* -- GP name: *AllowDeveloperTools* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + - - -Supported values: + +**Group policy mapping**: -- 0 – Prevented/not allowed. -- 1 (default) – Allowed. +| Name | Value | +|:--|:--| +| Name | AllowDeveloperTools | +| Friendly Name | Allow Developer Tools | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\F12 | +| Registry Value Name | AllowDeveloperTools | +| ADMX File Name | MicrosoftEdge.admx | + -Most restricted value: 0 - - + + + -
    + - -**Browser/AllowDoNotTrack** + +## AllowDoNotTrack - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack +``` +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack +``` + - -
    + + +This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren't sent, but employees can choose to turn on and send requests. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you enable this setting, Do Not Tracker requests are always sent to websites asking for tracking info. -> [!div class = "checklist"] -> * User -> * Device +- If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info. -
    +- If you don't configure this setting, employees can choose whether to send Do Not Track requests to websites asking for tracking info. + - - -[!INCLUDE [configure-do-not-track-shortdesc](../includes/configure-do-not-track-shortdesc.md)] + + + - - -ADMX Info: -- GP Friendly name: *Configure Do Not Track* -- GP name: *AllowDoNotTrack* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +**Description framework properties**: - - -Supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- Blank (default) - Don't send tracking information but let users choose to send tracking information to sites they visit. -- 0 - Never send tracking information. -- 1 - Send tracking information. + +**Allowed values**: -Most restricted value: 1 - - +| Value | Description | +|:--|:--| +| 0 (Default) | Never send tracking information. | +| 1 | Send tracking information. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowDoNotTrack | +| Friendly Name | Configure Do Not Track | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | DoNotTrack | +| ADMX File Name | MicrosoftEdge.admx | + + + + +**Verify**: To verify AllowDoNotTrack is set to 0 (not allowed): 1. Open Microsoft Edge. 2. In the upper-right corner of the browser, click **…**. 3. Click **Settings** in the dropdown list, and select **View Advanced Settings**. 4. Verify the setting **Send Do Not Track requests** is grayed out. + + + + + +## AllowExtensions - - - -
    - - -**Browser/AllowExtensions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1607* - -[!INCLUDE [allow-extensions-shortdesc](../includes/allow-extensions-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow Extensions* -- GP name: *AllowExtensions* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 – Prevented/not allowed -- 1 (default) – Allowed - - - - -
    - - -**Browser/AllowFlash** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - -[!INCLUDE [allow-adobe-flash-shortdesc](../includes/allow-adobe-flash-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow Adobe Flash* -- GP name: *AllowFlash* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 – Prevented/not allowed -- 1 (default) – Allowed - - - - -
    - - -**Browser/AllowFlashClickToRun** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* - - -[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../includes/configure-adobe-flash-click-to-run-setting-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Configure the Adobe Flash Click-to-Run setting* -- GP name: *AllowFlashClickToRun* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 – Load and run Adobe Flash content automatically. -- 1 (default) – Doesn't load or run Adobe Flash content automatically. Requires action from the user. - -Most restricted value: 1 - - - - -
    - - -**Browser/AllowFullScreenMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - -[!INCLUDE [allow-fullscreen-mode-shortdesc](../includes/allow-fullscreen-mode-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow FullScreen Mode* -- GP name: *AllowFullScreenMode* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 - Prevented/not allowed -- 1 (default) - Allowed - -Most restricted value: 0 - - - - - - - - - - -
    - - -**Browser/AllowInPrivate** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -[!INCLUDE [allow-inprivate-browsing-shortdesc](../includes/allow-inprivate-browsing-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow InPrivate browsing* -- GP name: *AllowInPrivate* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 – Prevented/not allowed -- 1 (default) – Allowed - -Most restricted value: 0 - - - - -
    - - -**Browser/AllowMicrosoftCompatibilityList** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* - - -[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../includes/allow-microsoft-compatibility-list-shortdesc.md)] - - - - -ADMX Info: -- GP Friendly name: *Allow Microsoft Compatibility List* -- GP name: *AllowCVList* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 – Prevented/not allowed -- 1 (default) – Allowed - -Most restricted value: 0 - - - - -
    - - -**Browser/AllowPasswordManager** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -[!INCLUDE [configure-password-manager-shortdesc](../includes/configure-password-manager-shortdesc.md)] - - - - -ADMX Info: -- GP Friendly name: *Configure Password Manager* -- GP name: *AllowPasswordManager* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank - Users can choose to save and manage passwords locally. -- 0 – Not allowed. -- 1 (default) – Allowed. - -Most restricted value: 0 - - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowExtensions +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowExtensions +``` + + + + +This setting lets you decide whether employees can load extensions in Microsoft Edge. + +- If you enable or don't configure this setting, employees can use Microsoft Edge Extensions. + +- If you disable this setting, employees can't use Microsoft Edge Extensions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowExtensions | +| Friendly Name | Allow Extensions | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Extensions | +| Registry Value Name | ExtensionsEnabled | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowFlash + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowFlash +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowFlash +``` + + + + +This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. + +- If you enable or don't configure this setting, employees can use Adobe Flash. + +- If you disable this setting, employees can't use Adobe Flash. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowFlash | +| Friendly Name | Allow Adobe Flash | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Addons | +| Registry Value Name | FlashPlayerEnabled | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowFlashClickToRun + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun +``` + + + + +If you enable or don't configure the Adobe Flash Click-to-Run setting, Microsoft Edge will require a user to click the Click-to-Run button, to click the content, or for the site to appear on the auto-allowed list, before loading and running the content. + +Sites get onto the auto-allowed list based on user feedback, specifically by how often the content is allowed to load and run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Load and run Adobe Flash content automatically. | +| 1 (Default) | Does not load or run Adobe Flash content automatically. Requires action from the user. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowFlashClickToRun | +| Friendly Name | Configure the Adobe Flash Click-to-Run setting | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Security | +| Registry Value Name | FlashClickToRunMode | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowFullScreenMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowFullScreenMode +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowFullScreenMode +``` + + + + +With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. + +If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. + +If disabled, full-screen mode is unavailable for use in Microsoft Edge. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowFullScreenMode | +| Friendly Name | Allow FullScreen Mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | AllowFullScreenMode | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowInPrivate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowInPrivate +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowInPrivate +``` + + + + +This policy setting lets you decide whether employees can browse using InPrivate website browsing. + +- If you enable or don't configure this setting, employees can use InPrivate website browsing. + +- If you disable this setting, employees can't use InPrivate website browsing. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowInPrivate | +| Friendly Name | Allow InPrivate browsing | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | AllowInPrivate | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowMicrosoftCompatibilityList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList +``` + + + + +This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat. + +- If you enable or don't configure this setting, Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it's in whatever version of IE is necessary for it to appear properly. + +- If you disable this setting, the Microsoft Compatibility List isn't used during browser navigation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowCVList | +| Friendly Name | Allow Microsoft Compatibility List | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\BrowserEmulation | +| Registry Value Name | MSCompatibilityMode | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowPasswordManager + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager +``` + + + + +This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on. + +- If you enable this setting, employees can use Password Manager to save their passwords locally. + +- If you disable this setting, employees can't use Password Manager to save their passwords locally. + +- If you don't configure this setting, employees can choose whether to use Password Manager to save their passwords locally. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowPasswordManager | +| Friendly Name | Configure Password Manager | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | FormSuggest Passwords | +| ADMX File Name | MicrosoftEdge.admx | + + + + +**Verify**: To verify AllowPasswordManager is set to 0 (not allowed): 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. 2. Verify the settings **Save Password** is disabled. + - - + -
    + +## AllowPopups - -**Browser/AllowPopups** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowPopups +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowPopups +``` + + + +This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.. - -
    +- If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear. -> [!div class = "checklist"] -> * User -> * Device +- If you don't configure this setting, employees can choose whether to use Pop-up Blocker. + -
    + + + - - + +**Description framework properties**: -[!INCLUDE [configure-pop-up-blocker-shortdesc](../includes/configure-pop-up-blocker-shortdesc.md)] +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -ADMX Info: -- GP Friendly name: *Configure Pop-up Blocker* -- GP name: *AllowPopups* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +**Allowed values**: - - -Supported values: +| Value | Description | +|:--|:--| +| 0 (Default) | Turn off Pop-up Blocker letting pop-up windows open. | +| 1 | Turn on Pop-up Blocker stopping pop-up windows from opening. | + -- Blank - Users can choose to use Pop-up Blocker. -- 0 (default) – Turn off Pop-up Blocker letting pop-up windows open. -- 1 – Turn on Pop-up Blocker stopping pop-up windows from opening. + +**Group policy mapping**: -Most restricted value: 1 +| Name | Value | +|:--|:--| +| Name | AllowPopups | +| Friendly Name | Configure Pop-up Blocker | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | AllowPopups | +| ADMX File Name | MicrosoftEdge.admx | + - - + + +**Verify**: To verify AllowPopups is set to 0 (not allowed): 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. 2. Verify whether the setting **Block pop-ups** is disabled. + - - + + + +## AllowPrelaunch -
    - - -**Browser/AllowPrelaunch** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - - -[!INCLUDE [allow-prelaunch-shortdesc](../includes/allow-prelaunch-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed* -- GP name: *AllowPrelaunch* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 - Prevented/not allowed -- 1 (default) - Allowed - -Most restricted value: 0 - - - - - - - - - - -
    - - -**Browser/AllowPrinting** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - -[!INCLUDE [allow-printing-shortdesc](../includes/allow-printing-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow printing* -- GP name: *AllowPrinting* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 - Prevented/not allowed -- 1 (default) - Allowed - -Most restricted value: 0 - - - - - - - - - - -
    - - -**Browser/AllowSavingHistory** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - -[!INCLUDE [allow-saving-history-shortdesc](../includes/allow-saving-history-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow Saving History* -- GP name: *AllowSavingHistory* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 - Prevented/not allowed -- 1 (default) - Allowed - -Most restricted value: 0 - - - - - - - - - - -
    - - -**Browser/AllowSearchEngineCustomization** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* - - -[!INCLUDE [allow-search-engine-customization-shortdesc](../includes/allow-search-engine-customization-shortdesc.md)] - - - - - -ADMX Info: -- GP Friendly name: *Allow search engine customization* -- GP name: *AllowSearchEngineCustomization* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 – Prevented/not allowed -- 1 (default) – Allowed - -Most restricted value: 0 - - - - -
    - - -**Browser/AllowSearchSuggestionsinAddressBar** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../includes/configure-search-suggestions-in-address-bar-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Configure search suggestions in Address bar* -- GP name: *AllowSearchSuggestionsinAddressBar* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank (default) - Users can choose to see search suggestions. -- 0 – Prevented/not allowed. Hide the search suggestions. -- 1 – Allowed. Show the search suggestions. - -Most restricted value: 0 - - - - -
    - - -**Browser/AllowSideloadingOfExtensions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - -[!INCLUDE [allow-sideloading-of-extensions-shortdesc](../includes/allow-sideloading-of-extensions-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow sideloading of Extensions* -- GP name: *AllowSideloadingOfExtensions* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 - Prevented/not allowed. Disabling doesn't prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this sideloading, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). -- 1 (default) - Allowed. - -Most restricted value: 0 - - - - - - - - - - -
    - - -**Browser/AllowSmartScreen** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../includes/configure-windows-defender-smartscreen-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Configure Windows Defender SmartScreen* -- GP name: *AllowSmartScreen* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank - Users can choose to use Windows Defender SmartScreen. -- 0 – Turned off. Don't protect users from potential threats and prevent users from turning it on. -- 1 (default) – Turned on. Protect users from potential threats and prevent users from turning it off. - -Most restricted value: 1 - - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowPrelaunch +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowPrelaunch +``` + + + + +This policy setting lets you decide whether Microsoft Edge can pre-launch during Windows sign in, when the system is idle, and each time Microsoft Edge is closed. By default this setting is to allow pre-launch. + +If you allow pre-launch, disable, or don't configure this policy setting, Microsoft Edge pre-launches during Windows sign in, when the system is idle, and each time Microsoft Edge is closed; minimizing the amount of time required to start up Microsoft Edge. + +If you prevent pre-launch, Microsoft Edge won't pre-launch during Windows sign in, when the system is idle, or each time Microsoft Edge is closed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowPrelaunch | +| Friendly Name | Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowPrinting + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowPrinting +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowPrinting +``` + + + + +With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. + +If enabled, printing is allowed. + +If disabled, printing is not allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowPrinting | +| Friendly Name | Allow printing | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | AllowPrinting | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowSavingHistory + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowSavingHistory +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowSavingHistory +``` + + + + +Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. + +If enabled or not configured, the browsing history is saved and visible in the History pane. + +If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSavingHistory | +| Friendly Name | Allow Saving History | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | AllowSavingHistory | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowSearchEngineCustomization + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization +``` + + + + +This policy setting lets you decide whether users can change their search engine. +- If you disable this setting, users can't add new search engines or change the default used in the address bar. + +**Important** +This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). + +- If you enable or don't configure this policy, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. + +- If you disable this setting, users can't add search engines or change the default used in the address bar. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSearchEngineCustomization | +| Friendly Name | Allow search engine customization | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | +| Registry Value Name | AllowSearchEngineCustomization | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowSearchSuggestionsinAddressBar + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar +``` + + + + +This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. + +- If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge. + +- If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge. + +- If you don't configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. Hide the search suggestions. | +| 1 (Default) | Allowed. Show the search suggestions. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSearchSuggestionsinAddressBar | +| Friendly Name | Configure search suggestions in Address bar | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\SearchScopes | +| Registry Value Name | ShowSearchSuggestionsGlobal | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowSideloadingOfExtensions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowSideloadingOfExtensions +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowSideloadingOfExtensions +``` + + + + +Sideloading installs and runs unverified extensions in Microsoft Edge. With this policy, you can specify whether unverified extensions can be sideloaded in Microsoft Edge. + +If enabled or not configured, sideloading of unverified extensions in Microsoft Edge is allowed. + +If disabled, sideloading of unverified extensions in Microsoft Edge is not allowed. Extensions can be installed only through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). When disabled, this policy does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, in Group Policy Editor, enable Allows development of Windows Store apps and installing them from an integrated development environment (IDE), which is located at: + +Computer Configuration > Administrative Templates > Windows Components > App Package Deployment + +Supported versions: Microsoft Edge on Windows 10, version 1809 +Default setting: Disabled or not configured +Related policies: +- Allows development of Windows Store apps and installing them from an integrated development environment (IDE) +- Allow all trusted apps to install + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. Disabling does not prevent sideloading of extensions using Add-AppxPackage via Powershell. To prevent this, set the ApplicationManagement/AllowDeveloperUnlock policy to 1 (enabled). | +| 1 (Default) | Allowed. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSideloadingOfExtensions | +| Friendly Name | Allow Sideloading of extension | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Extensions | +| Registry Value Name | AllowSideloadingOfExtensions | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowSmartScreen + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen +``` + + + + +This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. + +- If you enable this setting, Windows Defender SmartScreen is turned on and employees can't turn it off. + +- If you disable this setting, Windows Defender SmartScreen is turned off and employees can't turn it on. + +- If you don't configure this setting, employees can choose whether to use Windows Defender SmartScreen. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Turned off. Do not protect users from potential threats and prevent users from turning it on. | +| 1 (Default) | Turned on. Protect users from potential threats and prevent users from turning it off. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSmartScreen | +| Friendly Name | Configure Windows Defender SmartScreen | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter | +| Registry Value Name | EnabledV9 | +| ADMX File Name | MicrosoftEdge.admx | + + + + +**Verify**: To verify AllowSmartScreen is set to 0 (not allowed): 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. 2. 
Verify that the setting **Help protect me from malicious sites and download with Windows Defender SmartScreen** is disabled. + - - + -
    + +## AllowTabPreloading - -**Browser/AllowTabPreloading** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowTabPreloading +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowTabPreloading +``` + + + +This policy setting lets you decide whether Microsoft Edge can load the Start and New Tab page during Windows sign in and each time Microsoft Edge is closed. By default this setting is to allow preloading. - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - -[!INCLUDE [allow-tab-preloading-shortdesc](../includes/allow-tab-preloading-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow Microsoft Edge to start and load the Start and New Tab pages in the background at Windows startup and each time Microsoft Edge is closed* -- GP name: *AllowTabPreloading* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 - Prevented/not allowed. -- 1 (default) - Allowed. Preload Start and New tab pages. - -Most restricted value: 1 - - - - - - - - - -
    - - -**Browser/AllowWebContentOnNewTabPage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - -[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../includes/allow-web-content-on-new-tab-page-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow web content on New Tab page* -- GP name: *AllowWebContentOnNewTabPage* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank - Users can choose what loads on the New tab page. -- 0 - Load a blank page instead of the default New tab page and prevent users from changing it. -- 1 (default) - Load the default New tab page. - - - - - - - - - - -
    - - -**Browser/AlwaysEnableBooksLibrary** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [always-show-books-library-shortdesc](../includes/always-show-books-library-shortdesc.md)] - - - - - -ADMX Info: -- GP Friendly name: *Always show the Books Library in Microsoft Edge* -- GP name: *AlwaysEnableBooksLibrary* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) - Show the Books Library only in countries or regions where supported. -- 1 - Show the Books Library, regardless of the device’s country or region. - -Most restricted value: 0 - - - - -
    - - -**Browser/ClearBrowsingDataOnExit** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* - -[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../includes/allow-clearing-browsing-data-on-exit-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow clearing browsing data on exit* -- GP name: *AllowClearingBrowsingDataOnExit* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 – (default) Prevented/not allowed. Users can configure the _Clear browsing data_ option in Settings. -- 1 – Allowed. Clear the browsing data upon exit automatically. - -Most restricted value: 1 - - - +If you allow preloading, disable, or don't configure this policy setting, Microsoft Edge loads the Start and New Tab page during Windows sign in and each time Microsoft Edge is closed; minimizing the amount of time required to start up Microsoft Edge and to start a new tab. + +If you prevent preloading, Microsoft Edge won't load the Start or New Tab page during Windows sign in and each time Microsoft Edge is closed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. Preload Start and New tab pages. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowTabPreloading | +| Friendly Name | Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\TabPreloader | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowWebContentOnNewTabPage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowWebContentOnNewTabPage +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowWebContentOnNewTabPage +``` + + + + +This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. + +- If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. + +- If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. + +- If you don't configure this setting, employees can choose how new tabs appears. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Load a blank page instead of the default New tab page and prevent users from changing it. | +| 1 (Default) | Load the default New tab page. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowWebContentOnNewTabPage | +| Friendly Name | Allow web content on New Tab page | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\ServiceUI | +| Registry Value Name | AllowWebContentOnNewTabPage | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AlwaysEnableBooksLibrary + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary
+```
+
+
+
+
+This policy setting helps you to decide whether to make the Books tab visible, regardless of a device's country or region setting, as configured in the Country or region area of Windows settings.
+
+- If you enable this setting, Microsoft Edge shows the Books Library, regardless of the device's country or region.
+
+- If you disable or don't configure this setting, Microsoft Edge shows the Books Library only in countries or regions where it's supported.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Show the Books Library only in countries or regions where supported. |
+| 1 | Show the Books Library, regardless of the device's country or region. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AlwaysEnableBooksLibrary |
+| Friendly Name | Always show the Books Library in Microsoft Edge |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft Edge |
+| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main |
+| Registry Value Name | AlwaysEnableBooksLibrary |
+| ADMX File Name | MicrosoftEdge.admx |
+
+
+
+
+
+
+
+
+
+## ClearBrowsingDataOnExit
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit
+```
+
+
+
+
+This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes.
+
+- If you enable this policy setting, clearing browsing history on exit is turned on.
+
+- If you disable or don't configure this policy setting, it can be turned on and configured by the employee in the Clear browsing data options under Settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Prevented/not allowed. Users can configure the 'Clear browsing data' option in Settings. |
+| 1 | Allowed. Clear the browsing data upon exit automatically. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowClearingBrowsingDataOnExit |
+| Friendly Name | Allow clearing browsing data on exit |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft Edge |
+| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Privacy |
+| Registry Value Name | ClearBrowsingHistoryOnExit |
+| ADMX File Name | MicrosoftEdge.admx |
+
+
+
+
+**Verify**: To verify whether browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1): 1. Open Microsoft Edge and browse to websites. 2. Close the Microsoft Edge window. 3. Open Microsoft Edge and start typing the same URL in address bar. 4. Verify that it doesn't auto-complete from history.
+
-
-
+
-
    + +## ConfigureAdditionalSearchEngines - -**Browser/ConfigureAdditionalSearchEngines** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines +``` + + + +Allows you to add up to 5 additional search engines for MDM-enrolled devices. If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. If this setting is not configured, the search engines are the ones specified in the App settings. +- If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +**Group policy mapping**: - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* +| Name | Value | +|:--|:--| +| Name | ConfigureAdditionalSearchEngines | +| Friendly Name | Configure additional search engines | +| Element Name | Use this format to specify the link(s) you wish to add: `<>` `<>` | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\OpenSearch | +| ADMX File Name | MicrosoftEdge.admx | + -[!INCLUDE [configure-additional-search-engines-shortdesc](../includes/configure-additional-search-engines-shortdesc.md)] + + + -> [!IMPORTANT] -> Due to Protected Settings (aka.ms/browserpolicy), this setting applies only on domain-joined machines or when the device is MDM-enrolled.  + + +## ConfigureFavoritesBar - - -ADMX Info: -- GP Friendly name: *Configure additional search engines* -- GP name: *ConfigureAdditionalSearchEngines* -- GP element: *ConfigureAdditionalSearchEngines_Prompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - - -Supported values: + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ConfigureFavoritesBar +``` -- 0 (default) – Prevented/not allowed. Microsoft Edge uses the search engine specified in App settings.

    If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. -- 1 – Allowed. Add up to five more search engines and set any one of them as the default.

    For each search engine added, you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ConfigureFavoritesBar +``` + -Most restricted value: 0 - - + + +The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. -


    +If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. - -**Browser/ConfigureFavoritesBar** +If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. - +If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + + + + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * User -> * Device +| Value | Description | +|:--|:--| +| 0 (Default) | Hide the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to Off and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | +| 1 | Show the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to On and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | + -
    + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | ConfigureFavoritesBar | +| Friendly Name | Configure Favorites Bar | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | ConfigureFavoritesBar | +| ADMX File Name | MicrosoftEdge.admx | + + + + -[!INCLUDE [configure-favorites-bar-shortdesc](../includes/configure-favorites-bar-shortdesc.md)] + - - -ADMX Info: -- GP Friendly name: *Configure Favorites Bar* -- GP name: *ConfigureFavoritesBar* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +## ConfigureHomeButton - - -Supported values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -- Blank (default) - Hide the favorites bar but show it on the Start and New tab pages. The favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. -- 0 - Hide the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to Off and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. -- 1 - Show the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to On and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton +``` +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton +``` + - - + + +The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. By default, this policy is disabled or not configured and clicking the home button loads the default Start page. When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. If Enabled AND: - Show home button & set to Start page is selected, clicking the home button loads the Start page. - Show home button & set to New tab page is selected, clicking the home button loads a New tab page. - Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. - Hide home button is selected, the home button is hidden in Microsoft Edge. Default setting: Disabled or not configured Related policies: - Set Home Button URL - Unlock Home Button + - - + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Browser/ConfigureHomeButton** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Show home button and load the Start page. | +| 1 | Show home button and load the New tab page. | +| 2 | Show home button and load the custom URL defined in the Set Home Button URL policy. | +| 3 | Hide home button. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + +**Group policy mapping**: +| Name | Value | +|:--|:--| +| Name | ConfigureHomeButton | +| Friendly Name | Configure Home Button | +| Element Name | Configure the Home Button | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| ADMX File Name | MicrosoftEdge.admx | + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [configure-home-button-shortdesc](../includes/configure-home-button-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Configure Home Button* -- GP name: *ConfigureHomeButton* -- GP element: *ConfigureHomeButtonDropdown* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) - Show home button and load the Start page. -- 1 - Show home button and load the New tab page. -- 2 - Show home button and load the custom URL defined in the Set Home Button URL policy. -- 3 - Hide home button. - + + >[!TIP] >If you want to make changes to this policy:
    1. Set **UnlockHomeButton** to 1 (enabled).
    2. Make changes to **ConfigureHomeButton** or **SetHomeButtonURL** policy.
    3. Set **UnlockHomeButton** 0 (disabled).
    + + - - + +## ConfigureKioskMode - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode +``` + - -**Browser/ConfigureKioskMode** + + +Configure how Microsoft Edge behaves when it's running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see "Configure kiosk and shared devices running Windows desktop editions" (. If enabled and set to 0 (Default or not configured): - If it's a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it's one of many apps, Microsoft Edge runs as normal. If enabled and set to 1: - If it's a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can't minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking "End session." You can configure Microsoft Edge to restart after a period of inactivity by using the "Configure kiosk reset after idle timeout" policy. - If it's one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can't customize Microsoft Edge. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + -> [!div class = "checklist"] -> * User -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | ConfigureKioskMode | +| Friendly Name | Configure kiosk mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\KioskMode | +| ADMX File Name | MicrosoftEdge.admx | + - - + + + -[!INCLUDE [configure-kiosk-mode-shortdesc](../includes/configure-kiosk-mode-shortdesc.md)] + -For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](/windows/configuration/kiosk-shared-pc). + +## ConfigureKioskResetAfterIdleTimeout + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout +``` - - -ADMX Info: -- GP Friendly name: *Configure kiosk mode* -- GP name: *ConfigureKioskMode* -- GP element: *ConfigureKioskMode_TextBox* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout +``` + - - -Supported values: + + +You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user's browsing data. If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. If you set this policy to 0, Microsoft Edge does not use an idle timer. If disabled or not configured, the default value is 5 minutes. If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. + -**0 (Default or not configured)**: -- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. -- If it’s one of many apps, Microsoft Edge runs as normal. + + + -**1**: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. 
Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you don't configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time. -- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1440]` | +| Default Value | 5 | +| Dependency [Browser_ConfigureKioskResetAfterIdleTimeout_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + - - + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | ConfigureKioskResetAfterIdleTimeout | +| Friendly Name | Configure kiosk reset after idle timeout | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\KioskMode | +| ADMX File Name | MicrosoftEdge.admx | + -
    + + + - -**Browser/ConfigureKioskResetAfterIdleTimeout** + - + +## ConfigureOpenMicrosoftEdgeWith -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ConfigureOpenMicrosoftEdgeWith +``` - -
    +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ConfigureOpenMicrosoftEdgeWith +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. If enabled, you can choose one of the following options: - Start page: the Start page loads ignoring the Configure Start Pages policy. - New tab page: the New tab page loads ignoring the Configure Start Pages policy. - Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. - A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. Default setting: A specific page or pages (default) Related policies: -Disable Lockdown of Start Pages -Configure Start Pages + -> [!div class = "checklist"] -> * User -> * Device + + + -
    + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + +**Allowed values**: -[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] +| Value | Description | +|:--|:--| +| 0 | Load the Start page. | +| 1 | Load the New tab page. | +| 2 | Load the previous pages. | +| 3 (Default) | Load a specific page or pages. | + -You must set ConfigureKioskMode to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](/windows/configuration/kiosk-shared-pc). + +**Group policy mapping**: - - -ADMX Info: -- GP Friendly name: *Configure kiosk reset after idle timeout* -- GP name: *ConfigureKioskResetAfterIdleTimeout* -- GP element: *ConfigureKioskResetAfterIdleTimeout_TextBox* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- **Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds. - -- **0** – No idle timer. - - - - - - - - - - -
    - - -**Browser/ConfigureOpenMicrosoftEdgeWith** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../includes/configure-open-microsoft-edge-with-shortdesc.md)] - -**Version 1703 or later**:
    -If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. - - -**version 1809**:
    -When you enable this policy and select an option, and also enter the URLs of the pages you want in HomePages, Microsoft Edge ignores HomePages. - - - -ADMX Info: -- GP Friendly name: *Configure Open Microsoft Edge With* -- GP name: *ConfigureOpenEdgeWith* -- GP element: *ConfigureOpenEdgeWithListBox* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank - If you don't configure this policy and you set DisableLockdownOfStartPages to 1 (enabled), users can change or customize the Start page. -- 0 - Load the Start page. -- 1 - Load the New tab page. -- 2 - Load the previous pages. -- 3 (default) - Load a specific page or pages. +| Name | Value | +|:--|:--| +| Name | ConfigureOpenEdgeWith | +| Friendly Name | Configure Open Microsoft Edge With | +| Element Name | Configure Open Microsoft Edge With | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| ADMX File Name | MicrosoftEdge.admx | + + + >[!TIP] >If you want to make changes to this policy:
    1. Set DisableLockdownOfStartPages to 0 (not configured).
    2. Make changes to ConfigureOpenEdgeWith.
    3. Set DisableLockdownOfStartPages to 1 (enabled).
    + + - - + +## ConfigureTelemetryForMicrosoft365Analytics - - +> [!NOTE] +> This policy is deprecated and may be removed in a future release. - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ConfigureTelemetryForMicrosoft365Analytics +``` - -**Browser/ConfigureTelemetryForMicrosoft365Analytics** +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ConfigureTelemetryForMicrosoft365Analytics +``` + - + + +Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + + + + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * User -> * Device +| Value | Description | +|:--|:--| +| 0 (Default) | No data collected or sent. | +| 1 | Send intranet history only. | +| 2 | Send Internet history only. | +| 3 | Send both intranet and Internet history. | + -
    + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | ConfigureTelemetryForMicrosoft365Analytics | +| Friendly Name | Configure collection of browsing data for Desktop Analytics | +| Element Name | Configure telemetry collection | +| Location | Computer and User Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | +| ADMX File Name | MicrosoftEdge.admx | + -[!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] + + + - - -ADMX Info: -- GP Friendly name: *Configure collection of browsing data for Microsoft 365 Analytics* -- GP name: *ConfigureTelemetryForMicrosoft365Analytics* -- GP element: *ZonesListBox* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *MicrosoftEdge.admx* + - - -Supported values: + +## DisableLockdownOfStartPages -- 0 (default) - No data collected or sent -- 1 - Send intranet history only -- 2 - Send Internet history only -- 3 - Send both intranet and Internet history + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -Most restricted value: 0 - - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages +``` + - - + + +You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Start Pages - Configure Open Microsoft Edge With + -
    - - -**Browser/DisableLockdownOfStartPages** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10* - -[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../includes/disable-lockdown-of-start-pages-shortdesc.md)] -   + + > [!NOTE] > This policy has no effect when the Browser/HomePages policy isn't configured.  > [!IMPORTANT] > This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy). + - - -ADMX Info: -- GP Friendly name: *Disable lockdown of Start pages* -- GP name: *DisableLockdownOfStartPages* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +**Description framework properties**: - - -Supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- 0 (default) – Lock down Start pages configured in either the ConfigureOpenEdgeWith policy and HomePages policy. -- 1 – Unlocked. Users can make changes to all configured start pages.

    When you enable this policy and define a set of URLs in the HomePages policy, Microsoft Edge uses the URLs defined in the ConfigureOpenEdgeWith policy. + +**Allowed values**: -Most restricted value: 0 - - +| Value | Description | +|:--|:--| +| 0 (Default) | Lock down Start pages configured in either the ConfigureOpenEdgeWith policy and HomePages policy. | +| 1 | Unlocked. Users can make changes to all configured start pages. | + -


    + +**Group policy mapping**: - -**Browser/EnableExtendedBooksTelemetry** +| Name | Value | +|:--|:--| +| Name | DisableLockdownOfStartPages | +| Friendly Name | Disable lockdown of Start pages | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| ADMX File Name | MicrosoftEdge.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + + +## EnableExtendedBooksTelemetry - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry +``` + -
    + + +This policy setting lets you decide how much data to send to Microsoft about the book you're reading from the Books tab in Microsoft Edge. - - +- If you enable this setting, Microsoft Edge sends additional telemetry data, on top of the basic telemetry data, from the Books tab. -[!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../includes/allow-extended-telemetry-for-books-tab-shortdesc.md)] +- If you disable or don't configure this setting, Microsoft Edge only sends basic telemetry data, depending on your device configuration. + - - -ADMX Info: -- GP Friendly name: *Allow extended telemetry for the Books tab* -- GP name: *EnableExtendedBooksTelemetry* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + + + - - -Supported values: + +**Description framework properties**: -- 0 (default) - Gather and send only basic diagnostic data, depending on the device configuration. -- 1 - Gather all diagnostic data. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -Most restricted value: 0 - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Gather and send only basic diagnostic data, depending on the device configuration. | +| 1 | Gather all diagnostic data. | + - -**Browser/EnterpriseModeSiteList** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableExtendedBooksTelemetry | +| Friendly Name | Allow extended telemetry for the Books tab | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary | +| Registry Value Name | EnableExtendedBooksTelemetry | +| ADMX File Name | MicrosoftEdge.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + + + + - -
    + +## EnterpriseModeSiteList - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * User -> * Device + +```User +./User/Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList +``` + - - + + +This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. + -[!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../includes/configure-enterprise-mode-site-list-shortdesc.md)] + + + - - -ADMX Info: -- GP Friendly name: *Configure the Enterprise Mode Site List* -- GP name: *EnterpriseModeSiteList* -- GP element: *EnterSiteListPrompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +**Description framework properties**: - - -Supported values: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- 0 (default) - Turned off. Microsoft Edge doesn't check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. -- 1 - Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box.

    For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp). + +**Group policy mapping**: +| Name | Value | +|:--|:--| +| Name | EnterpriseModeSiteList | +| Friendly Name | Configure the Enterprise Mode Site List | +| Element Name | Type the location (URL) of your Enterprise Mode IE website list | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode | +| ADMX File Name | MicrosoftEdge.admx | + - - + + + -


    + - -**Browser/EnterpriseSiteListServiceUrl** + +## EnterpriseSiteListServiceUrl - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + +```User +./User/Vendor/MSFT/Policy/Config/Browser/EnterpriseSiteListServiceUrl +``` +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/EnterpriseSiteListServiceUrl +``` + - -
    + + +Important. Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseModeSiteList policy instead. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## FirstRunURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/FirstRunURL +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/FirstRunURL +``` + + + + +Configure first run URL. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dependency [Browser_FirstRunURL_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +## HomePages + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/HomePages +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/HomePages +``` + + + + +When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: `` `` If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: If you do not want to send traffic to Microsoft, enable this policy and use the `` value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. 
Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Open Microsoft Edge With - Disable Lockdown of Start Pages + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HomePages | +| Friendly Name | Configure Start pages | +| Element Name | Use this format: `` `<>` | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## LockdownFavorites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/LockdownFavorites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/LockdownFavorites +``` + + + + +This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. + +- If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +**Important** +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +- If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed/not locked down. Users can add, import, and make changes to the favorites. | +| 1 | Prevented/locked down. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LockdownFavorites | +| Friendly Name | Prevent changes to Favorites on Microsoft Edge | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Favorites | +| Registry Value Name | LockdownFavorites | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventAccessToAboutFlagsInMicrosoftEdge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge +``` + + + + +This policy settings lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. + +- If you enable this policy setting, employees can't access the about:flags page. + +- If you disable or don't configure this setting, employees can access the about:flags page. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed. | +| 1 | Prevents users from accessing the about:flags page. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventAccessToAboutFlagsInMicrosoftEdge | +| Friendly Name | Prevent access to the about:flags page in Microsoft Edge | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | PreventAccessToAboutFlagsInMicrosoftEdge | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventCertErrorOverrides + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventCertErrorOverrides +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventCertErrorOverrides +``` + + + + +Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. + +If enabled, overriding certificate errors are not allowed. + +If disabled or not configured, overriding certificate errors are allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed/turned on. Override the security warning to sites that have SSL errors. | +| 1 | Prevented/turned on. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventCertErrorOverrides | +| Friendly Name | Prevent certificate error overrides | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| Registry Value Name | PreventCertErrorOverrides | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventFirstRunPage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage +``` + + + + +This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time. + +- If you enable this setting, employees won't see the First Run page when opening Microsoft Edge for the first time. + +- If you disable or don't configure this setting, employees will see the First Run page when opening Microsoft Edge for the first time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed. Load the First Run webpage. | +| 1 | Prevented/Not allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventFirstRunPage | +| Friendly Name | Prevent the First Run webpage from opening on Microsoft Edge | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | PreventFirstRunPage | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventLiveTileDataCollection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection +``` + + + + +This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. + +- If you enable this setting, Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu. + +- If you disable or don't configure this setting, Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Collect and send Live Tile metadata. | +| 1 | No data collected. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventLiveTileDataCollection | +| Friendly Name | Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | PreventLiveTileDataCollection | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventSmartScreenPromptOverride + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverride +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverride +``` + + + + +This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. + +- If you enable this setting, employees can't ignore Windows Defender SmartScreen warnings and they are blocked from continuing to the site. + +- If you disable or don't configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue to the site. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed/turned off. Users can ignore the warning and continue to the site. | +| 1 | Prevented/turned on. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventSmartScreenPromptOverride | +| Friendly Name | Prevent bypassing Windows Defender SmartScreen prompts for sites | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter | +| Registry Value Name | PreventOverride | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventSmartScreenPromptOverrideForFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles +``` + + + + +This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. + +- If you enable this setting, employees can't ignore Windows Defender SmartScreen warnings and they are blocked from downloading the unverified files. + +- If you disable or don't configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue the download process. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | +| 1 | Prevented/turned on. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventSmartScreenPromptOverrideForFiles | +| Friendly Name | Prevent bypassing Windows Defender SmartScreen prompts for files | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter | +| Registry Value Name | PreventOverrideAppRepUnknown | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventTurningOffRequiredExtensions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions +``` + + + + + + + + +You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. + +- When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding `Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe` prevents a user from turning off the OneNote Web Clipper and Office Online extension. When enabled, removing extensions from the list does not uninstall the extension from the user's computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. +- If disabled or not configured, extensions defined as part of this policy get ignored. 
+- Default setting: Disabled or not configured + +Related Documents: + +- [Find a package family name (PFN) for per-app VPN](/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- [How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business) +- [Assign apps to groups with Microsoft Intune](/mem/intune/apps/apps-deploy) +- [Manage apps from the Microsoft Store for Business and Education with Configuration Manager](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- [Add a Windows line-of-business app to Microsoft Intune](/mem/intune/apps/lob-apps-windows) + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventTurningOffRequiredExtensions | +| Friendly Name | Prevent turning off required extensions | +| Element Name | In the space below, enter extension package family names (PFNs) separated by semi-colons. | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Extensions | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventUsingLocalHostIPAddressForWebRTC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC +``` + + + + +This policy setting lets you decide whether an employee's LocalHost IP address shows while making calls using the WebRTC protocol. + +- If you enable this setting, LocalHost IP addresses are hidden while making calls using the WebRTC protocol. + +- If you disable or don't configure this setting, LocalHost IP addresses are shown while making calls using the WebRTC protocol. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed. Show localhost IP addresses. | +| 1 | Prevented/Not allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HideLocalHostIPAddress | +| Friendly Name | Prevent using Localhost IP address for WebRTC | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | HideLocalHostIP | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## ProvisionFavorites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites +``` + + + + +This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. +- If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites - - > [!IMPORTANT] -> Discontinued in Windows 10, version 1511. Use the [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) policy instead. - - - - -
    - - -**Browser/HomePages** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [configure-start-pages-shortdesc](../includes/configure-start-pages-shortdesc.md)] - -**Version 1607**
    -From this version, the HomePages policy enforces that users can't change the Start pages settings. - -**Version 1703**
    -If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL. - -**Version 1809**
    -When you enable the Configure Open Microsoft Edge With policy and select an option, and you enter the URLs of the pages you want to load as the Start pages in this policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the HomePages policy. - - -> [!NOTE] -> Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. - - - -ADMX Info: -- GP Friendly name: *Configure Start pages* -- GP name: *HomePages* -- GP element: *HomePagesPrompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank (default) - Load the pages specified in App settings as the default Start pages. -- String - Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets and comma:

          \,\ - - - - -


    - - -**Browser/LockdownFavorites** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1709* - -[!INCLUDE [prevent-changes-to-favorites-shortdesc](../includes/prevent-changes-to-favorites-shortdesc.md)] - - - - -ADMX Info: -- GP Friendly name: *Prevent changes to Favorites on Microsoft Edge* -- GP name: *LockdownFavorites* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) - Allowed/not locked down. Users can add, import, and make changes to the favorites. -- 1 - Prevented/locked down. - -Most restricted value: 1 - - - -
    - - -**Browser/PreventAccessToAboutFlagsInMicrosoftEdge** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../includes/prevent-access-to-about-flags-page-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent access to the about:flags page in Microsoft Edge* -- GP name: *PreventAccessToAboutFlagsInMicrosoftEdge* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Allowed. -- 1 – Prevents users from accessing the about:flags page. - -Most restricted value: 1 - - - -
    - - -**Browser/PreventCertErrorOverrides** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [prevent-certificate-error-overrides-shortdesc](../includes/prevent-certificate-error-overrides-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent certificate error overrides* -- GP name: *PreventCertErrorOverrides* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) - Allowed/turned on. Override the security warning to sites that have SSL errors. -- 1 - Prevented/turned on. - -Most restricted value: 1 - - - - - - - - - -
    - - -**Browser/PreventFirstRunPage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703* - -[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../includes/prevent-first-run-webpage-from-opening-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent the First Run webpage from opening on Microsoft Edge* -- GP name: *PreventFirstRunPage* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Allowed. Load the First Run webpage. -- 1 – Prevented/not allowed. - -Most restricted value: 1 - - - -
    - - -**Browser/PreventLiveTileDataCollection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* - -[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start* -- GP name: *PreventLiveTileDataCollection* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Collect and send Live Tile metadata. -- 1 – No data collected. - -Most restricted value: 1 - - - -
    - - -**Browser/PreventSmartScreenPromptOverride** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-sites-shortdesc](../includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent bypassing Windows Defender SmartScreen prompts for sites* -- GP name: *PreventSmartScreenPromptOverride* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Allowed/turned off. Users can ignore the warning and continue to the site. -- 1 – Prevented/turned on. - -Most restricted value: 1 - - - -
    - - -**Browser/PreventSmartScreenPromptOverrideForFiles** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-files-shortdesc](../includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent bypassing Windows Defender SmartScreen prompts for files* -- GP name: *PreventSmartScreenPromptOverrideForFiles* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). -- 1 – Prevented/turned on. - -Most restricted value: 1 - - - -
    - - -**Browser/PreventTurningOffRequiredExtensions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../includes/prevent-turning-off-required-extensions-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent turning off required extensions* -- GP name: *PreventTurningOffRequiredExtensions* -- GP element: *PreventTurningOffRequiredExtensions_Prompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank (default) - Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. - -- String - Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper extension prevents users from turning it off:

          _Microsoft.OneNoteWebClipper8wekyb3d8bbwe_

    After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.

    Removing extensions from the list doesn't uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy doesn't prevent users from debugging and altering the logic on an extension. - - - - - - - - - - -


    - - -**Browser/PreventUsingLocalHostIPAddressForWebRTC** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent using Localhost IP address for WebRTC* -- GP name: *HideLocalHostIPAddress* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Allowed. Show localhost IP addresses. -- 1 – Prevented/not allowed. - -Most restricted value: 1 - - - -
    - - -**Browser/ProvisionFavorites** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1709 or later* - -[!INCLUDE [provision-favorites-shortdesc](../includes/provision-favorites-shortdesc.md)] - - +> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +- If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfiguredFavorites | +| Friendly Name | Provision Favorites | +| Element Name | Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Microsoft Edge and use that html file for provisioning user machines.

    URL can be specified as

    1. HTTP location: https://localhost:8080/URLs.html
    2. Local network: \\network\shares\URLs.html
    3. Local file: file:///c:\\Users\\``\\Documents\\URLs.html or C:\\Users\\``\\Documents\\URLs.html | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Favorites | +| ADMX File Name | MicrosoftEdge.admx | + + + + +**Example**: Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off. To define a default list of favorites: 1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**. 2. Click **Import from another browser**, click **Export to file** and save the file. 3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision.

    Specify the URL as:

    • HTTP location: "SiteList"=``
    • Local network: "SiteList"="\network\shares\URLs.html"
    • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
    - - ->[!IMPORTANT] ->Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. - - - - - - -ADMX Info: -- GP Friendly name: *Provision Favorites* -- GP name: *ConfiguredFavorites* -- GP element: *ConfiguredFavoritesPrompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - - -
    - - -**Browser/SendIntranetTraffictoInternetExplorer** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../includes/send-all-intranet-sites-to-ie-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Send all intranet sites to Internet Explorer 11* -- GP name: *SendIntranetTraffictoInternetExplorer* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) - All sites, including intranet sites, open in Microsoft Edge automatically. -- 1 - Only intranet sites open in Internet Explorer 11 automatically.

    Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.

    1. In Group Policy Editor, navigate to:

      **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** and click **Enable**.

    2. Refresh the policy and then view the affected sites in Microsoft Edge.

      A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it isn't yet running, or in a new tab.

    - -Most restricted value: 0 - - - - -
    - - -**Browser/SetDefaultSearchEngine** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703* - -[!INCLUDE [set-default-search-engine-shortdesc](../includes/set-default-search-engine-shortdesc.md)] - -> [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy). - - -Most restricted value: 0 - - - -ADMX Info: -- GP Friendly name: *Set default search engine* -- GP name: *SetDefaultSearchEngine* -- GP element: *SetDefaultSearchEngine_Prompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [AllowSearchEngineCustomization](#browser-allowsearchenginecustomization) policy, users can't make changes. -- 0 - Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. -- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users can't change the default search engine.

    Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

    If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.

    If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. - -Most restricted value: 1 - - - -


    - - -**Browser/SetHomeButtonURL** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [set-home-button-url-shortdesc](../includes/set-home-button-url-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Set Home Button URL* -- GP name: *SetHomeButtonURL* -- GP element: *SetHomeButtonURLPrompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank (default) - Show the home button and loads the Start page and locks down the home button to prevent users from changing what page loads. -- String - Load a custom URL for the home button. You must also enable the Configure Home Button policy and select the _Show home button & set a specific page_ option.

    Enter a URL in string format, for example, https://www.msn.com. - - - - - - - - - - -


    - - -**Browser/SetNewTabPageURL** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [set-new-tab-url-shortdesc](../includes/set-new-tab-url-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Set New Tab page URL* -- GP name: *SetNewTabPageURL* -- GP element: *SetNewTabPageURLPrompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank (default) - Load the default New tab page. -- String - Prevent users from changing the New tab page.

    Enter a URL in string format, for example, https://www.msn.com. - - - - - - - - - -


    - - -**Browser/ShowMessageWhenOpeningSitesInInternetExplorer** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../includes/show-message-when-opening-sites-in-ie-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Show message when opening sites in Internet Explorer* -- GP name: *ShowMessageWhenOpeningSitesInInternetExplorer* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – No other message displays. -- 1 – Show another message stating that a site has opened in IE11. -- 2 - Show another message with a "Keep going in Microsoft Edge" link. - -Most restricted value: 0 - - - -
    - - -**Browser/SuppressEdgeDeprecationNotification** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy allows Enterprise Admins to turn off the notification for company devices that the Edge Legacy browser is no longer supported after March 9, 2021, to avoid confusion for their enterprise users and reduce help desk calls. -By default, a notification will be presented to the user informing them of this update upon application startup. -With this policy, you can either allow (default) or suppress this notification. - - - -ADMX Info: -- GP Friendly name: *Suppress Edge Deprecation Notification* -- GP name: *SuppressEdgeDeprecationNotification* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Allowed. Notification will be shown at application startup. -- 1 – Prevented/not allowed. - -
    - -Browser/SyncFavoritesBetweenIEAndMicrosoftEdge - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* - - -[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Keep favorites in sync between Internet Explorer and Microsoft Edge* -- GP name: *SyncFavoritesBetweenIEAndMicrosoftEdge* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Turned off/not syncing -- 1 – Turned on/syncing - - - + + + + + +## SendIntranetTraffictoInternetExplorer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer +``` + + + + +This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. + +- If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11. + +- If you disable or don't configure this setting, all intranet sites are automatically opened using Microsoft Edge. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | All sites, including intranet sites, open in Microsoft Edge automatically. | +| 1 | Only intranet sites open in Internet Explorer 11 automatically. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SendIntranetTraffictoInternetExplorer | +| Friendly Name | Send all intranet sites to Internet Explorer 11 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | SendIntranetTraffictoInternetExplorer | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## SetDefaultSearchEngine + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine +``` + + + + +Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. +- If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. 
+ + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SetDefaultSearchEngine | +| Friendly Name | Set default search engine | +| Element Name | Use this format to specify the link you wish to add: `<>` | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\OpenSearch | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## SetHomeButtonURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL +``` + + + + +The home button can be configured to load a custom URL when your user clicks the home button. If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. Default setting: Blank or not configured Related policy: Configure Home Button + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SetHomeButtonURL | +| Friendly Name | Set Home Button URL | +| Element Name | Enter a URL in string format. For example: | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## SetNewTabPageURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL +``` + + + + +You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. If enabled, you can set the default New Tab page URL. If disabled or not configured, the default Microsoft Edge new tab page is used. Default setting: Disabled or not configured Related policy: Allow web content on New Tab page + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SetNewTabPageURL | +| Friendly Name | Set New Tab page URL | +| Element Name | Enter a URL in string format. For example: | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## ShowMessageWhenOpeningSitesInInternetExplorer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer +``` + + + + +You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. + +If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. + +If disabled or not configured, the default app behavior occurs and no additional page displays. + +Default setting: Disabled or not configured +Related policies: +-Configure the Enterprise Mode Site List +-Send all intranet sites to Internet Explorer 11 + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | No additional message displays. | +| 1 | Show an additional message stating that a site has opened in IE11. | +| 2 | Show an additional message with a "Keep going in Microsoft Edge" link. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ShowMessageWhenOpeningSitesInInternetExplorer | +| Friendly Name | Show message when opening sites in Internet Explorer | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | ShowMessageWhenOpeningSitesInInternetExplorer | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## SyncFavoritesBetweenIEAndMicrosoftEdge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge +``` + + + + +This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge. + +- If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge. + +- If you disable or don't configure this setting, employees can't sync their favorites between Internet Explorer and Microsoft Edge. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Turned off/not syncing. | +| 1 | Turned on/syncing. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SyncFavoritesBetweenIEAndMicrosoftEdge | +| Friendly Name | Keep favorites in sync between Internet Explorer and Microsoft Edge | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | SyncFavoritesBetweenIEAndMicrosoftEdge | +| ADMX File Name | MicrosoftEdge.admx | + + + + +**Verify**: To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge:
      @@ -3329,123 +3818,163 @@ To verify that favorites are in synchronized between Internet Explorer and Micro
    1. Open Microsoft Edge, then select Hub > Favorites.
    2. Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge.
    + - - + -
    + +## UnlockHomeButton - -**Browser/UnlockHomeButton** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/UnlockHomeButton +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/UnlockHomeButton +``` + + + +By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. - -
    +If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. -> [!div class = "checklist"] -> * User -> * Device +Default setting: Disabled or not configured +Related policy: +-Configure Home Button +-Set Home Button URL + -
    + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -[!INCLUDE [unlock-home-button-shortdesc](../includes/unlock-home-button-shortdesc.md)] + +**Allowed values**: - - -ADMX Info: -- GP Friendly name: *Unlock Home Button* -- GP name: *UnlockHomeButton* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* +| Value | Description | +|:--|:--| +| 0 (Default) | Lock down and prevent users from making changes to the settings. | +| 1 | Let users make changes. | + - - -Supported values: + +**Group policy mapping**: -- 0 (default) - Lock down and prevent users from making changes to the settings. -- 1 - Let users make changes. +| Name | Value | +|:--|:--| +| Name | UnlockHomeButton | +| Friendly Name | Unlock Home Button | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| Registry Value Name | UnlockHomeButton | +| ADMX File Name | MicrosoftEdge.admx | + - - + + + - - + - - + +## UseSharedFolderForBooks -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -**Browser/UseSharedFolderForBooks** + +```User +./User/Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks +``` - +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + + +This policy setting lets you decide whether Microsoft Edge stores books from the Books tab to a default, shared folder for Windows. +- If you enable this setting, Microsoft Edge automatically downloads book files to a common, shared folder and prevents students and teachers from removing the book from the Books tab. For this to work properly, your students and teachers must be signed in using a school account. - -
    +- If you disable or don't configure this setting, Microsoft Edge downloads book files to a per-user folder for each student or teacher. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -[!INCLUDE [allow-a-shared-books-folder-shortdesc](../includes/allow-a-shared-books-folder-shortdesc.md)] +| Value | Description | +|:--|:--| +| 0 (Default) | Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. | +| 1 | Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account. | + - - -ADMX Info: -- GP Friendly name: *Allow a shared Books folder* -- GP name: *UseSharedFolderForBooks* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +**Group policy mapping**: - - -Supported values: +| Name | Value | +|:--|:--| +| Name | UseSharedFolderForBooks | +| Friendly Name | Allow a shared Books folder | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary | +| Registry Value Name | UseSharedFolderForBooks | +| ADMX File Name | MicrosoftEdge.admx | + -- 0 - Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. -- 1 - Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account. + + + -Most restricted value: 0 - - -
    + + + + + - +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 8c04fb2ffd..6b88a97e01 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -1,86 +1,98 @@ --- -title: Policy CSP - Camera -description: Learn how to use the Policy CSP - Camera setting so that you can configure it to disable or enable the camera. +title: Camera Policy CSP +description: Learn more about the Camera Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Camera + + + + +## AllowCamera -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -## Camera policies + +```Device +./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera +``` + -
    -
    - Camera/AllowCamera -
    -
    + + +This policy setting allow the use of Camera devices on the machine. +- If you enable or do not configure this policy setting, Camera devices will be enabled. -
    +- If you disable this property setting, Camera devices will be disabled. + - -**Camera/AllowCamera** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -> [!div class = "checklist"] -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | L_AllowCamera | +| Friendly Name | Allow Use of Camera | +| Location | Computer Configuration | +| Path | Windows Components > Camera | +| Registry Key Name | software\Policies\Microsoft\Camera | +| Registry Value Name | AllowCamera | +| ADMX File Name | Camera.admx | + - - -Disables or enables the camera. + + + -Most restricted value is 0. + - - -ADMX Info: -- GP Friendly name: *Allow Use of Camera* -- GP name: *L_AllowCamera* -- GP path: *Windows Components/Camera* -- GP ADMX file name: *Camera.admx* + + + - - -The following list shows the supported values: + -- 0 – Not allowed. -- 1 (default) – Allowed. - - - -
    - - - - +## Related articles +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index fc801d1859..6931233c08 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -1,84 +1,52 @@ --- -title: Policy CSP - Cellular -description: Learn how to use the Policy CSP - Cellular setting so you can specify whether Windows apps can access cellular data. +title: Cellular Policy CSP +description: Learn more about the Cellular Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Cellular > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## LetAppsAccessCellularData - -## Cellular policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    -
    - Cellular/LetAppsAccessCellularData -
    -
    - Cellular/LetAppsAccessCellularData_ForceAllowTheseApps -
    -
    - Cellular/LetAppsAccessCellularData_ForceDenyTheseApps -
    -
    - Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps -
    -
    - Cellular/ShowAppCellularAccessUI -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Cellular/LetAppsAccessCellularData +``` + - -
    - - -**Cellular/LetAppsAccessCellularData** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether Windows apps can access cellular data. + + + You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device. @@ -89,210 +57,272 @@ If you choose the "Force Deny" option, Windows apps aren't allowed to access cel If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device. -If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.” +If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access cellular data* -- GP name: *LetAppsAccessCellularData* -- GP element: *LetAppsAccessCellularData_Enum* -- GP path: *Network/WWAN Service/Cellular Data Access* -- GP ADMX file name: *wwansvc.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- 0 - User is in control -- 1 - Force Allow -- 2 - Force Deny + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | User is in control. | +| 1 | Force Allow. | +| 2 | Force Deny. | + -
    + +**Group policy mapping**: - -**Cellular/LetAppsAccessCellularData_ForceAllowTheseApps** +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCellularData | +| Friendly Name | Let Windows apps access cellular data | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Network > WWAN Service > Cellular Data Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess | +| ADMX File Name | wwansvc.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## LetAppsAccessCellularData_ForceAllowTheseApps - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Cellular/LetAppsAccessCellularData_ForceAllowTheseApps +``` + -> [!div class = "checklist"] -> * Device + + +List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + -
    + + + - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Let Windows apps access cellular data* -- GP name: *LetAppsAccessCellularData* -- GP element: *LetAppsAccessCellularData_ForceAllowTheseApps_List* -- GP path: *Network/WWAN Service/Cellular Data Access* -- GP ADMX file name: *wwansvc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCellularData | +| Friendly Name | Let Windows apps access cellular data | +| Location | Computer Configuration | +| Path | Network > WWAN Service > Cellular Data Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess | +| ADMX File Name | wwansvc.admx | + - -**Cellular/LetAppsAccessCellularData_ForceDenyTheseApps** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## LetAppsAccessCellularData_ForceDenyTheseApps + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Cellular/LetAppsAccessCellularData_ForceDenyTheseApps +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access cellular data* -- GP name: *LetAppsAccessCellularData* -- GP element: *LetAppsAccessCellularData_ForceDenyTheseApps_List* -- GP path: *Network/WWAN Service/Cellular Data Access* -- GP ADMX file name: *wwansvc.admx* + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCellularData | +| Friendly Name | Let Windows apps access cellular data | +| Location | Computer Configuration | +| Path | Network > WWAN Service > Cellular Data Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess | +| ADMX File Name | wwansvc.admx | + -
    + + + - -**Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps** + - + +## LetAppsAccessCellularData_UserInControlOfTheseApps -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps +``` + - -
    + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - - -List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + +**Group policy mapping**: - - -ADMX Info: -- GP Friendly name: *Let Windows apps access cellular data* -- GP name: *LetAppsAccessCellularData* -- GP element: *LetAppsAccessCellularData_UserInControlOfTheseApps_List* -- GP path: *Network/WWAN Service/Cellular Data Access* -- GP ADMX file name: *wwansvc.admx* +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCellularData | +| Friendly Name | Let Windows apps access cellular data | +| Location | Computer Configuration | +| Path | Network > WWAN Service > Cellular Data Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess | +| ADMX File Name | wwansvc.admx | + - - + + + -
    + - -**Cellular/ShowAppCellularAccessUI** + +## ShowAppCellularAccessUI - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Cellular/ShowAppCellularAccessUI +``` + - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX. -If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page. -If this policy setting is disabled or isn't configured, the link to the per-application cellular access control page is shown by default. +- If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page. +- If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Per-App Cellular Access UI Visibility* -- GP name: *ShowAppCellularAccessUI* -- GP path: *Network/WWAN Service/WWAN UI Settings* -- GP ADMX file name: *wwansvc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | ShowAppCellularAccessUI | +| Friendly Name | Set Per-App Cellular Access UI Visibility | +| Location | Computer Configuration | +| Path | Network > WWAN Service > WWAN UI Settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\UISettings | +| ADMX File Name | wwansvc.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-clouddesktop.md b/windows/client-management/mdm/policy-csp-clouddesktop.md index f8bcc48c1b..e614be7f73 100644 --- a/windows/client-management/mdm/policy-csp-clouddesktop.md +++ b/windows/client-management/mdm/policy-csp-clouddesktop.md @@ -1,10 +1,10 @@ --- title: CloudDesktop Policy CSP -description: Learn more about the CloudDesktop Area in Policy CSP +description: Learn more about the CloudDesktop Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/09/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -42,7 +42,7 @@ This policy allows the user to configure the boot to cloud mode. Boot to Cloud m This policy supports the below options: 1. Not Configured: Machine will not trigger the Cloud PC connection automatically. -2. Enable Boot to Cloud Desktop: The user will see that configured Cloud PC Provider application launches automatically. Once the sign-in operation finishes, the user is seamlessly connected to a provisioned Cloud PC. +2. Enable Boot to Cloud Desktop: Users who have a Cloud PC provisioned will get connected seamlessly to the Cloud PC as they finish sign-in operation. 
@@ -64,8 +64,8 @@ This policy supports the below options: | Value | Description | |:--|:--| -| 0 (Default) | Not Configured | -| 1 | Enable Boot to Cloud Desktop | +| 0 (Default) | Not Configured. | +| 1 | Enable Boot to Cloud Desktop. | diff --git a/windows/client-management/mdm/policy-csp-cloudpc.md b/windows/client-management/mdm/policy-csp-cloudpc.md index 0c497a0c4e..dd52780e9a 100644 --- a/windows/client-management/mdm/policy-csp-cloudpc.md +++ b/windows/client-management/mdm/policy-csp-cloudpc.md @@ -4,7 +4,7 @@ description: Learn more about the CloudPC Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/02/2022 +ms.date: 12/27/2022 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -26,7 +26,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | @@ -36,6 +36,7 @@ ms.topic: reference + This policy is used by IT admin to set the configuration mode of cloud PC. diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index e9849f6706..0254386450 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md 
@@ -1,786 +1,924 @@ --- -title: Policy CSP - Connectivity -description: Learn how to use the Policy CSP - Connectivity setting to allow the user to enable Bluetooth or restrict access. +title: Connectivity Policy CSP +description: Learn more about the Connectivity Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Connectivity ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowBluetooth - -## Connectivity policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    -
    - Connectivity/AllowBluetooth -
    -
    - Connectivity/AllowCellularData -
    -
    - Connectivity/AllowCellularDataRoaming -
    -
    - Connectivity/AllowConnectedDevices -
    -
    - Connectivity/AllowPhonePCLinking -
    -
    - Connectivity/AllowUSBConnection -
    -
    - Connectivity/AllowVPNOverCellular -
    -
    - Connectivity/AllowVPNRoamingOverCellular -
    -
    - Connectivity/DisablePrintingOverHTTP -
    -
    - Connectivity/DisableDownloadingOfPrintDriversOverHTTP -
    -
    - Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards -
    -
    - Connectivity/DisallowNetworkConnectivityActiveTests -
    -
    - Connectivity/HardenedUNCPaths -
    -
    - Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowBluetooth +``` + - -
    - - -**Connectivity/AllowBluetooth** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows the user to enable Bluetooth or restrict access. + + +Allows the user to enable Bluetooth or restrict access > [!NOTE] ->  This value isn't supported in Windows 10. +> This value is not supported in Windows Phone 8. 1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. If this is not set or it is deleted, the default value of 2 (Allow) is used. Most restricted value is 0. + -If this policy isn't set or is deleted, the default value of 2 (Allow) is used. + + + -Most restricted value is 0. + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + -- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be grayed out and the user won't be able to turn on Bluetooth. -- 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn on Bluetooth. -- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn on Bluetooth. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be grayed out and the user will not be able to turn Bluetooth on. | +| 1 | Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. | +| 2 (Default) | Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. | + -
    + + + - -**Connectivity/AllowCellularData** + - + +## AllowCellularData -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowCellularData +``` + - -
    + + +Allows the cellular data channel on the device. Device reboot is not required to enforce the policy. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -This policy allows the cellular data channel on the device. Device reboot isn't required to enforce the policy. +| Value | Description | +|:--|:--| +| 0 | Do not allow the cellular data channel. The user cannot turn it on. This value is not supported in Windows 10, version 1511. | +| 1 (Default) | Allow the cellular data channel. The user can turn it off. | +| 2 | Allow the cellular data channel. The user cannot turn it off. | + - - -The following list shows the supported values: + + + -- 0 – Don't allow the cellular data channel. The user can't turn it on. This value isn't supported in Windows 10, version 1511. -- 1 (default) – Allow the cellular data channel. The user can turn it off. -- 2 - Allow the cellular data channel. The user can't turn it off. + - - + +## AllowCellularDataRoaming -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -**Connectivity/AllowCellularDataRoaming** + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowCellularDataRoaming +``` + - + + +This policy setting prevents clients from connecting to Mobile Broadband networks when the client is registered on a roaming provider network. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If this policy setting is enabled, all automatic and manual connection attempts to roaming provider networks are blocked until the client registers with the home provider network. +- If this policy setting is not configured or is disabled, clients are allowed to connect to roaming provider Mobile Broadband networks. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - - -Allows or disallows cellular data roaming on the device. Device reboot isn't required to enforce the policy. +| Value | Description | +|:--|:--| +| 0 | Do not allow cellular data roaming. The user cannot turn it on. This value is not supported in Windows 10, version 1511. | +| 1 (Default) | Allow cellular data roaming. | +| 2 | Allow cellular data roaming on. The user cannot turn it off. | + -Most restricted value is 0. + +**Group policy mapping**: - - -ADMX Info: -- GP Friendly name: *Prohibit connection to roaming Mobile Broadband networks* -- GP name: *WCM_DisableRoaming* -- GP path: *Network/Windows Connection Manager* -- GP ADMX file name: *WCM.admx* +| Name | Value | +|:--|:--| +| Name | WCM_DisableRoaming | +| Friendly Name | Prohibit connection to roaming Mobile Broadband networks | +| Location | Computer Configuration | +| Path | Network > Windows Connection Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy | +| Registry Value Name | fBlockRoaming | +| ADMX File Name | WCM.admx | + - - -The following list shows the supported values: + + +**Validate**: -- 0 – Don't allow cellular data roaming. The user can't turn it on. This value isn't supported in Windows 10, version 1511. -- 1 (default) – Allow cellular data roaming. -- 2 - Allow cellular data roaming on. The user can't turn it off. +To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. To validate on a device, perform the following steps: - - -To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. +1. Go to Cellular & SIM. +2. Click on the SIM (next to the signal strength icon) and select **Properties**. +3. On the Properties page, select **Data roaming options**. 
+ -To validate on devices, perform the following steps: + -1. Go to Cellular & SIM. -2. Click on the SIM (next to the signal strength icon) and select **Properties**. -3. On the Properties page, select **Data roaming options**. + +## AllowConnectedDevices - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowConnectedDevices +``` + - -**Connectivity/AllowConnectedDevices** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + > [!NOTE] -> This policy requires reboot to take effect. +> This policy requires reboot to take effect. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. + -This policy allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 1 (default) - Allow (CDP service available). -- 0 - Disable (CDP service not available). +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Disable (CDP service not available). | +| 1 (Default) | Allow (CDP service available). | + - -**Connectivity/AllowPhonePCLinking** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AllowNFC +> [!NOTE] +> This policy is deprecated and may be removed in a future release. - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowNFC +``` + -> [!div class = "checklist"] -> * Device + + +This policy is deprecated. + -
    + + + - - -This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between Phone and PC. + +**Description framework properties**: -If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in 'Continue on PC experiences'. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -If you disable this policy setting, the Windows device isn't allowed to be linked to phones, will remove itself from the device list of any linked Phones, and can't participate in 'Continue on PC experiences'. + +**Allowed values**: -If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - - -ADMX Info: -- GP name: *enableMMX* -- GP ADMX file name: *grouppolicy.admx* + + + - - -This setting supports a range of values between 0 and 1. + -- 0 - Don't link -- 1 (default) - Allow phone-PC linking + +## AllowPhonePCLinking - - -Validation: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowPhonePCLinking +``` + + + + +This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC. + +- If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences. + +- If you disable this policy setting, the Windows device is not allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and cannot participate in Continue on PC experiences. + +- If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Do not link. | +| 1 (Default) | Allow phone-PC linking. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableMMX | +| Friendly Name | Phone-PC linking on this device | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableMmx | +| ADMX File Name | GroupPolicy.admx | + + + + +**Validate**: If the Connectivity/AllowPhonePCLinking policy is configured to value 0, add a phone button in the Phones section in settings will be grayed out and clicking it will not launch the window for a user to enter their phone number. Device that has previously opt-in to MMX will also stop showing on the device list. + - - + -
    + +## AllowUSBConnection - -**Connectivity/AllowUSBConnection** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowUSBConnection +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + > [!NOTE] -> Currently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. +> Currently, this policy is supported only in HoloLens 2, HoloLens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. Most restricted value is 0. + -Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy doesn't affect USB charging. + + + -Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. + +**Description framework properties**: -Most restricted value is 0. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - -The following list shows the supported values: + +**Allowed values**: -- 0 – Not allowed. -- 1 (default) – Allowed. +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - - + + + -
    + - -**Connectivity/AllowVPNOverCellular** + +## AllowVPNOverCellular - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowVPNOverCellular +``` + + + +Specifies what type of underlying connections VPN is allowed to use. Most restricted value is 0. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - - -Specifies what type of underlying connections VPN is allowed to use. +| Value | Description | +|:--|:--| +| 0 | VPN is not allowed over cellular. | +| 1 (Default) | VPN can use any connection, including cellular. | + -Most restricted value is 0. + + + - - -The following list shows the supported values: + -- 0 – VPN isn't allowed over cellular. -- 1 (default) – VPN can use any connection, including cellular. + +## AllowVPNRoamingOverCellular - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowVPNRoamingOverCellular +``` + - -**Connectivity/AllowVPNRoamingOverCellular** + + +Prevents the device from connecting to VPN when the device roams over cellular networks. Most restricted value is 0. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -This policy prevents the device from connecting to VPN when the device roams over cellular networks. + +## DiablePrintingOverHTTP -Most restricted value is 0. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/DiablePrintingOverHTTP +``` + -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**Connectivity/DisablePrintingOverHTTP** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether to allow printing over HTTP from this client. -Printing over HTTP allows a client to print to printers on the intranet and the Internet. +Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. -Note: This policy setting affects the client side of Internet printing only. It doesn't prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. +> [!NOTE] +> This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. -If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. +- If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. -If you disable or don't configure this policy setting, users can choose to print to Internet printers over HTTP. +- If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off printing over HTTP* -- GP name: *DisableHTTPPrinting_2* -- GP path: *Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**Connectivity/DisableDownloadingOfPrintDriversOverHTTP** +| Name | Value | +|:--|:--| +| Name | DisableHTTPPrinting_2 | +| Friendly Name | Turn off printing over HTTP | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | DisableHTTPPrinting | +| ADMX File Name | ICM.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## DisableDownloadingOfPrintDriversOverHTTP - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/DisableDownloadingOfPrintDriversOverHTTP +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. -Note: This policy setting doesn't prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that aren't already installed locally. +> [!NOTE] +> This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. -If you enable this policy setting, print drivers can't be downloaded over HTTP. +- If you enable this policy setting, print drivers cannot be downloaded over HTTP. -If you disable or don't configure this policy setting, users can download print drivers over HTTP. +- If you disable or do not configure this policy setting, users can download print drivers over HTTP. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off downloading of print drivers over HTTP* -- GP name: *DisableWebPnPDownload_2* -- GP path: *Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards** +| Name | Value | +|:--|:--| +| Name | DisableWebPnPDownload_2 | +| Friendly Name | Turn off downloading of print drivers over HTTP | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | DisableWebPnPDownload | +| ADMX File Name | ICM.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. -If you enable this policy setting, Windows doesn't download providers, and only the service providers that are cached in the local registry are displayed. +- If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed. -If you disable or don't configure this policy setting, a list of providers is downloaded when the user uses the web publishing or online ordering wizards. +- If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards. -For more information, including details on specifying service providers in the registry, see the documentation for the web publishing and online ordering wizards. +See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Internet download for Web publishing and online ordering wizards* -- GP name: *ShellPreventWPWDownload_2* -- GP path: *Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**Connectivity/DisallowNetworkConnectivityActiveTests** +| Name | Value | +|:--|:--| +| Name | ShellPreventWPWDownload_2 | +| Friendly Name | Turn off Internet download for Web publishing and online ordering wizards | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoWebServices | +| ADMX File Name | ICM.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## DisallowNetworkConnectivityActiveTests - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/DisallowNetworkConnectivityActiveTests +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting turns off the active tests performed by the Windows Network Connectivity Status Indicator (NCSI) to determine whether your computer is connected to the Internet or to a more limited network. -
    +As part of determining the connectivity level, NCSI performs one of two active tests: downloading a page from a dedicated Web server or making a DNS request for a dedicated address. - - -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to `` to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to `www.msftconnecttest.com`. +- If you enable this policy setting, NCSI does not run either of the two active tests. This may reduce the ability of NCSI, and of other components that use NCSI, to determine Internet access. -Value type is integer. +- If you disable or do not configure this policy setting, NCSI runs one of the two active tests. + - - -ADMX Info: -- GP Friendly name: *Turn off Windows Network Connectivity Status Indicator active tests* -- GP name: *NoActiveProbe* -- GP path: *Internet Communication settings* -- GP ADMX file name: *ICM.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Connectivity/HardenedUNCPaths** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 1 | Allow. | +| 0 (Default) | Block. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: +| Name | Value | +|:--|:--| +| Name | NoActiveProbe | +| Friendly Name | Turn off Windows Network Connectivity Status Indicator active tests | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator | +| Registry Value Name | NoActiveProbe | +| ADMX File Name | ICM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## HardenedUNCPaths -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/HardenedUNCPaths +``` + + + + This policy setting configures secure access to UNC paths. -If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling other security requirements. +- If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. + - + + +For more information, see [MS15-011: Vulnerability in Group Policy could allow remote code execution](https://support.microsoft.com/kb/3000483). + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hardened UNC Paths* -- GP name: *Pol_HardenedPaths* -- GP path: *Network/Network Provider* -- GP ADMX file name: *networkprovider.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge** +| Name | Value | +|:--|:--| +| Name | Pol_HardenedPaths | +| Friendly Name | Hardened UNC Paths | +| Location | Computer Configuration | +| Path | Network > Network Provider | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths | +| ADMX File Name | NetworkProvider.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## ProhibitInstallationAndConfigurationOfNetworkBridge - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge +``` + -> [!div class = "checklist"] -> * Device + + +Determines whether a user can install and configure the Network Bridge. -
    +> [!IMPORTANT] +> This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. - - -This policy determines whether a user can install and configure the Network Bridge. +The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segements together. This connection appears in the Network Connections folder. -Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting doesn't apply. +- If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer. + -The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segments together. This connection appears in the Network Connections folder. + + + -If you disable this setting or don't configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting doesn't remove an existing Network Bridge from the user's computer. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- -ADMX Info: -- GP Friendly name: *Prohibit installation and configuration of Network Bridge on your DNS domain network* -- GP name: *NC_AllowNetBridge_NLA* -- GP path: *Network/Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | NC_AllowNetBridge_NLA | +| Friendly Name | Prohibit installation and configuration of Network Bridge on your DNS domain network | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_AllowNetBridge_NLA | +| ADMX File Name | NetworkConnections.admx | + -
    + + + + + + + - + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index e8769b8986..b6865f7b07 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -1,78 +1,56 @@ --- -title: Policy CSP - ControlPolicyConflict -description: Use the Policy CSP - ControlPolicyConflict setting to control which policy is used whenever both the MDM policy and its equivalent Group Policy are set on the device. +title: ControlPolicyConflict Policy CSP +description: Learn more about the ControlPolicyConflict Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.reviewer: -manager: aaroncz -ms.date: 12/31/2017 +ms.topic: reference --- + + + # Policy CSP - ControlPolicyConflict + + + + +## MDMWinsOverGP -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -## ControlPolicyConflict policies + +```Device +./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP +``` + - -**ControlPolicyConflict/MDMWinsOverGP** + + +If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies. + -> [!NOTE] -> This setting doesn't apply to the following types of group policies: -> -> - If they don't map to an MDM policy. For example, Windows Settings > Security Settings > Public Key Policies. -> - If they are group policies that aren't defined by an ADMX template. For example, Windows Settings > Scripts. -> - If they have list entries. For example, Administrative Templates > Windows Components > ActiveX Installer Service > Approved Installation Sites for ActiveX Controls. -> - If they are in the Windows Update category. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device. + + > [!NOTE] > MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs. - This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. > [!NOTE] > This policy doesn't support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1. -The following list shows the supported values: - -- 0 (default) -- 1 - The MDM policy is used and the GP policy is blocked. - The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that: @@ -80,7 +58,7 @@ This ensures that: - The current Policy Manager policies are refreshed from what MDM has set - Any values set by scripts/user outside of GP that conflict with MDM are removed -The [Policy DDF](policy-ddf-file.md) contains the following tags to identify the policies with equivalent GP: +The [Policy DDF](configuration-service-provider-ddf.md) contains the following tags to identify the policies with equivalent GP: - \ - \ 
@@ -91,18 +69,39 @@ For the list MDM-GP mapping list, see [Policies in Policy CSP supported by Group ](./policies-in-policy-csp-supported-by-group-policy.md). The MDM Diagnostic report shows the applied configurations states of a device including policies, certificates, configuration sources, and resource information. The report includes a list of blocked GP settings because MDM equivalent is configured, if any. To get the diagnostic report, go to **Settings** > **Accounts** > **Access work or school** > and then click the desired work or school account. Scroll to the bottom of the page to **Advanced Diagnostic Report** and then click **Create Report**. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) -- 1 - The MDM policy is used and the GP policy is blocked. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -
    + +**Allowed values**: +| Value | Description | +|:--|:--| +| 0 (Default) | . | +| 1 | The MDM policy is used and the GP policy is blocked. | + + + + - + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index 6b8fff0b9e..395755ed2e 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md 
@@ -1,200 +1,212 @@ --- -title: Policy CSP - CredentialProviders -description: Learn how to use the policy CSP for credential provider so you can control whether a domain user can sign in using a convenience PIN. +title: CredentialProviders Policy CSP +description: Learn more about the CredentialProviders Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - CredentialProviders > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowPINLogon - -## CredentialProviders policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    -
    - CredentialProviders/AllowPINLogon -
    -
    - CredentialProviders/BlockPicturePassword -
    -
    - CredentialProviders/DisableAutomaticReDeploymentCredentials -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/CredentialProviders/AllowPINLogon +``` + - -
    - - -**CredentialProviders/AllowPINLogon** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to control whether a domain user can sign in using a convenience PIN. -If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. +- If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. -If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN. +- If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN. > [!NOTE] > The user's domain password will be cached in the system vault when using this feature. To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on convenience PIN sign-in* -- GP name: *AllowDomainPINLogon* -- GP path: *System/Logon* -- GP ADMX file name: *credentialproviders.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**CredentialProviders/BlockPicturePassword** +| Name | Value | +|:--|:--| +| Name | AllowDomainPINLogon | +| Friendly Name | Turn on convenience PIN sign-in | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowDomainPINLogon | +| ADMX File Name | CredentialProviders.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## BlockPicturePassword - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/CredentialProviders/BlockPicturePassword +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to control whether a domain user can sign in using a picture password. -If you enable this policy setting, a domain user can't set up or sign in with a picture password. +- If you enable this policy setting, a domain user can't set up or sign in with a picture password. -If you disable or don't configure this policy setting, a domain user can set up and use a picture password. +- If you disable or don't configure this policy setting, a domain user can set up and use a picture password. -> [!NOTE] -> The user's domain password will be cached in the system vault when using this feature. +**Note** that the user's domain password will be cached in the system vault when using this feature. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off picture password sign-in* -- GP name: *BlockDomainPicturePassword* -- GP path: *System/Logon* -- GP ADMX file name: *credentialproviders.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**CredentialProviders/DisableAutomaticReDeploymentCredentials** +| Name | Value | +|:--|:--| +| Name | BlockDomainPicturePassword | +| Friendly Name | Turn off picture password sign-in | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | BlockDomainPicturePassword | +| ADMX File Name | CredentialProviders.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## DisableAutomaticReDeploymentCredentials - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials +``` + -> [!div class = "checklist"] -> * Device + + +Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the Autopilot Reset is triggered the devices are for ready for use by information workers or students. + -
    + + + - - -Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. + +**Description framework properties**: -The Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the Autopilot Reset is triggered the devices are for ready for use by information workers or students. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - -The following list shows the supported values: + +**Allowed values**: -0 - Enable the visibility of the credentials for Autopilot Reset -1 - Disable visibility of the credentials for Autopilot Reset +| Value | Description | +|:--|:--| +| 0 | Enable the visibility of the credentials for Autopilot Reset. | +| 1 (Default) | Disable visibility of the credentials for Autopilot Reset. | + - - -
    + + + + + + + - + -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md index 1a40f20b82..36ad871eab 100644 --- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md 
@@ -1,95 +1,98 @@ --- -title: Policy CSP - CredentialsDelegation -description: Learn how to use the Policy CSP - CredentialsDelegation setting so that remote host can allow delegation of non-exportable credentials. +title: CredentialsDelegation Policy CSP +description: Learn more about the CredentialsDelegation Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - CredentialsDelegation > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## RemoteHostAllowsDelegationOfNonExportableCredentials - -## CredentialsDelegation policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    -
    - CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials +``` + + + +Remote host allows delegation of non-exportable credentials -
    +When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. - -**CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials** +- If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. - +- If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> [!div class = "checklist"] -> * Device +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | AllowProtectedCreds | +| Friendly Name | Remote host allows delegation of non-exportable credentials | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | AllowProtectedCreds | +| ADMX File Name | CredSsp.admx | + - - -Remote host allows delegation of non-exportable credentials. + + + -When credential delegation is being used, devices provide an exportable version of credentials to the remote host. This version exposes users to the risk of credential theft from attackers on the remote host. + -If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. + + + -If you disable or don't configure this policy setting, Restricted Administration and Remote Credential Guard mode aren't supported. User will always need to pass their credentials to the host. + - - - - -ADMX Info: -- GP Friendly name: *Remote host allows delegation of non-exportable credentials* -- GP name: *AllowProtectedCreds* -- GP path: *System/Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* - - - -
    - - - - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index cc614a22ef..060389719e 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md 
@@ -1,149 +1,164 @@ --- -title: Policy CSP - CredentialsUI -description: Learn how to use the Policy CSP - CredentialsUI setting to configure the display of the password reveal button in password entry user experiences. +title: CredentialsUI Policy CSP +description: Learn more about the CredentialsUI Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - CredentialsUI > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## CredentialsUI policies + +## DisablePasswordReveal -
    -
    - CredentialsUI/DisablePasswordReveal -
    -
    - CredentialsUI/EnumerateAdministrators -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/CredentialsUI/DisablePasswordReveal +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/CredentialsUI/DisablePasswordReveal +``` + - -**CredentialsUI/DisablePasswordReveal** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + This policy setting allows you to configure the display of the password reveal button in password entry user experiences. -If you enable this policy setting, the password reveal button won't be displayed after a user types a password in the password entry text box. +- If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. -If you disable or don't configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. +- If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button. -This policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. +The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not display the password reveal button* -- GP name: *DisablePasswordReveal* -- GP path: *Windows Components/Credential User Interface* -- GP ADMX file name: *credui.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**CredentialsUI/EnumerateAdministrators** +| Name | Value | +|:--|:--| +| Name | DisablePasswordReveal | +| Friendly Name | Do not display the password reveal button | +| Location | Computer and User Configuration | +| Path | Windows Components > Credential User Interface | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredUI | +| Registry Value Name | DisablePasswordReveal | +| ADMX File Name | CredUI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## EnumerateAdministrators - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/CredentialsUI/EnumerateAdministrators +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. -
    +- If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. - - -This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts aren't displayed when the user attempts to elevate a running application. +- If you disable this policy setting, users will always be required to type a user name and password to elevate. + -If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. + + + -If you disable this policy setting, users will always be required to type a user name and password to elevate. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Enumerate administrator accounts on elevation* -- GP name: *EnumerateAdministrators* -- GP path: *Windows Components/Credential User Interface* -- GP ADMX file name: *credui.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | EnumerateAdministrators | +| Friendly Name | Enumerate administrator accounts on elevation | +| Location | Computer Configuration | +| Path | Windows Components > Credential User Interface | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\CredUI | +| Registry Value Name | EnumerateAdministrators | +| ADMX File Name | CredUI.admx | + + + + + - + + + -## Related topics + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 709df7bf13..53aabcf9bf 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -1,141 +1,129 @@ --- -title: Policy CSP - Cryptography -description: Learn how to use the Policy CSP - Cryptography setting to allow or disallow the Federal Information Processing Standard (FIPS) policy. +title: Cryptography Policy CSP +description: Learn more about the Cryptography Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Cryptography + + + + +## AllowFipsAlgorithmPolicy -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -## Cryptography policies + +```Device +./Device/Vendor/MSFT/Policy/Config/Cryptography/AllowFipsAlgorithmPolicy +``` + -
    -
    - Cryptography/AllowFipsAlgorithmPolicy -
    -
    - Cryptography/TLSCipherSuites -
    -
    + + +Allows or disallows the Federal Information Processing Standard (FIPS) policy. + + + + -
    + +**Description framework properties**: - -**Cryptography/AllowFipsAlgorithmPolicy** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 1 | Allow. | +| 0 (Default) | Block. | + + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## TLSCipherSuites - - -This policy setting allows or disallows the Federal Information Processing Standard (FIPS) policy. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - -ADMX Info: -- GP Friendly name: *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +```Device +./Device/Vendor/MSFT/Policy/Config/Cryptography/TLSCipherSuites +``` + - - -The following list shows the supported values: + + +Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. + -0 (default) – Not allowed. -1– Allowed. - - + + + - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + -
    + + + - -**Cryptography/TLSCipherSuites** + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. - - - - - - - - - - - - - - - -
    - - - - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index 5e5484db98..6c2609c4c7 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -1,129 +1,122 @@ --- -title: Policy CSP - DataProtection -description: Use the Policy CSP - DataProtection setting to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. +title: DataProtection Policy CSP +description: Learn more about the DataProtection Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - DataProtection + + + + +## AllowDirectMemoryAccess -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -## DataProtection policies + +```Device +./Device/Vendor/MSFT/Policy/Config/DataProtection/AllowDirectMemoryAccess +``` + -
    -
    - DataProtection/AllowDirectMemoryAccess -
    -
    - DataProtection/LegacySelectiveWipeID -
    -
    + + +This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled. Most restricted value is 0. + + + + -
    + +**Description framework properties**: - -**DataProtection/AllowDirectMemoryAccess** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LegacySelectiveWipeID -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DataProtection/LegacySelectiveWipeID +``` + - - -This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. - -Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**DataProtection/LegacySelectiveWipeID** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!IMPORTANT] -> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. - - -Setting used by Windows 8.1 Selective Wipe. + + +Important. This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. Setting used by Windows 8. 1 Selective Wipe > [!NOTE] -> This policy is not recommended for use in Windows 10. +> This policy is not recommended for use in Windows 10. + - - -
    + + + + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + + + -## Related topics + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index da61efc35d..f01d83375c 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md 
@@ -1,112 +1,168 @@ --- -title: Policy CSP - DataUsage -description: Learn how to use the Policy CSP - DataUsage setting to configure the cost of 4G connections on the local machine. +title: DataUsage Policy CSP +description: Learn more about the DataUsage Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - DataUsage > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## DataUsage policies + +## SetCost3G -
    -
    - DataUsage/SetCost3G -
    -
    - DataUsage/SetCost4G -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/DataUsage/SetCost3G +``` + -
    + + +This policy setting configures the cost of 3G connections on the local machine. - -**DataUsage/SetCost3G** - -
    - - -This policy is deprecated in Windows 10, version 1809. - - - - -
    - - -**DataUsage/SetCost4G** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures the cost of 4G connections on the local machine. - -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine: +- If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine: - Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. + - Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. + - Variable: This connection is costed on a per byte basis. -If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. +- If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. + - + + +> [!NOTE] +> This policy is deprecated. + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set 4G Cost* -- GP name: *SetCost4G* -- GP path: *Network/WWAN Service/WWAN Media Cost* -- GP ADMX file name: *wwansvc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | SetCost3G | +| Friendly Name | Set 3G Cost | +| Location | Computer Configuration | +| Path | Network > WWAN Service > WWAN Media Cost | +| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\NetCost | +| ADMX File Name | wwansvc.admx | + - + + + -## Related topics + + + +## SetCost4G + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DataUsage/SetCost4G +``` + + + + +This policy setting configures the cost of 4G connections on the local machine. + +- If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine: + +- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. + +- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. + +- Variable: This connection is costed on a per byte basis. + +- If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SetCost4G | +| Friendly Name | Set 4G Cost | +| Location | Computer Configuration | +| Path | Network > WWAN Service > WWAN Media Cost | +| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\NetCost | +| ADMX File Name | wwansvc.admx | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index efc7a8a312..298d67d708 100644 --- a/windows/client-management/mdm/policy-csp-defender.md 
+++ b/windows/client-management/mdm/policy-csp-defender.md @@ -1,10 +1,10 @@ --- title: Defender Policy CSP -description: Learn more about the Defender Area in Policy CSP +description: Learn more about the Defender Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/02/2022 +ms.date: 02/10/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -36,11 +36,12 @@ ms.topic: reference -This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. + +This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files. -If you enable or do not configure this setting, archive files will be scanned. +- If you enable or do not configure this setting, archive files will be scanned. -If you disable this setting, archive files will not be scanned. However, archives are always scanned during directed scans. +- If you disable this setting, archive files will not be scanned. However, archives are always scanned during directed scans. @@ -102,11 +103,12 @@ If you disable this setting, archive files will not be scanned. However, archive + This policy setting allows you to configure behavior monitoring. -If you enable or do not configure this setting, behavior monitoring will be enabled. +- If you enable or do not configure this setting, behavior monitoring will be enabled. -If you disable this setting, behavior monitoring will be disabled. +- If you disable this setting, behavior monitoring will be disabled. 
@@ -168,6 +170,7 @@ If you disable this setting, behavior monitoring will be disabled. + This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you. @@ -181,9 +184,9 @@ Basic membership will send basic information to Microsoft about software that ha Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer. -If you enable this setting, you will join Microsoft MAPS with the membership specified. +- If you enable this setting, you will join Microsoft MAPS with the membership specified. -If you disable or do not configure this setting, you will not join Microsoft MAPS. +- If you disable or do not configure this setting, you will not join Microsoft MAPS. In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership. 
@@ -222,7 +225,6 @@ In Windows 10, Basic membership is no longer available, so setting the value to | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > MAPS | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet | -| Registry Value Name | SpynetReporting | | ADMX File Name | WindowsDefender.admx | @@ -248,11 +250,12 @@ In Windows 10, Basic membership is no longer available, so setting the value to + This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). Email scanning is not supported on modern email clients. -If you enable this setting, e-mail scanning will be enabled. +- If you enable this setting, e-mail scanning will be enabled. -If you disable or do not configure this setting, e-mail scanning will be disabled. +- If you disable or do not configure this setting, e-mail scanning will be disabled. @@ -314,11 +317,12 @@ If you disable or do not configure this setting, e-mail scanning will be disable + This policy setting allows you to configure scanning mapped network drives. -If you enable this setting, mapped network drives will be scanned. +- If you enable this setting, mapped network drives will be scanned. -If you disable or do not configure this setting, mapped network drives will not be scanned. +- If you disable or do not configure this setting, mapped network drives will not be scanned. 
@@ -380,11 +384,12 @@ If you disable or do not configure this setting, mapped network drives will not + This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. -If you enable this setting, removable drives will be scanned during any type of scan. +- If you enable this setting, removable drives will be scanned during any type of scan. -If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan. +- If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan. @@ -446,6 +451,7 @@ If you disable or do not configure this setting, removable drives will not be sc + Allows or disallows Windows Defender Intrusion Prevention functionality. @@ -494,11 +500,12 @@ Allows or disallows Windows Defender Intrusion Prevention functionality. + This policy setting allows you to configure scanning for all downloaded files and attachments. -If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. +- If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. -If you disable this setting, scanning for all downloaded files and attachments will be disabled. +- If you disable this setting, scanning for all downloaded files and attachments will be disabled. 
@@ -560,11 +567,12 @@ If you disable this setting, scanning for all downloaded files and attachments w + This policy setting allows you to configure monitoring for file and program activity. -If you enable or do not configure this setting, monitoring for file and program activity will be enabled. +- If you enable or do not configure this setting, monitoring for file and program activity will be enabled. -If you disable this setting, monitoring for file and program activity will be disabled. +- If you disable this setting, monitoring for file and program activity will be disabled. @@ -626,13 +634,8 @@ If you disable this setting, monitoring for file and program activity will be di -This policy turns off real-time protection in Microsoft Defender Antivirus. - -Real-time protection consists of always-on scanning with file and process behavior monitoring and heuristics. When real-time protection is on, Microsoft Defender Antivirus detects malware and potentially unwanted software that attempts to install itself or run on your device, and prompts you to take action on malware detections. - -If you enable this policy setting, real-time protection is turned off. - -If you either disable or do not configure this policy setting, real-time protection is turned on. + +Allows or disallows Windows Defender Realtime Monitoring functionality. @@ -694,11 +697,12 @@ If you either disable or do not configure this policy setting, real-time protect + This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. -If you enable this setting, network files will be scanned. +- If you enable this setting, network files will be scanned. -If you disable or do not configure this setting, network files will not be scanned. +- If you disable or do not configure this setting, network files will not be scanned. 
@@ -760,6 +764,7 @@ If you disable or do not configure this setting, network files will not be scann + Allows or disallows Windows Defender Script Scanning functionality. @@ -808,8 +813,9 @@ Allows or disallows Windows Defender Script Scanning functionality. + This policy setting allows you to configure whether or not to display AM UI to the users. -If you enable this setting AM UI won't be available to users. +- If you enable this setting AM UI won't be available to users. @@ -871,13 +877,14 @@ If you enable this setting AM UI won't be available to users. + Exclude files and paths from Attack Surface Reduction (ASR) rules. Enabled: Specify the folders or files and resources that should be excluded from ASR rules in the Options section. Enter each rule on a new line as a name-value pair: -- Name column: Enter a folder path or a fully qualified resource name. For example, ""C:\Windows"" will exclude all files in that directory. ""C:\Windows\App.exe"" will exclude only that specific file in that specific folder -- Value column: Enter ""0"" for each item +- Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder +- Value column: Enter "0" for each item Disabled: No exclusions will be applied to the ASR rules. @@ -913,7 +920,6 @@ You can configure ASR rules in the Configure Attack Surface Reduction rules GP s | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR | -| Registry Value Name | ExploitGuard_ASR_ASROnlyExclusions | | ADMX File Name | WindowsDefender.admx | 
@@ -939,6 +945,7 @@ You can configure ASR rules in the Configure Attack Surface Reduction rules GP s + Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting, you can set each rule to the following in the Options section: @@ -963,11 +970,13 @@ The following status IDs are permitted under the value column: - 5 (Not Configured) - 6 (Warn) - Example: -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1 -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +0 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +1 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +2 Disabled: No ASR rules will be configured. @@ -975,7 +984,7 @@ No ASR rules will be configured. Not configured: Same as Disabled. -You can exclude folders or files in the ""Exclude files and paths from Attack Surface Reduction Rules"" GP setting. +You can exclude folders or files in the "Exclude files and paths from Attack Surface Reduction Rules" GP setting. @@ -1002,7 +1011,6 @@ You can exclude folders or files in the ""Exclude files and paths from Attack Su | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR | -| Registry Value Name | ExploitGuard_ASR_Rules | | ADMX File Name | WindowsDefender.admx | 
@@ -1028,11 +1036,12 @@ You can exclude folders or files in the ""Exclude files and paths from Attack Su + This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization. The default value is 50. -If you enable this setting, CPU utilization will not exceed the percentage specified. +- If you enable this setting, CPU utilization will not exceed the percentage specified. -If you disable or do not configure this setting, CPU utilization will not exceed the default value. +- If you disable or do not configure this setting, CPU utilization will not exceed the default value. @@ -1061,7 +1070,6 @@ If you disable or do not configure this setting, CPU utilization will not exceed | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | -| Registry Value Name | AvgCPULoadFactor | | ADMX File Name | WindowsDefender.admx | 
@@ -1087,13 +1095,14 @@ If you disable or do not configure this setting, CPU utilization will not exceed + This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur before running a scan. This setting applies to scheduled scans, but it has no effect on scans initiated manually from the user interface or to the ones started from the command line using "mpcmdrun -Scan". -If you enable this setting, a check for new security intelligence will occur before running a scan. +- If you enable this setting, a check for new security intelligence will occur before running a scan. -If you disable this setting or do not configure this setting, the scan will start using the existing security intelligence. +- If you disable this setting or do not configure this setting, the scan will start using the existing security intelligence. @@ -1115,8 +1124,8 @@ If you disable this setting or do not configure this setting, the scan will star | Value | Description | |:--|:--| -| 0 (Default) | Disabled | -| 1 | Enabled | +| 0 (Default) | Disabled. | +| 1 | Enabled. | @@ -1129,7 +1138,6 @@ If you disable this setting or do not configure this setting, the scan will star | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | -| Registry Value Name | CheckForSignaturesBeforeRunningScan | | ADMX File Name | WindowsDefender.admx | 
@@ -1155,7 +1163,11 @@ If you disable this setting or do not configure this setting, the scan will star -This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. NoteThis feature requires the Join Microsoft MAPS setting enabled in order to function. + +This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see [Specify the cloud protection level](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus). + +> [!NOTE] +> This feature requires the Join Microsoft MAPS setting enabled in order to function. @@ -1177,10 +1189,10 @@ This policy setting determines how aggressive Windows Defender Antivirus will be | Value | Description | |:--|:--| -| 0 (Default) | NotConfigured | -| 2 | High | -| 4 | HighPlus | -| 6 | ZeroTolerance | +| 0 (Default) | NotConfigured. | +| 2 | High. | +| 4 | HighPlus. | +| 6 | ZeroTolerance. | 
@@ -1188,13 +1200,12 @@ This policy setting determines how aggressive Windows Defender Antivirus will be | Name | Value | |:--|:--| -| Name | MpCloudBlockLevel | +| Name | MpEngine_MpCloudBlockLevel | | Friendly Name | Select cloud protection level | | Element Name | Select cloud blocking level | | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > MpEngine | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine | -| Registry Value Name | MpCloudBlockLevel | | ADMX File Name | WindowsDefender.admx | 
@@ -1220,7 +1231,11 @@ This policy setting determines how aggressive Windows Defender Antivirus will be -This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. NoteThis feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required. + +This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. + +> [!NOTE] +> This feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required. 
@@ -1243,13 +1258,12 @@ This feature allows Windows Defender Antivirus to block a suspicious file for up
 | Name | Value |
 |:--|:--|
-| Name | MpBafsExtendedTimeout |
+| Name | MpEngine_MpBafsExtendedTimeout |
 | Friendly Name | Configure extended cloud check |
 | Element Name | Specify the extended cloud check time in seconds |
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > MpEngine |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine |
-| Registry Value Name | MpBafsExtendedTimeout |
 | ADMX File Name | WindowsDefender.admx |
@@ -1275,6 +1289,7 @@ This feature allows Windows Defender Antivirus to block a suspicious file for up
+
 Add additional applications that should be considered "trusted" by controlled folder access. These applications are allowed to modify or delete files in controlled folder access folders.
@@ -1320,7 +1335,6 @@ Default system folders are automatically guarded, but you can add folders in the
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
-| Registry Value Name | ExploitGuard_ControlledFolderAccess_AllowedApplications |
 | ADMX File Name | WindowsDefender.admx |
@@ -1346,6 +1360,7 @@ Default system folders are automatically guarded, but you can add folders in the
+
 Specify additional folders that should be guarded by the Controlled folder access feature. Files in these folders cannot be modified or deleted by untrusted applications.
@@ -1392,7 +1407,6 @@ Microsoft Defender Antivirus automatically determines which applications can be
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
-| Registry Value Name | ExploitGuard_ControlledFolderAccess_ProtectedFolders |
 | ADMX File Name | WindowsDefender.admx |
@@ -1418,11 +1432,12 @@ Microsoft Defender Antivirus automatically determines which applications can be
+
 This policy setting defines the number of days items should be kept in the Quarantine folder before being removed.
-If you enable this setting, items will be removed from the Quarantine folder after the number of days specified.
+- If you enable this setting, items will be removed from the Quarantine folder after the number of days specified.
-If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed.
+- If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed.
@@ -1451,7 +1466,6 @@ If you disable or do not configure this setting, items will be kept in the quara
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Quarantine |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Quarantine |
-| Registry Value Name | PurgeItemsAfterDelay |
 | ADMX File Name | WindowsDefender.admx |
@@ -1477,11 +1491,12 @@ If you disable or do not configure this setting, items will be kept in the quara
-This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
+
+This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
+- If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
-If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.
+- If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.
@@ -1503,8 +1518,8 @@ If you disable or do not configure this setting, catch-up scans for scheduled fu
 | Value | Description |
 |:--|:--|
-| 0 | Enabled |
-| 1 (Default) | Disabled |
+| 0 | Enabled. |
+| 1 (Default) | Disabled. |
@@ -1517,7 +1532,6 @@ If you disable or do not configure this setting, catch-up scans for scheduled fu
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Scan |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
-| Registry Value Name | DisableCatchupFullScan |
 | ADMX File Name | WindowsDefender.admx |
@@ -1543,11 +1557,12 @@ If you disable or do not configure this setting, catch-up scans for scheduled fu
-This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
+
+This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
+- If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
-If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.
+- If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.
@@ -1569,8 +1584,8 @@ If you disable or do not configure this setting, catch-up scans for scheduled qu
 | Value | Description |
 |:--|:--|
-| 0 | Enabled |
-| 1 (Default) | Disabled |
+| 0 | Enabled. |
+| 1 (Default) | Disabled. |
@@ -1583,7 +1598,6 @@ If you disable or do not configure this setting, catch-up scans for scheduled qu
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Scan |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
-| Registry Value Name | DisableCatchupQuickScan |
 | ADMX File Name | WindowsDefender.admx |
@@ -1609,6 +1623,7 @@ If you disable or do not configure this setting, catch-up scans for scheduled qu
+
 Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to:
 - Modify or delete files in protected folders, such as the Documents folder
 - Write to disk sectors
@@ -1624,21 +1639,18 @@ The following will be blocked:
 - Attempts by untrusted apps to write to disk sectors
 The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.
-
 Disabled:
 The following will not be blocked and will be allowed to run:
 - Attempts by untrusted apps to modify or delete files in protected folders
 - Attempts by untrusted apps to write to disk sectors
 These attempts will not be recorded in the Windows event log.
-
 Audit Mode:
 The following will not be blocked and will be allowed to run:
 - Attempts by untrusted apps to modify or delete files in protected folders
 - Attempts by untrusted apps to write to disk sectors
 The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124.
-
 Block disk modification only:
 The following will be blocked:
 - Attempts by untrusted apps to write to disk sectors
@@ -1648,7 +1660,6 @@ The following will not be blocked and will be allowed to run:
 - Attempts by untrusted apps to modify or delete files in protected folders
 These attempts will not be recorded in the Windows event log.
-
 Audit disk modification only:
 The following will not be blocked and will be allowed to run:
 - Attempts by untrusted apps to write to disk sectors
@@ -1679,9 +1690,9 @@ Same as Disabled.
 | Value | Description |
 |:--|:--|
-| 0 (Default) | Disabled |
-| 1 | Enabled |
-| 2 | Audit Mode |
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+| 2 | Audit Mode. |
@@ -1695,7 +1706,6 @@ Same as Disabled.
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
-| Registry Value Name | EnableControlledFolderAccess |
 | ADMX File Name | WindowsDefender.admx |
@@ -1721,11 +1731,12 @@ Same as Disabled.
+
 This policy setting allows you to enable or disable low CPU priority for scheduled scans.
-If you enable this setting, low CPU priority will be used during scheduled scans.
+- If you enable this setting, low CPU priority will be used during scheduled scans.
-If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans.
+- If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans.
@@ -1747,8 +1758,8 @@ If you disable or do not configure this setting, not changes will be made to CPU
 | Value | Description |
 |:--|:--|
-| 0 (Default) | Disabled |
-| 1 | Enabled |
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
@@ -1761,7 +1772,6 @@ If you disable or do not configure this setting, not changes will be made to CPU
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Scan |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
-| Registry Value Name | LowCpuPriority |
 | ADMX File Name | WindowsDefender.admx |
@@ -1787,6 +1797,7 @@ If you disable or do not configure this setting, not changes will be made to CPU
+
 Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet.
 Enabled:
@@ -1820,9 +1831,9 @@ Same as Disabled.
 | Value | Description |
 |:--|:--|
-| 0 (Default) | Disabled |
-| 1 | Enabled (block mode) |
-| 2 | Enabled (audit mode) |
+| 0 (Default) | Disabled. |
+| 1 | Enabled (block mode). |
+| 2 | Enabled (audit mode). |
@@ -1835,7 +1846,6 @@ Same as Disabled.
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection |
-| Registry Value Name | EnableNetworkProtection |
 | ADMX File Name | WindowsDefender.admx |
@@ -1861,6 +1871,7 @@ Same as Disabled.
+
 Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, lib|obj.
@@ -1889,7 +1900,6 @@ Allows an administrator to specify a list of file type extensions to ignore duri
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Exclusions |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions |
-| Registry Value Name | Exclusions_Extensions |
 | ADMX File Name | WindowsDefender.admx |
@@ -1915,6 +1925,7 @@ Allows an administrator to specify a list of file type extensions to ignore duri
+
 Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, C:\Example|C:\Example1.
@@ -1943,7 +1954,6 @@ Allows an administrator to specify a list of directory paths to ignore during a
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Exclusions |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions |
-| Registry Value Name | Exclusions_Paths |
 | ADMX File Name | WindowsDefender.admx |
@@ -1969,7 +1979,11 @@ Allows an administrator to specify a list of directory paths to ignore during a
-Allows an administrator to specify a list of files opened by processes to ignore during a scan. ImportantThe process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C:\Example. exe|C:\Example1.exe.
+
+Allows an administrator to specify a list of files opened by processes to ignore during a scan.
+
+> [!IMPORTANT]
+> The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C\Example. exe|C\Example1.exe.
@@ -1997,7 +2011,6 @@ Allows an administrator to specify a list of files opened by processes to ignore
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Exclusions |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions |
-| Registry Value Name | Exclusions_Processes |
 | ADMX File Name | WindowsDefender.admx |
@@ -2023,6 +2036,7 @@ Allows an administrator to specify a list of files opened by processes to ignore
+
 Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer.
 Enabled:
@@ -2071,7 +2085,6 @@ Same as Disabled.
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender |
-| Registry Value Name | PUAProtection |
 | ADMX File Name | WindowsDefender.admx |
@@ -2097,20 +2110,21 @@ Same as Disabled. + This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role. -Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes. +**Note** that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes. -The options for this setting are mutually exclusive: +The options for this setting are mutually exclusive 0 = Scan incoming and outgoing files (default) 1 = Scan incoming files only 2 = Scan outgoing files only Any other value, or if the value does not exist, resolves to the default (0). -If you enable this setting, the specified type of monitoring will be enabled. +- If you enable this setting, the specified type of monitoring will be enabled. -If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled. +- If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled. @@ -2148,7 +2162,6 @@ If you disable or do not configure this setting, monitoring for incoming and out | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | -| Registry Value Name | RealtimeScanDirection | | ADMX File Name | WindowsDefender.admx | 
@@ -2174,13 +2187,14 @@ If you disable or do not configure this setting, monitoring for incoming and out + This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are: 1 = Quick Scan (default) 2 = Full Scan -If you enable this setting, the scan type will be set to the specified value. +- If you enable this setting, the scan type will be set to the specified value. -If you disable or do not configure this setting, the default scan type will used. +- If you disable or do not configure this setting, the default scan type will used. @@ -2202,8 +2216,8 @@ If you disable or do not configure this setting, the default scan type will used | Value | Description | |:--|:--| -| 1 (Default) | Quick scan | -| 2 | Full scan | +| 1 (Default) | Quick scan. | +| 2 | Full scan. | @@ -2217,7 +2231,6 @@ If you disable or do not configure this setting, the default scan type will used | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | -| Registry Value Name | ScanParameters | | ADMX File Name | WindowsDefender.admx | 
@@ -2243,11 +2256,12 @@ If you disable or do not configure this setting, the default scan type will used
-This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to disabled. The schedule is based on local time on the computer where the scan is executing.
+
+This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to disabled. The schedule is based on local time on the computer where the scan is executing.
-If you enable this setting, a daily quick scan will run at the time of day specified.
+- If you enable this setting, a daily quick scan will run at the time of day specified.
-If you disable or do not configure this setting, daily quick scan controlled by this config will not be run.
+- If you disable or do not configure this setting, daily quick scan controlled by this config will not be run.
@@ -2276,7 +2290,6 @@ If you disable or do not configure this setting, daily quick scan controlled by
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Scan |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
-| Registry Value Name | ScheduleQuickScanTime |
 | ADMX File Name | WindowsDefender.admx |
@@ -2302,6 +2315,7 @@ If you disable or do not configure this setting, daily quick scan controlled by
+
 This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all.
 This setting can be configured with the following ordinal number values:
@@ -2315,9 +2329,9 @@ This setting can be configured with the following ordinal number values: (0x7) Saturday (0x8) Never (default) -If you enable this setting, a scheduled scan will run at the frequency specified. +- If you enable this setting, a scheduled scan will run at the frequency specified. -If you disable or do not configure this setting, a scheduled scan will run at a default frequency. +- If you disable or do not configure this setting, a scheduled scan will run at a default frequency. @@ -2339,15 +2353,15 @@ If you disable or do not configure this setting, a scheduled scan will run at a | Value | Description | |:--|:--| -| 0 (Default) | Every day | -| 1 | Sunday | -| 2 | Monday | -| 3 | Tuesday | -| 4 | Wednesday | -| 5 | Thursday | -| 6 | Friday | -| 7 | Saturday | -| 8 | No scheduled scan | +| 0 (Default) | Every day. | +| 1 | Sunday. | +| 2 | Monday. | +| 3 | Tuesday. | +| 4 | Wednesday. | +| 5 | Thursday. | +| 6 | Friday. | +| 7 | Saturday. | +| 8 | No scheduled scan. | @@ -2361,7 +2375,6 @@ If you disable or do not configure this setting, a scheduled scan will run at a | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | -| Registry Value Name | ScheduleDay | | ADMX File Name | WindowsDefender.admx | 
@@ -2387,11 +2400,12 @@ If you disable or do not configure this setting, a scheduled scan will run at a
-This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing.
+
+This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing.
-If you enable this setting, a scheduled scan will run at the time of day specified.
+- If you enable this setting, a scheduled scan will run at the time of day specified.
-If you disable or do not configure this setting, a scheduled scan will run at a default time.
+- If you disable or do not configure this setting, a scheduled scan will run at a default time.
@@ -2420,7 +2434,6 @@ If you disable or do not configure this setting, a scheduled scan will run at a
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Scan |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
-| Registry Value Name | ScheduleTime |
 | ADMX File Name | WindowsDefender.admx |
@@ -2446,9 +2459,10 @@ If you disable or do not configure this setting, a scheduled scan will run at a
+
 This policy setting allows you to define the security intelligence location for VDI-configured computers.
-If you disable or do not configure this setting, security intelligence will be referred from the default local source.
+- If you disable or do not configure this setting, security intelligence will be referred from the default local source.
@@ -2500,13 +2514,14 @@ If you disable or do not configure this setting, security intelligence will be r -This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares” + +This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares" For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } -If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. +- If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. -If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order. +- If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order. 
@@ -2559,11 +2574,12 @@ If you disable or do not configure this setting, security intelligence update so
+
 This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default.
-If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
+- If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
-If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.
+- If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.
@@ -2616,11 +2632,12 @@ If you disable or do not configure this setting, the list will remain empty by d
+
 This policy setting allows you to specify an interval at which to check for security intelligence updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).
-If you enable this setting, checks for security intelligence updates will occur at the interval specified.
+- If you enable this setting, checks for security intelligence updates will occur at the interval specified.
-If you disable or do not configure this setting, checks for security intelligence updates will occur at the default interval.
+- If you disable or do not configure this setting, checks for security intelligence updates will occur at the default interval.
@@ -2649,7 +2666,6 @@ If you disable or do not configure this setting, checks for security intelligenc
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates |
-| Registry Value Name | SignatureUpdateInterval |
 | ADMX File Name | WindowsDefender.admx |
@@ -2675,6 +2691,7 @@ If you disable or do not configure this setting, checks for security intelligenc
+
 This policy setting configures behaviour of samples submission when opt-in for MAPS telemetry is set.
 Possible options are:
@@ -2720,7 +2737,6 @@ Possible options are:
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > MAPS |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet |
-| Registry Value Name | SubmitSamplesConsent |
 | ADMX File Name | WindowsDefender.admx |
@@ -2746,7 +2762,8 @@ Possible options are:
-Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format threat level=action|threat level=action. For example, 1=6|2=2|4=10|5=3. The following list shows the supported values for threat severity levels:1 – Low severity threats2 – Moderate severity threats4 – High severity threats5 – Severe threatsThe following list shows the supported values for possible actions:1 – Clean. Service tries to recover files and try to disinfect. 2 – Quarantine. Moves files to quarantine. 3 – Remove. Removes files from system. 6 – Allow. Allows file/does none of the above actions. 8 – User defined. Requires user to make a decision on which action to take. 10 – Block. Blocks file execution.
+
+Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format threat level=action|threat level=action. For example, 1=6|2=2|4=10|5=3. The following list shows the supported values for threat severity levels:1 - Low severity threats2 - Moderate severity threats4 - High severity threats5 - Severe threatsThe following list shows the supported values for possible actions:2 - Quarantine. Moves files to quarantine. 3 - Remove. Removes files from system. 6 - Allow. Allows file/does none of the above actions. 8 - User defined. Requires user to make a decision on which action to take. 10 - Block. Blocks file execution.
@@ -2773,7 +2790,6 @@ Allows an administrator to specify any valid threat severity levels and the corr
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Threats |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Threats |
-| Registry Value Name | Threats_ThreatSeverityDefaultAction |
 | ADMX File Name | WindowsDefender.admx |
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 95f4178efd..fe04df23d4 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -1,1595 +1,1744 @@ --- -title: Policy CSP - DeliveryOptimization -description: Learn how to use the Policy CSP - DeliveryOptimization setting to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization. +title: DeliveryOptimization Policy CSP +description: Learn more about the DeliveryOptimization Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 06/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - DeliveryOptimization ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## DeliveryOptimization policies + +## DOAbsoluteMaxCacheSize -
    -
    - DeliveryOptimization/DOAbsoluteMaxCacheSize -
    -
    - DeliveryOptimization/DOAllowVPNPeerCaching -
    -
    - DeliveryOptimization/DOCacheHost -
    -
    - DeliveryOptimization/DOCacheHostSource -
    -
    - DeliveryOptimization/DODelayBackgroundDownloadFromHttp -
    -
    - DeliveryOptimization/DODelayCacheServerFallbackBackground -
    -
    - DeliveryOptimization/DODelayCacheServerFallbackForeground -
    -
    - DeliveryOptimization/DODelayForegroundDownloadFromHttp -
    -
    - DeliveryOptimization/DODownloadMode -
    -
    - DeliveryOptimization/DOGroupId -
    -
    - DeliveryOptimization/DOGroupIdSource -
    -
    - DeliveryOptimization/DOMaxBackgroundDownloadBandwidth -
    -
    - DeliveryOptimization/DOMaxCacheAge -
    -
    - DeliveryOptimization/DOMaxCacheSize -
    -
    - DeliveryOptimization/DOMaxDownloadBandwidth -
    -
    - DeliveryOptimization/DOMaxForegroundDownloadBandwidth -
    -
    - DeliveryOptimization/DOMaxUploadBandwidth -
    -
    - DeliveryOptimization/DOMinBackgroundQos -
    -
    - DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload -
    -
    - DeliveryOptimization/DOMinDiskSizeAllowedToPeer -
    -
    - DeliveryOptimization/DOMinFileSizeToCache -
    -
    - DeliveryOptimization/DOMinRAMAllowedToPeer -
    -
    - DeliveryOptimization/DOModifyCacheDrive -
    -
    - DeliveryOptimization/DOMonthlyUploadDataCap -
    -
    - DeliveryOptimization/DOPercentageMaxBackgroundBandwidth -
    -
    - DeliveryOptimization/DOPercentageMaxDownloadBandwidth -
    -
    - DeliveryOptimization/DOPercentageMaxForegroundBandwidth -
    -
    - DeliveryOptimization/DORestrictPeerSelectionBy -
    -
    - DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth -
    -
    - DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOAbsoluteMaxCacheSize +``` + -
    + + +Specifies the maximum size in GB of Delivery Optimization cache. - -**DeliveryOptimization/DOAbsoluteMaxCacheSize** +This policy overrides the DOMaxCacheSize policy. - +The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the cache when the device runs low on disk space. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | AbsoluteMaxCacheSize | +| Friendly Name | Absolute Max Cache Size (in GB) | +| Element Name | Absolute Max Cache Size (in GB) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + -
    + + + - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. + + +## DOAllowVPNPeerCaching -Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -The default value is 10. + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOAllowVPNPeerCaching +``` + - - -ADMX Info: -- GP Friendly name: *Absolute Max Cache Size (in GB)* -- GP name: *AbsoluteMaxCacheSize* -- GP element: *AbsoluteMaxCacheSize* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + + +Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. + - - + + + -
    + +**Description framework properties**: - -**DeliveryOptimization/DOAllowVPNPeerCaching** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AllowVPNPeerCaching | +| Friendly Name | Enable Peer Caching while the device connects via VPN | +| Element Name | Enable Peer Caching while the device connects via VPN | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## DOCacheHost - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost +``` + -Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This policy means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. - - - -ADMX Info: -- GP Friendly name: *Enable Peer Caching while the device connects via VPN* -- GP name: *AllowVPNPeerCaching* -- GP element: *AllowVPNPeerCaching* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - -The following list shows the supported values: - -- 0 (default) - Not allowed. -- 1 - Allowed. - - - - -
    - - -**DeliveryOptimization/DOCacheHost** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy allows you to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization. + + +This policy allows you to set one or more Microsoft Connected Cache servers that will be used by your client(s). One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. + - - -ADMX Info: -- GP Friendly name: *Cache Server Hostname* -- GP name: *CacheHost* -- GP element: *CacheHost* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - - - - - - - - - - -
    - - -**DeliveryOptimization/DOCacheHostSource** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy allows you to configure one or more Delivery Optimizations in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. - - - -ADMX Info: -- GP Friendly name: *Cache Server Hostname Source* -- GP name: *CacheHostSource* -- GP element: *CacheHostSource* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - -The following are the supported values: -- 1 = DHCP Option ID. -- 2 = DHCP Option ID Force. - -When DHCP Option ID (1) is set, the client will query DHCP Option ID 235 and use the returned FQDN or IP value as Cache Server Hostname value. This policy will be overridden when the [Cache Server Hostname](#deliveryoptimization-docachehost) policy has been set. - -When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 and use the returned FQDN or IP value as Cache Server Hostname value, and will override the Cache Server Hostname policy if it has been set. - -> [!Note] -> If the DHCP Option ID is formatted incorrectly, the client will fall back to the [Cache Server Hostname](#deliveryoptimization-docachehost) policy value if that value has been set. - - - - - - - - - - -
    - - -**DeliveryOptimization/DODelayBackgroundDownloadFromHttp** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. - -After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from peers. A download that is waiting for peer sources will appear to be stuck for the end user. The recommended value is 1 hour (3600). - - - -ADMX Info: -- GP Friendly name: *Delay background download from http (in secs)* -- GP name: *DelayBackgroundDownloadFromHttp* -- GP element: *DelayBackgroundDownloadFromHttp* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - -
    - - -**DeliveryOptimization/DODelayCacheServerFallbackBackground** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. - + + > [!NOTE] -> The [DODelayBackgroundDownloadFromHttp](#deliveryoptimization-dodelaybackgrounddownloadfromhttp) policy takes precedence over this policy to allow downloads from peers first. +> Clients don't talk to multiple Microsoft Connected Cache (MCC) servers at the same time. If you configure a list of MCC servers in this policy, the clients will round robin until they successfully connect to an MCC server. The clients have no way to determine if the MCC server has the content or not. If the MCC server doesn't have the content, it caches the content as it is handing the content back to the client. + - - -ADMX Info: -- GP Friendly name: *Delay Background download Cache Server fallback (in seconds)* -- GP name: *DelayCacheServerFallbackBackground* -- GP element: *DelayCacheServerFallbackBackground* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + +**Description framework properties**: - - -This policy is specified in seconds. -Supported values: 0 - one month (in seconds) - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + - - + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | CacheHost | +| Friendly Name | Cache Server Hostname | +| Element Name | Cache Server | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + -
    + + + - -**DeliveryOptimization/DODelayCacheServerFallbackForeground** + - + +## DOCacheHostSource -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHostSource +``` + - -
    + + +This policy allows you to specify how your client(s) can discover Microsoft Connected Cache servers dynamically. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Options available are: -> [!div class = "checklist"] -> * Device +0 = Disable DNS-SD. -
    +1 = DHCP Option 235. - - -Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. +2 = DHCP Option 235 Force. +If this policy is not configured, the client will attempt to automatically find a cache server using DNS-SD. If set to 0, the client will not use DNS-SD to automatically find a cache server. If set to 1 or 2, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if configured. + + + + > [!NOTE] -> The [DODelayForegroundDownloadFromHttp](#deliveryoptimization-dodelayforegrounddownloadfromhttp) policy takes precedence over this policy to allow downloads from peers first. +> If the DHCP Option ID is formatted incorrectly, the client will fall back to the [Cache Server Hostname](#docachehost) policy value if that value has been set. + - - -ADMX Info: -- GP Friendly name: *Delay Foreground download Cache Server fallback (in seconds)* -- GP name: *DelayCacheServerFallbackForeground* -- GP element: *DelayCacheServerFallbackForeground* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + +**Description framework properties**: - - -This policy is specified in seconds. -Supported values: 0 - one month (in seconds) - - - - - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + -
    + +**Group policy mapping**: - -**DeliveryOptimization/DODelayForegroundDownloadFromHttp** +| Name | Value | +|:--|:--| +| Name | CacheHostSource | +| Friendly Name | Cache Server Hostname Source | +| Element Name | Cache Server Hostname Source | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## DODelayBackgroundDownloadFromHttp - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODelayBackgroundDownloadFromHttp +``` + -> [!div class = "checklist"] -> * Device + + +This policy allows you to delay the use of an HTTP source in a background download that is allowed to use P2P. -
    +After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers. - - -This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. +**Note** that a download that is waiting for peer sources, will appear to be stuck for the end user. -After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers. +The recommended value is 1 hour (3600). + -A download that is waiting for peer sources, will appear to be stuck for the end user. + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DelayBackgroundDownloadFromHttp | +| Friendly Name | Delay background download from http (in secs) | +| Element Name | Delay background download from http (in secs) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DODelayCacheServerFallbackBackground + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODelayCacheServerFallbackBackground +``` + + + + +Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. **Note** that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-2592000]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DelayCacheServerFallbackBackground | +| Friendly Name | Delay Background download Cache Server fallback (in seconds) | +| Element Name | Delay Background download Cache Server fallback (in secs) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DODelayCacheServerFallbackForeground + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODelayCacheServerFallbackForeground +``` + + + + +Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. **Note** that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-2592000]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DelayCacheServerFallbackForeground | +| Friendly Name | Delay Foreground download Cache Server fallback (in seconds) | +| Element Name | Delay Foreground download Cache Server fallback (in secs) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DODelayForegroundDownloadFromHttp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODelayForegroundDownloadFromHttp +``` + + + + +This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P. + +After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers. + +**Note** that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 minute (60). + - - -ADMX Info: -- GP Friendly name: *Delay Foreground download from http (in secs)* -- GP name: *DelayForegroundDownloadFromHttp* -- GP element: *DelayForegroundDownloadFromHttp* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + + + - - -The following list shows the supported values as number of seconds: + +**Description framework properties**: -- 0 to 86400 (1 day) -- 0 - managed by the cloud service -- Default isn't configured. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | DelayForegroundDownloadFromHttp | +| Friendly Name | Delay Foreground download from http (in secs) | +| Element Name | Delay Foreground download from http (in secs) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + - -**DeliveryOptimization/DODownloadMode** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DODisallowCacheServerDownloadsOnVPN + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODisallowCacheServerDownloadsOnVPN +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed. | +| 1 | Not allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowCacheHostWithVPN | +| Path | DeliveryOptimization > AT > WindowsComponents > DeliveryOptimizationCat | +| Element Name | DisallowCacheServerDownloadsOnVPN | + + + + + + + + + +## DODownloadMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode +``` + + + + +Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The default value is 1. + + + + > [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. +> The Delivery Optimization service on the clients checks to see if there are peers and/or an MCC server which contains the content and determines the best source for the content. + + +**Description framework properties**: -Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -ADMX Info: -- GP Friendly name: *Download Mode* -- GP name: *DownloadMode* -- GP element: *DownloadMode* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + +**Allowed values**: - - -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 (Default) | HTTP only, no peering. | +| 1 | HTTP blended with peering behind the same NAT. | +| 2 | When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. | +| 3 | HTTP blended with Internet peering. | +| 99 | Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. | +| 100 | Bypass mode. Windows 10: Do not use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead. | + -- 0 – HTTP only, no peering. -- 1 (default) – HTTP blended with peering behind the same NAT. 
-- 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. -- 3 – HTTP blended with Internet peering. -- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and doesn't attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. -- 100 - Bypass mode. Don't use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. This value is deprecated and will be removed in a future release. - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | DownloadMode | +| Friendly Name | Download Mode | +| Element Name | Download Mode | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + - -**DeliveryOptimization/DOGroupId** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DOGroupId + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOGroupId +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that the device belongs to. -> [!div class = "checklist"] -> * Device +Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. -
    +**Note** this is a best effort optimization and should not be relied on for an authentication of identity. + - - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | GroupId | +| Friendly Name | Group ID | +| Element Name | Group ID | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DOGroupIdSource + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOGroupIdSource +``` + + + + +Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5. + + + + > [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. +> The default behavior, when neither the DOGroupId or DOGroupIdSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If DOGroupIdSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. + + +**Description framework properties**: -This policy specifies an arbitrary group ID that the device belongs to. Use this ID if you need to create a single group for Local Network Peering for branches that are on different domains or aren't on the same LAN. This approach is a best effort optimization and shouldn't be relied on for an authentication of identity. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -> [!NOTE] -> You must use a GUID as the group ID. 
+ +**Allowed values**: - - -ADMX Info: -- GP Friendly name: *Group ID* -- GP name: *GroupId* -- GP element: *GroupId* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* +| Value | Description | +|:--|:--| +| 0 (Default) | Unset. | +| 1 | AD site. | +| 2 | Authenticated domain SID. | +| 3 | DHCP user option. | +| 4 | DNS suffix. | +| 5 | AAD. | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | GroupIdSource | +| Friendly Name | Select the source of Group IDs | +| Element Name | Source of Group IDs | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + - -**DeliveryOptimization/DOGroupIdSource** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DOMaxBackgroundDownloadBandwidth + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMaxBackgroundDownloadBandwidth +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Set this policy to restrict peer selection to a specific source. Available options are: 1 = Active Directory Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Azure Active Directory. - -When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. - -For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. - -Starting with Windows 10, version 1903, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this task, set the value of DOGroupIdSource to 5. - - - -ADMX Info: -- GP Friendly name: *Select the source of Group IDs* -- GP name: *GroupIdSource* -- GP element: *GroupIdSource* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - -The following list shows the supported values: - -- 1 - Active Directory site -- 2 - Authenticated domain SID -- 3 - DHCP user option -- 4 - DNS suffix -- 5 - Azure Active Directory - - - - -
    - - -**DeliveryOptimization/DOMaxBackgroundDownloadBandwidth** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. + + +Specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. + - - -ADMX Info: -- GP Friendly name: *Maximum Background Download Bandwidth (in KB/s)* -- GP name: *MaxBackgroundDownloadBandwidth* -- GP element: *MaxBackgroundDownloadBandwidth* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + - -**DeliveryOptimization/DOMaxCacheAge** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxBackgroundDownloadBandwidth | +| Friendly Name | Maximum Background Download Bandwidth (in KB/s) | +| Element Name | Maximum Background Download Bandwidth (in KB/s) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DOMaxCacheAge -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMaxCacheAge +``` + - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. + + +Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means unlimited; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607. The default value is 604800 seconds (7 days). + + + + -Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607. + +**Description framework properties**: -The default value is 259200 seconds (three days). +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + - - -ADMX Info: -- GP Friendly name: *Max Cache Age (in seconds)* -- GP name: *MaxCacheAge* -- GP element: *MaxCacheAge* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | MaxCacheAge | +| Friendly Name | Max Cache Age (in seconds) | +| Element Name | Max Cache Age (in seconds) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + -
    + + + - -**DeliveryOptimization/DOMaxCacheSize** + - + +## DOMaxCacheSize -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMaxCacheSize +``` + - -
    + + +Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). The default value is 20. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-100]` | +| Default Value | 0 | + - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. + +**Group policy mapping**: +| Name | Value | +|:--|:--| +| Name | MaxCacheSize | +| Friendly Name | Max Cache Size (percentage) | +| Element Name | Max Cache Size (Percentage) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + -Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). + + + -The default value is 20. + - - -ADMX Info: -- GP Friendly name: *Max Cache Size (percentage)* -- GP name: *MaxCacheSize* -- GP element: *MaxCacheSize* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + +## DOMaxForegroundDownloadBandwidth - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMaxForegroundDownloadBandwidth +``` + - -**DeliveryOptimization/DOMaxDownloadBandwidth** - - - - - -
    - - -
    - - - -This policy is deprecated. Use [DOMaxForegroundDownloadBandwidth](#deliveryoptimization-domaxforegrounddownloadbandwidth) and [DOMaxBackgroundDownloadBandwidth](#deliveryoptimization-domaxbackgrounddownloadbandwidth) policies instead. - - - - - - -
    - - -**DeliveryOptimization/DOMaxForegroundDownloadBandwidth** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. + + +Specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. + - - -ADMX Info: -- GP Friendly name: *Maximum Foreground Download Bandwidth (in KB/s)* -- GP name: *MaxForegroundDownloadBandwidth* -- GP element: *MaxForegroundDownloadBandwidth* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + - -**DeliveryOptimization/DOMaxUploadBandwidth** + +**Group policy mapping**: - - - +| Name | Value | +|:--|:--| +| Name | MaxForegroundDownloadBandwidth | +| Friendly Name | Maximum Foreground Download Bandwidth (in KB/s) | +| Element Name | Maximum Foreground Download Bandwidth (in KB/s) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + - - + + + -This policy is deprecated because it only applies to uploads to Internet peers (only allowed when DownloadMode is set to 3) which isn't used in commercial deployments. There's no alternate policy to use. + - - - - + +## DOMinBackgroundQos -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -**DeliveryOptimization/DOMinBackgroundQos** + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinBackgroundQos +``` + - + + +Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 20480 (20 MB/s). + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-4294967295]` | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | MinBackgroundQos | +| Friendly Name | Minimum Background QoS (in KB/s) | +| Element Name | Minimum Background QoS (in KB/s) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + -
    + + + - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. + + +## DOMinBatteryPercentageAllowedToUpload -Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -The default value is 500. + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload +``` + - - -ADMX Info: -- GP Friendly name: *Minimum Background QoS (in KB/s)* -- GP name: *MinBackgroundQos* -- GP element: *MinBackgroundQos* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + + +Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery). - - +The recommended value to set if you allow uploads on battery is 40 (for 40%). The device can download from peers while on battery regardless of this policy. -
    +The value 0 means "not-limited"; The cloud service set default value will be used. + - -**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 0 | + + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | MinBatteryPercentageAllowedToUpload | +| Friendly Name | Allow uploads while the device is on battery while under set Battery level (percentage) | +| Element Name | Minimum battery level (Percentage) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## DOMinDiskSizeAllowedToPeer - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinDiskSizeAllowedToPeer +``` + -The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. + + +Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The cloud service set default value will be used. - - -ADMX Info: -- GP Friendly name: *Allow uploads while the device is on battery while under set Battery level (percentage)* -- GP name: *MinBatteryPercentageAllowedToUpload* -- GP element: *MinBatteryPercentageAllowedToUpload* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - -
    - - -**DeliveryOptimization/DOMinDiskSizeAllowedToPeer** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions. - - -Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB. +Recommended values: 64 GB to 256 GB. > [!NOTE] -> If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. - -The default value is 32 GB. - - - -ADMX Info: -- GP Friendly name: *Minimum disk size allowed to use Peer Caching (in GB)* -- GP name: *MinDiskSizeAllowedToPeer* -- GP element: *MinDiskSizeAllowedToPeer* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - -
    - - -**DeliveryOptimization/DOMinFileSizeToCache** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions. - - -Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. - -The default value is 100 MB. - - - -ADMX Info: -- GP Friendly name: *Minimum Peer Caching Content File Size (in MB)* -- GP name: *MinFileSizeToCache* -- GP element: *MinFileSizeToCache* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - -
    - - -**DeliveryOptimization/DOMinRAMAllowedToPeer** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions. - - -Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. - -The default value is 4 GB. - - - -ADMX Info: -- GP Friendly name: *Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB)* -- GP name: *MinRAMAllowedToPeer* -- GP element: *MinRAMAllowedToPeer* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - -
    - - -**DeliveryOptimization/DOModifyCacheDrive** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. - - -Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. - -By default, %SystemDrive% is used to store the cache. - - - -ADMX Info: -- GP Friendly name: *Modify Cache Drive* -- GP name: *ModifyCacheDrive* -- GP element: *ModifyCacheDrive* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - -
    - - -**DeliveryOptimization/DOMonthlyUploadDataCap** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. - - -Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. - -The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set. - -The default value is 20. - - - -ADMX Info: -- GP Friendly name: *Monthly Upload Data Cap (in GB)* -- GP name: *MonthlyUploadDataCap* -- GP element: *MonthlyUploadDataCap* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - -
    - - -**DeliveryOptimization/DOPercentageMaxBackgroundBandwidth** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. +> If the DOModifyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-100000]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | MinDiskSizeAllowedToPeer | +| Friendly Name | Minimum disk size allowed to use Peer Caching (in GB) | +| Element Name | Minimum disk size allowed to use Peer Caching (in GB) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DOMinFileSizeToCache + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinFileSizeToCache +``` + + + + +Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-100000]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | MinFileSizeToCache | +| Friendly Name | Minimum Peer Caching Content File Size (in MB) | +| Element Name | Minimum Peer Caching Content File Size (in MB) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DOMinRAMAllowedToPeer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinRAMAllowedToPeer +``` + + + + +Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-100000]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | MinRAMAllowedToPeer | +| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) | +| Element Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DOModifyCacheDrive + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOModifyCacheDrive +``` + + + + +Specifies the drive Delivery Optimization shall use for its cache. + +By default, %SystemDrive% is used to store the cache. The drive location can be specified using environment variables, drive letter or using a full path. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ModifyCacheDrive | +| Friendly Name | Modify Cache Drive | +| Element Name | Modify Cache Drive | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DOMonthlyUploadDataCap + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMonthlyUploadDataCap +``` + + + + +Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means unlimited; No monthly upload limit is applied if 0 is set. The default value is 5120 (5 TB). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | MonthlyUploadDataCap | +| Friendly Name | Monthly Upload Data Cap (in GB) | +| Element Name | Monthly Upload Data Cap (in GB) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DOPercentageMaxBackgroundBandwidth + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOPercentageMaxBackgroundBandwidth +``` + + + + +Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. + +The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. + + + + Downloads from LAN peers won't be throttled even when this policy is set. + - - -ADMX Info: -- GP Friendly name: *Maximum Background Download Bandwidth (percentage)* -- GP name: *PercentageMaxBackgroundBandwidth* -- GP element: *PercentageMaxBackgroundBandwidth* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 0 | + -
    + +**Group policy mapping**: - -**DeliveryOptimization/DOPercentageMaxDownloadBandwidth** +| Name | Value | +|:--|:--| +| Name | PercentageMaxBackgroundBandwidth | +| Friendly Name | Maximum Background Download Bandwidth (percentage) | +| Element Name | Maximum Background Download Bandwidth (Percentage) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + -
    + + + - -This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryoptimization-dopercentagemaxforegroundbandwidth) and [DOPercentageMaxBackgroundBandwidth](#deliveryoptimization-dopercentagemaxbackgroundbandwidth) policies instead. + - - + +## DOPercentageMaxForegroundBandwidth -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -**DeliveryOptimization/DOPercentageMaxForegroundBandwidth** + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOPercentageMaxForegroundBandwidth +``` + - + + +Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. + + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 0 | + -> [!div class = "checklist"] -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | PercentageMaxForegroundBandwidth | +| Friendly Name | Maximum Foreground Download Bandwidth (percentage) | +| Element Name | Maximum Foreground Download Bandwidth (Percentage) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + - - -Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. + + + -Downloads from LAN peers won't be throttled even when this policy is set. + - - -ADMX Info: -- GP Friendly name: *Maximum Foreground Download Bandwidth (percentage)* -- GP name: *PercentageMaxForegroundBandwidth* -- GP element: *PercentageMaxForegroundBandwidth* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + +## DORestrictPeerSelectionBy - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DORestrictPeerSelectionBy +``` + - -**DeliveryOptimization/DORestrictPeerSelectionBy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Set this policy to restrict peer selection via selected option. -In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently, the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore it means that there is no peering between subnets. The default value in Windows 11 is set to "Local Peer Discovery". +Options available are: +0 = NAT. +1 = Subnet mask. +2 = Local discovery (DNS-SD). + +The default value has changed from 0 (no restriction) to 1 (restrict to the subnet). + +These options apply to both Download Mode LAN (1) and Group (2). + + + + If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). -The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. +In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. The default value in Windows 11 is set to 'Local Peer Discovery'. The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. + - - -ADMX Info: -- GP Friendly name: *Select a method to restrict Peer Selection* -- GP name: *RestrictPeerSelectionBy* -- GP element: *RestrictPeerSelectionBy* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- 0 - NAT -- 1 - Subnet mask -- 2 - Local Peer Discovery + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | None. | +| 1 | Subnet mask. | +| 2 | Local peer discovery (DNS-SD). | + -
    + +**Group policy mapping**: - -**DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth** +| Name | Value | +|:--|:--| +| Name | RestrictPeerSelectionBy | +| Friendly Name | Select a method to restrict Peer Selection | +| Element Name | Restrict Peer Selection By | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## DOSetHoursToLimitBackgroundDownloadBandwidth - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Business Hours to Limit Background Download Bandwidth* -- GP name: *SetHoursToLimitBackgroundDownloadBandwidth* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SetHoursToLimitBackgroundDownloadBandwidth | +| Friendly Name | Set Business Hours to Limit Background Download Bandwidth | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DOSetHoursToLimitForegroundDownloadBandwidth + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth +``` + + + + +Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. + + + + This policy allows an IT Admin to define the following details: - Business hours range (for example 06:00 to 18:00) - % of throttle for background traffic during business hours - % of throttle for background traffic outside of business hours + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | SetHoursToLimitForegroundDownloadBandwidth | +| Friendly Name | Set Business Hours to Limit Foreground Download Bandwidth | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DOVpnKeywords -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOVpnKeywords +``` + - - -Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. + + +This policy allows you to set one or more keywords used to recognize VPN connections. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Business Hours to Limit Foreground Download Bandwidth* -- GP name: *SetHoursToLimitForegroundDownloadBandwidth* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + - - -This policy allows an IT Admin to define the following details: + +**Group policy mapping**: -- Business hours range (for example 06:00 to 18:00) -- % of throttle for foreground traffic during business hours -- % of throttle for foreground traffic outside of business hours +| Name | Value | +|:--|:--| +| Name | VpnKeywords | +| Path | DeliveryOptimization > AT > WindowsComponents > DeliveryOptimizationCat | +| Element Name | VpnKeywords | + - - -
    + + + + - + + + -## Related topics + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) - diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 1cd8888461..1cc683a423 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -1,92 +1,96 @@ --- -title: Policy CSP - Desktop -description: Learn how to use the Policy CSP - Desktop setting to prevent users from changing the path to their profile folders. +title: Desktop Policy CSP +description: Learn more about the Desktop Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Desktop > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## Desktop policies + +## PreventUserRedirectionOfProfileFolders -
    -
    - Desktop/PreventUserRedirectionOfProfileFolders -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/Desktop/PreventUserRedirectionOfProfileFolders +``` + -
    - - -**Desktop/PreventUserRedirectionOfProfileFolders** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting prevents users from changing the path to their profile folders. + + +Prevents users from changing the path to their profile folders. By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box. -If you enable this setting, users are unable to type a new location in the Target box. +- If you enable this setting, users are unable to type a new location in the Target box. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit User from manually redirecting Profile Folders* -- GP name: *DisablePersonalDirChange* -- GP path: *Desktop* -- GP ADMX file name: *desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | DisablePersonalDirChange | +| Friendly Name | Prohibit User from manually redirecting Profile Folders | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisablePersonalDirChange | +| ADMX File Name | Desktop.admx | + - + + + -## Related topics + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md index f6f865422e..36f2988560 100644 --- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md +++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md 
@@ -1,595 +1,707 @@ --- -title: Policy CSP - DesktopAppInstaller -description: Learn about the Policy CSP - DesktopAppInstaller. -ms.author: v-aljupudi +title: DesktopAppInstaller Policy CSP +description: Learn more about the DesktopAppInstaller Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: alekyaj -ms.date: 08/24/2022 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - DesktopAppInstaller ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## EnableAdditionalSources - -## DesktopAppInstaller policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    -
    - DesktopAppInstaller/EnableAdditionalSources -
    -
    - DesktopAppInstaller/EnableAppInstaller -
    -
    - DesktopAppInstaller/EnableDefaultSource -
    -
    - DesktopAppInstaller/EnableLocalManifestFiles -
    -
    - DesktopAppInstaller/EnableHashOverride -
    -
    - DesktopAppInstaller/EnableMicrosoftStoreSource -
    -
    - DesktopAppInstaller/EnableMSAppInstallerProtocol -
    -
    - DesktopAppInstaller/EnableSettings -
    -
    - DesktopAppInstaller/EnableAllowedSources -
    -
    - DesktopAppInstaller/EnableExperimentalFeatures -
    -
    - DesktopAppInstaller/SourceAutoUpdateInterval -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAdditionalSources +``` + + + +This policy controls additional sources provided by the enterprise IT administrator. -
    +- If you do not configure this policy, no additional sources will be configured for the [Windows Package Manager](/windows/package-manager/). - -**DesktopAppInstaller/EnableAdditionalSources** +- If you enable this policy, the additional sources will be added to the [Windows Package Manager](/windows/package-manager/) and cannot be removed. The representation for each additional source can be obtained from installed sources using '[winget source export](/windows/package-manager/winget)'. - +- If you disable this policy, no additional sources can be configured for the [Windows Package Manager](/windows/package-manager/). + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - - -This policy controls additional sources configured for [Windows Package Manager](/windows/package-manager/). +| Name | Value | +|:--|:--| +| Name | EnableAdditionalSources | +| Friendly Name | Enable App Installer Additional Sources | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableAdditionalSources | +| ADMX File Name | DesktopAppInstaller.admx | + -If you don't configure this setting, no additional sources will be configured for Windows Package Manager. + + + -If you enable this setting, additional sources will be added to Windows Package Manager, and can't be removed. The representation for each additional source can be obtained from installed sources using [*winget source export*](/windows/package-manager/winget/). + -If you disable this setting, no additional sources can be configured by the user for Windows Package Manager. + +## EnableAllowedSources - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - -ADMX Info: -- GP Friendly name: *Enable Additional Windows Package Manager Sources* -- GP name: *EnableAdditionalSources* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAllowedSources +``` + - - + + +This policy controls additional sources allowed by the enterprise IT administrator. -
    +- If you do not configure this policy, users will be able to add or remove additional sources other than those configured by policy. +- If you enable this policy, only the sources specified can be added or removed from the [Windows Package Manager](/windows/package-manager/). The representation for each allowed source can be obtained from installed sources using '[winget source export](/windows/package-manager/winget)'. - -**DesktopAppInstaller/EnableAppInstaller** +- If you disable this policy, no additional sources can be configured for the [Windows Package Manager](/windows/package-manager/). + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> [!div class = "checklist"] -> * Device +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | EnableAllowedSources | +| Friendly Name | Enable App Installer Allowed Sources | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableAllowedSources | +| ADMX File Name | DesktopAppInstaller.admx | + - - -This policy controls whether Windows Package Manager can be used by users. Users will still be able to execute the *winget* command. The default help will be displayed, and users will still be able to execute *winget -?* to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy. + + + -- If you enable or don't configure this setting, users will be able to use the Windows Package Manager. -- If you disable this setting, users won't be able to use the Windows Package Manager. + - + +## EnableAppInstaller - -ADMX Info: -- GP Friendly name: *Controls whether the Windows Package Manager can be used by the users* -- GP name: *EnableAppInstaller* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAppInstaller +``` + -
    + + +This policy controls whether the [Windows Package Manager](/windows/package-manager/) can be used by users. - -**DesktopAppInstaller/EnableDefaultSource** +- If you enable or do not configure this setting, users will be able to use the [Windows Package Manager](/windows/package-manager/). - +- If you disable this setting, users will not be able to use the [Windows Package Manager](/windows/package-manager/). + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Users will still be able to execute the *winget* command. The default help will be displayed, and users will still be able to execute *winget -?* to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy. + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | EnableAppInstaller | +| Friendly Name | Enable App Installer | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableAppInstaller | +| ADMX File Name | DesktopAppInstaller.admx | + -This policy controls the default source included with the Windows Package Manager. -If you do not configure this setting, the default source for the Windows Package Manager will be and can be removed. -- If you enable this setting, the default source for the Windows Package Manager will be, and can't be removed. -- If you disable this setting the default source for the Windows Package Manager won't be available. + + + - + - -ADMX Info: -- GP Friendly name: *Enable Windows Package Manager Default Source* -- GP name: *EnableDefaultSource* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* + +## EnableDefaultSource - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableDefaultSource +``` + - -**DesktopAppInstaller/EnableLocalManifestFiles** + + +This policy controls the default source included with the [Windows Package Manager](/windows/package-manager/). - +- If you do not configure this setting, the default source for the [Windows Package Manager](/windows/package-manager/) will be available and can be removed. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you enable this setting, the default source for the [Windows Package Manager](/windows/package-manager/) will be available and cannot be removed. - -
    +- If you disable this setting the default source for the [Windows Package Manager](/windows/package-manager/) will not be available. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableDefaultSource | +| Friendly Name | Enable App Installer Default Source | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableDefaultSource | +| ADMX File Name | DesktopAppInstaller.admx | + + + + + + + + + +## EnableExperimentalFeatures + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableExperimentalFeatures +``` + + + + +This policy controls whether users can enable experimental features in the [Windows Package Manager](/windows/package-manager/). + +- If you enable or do not configure this setting, users will be able to enable experimental features for the [Windows Package Manager](/windows/package-manager/). + +- If you disable this setting, users will not be able to enable experimental features for the [Windows Package Manager](/windows/package-manager/). + + + + +Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableExperimentalFeatures | +| Friendly Name | Enable App Installer Experimental Features | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableExperimentalFeatures | +| ADMX File Name | DesktopAppInstaller.admx | + + + + + + + + + +## EnableHashOverride + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableHashOverride +``` + + + + +This policy controls whether or not the [Windows Package Manager](/windows/package-manager/) can be configured to enable the ability override the SHA256 security validation in settings. + +- If you enable or do not configure this policy, users will be able to enable the ability override the SHA256 security validation in the [Windows Package Manager](/windows/package-manager/) settings. + +- If you disable this policy, users will not be able to enable the ability override the SHA256 security validation in the [Windows Package Manager](/windows/package-manager/) settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableHashOverride | +| Friendly Name | Enable App Installer Hash Override | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableHashOverride | +| ADMX File Name | DesktopAppInstaller.admx | + + + + + + + + + +## EnableLocalManifestFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableLocalManifestFiles +``` + + + + This policy controls whether users can install packages with local manifest files. -- If you enable or don't configure this setting, users will be able to install packages with local manifests using the Windows Package Manager. -- If you disable this setting, users won't be able to install packages with local manifests using the Windows Package Manager. +- If you enable or do not configure this setting, users will be able to install packages with local manifests using the [Windows Package Manager](/windows/package-manager/). - +- If you disable this setting, users will not be able to install packages with local manifests using the [Windows Package Manager](/windows/package-manager/). + - -ADMX Info: -- GP Friendly name: *Enable Windows Package Manager Local Manifest Files* -- GP name: *EnableLocalManifestFiles* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**DesktopAppInstaller/EnableHashOverride** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | EnableLocalManifestFiles | +| Friendly Name | Enable App Installer Local Manifest Files | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableLocalManifestFiles | +| ADMX File Name | DesktopAppInstaller.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## EnableMicrosoftStoreSource -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableMicrosoftStoreSource +``` + -This policy controls whether Windows Package Manager can be configured to enable the ability to override `SHA256` security validation in settings. Windows Package Manager compares the installer after it has downloaded with the hash provided in the manifest. + + +This policy controls the Microsoft Store source included with the [Windows Package Manager](/windows/package-manager/). -- If you enable or do not configure this setting, users will be able to enable the ability to override `SHA256` security validation in Windows Package Manager settings. +- If you do not configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed. -- If you disable this setting, users will not be able to enable the ability to override SHA256 security validation in Windows Package Manager settings. +- If you enable this setting, the Microsoft Store source for the [Windows Package Manager](/windows/package-manager/) will be available and cannot be removed. - +- If you disable this setting the Microsoft Store source for the [Windows Package Manager](/windows/package-manager/) will not be available. + - -ADMX Info: -- GP Friendly name: *Enable App Installer Hash Override* -- GP name: *EnableHashOverride* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**DesktopAppInstaller/EnableMicrosoftStoreSource** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | EnableMicrosoftStoreSource | +| Friendly Name | Enable App Installer Microsoft Store Source | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableMicrosoftStoreSource | +| ADMX File Name | DesktopAppInstaller.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## EnableMSAppInstallerProtocol -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableMSAppInstallerProtocol +``` + -This policy controls the Microsoft Store source included with the Windows Package Manager. -If you don't configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed. -- If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available, and can't be removed. -- If you disable this setting the Microsoft Store source for the Windows Package Manager won't be available. - - - - -ADMX Info: -- GP Friendly name: *Enable Windows Package Manager Microsoft Store Source* -- GP name: *EnableMicrosoftStoreSource* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - - -
    - - -**DesktopAppInstaller/EnableMSAppInstallerProtocol** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy controls whether users can install packages from a website that is using the `ms-appinstaller` protocol. + + +This policy controls whether users can install packages from a website that is using the ms-appinstaller protocol. - If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol. - If you disable this setting, users will not be able to install packages from websites that use this protocol. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableMSAppInstallerProtocol | +| Friendly Name | Enable App Installer ms-appinstaller protocol | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableMSAppInstallerProtocol | +| ADMX File Name | DesktopAppInstaller.admx | + + + + + + + + + +## EnableSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableSettings +``` + + + + +This policy controls whether users can change their settings. + +- If you enable or do not configure this setting, users will be able to change settings for the [Windows Package Manager](/windows/package-manager/). + +- If you disable this setting, users will not be able to change settings for the [Windows Package Manager](/windows/package-manager/). + + + + +The settings are stored inside of a .json file on the user’s system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableSettings | +| Friendly Name | Enable App Installer Settings | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableSettings | +| ADMX File Name | DesktopAppInstaller.admx | + + + + + + + + + +## SourceAutoUpdateInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/SourceAutoUpdateInterval +``` + + + + +This policy controls the auto update interval for package-based sources. + +- If you disable or do not configure this setting, the default interval or the value specified in settings will be used by the [Windows Package Manager](/windows/package-manager/). + +- If you enable this setting, the number of minutes specified will be used by the [Windows Package Manager](/windows/package-manager/). + + + + +The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources. + + + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SourceAutoUpdateInterval | +| Friendly Name | Set App Installer Source Auto Update Interval In Minutes | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| ADMX File Name | DesktopAppInstaller.admx | + - -ADMX Info: -- GP Friendly name: *Enable MS App Installer Protocol* -- GP name: *EnableMSAppInstallerProtocol* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* + + + - - + -
    + + + + + + +## Related articles - -**DesktopAppInstaller/EnableSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy controls whether users can change their settings. The settings are stored inside of a .json file on the user’s system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy. - -- If you enable or do not configure this setting, users will be able to change settings for Windows Package Manager. -- If you disable this setting, users will not be able to change settings for Windows Package Manager. - - - - -ADMX Info: -- GP Friendly name: *Enable Windows Package Manager Settings Command* -- GP name: *EnableSettings* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - - -
    - - -**DesktopAppInstaller/EnableAllowedSources** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy controls additional sources approved for users to configure using Windows Package Manager. If you don't configure this setting, users will be able to add or remove additional sources other than those configured by policy. - -- If you enable this setting, only the sources specified can be added or removed from Windows Package Manager. The representation for each allowed source can be obtained from installed sources using winget source export. -- If you disable this setting, no additional sources can be configured by the user for Windows Package Manager. - - - - -ADMX Info: -- GP Friendly name: *Enable Windows Package Manager Settings Command* -- GP name: *EnableAllowedSources* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - - -
    - - -**DesktopAppInstaller/EnableExperimentalFeatures** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy controls whether users can enable experimental features in Windows Package Manager. Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior. - -- If you enable or do not configure this setting, users will be able to enable experimental features for Windows Package Manager. - -- If you disable this setting, users will not be able to enable experimental features for Windows Package Manager. - - - - -ADMX Info: -- GP Friendly name: *Enable Windows Package Manager Experimental Features* -- GP name: *EnableExperimentalFeatures* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - - -
    - - -**DesktopAppInstaller/SourceAutoUpdateInterval** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy controls the auto-update interval for package-based sources. The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources. - -- If you enable this setting, the number of minutes specified will be used by Windows Package Manager. - -- If you disable or do not configure this setting, the default interval or the value specified in settings will be used by Windows Package Manager. - - - - -ADMX Info: -- GP Friendly name: *Set Windows Package Manager Source Auto Update Interval In Minutes* -- GP name: *SourceAutoUpdateInterval* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - - -
-
-
-
-## Related topics
-
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index c7f637d5a7..03c560a1d3 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -1,259 +1,351 @@
 ---
-title: Policy CSP - DeviceGuard
-description: Learn how to use the Policy CSP - DeviceGuard setting to allow the IT admin to configure the launch of System Guard.
+title: DeviceGuard Policy CSP
+description: Learn more about the DeviceGuard Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 03/01/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - DeviceGuard
+
+
+
-
    + +## ConfigureSystemGuardLaunch - -## DeviceGuard policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -
    -
    - DeviceGuard/ConfigureSystemGuardLaunch -
    -
    - DeviceGuard/EnableVirtualizationBasedSecurity -
    -
    - DeviceGuard/LsaCfgFlags -
    -
    - DeviceGuard/RequirePlatformSecurityFeatures -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceGuard/ConfigureSystemGuardLaunch +``` + + + +Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch. + -
    - - -**DeviceGuard/ConfigureSystemGuardLaunch** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows the IT admin to configure the launch of System Guard. - -Secure Launch configuration: - -- 0 - Unmanaged, configurable by Administrative user -- 1 - Enables Secure Launch if supported by hardware -- 2 - Disables Secure Launch. - + + For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows). + - - -ADMX Info: -- GP Friendly name: *Turn On Virtualization Based Security* -- GP name: *VirtualizationBasedSecurity* -- GP element: *SystemGuardDrop* -- GP path: *System/Device Guard* -- GP ADMX file name: *DeviceGuard.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Unmanaged Configurable by Administrative user. | +| 1 | Unmanaged Enables Secure Launch if supported by hardware. | +| 2 | Unmanaged Disables Secure Launch. | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | VirtualizationBasedSecurity | +| Friendly Name | Turn On Virtualization Based Security | +| Element Name | Secure Launch Configuration. | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| ADMX File Name | DeviceGuard.admx | + - -**DeviceGuard/EnableVirtualizationBasedSecurity** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## EnableVirtualizationBasedSecurity + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Specifies whether Virtualization Based Security is enabled. -> [!div class = "checklist"] -> * Device +Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot, and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices. -
    +Virtualization Based Protection of Code Integrity - - -Turns on virtualization based security(VBS) at the next reboot. Virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. +This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature. - - -ADMX Info: -- GP Friendly name: *Turn On Virtualization Based Security* -- GP name: *VirtualizationBasedSecurity* -- GP path: *System/Device Guard* -- GP ADMX file name: *DeviceGuard.admx* +The "Disabled" option turns off Virtualization Based Protection of Code Integrity remotely if it was previously turned on with the "Enabled without lock" option. - - -The following list shows the supported values: +The "Enabled with UEFI lock" option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI. -- 0 (default) - disable virtualization based security. -- 1 - enable virtualization based security. +The "Enabled without lock" option allows Virtualization Based Protection of Code Integrity to be disabled remotely by using Group Policy. - - +The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified. -
    +The "Require UEFI Memory Attributes Table" option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity which in some cases can lead to crashes or data loss or incompatibility with certain plug-in cards. If not setting this option the targeted devices should be tested to ensure compatibility. - -**DeviceGuard/LsaCfgFlags** +> [!WARNING] +> All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible. - +Credential Guard -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials. +For Windows 11 21. H2 and earlier, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option. For later versions, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option or was "Not Configured". - -
    +The "Enabled with UEFI lock" option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +The "Enabled without lock" option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511). -> [!div class = "checklist"] -> * Device +For Windows 11 21. H2 and earlier, the "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified. For later versions, if there is no current setting in the registry, the "Not Configured" option will enable Credential Guard without UEFI lock. -
    +Secure Launch - - +This setting sets the configuration of Secure Launch to secure the boot chain. + +The "Not Configured" setting is the default, and allows configuration of the feature by Administrative users. + +The "Enabled" option turns on Secure Launch on supported hardware. + +The "Disabled" option turns off Secure Launch, regardless of hardware support. + +Kernel-mode Hardware-enforced Stack Protection + +This setting enables Hardware-enforced Stack Protection for kernel-mode code. When this security feature is enabled, kernel-mode data stacks are hardened with hardware-based shadow stacks, which store intended return address targets to ensure that program control flow is not tampered. + +This security feature has the following prerequisites: +1) The CPU hardware supports hardware-based shadow stacks. +2) Virtualization Based Protection of Code Integrity is enabled. + +If either prerequisite is not met, this feature will not be enabled, even if an "Enabled" option is selected for this feature. **Note** that selecting an "Enabled" option for this feature will not automatically enable Virtualization Based Protection of Code Integrity, that needs to be done separately. + +Devices that enable this security feature must be running at least Windows 11 (Version 22. H2). + +The "Disabled" option turns off kernel-mode Hardware-enforced Stack Protection. + +The "Enabled in audit mode" option enables kernel-mode Hardware-enforced Stack Protection in audit mode, where shadow stack violations are not fatal and will be logged to the system event log. + +The "Enabled in enforcement mode" option enables kernel-mode Hardware-enforced Stack Protection in enforcement mode, where shadow stack violations are fatal. + +The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified. 
+ +> [!WARNING] +> All drivers on the system must be compatible with this security feature or the system may crash in enforcement mode. Audit mode can be used to discover incompatible drivers. For more information, see [A driver can't load on this device](https://go.microsoft.com/fwlink/?LinkId=2162953). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disable virtualization based security. | +| 1 | Enable virtualization based security. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | VirtualizationBasedSecurity | +| Friendly Name | Turn On Virtualization Based Security | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| Registry Value Name | EnableVirtualizationBasedSecurity | +| ADMX File Name | DeviceGuard.admx | + + + + + + + + + +## LsaCfgFlags + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags +``` + + + + +Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock. | +| 1 | (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock. | +| 2 | (Enabled without lock) Turns on Credential Guard without UEFI lock. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | VirtualizationBasedSecurity | +| Friendly Name | Turn On Virtualization Based Security | +| Element Name | Credential Guard Configuration. | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| ADMX File Name | DeviceGuard.admx | + + + + + + + + + +## RequirePlatformSecurityFeatures + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeatures +``` + + + + +Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support. + + + + This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. + - - -ADMX Info: -- GP Friendly name: *Turn On Virtualization Based Security* -- GP name: *VirtualizationBasedSecurity* -- GP element: *CredentialIsolationDrop* -- GP path: *System/Device Guard* -- GP ADMX file name: *DeviceGuard.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 (default) - (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock. -- 1 - (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock. -- 2 - (Enabled without lock) Turns on Credential Guard without UEFI lock. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 1 (Default) | Turns on VBS with Secure Boot. | +| 3 | Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support. | + -
    + +**Group policy mapping**: - -**DeviceGuard/RequirePlatformSecurityFeatures** +| Name | Value | +|:--|:--| +| Name | VirtualizationBasedSecurity | +| Friendly Name | Turn On Virtualization Based Security | +| Element Name | Select Platform Security Level. | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| ADMX File Name | DeviceGuard.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device - -
    - - - -This setting specifies the platform security level at the next reboot. Value type is integer. - - - -ADMX Info: -- GP Friendly name: *Turn On Virtualization Based Security* -- GP name: *VirtualizationBasedSecurity* -- GP element: *RequirePlatformSecurityFeaturesDrop* -- GP path: *System/Device Guard* -- GP ADMX file name: *DeviceGuard.admx* - - - -The following list shows the supported values: - -- 1 (default) - Turns on VBS with Secure Boot. -- 3 - Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support. - - - -
    - - - - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 9b12315551..cd689bed30 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -1,189 +1,208 @@ --- -title: Policy CSP - DeviceHealthMonitoring -description: Learn how the Policy CSP - DeviceHealthMonitoring setting is used as an opt-in health monitoring connection between the device and Microsoft. +title: DeviceHealthMonitoring Policy CSP +description: Learn more about the DeviceHealthMonitoring Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - DeviceHealthMonitoring + + + + +## AllowDeviceHealthMonitoring -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - -## DeviceHealthMonitoring policies + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring +``` + -
    -
    - DeviceHealthMonitoring/AllowDeviceHealthMonitoring -
    -
    - DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope -
    -
    - DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination -
    -
    + + +Enable/disable 4. Nines device health monitoring on devices. + - -
    - - -**DeviceHealthMonitoring/AllowDeviceHealthMonitoring** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + DeviceHealthMonitoring is an opt-in health monitoring connection between the device and Microsoft. You should enable this policy only if your organization is using a Microsoft device monitoring service that requires it. + - - -The following list shows the supported values: + +**Description framework properties**: -- 1 -The DeviceHealthMonitoring connection is enabled. -- 0 - (default)—The DeviceHealthMonitoring connection is disabled. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 1 | The DeviceHealthMonitoring connection is enabled. | +| 0 (Default) | The DeviceHealthMonitoring connection is disabled. | + - - + + + -
    + - -**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope** + +## ConfigDeviceHealthMonitoringScope - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope +``` + + + +If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which types of events are monitored. + - -
    + + +This policy is applicable only if the [AllowDeviceHealthMonitoring](#allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. This policy modifies which health events are sent to Microsoft on the DeviceHealthMonitoring connection. IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringScope_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + -
    + + + - - -This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. -This policy modifies which health events are sent to Microsoft on the DeviceHealthMonitoring connection. -IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service. + + +## ConfigDeviceHealthMonitoringServiceInstance - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringServiceInstance +``` + - - + + +If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which service instance to which events are to be uploaded. + - - + + + -
    + +**Description framework properties**: - -**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringServiceInstance_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## ConfigDeviceHealthMonitoringUploadDestination - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination +``` + -> [!div class = "checklist"] -> * Device + + +If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which destinations are in-scope for monitored events to be uploaded. + -
    - - - -This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. + + +This policy is applicable only if the [AllowDeviceHealthMonitoring](#allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. The value of this policy constrains the DeviceHealthMonitoring connection to certain destinations in order to support regional and sovereign cloud scenarios. In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked. Configure this policy manually only when explicitly instructed to do so by a Microsoft device monitoring service. + + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringUploadDestination_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + - - + + + - - + - - -
    + + + + +## Related articles - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index de68aa4b4e..0696c7e877 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -1,135 +1,100 @@ --- -title: Policy CSP - DeviceInstallation -ms.reviewer: +title: DeviceInstallation Policy CSP +description: Learn more about the DeviceInstallation Area in Policy CSP. +author: vinaypamnani-msft manager: aaroncz -description: Use the Policy CSP - DeviceInstallation setting to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. ms.author: vinpa -ms.date: 09/27/2019 -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium +ms.topic: reference --- + + + # Policy CSP - DeviceInstallation ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -
    - - -## DeviceInstallation policies - -
    -
    - DeviceInstallation/AllowInstallationOfMatchingDeviceIDs -
    -
    - DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs -
    -
    - DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses -
    -
    - DeviceInstallation/EnableInstallationPolicyLayering -
    -
    - DeviceInstallation/PreventDeviceMetadataFromNetwork -
    -
    - DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings -
    -
    - DeviceInstallation/PreventInstallationOfMatchingDeviceIDs -
    -
    - DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs -
    -
    - DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses -
    -
    - - -
    - - -### DeviceInstallation/AllowInstallationOfMatchingDeviceIDs - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to specify a list of plug-and-play hardware IDs and compatible IDs for devices that Windows is allowed to install. - > [!TIP] -> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## AllowInstallationOfMatchingDeviceIDs + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceIDs +``` + + + + +This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: +- Prevent installation of devices that match these device IDs +- Prevent installation of devices that match any of these device instance IDs +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. -- Prevent installation of devices that match these device IDs. -- Prevent installation of devices that match any of these device instance IDs. 
+NOTE: The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. -If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. +Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). -> [!NOTE] -> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. 
+- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). - -If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. - -If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. +- If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. + + + Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. 
For example, test multiple USB keys rather than only one. + + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Allow installation of devices that match any of these device IDs* -- GP name: *DeviceInstall_IDs_Allow* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_IDs_Allow | +| Friendly Name | Allow installation of devices that match any of these device IDs | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | AllowDeviceIDs | +| ADMX File Name | DeviceInstallation.admx | + + + + +**Example**: - - To enable this policy, use the following SyncML. This example allows Windows to install compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `` as a delimiter. - ```xml @@ -157,79 +122,77 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and <<< Section end 2018/11/15 12:26:41.751 <<< [Exit status: SUCCESS] ``` - - + - - + -
    + +## AllowInstallationOfMatchingDeviceInstanceIDs - -### DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. - -> [!TIP] -> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. + + +This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: +- Prevent installation of devices that match any of these device instance IDs +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. -- Prevent installation of devices that match any of these device instance IDs. 
- -If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. - -> [!NOTE] -> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. +NOTE: The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). 
-If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. +- If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. + + + Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Allow installation of devices that match any of these device instance IDs* -- GP name: *DeviceInstall_Instance_IDs_Allow* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Instance_IDs_Allow | +| Friendly Name | Allow installation of devices that match any of these device instance IDs | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | AllowInstanceIDs | +| ADMX File Name | DeviceInstallation.admx | + + + + +**Example**: - - To enable this policy, use the following SyncML. ``` xml @@ -250,88 +213,90 @@ To enable this policy, use the following SyncML.
    ``` + +**Verify**: + To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: + ``` txt >>> [Device Installation Restrictions Policy Check] >>> Section start 2018/11/15 12:26:41.659 <<< Section end 2018/11/15 12:26:41.751 <<< [Exit status: SUCCESS] ``` - - + - - + -
    + +## AllowInstallationOfMatchingDeviceSetupClasses - -### DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is allowed to install. - -> [!TIP] -> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. + + +This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is allowed to install. This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. 
When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: - - Prevent installation of devices for these device classes - Prevent installation of devices that match these device IDs - Prevent installation of devices that match any of these device instance IDs +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. -If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. - -> [!NOTE] -> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. 
+NOTE: The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). -If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. 
+- If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. + + + Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Allow installation of devices using drivers that match these device setup classes* -- GP name: *DeviceInstall_Classes_Allow* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Classes_Allow | +| Friendly Name | Allow installation of devices using drivers that match these device setup classes | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | AllowDeviceClasses | +| ADMX File Name | DeviceInstallation.admx | + + + + +**Example**: - - To enable this policy, use the following SyncML. 
This example allows Windows to install: - Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318} @@ -340,7 +305,6 @@ To enable this policy, use the following SyncML. This example allows Windows to Enclose the class GUID within curly brackets {}. To configure multiple classes, use `` as a delimiter. - ```xml @@ -360,8 +324,9 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes, ``` -To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: +**Verify**: +To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check] @@ -369,82 +334,89 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and <<< Section end 2018/11/15 12:26:41.751 <<< [Exit status: SUCCESS] ``` - - + - - + -
    + +## EnableInstallationPolicyLayering - -### DeviceInstallation/EnableInstallationPolicyLayering + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.256] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.2145] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1714] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1151] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/EnableInstallationPolicyLayering +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -Added in Windows 10, Version 2106 -
    - - - + + This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows: Device instance IDs > Device IDs > Device setup class > Removable devices -**Device instance IDs** +Device instance IDs -- Prevent installation of devices using drivers that match these device instance IDs. -- Allow installation of devices using drivers that match these device instance IDs. +1. Prevent installation of devices using drivers that match these device instance IDs +2. Allow installation of devices using drivers that match these device instance IDs -**Device IDs** -- Prevent installation of devices using drivers that match these device IDs. -- Allow installation of devices using drivers that match these device IDs. +Device IDs -**Device setup class** -- Prevent installation of devices using drivers that match these device setup classes. -- Allow installation of devices using drivers that match these device setup classes. +3. Prevent installation of devices using drivers that match these device IDs +4. Allow installation of devices using drivers that match these device IDs -**Removable devices** -- Prevent installation of removable devices. +Device setup class -> [!NOTE] -> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. 
If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. +5. Prevent installation of devices using drivers that match these device setup classes +6. Allow installation of devices using drivers that match these device setup classes -If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. +Removable devices - +7. Prevent installation of removable devices +NOTE: This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. - -ADMX Info: -- GP Friendly name: *Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria* -- GP name: *DeviceInstall_Allow_Deny_Layered* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* +- If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. + - - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Allow_Deny_Layered | +| Friendly Name | Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | AllowDenyLayered | +| ADMX File Name | DeviceInstallation.admx | + + + + +**Example**: - - ```xml @@ -464,6 +436,8 @@ ADMX Info: ``` +**Verify**: + To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ```txt @@ -476,127 +450,132 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and You can also change the evaluation order of device installation policy settings by using a custom profile in Intune. :::image type="content" source="images/edit-row.png" alt-text="This image is an edit row image."::: + - - + - - -
    + +## PreventDeviceMetadataFromNetwork - -### DeviceInstallation/PreventDeviceMetadataFromNetwork + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventDeviceMetadataFromNetwork +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. -If you enable this policy setting, Windows doesn't retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab). +- If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab). -If you disable or don't configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. +- If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent device metadata retrieval from the Internet* -- GP name: *DeviceMetadata_PreventDeviceMetadataFromNetwork* -- GP path: *System/Device Installation* -- GP ADMX file name: *DeviceSetup.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- - +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | DeviceMetadata_PreventDeviceMetadataFromNetwork | +| Friendly Name | Prevent device metadata retrieval from the Internet | +| Location | Computer Configuration | +| Path | System > Device Installation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Device Metadata | +| Registry Value Name | PreventDeviceMetadataFromNetwork | +| ADMX File Name | DeviceSetup.admx | + - - + + + -
    + - -### DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + +## PreventInstallationOfDevicesNotDescribedByOtherPolicySettings - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings +``` + + + +This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting. - -
    +NOTE: This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that is not described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting. -> [!div class = "checklist"] -> * Device +- If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting. + -
    + + + - - -This policy setting allows you to prevent the installation of devices that aren't described by any other policy setting. + +**Description framework properties**: -> [!NOTE] -> This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that isn't described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you disable or don't configure this policy setting, Windows is allowed to install or update the driver package for any device that isn't described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting. 
+**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Unspecified_Deny | +| Friendly Name | Prevent installation of devices not described by other policy settings | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | DenyUnspecified | +| ADMX File Name | DeviceInstallation.admx | + + + +**Example**: - -ADMX Info: -- GP Friendly name: *Prevent installation of devices not described by other policy settings* -- GP name: *DeviceInstall_Unspecified_Deny* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* - - - - - - To enable this policy, use the following SyncML. This example prevents Windows from installing devices that aren't described by any other policy setting. - ```xml @@ -616,6 +595,8 @@ To enable this policy, use the following SyncML. This example prevents Windows f ``` +**Verify**: + To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ```txt @@ -628,71 +609,73 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i You can also block installation by using a custom profile in Intune. ![Custom profile prevent devices.](images/custom-profile-prevent-other-devices.png) - - + - - + -
    + +## PreventInstallationOfMatchingDeviceIDs - -### DeviceInstallation/PreventInstallationOfMatchingDeviceIDs + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. -> [!NOTE] -> To enable the "Allow installation of devices that match any of these device instance IDs" policy setting to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. +NOTE: To enable the "Allow installation of devices that match any of these device instance IDs" policy setting to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. -If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +- If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. +- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. +- If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. 
+ + + Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Prevent installation of devices that match any of these device IDs* -- GP name: *DeviceInstall_IDs_Deny* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: - - -
    -To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use &#xF000; as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true. +| Name | Value | +|:--|:--| +| Name | DeviceInstall_IDs_Deny | +| Friendly Name | Prevent installation of devices that match any of these device IDs | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | DenyDeviceIDs | +| ADMX File Name | DeviceInstallation.admx | + + + +**Example**: + +To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `&#xF000;` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true. ```xml @@ -713,6 +696,8 @@ To enable this policy, use the following SyncML. This example prevents Windows f ``` +**Verify**: + To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ```txt @@ -727,65 +712,70 @@ You can also block installation and usage of prohibited peripherals by using a c For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USB\Composite" and "USB\Class_FF", and applies to USB devices with matching hardware IDs that are already installed. ![Custom profile prevent device ids.](images/custom-profile-prevent-device-ids.png) - - + - - + -
    + +## PreventInstallationOfMatchingDeviceInstanceIDs - -### DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. -If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +- If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. +- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. +- If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. + + + Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. 
+ - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Prevent installation of devices that match any of these device instance IDs* -- GP name: *DeviceInstall_Instance_IDs_Deny* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Instance_IDs_Deny | +| Friendly Name | Prevent installation of devices that match any of these device instance IDs | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | DenyInstanceIDs | +| ADMX File Name | DeviceInstallation.admx | + + + + +**Example**: - - To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with device instance IDs of USB\VID_1F75 and USB\VID_0781. To configure multiple classes, use `` as a delimiter. ``` xml @@ -806,6 +796,9 @@ To enable this policy, use the following SyncML. This example prevents Windows f
    ``` + +**Verify**: + To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ``` txt @@ -824,78 +817,78 @@ For example, this custom profile prevents installation of devices with matching To prevent installation of devices with matching device instance IDs by using custom profile in Intune: 1. Locate the device instance ID. -2. Replace `&` in the device instance IDs with `&`. -For example: -Replace -```USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0``` -with -```USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0``` - > [!Note] - > don't use spaces in the value. -3. Replace the device instance IDs with `&` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile. +1. Replace `&` in the device instance IDs with `&`. For example: Replace `USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0` with `USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0`. - - + > [!NOTE] + > Don't use spaces in the value. - - +1. Replace the device instance IDs with `&` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile. + -
    + - -### DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses + +## PreventInstallationOfMatchingDeviceSetupClasses - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses +``` + - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. -> [!NOTE] -> To enable the "Allow installation of devices that match any of these device IDs" and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. +NOTE: To enable the "Allow installation of devices that match any of these device IDs" and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. -If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +- If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. +- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or don't configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. 
+- If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. + + + Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Prevent installation of devices using drivers that match these device setup classes* -- GP name: *DeviceInstall_Classes_Deny* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Classes_Deny | +| Friendly Name | Prevent installation of devices using drivers that match these device setup classes | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | DenyDeviceClasses | +| ADMX File Name | DeviceInstallation.admx | + + + + +**Example**: - - To enable this policy, use the following SyncML. This example prevents Windows from installing: - Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318} 
@@ -924,6 +917,8 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes, ``` +**Verify**: + To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ```txt @@ -932,17 +927,16 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i <<< Section end 2018/11/15 12:26:41.751 <<< [Exit status: SUCCESS] ``` - - + - - -
    + + + + + - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index fc07d7068e..9645d243cd 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -1,727 +1,865 @@ --- -title: Policy CSP - DeviceLock -description: Learn how to use the Policy CSP - DeviceLock setting to specify whether the user must input a PIN or password when the device resumes from an idle state. +title: DeviceLock Policy CSP +description: Learn more about the DeviceLock Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 05/16/2022 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - DeviceLock -
    +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## DeviceLock policies - -
    -
    - DeviceLock/AllowIdleReturnWithoutPassword -
    -
    - DeviceLock/AllowSimpleDevicePassword -
    -
    - DeviceLock/AllowScreenTimeoutWhileLockedUserConfig -
    -
    - DeviceLock/AlphanumericDevicePasswordRequired -
    -
    - DeviceLock/DevicePasswordEnabled -
    -
    - DeviceLock/DevicePasswordExpiration -
    -
    - DeviceLock/DevicePasswordHistory -
    -
    - DeviceLock/EnforceLockScreenAndLogonImage -
    -
    - DeviceLock/MaxDevicePasswordFailedAttempts -
    -
    - DeviceLock/MaxInactivityTimeDeviceLock -
    -
    - DeviceLock/MinDevicePasswordComplexCharacters -
    -
    - DeviceLock/MinDevicePasswordLength -
    -
    - DeviceLock/MinimumPasswordAge -
    -
    - DeviceLock/PreventEnablingLockScreenCamera -
    -
    - DeviceLock/PreventLockScreenSlideShow -
    -
    - - -
    - -> [!Important] + + +> [!IMPORTANT] > The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types). + - -**DeviceLock/AllowIdleReturnWithoutPassword** + +## AllowIdleReturnWithoutPassword - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/AllowIdleReturnWithoutPassword +``` + + + +Specifies whether the user must input a PIN or password when the device resumes from an idle state. + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + > [!NOTE] > Currently, this policy is supported only in HoloLens 2, HoloLens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. -Specifies whether the user must input a PIN or password when the device resumes from an idle state. - > [!NOTE] > This policy must be wrapped in an Atomic command. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – Not allowed. -- 1 (default) – Allowed. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [DeviceLock_AllowIdleReturnWithoutPassword_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -**DeviceLock/AllowSimpleDevicePassword** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AllowScreenTimeoutWhileLockedUserConfig + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/AllowScreenTimeoutWhileLockedUserConfig +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -> [!NOTE] -> This policy must be wrapped in an Atomic command. + +**Allowed values**: +| Value | Description | +|:--|:--| +| 1 | Allow. | +| 0 (Default) | Block. | + + + + + + + + + +## AllowSimpleDevicePassword + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/AllowSimpleDevicePassword +``` + + + + +Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords. + + + + For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). - - -The following list shows the supported values: - -- 0 (default) – Blocked -- 1 – Allowed - - - - -
    - - -**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**DeviceLock/AlphanumericDevicePasswordRequired** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Determines the type of PIN required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required). - > [!NOTE] > This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education). + + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [DeviceLock_AllowSimpleDevicePassword_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AlphanumericDevicePasswordRequired + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/AlphanumericDevicePasswordRequired +``` + + + + +Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 + + + + > [!NOTE] > If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1. -> > If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2. - - -The following list shows the supported values: - -- 0 – Password or Alphanumeric PIN required. -- 1 – Password or Numeric PIN required. -- 2 (default) – Password, Numeric PIN, or Alphanumeric PIN required. - - - - -
    - - -**DeviceLock/DevicePasswordEnabled** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether device lock is enabled. - > [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions. +> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education). + + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | +| Dependency [DeviceLock_AlphanumericDevicePasswordRequired_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Password or Alphanumeric PIN required. | +| 1 | Password or Numeric PIN required. | +| 2 (Default) | Password, Numeric PIN, or Alphanumeric PIN required. | + + + + + + + + + +## ClearTextPassword + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/ClearTextPassword +``` + + + + +Store passwords using reversible encryption +This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information. This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Store passwords using reversible encryption | +| Path | Windows Settings > Security Settings > Account Policies > Password Policy | + + + + + + + + + +## DevicePasswordEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled +``` + + + + +Specifies whether device lock is enabled. + + + + +> [!NOTE] +> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions. > [!IMPORTANT] > The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect: > -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MaxDevicePasswordFailedAttempts -> - MaxInactivityTimeDeviceLock -> - MinDevicePasswordComplexCharacters -  - -> [!IMPORTANT] +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MaxDevicePasswordFailedAttempts +> - MaxInactivityTimeDeviceLock +> - MinDevicePasswordComplexCharacters +> > If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set: > -> - MinDevicePasswordLength is set to 4 -> - MinDevicePasswordComplexCharacters is set to 1 +> - MinDevicePasswordLength is set to 4 +> - MinDevicePasswordComplexCharacters is set to 1 > > If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0: > -> - MinDevicePasswordLength -> - MinDevicePasswordComplexCharacters +> - MinDevicePasswordLength +> - MinDevicePasswordComplexCharacters +> +> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for backward compatibility with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. 
When disabling **DevicePasswordEnabled** (1), it should be the only policy set from the DeviceLock group of policies listed below: +> +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MinDevicePasswordComplexCharacters +> - DevicePasswordExpiration +> - DevicePasswordHistory +> - MaxDevicePasswordFailedAttempts +> - MaxInactivityTimeDeviceLock + -> [!Important] -> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below: -> - **DevicePasswordEnabled** is the parent policy of the following: -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MinDevicePasswordComplexCharacters -> - DevicePasswordExpiration -> - DevicePasswordHistory -> - MaxDevicePasswordFailedAttempts -> - MaxInactivityTimeDeviceLock + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 (default) – Enabled -- 1 – Disabled + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Enabled. | +| 1 (Default) | Disabled. | + -
    + + + - -**DeviceLock/DevicePasswordExpiration** + - + +## DevicePasswordExpiration -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordExpiration +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Specifies when the password expires (in days). + -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - - + + If all policy values = 0, then 0; otherwise, Min policy value is the most secure value. For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). - - -The following list shows the supported values: - -- An integer X where 0 <= X <= 730. -- 0 (default) - Passwords don't expire. - - - - -
    - - -**DeviceLock/DevicePasswordHistory** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies how many passwords can be stored in the history that can’t be used. - > [!NOTE] > This policy must be wrapped in an Atomic command. + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-730]` | +| Default Value | 0 | +| Dependency [DeviceLock_DevicePasswordExpiration_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +## DevicePasswordHistory + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordHistory +``` + + + + +Specifies how many passwords can be stored in the history that can't be used. + + + + The value includes the user's current password. This value denotes that with a setting of 1, the user can't reuse their current password when choosing a new password, while a setting of 5 means that a user can't set their new password to their current password or any of their previous four passwords. Max policy value is the most restricted. For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). - - -The following list shows the supported values: - -- An integer X where 0 <= X <= 50. -- 0 (default) - - - - -
    - - -**DeviceLock/EnforceLockScreenAndLogonImage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies the default lock screen and sign-in image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and sign-in screens. Users won't be able to change this image. - -> [!NOTE] -> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro. - - -Value type is a string, which is the full image filepath and filename. - - - - -
    - - -**DeviceLock/MaxDevicePasswordFailedAttempts** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. - > [!NOTE] > This policy must be wrapped in an Atomic command. + + +**Description framework properties**: -On a client device, when the user reaches the value set by this policy, it isn't wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker isn't enabled, then the policy can't be enforced. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-50]` | +| Default Value | 0 | +| Dependency [DeviceLock_DevicePasswordHistory_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + - Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. + + + + -Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. + +## EnforceLockScreenAndLogonImage -For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/EnforceLockScreenAndLogonImage +``` + -- An integer X where 4 <= X <= 16 for client devices. -- 0 (default) - The device is never wiped after an incorrect PIN or password is entered. + + +Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. Value type is a string, which is the full image filepath and filename. + - - + + + -
    + +**Description framework properties**: - -**DeviceLock/MaxInactivityTimeDeviceLock** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## EnforceLockScreenProvider - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/EnforceLockScreenProvider +``` + -> [!div class = "checklist"] -> * Device + + + -
    + + + - - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## MaxDevicePasswordFailedAttempts + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxDevicePasswordFailedAttempts +``` + + + + +The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality + +> [!NOTE] +> This policy must be wrapped in an Atomic command. This policy has different behaviors on the mobile device and desktop. On a mobile device, when the user reaches the value set by this policy, then the device is wiped. On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-999]` | +| Default Value | 0 | +| Dependency [DeviceLock_MaxDevicePasswordFailedAttempts_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +## MaximumPasswordAge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaximumPasswordAge +``` + + + + +This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days + +> [!NOTE] +> It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources. Default 42. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-999]` | +| Default Value | 1 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Maximum password age | +| Path | Windows Settings > Security Settings > Account Policies > Password Policy | + + + + + + + + + +## MaxInactivityTimeDeviceLock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock +``` + + + + + + + + Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy. > [!NOTE] > This policy must be wrapped in an Atomic command. + + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-999]` | +| Default Value | 0 | +| Dependency [DeviceLock_MaxInactivityTimeDeviceLock_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + -For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). + + + - - -The following list shows the supported values: + -- An integer X where 0 <= X <= 999. -- 0 (default) - No timeout is defined. + +## MaxInactivityTimeDeviceLockWithExternalDisplay - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay +``` + - -**DeviceLock/MinDevicePasswordComplexCharacters** + + +Sets the maximum timeout value for the external display. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-999]` | +| Default Value | 0 | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## MinDevicePasswordComplexCharacters -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordComplexCharacters +``` + + + + The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. + -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions. - -PIN enforces the following behavior for client devices: - -- 1 - Digits only -- 2 - Digits and lowercase letters are required -- 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. -- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or HoloLens. - -The default value is 1. The following list shows the supported values and actual enforced values: - -|Account Type|Supported Values|Actual Enforced Values| -|--- |--- |--- | -|Local Accounts|1,2,3|3| -|Microsoft Accounts|1,2|<p2| -|Domain Accounts|Not supported|Not supported| + + +The following list shows the supported values and actual enforced values: +| Account Type | Supported Values | Actual Enforced Values | +|--------------------|------------------|------------------------| +| Local Accounts | 1,2,3 | 3 | +| Microsoft Accounts | 1,2 | <p2 | +| Domain Accounts | Not supported | Not supported | Enforced values for Local and Microsoft Accounts: -- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3. 
-- Passwords for local accounts must meet the following minimum requirements: - - - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters - - Be at least six characters in length - - Contain characters from three of the following four categories: - - - English uppercase characters (A through Z) - - English lowercase characters (a through z) - - Base 10 digits (0 through 9) - - Special characters (!, $, \#, %, etc.) +- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3. +- Passwords for local accounts must meet the following minimum requirements: + - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters + - Be at least six characters in length + - Contain characters from three of the following four categories: + - English uppercase characters (A through Z) + - English lowercase characters (a through z) + - Base 10 digits (0 through 9) + - Special characters (!, $, \#, %, etc.) The enforcement of policies for Microsoft accounts happens on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant. For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - -
    - - -**DeviceLock/MinDevicePasswordLength** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies the minimum number or characters required in the PIN or password. - > [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions. +> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions. + + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [DeviceLock_MinDevicePasswordComplexCharacters_DependencyGroup] | Dependency Type: `DependsOn DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled Device/Vendor/MSFT/Policy/Config/DeviceLock/AlphanumericDevicePasswordRequired`
    Dependency Allowed Value: `[0] [0]`
    Dependency Allowed Value Type: `Range Range`
    | + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Digits only. | +| 2 | Digits and lowercase letters are required. | +| 3 | Digits lowercase letters and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. | +| 4 | Digits lowercase letters uppercase letters and special characters are required. Not supported in desktop. | + + + + + + + + + +## MinDevicePasswordLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength +``` + + + + +Specifies the minimum number or characters required in the PIN or password. + + + + Max policy value is the most restricted. For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - -The following list shows the supported values: +> [!NOTE] +> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions. + -- An integer X where 4 <= X <= 16 for client devices. However, local accounts will always enforce a minimum password length of 6. -- Not enforced. -- The default value is 4 for client devices. + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[4-16]` | +| Default Value | 4 | +| Dependency [DeviceLock_MinDevicePasswordLength_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + + +**Example**: - - The following example shows how to set the minimum password length to 4 characters. ```xml @@ -743,168 +881,341 @@ The following example shows how to set the minimum password length to 4 characte ``` - - + -
    + - -**DeviceLock/MinimumPasswordAge** + +## MinimumPasswordAge - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordAge +``` + + + +This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-998]` | +| Default Value | 1 | + -
    + +**Group policy mapping**: - - -This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. +| Name | Value | +|:--|:--| +| Name | Minimum password age | +| Path | Windows Settings > Security Settings > Account Policies > Password Policy | + -The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. + + + -Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting doesn't follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user doesn't have to choose a new password. For this reason, Enforce password history is set to 1 by default. + - - -GP Info: -- GP Friendly name: *Minimum password age* -- GP path: *Windows Settings/Security Settings/Account Policies/Password Policy* + +## PasswordComplexity - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/PasswordComplexity +``` + - -**DeviceLock/PreventEnablingLockScreenCamera** + + + - + + +Password must meet complexity requirements. This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters +- Be at least six characters in length +- Contain characters from three of the following four categories: + - English uppercase characters (A through Z) + - English lowercase characters (a through z) + - Base 10 digits (0 through 9) + - Non-alphabetic characters (for example, !, $, #, %) +Complexity requirements are enforced when passwords are changed or created. + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + -> [!div class = "checklist"] -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Password must meet complexity requirements | +| Path | Windows Settings > Security Settings > Account Policies > Password Policy | + - - -Disables the lock screen camera toggle-switch in PC Settings and prevents a camera from being invoked on the lock screen. + + + + + + + +## PasswordHistorySize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/PasswordHistorySize +``` + + + + +Minimum password length +This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required + +> [!NOTE] +> By default, member computers follow the configuration of their domain controllers. Default 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-24]` | +| Default Value | 7 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Minimum password length | +| Path | Windows Settings > Security Settings > Account Policies > Password Policy | + + + + + + + + + +## PreventEnablingLockScreenCamera + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/PreventEnablingLockScreenCamera +``` + + + + +Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. -If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera can't be invoked on the lock screen. +- If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be invoked on the lock screen. + - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- -ADMX Info: -- GP Friendly name: *Prevent enabling lock screen camera* -- GP name: *CPL_Personalization_NoLockScreenCamera* -- GP path: *Control Panel/Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoLockScreenCamera | +| Friendly Name | Prevent enabling lock screen camera | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoLockScreenCamera | +| ADMX File Name | ControlPanelDisplay.admx | + -
    + + + - -**DeviceLock/PreventLockScreenSlideShow** + - + +## PreventLockScreenSlideShow -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/PreventLockScreenSlideShow +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Disables the lock screen slideshow settings in PC Settings and prevents a slide show from playing on the lock screen. + + +Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. -If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. +- If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. + - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- -ADMX Info: -- GP Friendly name: *Prevent enabling lock screen slide show* -- GP name: *CPL_Personalization_NoLockScreenSlideshow* -- GP path: *Control Panel/Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoLockScreenSlideshow | +| Friendly Name | Prevent enabling lock screen slide show | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoLockScreenSlideshow | +| ADMX File Name | ControlPanelDisplay.admx | + -
    + + + + + +## ScreenTimeoutWhileLocked - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -## Related topics + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/ScreenTimeoutWhileLocked +``` + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + +Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[10-1800]` | +| Default Value | 10 | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 8e0295af7e..5c610c1946 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -1,118 +1,105 @@ --- -title: Policy CSP - Display -description: Learn how to use the Policy CSP - Display setting to disable Per-Process System DPI for a semicolon-separated list of applications. +title: Display Policy CSP +description: Learn more about the Display Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Display -
    + + + - -## Display policies + +## DisablePerProcessDpiForApps -
    -
    - Display/DisablePerProcessDpiForApps -
    -
    - Display/EnablePerProcessDpi -
    -
    - Display/EnablePerProcessDpiForApps -
    -
    - Display/TurnOffGdiDPIScalingForApps -
    -
    - Display/TurnOnGdiDPIScalingForApps -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/Display/DisablePerProcessDpiForApps +``` + -
    - - -**Display/DisablePerProcessDpiForApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. + - - -ADMX Info: -- GP Friendly name: *Configure Per-Process System DPI settings* -- GP name: *DisplayPerProcessSystemDpiSettings* -- GP element: *DisplayDisablePerProcessSystemDpiSettings* -- GP path: *System/Display* -- GP ADMX file name: *Display.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Display/EnablePerProcessDpi** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisplayPerProcessSystemDpiSettings | +| Friendly Name | Configure Per-Process System DPI settings | +| Element Name | Disable Per-Process System DPI for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. | +| Location | Computer and User Configuration | +| Path | System > Display | +| Registry Key Name | Software\Policies\Microsoft\Windows\Display | +| ADMX File Name | Display.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## EnablePerProcessDpi - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * User -> * Device + +```User +./User/Vendor/MSFT/Policy/Config/Display/EnablePerProcessDpi +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/Display/EnablePerProcessDpi +``` + - - + + +Enable or disable Per-Process System DPI for all applications. + + + + Per Process System DPI is an application compatibility feature for desktop applications that don't render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that haven't been updated to display properly in this scenario will be blurry until you sign out and back in to Windows. When you enable this policy some blurry applications will be crisp after they're restarted, without requiring the user to sign out and back in to Windows. 
@@ -126,100 +113,122 @@ Per Process System DPI won't work for all applications as some older desktop app In some cases, you may see some unexpected behavior in some desktop applications that have Per-Process System DPI applied. If that happens, Per Process System DPI should be disabled. Enabling this setting lets you specify the system-wide default for desktop applications and per-application overrides. If you disable or don't configure this setting, Per Process System DPI won't apply to any processes on the system. + - - -ADMX Info: -- GP Friendly name: *Configure Per-Process System DPI settings* -- GP name: *DisplayPerProcessSystemDpiSettings* -- GP element: *DisplayGlobalPerProcessSystemDpiSettings* -- GP path: *System/Display* -- GP ADMX file name: *Display.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + -- 0 - Disable. -- 1 - Enable. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Disable. | +| 1 | Enable. | + -
    + +**Group policy mapping**: - -**Display/EnablePerProcessDpiForApps** +| Name | Value | +|:--|:--| +| Name | DisplayPerProcessSystemDpiSettings | +| Friendly Name | Configure Per-Process System DPI settings | +| Element Name | Enable or disable Per-Process System DPI for all applications. | +| Location | Computer and User Configuration | +| Path | System > Display | +| Registry Key Name | Software\Policies\Microsoft\Windows\Display | +| ADMX File Name | Display.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## EnablePerProcessDpiForApps - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Display/EnablePerProcessDpiForApps +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. + - - -ADMX Info: -- GP Friendly name: *Configure Per-Process System DPI settings* -- GP name: *DisplayPerProcessSystemDpiSettings* -- GP element: *DisplayEnablePerProcessSystemDpiSettings* -- GP path: *System/Display* -- GP ADMX file name: *Display.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Display/TurnOffGdiDPIScalingForApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisplayPerProcessSystemDpiSettings | +| Friendly Name | Configure Per-Process System DPI settings | +| Element Name | Enable Per-Process System DPI for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. | +| Location | Computer and User Configuration | +| Path | System > Display | +| Registry Key Name | Software\Policies\Microsoft\Windows\Display | +| ADMX File Name | Display.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## TurnOffGdiDPIScalingForApps - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Display/TurnOffGdiDPIScalingForApps +``` + -
    + + +This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. + - - + + GDI DPI Scaling enables applications that aren't DPI aware to become per monitor DPI aware. This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off. 
@@ -229,58 +238,67 @@ If you enable this policy setting, GDI DPI Scaling is turned off for all applica If you disable or don't configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications. If GDI DPI Scaling is configured to both turn-off and turn-on an application, the application will be turned off. + - - -ADMX Info: -- GP Friendly name: *Turn off GdiDPIScaling for applications* -- GP name: *DisplayTurnOffGdiDPIScaling* -- GP element: *DisplayTurnOffGdiDPIScalingPrompt* -- GP path: *System/Display* -- GP ADMX file name: *Display.admx* + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisplayTurnOffGdiDPIScaling | +| Friendly Name | Turn off GdiDPIScaling for applications | +| Element Name | Disable GDI DPI Scaling for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. | +| Location | Computer Configuration | +| Path | System > Display | +| Registry Key Name | Software\Policies\Microsoft\Windows\Display | +| ADMX File Name | Display.admx | + + + + +**Validate**: - - To validate on Desktop, do the following tasks: 1. Configure the setting for an app, which has GDI DPI scaling enabled via MDM or any other supported mechanisms. 2. Run the app and observe blurry text. - Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. - + -
    + - -**Display/TurnOnGdiDPIScalingForApps** + +## TurnOnGdiDPIScalingForApps - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Display/TurnOnGdiDPIScalingForApps +``` + + + +This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -GDI DPI Scaling enables applications that aren't DPI aware to become per monitor DPI aware. - + + This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on. If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list. @@ -288,31 +306,50 @@ If you enable this policy setting, GDI DPI Scaling is turned on for all legacy a If you disable or don't configure this policy setting, GDI DPI Scaling won't be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. If GDI DPI Scaling is configured to both turn-off and turn-on an application, the application will be turned off. + - - -ADMX Info: -- GP Friendly name: *Turn on GdiDPIScaling for applications* -- GP name: *DisplayTurnOnGdiDPIScaling* -- GP element: *DisplayTurnOnGdiDPIScalingPrompt* -- GP path: *System/Display* -- GP ADMX file name: *Display.admx* + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisplayTurnOnGdiDPIScaling | +| Friendly Name | Turn on GdiDPIScaling for applications | +| Element Name | Enable GDI DPI Scaling for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. | +| Location | Computer Configuration | +| Path | System > Display | +| Registry Key Name | Software\Policies\Microsoft\Windows\Display | +| ADMX File Name | Display.admx | + + + + +**Validate**: - - To validate on Desktop, do the following tasks: 1. Configure the setting for an app, which uses GDI. 2. Run the app and observe crisp text. + - - -
    + + + + + - +## Related articles -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 8de9e8a848..8901e92cae 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -1,101 +1,99 @@ --- -title: Policy CSP - DmaGuard -description: Learn how to use the Policy CSP - DmaGuard setting to provide more security against external DMA capable devices. +title: DmaGuard Policy CSP +description: Learn more about the DmaGuard Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - DmaGuard -
    + + + - -## DmaGuard policies + +## DeviceEnumerationPolicy -
    -
    - DmaGuard/DeviceEnumerationPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/DmaGuard/DeviceEnumerationPolicy +``` + -
    + + +Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system. **Note** this policy does not apply to 1394, PCMCIA or ExpressCard devices. + - -**DmaGuard/DeviceEnumerationPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy is intended to provide more security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices that are incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers), device memory isolation and sandboxing. Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. + -> [!NOTE] -> This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices. + +**Description framework properties**: -The following are the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -0 - Block all (Most restrictive): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will never be allowed to start and perform DMA at any time. + +**Allowed values**: -1 - Only after log in/screen unlock (Default): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will only be enumerated after the user unlocks the screen. +| Value | Description | +|:--|:--| +| 0 | Block all (Most restrictive). 
| +| 1 (Default) | Only after log in/screen unlock. | +| 2 | Allow all (Least restrictive). | + -2 - Allow all (Least restrictive): All external DMA capable PCIe devices will be enumerated at any time + +**Group policy mapping**: - - -ADMX Info: -- GP Friendly name: *Enumeration policy for external devices incompatible with Kernel DMA Protection* -- GP name: *DmaGuardEnumerationPolicy* -- GP path: *System/Kernel DMA Protection* -- GP ADMX file name: *dmaguard.admx* +| Name | Value | +|:--|:--| +| Name | DmaGuardEnumerationPolicy | +| Friendly Name | Enumeration policy for external devices incompatible with Kernel DMA Protection | +| Location | Computer Configuration | +| Path | System > Kernel DMA Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows\Kernel DMA Protection | +| ADMX File Name | DmaGuard.admx | + - - + + + - - + - - + + + - - -
    + - +## Related articles -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md index 4088b37c80..e5b3933b3c 100644 --- a/windows/client-management/mdm/policy-csp-eap.md +++ b/windows/client-management/mdm/policy-csp-eap.md @@ -1,86 +1,80 @@ --- -title: Policy CSP - EAP -description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app. +title: Eap Policy CSP +description: Learn more about the Eap Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- -# Policy CSP - EAP + -
    + +# Policy CSP - Eap - -## EAP policies + + + -
    -
    - EAP/AllowTLS1_3 -
    -
    + +## AllowTLS1_3 + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Eap/AllowTLS1_3 +``` + - -**EAP/AllowTLS1_3** + + +Added in Windows 10, version 21. H1. Allow or disallow use of TLS 1.3 during EAP client authentication. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 | Use of TLS version 1.3 is not allowed for authentication. | +| 1 (Default) | Use of TLS version 1.3 is allowed for authentication. | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -Added in Windows 10, version 21H1. This policy setting allows or disallows use of TLS 1.3 during EAP client authentication. + + + - - -ADMX Info: -- GP Friendly name: *AllowTLS1_3* -- GP name: *AllowTLS1_3* -- GP path: *Windows Components/EAP* -- GP ADMX file name: *EAP.admx* + - - -The following list shows the supported values: +## Related articles -- 0 – Use of TLS version 1.3 is not allowed for authentication. -- 1 (default) – Use of TLS version 1.3 is allowed for authentication. - - - - -
    - - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 10da71d3b4..c8c5aed332 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -1,211 +1,353 @@ --- -title: Policy CSP - Education -description: Learn how to use the Policy CSP - Education setting to control the graphing functionality in the Windows Calculator app. +title: Education Policy CSP +description: Learn more about the Education Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Education -
    + + + - -## Education policies + +## AllowGraphingCalculator -
    -
    - Education/AllowGraphingCalculator -
    -
    - Education/DefaultPrinterName -
    -
    - Education/PreventAddingNewPrinters -
    -
    - Education/PrinterNames -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/Education/AllowGraphingCalculator +``` + - -**Education/AllowGraphingCalculator** + + +This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. +- If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. +- If you enable or don't configure this policy setting, users will be able to access graphing functionality. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * User +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + -
    + +**Group policy mapping**: - - -This policy setting allows you to control, whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality won't be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you'll be able to access graphing functionality. - - -ADMX Info: -- GP Friendly name: *Allow Graphing Calculator* -- GP name: *AllowGraphingCalculator* -- GP path: *Windows Components/Calculator* -- GP ADMX file name: *Programs.admx* +| Name | Value | +|:--|:--| +| Name | AllowGraphingCalculator | +| Friendly Name | Allow Graphing Calculator | +| Location | User Configuration | +| Path | Windows Components > Calculator | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Calculator | +| Registry Value Name | AllowGraphingCalculator | +| ADMX File Name | Programs.admx | + - - -The following list shows the supported values: -- 0 - Disabled -- 1 (default) - Enabled - - + + + -
    + - -**Education/DefaultPrinterName** + +## DefaultPrinterName - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```User +./User/Vendor/MSFT/Policy/Config/Education/DefaultPrinterName +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy allows IT Admins to set the user's default printer. + + +This policy sets user's default printer + + + The policy value is expected to be the name (network host name) of an installed printer. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**Education/PreventAddingNewPrinters** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## EnableEduThemes + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Education/EnableEduThemes +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This policy setting allows you to control whether EDU-specific theme packs are available in Settings > Personalization. +- If you disable or don't configure this policy setting, EDU-specific theme packs will not be included. +- If you enable this policy setting, users will be able to personalize their devices with EDU-specific themes. + -> [!div class = "checklist"] -> * User + + + -
    + +**Description framework properties**: - - -Allows IT Admins to prevent user installation of more printers from the printers settings. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -ADMX Info: -- GP Friendly name: *Prevent addition of printers* -- GP name: *NoAddPrinter* -- GP path: *Control Panel/Printers* -- GP ADMX file name: *Printing.admx* + +**Allowed values**: - - -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + -- 0 (default) – Allow user installation. -- 1 – Prevent user installation. + + + - - + -
    + +## IsEducationEnvironment - -**Education/PrinterNames** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy setting allows tenant to control whether to declare this OS as an education environment + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - - -Allows IT Admins to automatically provision printers based on their names (network host names). +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + + + + + + +## PreventAddingNewPrinters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Education/PreventAddingNewPrinters +``` + + + + +Prevents users from using familiar methods to add local and network printers. + +- If this policy setting is enabled, it removes the Add Printer option from the Start menu. (To find the Add Printer option, click Start, click Printers, and then click Add Printer.) This setting also removes Add Printer from the Printers folder in Control Panel. + +Also, users cannot add printers by dragging a printer icon into the Printers folder. If they try, a message appears explaining that the setting prevents the action. + +However, this setting does not prevent users from using the Add Hardware Wizard to add a printer. Nor does it prevent users from running other programs to add printers. + +This setting does not delete printers that users have already added. However, if users have not added a printer when this setting is applied, they cannot print. + +> [!NOTE] +> You can use printer permissions to restrict the use of printers without specifying a setting. In the Printers folder, right-click a printer, click Properties, and then click the Security tab. + +If this policy is disabled, or not configured, users can add printers using the methods described above. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow user installation. | +| 1 | Prevent user installation. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | NoAddPrinter | +| Friendly Name | Prevent addition of printers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoAddPrinter | +| ADMX File Name | Printing.admx | + + + + + + + + + +## PrinterNames + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Education/PrinterNames +``` + + + + +This policy provisions per-user network printers + + + + The policy value is expected to be a `````` separated list of printer names. The OS will attempt to search and install the matching printer driver for each listed printer. + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - + + + -## Related topics + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index ebe04d9e51..b804039125 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -1,275 +1,307 @@ --- -title: Policy CSP - EnterpriseCloudPrint -description: Use the Policy CSP - EnterpriseCloudPrint setting to define the maximum number of printers that should be queried from a discovery end point. +title: EnterpriseCloudPrint Policy CSP +description: Learn more about the EnterpriseCloudPrint Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - EnterpriseCloudPrint -
    + + + - -## EnterpriseCloudPrint policies + +## CloudPrinterDiscoveryEndPoint -
    -
    - EnterpriseCloudPrint/CloudPrintOAuthAuthority -
    -
    - EnterpriseCloudPrint/CloudPrintOAuthClientId -
    -
    - EnterpriseCloudPrint/CloudPrintResourceId -
    -
    - EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint -
    -
    - EnterpriseCloudPrint/DiscoveryMaxPrinterLimit -
    -
    - EnterpriseCloudPrint/MopriaDiscoveryResourceId -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint +``` + - -**EnterpriseCloudPrint/CloudPrintOAuthAuthority** + + +This policy provisions per-user discovery end point to discover cloud printers + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. - -Supported datatype is string. - -The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, ```https://azuretenant.contoso.com/adfs```. - - - - -
    - - -**EnterpriseCloudPrint/CloudPrintOAuthClientId** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. - -Supported datatype is string. - -The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714". - - - - -
    - - -**EnterpriseCloudPrint/CloudPrintResourceId** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. - -Supported datatype is string. - -The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint". - - - - -
    - - -**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails. Supported datatype is string. -The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, ```https://cloudprinterdiscovery.contoso.com```. +The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. +**Example**: - - +```https://cloudprinterdiscovery.contoso.com```. + -
    + +**Description framework properties**: - -**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## CloudPrintOAuthAuthority - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/CloudPrintOAuthAuthority +``` + -
    + + +Authentication endpoint for acquiring OAuth tokens + - - -Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails. - -Supported datatype is integer. - - - - -
    - - -**EnterpriseCloudPrint/MopriaDiscoveryResourceId** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails. + + +Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. Supported datatype is string. -The default value is an empty string. Otherwise, the value should contain a URL. For example, ```http://MopriaDiscoveryService/CloudPrint```. +The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. +**Example**: - - -
    +```https://azuretenant.contoso.com/adfs```. + + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -## Related topics + + + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + +## CloudPrintOAuthClientId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/CloudPrintOAuthClientId +``` + + + + +A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority + + + + +Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. + +Supported datatype is string. + +The default value is an empty string. Otherwise, the value should contain a GUID. +**Example**: + +"E1CF1107-FF90-4228-93BF-26052DD2C714". + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## CloudPrintResourceId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/CloudPrintResourceId +``` + + + + +Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication + + + + +Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. + +Supported datatype is string. + +The default value is an empty string. Otherwise, the value should contain a URL. +**Example**: + +"http://MicrosoftEnterpriseCloudPrint/CloudPrint". + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## DiscoveryMaxPrinterLimit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/DiscoveryMaxPrinterLimit +``` + + + + +Defines the maximum number of printers that should be queried from discovery end point + + + + +This policy must target ./User, otherwise it fails. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-65535]` | +| Default Value | 20 | + + + + + + + + + +## MopriaDiscoveryResourceId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/MopriaDiscoveryResourceId +``` + + + + +Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication + + + + +This policy must target ./User, otherwise it fails. + +The default value is an empty string. Otherwise, the value should contain a URL. + +**Example**: + +```http://MopriaDiscoveryService/CloudPrint```. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index 3e4f4435e7..2c1178445b 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md 
@@ -1,302 +1,349 @@ --- -title: Policy CSP - ErrorReporting -description: Learn how to use the Policy CSP - ErrorReporting setting to determine the consent behavior of Windows Error Reporting for specific event types. +title: ErrorReporting Policy CSP +description: Learn more about the ErrorReporting Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ErrorReporting > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ErrorReporting policies + +## CustomizeConsentSettings -
    -
    - ErrorReporting/CustomizeConsentSettings -
    -
    - ErrorReporting/DisableWindowsErrorReporting -
    -
    - ErrorReporting/DisplayErrorNotification -
    -
    - ErrorReporting/DoNotSendAdditionalData -
    -
    - ErrorReporting/PreventCriticalErrorDisplay -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ErrorReporting/CustomizeConsentSettings +``` + - -**ErrorReporting/CustomizeConsentSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines the consent behavior of Windows Error Reporting for specific event types. -If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those even types for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. +- If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. - 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. - 1 (Always ask before sending data): Windows prompts the user for consent to send reports. -- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any extra data requested by Microsoft. +- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. -- 3 (Send parameters and safe extra data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and data which Windows has determined (within a high probability) doesn't contain personally identifiable data, and prompts the user for consent, to send any extra data requested by Microsoft. 
+- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. - 4 (Send all data): Any data requested by Microsoft is sent automatically. -If you disable or don't configure this policy setting, then the default consent settings that are applied are those settings specified by the user in Control Panel, or in the Configure Default Consent policy setting. +- If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Customize consent settings* -- GP name: *WerConsentCustomize_2* -- GP path: *Windows Components/Windows Error Reporting/Consent* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ErrorReporting/DisableWindowsErrorReporting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WerConsentCustomize_2 | +| Friendly Name | Customize consent settings | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Consent | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | +| ADMX File Name | ErrorReporting.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableWindowsErrorReporting -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting +``` + - - -This policy setting turns off Windows Error Reporting, so that reports aren't collected or sent to either Microsoft or internal servers within your organization, when software unexpectedly stops working or fails. + + +This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. -If you enable this policy setting, Windows Error Reporting doesn't send any problem information to Microsoft. Additionally, solution information isn't available in Security and Maintenance in Control Panel. +- If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. -If you disable or don't configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. +- If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Disable Windows Error Reporting* -- GP name: *WerDisable_2* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ErrorReporting/DisplayErrorNotification** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WerDisable_2 | +| Friendly Name | Disable Windows Error Reporting | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | Disabled | +| ADMX File Name | ErrorReporting.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisplayErrorNotification -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisplayErrorNotification +``` + - - -This policy setting controls, whether users are shown an error dialog box that lets them report an error. + + +This policy setting controls whether users are shown an error dialog box that lets them report an error. -If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error. +- If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error. -If you disable this policy setting, users aren't notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that don't have interactive users. +- If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users. -If you don't configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server. 
+- If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server. See also the Configure Error Reporting policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Display Error Notification* -- GP name: *PCH_ShowUI* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ErrorReporting/DoNotSendAdditionalData** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PCH_ShowUI | +| Friendly Name | Display Error Notification | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting | +| Registry Value Name | ShowUI | +| ADMX File Name | ErrorReporting.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotSendAdditionalData -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DoNotSendAdditionalData +``` + - - -This policy setting controls, whether extra data in support of error reports can be sent to Microsoft automatically. + + +This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. -If you enable this policy setting, any extra data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. +- If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. -If you disable or don't configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. +- If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. + - + + + - -ADMX Info: -- GP Friendly name: *Do not send additional data* -- GP name: *WerNoSecondLevelData_2* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ErrorReporting/PreventCriticalErrorDisplay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WerNoSecondLevelData_2 | +| Friendly Name | Do not send additional data | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | DontSendAdditionalData | +| ADMX File Name | ErrorReporting.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PreventCriticalErrorDisplay -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ErrorReporting/PreventCriticalErrorDisplay +``` + - - + + This policy setting prevents the display of the user interface for critical errors. -If you enable this policy setting, Windows Error Reporting doesn't display any GUI-based error messages or dialog boxes for critical errors. +- If you enable or do not configure this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors. -If you disable or don't configure this policy setting, Windows Error Reporting displays the user interface for critical errors. +- If you disable this policy setting, Windows Error Reporting displays the GUI-based error messages or dialog boxes for critical errors. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent display of the user interface for critical errors* -- GP name: *WerDoNotShowUI* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | WerDoNotShowUI | +| Friendly Name | Prevent display of the user interface for critical errors | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | DontShowUI | +| ADMX File Name | ErrorReporting.admx | + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index 2062c3c59d..dd4e120109 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -1,234 +1,276 @@ --- -title: Policy CSP - EventLogService -description: Learn how to use the Policy CSP - EventLogService setting to control Event Log behavior when the log file reaches its maximum size. +title: EventLogService Policy CSP +description: Learn more about the EventLogService Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - EventLogService -
    +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## EventLogService policies + + + -
    -
    - EventLogService/ControlEventLogBehavior -
    -
    - EventLogService/SpecifyMaximumFileSizeApplicationLog -
    -
    - EventLogService/SpecifyMaximumFileSizeSecurityLog -
    -
    - EventLogService/SpecifyMaximumFileSizeSystemLog -
    -
    + +## ControlEventLogBehavior -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -**EventLogService/ControlEventLogBehavior** + +```Device +./Device/Vendor/MSFT/Policy/Config/EventLogService/ControlEventLogBehavior +``` + - + + +This policy setting controls Event Log behavior when the log file reaches its maximum size. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls Event Log behavior, when the log file reaches its maximum size. - -If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost. - -If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events. +- If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. > [!NOTE] > Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Control Event Log behavior when the log file reaches its maximum size* -- GP name: *Channel_Log_Retention_1* -- GP path: *Windows Components/Event Log Service/Application* -- GP ADMX file name: *eventlog.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**EventLogService/SpecifyMaximumFileSizeApplicationLog** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Channel_Log_Retention_1 | +| Friendly Name | Control Event Log behavior when the log file reaches its maximum size | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Application | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Application | +| Registry Value Name | Retention | +| ADMX File Name | EventLog.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyMaximumFileSizeApplicationLog -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/EventLogService/SpecifyMaximumFileSizeApplicationLog +``` + - - + + This policy setting specifies the maximum size of the log file in kilobytes. -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. +- If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. -If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 20 megabytes. +- If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. + - + + + - -ADMX Info: -- GP Friendly name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_1* -- GP path: *Windows Components/Event Log Service/Application* -- GP ADMX file name: *eventlog.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**EventLogService/SpecifyMaximumFileSizeSecurityLog** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Channel_LogMaxSize_1 | +| Friendly Name | Specify the maximum log file size (KB) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Application | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Application | +| ADMX File Name | EventLog.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyMaximumFileSizeSecurityLog -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/EventLogService/SpecifyMaximumFileSizeSecurityLog +``` + - - + + This policy setting specifies the maximum size of the log file in kilobytes. -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. +- If you enable this policy setting, you can configure the maximum log file size to be between 20 megabytes (20480 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. -If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 20 megabytes. +- If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 20 megabytes. + - + + + - -ADMX Info: -- GP Friendly name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_2* -- GP path: *Windows Components/Event Log Service/Security* -- GP ADMX file name: *eventlog.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**EventLogService/SpecifyMaximumFileSizeSystemLog** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Channel_LogMaxSize_2 | +| Friendly Name | Specify the maximum log file size (KB) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Security | +| ADMX File Name | EventLog.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyMaximumFileSizeSystemLog -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/EventLogService/SpecifyMaximumFileSizeSystemLog +``` + - - + + This policy setting specifies the maximum size of the log file in kilobytes. -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. +- If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. -If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 20 megabytes. +- If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. + - + + + - -ADMX Info: -- GP Friendly name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_4* -- GP path: *Windows Components/Event Log Service/System* -- GP ADMX file name: *eventlog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | Channel_LogMaxSize_4 | +| Friendly Name | Specify the maximum log file size (KB) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > System | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\System | +| ADMX File Name | EventLog.admx | + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index bb1fe34831..e46c94e961 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1,1218 +1,1734 @@ --- -title: Policy CSP - Experience -description: Learn how to use the Policy CSP - Experience setting to allow history of clipboard items to be stored in memory. +title: Experience Policy CSP +description: Learn more about the Experience Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 11/02/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Experience -
    + + + - -## Experience policies + +## AllowClipboardHistory -
    -
    - Experience/AllowClipboardHistory -
    -
    - Experience/AllowCortana -
    -
    - Experience/AllowDeviceDiscovery -
    -
    - Experience/AllowFindMyDevice -
    -
    - Experience/AllowManualMDMUnenrollment -
    -
    - Experience/AllowSaveAsOfOfficeFiles -
    -
    - Experience/AllowScreenCapture -
    -
    - Experience/AllowSharingOfOfficeFiles -
    -
    - Experience/AllowSIMErrorDialogPromptWhenNoSIM -
    -
    - Experience/AllowSyncMySettings -
    -
    - Experience/AllowSpotlightCollection -
    -
    - Experience/AllowTailoredExperiencesWithDiagnosticData -
    -
    - Experience/AllowThirdPartySuggestionsInWindowsSpotlight -
    -
    - Experience/AllowWindowsConsumerFeatures -
    -
    - Experience/AllowWindowsSpotlight -
    -
    - Experience/AllowWindowsSpotlightOnActionCenter -
    -
    - Experience/AllowWindowsSpotlightOnSettings -
    -
    - Experience/AllowWindowsSpotlightWindowsWelcomeExperience -
    -
    - Experience/AllowWindowsTips -
    -
    - Experience/ConfigureChatIcon -
    -
    - Experience/ConfigureWindowsSpotlightOnLockScreen -
    -
    - Experience/DisableCloudOptimizedContent -
    -
    - Experience/DoNotShowFeedbackNotifications -
    -
    - Experience/DoNotSyncBrowserSettings -
    -
    - Experience/PreventUsersFromTurningOnBrowserSyncing -
    -
    - Experience/ShowLockOnUserTile -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowClipboardHistory +``` + - -**Experience/AllowClipboardHistory** + + +This policy setting determines whether history of Clipboard contents can be stored in memory. +- If you enable this policy setting, history of Clipboard contents are allowed to be stored. +- If you disable this policy setting, history of Clipboard contents are not allowed to be stored. +Policy change takes effect immediately. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
    + +**Group policy mapping**: - - -Allows history of clipboard items to be stored in memory. +| Name | Value | +|:--|:--| +| Name | AllowClipboardHistory | +| Friendly Name | Allow Clipboard History | +| Location | Computer Configuration | +| Path | System > OS Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowClipboardHistory | +| ADMX File Name | OSPolicy.admx | + -Supported value type is integer. Supported values are: -- 0 - Not allowed -- 1 - Allowed (default) + + +**Validate**: - - -ADMX Info: -- GP Friendly name: *Allow Clipboard History* -- GP name: *AllowClipboardHistory* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - - - - - - - -**Validation procedure** - -1. Configure Experiences/AllowClipboardHistory to 0. +1. Configure Experience/AllowClipboardHistory to 0. 1. Open Notepad (or any editor app), select a text, and copy it to the clipboard. 1. Press Win+V to open the clipboard history UI. 1. You shouldn't see any clipboard item including current item you copied. -1. The setting under Settings App->System->Clipboard should be grayed out with policy warning. +1. The setting under Settings App -> System -> Clipboard should be grayed out with policy warning. + - - + -
    + +## AllowCopyPaste - -**Experience/AllowCortana** +> [!NOTE] +> This policy is deprecated and may be removed in a future release. - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowCopyPaste +``` + - -
    + + +This policy is deprecated. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - -Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device. + +**Allowed values**: -Most restricted value is 0. +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - - -ADMX Info: -- GP Friendly name: *Allow Cortana* -- GP name: *AllowCortana* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* + + + - - -The following list shows the supported values: + -- 0 – Not allowed -- 1 (default) – Allowed + +## AllowCortana - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowCortana +``` + - -**Experience/AllowDeviceDiscovery** + + +This policy setting specifies whether Cortana is allowed on the device. - +- If you enable or don't configure this setting, Cortana will be allowed on the device. +- If you disable this setting, Cortana will be turned off. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +When Cortana is off, users will still be able to use search to find things on the device. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - - -Allows users to turn on/off device discovery UX. +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -When set to 0, the projection pane is disabled. The Win+P and Win+K shortcut keys won't work on. + +**Group policy mapping**: -Most restricted value is 0. +| Name | Value | +|:--|:--| +| Name | AllowCortana | +| Friendly Name | Allow Cortana | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | AllowCortana | +| ADMX File Name | Search.admx | + - - -The following list shows the supported values: + + + -- 0 – Not allowed -- 1 (default) – Allowed + - - + +## AllowDeviceDiscovery -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -**Experience/AllowFindMyDevice** + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowDeviceDiscovery +``` + - + + +Allows users to turn on/off device discovery UX. When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on. Most restricted value is 0. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -> [!div class = "checklist"] -> * Device + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - - + + + + + + + +## AllowFindMyDevice + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowFindMyDevice +``` + + + + This policy turns on Find My Device. -When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer. +When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. On devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer. -When Find My Device is off, the device and its location aren't registered, and the Find My Device feature won't work. In Windows 10, version 1709 the user won't be able to view the location of the last use of their active digitizer on their device. +When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. The user will also not be able to view the location of the last use of their active digitizer on their device. 
+ - - -ADMX Info: -- GP Friendly name: *Turn On/Off Find My Device* -- GP name: *FindMy_AllowFindMyDeviceConfig* -- GP path: *Windows Components/Find My Device* -- GP ADMX file name: *FindMy.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – Not allowed -- 1 (default) – Allowed +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -**Experience/AllowManualMDMUnenrollment** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | FindMy_AllowFindMyDeviceConfig | +| Friendly Name | Turn On/Off Find My Device | +| Location | Computer Configuration | +| Path | Windows Components > Find My Device | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FindMyDevice | +| Registry Value Name | AllowFindMyDevice | +| ADMX File Name | FindMy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowManualMDMUnenrollment -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment +``` + - - -Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory-joined and MDM enrolled (for example, auto-enrolled), then disabling the MDM unenrollment has no effect. + + +Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e. g. auto-enrolled), then disabling the MDM unenrollment has no effect > [!NOTE] -> The MDM server can always remotely delete the account. +> The MDM server can always remotely delete the account. Most restricted value is 0. + -Most restricted value is 0. + + + - - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowSaveAsOfOfficeFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowSaveAsOfOfficeFiles +``` + + + + +This policy is deprecated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowScreenCapture + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowScreenCapture +``` + + + + +Allow screen capture + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowSharingOfOfficeFiles + +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowSharingOfOfficeFiles +``` + + + + +This policy is deprecated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowSIMErrorDialogPromptWhenNoSIM + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowSIMErrorDialogPromptWhenNoSIM +``` + + + + +Allow SIM error dialog prompts when no SIM is inserted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowSpotlightCollection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowSpotlightCollection +``` + + + + +Specifies whether Spotlight collection is allowed as a Personalization->Background Setting. +- If you enable this policy setting, Spotlight collection will show as an option in the user's Personalization Settings, and the user will be able to get daily images from Microsoft displayed on their desktop. +- If you disable this policy setting, Spotlight collection will not show as an option in Personalization Settings, and the user will not have the choice of getting Microsoft daily images shown on their desktop. + + + + The following list shows the supported values: -- 0 – Not allowed -- 1 (default) – Allowed +- When set to 0, Spotlight collection will not show as an option in Personalization Settings and therefore be unavailable on Desktop. +- When set to 1 (default), Spotlight collection will show as an option in Personalization Settings and therefore be available on Desktop, allowing Desktop to refresh for daily images from Microsoft. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + - -Experience/AllowSaveAsOfOfficeFiles + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | DisableSpotlightCollectionOnDesktop | +| Friendly Name | Turn off Spotlight collection on Desktop | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableSpotlightCollectionOnDesktop | +| ADMX File Name | CloudContent.admx | + - -This policy is deprecated. + + + - - + -
    + +## AllowSyncMySettings - -**Experience/AllowScreenCapture** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - - - -Describe what values are supported in by this policy and meaning of each value is default value. - - - - -
    - - -**Experience/AllowSharingOfOfficeFiles** - - -This policy is deprecated. - - - - - -**Experience/AllowSIMErrorDialogPromptWhenNoSIM** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - - -Describes what values are supported in by this policy and meaning of each value is default value. - - - - -
    - - -**Experience/AllowSyncMySettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). + - - -The following list shows the supported values: + + + -- 0 – Sync settings aren't allowed. -- 1 (default) – Sync settings allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Experience/AllowSpotlightCollection** +| Value | Description | +|:--|:--| +| 0 | Sync settings are not allowed. | +| 1 (Default) | Sync settings allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| + - -
    + +## AllowTailoredExperiencesWithDiagnosticData - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowTailoredExperiencesWithDiagnosticData +``` + -
    - - - -This policy allows spotlight collection on the device. - -- If you enable this policy, "Spotlight collection" will not be available as an option in Personalization settings. -- If you disable or do not configure this policy, "Spotlight collection" will appear as an option in Personalization settings, allowing the user to select "Spotlight collection" as the Desktop provider and display daily images from Microsoft on the desktop. - - - -The following list shows the supported values: - -- When set to 0: Spotlight collection will not show as an option in Personalization Settings and therefore be unavailable on Desktop -- When set to 1: Spotlight collection will show as an option in Personalization Settings and therefore be available on Desktop, allowing Desktop to refresh for daily images from Microsoft -- Default value: 1 - - - - -
    - - -**Experience/AllowTailoredExperiencesWithDiagnosticData** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows won't use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or don't configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. - -Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value. + + +This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. +- If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. +- If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. Diagnostic data can include browser, app and feature usage, depending on the Diagnostic and usage data setting value > [!NOTE] -> This setting doesn't control Cortana customized experiences because there are separate policies to configure it. +> This setting does not control Cortana cutomized experiences because there are separate policies to configure it. Most restricted value is 0. + -Most restricted value is 0. 
+ + + - - -ADMX Info: -- GP Friendly name: *Do not use diagnostic data for tailored experiences* -- GP name: *DisableTailoredExperiencesWithDiagnosticData* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowTailoredExperiencesWithDiagnosticData_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + -- 0 – Not allowed -- 1 (default) – Allowed + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
    + +**Group policy mapping**: - -**Experience/AllowThirdPartySuggestionsInWindowsSpotlight** +| Name | Value | +|:--|:--| +| Name | DisableTailoredExperiencesWithDiagnosticData | +| Friendly Name | Do not use diagnostic data for tailored experiences | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableTailoredExperiencesWithDiagnosticData | +| ADMX File Name | CloudContent.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowTaskSwitcher - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - > [!NOTE] -> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. +> This policy is deprecated and may be removed in a future release. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowTaskSwitcher +``` + + + + +This policy is deprecated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowThirdPartySuggestionsInWindowsSpotlight + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowThirdPartySuggestionsInWindowsSpotlight +``` + + + + Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. + - - -ADMX Info: -- GP Friendly name: *Do not suggest third-party content in Windows spotlight* -- GP name: *DisableThirdPartySuggestions* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – Third-party suggestions not allowed. -- 1 (default) – Third-party suggestions allowed. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowThirdPartySuggestionsInWindowsSpotlight_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Third-party suggestions not allowed. | +| 1 (Default) | Third-party suggestions allowed. | + - -**Experience/AllowWindowsConsumerFeatures** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableThirdPartySuggestions | +| Friendly Name | Do not suggest third-party content in Windows spotlight | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableThirdPartySuggestions | +| ADMX File Name | CloudContent.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowVoiceRecording -> [!div class = "checklist"] -> * Device - -
    - - - > [!NOTE] -> Prior to Windows 10, version 1803, this policy had User scope. - -This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Turn off Microsoft consumer experiences* -- GP name: *DisableWindowsConsumerFeatures* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed -- 1 – Allowed - - - - -
    - - -**Experience/AllowWindowsSpotlight** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -> [!NOTE] -> This policy is only available for Windows 10 Enterprise and Windows 10 Education. - -Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features, and other related features will be turned off. You should enable this policy setting, if your goal is to minimize network traffic from target devices. If you disable or don't configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Turn off all Windows spotlight features* -- GP name: *DisableWindowsSpotlightFeatures* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed -- 1 (default) – Allowed - - - - -
    - - -**Experience/AllowWindowsSpotlightOnActionCenter** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or don't configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Turn off Windows Spotlight on Action Center* -- GP name: *DisableWindowsSpotlightOnActionCenter* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed -- 1 (default) – Allowed - - - - -
    - - -**Experience/AllowWindowsSpotlightOnSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make their experience productive. - -- User setting is under Settings -> Privacy -> General -> Show me suggested content in Settings app. -- User Setting is changeable on a per user basis. -- If the Group policy is set to off, no suggestions will be shown to the user in Settings app. - - - -ADMX Info: -- GP Friendly name: *Turn off Windows Spotlight on Settings* -- GP name: *DisableWindowsSpotlightOnSettings* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* - - - -The following list shows the supported values: - -- 0 - Not allowed -- 1 - Allowed - - - - -
    - - -**Experience/AllowWindowsSpotlightWindowsWelcomeExperience** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -This policy setting lets you turn off the Windows spotlight, and Windows welcome experience feature. -The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or don't configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Turn off the Windows Welcome Experience* -- GP name: *DisableWindowsSpotlightWindowsWelcomeExperience* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed -- 1 (default) – Allowed - - - - -
    - - -**Experience/AllowWindowsTips** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +> This policy is deprecated and may be removed in a future release. + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowVoiceRecording +``` + + + + +This policy is deprecated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowWindowsConsumerFeatures + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures +``` + + + + +Prior to Windows 10, version 1803, this policy had User scope. This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowWindowsConsumerFeatures_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWindowsConsumerFeatures | +| Friendly Name | Turn off Microsoft consumer experiences | +| Location | Computer Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableWindowsConsumerFeatures | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## AllowWindowsSpotlight + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight +``` + + + + +Specifies whether to turn off all Windows spotlight features at once. +- If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. +- If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWindowsSpotlightFeatures | +| Friendly Name | Turn off all Windows spotlight features | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableWindowsSpotlightFeatures | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## AllowWindowsSpotlightOnActionCenter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlightOnActionCenter +``` + + + + +This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. +- If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. +- If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowWindowsSpotlightOnActionCenter_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWindowsSpotlightOnActionCenter | +| Friendly Name | Turn off Windows Spotlight on Action Center | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableWindowsSpotlightOnActionCenter | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## AllowWindowsSpotlightOnSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlightOnSettings +``` + + + + +This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make their experience productive. User setting is under Settings -> Privacy -> General -> Show me suggested content in Settings app. User Setting is changeable on a per user basis. If the Group policy is set to off, no suggestions will be shown to the user in Settings app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWindowsSpotlightOnSettings | +| Friendly Name | Turn off Windows Spotlight on Settings | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableWindowsSpotlightOnSettings | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## AllowWindowsSpotlightWindowsWelcomeExperience + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlightWindowsWelcomeExperience +``` + + + + +This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. +- If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. +- If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowWindowsSpotlightWindowsWelcomeExperience_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWindowsSpotlightWindowsWelcomeExperience | +| Friendly Name | Turn off the Windows Welcome Experience | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableWindowsSpotlightWindowsWelcomeExperience | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## AllowWindowsTips + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowWindowsTips +``` + + + + Enables or disables Windows Tips / soft landing. + - - -ADMX Info: -- GP Friendly name: *Do not show Windows tips* -- GP name: *DisableSoftLanding* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – Disabled -- 1 (default) – Enabled +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowWindowsTips_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - -**Experience/ConfigureChatIcon** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableSoftLanding | +| Friendly Name | Do not show Windows tips | +| Location | Computer Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableSoftLanding | +| ADMX File Name | CloudContent.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|Yes| -|Windows SE|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ConfigureChatIcon -> [!div class = "checklist"] -> * Machine -
    - - -This policy setting allows you to configure the Chat icon on the taskbar. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -The values for this policy are 0, 1, 2, and 3. This policy defaults to 0, if not enabled. + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/ConfigureChatIcon +``` + -- 0 - Not Configured: The Chat icon will be configured according to the defaults for your Windows edition. -- 1 - Show: The Chat icon will be displayed on the taskbar by default. Users can show or hide it in Settings. -- 2 - Hide: The Chat icon will be hidden by default. Users can show or hide it in Settings. -- 3 - Disabled: The Chat icon won't be displayed, and users can't show or hide it in Settings. + + +Configures the Chat icon on the taskbar + + + > [!NOTE] > Option 1 (Show) and Option 2 (Hide) only work on the first sign-in attempt. Option 3 (Disabled) works on all attempts. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Experience/ConfigureWindowsSpotlightOnLockScreen** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Not Configured. | +| 1 | Show. | +| 2 | Hide. | +| 3 | Disabled. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | ConfigureChatIcon | +| Friendly Name | Configures the Chat icon on the taskbar | +| Element Name | State | +| Location | Computer Configuration | +| Path | Windows Components > Chat | +| Registry Key Name | Software\Policies\Microsoft\Windows\Windows Chat | +| ADMX File Name | Taskbar.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## ConfigureWindowsSpotlightOnLockScreen + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/ConfigureWindowsSpotlightOnLockScreen +``` + + + + +This policy setting lets you configure Windows spotlight on the lock screen. + +- If you enable this policy setting, "Windows spotlight" will be set as the lock screen provider and users will not be able to modify their lock screen. "Windows spotlight" will display daily images from Microsoft on the lock screen. + +Additionally, if you check the "Include content from Enterprise spotlight" checkbox and your organization has setup an Enterprise spotlight content service in Azure, the lock screen will display internal messages and communications configured in that service, when available. If your organization does not have an Enterprise spotlight content service, the checkbox will have no effect. + +- If you disable this policy setting, Windows spotlight will be turned off and users will no longer be able to select it as their lock screen. Users will see the default lock screen image and will be able to select another image, unless you have enabled the "Prevent changing lock screen image" policy. + +- If you do not configure this policy, Windows spotlight will be available on the lock screen and will be selected by default, unless you have configured another default lock screen image using the "Force a specific default lock screen and logon image" policy. - - > [!NOTE] -> This policy is only available for Windows 10 Enterprise, and Windows 10 Education. +> This policy is only available for Enterprise SKUs + -Allows IT admins to specify, whether spotlight should be used on the user's lock screen. If your organization doesn't have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1. 
+ + + - - -ADMX Info: -- GP Friendly name: *Configure Windows spotlight on lock screen* -- GP name: *ConfigureWindowsSpotlight* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_ConfigureWindowsSpotlightOnLockScreen_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + -- 0 – None. -- 1 (default) – Windows spotlight enabled. -- 2 – placeholder only for future extension. Using this value has no effect. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Windows spotlight disabled. | +| 1 (Default) | Windows spotlight enabled. | +| 2 | Windows spotlight is always enabled, the user cannot disable it. | +| 3 | Windows spotlight is always enabled, the user cannot disable it. For special configurations only. | + - -**Experience/DisableCloudOptimizedContent** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | ConfigureWindowsSpotlight | +| Friendly Name | Configure Windows spotlight on lock screen | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | ConfigureWindowsSpotlight | +| ADMX File Name | CloudContent.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableCloudOptimizedContent -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DisableCloudOptimizedContent +``` + - - + + This policy setting lets you turn off cloud optimized content in all Windows experiences. -If you enable this policy setting, Windows experiences that use the cloud optimized content client component will present the default fallback content. +- If you enable this policy, Windows experiences that use the cloud optimized content client component, will instead present the default fallback content. -If you disable or don't configure this policy setting, Windows experiences will be able to use cloud optimized content. +- If you disable or do not configure this policy, Windows experiences will be able to use cloud optimized content. + - - -ADMX Info: -- GP Friendly name: *Turn off cloud optimized content* -- GP name: *DisableCloudOptimizedContent* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – Disabled -- 1 – Enabled +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - -**Experience/DoNotShowFeedbackNotifications** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableCloudOptimizedContent | +| Friendly Name | Turn off cloud optimized content | +| Location | Computer Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableCloudOptimizedContent | +| ADMX File Name | CloudContent.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableConsumerAccountStateContent -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DisableConsumerAccountStateContent +``` + - - -Prevents devices from showing feedback questions from Microsoft. + + +This policy setting lets you turn off cloud consumer account state content in all Windows experiences. -If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or don't configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback. +- If you enable this policy, Windows experiences that use the cloud consumer account state content client component, will instead present the default fallback content. -If you disable or don't configure this policy setting, users can control how often they receive feedback questions. +- If you disable or do not configure this policy, Windows experiences will be able to use cloud consumer account state content. + - - -ADMX Info: -- GP Friendly name: *Do not show feedback notifications* -- GP name: *DoNotShowFeedbackNotifications* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *FeedbackNotifications.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – Feedback notifications aren't disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. -- 1 – Feedback notifications are disabled. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - -**Experience/DoNotSyncBrowserSettings** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableConsumerAccountStateContent | +| Friendly Name | Turn off cloud consumer account state content | +| Location | Computer Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableConsumerAccountStateContent | +| ADMX File Name | CloudContent.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotShowFeedbackNotifications -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DoNotShowFeedbackNotifications +``` + - - -[!INCLUDE [do-not-sync-browser-settings-shortdesc](../includes/do-not-sync-browser-settings-shortdesc.md)] + + +This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. -Related policy: - [PreventUsersFromTurningOnBrowserSyncing](#experience-preventusersfromturningonbrowsersyncing) +- If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. - - -ADMX Info: -- GP Friendly name: *Do not sync browser settings* -- GP name: *DisableWebBrowserSettingSync* -- GP path: *Windows Components/Sync your settings* -- GP ADMX file name: *SettingSync.admx* +- If you disable or do not configure this policy setting, users may see notifications through the Windows Feedback app asking users for feedback. - - -Supported values: +> [!NOTE] +> If you disable or do not configure this policy setting, users can control how often they receive feedback questions. + -- 0 (default) - Allowed/turned on. The "browser" group synchronizes automatically between users' devices and lets users make changes. -- 2 - Prevented/turned off. The "browser" group doesn't use the _Sync your Settings_ option. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. | +| 1 | Feedback notifications are disabled. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DoNotShowFeedbackNotifications | +| Friendly Name | Do not show feedback notifications | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| Registry Value Name | DoNotShowFeedbackNotifications | +| ADMX File Name | FeedbackNotifications.admx | + + + + + + + + + +## DoNotSyncBrowserSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings +``` + + + + +Prevent the "browser" group from syncing to and from this PC. This turns off and disables the "browser" group on the "sync your settings" page in PC settings. The "browser" group contains settings and info like history and favorites. + +- If you enable this policy setting, the "browser" group, including info like history and favorites, will not be synced. + +Use the option "Allow users to turn browser syncing on" so that syncing is turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "browser" group is on by default and configurable by the user. + + + + +Related policy: [PreventUsersFromTurningOnBrowserSyncing](#preventusersfromturningonbrowsersyncing) + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | Disable Syncing. | +| 0 (Default) | Allow syncing. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWebBrowserSettingSync | +| Friendly Name | Do not sync browser settings | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableWebBrowserSettingSync | +| ADMX File Name | SettingSync.admx | + + + + _**Sync the browser settings automatically**_ Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). 
@@ -1230,64 +1746,120 @@ _**Prevent syncing of browser settings and let users turn on syncing**_ _**Turn syncing off by default but don’t disable**_ Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off) and select the _Allow users to turn “browser” syncing_ option. + - - + - - + +## EnableOrganizationalMessages - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows Insider Preview | + - -**Experience/PreventUsersFromTurningOnBrowserSyncing** + +```User +./User/Vendor/MSFT/Policy/Config/Experience/EnableOrganizationalMessages +``` + - + + +Organizational messages allow Administrators to deliver messages to their end users on selected Windows 11 experiences. Organizational messages are available to Administrators via services like Microsoft Intune. By default, this policy is disabled. +- If you enable this policy, these experiences will show content booked by Administrators. Enabling this policy will have no impact on existing MDM policy settings governing delivery of content from Microsoft on Windows experiences. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -> [!div class = "checklist"] -> * Device + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - - -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] + + + -Related policy: - [DoNotSyncBrowserSettings](#experience-donotsyncbrowsersetting) + + +## PreventUsersFromTurningOnBrowserSyncing - - -ADMX Info: -- GP Friendly name: *Prevent users from turning on browser syncing* -- GP name: *PreventUsersFromTurningOnBrowserSyncing* -- GP path: *Windows Components/Sync your settings* -- GP ADMX file name: *SettingSync.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - - -Supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing +``` + -- 0 - Allowed/turned on. Users can sync the browser settings. -- 1 (default) - Prevented/turned off. + + + + + +By default, the "browser" group syncs automatically between the user's devices, letting users make changes. With this policy though, you can prevent the "browser" group from syncing and prevent users from turning on the **Sync your Settings** toggle in Settings. If you want syncing turned off by default but not disabled, select the **Allow syncing** option in the [DoNotSyncBrowserSettings](#donotsyncbrowsersettings). For this policy to work correctly, you must enable the DoNotSyncBrowserSettings policy. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Allowed/turned on. Users can sync the browser settings. | +| 1 (Default) | Prevented/turned off. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWebBrowserSettingSync | +| Friendly Name | Do not sync browser settings | +| Element Name | Allow users to turn "browser" syncing on. | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| ADMX File Name | SettingSync.admx | + + + + +**Examples**: _**Sync the browser settings automatically**_ 
@@ -1303,83 +1875,88 @@ _**Prevent syncing of browser settings and let users turn on syncing**_ 1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). 2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). - - - - - -Validation procedure: +**Validate**: 1. Select **More > Settings**. 1. See, if the setting is enabled or disabled based on your selection. + - - + -
    + +## ShowLockOnUserTile - -**Experience/ShowLockOnUserTile** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/ShowLockOnUserTile +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Shows or hides lock from the user tile menu. +- If you enable this policy setting, the lock option will be shown in the User Tile menu. -If you enable this policy setting, the lock option is shown in the User Tile menu. +- If you disable this policy setting, the lock option will never be shown in the User Tile menu. -If you disable this policy setting, the lock option is never shown in the User Tile menu. +- If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. + -If you don't configure this policy setting, the lock option is shown in the User Tile menu. Users can choose, if they want to show the lock in the user tile menu from the Power Options control panel. + + + - - -ADMX Info: -- GP Friendly name: *Show lock in the user tile menu* -- GP name: *ShowLockOption* -- GP path: *File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + +**Description framework properties**: - - -Supported values: -- false - The lock option isn't displayed in the User Tile menu. -- true (default) - The lock option is displayed in the User Tile menu. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | The lock option is not displayed in the User Tile menu. | +| 1 (Default) | The lock option is displayed in the User Tile menu. | + - - -
    + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | ShowLockOption | +| Friendly Name | Show lock in the user tile menu | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowLockOption | +| ADMX File Name | WindowsExplorer.admx | + -## Related topics + + + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 9f1639a0ed..e1291d1cb0 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -1,75 +1,75 @@ --- -title: Policy CSP - ExploitGuard -description: Use the Policy CSP - ExploitGuard setting to push out the desired system configuration and application mitigation options to all the devices in the organization. +title: ExploitGuard Policy CSP +description: Learn more about the ExploitGuard Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ExploitGuard -
    + + + - -## ExploitGuard policies + +## ExploitProtectionSettings -
    -
    - ExploitGuard/ExploitProtectionSettings -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings +``` + - -**ExploitGuard/ExploitProtectionSettings** + + +Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](/microsoft-365/security/defender-endpoint/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). The system settings require a reboot; the application settings do not require a reboot. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | ExploitProtection_Name | +| Friendly Name | Use a common set of exploit protection settings | +| Element Name | Type the location (local path, UNC path, or URL) of the mitigation settings configuration XML file | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Exploit Guard > Exploit Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection | +| ADMX File Name | ExploitGuard.admx | + -
    - - - -Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](/microsoft-365/security/defender-endpoint/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). - -The system settings require a reboot; the application settings do not require a reboot. - - - -ADMX Info: -- GP Friendly name: *Use a common set of exploit protection settings* -- GP name: *ExploitProtection_Name* -- GP element: *ExploitProtection_Name* -- GP path: *Windows Components/Windows Defender Exploit Guard/Exploit Protection* -- GP ADMX file name: *ExploitGuard.admx* - - - -Here is an example: + + +**Example**: ```xml @@ -93,14 +93,16 @@ Here is an example: ``` + - - -
    + + + + - + -## Related topics +## Related articles -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-federatedauthentication.md b/windows/client-management/mdm/policy-csp-federatedauthentication.md index fd8823c506..41e2f19ab9 100644 --- a/windows/client-management/mdm/policy-csp-federatedauthentication.md +++ b/windows/client-management/mdm/policy-csp-federatedauthentication.md @@ -1,81 +1,83 @@ --- -title: Policy CSP - FederatedAuthentication -description: Use the Policy CSP - Represents the enablement state of the Web Sign-in Credential Provider for device sign-in. -ms.author: v-nsatapathy -ms.topic: article +title: FederatedAuthentication Policy CSP +description: Learn more about the FederatedAuthentication Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: nimishasatapathy -ms.localizationpriority: medium -ms.date: 09/07/2022 -ms.reviewer: -manager: dansimp +ms.topic: reference --- + + + # Policy CSP - FederatedAuthentication + + + -
    + +## EnableWebSignInForPrimaryUser - -## FederatedAuthentication policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    -
    - FederatedAuthentication/EnableWebSignInForPrimaryUser -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser +``` + + + +Specifies whether web-based sign-in is enabled with the Primary User experience + -
    - - -**FederatedAuthentication/EnableWebSignInForPrimaryUser** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| -|Windows SE|Yes|No| - -> [!NOTE] -> Only available on Windows SE edition when Education/IsEducationEnvironment policy is also set to "1". - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
    - - - -This policy specifies whether Web Sign-in can be used for device sign-in in a single-user environment.​ - + + > [!NOTE] > Web Sign-in is only supported on Azure AD Joined PCs. + - + +**Description framework properties**: - -Value type is integer: -- 0 - (default): Feature defaults as appropriate for edition and device capabilities. -- 1 - Enabled: Web Sign-in Credential Provider will be enabled for device sign-in. -- 2 - Disabled: Web Sign-in Credential Provider won't be enabled for device sign-in. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Feature defaults as appropriate for edition and device capabilities. As of now, all editions/devices exhibit Disabled behavior by default. However, this may change for future editions/devices. | +| 1 | Enabled. Web Sign-in Credential Provider will be enabled for device sign-in. | +| 2 | Disabled. Web Sign-in Credential Provider will be not be enabled for device sign-in. | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index e4dfc521d7..cb839593b8 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md 
@@ -1,416 +1,433 @@ --- -title: Policy CSP - FileExplorer -description: Use the Policy CSP - FileExplorer setting so you can allow certain legacy plug-in applications to function without terminating Explorer. +title: FileExplorer Policy CSP +description: Learn more about the FileExplorer Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - FileExplorer > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowOptionToShowNetwork - -## FileExplorer policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - FileExplorer/AllowOptionToShowNetwork -
    -
    - FileExplorer/AllowOptionToShowThisPC -
    -
    - FileExplorer/TurnOffDataExecutionPreventionForExplorer -
    -
    - FileExplorer/TurnOffHeapTerminationOnCorruption -
    -
    - FileExplorer/SetAllowedFolderLocations -
    -
    - FileExplorer/SetAllowedStorageLocations -
    -
    - FileExplorer/DisableGraphRecentItems -
    -
    + +```User +./User/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowNetwork +``` +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowNetwork +``` + + + +When the Network folder is restricted, give the user the option to enumerate and navigate into it. + -
    + + + - -**FileExplorer/AllowOptionToShowNetwork** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Not Allowed. | +| 1 | Allowed. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowOptionToShowThisPC - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -This policy allows the user with an option to show the network folder when restricted. + +```User +./User/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowThisPC +``` - +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowThisPC +``` + - -The following list shows the supported values: + + +When This PC location is restricted, give the user the option to enumerate and navigate into it. + -- 0 - Disabled -- 1 (default) - Enabled + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow the user the option to show Network folder when restricted* -- GP name: *AllowOptionToShowNetwork* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Not Allowed. | +| 1 | Allowed. | + - -**FileExplorer/AllowOptionToShowThisPC** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DisableGraphRecentItems - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/DisableGraphRecentItems +``` + -> [!div class = "checklist"] -> * User + + +Turning off files from Office.com will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick access view. + -
    + + + - - + +**Description framework properties**: -This policy allows the user with an option to show this PC location when restricted. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: - -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 (Default) | File Explorer will request cloud file metadata and display it in the Quick access view. | +| 1 | File Explorer will not request cloud file metadata or display it in the Quick access view. | + -- 0 - Disabled -- 1 (default) - Enabled + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableGraphRecentItems | +| Friendly Name | Turn off files from Office.com in Quick access view | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableGraphRecentItems | +| ADMX File Name | Explorer.admx | + - -ADMX Info: -- GP Friendly name: *Allow the user the option to show Network folder when restricted* -- GP name: *AllowOptionToShowThisPC* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* + + + - - + -
    + +## SetAllowedFolderLocations - -**FileExplorer/TurnOffDataExecutionPreventionForExplorer** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedFolderLocations +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedFolderLocations +``` + - -
    + + +A value that can represent one or more folder locations in File Explorer. If not specified, the default is access to all folder locations. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Access to all folder locations. | +| 13 | Documents, Pictures, Downloads. | +| 15 | Desktop, Documents, Pictures, Downloads. | +| 31 | Desktop, Documents, Pictures, Downloads, Network. | +| 47 | This PC, Desktop, Documents, Pictures, Downloads. | +| 63 | This PC, Desktop, Documents, Pictures, Downloads, Network. | + + + + + + + + + +## SetAllowedStorageLocations + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedStorageLocations +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedStorageLocations +``` + + + + +A value that can represent one or more storage locations in File Explorer. If not specified, the default is access to all storage locations. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Access to all storage locations. | +| 1 | Removable Drives. | +| 2 | Sync roots. | +| 3 | Removable Drives, Sync roots. | +| 4 | Local Drives. | +| 5 | Removable Drives, Local Drives. | +| 6 | Sync Roots, Local Drives. | +| 7 | Removable Drives, Sync Roots, Local Drives. | + + + + + + + + + +## TurnOffDataExecutionPreventionForExplorer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/TurnOffDataExecutionPreventionForExplorer +``` + + + + Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Data Execution Prevention for Explorer* -- GP name: *NoDataExecutionPrevention* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**FileExplorer/TurnOffHeapTerminationOnCorruption** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoDataExecutionPrevention | +| Friendly Name | Turn off Data Execution Prevention for Explorer | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoDataExecutionPrevention | +| ADMX File Name | Explorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TurnOffHeapTerminationOnCorruption -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/TurnOffHeapTerminationOnCorruption +``` + - - + + Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off heap termination on corruption* -- GP name: *NoHeapTerminationOnCorruption* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**FileExplorer/SetAllowedFolderLocations** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoHeapTerminationOnCorruption | +| Friendly Name | Turn off heap termination on corruption | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoHeapTerminationOnCorruption | +| ADMX File Name | Explorer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + + + -
    + - - - - -This policy configures the folders that the user can enumerate and access in the File Explorer. - - - - -The following list shows the supported values: - -- 0: All folders -- 15: Desktop, Documents, Pictures, and Downloads -- 31: Desktop, Documents, Pictures, Downloads, and Network -- 47: This PC (local drive), [Desktop, Documents, Pictures], and Downloads -- 63: This PC, [Desktop, Documents, Pictures], Downloads, and Network - - - - -ADMX Info: -- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer* -- GP name: *SetAllowedFolderLocations* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* - - - - -
    - - -**FileExplorer/SetAllowedStorageLocations** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - - -This policy configures the folders that the user can enumerate and access in the File Explorer. - - - - -The following list shows the supported values: - -- 0: All storage locations -- 1: Removable Drives -- 2: Sync roots -- 3: Removable Drives, Sync roots, local drive - - - - -ADMX Info: -- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer* -- GP name: *SetAllowedStorageLocations* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* - - - - -
    - - -**FileExplorer/DisableGraphRecentItems** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - - -This policy changes whether files from Office.com will be shown in the Recents and Favorites sections on the Home node (previously known as Quick Access) in File Explorer. - - - - -The following list shows the supported values: - -- 0: Files from Office.com will display in the Home node -- 1: No files from Office.com will be retrieved or displayed - - - - -ADMX Info: -- GP Friendly name: *Turn off files from Office.com in Quick access view* -- GP name: *DisableGraphRecentItems* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* - - - - -
    - - - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md index d2d17d4b28..e27040ab3b 100644 --- a/windows/client-management/mdm/policy-csp-games.md +++ b/windows/client-management/mdm/policy-csp-games.md @@ -1,77 +1,80 @@ --- -title: Policy CSP - Games -description: Learn to use the Policy CSP - Games setting so that you can specify whether advanced gaming services can be used. +title: Games Policy CSP +description: Learn more about the Games Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Games -
    + + + - -## Games policies + +## AllowAdvancedGamingServices -
    -
    - Games/AllowAdvancedGamingServices -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Games/AllowAdvancedGamingServices +``` + - -**Games/AllowAdvancedGamingServices** + + +Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
    + + + - - -Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. + -Supported value type is integer. + + + - - -The following list shows the supported values: + -- 0 - Not Allowed -- 1 (default) - Allowed +## Related articles - - -
    - - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index 21b975f9b1..92691739f8 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -1,89 +1,97 @@ --- -title: Policy CSP - Handwriting -description: Use the Policy CSP - Handwriting setting to allow an enterprise to configure the default mode for the handwriting panel. +title: Handwriting Policy CSP +description: Learn more about the Handwriting Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Handwriting -
    + + + - -## Handwriting policies + +## PanelDefaultModeDocked -
    -
    - Handwriting/PanelDefaultModeDocked -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Handwriting/PanelDefaultModeDocked +``` + - -**Handwriting/PanelDefaultModeDocked** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows an enterprise to configure the default mode for the handwriting panel. - -The handwriting panel has two modes - floats near the text box, or docked to the bottom of the screen. The default configuration is the one floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen. + + +The handwriting panel has 2 modes - floats near the text box, or, attached to the bottom of the screen. Default is floating near text box. If you want the panel to be fixed, use this policy to fix it to the bottom. + + + In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel, to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and doesn't require any user interaction. The docked mode is especially useful in Kiosk mode, where you don't expect the end-user to drag the flying-in panel out of the way. + - - -ADMX Info: -- GP Friendly name: *Handwriting Panel Default Mode Docked* -- GP name: *PanelDefaultModeDocked* -- GP path: *Windows Components/Handwriting* -- GP ADMX file name: *Handwriting.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- 0 (default) - Disabled. -- 1 - Enabled. + +**Allowed values**: - - -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - + +**Group policy mapping**: +| Name | Value | +|:--|:--| +| Name | PanelDefaultModeDocked | +| Friendly Name | Handwriting Panel Default Mode Docked | +| Location | Computer Configuration | +| Path | Windows Components > Handwriting | +| Registry Key Name | Software\Policies\Microsoft\Handwriting | +| Registry Value Name | PanelDefaultModeDocked | +| ADMX File Name | Handwriting.admx | + -## Related topics + + + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 103060ecab..2a1b573428 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -1,246 +1,287 @@ --- -title: Policy CSP - HumanPresence -description: Use the Policy CSP - HumanPresence setting allows wake on approach and lock on leave that can be managed from MDM. +title: HumanPresence Policy CSP +description: Learn more about the HumanPresence Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - HumanPresence -
    + + + - -## HumanPresence policies + +## ForceInstantDim -
    -
    - HumanPresence/ForceInstantDim -
    -
    - HumanPresence/ForceInstantLock -
    -
    - HumanPresence/ForceInstantWake -
    -
    - HumanPresence/ForceLockTimeout -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceInstantDim +``` + - -**HumanPresence/ForceInstantDim** + + +Determines whether Attention Based Display Dimming is forced on/off by the MDM policy. The user will not be able to change this setting and the toggle in the UI will be greyed out. + - + + +This is a power saving feature that prolongs battery charge. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|Yes| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 2 | ForcedOff. | +| 1 | ForcedOn. | +| 0 (Default) | DefaultToUserChoice. | + -
    + +**Group policy mapping**: - - -This feature dims the screen based on user attention. This is a power saving feature that prolongs battery charge. +| Name | Value | +|:--|:--| +| Name | ForceInstantDim | +| Friendly Name | Force Instant Dim | +| Location | Computer Configuration | +| Path | Windows Components > Human Presence | +| Registry Key Name | Software\Policies\Microsoft\HumanPresence | +| ADMX File Name | Sensors.admx | + - - -ADMX Info: -- GP Friendly name: *Force Instant Dim* -- GP name: *ForceInstantDim* -- GP path: *Windows Components/Human Presence* -- GP ADMX file name: *Sensors.admx* + + + - - -The following list shows the supported values: + -- 2 = ForcedOff -- 1 = ForcedOn -- 0 = DefaultToUserChoice -- Defaults to 0. + +## ForceInstantLock - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceInstantLock +``` + - -**HumanPresence/ForceInstantLock** + + +Determines whether Lock on Leave is forced on/off by the MDM policy. The user will not be able to change this setting and the toggle in the UI will be greyed out. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 2 | ForcedOff. | +| 1 | ForcedOn. | +| 0 (Default) | DefaultToUserChoice. | + -
    + +**Group policy mapping**: - - -This policy specifies, whether the device can lock when a human presence sensor detects a human. +| Name | Value | +|:--|:--| +| Name | ForceInstantLock | +| Friendly Name | Force Instant Lock | +| Location | Computer Configuration | +| Path | Windows Components > Human Presence | +| Registry Key Name | Software\Policies\Microsoft\HumanPresence | +| Registry Value Name | ForceInstantLock | +| ADMX File Name | Sensors.admx | + - - -ADMX Info: -- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM* -- GP name: *ForceInstantLock* -- GP path: *Windows Components/HumanPresence* -- GP ADMX file name: *HumanPresence.admx* + + + - - -The following list shows the supported values: + -- 2 = ForcedOff -- 1 = ForcedOn -- 0 = DefaultToUserChoice -- Defaults to 0 + +## ForceInstantWake - - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**HumanPresence/ForceInstantWake** + +```Device +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceInstantWake +``` + - + + +Determines whether Wake On Arrival is forced on/off by the MDM policy. The user will not be able to change this setting and the toggle in the UI will be greyed out. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -> [!div class = "checklist"] -> * Device + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 2 | ForcedOff. | +| 1 | ForcedOn. | +| 0 (Default) | DefaultToUserChoice. | + - - -This policy specifies, whether the device can lock when a human presence sensor detects a human. + +**Group policy mapping**: - - -ADMX Info: -- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM* -- GP name: *ForceInstantWake* -- GP path: *Windows Components/HumanPresence* -- GP ADMX file name: *HumanPresence.admx* +| Name | Value | +|:--|:--| +| Name | ForceInstantWake | +| Friendly Name | Force Instant Wake | +| Location | Computer Configuration | +| Path | Windows Components > Human Presence | +| Registry Key Name | Software\Policies\Microsoft\HumanPresence | +| Registry Value Name | ForceInstantWake | +| ADMX File Name | Sensors.admx | + - - -The following list shows the supported values: + + + -- 2 = ForcedOff -- 1 = ForcedOn -- 0 = DefaultToUserChoice -- Defaults to 0 + - - -
    + +## ForceLockTimeout - -**HumanPresence/ForceLockTimeout** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceLockTimeout +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| + + +Determines the timeout for Lock on Leave forced by the MDM policy. The user will be unable to change this setting and the toggle in the UI will be greyed out. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - - -This policy specifies, at what distance the sensor wakes up when it sees a human in seconds. +| Value | Description | +|:--|:--| +| 120 | TwoMinutes. | +| 30 | ThirtySeconds. | +| 10 | TenSeconds. | +| 0 (Default) | DefaultToUserChoice. | + - - -ADMX Info: -- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM* -- GP name: *ForceLockTimeout* -- GP path: *Windows Components/HumanPresence* -- GP ADMX file name: *HumanPresence.admx* + +**Group policy mapping**: - - -Integer value that specifies, whether the device can lock when a human presence sensor detects a human. +| Name | Value | +|:--|:--| +| Name | ForceLockTimeout | +| Friendly Name | Lock Timeout | +| Location | Computer Configuration | +| Path | Windows Components > Human Presence | +| Registry Key Name | Software\Policies\Microsoft\HumanPresence | +| ADMX File Name | Sensors.admx | + -The following list shows the supported values: + + + -- 120 = 120 seconds -- 30 = 30 seconds -- 10 = 10 seconds -- 0 = DefaultToUserChoice -- Defaults to 0 + - - -
    + + + - + -## Related topics +## Related articles -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 275de06fef..b60ae5ce2c 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -1,1966 +1,1491 @@ --- -title: Policy CSP - InternetExplorer -description: Use the Policy CSP - InternetExplorer setting to add a specific list of search providers to the user's default list of search providers. +title: InternetExplorer Policy CSP +description: Learn more about the InternetExplorer Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.reviewer: -manager: aaroncz -ms.date: 12/31/2017 +ms.topic: reference --- + + + # Policy CSP - InternetExplorer -
    - - -## InternetExplorer policies - -
    -
    - InternetExplorer/AddSearchProvider -
    -
    - InternetExplorer/AllowActiveXFiltering -
    -
    - InternetExplorer/AllowAddOnList -
    -
    - InternetExplorer/AllowAutoComplete -
    -
    - InternetExplorer/AllowCertificateAddressMismatchWarning -
    -
    - InternetExplorer/AllowDeletingBrowsingHistoryOnExit -
    -
    - InternetExplorer/AllowEnhancedProtectedMode -
    -
    - InternetExplorer/AllowEnhancedSuggestionsInAddressBar -
    -
    - InternetExplorer/AllowEnterpriseModeFromToolsMenu -
    -
    - InternetExplorer/AllowEnterpriseModeSiteList -
    -
    - InternetExplorer/AllowFallbackToSSL3 -
    -
    - InternetExplorer/AllowInternetExplorer7PolicyList -
    -
    - InternetExplorer/AllowInternetExplorerStandardsMode -
    -
    - InternetExplorer/AllowInternetZoneTemplate -
    -
    - InternetExplorer/AllowIntranetZoneTemplate -
    -
    - InternetExplorer/AllowLocalMachineZoneTemplate -
    -
    - InternetExplorer/AllowLockedDownInternetZoneTemplate -
    -
    - InternetExplorer/AllowLockedDownIntranetZoneTemplate -
    -
    - InternetExplorer/AllowLockedDownLocalMachineZoneTemplate -
    -
    - InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate -
    -
    - InternetExplorer/AllowOneWordEntry -
    -
    - InternetExplorer/AllowSaveTargetAsInIEMode -
    -
    - InternetExplorer/AllowSiteToZoneAssignmentList -
    -
    - InternetExplorer/AllowSoftwareWhenSignatureIsInvalid -
    -
    - InternetExplorer/AllowSuggestedSites -
    -
    - InternetExplorer/AllowTrustedSitesZoneTemplate -
    -
    - InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate -
    -
    - InternetExplorer/AllowsRestrictedSitesZoneTemplate -
    -
    - InternetExplorer/CheckServerCertificateRevocation -
    -
    - InternetExplorer/CheckSignaturesOnDownloadedPrograms -
    -
    - InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses -
    - -
    - InternetExplorer/ConfigureEdgeRedirectChannel -
    -
    - InternetExplorer/DisableActiveXVersionListAutoDownload -
    -
    - InternetExplorer/DisableAdobeFlash -
    -
    - InternetExplorer/DisableBypassOfSmartScreenWarnings -
    -
    - InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles -
    -
    - InternetExplorer/DisableCompatView -
    -
    - InternetExplorer/DisableConfiguringHistory -
    -
    - InternetExplorer/DisableCrashDetection -
    -
    - InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation -
    -
    - InternetExplorer/DisableDeletingUserVisitedWebsites -
    -
    - InternetExplorer/DisableEnclosureDownloading -
    -
    - InternetExplorer/DisableEncryptionSupport -
    -
    - InternetExplorer/DisableFeedsBackgroundSync -
    -
    - InternetExplorer/DisableFirstRunWizard -
    -
    - InternetExplorer/DisableFlipAheadFeature -
    -
    - InternetExplorer/DisableGeolocation -
    -
    - InternetExplorer/DisableHomePageChange -
    -
    - InternetExplorer/DisableInternetExplorerApp -
    -
    - InternetExplorer/DisableIgnoringCertificateErrors -
    -
    - InternetExplorer/DisableInPrivateBrowsing -
    -
    - InternetExplorer/DisableProcessesInEnhancedProtectedMode -
    -
    - InternetExplorer/DisableProxyChange -
    -
    - InternetExplorer/DisableSearchProviderChange -
    -
    - InternetExplorer/DisableSecondaryHomePageChange -
    -
    - InternetExplorer/DisableSecuritySettingsCheck -
    -
    - InternetExplorer/DisableUpdateCheck -
    -
    - InternetExplorer/DisableWebAddressAutoComplete -
    -
    - InternetExplorer/DoNotAllowActiveXControlsInProtectedMode -
    -
    - InternetExplorer/DoNotAllowUsersToAddSites -
    -
    - InternetExplorer/DoNotAllowUsersToChangePolicies -
    -
    - InternetExplorer/DoNotBlockOutdatedActiveXControls -
    -
    - InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains -
    -
    - InternetExplorer/EnableExtendedIEModeHotkeys -
    -
    - InternetExplorer/EnableGlobalWindowListInIEMode -
    -
    - InternetExplorer/HideInternetExplorer11RetirementNotification -
    -
    - InternetExplorer/IncludeAllLocalSites -
    -
    - InternetExplorer/IncludeAllNetworkPaths -
    -
    - InternetExplorer/InternetZoneAllowAccessToDataSources -
    -
    - InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/InternetZoneAllowCopyPasteViaScript -
    -
    - InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles -
    -
    - InternetExplorer/InternetZoneAllowFontDownloads -
    -
    - InternetExplorer/InternetZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles -
    -
    - InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls -
    -
    - InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl -
    -
    - InternetExplorer/InternetZoneAllowScriptInitiatedWindows -
    -
    - InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls -
    -
    - InternetExplorer/InternetZoneAllowScriptlets -
    -
    - InternetExplorer/InternetZoneAllowSmartScreenIE -
    -
    - InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript -
    -
    - InternetExplorer/InternetZoneAllowUserDataPersistence -
    -
    - InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer -
    -
    - InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls -
    -
    - InternetExplorer/InternetZoneDownloadSignedActiveXControls -
    -
    - InternetExplorer/InternetZoneDownloadUnsignedActiveXControls -
    -
    - InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter -
    -
    - InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows -
    -
    - InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows -
    -
    - InternetExplorer/InternetZoneEnableMIMESniffing -
    -
    - InternetExplorer/InternetZoneEnableProtectedMode -
    -
    - InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer -
    -
    - InternetExplorer/InternetZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe -
    -
    - InternetExplorer/InternetZoneJavaPermissions -
    -
    - InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME -
    -
    - InternetExplorer/InternetZoneLogonOptions -
    -
    - InternetExplorer/InternetZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode -
    -
    - InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles -
    -
    - InternetExplorer/InternetZoneUsePopupBlocker -
    -
    - InternetExplorer/IntranetZoneAllowAccessToDataSources -
    -
    - InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/IntranetZoneAllowFontDownloads -
    -
    - InternetExplorer/IntranetZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/IntranetZoneAllowScriptlets -
    -
    - InternetExplorer/IntranetZoneAllowSmartScreenIE -
    -
    - InternetExplorer/IntranetZoneAllowUserDataPersistence -
    -
    - InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls -
    -
    - InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/IntranetZoneJavaPermissions -
    -
    - InternetExplorer/IntranetZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/KeepIntranetSitesInInternetExplorer -
    -
    - InternetExplorer/LocalMachineZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LocalMachineZoneAllowFontDownloads -
    -
    - InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LocalMachineZoneAllowScriptlets -
    -
    - InternetExplorer/LocalMachineZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LocalMachineZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls -
    -
    - InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LocalMachineZoneJavaPermissions -
    -
    - InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LockedDownInternetZoneAllowFontDownloads -
    -
    - InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LockedDownInternetZoneAllowScriptlets -
    -
    - InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LockedDownInternetZoneJavaPermissions -
    -
    - InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LockedDownIntranetJavaPermissions -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowFontDownloads -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowScriptlets -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LockedDownLocalMachineZoneJavaPermissions -
    -
    - InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses -
    -
    - InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses -
    -
    - InternetExplorer/NewTabDefaultPage -
    -
    - InternetExplorer/NotificationBarInternetExplorerProcesses -
    -
    - InternetExplorer/PreventManagingSmartScreenFilter -
    -
    - InternetExplorer/PreventPerUserInstallationOfActiveXControls -
    -
    - InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses -
    -
    - InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls -
    -
    - InternetExplorer/ResetZoomForDialogInIEMode -
    -
    - InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses -
    -
    - InternetExplorer/RestrictFileDownloadInternetExplorerProcesses -
    -
    - InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources -
    -
    - InternetExplorer/RestrictedSitesZoneAllowActiveScripting -
    -
    - InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors -
    -
    - InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript -
    -
    - InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles -
    -
    - InternetExplorer/RestrictedSitesZoneAllowFileDownloads -
    -
    - InternetExplorer/RestrictedSitesZoneAllowFontDownloads -
    -
    - InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles -
    -
    - InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH -
    -
    - InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl -
    -
    - InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows -
    -
    - InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls -
    -
    - InternetExplorer/RestrictedSitesZoneAllowScriptlets -
    -
    - InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE -
    -
    - InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript -
    -
    - InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence -
    -
    - InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer -
    -
    - InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter -
    -
    - InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows -
    -
    - InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows -
    -
    - InternetExplorer/RestrictedSitesZoneEnableMIMESniffing -
    -
    - InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer -
    -
    - InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneJavaPermissions -
    -
    - InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME -
    -
    - InternetExplorer/RestrictedSitesZoneLogonOptions -
    -
    - InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins -
    -
    - InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode -
    -
    - InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting -
    -
    - InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets -
    -
    - InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles -
    -
    - InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode -
    -
    - InternetExplorer/RestrictedSitesZoneUsePopupBlocker -
    -
    - InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses -
    -
    - InternetExplorer/SearchProviderList -
    -
    - InternetExplorer/SecurityZonesUseOnlyMachineSettings -
    -
    - InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge -
    -
    - InternetExplorer/SpecifyUseOfActiveXInstallerService -
    -
    - InternetExplorer/TrustedSitesZoneAllowAccessToDataSources -
    -
    - InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/TrustedSitesZoneAllowFontDownloads -
    -
    - InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/TrustedSitesZoneAllowScriptlets -
    -
    - InternetExplorer/TrustedSitesZoneAllowSmartScreenIE -
    -
    - InternetExplorer/TrustedSitesZoneAllowUserDataPersistence -
    -
    - InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls -
    -
    - InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/TrustedSitesZoneJavaPermissions -
    -
    - InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**InternetExplorer/AddSearchProvider** + +## AddSearchProvider - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AddSearchProvider +``` - -
    +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AddSearchProvider +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website. -If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). +- If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]) > [!NOTE] > This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. -If you disable or do not configure this policy setting, the user can configure their list of search providers, unless another policy setting restricts such configuration. +- If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. + - + + + - -ADMX Info: -- GP Friendly name: *Add a specific list of search providers to the user's list of search providers* -- GP name: *AddSearchProvider* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/AllowActiveXFiltering** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AddSearchProvider | +| Friendly Name | Add a specific list of search providers to the user's list of search providers | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions | +| Registry Value Name | AddPolicySearchProviders | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowActiveXFiltering -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowActiveXFiltering +``` - - -This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites, so that ActiveX controls can run properly. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowActiveXFiltering +``` + -If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions. + + +This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly. -If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. +- If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions. - +- If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. + - -ADMX Info: -- GP Friendly name: *Turn on ActiveX Filtering* -- GP name: *TurnOnActiveXFiltering* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/AllowAddOnList** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TurnOnActiveXFiltering | +| Friendly Name | Turn on ActiveX Filtering | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Safety\ActiveXFiltering | +| Registry Value Name | IsEnabled | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## AllowAddOnList -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowAddOnList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowAddOnList +``` + + + + This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages. This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied. -If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: +- If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: -- Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, ‘{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. +Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, '{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. -- Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied, enter a 0 (zero) into this field. 
To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. +Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. -If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will determine, whether add-ons not in this list are assumed to be denied. +- If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. + - + + + - -ADMX Info: -- GP Friendly name: *Add-on List* -- GP name: *AddonManagement_AddOnList* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/AllowAutoComplete** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AddonManagement_AddOnList | +| Friendly Name | Add-on List | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Add-on Management | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Ext | +| Registry Value Name | ListBox_Support_CLSID | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowAutoComplete -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowAutoComplete +``` + - - + + This AutoComplete feature can remember and suggest User names and passwords on Forms. -If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". +- If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". -If you disable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. +- If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. -If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. +- If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Turn on the auto-complete feature for user names and passwords on forms* -- GP name: *RestrictFormSuggestPW* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/AllowCertificateAddressMismatchWarning** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RestrictFormSuggestPW | +| Friendly Name | Turn on the auto-complete feature for user names and passwords on forms | +| Location | User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| Registry Value Name | FormSuggest Passwords | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowCertificateAddressMismatchWarning -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowCertificateAddressMismatchWarning +``` - - -This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned, when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowCertificateAddressMismatchWarning +``` + -If you enable this policy setting, the certificate address mismatch warning always appears. + + +This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. -If you disable or do not configure this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Control panel). +- If you enable this policy setting, the certificate address mismatch warning always appears. - +- If you disable or do not configure this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Control panel). + - -ADMX Info: -- GP Friendly name: *Turn on certificate address mismatch warning* -- GP name: *IZ_PolicyWarnCertMismatch* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/AllowDeletingBrowsingHistoryOnExit** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyWarnCertMismatch | +| Friendly Name | Turn on certificate address mismatch warning | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| Registry Value Name | WarnOnBadCertRecving | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## AllowDeletingBrowsingHistoryOnExit -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowDeletingBrowsingHistoryOnExit +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowDeletingBrowsingHistoryOnExit +``` + + + + This policy setting allows the automatic deletion of specified items when the last browser window closes. The preferences selected in the Delete Browsing History dialog box (such as deleting temporary Internet files, cookies, history, form data, and passwords) are applied, and those items are deleted. -If you enable this policy setting, deleting browsing history on exit is turned on. +- If you enable this policy setting, deleting browsing history on exit is turned on. -If you disable this policy setting, deleting browsing history on exit is turned off. +- If you disable this policy setting, deleting browsing history on exit is turned off. -If you do not configure this policy setting, it can be configured on the General tab in Internet Options. +- If you do not configure this policy setting, it can be configured on the General tab in Internet Options. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect. + - + + + - -ADMX Info: -- GP Friendly name: *Allow deleting browsing history on exit* -- GP name: *DBHDisableDeleteOnExit* -- GP path: *Windows Components/Internet Explorer/Delete Browsing History* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/AllowEnhancedProtectedMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DBHDisableDeleteOnExit | +| Friendly Name | Allow deleting browsing history on exit | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Delete Browsing History | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Privacy | +| Registry Value Name | ClearBrowsingHistoryOnExit | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowEnhancedProtectedMode -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnhancedProtectedMode +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnhancedProtectedMode +``` + + + + Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. -If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode. +- If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode. -If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista. +- If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista. -If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. +- If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Turn on Enhanced Protected Mode* -- GP name: *Advanced_EnableEnhancedProtectedMode* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/AllowEnhancedSuggestionsInAddressBar** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_EnableEnhancedProtectedMode | +| Friendly Name | Turn on Enhanced Protected Mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| Registry Value Name | Isolation | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowEnhancedSuggestionsInAddressBar -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnhancedSuggestionsInAddressBar +``` - - -This policy setting allows Internet Explorer to provide enhanced suggestions, as the user types in the Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnhancedSuggestionsInAddressBar +``` + -If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users cannot change the Suggestions setting on the Settings charm. + + +This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services. -If you disable this policy setting, users do not receive enhanced suggestions while typing in the Address bar. In addition, users cannot change the Suggestions setting on the Settings charm. +- If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm. -If you do not configure this policy setting, users can change the Suggestions setting on the Settings charm. +- If you disable this policy setting, users won't receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm. - +- If you don't configure this policy setting, users can change the Suggestions setting on the Settings charm. 
+ - -ADMX Info: -- GP Friendly name: *Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar* -- GP name: *AllowServicePoweredQSA* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + + + - - -Supported values: -- 0 - Disabled -- 1 - Enabled (Default) - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**InternetExplorer/AllowEnterpriseModeFromToolsMenu** +| Name | Value | +|:--|:--| +| Name | AllowServicePoweredQSA | +| Friendly Name | Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer | +| Registry Value Name | AllowServicePoweredQSA | +| ADMX File Name | inetres.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowEnterpriseModeFromToolsMenu - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * User -> * Device + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnterpriseModeFromToolsMenu +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnterpriseModeFromToolsMenu +``` + - - -This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode, using the Tools menu. + + +This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu. If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports. -If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. +- If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. + - + + + - -ADMX Info: -- GP Friendly name: *Let users turn on and use Enterprise Mode from the Tools menu* -- GP name: *EnterpriseModeEnable* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/AllowEnterpriseModeSiteList** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnterpriseModeEnable | +| Friendly Name | Let users turn on and use Enterprise Mode from the Tools menu | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowEnterpriseModeSiteList -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnterpriseModeSiteList +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnterpriseModeSiteList +``` + + + + This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list. -If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE. +- If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE. -If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. +- If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. + - + + + - -ADMX Info: -- GP Friendly name: *Use the Enterprise Mode IE website list* -- GP name: *EnterpriseModeSiteList* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/AllowFallbackToSSL3** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnterpriseModeSiteList | +| Friendly Name | Use the Enterprise Mode IE website list | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowFallbackToSSL3 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowFallbackToSSL3 +``` + - - -This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below, when TLS 1.0 or greater fails. + + +This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. We recommend that you do not allow insecure fallback in order to prevent a man-in-the-middle attack. This policy does not affect which security protocols are enabled. -If you disable this policy, system defaults will be used. +- If you disable this policy, system defaults will be used. + - + + + - -ADMX Info: -- GP Friendly name: *Allow fallback to SSL 3.0 (Internet Explorer)* -- GP name: *Advanced_EnableSSL3Fallback* -- GP path: *Windows Components/Internet Explorer/Security Features* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/AllowInternetExplorer7PolicyList** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_EnableSSL3Fallback | +| Friendly Name | Allow fallback to SSL 3.0 (Internet Explorer) | +| Location | Computer Configuration | +| Path | Windows Components > Internet Explorer > Security Features | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowInternetExplorer7PolicyList -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetExplorer7PolicyList +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetExplorer7PolicyList +``` + + + + This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View. -If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify. +- If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify. + +- If you disable or do not configure this policy setting, the user can add and remove sites from the list. + + + + + -If you disable or do not configure this policy setting, the user can add and remove sites from the list. + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CompatView_UsePolicyList | +| Friendly Name | Use Policy List of Internet Explorer 7 sites | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Compatibility View | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList | +| ADMX File Name | inetres.admx | + - + + + - -ADMX Info: -- GP Friendly name: *Use Policy List of Internet Explorer 7 sites* -- GP name: *CompatView_UsePolicyList* -- GP path: *Windows Components/Internet Explorer/Compatibility View* -- GP ADMX file name: *inetres.admx* + - - + +## AllowInternetExplorerStandardsMode -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -**InternetExplorer/AllowInternetExplorerStandardsMode** + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetExplorerStandardsMode +``` - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetExplorerStandardsMode +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone. - -
    +- If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box. -> [!div class = "checklist"] -> * User -> * Device +- If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. + -
    + + + - - -This policy setting controls, how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone. + +**Description framework properties**: -If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. 
+**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CompatView_IntranetSites | +| Friendly Name | Turn on Internet Explorer Standards Mode for local intranet | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Compatibility View | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\BrowserEmulation | +| Registry Value Name | IntranetCompatibilityMode | +| ADMX File Name | inetres.admx | + + + + + - + - -ADMX Info: -- GP Friendly name: *Turn on Internet Explorer Standards Mode for local intranet* -- GP name: *CompatView_IntranetSites* -- GP path: *Windows Components/Internet Explorer/Compatibility View* -- GP ADMX file name: *inetres.admx* + +## AllowInternetZoneTemplate - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetZoneTemplate +``` - -**InternetExplorer/AllowInternetZoneTemplate** +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetZoneTemplate +``` + - + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -
    +- If you disable this template policy setting, no security level is configured. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you do not configure this template policy setting, no security level is configured. -> [!div class = "checklist"] -> * User -> * Device +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -
    +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. + + + -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +**Description framework properties**: -If you disable this template policy setting, no security level is configured. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you do not configure this template policy setting, no security level is configured. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +**ADMX mapping**: -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. 
+| Name | Value | +|:--|:--| +| Name | IZ_PolicyInternetZoneTemplate | +| Friendly Name | Internet Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Template Policies | +| Registry Value Name | InternetZoneTemplate | +| ADMX File Name | inetres.admx | + - + + + - -ADMX Info: -- GP Friendly name: *Internet Zone Template* -- GP name: *IZ_PolicyInternetZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + - - + +## AllowIntranetZoneTemplate -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -**InternetExplorer/AllowIntranetZoneTemplate** + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowIntranetZoneTemplate +``` - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowIntranetZoneTemplate +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -
    +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you disable this template policy setting, no security level is configured. -> [!div class = "checklist"] -> * User -> * Device +- If you do not configure this template policy setting, no security level is configured. -
    +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - - -This template policy setting allows you to configure policy settings in this zone, consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + + + -If you disable this template policy setting, no security level is configured. + +**Description framework properties**: -If you do not configure this template policy setting, no security level is configured. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
-> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyIntranetZoneTemplate | +| Friendly Name | Intranet Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Settings\Template Policies | +| Registry Value Name | IntranetZoneTemplate | +| ADMX File Name | inetres.admx | + - -ADMX Info: -- GP Friendly name: *Intranet Zone Template* -- GP name: *IZ_PolicyIntranetZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + + + - - + -
    + +## AllowLocalMachineZoneTemplate - -**InternetExplorer/AllowLocalMachineZoneTemplate** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLocalMachineZoneTemplate +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLocalMachineZoneTemplate +``` + - -
    + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -> [!div class = "checklist"] -> * User -> * Device +- If you disable this template policy setting, no security level is configured. -
    +- If you do not configure this template policy setting, no security level is configured. - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + -If you disable this template policy setting, no security level is configured. + + + -If you do not configure this template policy setting, no security level is configured. + +**Description framework properties**: -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. 
You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Local Machine Zone Template* -- GP name: *IZ_PolicyLocalMachineZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* +| Name | Value | +|:--|:--| +| Name | IZ_PolicyLocalMachineZoneTemplate | +| Friendly Name | Local Machine Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Settings\Template Policies | +| Registry Value Name | LocalMachineZoneTemplate | +| ADMX File Name | inetres.admx | + - - + + + -
    + - -**InternetExplorer/AllowLockedDownInternetZoneTemplate** + +## AllowLockedDownInternetZoneTemplate - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownInternetZoneTemplate +``` - -
    +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownInternetZoneTemplate +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. -> [!div class = "checklist"] -> * User -> * Device +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -
    +- If you disable this template policy setting, no security level is configured. - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +- If you do not configure this template policy setting, no security level is configured. -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -If you disable this template policy setting, no security level is configured. +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + -If you do not configure this template policy setting, no security level is configured. + + + -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +**Description framework properties**: -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. 
You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Locked-Down Internet Zone Template* -- GP name: *IZ_PolicyInternetZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyInternetZoneLockdownTemplate | +| Friendly Name | Locked-Down Internet Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Lockdown Settings\Template Policies | +| Registry Value Name | InternetZoneLockdownTemplate | +| ADMX File Name | inetres.admx | + -
    + + + - -**InternetExplorer/AllowLockedDownIntranetZoneTemplate** + - + +## AllowLockedDownIntranetZoneTemplate -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownIntranetZoneTemplate +``` - -[Scope](./policy-configuration-service-provider.md#policy-scope): +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownIntranetZoneTemplate +``` + -> [!div class = "checklist"] -> * User -> * Device + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. -
    +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +- If you disable this template policy setting, no security level is configured. -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +- If you do not configure this template policy setting, no security level is configured. -If you disable this template policy setting, no security level is configured. +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -If you do not configure this template policy setting, no security level is configured. +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. 
+ + + -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Locked-Down Intranet Zone Template* -- GP name: *IZ_PolicyIntranetZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | IZ_PolicyIntranetZoneLockdownTemplate | +| Friendly Name | Locked-Down Intranet Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Lockdown Settings\Template Policies | +| Registry Value Name | IntranetZoneLockdownTemplate | +| ADMX File Name | inetres.admx | + - -**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AllowLockedDownLocalMachineZoneTemplate - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownLocalMachineZoneTemplate +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownLocalMachineZoneTemplate +``` + -
    + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +- If you disable this template policy setting, no security level is configured. -If you disable this template policy setting, no security level is configured. +- If you do not configure this template policy setting, no security level is configured. -If you do not configure this template policy setting, no security level is configured. +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. 
You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Locked-Down Local Machine Zone Template* -- GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate** +| Name | Value | +|:--|:--| +| Name | IZ_PolicyLocalMachineZoneLockdownTemplate | +| Friendly Name | Locked-Down Local Machine Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Lockdown Settings\Template Policies | +| Registry Value Name | LocalMachineZoneLockdownTemplate | +| ADMX File Name | inetres.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + +## AllowLockedDownRestrictedSitesZoneTemplate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. -> [!div class = "checklist"] -> * User -> * Device +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -
    +- If you disable this template policy setting, no security level is configured. - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +- If you do not configure this template policy setting, no security level is configured. -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -If you disable this template policy setting, no security level is configured. +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + -If you do not configure this template policy setting, no security level is configured. + + + -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +**Description framework properties**: -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. 
You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Locked-Down Restricted Sites Zone Template* -- GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyRestrictedSitesZoneLockdownTemplate | +| Friendly Name | Locked-Down Restricted Sites Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Lockdown Settings\Template Policies | +| Registry Value Name | RestrictedSitesZoneLockdownTemplate | +| ADMX File Name | inetres.admx | + + + + + + + + + +## AllowOneWordEntry + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowOneWordEntry +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowOneWordEntry +``` + -
    - - -**InternetExplorer/AllowOneWordEntry** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. -If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available. +- If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available. -If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. +- If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. + - + + + - -ADMX Info: -- GP Friendly name: *Go to an intranet site for a one-word entry in the Address bar* -- GP name: *UseIntranetSiteForOneWordEntry* -- GP path: *Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/AllowSaveTargetAsInIEMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | UseIntranetSiteForOneWordEntry | +| Friendly Name | Go to an intranet site for a one-word entry in the Address bar | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Settings > Advanced settings > Browsing | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| Registry Value Name | GotoIntranetSiteForSingleWordEntry | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowSaveTargetAsInIEMode -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSaveTargetAsInIEMode +``` - - -This policy setting allows the administrator to enable "Save Target As" context menu in Internet Explorer mode. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSaveTargetAsInIEMode +``` + + + + +This policy setting allows admins to enable "Save Target As" context menu in Internet Explorer mode. - If you enable this policy, "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer. + - If you disable or do not configure this policy setting, "Save Target As" will not show up in the Internet Explorer mode context menu. -For more information, see [https://go.microsoft.com/fwlink/?linkid=2102115](/deployedge/edge-ie-mode-faq) +For more information, see + - + + + - -ADMX Info: -- GP Friendly name: *Allow "Save Target As" in Internet Explorer mode* -- GP name: *AllowSaveTargetAsInIEMode* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSaveTargetAsInIEMode | +| Friendly Name | Allow "Save Target As" in Internet Explorer mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| Registry Value Name | AllowSaveTargetAsInIEMode | +| ADMX File Name | inetres.admx | + + + + +**Example**: - - ```xml 
@@ -1973,69 +1498,82 @@ ADMX Info: ``` + - -**InternetExplorer/AllowSiteToZoneAssignmentList** + - + +## AllowSiteToZoneAssignmentList -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList +``` - -[Scope](./policy-configuration-service-provider.md#policy-scope): +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList +``` + -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone. -Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: -1. Intranet zone -1. Trusted Sites zone -1. Internet zone -1. Restricted Sites zone +Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) -Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Medium template), Intranet zone (Medium-Low template), Internet zone (Medium-high template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) +- If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: -If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. 
For each entry that you add to the list, enter the following information: +Valuename - A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. -- Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter `` as the valuename, other protocols are not affected. If you enter just `www.contoso.com,` then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for `www.contoso.com` and `www.contoso.com/mail` would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. +Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. -- Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. - -If you disable or do not configure this policy, users may choose their own site-to-zone assignments. 
+- If you disable or do not configure this policy, users may choose their own site-to-zone assignments. + + + > [!NOTE] > This policy is a list that contains the site and index value. + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_Zonemaps | +| Friendly Name | Site to Zone Assignment List | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| Registry Value Name | ListBox_Support_ZoneMapKey | +| ADMX File Name | inetres.admx | + + + + The list is a set of pairs of strings. Each string is separated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below. - +**Example**: - -ADMX Info: -- GP Friendly name: *Site to Zone Assignment List* -- GP name: *IZ_Zonemaps* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - ```xml @@ -2058,444 +1596,560 @@ ADMX Info: Value and index pairs in the SyncML example: - `https://adfs.contoso.org 1` - `https://microsoft.com 2` + - - + -
    + +## AllowsLockedDownTrustedSitesZoneTemplate - -**InternetExplorer/AllowSoftwareWhenSignatureIsInvalid** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate +``` + - -
    + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -> [!div class = "checklist"] -> * User -> * Device +- If you disable this template policy setting, no security level is configured. -
    +- If you do not configure this template policy setting, no security level is configured. - - +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyTrustedSitesZoneLockdownTemplate | +| Friendly Name | Locked-Down Trusted Sites Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Lockdown Settings\Template Policies | +| Registry Value Name | TrustedSitesZoneLockdownTemplate | +| ADMX File Name | inetres.admx | + + + + + + + + + +## AllowSoftwareWhenSignatureIsInvalid + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSoftwareWhenSignatureIsInvalid +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSoftwareWhenSignatureIsInvalid +``` + + + + This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. -If you enable this policy setting, users will be prompted to install or run files with an invalid signature. +- If you enable this policy setting, users will be prompted to install or run files with an invalid signature. -If you disable this policy setting, users cannot run or install files with an invalid signature. +- If you disable this policy setting, users cannot run or install files with an invalid signature. -If you do not configure this policy, users can choose to run or install files with an invalid signature. +- If you do not configure this policy, users can choose to run or install files with an invalid signature. + - + + + - -ADMX Info: -- GP Friendly name: *Allow software to run or install even if the signature is invalid* -- GP name: *Advanced_InvalidSignatureBlock* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/AllowSuggestedSites** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_InvalidSignatureBlock | +| Friendly Name | Allow software to run or install even if the signature is invalid | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Download | +| Registry Value Name | RunInvalidSignatures | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowsRestrictedSitesZoneTemplate -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowsRestrictedSitesZoneTemplate +``` - - -This policy setting controls the Suggested Sites feature, which recommends websites based on the user’s browsing activity. Suggested Sites reports a user’s browsing history to Microsoft, to suggest sites that the user might want to visit. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowsRestrictedSitesZoneTemplate +``` + -If you enable this policy setting, the user is not prompted to enable Suggested Sites. The user’s browsing history is sent to Microsoft to produce suggestions. + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. -If you disable this policy setting, the entry points and functionality associated with this feature are turned off. +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. +- If you disable this template policy setting, no security level is configured. - +- If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -ADMX Info: -- GP Friendly name: *Turn on Suggested Sites* -- GP name: *EnableSuggestedSites* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* +Note. 
It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + - - + + + -
    + +**Description framework properties**: - -**InternetExplorer/AllowTrustedSitesZoneTemplate** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyRestrictedSitesZoneTemplate | +| Friendly Name | Restricted Sites Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Settings\Template Policies | +| Registry Value Name | RestrictedSitesZoneTemplate | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## AllowSuggestedSites -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSuggestedSites +``` -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSuggestedSites +``` + -If you disable this template policy setting, no security level is configured. + + +This policy setting controls the Suggested Sites feature, which recommends websites based on the user's browsing activity. Suggested Sites reports a user's browsing history to Microsoft to suggest sites that the user might want to visit. -If you do not configure this template policy setting, no security level is configured. +- If you enable this policy setting, the user is not prompted to enable Suggested Sites. The user's browsing history is sent to Microsoft to produce suggestions. -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +- If you disable this policy setting, the entry points and functionality associated with this feature are turned off. -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. 
+- If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. + - + + + - -ADMX Info: -- GP Friendly name: *Trusted Sites Zone Template* -- GP name: *IZ_PolicyTrustedSitesZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableSuggestedSites | +| Friendly Name | Turn on Suggested Sites | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Suggested Sites | +| Registry Value Name | Enabled | +| ADMX File Name | inetres.admx | + + + + + + + + + +## AllowTrustedSitesZoneTemplate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowTrustedSitesZoneTemplate +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowTrustedSitesZoneTemplate +``` + + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you disable this template policy setting, no security level is configured. - -
    +- If you do not configure this template policy setting, no security level is configured. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -> [!div class = "checklist"] -> * User -> * Device +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + -
    + + + + + +**Description framework properties**: - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you disable this template policy setting, no security level is configured. +**ADMX mapping**: -If you do not configure this template policy setting, no security level is configured. +| Name | Value | +|:--|:--| +| Name | IZ_PolicyTrustedSitesZoneTemplate | +| Friendly Name | Trusted Sites Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Settings\Template Policies | +| Registry Value Name | TrustedSitesZoneTemplate | +| ADMX File Name | inetres.admx | + + + + + + + + + +## CheckServerCertificateRevocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/CheckServerCertificateRevocation +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/CheckServerCertificateRevocation +``` + -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - - -ADMX Info: -- GP Friendly name: *Locked-Down Trusted Sites Zone Template* -- GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/AllowsRestrictedSitesZoneTemplate** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - - -ADMX Info: -- GP Friendly name: *Restricted Sites Zone Template* -- GP name: *IZ_PolicyRestrictedSitesZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/CheckServerCertificateRevocation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure. -If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked. +- If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked. -If you disable this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. +- If you disable this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. -If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. +- If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. + - + + + - -ADMX Info: -- GP Friendly name: *Check for server certificate revocation* -- GP name: *Advanced_CertificateRevocation* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/CheckSignaturesOnDownloadedPrograms** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_CertificateRevocation | +| Friendly Name | Check for server certificate revocation | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| Registry Value Name | CertificateRevocation | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CheckSignaturesOnDownloadedPrograms -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/CheckSignaturesOnDownloadedPrograms +``` - - -This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software, and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/CheckSignaturesOnDownloadedPrograms +``` + -If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers. + + +This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. -If you disable this policy setting, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. +- If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers. -If you do not configure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. +- If you disable this policy setting, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. - +- If you do not configure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. 
+ - -ADMX Info: -- GP Friendly name: *Check for signatures on downloaded programs* -- GP name: *Advanced_DownloadSignatures* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -**InternetExplorer/ConfigureEdgeRedirectChannel** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Advanced_DownloadSignatures | +| Friendly Name | Check for signatures on downloaded programs | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Download | +| Registry Value Name | CheckExeSignatures | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## ConfigureEdgeRedirectChannel -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | + - - -Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy, if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the chosen versions are not installed on the device, that preference will be bypassed. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/ConfigureEdgeRedirectChannel +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/ConfigureEdgeRedirectChannel +``` + + + + +Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the chosen versions are not installed on the device, that preference will be bypassed. If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed, the following behaviors occur: - +- If you disable or don't configure this policy, Microsoft Edge Stable channel is used. This is the default behavior. - If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: - - 1 = Microsoft Edge Stable - - 2 = Microsoft Edge Beta version 77 or later - - 3 = Microsoft Edge Dev version 77 or later - - 4 = Microsoft Edge Canary version 77 or later - -- If you disable or do not configure this policy, Microsoft Edge Stable channel is used. This is the default behavior. 
+1 = Microsoft Edge Stable +2 = Microsoft Edge Beta version 77 or later +3 = Microsoft Edge Dev version 77 or later +4 = Microsoft Edge Canary version 77 or later If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel are not installed, the following behaviors occur: - +- If you disable or don't configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior. - If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: - - 0 = Microsoft Edge version 45 or earlier - - 1 = Microsoft Edge Stable - - 2 = Microsoft Edge Beta version 77 or later - - 3 = Microsoft Edge Dev version 77 or later - - 4 = Microsoft Edge Canary version 77 or later +0 = Microsoft Edge version 45 or earlier +1 = Microsoft Edge Stable +2 = Microsoft Edge Beta version 77 or later +3 = Microsoft Edge Dev version 77 or later +4 = Microsoft Edge Canary version 77 or later -- If you disable or do not configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior. +*For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see . This update applies only to Windows 10 version 1709 and higher. + -> [!NOTE] -> For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see [https://go.microsoft.com/fwlink/?linkid=2102115](/deployedge/edge-ie-mode-faq). This update applies only to Windows 10 version 1709 and higher. 
+ + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure which channel of Microsoft Edge to use for opening redirected sites* -- GP name: *NeedEdgeBrowser* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NeedEdgeBrowser | +| Friendly Name | Configure which channel of Microsoft Edge to use for opening redirected sites | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| ADMX File Name | inetres.admx | + + + + +**Example**: - - ```xml @@ -2701,943 +2355,1312 @@ ADMX Info: ``` - -**InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses** + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## ConsistentMimeHandlingInternetExplorerProcesses - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses +``` + -
    - - - + + Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. -This policy setting determines, whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain, but the MIME sniff indicates that the file is really an executable file, then Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. +This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. -If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. +- If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. -If you disable this policy setting, Internet Explorer will not require consistent MIME data for all received files. +- If you disable this policy setting, Internet Explorer will not require consistent MIME data for all received files. -If you do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files. +- If you do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_5* -- GP path: *Windows Components/Internet Explorer/Security Features/Consistent Mime Handling* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DisableActiveXVersionListAutoDownload** +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IESF_PolicyExplorerProcesses_5 | +| Friendly Name | Internet Explorer Processes | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Consistent Mime Handling | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING | +| ADMX File Name | inetres.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableActiveXVersionListAutoDownload - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableActiveXVersionListAutoDownload +``` + -
    + + +This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList. XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. + +- If you enable this setting, IE stops downloading updated versions of VersionList. XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. + +- If you disable or don't configure this setting, IE continues to download updated versions of VersionList. XML. + +For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library. + - - -This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. + + + -> [!Caution] -> If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download, breaks the [out-of-date ActiveX control blocking feature](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. - -If you disable or do not configure this setting, IE continues to download updated versions of VersionList.XML. - - - - -ADMX Info: -- GP Friendly name: *Turn off automatic download of the ActiveX VersionList* -- GP name: *VersionListAutomaticDownloadDisable* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* - - - -Supported values: -- 0 - Enabled -- 1 - Disabled (Default) - - - - - - - - - -
    - - -**InternetExplorer/DisableAdobeFlash** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. - -If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings. - -If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box. - -Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. - - - - -ADMX Info: -- GP Friendly name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects* -- GP name: *DisableFlashInIE* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/DisableBypassOfSmartScreenWarnings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines whether the user can bypass warnings from Windows Defender SmartScreen. Windows Defender SmartScreen prevents the user from browsing to or downloading from sites that are known to host malicious content. Windows Defender SmartScreen also prevents the execution of files that are known to be malicious. - -If you enable this policy setting, Windows Defender SmartScreen warnings block the user. - -If you disable or do not configure this policy setting, the user can bypass Windows Defender SmartScreen warnings. - - - - -ADMX Info: -- GP Friendly name: *Prevent bypassing SmartScreen Filter warnings* -- GP name: *DisableSafetyFilterOverride* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines whether the user can bypass warnings from Windows Defender SmartScreen. Windows Defender SmartScreen warns the user about executable files that Internet Explorer users do not commonly download from the Internet. - -If you enable this policy setting, Windows Defender SmartScreen warnings block the user. - -If you disable or do not configure this policy setting, the user can bypass Windows Defender SmartScreen warnings. - - - - -ADMX Info: -- GP Friendly name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet* -- GP name: *DisableSafetyFilterOverrideForAppRepUnknown* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/DisableCompatView** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting controls the Compatibility View feature, which allows users to fix website display problems that they may encounter while browsing. - -If you enable this policy setting, the user cannot use the Compatibility View button or manage the Compatibility View sites list. - -If you disable or do not configure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list. - - - - -ADMX Info: -- GP Friendly name: *Turn off Compatibility View* -- GP name: *CompatView_DisableList* -- GP path: *Windows Components/Internet Explorer/Compatibility View* -- GP ADMX file name: *inetres.admx* - - - -Supported values: -- 0 - Disabled (Default) -- 1 - Enabled - - - - - - - - - -
    - - -**InternetExplorer/DisableConfiguringHistory** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Internet Files and History Settings dialog box, do the following: - -1. From the Menu bar, on the Tools menu, click Internet Options. -1. Click the General tab, and then click Settings under Browsing history. - -If you enable this policy setting, a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not delete browsing history. - -If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history. - - - - -ADMX Info: -- GP Friendly name: *Disable "Configuring History"* -- GP name: *RestrictHistory* -- GP path: *Windows Components/Internet Explorer/Delete Browsing History* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/DisableCrashDetection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | VersionListAutomaticDownloadDisable | +| Friendly Name | Turn off automatic download of the ActiveX VersionList | +| Location | User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Add-on Management | +| Registry Key Name | Software\Microsoft\Internet Explorer\VersionManager | +| Registry Value Name | DownloadVersionList | +| ADMX File Name | inetres.admx | + + + + + + + + + +## DisableBypassOfSmartScreenWarnings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableBypassOfSmartScreenWarnings +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableBypassOfSmartScreenWarnings +``` + + + + +This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. + +- If you enable this policy setting, SmartScreen Filter warnings block the user. + +- If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSafetyFilterOverride | +| Friendly Name | Prevent bypassing SmartScreen Filter warnings | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\PhishingFilter | +| Registry Value Name | PreventOverride | +| ADMX File Name | inetres.admx | + + + + + + + + + +## DisableBypassOfSmartScreenWarningsAboutUncommonFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles +``` + + + + +This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. + +- If you enable this policy setting, SmartScreen Filter warnings block the user. + +- If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSafetyFilterOverrideForAppRepUnknown | +| Friendly Name | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\PhishingFilter | +| Registry Value Name | PreventOverrideAppRepUnknown | +| ADMX File Name | inetres.admx | + + + + + + + + + +## DisableCompatView + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCompatView +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCompatView +``` + + + + +This policy setting controls the Compatibility View feature, which allows the user to fix website display problems that he or she may encounter while browsing. + +- If you enable this policy setting, the user cannot use the Compatibility View button or manage the Compatibility View sites list. + +- If you disable or do not configure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CompatView_DisableList | +| Friendly Name | Turn off Compatibility View | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Compatibility View | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\BrowserEmulation | +| Registry Value Name | DisableSiteListEditing | +| ADMX File Name | inetres.admx | + + + + + + + + + +## DisableConfiguringHistory + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableConfiguringHistory +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableConfiguringHistory +``` + + + + +This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Internet Files and History Settings dialog box, from the Menu bar, on the Tools menu, click Internet Options, click the General tab, and then click Settings under Browsing history. + +- If you enable this policy setting, a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not delete browsing history. + +- If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RestrictHistory | +| Friendly Name | Disable "Configuring History" | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Delete Browsing History | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Control Panel | +| Registry Value Name | History | +| ADMX File Name | inetres.admx | + + + + + + + + + +## DisableCrashDetection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCrashDetection +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCrashDetection +``` + + + + This policy setting allows you to manage the crash detection feature of add-on Management. -If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. +- If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. -If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional. +- If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Crash Detection* -- GP name: *AddonManagement_RestrictCrashDetection* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AddonManagement_RestrictCrashDetection | +| Friendly Name | Turn off Crash Detection | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Restrictions | +| Registry Value Name | NoCrashDetection | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableCustomerExperienceImprovementProgramParticipation -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation +``` + + + + This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP). -If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. +- If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. -If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. +- If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. -If you do not configure this policy setting, the user can choose to participate in the CEIP. +- If you do not configure this policy setting, the user can choose to participate in the CEIP. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent participation in the Customer Experience Improvement Program* -- GP name: *SQM_DisableCEIP* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DisableDeletingUserVisitedWebsites** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SQM_DisableCEIP | +| Friendly Name | Prevent participation in the Customer Experience Improvement Program | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\SQM | +| Registry Value Name | DisableCustomerImprovementProgram | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableDeletingUserVisitedWebsites -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableDeletingUserVisitedWebsites +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableDeletingUserVisitedWebsites +``` + + + + This policy setting prevents the user from deleting the history of websites that he or she has visited. This feature is available in the Delete Browsing History dialog box. -If you enable this policy setting, websites that the user has visited are preserved when he or she clicks Delete. +- If you enable this policy setting, websites that the user has visited are preserved when he or she clicks Delete. -If you disable this policy setting, websites that the user has visited are deleted when he or she clicks Delete. +- If you disable this policy setting, websites that the user has visited are deleted when he or she clicks Delete. -If you do not configure this policy setting, the user can choose whether to delete or preserve visited websites when he or she clicks Delete. +- If you do not configure this policy setting, the user can choose whether to delete or preserve visited websites when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent deleting websites that the user has visited* -- GP name: *DBHDisableDeleteHistory* -- GP path: *Windows Components/Internet Explorer/Delete Browsing History* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DisableEnclosureDownloading** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DBHDisableDeleteHistory | +| Friendly Name | Prevent deleting websites that the user has visited | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Delete Browsing History | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Privacy | +| Registry Value Name | CleanHistory | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableEnclosureDownloading -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableEnclosureDownloading +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableEnclosureDownloading +``` + + + + This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. -If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. +- If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. -If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. +- If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent downloading of enclosures* -- GP name: *Disable_Downloading_of_Enclosures* -- GP path: *Windows Components/RSS Feeds* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DisableEncryptionSupport** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Disable_Downloading_of_Enclosures | +| Friendly Name | Prevent downloading of enclosures | +| Location | Computer and User Configuration | +| Path | Windows Components > RSS Feeds | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Feeds | +| Registry Value Name | DisableEnclosureDownload | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableEncryptionSupport -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableEncryptionSupport +``` - - -This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableEncryptionSupport +``` + -If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list. + + +This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other's list of supported protocols and versions, and they select the most preferred match. -If you disable or do not configure this policy setting, the user can select which encryption method the browser supports. +- If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list. + +- If you disable or do not configure this policy setting, the user can select which encryption method the browser supports. 
> [!NOTE] > SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off encryption support* -- GP name: *Advanced_SetWinInetProtocols* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DisableFeedsBackgroundSync** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_SetWinInetProtocols | +| Friendly Name | Turn off encryption support | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableFeedsBackgroundSync -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFeedsBackgroundSync +``` - - -This policy setting allows you to choose whether or not to have background synchronization for feeds and Web Slices. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFeedsBackgroundSync +``` + -If you enable this policy setting, the ability to synchronize feeds and Web Slices in the background is turned off. + + +This policy setting controls whether to have background synchronization for feeds and Web Slices. -If you disable or do not configure this policy setting, the user can synchronize feeds and Web Slices in the background. +- If you enable this policy setting, the ability to synchronize feeds and Web Slices in the background is turned off. - +- If you disable or do not configure this policy setting, the user can synchronize feeds and Web Slices in the background. + - -ADMX Info: -- GP Friendly name: *Turn off background synchronization for feeds and Web Slices* -- GP name: *Disable_Background_Syncing* -- GP path: *Windows Components/RSS Feeds* -- GP ADMX file name: *inetres.admx* + + + - - -Supported values: -- 0 - Enabled (Default) -- 1 - Disabled - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**InternetExplorer/DisableFirstRunWizard** +| Name | Value | +|:--|:--| +| Name | Disable_Background_Syncing | +| Friendly Name | Turn off background synchronization for feeds and Web Slices | +| Location | Computer and User Configuration | +| Path | Windows Components > RSS Feeds | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Feeds | +| Registry Value Name | BackgroundSyncStatus | +| ADMX File Name | inetres.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableFirstRunWizard - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * User -> * Device + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFirstRunWizard +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFirstRunWizard +``` + - - -This policy setting prevents Internet Explorer from running the First Run wizard, the first time a user starts the browser after installing Internet Explorer or Windows. + + +This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. -If you enable this policy setting, you must make one of the following choices: -- Skip the First Run wizard, and go directly to the user's home page. -- Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. +- If you enable this policy setting, you must make one of the following choices: +- Skip the First Run wizard, and go directly to the user's home page. +- Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen. -If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard, the first time the browser is started after installation. +- If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent running First Run wizard* -- GP name: *NoFirstRunCustomise* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DisableFlipAheadFeature** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoFirstRunCustomise | +| Friendly Name | Prevent running First Run wizard | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableFlipAheadFeature -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFlipAheadFeature +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFlipAheadFeature +``` + + + + This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop. -If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background. +- If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background. -If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background. +- If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background. -If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. +- If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off the flip ahead with page prediction feature* -- GP name: *Advanced_DisableFlipAhead* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DisableGeolocation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_DisableFlipAhead | +| Friendly Name | Turn off the flip ahead with page prediction feature | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\FlipAhead | +| Registry Value Name | Enabled | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableGeolocation -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableGeolocation +``` - - -This policy setting allows you to disable browser geolocation support. This prevents websites from requesting location data about the user. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableGeolocation +``` + -If you enable this policy setting, browser geolocation support is turned off. + + +This policy setting allows you to disable browser geolocation support. This will prevent websites from requesting location data about the user. -If you disable this policy setting, browser geolocation support is turned on. +- If you enable this policy setting, browser geolocation support is turned off. -If you do not configure this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab. +- If you disable this policy setting, browser geolocation support is turned on. - +- If you do not configure this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab. + - -ADMX Info: -- GP Friendly name: *Turn off browser geolocation* -- GP name: *GeolocationDisable* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + + + - - -Supported values: -- 0 - Disabled (Default) -- 1 - Enabled - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**InternetExplorer/DisableHomePageChange** +| Name | Value | +|:--|:--| +| Name | GeolocationDisable | +| Friendly Name | Turn off browser geolocation | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Geolocation | +| Registry Value Name | PolicyDisableGeolocation | +| ADMX File Name | inetres.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableHomePageChange - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHomePageChange +``` + -
    - - - + + The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. -If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. +- If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. -If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. +- If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. + - + + + - -ADMX Info: -- GP Friendly name: *Disable changing home page settings* -- GP name: *RestrictHomePage* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/DisableInternetExplorerApp** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | RestrictHomePage | +| Friendly Name | Disable changing home page settings | +| Location | User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Control Panel | +| Registry Value Name | HomePage | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## DisableHTMLApplication -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.1060] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.3460] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.2060] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1030] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHTMLApplication +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHTMLApplication +``` + + + + +This policy setting specifies if running the HTML Application (HTA file) is blocked or allowed. + +- If you enable this policy setting, running the HTML Application (HTA file) will be blocked. + +- If you disable or do not configure this policy setting, running the HTML Application (HTA file) is allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableHTMLApplication | +| Friendly Name | Disable HTML Application | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Hta | +| Registry Value Name | DisableHTMLApplication | +| ADMX File Name | inetres.admx | + + + + + + + + + +## DisableIgnoringCertificateErrors + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableIgnoringCertificateErrors +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableIgnoringCertificateErrors +``` + + + + +This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. + +- If you enable this policy setting, the user cannot continue browsing. + +- If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoCertError | +| Friendly Name | Prevent ignoring certificate errors | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| Registry Value Name | PreventIgnoreCertErrors | +| ADMX File Name | inetres.admx | + + + + + + + + + +## DisableInPrivateBrowsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInPrivateBrowsing +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInPrivateBrowsing +``` + + + + +This policy setting allows you to turn off the InPrivate Browsing feature. + +InPrivate Browsing prevents Internet Explorer from storing data about a user's browsing session. This includes cookies, temporary Internet files, history, and other data. + +- If you enable this policy setting, InPrivate Browsing is turned off. + +- If you disable this policy setting, InPrivate Browsing is available for use. + +- If you do not configure this policy setting, InPrivate Browsing can be turned on or off through the registry. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableInPrivateBrowsing | +| Friendly Name | Turn off InPrivate Browsing | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Privacy | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Privacy | +| Registry Value Name | EnableInPrivateBrowsing | +| ADMX File Name | inetres.admx | + + + + + + + + + +## DisableInternetExplorerApp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp +``` + + + + This policy lets you restrict launching of Internet Explorer as a standalone browser. -If you enable this policy, it: +- If you enable this policy, it - Prevents Internet Explorer 11 from launching as a standalone browser. - Restricts Internet Explorer's usage to Microsoft Edge's native 'Internet Explorer mode'. - Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser. - Overrides any other policies that redirect to Internet Explorer 11. -If you disable, or do not configure this policy, all sites are opened using the current active browser settings. +If you disable, or don't configure this policy, all sites are opened using the current active browser settings > [!NOTE] > Microsoft Edge Stable Channel must be installed for this policy to take effect. + - + + + - -ADMX Info: -- GP Friendly name: *Disable Internet Explorer 11 as a standalone browser* -- GP name: *DisableInternetExplorerApp* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableInternetExplorerApp | +| Friendly Name | Disable Internet Explorer 11 as a standalone browser | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| ADMX File Name | inetres.admx | + + + + +**Example**: - - ```xml @@ -3659,548 +3682,555 @@ ADMX Info: ``` - -**InternetExplorer/DisableIgnoringCertificateErrors** + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DisableProcessesInEnhancedProtectedMode - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableProcessesInEnhancedProtectedMode +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableProcessesInEnhancedProtectedMode +``` + -
    - - - -This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. - -If you enable this policy setting, the user cannot continue browsing. - -If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing. - - - - -ADMX Info: -- GP Friendly name: *Prevent ignoring certificate errors* -- GP name: *NoCertError* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/DisableInPrivateBrowsing** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to turn off the InPrivate Browsing feature. - -InPrivate Browsing prevents Internet Explorer from storing data about a user's browsing session. This includes cookies, temporary Internet files, history, and other data. - -If you enable this policy setting, InPrivate Browsing is turned off. - -If you disable this policy setting, InPrivate Browsing is available for use. - -If you do not configure this policy setting, InPrivate Browsing can be turned on or off through the registry. - - - - -ADMX Info: -- GP Friendly name: *Turn off InPrivate Browsing* -- GP name: *DisableInPrivateBrowsing* -- GP path: *Windows Components/Internet Explorer/Privacy* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/DisableProcessesInEnhancedProtectedMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility), when running in Enhanced Protected Mode on 64-bit versions of Windows. + + +This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. > [!IMPORTANT] > Some ActiveX controls and toolbars may not be available when 64-bit processes are used. -If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows. +- If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. -If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows. +- If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. -If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default. +- If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows* -- GP name: *Advanced_EnableEnhancedProtectedMode64Bit* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DisableProxyChange** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_EnableEnhancedProtectedMode64Bit | +| Friendly Name | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| Registry Value Name | Isolation64Bit | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableProxyChange -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableProxyChange +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableProxyChange +``` + + + + This policy setting specifies if a user can change proxy settings. -If you enable this policy setting, the user will not be able to configure proxy settings. +- If you enable this policy setting, the user will not be able to configure proxy settings. -If you disable or do not configure this policy setting, the user can configure proxy settings. +- If you disable or do not configure this policy setting, the user can configure proxy settings. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing proxy settings* -- GP name: *RestrictProxy* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DisableSearchProviderChange** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RestrictProxy | +| Friendly Name | Prevent changing proxy settings | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Control Panel | +| Registry Value Name | Proxy | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableSearchProviderChange -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSearchProviderChange +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSearchProviderChange +``` + + + + This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box. -If you enable this policy setting, the user cannot change the default search provider. +- If you enable this policy setting, the user cannot change the default search provider. -If you disable or do not configure this policy setting, the user can change the default search provider. +- If you disable or do not configure this policy setting, the user can change the default search provider. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing the default search provider* -- GP name: *NoSearchProvider* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DisableSecondaryHomePageChange** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoSearchProvider | +| Friendly Name | Prevent changing the default search provider | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions | +| Registry Value Name | NoChangeDefaultSearchProvider | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableSecondaryHomePageChange -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecondaryHomePageChange +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecondaryHomePageChange +``` + + + + Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages. -If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages. +- If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages. -If you disable or do not configure this policy setting, the user can add secondary home pages. +- If you disable or do not configure this policy setting, the user can add secondary home pages. > [!NOTE] -> If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. +> If the "Disable Changing Home Page Settings" policy is enabled, the user cannot add secondary home pages. + - + + + - -ADMX Info: -- GP Friendly name: *Disable changing secondary home page settings* -- GP name: *SecondaryHomePages* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DisableSecuritySettingsCheck** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SecondaryHomePages | +| Friendly Name | Disable changing secondary home page settings | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\SecondaryStartPages | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableSecuritySettingsCheck -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecuritySettingsCheck +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecuritySettingsCheck +``` + + + + This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. -If you enable this policy setting, the feature is turned off. +- If you enable this policy setting, the feature is turned off. -If you disable or do not configure this policy setting, the feature is turned on. +- If you disable or do not configure this policy setting, the feature is turned on. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off the Security Settings Check feature* -- GP name: *Disable_Security_Settings_Check* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DisableUpdateCheck** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Disable_Security_Settings_Check | +| Friendly Name | Turn off the Security Settings Check feature | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Security | +| Registry Value Name | DisableSecuritySettingsCheck | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableUpdateCheck -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableUpdateCheck +``` + - - + + Prevents Internet Explorer from checking whether a new version of the browser is available. -If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifies users if a new version is available. +- If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available. -If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available. +- If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available. This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. + - + + + - -ADMX Info: -- GP Friendly name: *Disable Periodic Check for Internet Explorer software updates* -- GP name: *NoUpdateCheck* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DisableWebAddressAutoComplete** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoUpdateCheck | +| Friendly Name | Disable Periodic Check for Internet Explorer software updates | +| Location | Computer Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions | +| Registry Value Name | NoUpdateCheck | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableWebAddressAutoComplete -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableWebAddressAutoComplete +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableWebAddressAutoComplete +``` + + + + This AutoComplete feature suggests possible matches when users are entering Web addresses in the browser address bar. -If you enable this policy setting, users are not suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. +- If you enable this policy setting, user will not be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. -If you disable this policy setting, users are suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. +- If you disable this policy setting, user will be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. -If you do not configure this policy setting, users can choose to turn the auto-complete setting for web-addresses on or off. +- If you do not configure this policy setting, a user will have the freedom to choose to turn the auto-complete setting for web-addresses on or off. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off the auto-complete feature for web addresses* -- GP name: *RestrictWebAddressSuggest* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - -Supported values: -- yes - Disabled (Default) -- no - Enabled - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | RestrictWebAddressSuggest | +| Friendly Name | Turn off the auto-complete feature for web addresses | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete | +| Registry Value Name | AutoSuggest | +| ADMX File Name | inetres.admx | + - -**InternetExplorer/DoNotAllowActiveXControlsInProtectedMode** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DoNotAllowActiveXControlsInProtectedMode - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotAllowActiveXControlsInProtectedMode +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotAllowActiveXControlsInProtectedMode +``` + -
    - - - + + This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website. -If you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced Protected Mode. +- If you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced Protected Mode. -If you disable or do not configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior. +- If you disable or do not configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled* -- GP name: *Advanced_DisableEPMCompat* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DoNotAllowUsersToAddSites** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_DisableEPMCompat | +| Friendly Name | Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| Registry Value Name | DisableEPMCompat | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotAllowUsersToAddSites -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotAllowUsersToAddSites +``` + - - + + Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. -If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.) +- If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.) -If you disable this policy or do not configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone. +- If you disable this policy or do not configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone. This policy prevents users from changing site management settings for security zones established by the administrator. 
@@ -4208,53 +4238,66 @@ This policy prevents users from changing site management settings for security z > The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Security zones: Use only machine settings" policy. + - + + + - -ADMX Info: -- GP Friendly name: *Security Zones: Do not allow users to add/delete sites* -- GP name: *Security_zones_map_edit* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DoNotAllowUsersToChangePolicies** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Security_zones_map_edit | +| Friendly Name | Security Zones: Do not allow users to add/delete sites | +| Location | Computer Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| Registry Value Name | Security_zones_map_edit | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotAllowUsersToChangePolicies -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotAllowUsersToChangePolicies +``` + - - + + Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. -If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. +- If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. -If you disable this policy or do not configure it, users can change the settings for security zones. +- If you disable this policy or do not configure it, users can change the settings for security zones. This policy prevents users from changing security zone settings established by the administrator. @@ -4262,1263 +4305,1572 @@ This policy prevents users from changing security zone settings established by t > The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Security zones: Use only machine settings" policy. + - + + + - -ADMX Info: -- GP Friendly name: *Security Zones: Do not allow users to change policies* -- GP name: *Security_options_edit* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DoNotBlockOutdatedActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Security_options_edit | +| Friendly Name | Security Zones: Do not allow users to change policies | +| Location | Computer Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| Registry Value Name | Security_options_edit | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotBlockOutdatedActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotBlockOutdatedActiveXControls +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotBlockOutdatedActiveXControls +``` + + + + This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. -If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls. +- If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls. -If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls. +- If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* -- GP name: *VerMgmtDisable* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | VerMgmtDisable | +| Friendly Name | Turn off blocking of outdated ActiveX controls for Internet Explorer | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Add-on Management | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Ext | +| Registry Value Name | VersionCheckEnabled | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotBlockOutdatedActiveXControlsOnSpecificDomains -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains +``` + + + + This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. -If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: +- If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: -1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com". -2. "hostname". For example, if you want to include http://example, use "example". -3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm". +1. "domain.name. TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" +2. "hostname". For example, if you want to include https://example, use "example" -If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. +3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm" + +- If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains* -- GP name: *VerMgmtDomainAllowlist* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/EnableExtendedIEModeHotkeys** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | VerMgmtDomainAllowlist | +| Friendly Name | Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Add-on Management | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Ext | +| Registry Value Name | ListBox_DomainAllowlist | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableExtendedIEModeHotkeys -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.143] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1474] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/EnableExtendedIEModeHotkeys +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/EnableExtendedIEModeHotkeys +``` + + + + This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys, such as "Ctrl+S" to have "Save as" functionality. - If you enable this policy, extended hotkey functionality is enabled in Internet Explorer mode and work the same as Internet Explorer. -- If you disable, or don't configure this policy, extended hotkeys will not work in Internet Explorer mode. +If you disable, or don't configure this policy, extended hotkeys will not work in Internet Explorer mode. - - -The following list shows the supported values: +For more information, see + -- 0 (default) - Disabled -- 1 - Enabled + + + - - -ADMX Info: -- GP Friendly name: *Enable extended hot keys in Internet Explorer mode* -- GP name: *EnableExtendedIEModeHotkeys* -- GP path: *Windows Components/Internet Explorer/Main* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/EnableGlobalWindowListInIEMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableExtendedIEModeHotkeys | +| Friendly Name | Enable extended hot keys in Internet Explorer mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| Registry Value Name | EnableExtendedIEModeHotkeys | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableGlobalWindowListInIEMode -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.558] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1566] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.527] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/EnableGlobalWindowListInIEMode +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/EnableGlobalWindowListInIEMode +``` + + + + This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. - If you enable this policy, Internet Explorer mode will use the global window list. -- If you disable or don’t configure this policy, Internet Explorer mode will continue to maintain a separate window list. +- If you disable or don't configure this policy, Internet Explorer mode will continue to maintain a separate window list. + +To learn more about Internet Explorer mode, see +To learn more about disabling Internet Explorer 11 as a standalone browser, see + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableGlobalWindowListInIEMode | +| Friendly Name | Enable global window list in Internet Explorer mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| Registry Value Name | EnableGlobalWindowListInIEMode | +| ADMX File Name | inetres.admx | + + + + + + + - - -The following list shows the supported values: + +## IncludeAllLocalSites -- 0 (default) - Disabled -- 1 - Enabled + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -ADMX Info: -- GP Friendly name: *Enable global window list in Internet Explorer mode* -- GP name: *EnableGlobalWindowListInIEMode* -- GP path: *Windows Components/Internet Explorer/Main* -- GP ADMX file name: *inetres.admx* + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IncludeAllLocalSites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IncludeAllLocalSites +``` + + + + +This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone. + +- If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone. + +- If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone). + +- If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_IncludeUnspecifiedLocalSites | +| Friendly Name | Intranet Sites: Include all local (intranet) sites not listed in other zones | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | +| Registry Value Name | IntranetName | +| ADMX File Name | inetres.admx | + + + + + + + + + +## IncludeAllNetworkPaths + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IncludeAllNetworkPaths +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IncludeAllNetworkPaths +``` + + + + +This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. + +- If you enable this policy setting, all network paths are mapped into the Intranet Zone. + +- If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there). + +- If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. + + + + + - - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_UNCAsIntranet | +| Friendly Name | Intranet Sites: Include all network paths (UNCs) | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | +| Registry Value Name | UNCAsIntranet | +| ADMX File Name | inetres.admx | + + + + + + + + + +## InternetZoneAllowAccessToDataSources + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAccessToDataSources +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAccessToDataSources +``` + + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +- If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + - -**InternetExplorer/HideInternetExplorer11RetirementNotification** + + + - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_1 | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + + + + + + + +## InternetZoneAllowAutomaticPromptingForActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +- If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction_1 | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -
    + + + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowAutomaticPromptingForFileDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +- If you enable this setting, users will receive a file download dialog for automatic download attempts. + +- If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + - - -This policy setting allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11. + + + -- If you enable this policy setting, the notification bar will not be displayed in Internet Explorer 11. + +**Description framework properties**: -- If you disable, or do not configure, this policy setting, the notification bar will be displayed in Internet Explorer 11. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction_1 | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - - -The following list shows the supported values: + + + -- 0 (default) - Disabled -- 1 - Enabled + + + +## InternetZoneAllowCopyPasteViaScript + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowCopyPasteViaScript +``` - - -ADMX Info: -- GP Friendly name: *Hide Internet Explorer 11 retirement notification* -- GP name: *DisableIEAppDeprecationNotification* -- GP path: *Windows Components/Internet Explorer/Main* -- GP ADMX file name: *inetres.admx* +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowCopyPasteViaScript +``` + - - + + +This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. + +- If you enable this policy setting, a script can perform a clipboard operation. + +If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. + +- If you disable this policy setting, a script cannot perform a clipboard operation. + +- If you do not configure this policy setting, a script can perform a clipboard operation. + -
    - -**InternetExplorer/IncludeAllLocalSites** + + + - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAllowPasteViaScript_1 | +| Friendly Name | Allow cut, copy or paste operations from the clipboard via script | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## InternetZoneAllowDragAndDropCopyAndPasteFiles -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -This policy setting controls, whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles +``` -If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles +``` + + + + +This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. + +- If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. -If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered in the Intranet Zone (so would typically be in the Internet Zone). +- If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. -If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. +- If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Intranet Sites: Include all local (intranet) sites not listed in other zones* -- GP name: *IZ_IncludeUnspecifiedLocalSites* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDropOrPasteFiles_1 | +| Friendly Name | Allow drag and drop or copy and paste files | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -
    + + + + + - -**InternetExplorer/IncludeAllNetworkPaths** + +## InternetZoneAllowFontDownloads - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowFontDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +- If you disable this policy setting, HTML fonts are prevented from downloading. + +- If you do not configure this policy setting, HTML fonts can be downloaded automatically. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting controls, whether URLs representing UNCs are mapped into the local Intranet security zone. - -If you enable this policy setting, all network paths are mapped into the Intranet Zone. - -If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there). - -If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. - - - - -ADMX Info: -- GP Friendly name: *Intranet Sites: Include all network paths (UNCs)* -- GP name: *IZ_UNCAsIntranet* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/InternetZoneAllowAccessToDataSources** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/InternetZoneAllowCopyPasteViaScript** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. - -If you enable this policy setting, a script can perform a clipboard operation. - -If you select Prompt in the drop-down box, users are queried, whether to perform clipboard operations. - -If you disable this policy setting, a script cannot perform a clipboard operation. - -If you do not configure this policy setting, a script can perform a clipboard operation. - - - - -ADMX Info: -- GP Friendly name: *Allow cut, copy or paste operations from the clipboard via script* -- GP name: *IZ_PolicyAllowPasteViaScript_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether users can drag files or copy and paste files from a source within the zone. - -If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. - -If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. - -If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically. - - - - -ADMX Info: -- GP Friendly name: *Allow drag and drop or copy and paste files* -- GP name: *IZ_PolicyDropOrPasteFiles_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/InternetZoneAllowFontDownloads** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/InternetZoneAllowLessPrivilegedSites** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. - - - - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload_1 | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## InternetZoneAllowLessPrivilegedSites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowLessPrivilegedSites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. + +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +- If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction_1 | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## InternetZoneAllowLoadingOfXAMLFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles +``` + + + + This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. -If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. +- If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. -If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. +- If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. -If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. +- If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Allow loading of XAML files* -- GP name: *IZ_Policy_XAML_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_XAML_1 | +| Friendly Name | Allow loading of XAML files | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowNETFrameworkReliantComponents -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents +``` - - -This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents +``` + -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. + + +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - +- If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. 
+ - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_1 | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -This policy setting controls, whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls +``` -If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls +``` + -If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. + + +This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. - +- If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites. - -ADMX Info: -- GP Friendly name: *Allow only approved domains to use ActiveX controls without prompt* -- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* +- If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. + - - + + + -
    + +**Description framework properties**: - -**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet | +| Friendly Name | Allow only approved domains to use ActiveX controls without prompt | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    + +## InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - -This policy setting controls, whether or not the user is allowed to run the TDC ActiveX control on websites. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +``` -If you disable this policy setting, the TDC Active X control will run from all sites in this zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +``` + - + + +This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites. - -ADMX Info: -- GP Friendly name: *Allow only approved domains to use the TDC ActiveX control* -- GP name: *IZ_PolicyAllowTDCControl_Both_Internet* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* +- If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone. - - +- If you disable this policy setting, the TDC Active X control will run from all sites in this zone. + -
    + + + - -**InternetExplorer/InternetZoneAllowScriptInitiatedWindows** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAllowTDCControl_Both_Internet | +| Friendly Name | Allow only approved domains to use the TDC ActiveX control | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -> [!div class = "checklist"] -> * User -> * Device + + + -
    + - - + +## InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls +``` + + + + +This policy setting determines whether a page can control embedded WebBrowser controls via script. + +- If you enable this policy setting, script access to the WebBrowser control is allowed. + +- If you disable this policy setting, script access to the WebBrowser control is not allowed. + +- If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_Policy_WebBrowserControl_1 | +| Friendly Name | Allow scripting of Internet Explorer WebBrowser controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## InternetZoneAllowScriptInitiatedWindows + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptInitiatedWindows +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptInitiatedWindows +``` + + + + This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. -If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. +- If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. -If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. +- If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. -If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. 
+- If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. + - + + + - -ADMX Info: -- GP Friendly name: *Allow script-initiated windows without size or position constraints* -- GP name: *IZ_PolicyWindowsRestrictionsURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyWindowsRestrictionsURLaction_1 | +| Friendly Name | Allow script-initiated windows without size or position constraints | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowScriptlets -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptlets +``` - - -This policy setting determines, whether a page can control embedded WebBrowser controls via script. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptlets +``` + -If you enable this policy setting, script access to the WebBrowser control is allowed. + + +This policy setting allows you to manage whether the user can run scriptlets. -If you disable this policy setting, script access to the WebBrowser control is not allowed. +- If you enable this policy setting, the user can run scriptlets. -If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. +- If you disable this policy setting, the user cannot run scriptlets. - +- If you do not configure this policy setting, the user can enable or disable scriptlets. + - -ADMX Info: -- GP Friendly name: *Allow scripting of Internet Explorer WebBrowser controls* -- GP name: *IZ_Policy_WebBrowserControl_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/InternetZoneAllowScriptlets** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets_1 | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## InternetZoneAllowSmartScreenIE -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -This policy setting allows you to manage, whether the user can run scriptlets. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowSmartScreenIE +``` -If you enable this policy setting, the user can run scriptlets. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowSmartScreenIE +``` + -If you disable this policy setting, the user cannot run scriptlets. + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you do not configure this policy setting, the user can enable or disable scriptlets. +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/InternetZoneAllowSmartScreenIE** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. - -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. - -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. > [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing_1 | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowUpdatesToStatusBarViaScript -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript +``` - - -This policy setting allows you to manage, whether script is allowed to update the status bar within the zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript +``` + -If you enable this policy setting, script is allowed to update the status bar. + + +This policy setting allows you to manage whether script is allowed to update the status bar within the zone. -If you disable or do not configure this policy setting, script is not allowed to update the status bar. +- If you enable this policy setting, script is allowed to update the status bar. - +- If you disable or do not configure this policy setting, script is not allowed to update the status bar. + - -ADMX Info: -- GP Friendly name: *Allow updates to status bar via script* -- GP name: *IZ_Policy_ScriptStatusBar_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/InternetZoneAllowUserDataPersistence** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_Policy_ScriptStatusBar_1 | +| Friendly Name | Allow updates to status bar via script | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## InternetZoneAllowUserDataPersistence -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowUserDataPersistence +``` -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowUserDataPersistence +``` + -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. 
- -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* +- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + - - + + + -
    + +**Description framework properties**: - -**InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence_1 | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    + +## InternetZoneAllowVBScriptToRunInInternetExplorer - - -This policy setting allows you to manage, whether VBScript can be run on pages from the specified zone in Internet Explorer. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer +``` + + + + +This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. If you selected Enable in the drop-down box, VBScript can run without user intervention. @@ -5527,1626 +5879,2157 @@ If you selected Prompt in the drop-down box, users are asked to choose whether t If you selected Disable in the drop-down box, VBScript is prevented from running. If you do not configure or disable this policy setting, VBScript is prevented from running. + - + + + - -ADMX Info: -- GP Friendly name: *Allow VBScript to run in Internet Explorer* -- GP name: *IZ_PolicyAllowVBScript_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAllowVBScript_1 | +| Friendly Name | Allow VBScript to run in Internet Explorer | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneDoNotRunAntimalwareAgainstActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls +``` + + + + This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. +- If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. +- If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +- If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Don't run antimalware programs against ActiveX controls* -- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/InternetZoneDownloadSignedActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 | +| Friendly Name | Don't run antimalware programs against ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneDownloadSignedActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDownloadSignedActiveXControls +``` - - -This policy setting allows you to manage, whether users may download signed ActiveX controls from a page in the zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDownloadSignedActiveXControls +``` + -If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. + + +This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. -If you disable the policy setting, signed controls cannot be downloaded. +- If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. -If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. +- If you disable the policy setting, signed controls cannot be downloaded. - +- If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. + - -ADMX Info: -- GP Friendly name: *Download signed ActiveX controls* -- GP name: *IZ_PolicyDownloadSignedActiveX_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/InternetZoneDownloadUnsignedActiveXControls** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDownloadSignedActiveX_1 | +| Friendly Name | Download signed ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## InternetZoneDownloadUnsignedActiveXControls -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -This policy setting allows you to manage, whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDownloadUnsignedActiveXControls +``` -If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDownloadUnsignedActiveXControls +``` + -If you disable this policy setting, users cannot run unsigned controls. + + +This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. -If you do not configure this policy setting, users cannot run unsigned controls. +- If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. - +- If you disable this policy setting, users cannot run unsigned controls. - -ADMX Info: -- GP Friendly name: *Download unsigned ActiveX controls* -- GP name: *IZ_PolicyDownloadUnsignedActiveX_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* +- If you do not configure this policy setting, users cannot run unsigned controls. + - - + + + -
    + +**Description framework properties**: - -**InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDownloadUnsignedActiveX_1 | +| Friendly Name | Download unsigned ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    + +## InternetZoneEnableCrossSiteScriptingFilter - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter +``` + + + + This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. -If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections. +- If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections. -If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. +- If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on Cross-Site Scripting Filter* -- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Internet* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyTurnOnXSSFilter_Both_Internet | +| Friendly Name | Turn on Cross-Site Scripting Filter | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +``` - - -This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in different windows. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +``` + -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting. + + +This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when both the source and destination are in different windows. Users cannot change this setting. +- If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. -In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. +- If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting. -In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting. 
+In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. - +In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. + - -ADMX Info: -- GP Friendly name: *Enable dragging of content from different domains across windows* -- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet | +| Friendly Name | Enable dragging of content from different domains across windows | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in the same window. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +``` -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +``` + -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. + + +This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. -In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. +- If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting. -In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. 
+- If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. - +In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. - -ADMX Info: -- GP Friendly name: *Enable dragging of content from different domains within a window* -- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* +In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. + - - + + + -
    + +**Description framework properties**: - -**InternetExplorer/InternetZoneEnableMIMESniffing** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet | +| Friendly Name | Enable dragging of content from different domains within a window | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    + +## InternetZoneEnableMIMESniffing - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableMIMESniffing +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableMIMESniffing +``` + + + + This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature. -If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature. +- If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature. -If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. +- If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. -If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. +- If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. + - + + + - -ADMX Info: -- GP Friendly name: *Enable MIME Sniffing* -- GP name: *IZ_PolicyMimeSniffingURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/InternetZoneEnableProtectedMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyMimeSniffingURLaction_1 | +| Friendly Name | Enable MIME Sniffing | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneEnableProtectedMode -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableProtectedMode +``` - - -This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities, by reducing the locations that Internet Explorer can write to in the registry and the file system. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableProtectedMode +``` + -If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. + + +This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. -If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. +- If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. -If you do not configure this policy setting, the user can turn on or turn off Protected Mode. +- If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. - +- If you do not configure this policy setting, the user can turn on or turn off Protected Mode. + - -ADMX Info: -- GP Friendly name: *Turn on Protected Mode* -- GP name: *IZ_Policy_TurnOnProtectedMode_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_Policy_TurnOnProtectedMode_1 | +| Friendly Name | Turn on Protected Mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## InternetZoneIncludeLocalPathWhenUploadingFilesToServer -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -This policy setting controls whether or not local path information is sent, when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer +``` -If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer +``` + -If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. + + +This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. -If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. +- If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. - +- If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. 
- -ADMX Info: -- GP Friendly name: *Include local path when user is uploading files to a server* -- GP name: *IZ_Policy_LocalPathForUpload_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* +- If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. + - - + + + -
    + +**Description framework properties**: - -**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | IZ_Policy_LocalPathForUpload_1 | +| Friendly Name | Include local path when user is uploading files to a server | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    + +## InternetZoneInitializeAndScriptActiveXControls - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneInitializeAndScriptActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneInitializeAndScriptActiveXControls +``` + + + + This policy setting allows you to manage ActiveX controls not marked as safe. -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. 
+- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + - + + + - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe** +**ADMX mapping**: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_1 | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -
    + + + - + - - + +## InternetZoneJavaPermissions -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -**InternetExplorer/InternetZoneJavaPermissions** + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneJavaPermissions +``` - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneJavaPermissions +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + This policy setting allows you to manage permissions for Java applets. -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. -If you disable this policy setting, Java applets cannot run. +- If you disable this policy setting, Java applets cannot run. -If you do not configure this policy setting, the permission is set to High Safety. +- If you do not configure this policy setting, the permission is set to High Safety. + - + + + - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions_1 | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneLaunchingApplicationsAndFilesInIFRAME -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME +``` - - -This policy setting allows you to manage, whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME +``` + -If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone, without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. + + +This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. -If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. +- If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. -If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. +- If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. - +- If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. 
+ - -ADMX Info: -- GP Friendly name: *Launching applications and files in an IFRAME* -- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/InternetZoneLogonOptions** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyLaunchAppsAndFilesInIFRAME_1 | +| Friendly Name | Launching applications and files in an IFRAME | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## InternetZoneLogonOptions -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneLogonOptions +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneLogonOptions +``` + + + + This policy setting allows you to manage settings for logon options. -If you enable this policy setting, you can choose from the following logon options. +- If you enable this policy setting, you can choose from the following logon options. -Anonymous logon to disable HTTP authentication, and use the guest account only for the Common Internet File System (CIFS) protocol. +Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. -Automatic logon, only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session. +Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password. -If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. +- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. 
+ +- If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone. + -If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone. + + + - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyLogon_1 | +| Friendly Name | Logon options | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -ADMX Info: -- GP Friendly name: *Logon options* -- GP name: *IZ_PolicyLogon_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + + + - - + -
    + +## InternetZoneNavigateWindowsAndFrames - -**InternetExplorer/InternetZoneNavigateWindowsAndFrames** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneNavigateWindowsAndFrames +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneNavigateWindowsAndFrames +``` + - -
    + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +- If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains_1 | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -
    + + + + + - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. + +## InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode -If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +``` -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +``` + + + + +This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. + +- If you disable this policy setting, Internet Explorer will not execute signed managed components. + +- If you do not configure this policy setting, Internet Explorer will execute signed managed components. + -If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. + + + - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* +| Name | Value | +|:--|:--| +| Name | IZ_PolicySignedFrameworkComponentsURLaction_1 | +| Friendly Name | Run .NET Framework-reliant components signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - - + + + + + -
    + +## InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles - -**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles +``` - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles +``` + + + + +This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). + +- If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. + +- If you disable this policy setting, these files do not open. + +- If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | IZ_Policy_UnsafeFiles_1 | +| Friendly Name | Show security warning for potentially unsafe files | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -> [!div class = "checklist"] -> * User -> * Device + + + + + -
    + +## InternetZoneUsePopupBlocker - - -This policy setting allows you to manage, whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneUsePopupBlocker +``` -If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute signed managed components. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneUsePopupBlocker +``` + + + + +This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. + +- If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. + +- If you disable this policy setting, pop-up windows are not prevented from appearing. + +- If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. + -If you disable this policy setting, Internet Explorer will not execute signed managed components. + + + -If you do not configure this policy setting, Internet Explorer will execute signed managed components. + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyBlockPopupWindows_1 | +| Friendly Name | Use Pop-up Blocker | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components signed with Authenticode* -- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + + + + + - - + +## IntranetZoneAllowAccessToDataSources -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAccessToDataSources +``` - -**InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles** +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAccessToDataSources +``` + + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +- If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_3 | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + + + -> [!div class = "checklist"] -> * User -> * Device + +## IntranetZoneAllowAutomaticPromptingForActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +- If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction_3 | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -
    + + + + + + + +## IntranetZoneAllowAutomaticPromptingForFileDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +- If you enable this setting, users will receive a file download dialog for automatic download attempts. + +- If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. + + + + + - - -This policy setting controls, whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction_3 | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. + + + + + + + +## IntranetZoneAllowFontDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowFontDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +- If you disable this policy setting, HTML fonts are prevented from downloading. + +- If you do not configure this policy setting, HTML fonts can be downloaded automatically. + -If you disable this policy setting, these files do not open. + + + -If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload_3 | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + - + + + + + + + +## IntranetZoneAllowLessPrivilegedSites - -ADMX Info: -- GP Friendly name: *Show security warning for potentially unsafe files* -- GP name: *IZ_Policy_UnsafeFiles_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowLessPrivilegedSites +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. + +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +- If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. + -
    + + + - -**InternetExplorer/InternetZoneUsePopupBlocker** + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction_3 | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + - + + + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## IntranetZoneAllowNETFrameworkReliantComponents - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents +``` - -[Scope](./policy-configuration-service-provider.md#policy-scope): +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents +``` + + + + +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +- If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. + -> [!div class = "checklist"] -> * User -> * Device + + + -
    + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: - - -This policy setting allows you to manage, whether unwanted pop-up windows appear. Pop-up windows that are opened, when the end user clicks a link are not blocked. +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_3 | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. + + + + + -If you disable this policy setting, pop-up windows are not prevented from appearing. + +## IntranetZoneAllowScriptlets -If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowScriptlets +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowScriptlets +``` + - + + +This policy setting allows you to manage whether the user can run scriptlets. - -ADMX Info: -- GP Friendly name: *Use Pop-up Blocker* -- GP name: *IZ_PolicyBlockPopupWindows_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* +- If you enable this policy setting, the user can run scriptlets. - - +- If you disable this policy setting, the user cannot run scriptlets. -
    +- If you do not configure this policy setting, the user can enable or disable scriptlets. + - -**InternetExplorer/IntranetZoneAllowAccessToDataSources** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * User -> * Device +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets_3 | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -
    + + + - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +## IntranetZoneAllowSmartScreenIE -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowSmartScreenIE +``` -If you do not configure this policy setting, users are queried to choose, whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowSmartScreenIE +``` + - + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - - +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -
    - - -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - - - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - - - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/IntranetZoneAllowFontDownloads** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/IntranetZoneAllowLessPrivilegedSites** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. - - - - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag, and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - - - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/IntranetZoneAllowScriptlets** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/IntranetZoneAllowSmartScreenIE** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. - -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. - -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. > [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/IntranetZoneAllowUserDataPersistence** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing_3 | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetZoneAllowUserDataPersistence -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowUserDataPersistence +``` - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowUserDataPersistence +``` + -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - +- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. 
+ - -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence_3 | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## IntranetZoneDoNotRunAntimalwareAgainstActiveXControls -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls +``` -If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls +``` + -If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. + + +This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you don't configure this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +- If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. - +- If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. 
- -ADMX Info: -- GP Friendly name: *Don't run antimalware programs against ActiveX controls* -- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* +- If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. + - - + + + -
    + +**Description framework properties**: - -**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 | +| Friendly Name | Don't run antimalware programs against ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    + +## IntranetZoneInitializeAndScriptActiveXControls - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls +``` + + + + This policy setting allows you to manage ActiveX controls not marked as safe. -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. 
+- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + - + + + - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/IntranetZoneJavaPermissions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_3 | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetZoneJavaPermissions -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneJavaPermissions +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneJavaPermissions +``` + + + + This policy setting allows you to manage permissions for Java applets. -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. -If you disable this policy setting, Java applets cannot run. +- If you disable this policy setting, Java applets cannot run. -If you do not configure this policy setting, the permission is set to Medium Safety. +- If you do not configure this policy setting, the permission is set to Medium Safety. + - + + + - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/IntranetZoneNavigateWindowsAndFrames** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions_3 | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetZoneNavigateWindowsAndFrames -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneNavigateWindowsAndFrames +``` - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneNavigateWindowsAndFrames +``` + -If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. +- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. -If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. +- If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - +- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/KeepIntranetSitesInInternetExplorer** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains_3 | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## JScriptReplacement -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting prevents intranet sites from being opened in any browser except Internet Explorer. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/JScriptReplacement +``` -> [!NOTE] -> If the [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge](#internetexplorer-policies) policy is not enabled, then this policy has no effect. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/JScriptReplacement +``` + -If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List. -If you disable or do not configure this policy, all intranet sites are automatically opened in Microsoft Edge. + + +This policy setting specifies whether JScript or JScript9Legacy is loaded for MSHTML/WebOC/MSXML/Cscript based invocations. -We strongly recommend keeping this policy in sync with the [Browser/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy. Additionally, it is best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge. +- If you enable this policy setting, JScript9Legacy will be loaded in situations where JScript is instantiated. + +- If you disable this policy, then JScript will be utilized. + +If this policy is left unconfigured, then MSHTML will use JScript9Legacy and MSXML/Cscript will use JScript. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | JScriptReplacement | +| Friendly Name | Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC. | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| Registry Value Name | JScriptReplacement | +| ADMX File Name | inetres.admx | + + + + + + + + + +## KeepIntranetSitesInInternetExplorer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/KeepIntranetSitesInInternetExplorer +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/KeepIntranetSitesInInternetExplorer +``` + + + + +Prevents intranet sites from being opened in any browser except Internet Explorer. But note that If the 'Send all sites not included in the Enterprise Mode Site List to Microsoft Edge' ('RestrictIE') policy isn't enabled, this policy has no effect. + +- If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List. + +- If you disable or don't configure this policy, all intranet sites are automatically opened in Microsoft Edge. + +We strongly recommend keeping this policy in sync with the 'Send all intranet sites to Internet Explorer' ('SendIntranetToInternetExplorer') policy. Additionally, it's best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge. Related policies: -- [Browser/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) -- [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge](#internetexplorer-policies) +- Send all intranet sites to Internet Explorer ('SendIntranetToInternetExplorer') +- Send all sites not included in the Enterprise Mode Site List to Microsoft Edge ('RestrictIE') -For more information on how to use this policy together with other related policies to create the optimal configuration for your organization, see [https://go.microsoft.com/fwlink/?linkid=2094210.](/DeployEdge/edge-ie-mode-policies#configure-internet-explorer-integration) +For more info about how to use this policy together with other related policies to create the optimal configuration for your organization, see . 
+ - + + + - -ADMX Info: -- GP Friendly name: *Keep all Intranet Sites in Internet Explorer* -- GP name: *KeepIntranetSitesInInternetExplorer* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | KeepIntranetSitesInInternetExplorer | +| Friendly Name | Keep all intranet sites in Internet Explorer | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| Registry Value Name | KeepIntranetSitesInInternetExplorer | +| ADMX File Name | inetres.admx | + + + + +**Example**: - - ```xml @@ -7168,5348 +8051,6847 @@ ADMX Info: ``` - -**InternetExplorer/LocalMachineZoneAllowAccessToDataSources** + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## LocalMachineZoneAllowAccessToDataSources - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAccessToDataSources +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAccessToDataSources +``` + -
    + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. 
+ + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls** +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_9 | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## LocalMachineZoneAllowAutomaticPromptingForActiveXControls - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * User -> * Device + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +- If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction_9 | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + + + + + + + +## LocalMachineZoneAllowAutomaticPromptingForFileDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +- If you enable this setting, users will receive a file download dialog for automatic download attempts. + +- If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. + + + + + -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - - - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - - - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LocalMachineZoneAllowFontDownloads** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be in this zone, as set by Protection from Zone Elevation feature control. - - - - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LocalMachineZoneAllowScriptlets** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LocalMachineZoneAllowSmartScreenIE** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. - -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. - -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. - -> [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. - - - - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LocalMachineZoneAllowUserDataPersistence** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - - -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. - -If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. - -If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. - -If you don't configure this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. - - - - -ADMX Info: -- GP Friendly name: *Don't run antimalware programs against ActiveX controls* -- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. - - - - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LocalMachineZoneJavaPermissions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage permissions for Java applets. - -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. - -Low Safety enables applets to perform all operations. - -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. - -High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. - -If you disable this policy setting, Java applets cannot run. - -If you do not configure this policy setting, the permission is set to Medium Safety. - - - - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. - - - - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownInternetZoneAllowFontDownloads** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be in this zone, as set by Protection from Zone Elevation feature control. - - - - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage whether, .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownInternetZoneAllowScriptlets** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
-
-
-**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-
-If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
-
-If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-
-> [!NOTE]
-> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneJavaPermissions**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage permissions for Java applets.
-
-If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
-
-Low Safety enables applets to perform all operations.
-
-Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O.
-
-High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
-
-If you disable this policy setting, Java applets cannot run.
-
-If you do not configure this policy setting, Java applets are disabled.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Java permissions*
-- GP name: *IZ_PolicyJavaPermissions_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownIntranetJavaPermissions**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage permissions for Java applets.
-
-If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
-
-Low Safety enables applets to perform all operations.
-
-Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O.
-
-High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
-
-If you disable this policy setting, Java applets cannot run.
-
-If you do not configure this policy setting, Java applets are disabled.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Java permissions*
-- GP name: *IZ_PolicyJavaPermissions_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users are queried to choose, whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting manages, whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowScriptlets**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-
-If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
-
-If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-
-> [!NOTE]
-> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting manages, whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-
-If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
-
-If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-
-> [!NOTE]
-> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneJavaPermissions**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage permissions for Java applets.
-
-If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
-
-Low Safety enables applets to perform all operations.
-
-Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O.
-
-High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
-
-If you disable this policy setting, Java applets cannot run.
-
-If you do not configure this policy setting, Java applets are disabled.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Java permissions*
-- GP name: *IZ_PolicyJavaPermissions_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting manages, whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-
-If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
-
-If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-
-> [!NOTE]
-> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage permissions for Java applets.
-
-If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
-
-Low Safety enables applets to perform all operations.
-
-Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O.
-
-High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
-
-If you disable this policy setting, Java applets cannot run.
-
-If you do not configure this policy setting, Java applets are disabled.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Java permissions*
-- GP name: *IZ_PolicyJavaPermissions_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains.
-
-If you enable this policy setting, users can open additional windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.
-
-If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting manages, whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy setting allows you to manage, whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
    - - - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction_9 | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LocalMachineZoneAllowFontDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowFontDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +- If you disable this policy setting, HTML fonts are prevented from downloading. + +- If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload_9 | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LocalMachineZoneAllowLessPrivilegedSites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites +``` + + + + This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. +- If you do not configure this policy setting, the possibly harmful navigations are prevented. 
The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + - + + + - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction_9 | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalMachineZoneAllowNETFrameworkReliantComponents -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents +``` - - -This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents +``` + -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. + + +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - +- If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. 
+ - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_9 | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## LocalMachineZoneAllowScriptlets -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -This policy setting allows you to manage, whether the user can run scriptlets. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowScriptlets +``` -If you enable this policy setting, the user can run scriptlets. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowScriptlets +``` + -If you disable this policy setting, the user cannot run scriptlets. + + +This policy setting allows you to manage whether the user can run scriptlets. -If you do not configure this policy setting, the user can enable or disable scriptlets. +- If you enable this policy setting, the user can run scriptlets. - +- If you disable this policy setting, the user cannot run scriptlets. - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* +- If you do not configure this policy setting, the user can enable or disable scriptlets. + - - + + + -
    + +**Description framework properties**: - -**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets_9 | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    + +## LocalMachineZoneAllowSmartScreenIE - - -This policy setting controls whether, Windows Defender SmartScreen scans pages in this zone for malicious content. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowSmartScreenIE +``` -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowSmartScreenIE +``` + -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. > [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing_9 | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalMachineZoneAllowUserDataPersistence -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowUserDataPersistence +``` - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowUserDataPersistence +``` + -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - +- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. 
+ - -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence_9 | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls +``` + + + + +This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. + +- If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. + +- If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. + +- If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 | +| Friendly Name | Don't run antimalware programs against ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LocalMachineZoneInitializeAndScriptActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls +``` + + + + This policy setting allows you to manage ActiveX controls not marked as safe. -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. 
+- If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. + - + + + - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_9 | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalMachineZoneJavaPermissions -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneJavaPermissions +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneJavaPermissions +``` + + + + This policy setting allows you to manage permissions for Java applets. -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. -If you disable this policy setting, Java applets cannot run. +- If you disable this policy setting, Java applets cannot run. -If you do not configure this policy setting, Java applets are disabled. +- If you do not configure this policy setting, the permission is set to Medium Safety. + - + + + - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions_9 | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalMachineZoneNavigateWindowsAndFrames -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames +``` - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames +``` + -If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. +- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. -If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. +- If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - +- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains_9 | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## LockedDownInternetZoneAllowAccessToDataSources -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources +``` + + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +- If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_2 | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +- If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction_2 | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +- If you enable this setting, users will receive a file download dialog for automatic download attempts. + +- If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction_2 | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownInternetZoneAllowFontDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowFontDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +- If you disable this policy setting, HTML fonts are prevented from downloading. + +- If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload_2 | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownInternetZoneAllowLessPrivilegedSites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +- If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction_2 | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownInternetZoneAllowNETFrameworkReliantComponents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents +``` + + + + +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +- If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_2 | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownInternetZoneAllowScriptlets + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowScriptlets +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowScriptlets +``` + + + + +This policy setting allows you to manage whether the user can run scriptlets. + +- If you enable this policy setting, the user can run scriptlets. + +- If you disable this policy setting, the user cannot run scriptlets. + +- If you do not configure this policy setting, the user can enable or disable scriptlets. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets_2 | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownInternetZoneAllowSmartScreenIE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE +``` + + + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing_2 | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownInternetZoneAllowUserDataPersistence + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence +``` + + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence_2 | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownInternetZoneInitializeAndScriptActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls +``` + + + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_2 | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownInternetZoneJavaPermissions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneJavaPermissions +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneJavaPermissions +``` + + + + +This policy setting allows you to manage permissions for Java applets. + +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. + +Low Safety enables applets to perform all operations. + +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. + +High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. + +- If you disable this policy setting, Java applets cannot run. + +- If you do not configure this policy setting, Java applets are disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions_2 | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownInternetZoneNavigateWindowsAndFrames + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames +``` + + + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +- If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains_2 | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownIntranetJavaPermissions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetJavaPermissions +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetJavaPermissions +``` + + + + +This policy setting allows you to manage permissions for Java applets. + +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. + +Low Safety enables applets to perform all operations. + +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. + +High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. + +- If you disable this policy setting, Java applets cannot run. + +- If you do not configure this policy setting, Java applets are disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions_4 | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownIntranetZoneAllowAccessToDataSources + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources +``` + + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +- If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_4 | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +- If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction_4 | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +- If you enable this setting, users will receive a file download dialog for automatic download attempts. + +- If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction_4 | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownIntranetZoneAllowFontDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowFontDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +- If you disable this policy setting, HTML fonts are prevented from downloading. + +- If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload_4 | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownIntranetZoneAllowLessPrivilegedSites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +- If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction_4 | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownIntranetZoneAllowNETFrameworkReliantComponents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents +``` + + + + +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +- If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_4 | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownIntranetZoneAllowScriptlets + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowScriptlets +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowScriptlets +``` + + + + +This policy setting allows you to manage whether the user can run scriptlets. + +- If you enable this policy setting, the user can run scriptlets. + +- If you disable this policy setting, the user cannot run scriptlets. + +- If you do not configure this policy setting, the user can enable or disable scriptlets. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets_4 | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownIntranetZoneAllowSmartScreenIE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE +``` + + + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing_4 | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownIntranetZoneAllowUserDataPersistence + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence +``` + + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence_4 | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownIntranetZoneInitializeAndScriptActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls +``` + + + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_4 | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownIntranetZoneNavigateWindowsAndFrames + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames +``` + + + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +- If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains_4 | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownLocalMachineZoneAllowAccessToDataSources + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources +``` + + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +- If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_10 | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +- If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction_10 | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +- If you enable this setting, users will receive a file download dialog for automatic download attempts. + +- If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction_10 | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownLocalMachineZoneAllowFontDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +- If you disable this policy setting, HTML fonts are prevented from downloading. + +- If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload_10 | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownLocalMachineZoneAllowLessPrivilegedSites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +- If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction_10 | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents +``` + + + + +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +- If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_10 | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownLocalMachineZoneAllowScriptlets + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets +``` + + + + +This policy setting allows you to manage whether the user can run scriptlets. + +- If you enable this policy setting, the user can run scriptlets. + +- If you disable this policy setting, the user cannot run scriptlets. + +- If you do not configure this policy setting, the user can enable or disable scriptlets. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets_10 | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownLocalMachineZoneAllowSmartScreenIE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE +``` + + + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing_10 | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownLocalMachineZoneAllowUserDataPersistence + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence +``` + + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence_10 | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownLocalMachineZoneInitializeAndScriptActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls +``` + + + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_10 | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownLocalMachineZoneJavaPermissions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneJavaPermissions +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneJavaPermissions +``` + + + + +This policy setting allows you to manage permissions for Java applets. + +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. + +Low Safety enables applets to perform all operations. + +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. + +High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. + +- If you disable this policy setting, Java applets cannot run. + +- If you do not configure this policy setting, Java applets are disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions_10 | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownLocalMachineZoneNavigateWindowsAndFrames + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames +``` + + + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +- If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains_10 | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownRestrictedSitesZoneAllowAccessToDataSources + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources +``` + + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +- If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_8 | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +- If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction_8 | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +- If you enable this setting, users will receive a file download dialog for automatic download attempts. + +- If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction_8 | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownRestrictedSitesZoneAllowFontDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +- If you disable this policy setting, HTML fonts are prevented from downloading. + +- If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload_8 | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownRestrictedSitesZoneAllowLessPrivilegedSites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +- If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction_8 | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents +``` + + + + +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +- If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_8 | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownRestrictedSitesZoneAllowScriptlets + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets +``` + + + + +This policy setting allows you to manage whether the user can run scriptlets. + +- If you enable this policy setting, the user can run scriptlets. + +- If you disable this policy setting, the user cannot run scriptlets. + +- If you do not configure this policy setting, the user can enable or disable scriptlets. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets_8 | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownRestrictedSitesZoneAllowSmartScreenIE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE +``` + + + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing_8 | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownRestrictedSitesZoneAllowUserDataPersistence + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence +``` + + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +- If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence_8 | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls +``` + + + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyScriptActiveXNotMarkedSafe_8 |
+| Friendly Name | Initialize and script ActiveX controls not marked as safe |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## LockedDownRestrictedSitesZoneJavaPermissions
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions
+```
+
+
+
+
+This policy setting allows you to manage permissions for Java applets.
+
+- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+- If you disable this policy setting, Java applets cannot run.
+
+- If you do not configure this policy setting, Java applets are disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyJavaPermissions_8 |
+| Friendly Name | Java permissions |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## LockedDownRestrictedSitesZoneNavigateWindowsAndFrames
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames
+```
+
+
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+- If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
+
+- If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.
+
+- If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyNavigateSubframesAcrossDomains_8 |
+| Friendly Name | Navigate windows and frames across different domains |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## LockedDownTrustedSitesZoneAllowAccessToDataSources
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources
+```
+
+
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+- If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyAccessDataSourcesAcrossDomains_6 |
+| Friendly Name | Access data sources across domains |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls
+```
+
+
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+- If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyNotificationBarActiveXURLaction_6 |
+| Friendly Name | Automatic prompting for ActiveX controls |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads
+```
+
+
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+- If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+- If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyNotificationBarDownloadURLaction_6 |
+| Friendly Name | Automatic prompting for file downloads |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## LockedDownTrustedSitesZoneAllowFontDownloads
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads
+```
+
+
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+- If you enable this policy setting, HTML fonts can be downloaded automatically.
+- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+- If you disable this policy setting, HTML fonts are prevented from downloading.
+
+- If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyFontDownload_6 |
+| Friendly Name | Allow font downloads |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## LockedDownTrustedSitesZoneAllowLessPrivilegedSites
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites
+```
+
+
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+
+- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+- If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyZoneElevationURLaction_6 |
+| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents
+```
+
+
+
+
+This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+- If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+- If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_6 |
+| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## LockedDownTrustedSitesZoneAllowScriptlets
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets
+```
+
+
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+- If you enable this policy setting, the user can run scriptlets.
+
+- If you disable this policy setting, the user cannot run scriptlets.
+
+- If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_Policy_AllowScriptlets_6 |
+| Friendly Name | Allow scriptlets |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## LockedDownTrustedSitesZoneAllowSmartScreenIE
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE
+```
+
+
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+> [!NOTE]
+> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_Policy_Phishing_6 |
+| Friendly Name | Turn on SmartScreen Filter scan |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## LockedDownTrustedSitesZoneAllowUserDataPersistence
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence
+```
+
+
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyUserdataPersistence_6 |
+| Friendly Name | Userdata persistence |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls
+```
+
+
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyScriptActiveXNotMarkedSafe_6 |
+| Friendly Name | Initialize and script ActiveX controls not marked as safe |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## LockedDownTrustedSitesZoneJavaPermissions
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions
+```
+
+
+
+
+This policy setting allows you to manage permissions for Java applets.
+
+- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+- If you disable this policy setting, Java applets cannot run.
+
+- If you do not configure this policy setting, Java applets are disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyJavaPermissions_6 |
+| Friendly Name | Java permissions |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## LockedDownTrustedSitesZoneNavigateWindowsAndFrames
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames
+```
+
+
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+
+- If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
+
+- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyNavigateSubframesAcrossDomains_6 |
+| Friendly Name | Navigate windows and frames across different domains |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## MimeSniffingSafetyFeatureInternetExplorerProcesses
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses
+```
+
+
+
+
+This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type.
+
+- If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.
+
+- If you disable this policy setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type.
+
+- If you do not configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IESF_PolicyExplorerProcesses_6 |
+| Friendly Name | Internet Explorer Processes |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature |
+| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
+
+## MKProtocolSecurityRestrictionInternetExplorerProcesses
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses +``` + + + + The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. -If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. +- If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. + +- If you disable this policy setting, applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes. + +- If you do not configure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. + -If you disable this policy setting, applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes. + + + -If you do not configure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IESF_PolicyExplorerProcesses_3 | +| Friendly Name | Internet Explorer Processes | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL | +| ADMX File Name | inetres.admx | + - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_3* -- GP path: *Windows Components/Internet Explorer/Security Features/MK Protocol Security Restriction* -- GP ADMX file name: *inetres.admx* + + + - - + -
    + +## NewTabDefaultPage - -**InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/NewTabDefaultPage +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/NewTabDefaultPage +``` + + + + +This policy setting allows you to specify what is displayed when the user opens a new tab. + +- If you enable this policy setting, you can choose which page to display when the user opens a new tab: blank page (about:blank), the first home page, the new tab page or the new tab page with my news feed. + +- If you disable or do not configure this policy setting, the user can select his or her preference for this behavior. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NewTabAction | +| Friendly Name | Specify default behavior for a new tab | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing | +| ADMX File Name | inetres.admx | + -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines, whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. - -If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. - -If you disable this policy setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type. - -If you do not configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. - - - - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_6* -- GP path: *Windows Components/Internet Explorer/Security Features/Mime Sniffing Safety Feature* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/NewTabDefaultPage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to specify, what is displayed when the user opens a new tab. - -If you enable this policy setting, you can choose which page to display when the user opens a new tab: blank page (about:blank), the first home page, the new tab page or the new tab page with my news feed. - -If you disable or do not configure this policy setting, users can select their preference for this behavior. - - - - -ADMX Info: -- GP Friendly name: *Specify default behavior for a new tab* -- GP name: *NewTabAction* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -Supported values: -- 0 - NewTab_AboutBlank (about:blank) -- 1 - NewTab_Homepage (Home page) -- 2 - NewTab_AboutTabs (New tab page) -- 3 - NewTab_AboutNewsFeed (New tab page with my news feed) (Default) - - - - - - - - - -
    - - -**InternetExplorer/NotificationBarInternetExplorerProcesses** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. - -If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. - -If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes. - -If you do not configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes. - - - - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_10* -- GP path: *Windows Components/Internet Explorer/Security Features/Notification bar* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/PreventManagingSmartScreenFilter** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting prevents the user from managing Windows Defender SmartScreen, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. - -If you enable this policy setting, the user is not prompted to turn on Windows Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user. - -If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on Windows Defender SmartScreen during the first-run experience. - - - - -ADMX Info: -- GP Friendly name: *Prevent managing SmartScreen Filter* -- GP name: *Disable_Managing_Safety_Filter_IE9* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/PreventPerUserInstallationOfActiveXControls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + + + + + + +## NotificationBarInternetExplorerProcesses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/NotificationBarInternetExplorerProcesses +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/NotificationBarInternetExplorerProcesses +``` + + + + +This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. + +- If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. + +- If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes. + +- If you do not configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IESF_PolicyExplorerProcesses_10 | +| Friendly Name | Internet Explorer Processes | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Notification bar | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND | +| ADMX File Name | inetres.admx | + + + + + + + + + +## PreventManagingSmartScreenFilter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/PreventManagingSmartScreenFilter +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/PreventManagingSmartScreenFilter +``` + + + + +This policy setting prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. + +- If you enable this policy setting, the user is not prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user. + +- If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on SmartScreen Filter during the first-run experience. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Disable_Managing_Safety_Filter_IE9 | +| Friendly Name | Prevent managing SmartScreen Filter | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\PhishingFilter | +| ADMX File Name | inetres.admx | + + + + + + + + + +## PreventPerUserInstallationOfActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/PreventPerUserInstallationOfActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/PreventPerUserInstallationOfActiveXControls +``` + + + + This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. -If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. +- If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. -If you disable or do not configure this policy setting, ActiveX controls can be installed on a per-user basis. +- If you disable or do not configure this policy setting, ActiveX controls can be installed on a per-user basis. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent per-user installation of ActiveX controls* -- GP name: *DisablePerUserActiveXInstall* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisablePerUserActiveXInstall | +| Friendly Name | Prevent per-user installation of ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Security\ActiveX | +| Registry Value Name | BlockNonAdminActiveXInstall | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ProtectionFromZoneElevationInternetExplorerProcesses -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses +``` - - -Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation, if there is no security context. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses +``` + -If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. + + +Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. -If you disable this policy setting, no zone receives such protection for Internet Explorer processes. +- If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. -If you do not configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. +- If you disable this policy setting, no zone receives such protection for Internet Explorer processes. - +- If you do not configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. 
+ - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_9* -- GP path: *Windows Components/Internet Explorer/Security Features/Protection From Zone Elevation* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IESF_PolicyExplorerProcesses_9 | +| Friendly Name | Internet Explorer Processes | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## RemoveRunThisTimeButtonForOutdatedActiveXControls -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls +``` + + + + This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer. -If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears, when Internet Explorer blocks an outdated ActiveX control. +- If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. -If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears, when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. +- If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. + - + + + - -ADMX Info: -- GP Friendly name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer* -- GP name: *VerMgmtDisableRunThisTime* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/ResetZoomForDialogInIEMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | VerMgmtDisableRunThisTime | +| Friendly Name | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Add-on Management | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Ext | +| Registry Value Name | RunThisTimeEnabled | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ResetZoomForDialogInIEMode -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.261] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1832] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1266] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.282] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/ResetZoomForDialogInIEMode +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/ResetZoomForDialogInIEMode +``` + + + + This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode. - If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page. -- If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page. +If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page. - - -The following list shows the supported values: +For more information, see + -- 0 (default) - Disabled -- 1 - Enabled + + + - - -ADMX Info: -- GP Friendly name: *Reset zoom to default for HTML dialogs in Internet Explorer mode* -- GP name: *ResetZoomForDialogInIEMode* -- GP path: *Windows Components/Internet Explorer/Main* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ResetZoomForDialogInIEMode | +| Friendly Name | Reset zoom to default for HTML dialogs in Internet Explorer mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| Registry Value Name | ResetZoomForDialogInIEMode | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictActiveXInstallInternetExplorerProcesses -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses +``` + + + + This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. -If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. +- If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. -If you disable this policy setting, prompting for ActiveX control installations will not be blocked for Internet Explorer processes. +- If you disable this policy setting, prompting for ActiveX control installations will not be blocked for Internet Explorer processes. + +- If you do not configure this policy setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes. + -If you do not configure this policy setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_11* -- GP path: *Windows Components/Internet Explorer/Security Features/Restrict ActiveX Install* -- GP ADMX file name: *inetres.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | IESF_PolicyExplorerProcesses_11 | +| Friendly Name | Internet Explorer Processes | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL | +| ADMX File Name | inetres.admx | + -
    + + + - -**InternetExplorer/RestrictFileDownloadInternetExplorerProcesses** + - + +## RestrictedSitesZoneAllowAccessToDataSources -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources +``` - -[Scope](./policy-configuration-service-provider.md#policy-scope): +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources +``` + -> [!div class = "checklist"] -> * User -> * Device + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -
    +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +- If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + - - -This policy setting enables blocking of file download prompts that are not user initiated. + + + -If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. + +**Description framework properties**: -If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: -If you do not configure this policy setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes. 
+| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_7 | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - + + + + + - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_12* -- GP path: *Windows Components/Internet Explorer/Security Features/Restrict File Download* -- GP ADMX file name: *inetres.admx* + +## RestrictedSitesZoneAllowActiveScripting - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowActiveScripting +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowActiveScripting +``` + + + + +This policy setting allows you to manage whether script code on pages in the zone is run. + +- If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run. + +- If you disable this policy setting, script code on pages in the zone is prevented from running. + +- If you do not configure this policy setting, script code on pages in the zone is prevented from running. + - -**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources** + + + - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyActiveScripting_7 | +| Friendly Name | Allow active scripting | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -
    + + + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/RestrictedSitesZoneAllowActiveScripting** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether script code on pages in the zone is run. - -If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run. - -If you disable this policy setting, script code on pages in the zone is prevented from running. - -If you do not configure this policy setting, script code on pages in the zone is prevented from running. - - - - -ADMX Info: -- GP Friendly name: *Allow active scripting* -- GP name: *IZ_PolicyActiveScripting_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + +## RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +- If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction_7 | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +- If you enable this setting, users will receive a file download dialog for automatic download attempts. + +- If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction_7 | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## RestrictedSitesZoneAllowBinaryAndScriptBehaviors + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors +``` + + + + This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. -If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. +- If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. -If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. +- If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. -If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. +- If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Allow binary and script behaviors* -- GP name: *IZ_PolicyBinaryBehaviors_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyBinaryBehaviors_7 | +| Friendly Name | Allow binary and script behaviors | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowCopyPasteViaScript -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript +``` - - -This policy setting allows you to manage, whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript +``` + -If you enable this policy setting, a script can perform a clipboard operation. + + +This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. + +- If you enable this policy setting, a script can perform a clipboard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. -If you disable this policy setting, a script cannot perform a clipboard operation. +- If you disable this policy setting, a script cannot perform a clipboard operation. + +- If you do not configure this policy setting, a script cannot perform a clipboard operation. + -If you do not configure this policy setting, a script cannot perform a clipboard operation. + + + - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAllowPasteViaScript_7 | +| Friendly Name | Allow cut, copy or paste operations from the clipboard via script | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -ADMX Info: -- GP Friendly name: *Allow cut, copy or paste operations from the clipboard via script* -- GP name: *IZ_PolicyAllowPasteViaScript_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + -
    + +## RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles - -**InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles +``` + - -
    + + +This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. + +- If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. + +- If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. + +- If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDropOrPasteFiles_7 | +| Friendly Name | Allow drag and drop or copy and paste files | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -
    + + + + + - - -This policy setting allows you to manage, whether users can drag files or copy and paste files from a source within the zone. + +## RestrictedSitesZoneAllowFileDownloads -If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowFileDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowFileDownloads +``` + + + + +This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. + +- If you enable this policy setting, files can be downloaded from the zone. + +- If you disable this policy setting, files are prevented from being downloaded from the zone. + +- If you do not configure this policy setting, files are prevented from being downloaded from the zone. + + + + + -If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFileDownload_7 | +| Friendly Name | Allow file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone. 
+ + + + + - + +## RestrictedSitesZoneAllowFontDownloads - -ADMX Info: -- GP Friendly name: *Allow drag and drop or copy and paste files* -- GP name: *IZ_PolicyDropOrPasteFiles_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowFontDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +- If you disable this policy setting, HTML fonts are prevented from downloading. + +- If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. + - - + + + -
    - - -**InternetExplorer/RestrictedSitesZoneAllowFileDownloads** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. - -If you enable this policy setting, files can be downloaded from the zone. - -If you disable this policy setting, files are prevented from being downloaded from the zone. - -If you do not configure this policy setting, files are prevented from being downloaded from the zone. - - - - -ADMX Info: -- GP Friendly name: *Allow file downloads* -- GP name: *IZ_PolicyFileDownload_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/RestrictedSitesZoneAllowFontDownloads** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. - - - - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. - - - - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload_7 | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## RestrictedSitesZoneAllowLessPrivilegedSites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +- If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction_7 | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## RestrictedSitesZoneAllowLoadingOfXAMLFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles +``` + + + + This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. -If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. +- If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. -If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. +- If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. -If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. +- If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Allow loading of XAML files* -- GP name: *IZ_Policy_XAML_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_XAML_7 | +| Friendly Name | Allow loading of XAML files | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowMETAREFRESH -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH +``` - - -This policy setting allows you to manage, whether a user's browser can be redirected to another Web page, if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH +``` + -If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page. + + +This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. -If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. +- If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page. -If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. +- If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. - +- If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. + - -ADMX Info: -- GP Friendly name: *Allow META REFRESH* -- GP name: *IZ_PolicyAllowMETAREFRESH_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAllowMETAREFRESH_7 | +| Friendly Name | Allow META REFRESH | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## RestrictedSitesZoneAllowNETFrameworkReliantComponents -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents +``` -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents +``` + -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + + +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. 
- -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* +- If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + - - + + + -
    + +**Description framework properties**: - -**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_7 | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    + +## RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls +``` + + + + This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. -If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control, to run from the current site or from all sites. +- If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites. + +- If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted | +| Friendly Name | Allow only approved domains to use ActiveX controls without prompt | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. + + + - + - -ADMX Info: -- GP Friendly name: *Allow only approved domains to use ActiveX controls without prompt* -- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +## RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +``` + + + + +This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites. + +- If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone. + +- If you disable this policy setting, the TDC Active X control will run from all sites in this zone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAllowTDCControl_Both_Restricted | +| Friendly Name | Allow only approved domains to use the TDC ActiveX control | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls +``` - -**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls +``` + + + + +This policy setting determines whether a page can control embedded WebBrowser controls via script. + +- If you enable this policy setting, script access to the WebBrowser control is allowed. + +- If you disable this policy setting, script access to the WebBrowser control is not allowed. + +- If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_Policy_WebBrowserControl_7 | +| Friendly Name | Allow scripting of Internet Explorer WebBrowser controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -
    + + + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowScriptInitiatedWindows -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows +``` + + + + +This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. + +- If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. + +- If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. + +- If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. + - - -This policy setting controls, whether or not the user is allowed to run the TDC ActiveX control on websites. + + + -If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone. + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: -If you disable this policy setting, the TDC Active X control will run from all sites in this zone. 
+| Name | Value | +|:--|:--| +| Name | IZ_PolicyWindowsRestrictionsURLaction_7 | +| Friendly Name | Allow script-initiated windows without size or position constraints | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - + + + + + - -ADMX Info: -- GP Friendly name: *Allow only approved domains to use the TDC ActiveX control* -- GP name: *IZ_PolicyAllowTDCControl_Both_Restricted* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +## RestrictedSitesZoneAllowScriptlets - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptlets +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptlets +``` + -
    + + +This policy setting allows you to manage whether the user can run scriptlets. - -**InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows** +- If you enable this policy setting, the user can run scriptlets. - +- If you disable this policy setting, the user cannot run scriptlets. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you do not configure this policy setting, the user can enable or disable scriptlets. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This policy setting allows you to manage restrictions on script-initiated pop-up windows, and windows that include the title and status bars. +**ADMX mapping**: -If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets_7 | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows, and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone, as dictated by the Scripted Windows Security Restrictions feature control setting for the process. + + + -If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows, and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone<> as dictated by the Scripted Windows Security Restrictions feature control setting for the process. 
+ - + +## RestrictedSitesZoneAllowSmartScreenIE - -ADMX Info: -- GP Friendly name: *Allow script-initiated windows without size or position constraints* -- GP name: *IZ_PolicyWindowsRestrictionsURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE +``` + -
    + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -**InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls** +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines, whether a page can control embedded WebBrowser controls via script. - -If you enable this policy setting, script access to the WebBrowser control is allowed. - -If you disable this policy setting, script access to the WebBrowser control is not allowed. - -If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. - - - - -ADMX Info: -- GP Friendly name: *Allow scripting of Internet Explorer WebBrowser controls* -- GP name: *IZ_Policy_WebBrowserControl_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/RestrictedSitesZoneAllowScriptlets** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. - -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. - -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. > [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing_7 | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowUpdatesToStatusBarViaScript -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript +``` - - -This policy setting allows you to manage, whether script is allowed to update the status bar within the zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript +``` + -If you enable this policy setting, script is allowed to update the status bar. + + +This policy setting allows you to manage whether script is allowed to update the status bar within the zone. -If you disable or do not configure this policy setting, script is not allowed to update the status bar. +- If you enable this policy setting, script is allowed to update the status bar. - +- If you disable or do not configure this policy setting, script is not allowed to update the status bar. + - -ADMX Info: -- GP Friendly name: *Allow updates to status bar via script* -- GP name: *IZ_Policy_ScriptStatusBar_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_Policy_ScriptStatusBar_7 | +| Friendly Name | Allow updates to status bar via script | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## RestrictedSitesZoneAllowUserDataPersistence -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence +``` -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence +``` + -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. -If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. 
- -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* +- If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + - - + + + -
    + +**Description framework properties**: - -**InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence_7 | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    + +## RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer - - -This policy setting allows you to manage, whether VBScript can be run on pages from the specified zone in Internet Explorer. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer +``` + + + + +This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. If you selected Enable in the drop-down box, VBScript can run without user intervention. @@ -12518,614 +14900,794 @@ If you selected Prompt in the drop-down box, users are asked to choose whether t If you selected Disable in the drop-down box, VBScript is prevented from running. If you do not configure or disable this policy setting, VBScript is prevented from running. + - + + + - -ADMX Info: -- GP Friendly name: *Allow VBScript to run in Internet Explorer* -- GP name: *IZ_PolicyAllowVBScript_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAllowVBScript_7 | +| Friendly Name | Allow VBScript to run in Internet Explorer | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - - + + + -
    + - -**InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls** + +## RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +``` - -
    +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +``` + + + + +This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. + +- If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. + +- If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. + +- If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 | +| Friendly Name | Don't run antimalware programs against ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + -
    + +## RestrictedSitesZoneDownloadSignedActiveXControls - - -This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls +``` -If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls +``` + + + + +This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. + +- If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. + +- If you disable the policy setting, signed controls cannot be downloaded. + +- If you do not configure this policy setting, signed controls cannot be downloaded. + -If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. + + + -If you don't configure this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDownloadSignedActiveX_7 | +| Friendly Name | Download signed ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -ADMX Info: -- GP Friendly name: *Don't run antimalware programs against ActiveX controls* -- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + + + - - + +## RestrictedSitesZoneDownloadUnsignedActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls +``` + + + + +This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. + +- If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. + +- If you disable this policy setting, users cannot run unsigned controls. + +- If you do not configure this policy setting, users cannot run unsigned controls. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDownloadUnsignedActiveX_7 | +| Friendly Name | Download unsigned ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -
    + + + + + - -**InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls** + +## RestrictedSitesZoneEnableCrossSiteScriptingFilter - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter +``` + + + + +This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. + +- If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections. + +- If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyTurnOnXSSFilter_Both_Restricted | +| Friendly Name | Turn on Cross-Site Scripting Filter | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -
    + + + - - -This policy setting allows you to manage, whether users may download signed ActiveX controls from a page in the zone. + -If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. + +## RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows -If you disable the policy setting, signed controls cannot be downloaded. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -If you do not configure this policy setting, signed controls cannot be downloaded. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +``` - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +``` + - -ADMX Info: -- GP Friendly name: *Download signed ActiveX controls* -- GP name: *IZ_PolicyDownloadSignedActiveX_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + +This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. + +- If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. + +- If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting. + +In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. - - +In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. + -
    + + + - -**InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted | +| Friendly Name | Enable dragging of content from different domains across windows | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -> [!div class = "checklist"] -> * User -> * Device + + + -
    + + + +## RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +``` - - -This policy setting allows you to manage, whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +``` + + + + +This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. -If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. +- If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting. -If you disable this policy setting, users cannot run unsigned controls. +- If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. -If you do not configure this policy setting, users cannot run unsigned controls. +In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. 
- +In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. + - -ADMX Info: -- GP Friendly name: *Download unsigned ActiveX controls* -- GP name: *IZ_PolicyDownloadUnsignedActiveX_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy controls, whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. - -If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections. - -If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. - - - - -ADMX Info: -- GP Friendly name: *Turn on Cross-Site Scripting Filter* -- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in different windows. - -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting. - -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when both the source and destination are in different windows. Users cannot change this setting. - -In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. - -In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting. - - - - -ADMX Info: -- GP Friendly name: *Enable dragging of content from different domains across windows* -- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in the same window. - -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting. - -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. - -In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. - -In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. - - - - -ADMX Info: -- GP Friendly name: *Enable dragging of content from different domains within a window* -- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/RestrictedSitesZoneEnableMIMESniffing** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted | +| Friendly Name | Enable dragging of content from different domains within a window | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## RestrictedSitesZoneEnableMIMESniffing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableMIMESniffing +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableMIMESniffing +``` + + + + This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature. -If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature. +- If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature. -If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. +- If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. -If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. +- If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Enable MIME Sniffing* -- GP name: *IZ_PolicyMimeSniffingURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyMimeSniffingURLaction_7 | +| Friendly Name | Enable MIME Sniffing | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer +``` - - -This policy setting controls, whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer +``` + -If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. + + +This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. -If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. +- If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. -If you do not configure this policy setting, the user can choose whether path information is sent, when he or she is uploading a file via an HTML form. By default, path information is sent. +- If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. - +- If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. 
+ - -ADMX Info: -- GP Friendly name: *Include local path when user is uploading files to a server* -- GP name: *IZ_Policy_LocalPathForUpload_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_Policy_LocalPathForUpload_7 | +| Friendly Name | Include local path when user is uploading files to a server | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## RestrictedSitesZoneInitializeAndScriptActiveXControls -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls +``` + + + + This policy setting allows you to manage ActiveX controls not marked as safe. -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. 
+- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + - + + + - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/RestrictedSitesZoneJavaPermissions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_7 | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneJavaPermissions -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneJavaPermissions +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneJavaPermissions +``` + + + + This policy setting allows you to manage permissions for Java applets. -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. -If you disable this policy setting, Java applets cannot run. +- If you disable this policy setting, Java applets cannot run. -If you do not configure this policy setting, Java applets are disabled. +- If you do not configure this policy setting, Java applets are disabled. + - + + + - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions_7 | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME +``` - - -This policy setting allows you to manage, whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME +``` + -If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. + + +This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. -If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. +- If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. -If you do not configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. +- If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. - +- If you do not configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. 
+ - -ADMX Info: -- GP Friendly name: *Launching applications and files in an IFRAME* -- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/RestrictedSitesZoneLogonOptions** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyLaunchAppsAndFilesInIFRAME_7 | +| Friendly Name | Launching applications and files in an IFRAME | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## RestrictedSitesZoneLogonOptions -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneLogonOptions +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneLogonOptions +``` + + + + This policy setting allows you to manage settings for logon options. -If you enable this policy setting, you can choose from the following logon options. +- If you enable this policy setting, you can choose from the following logon options. -Anonymous logon to disable HTTP authentication, and use the guest account only for the Common Internet File System (CIFS) protocol. +Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. 
@@ -13133,632 +15695,900 @@ Automatic logon only in Intranet zone to query users for user IDs and passwords Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password. -If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. +- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. -If you do not configure this policy setting, logon is set to Prompt for username and password. +- If you do not configure this policy setting, logon is set to Prompt for username and password. + - + + + - -ADMX Info: -- GP Friendly name: *Logon options* -- GP name: *IZ_PolicyLogon_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyLogon_7 | +| Friendly Name | Logon options | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneNavigateWindowsAndFrames -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames +``` - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames +``` + -If you enable this policy setting, users can open additional windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. -If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. +- If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. -If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. +- If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. - +- If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. 
+ - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains_7 | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## RestrictedSitesZoneRunActiveXControlsAndPlugins -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -This policy setting allows you to manage, whether ActiveX controls and plug-ins can be run on pages from the specified zone. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins +``` -If you enable this policy setting, controls and plug-ins can run without user intervention. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins +``` + + + + +This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. + +- If you enable this policy setting, controls and plug-ins can run without user intervention. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. -If you disable this policy setting, controls and plug-ins are prevented from running. +- If you disable this policy setting, controls and plug-ins are prevented from running. -If you do not configure this policy setting, controls and plug-ins are prevented from running. +- If you do not configure this policy setting, controls and plug-ins are prevented from running. + - + + + - -ADMX Info: -- GP Friendly name: *Run ActiveX controls and plugins* -- GP name: *IZ_PolicyRunActiveXControls_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyRunActiveXControls_7 | +| Friendly Name | Run ActiveX controls and plugins | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +``` - - -This policy setting allows you to manage, whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +``` + -If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute signed managed components. + + +This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you disable this policy setting, Internet Explorer will not execute signed managed components. +- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. -If you do not configure this policy setting, Internet Explorer will not execute signed managed components. +- If you disable this policy setting, Internet Explorer will not execute signed managed components. - +- If you do not configure this policy setting, Internet Explorer will not execute signed managed components. 
+ - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components signed with Authenticode* -- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicySignedFrameworkComponentsURLaction_7 | +| Friendly Name | Run .NET Framework-reliant components signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -This policy setting allows you to manage, whether an ActiveX control marked safe for scripting can interact with a script. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting +``` -If you enable this policy setting, script interaction can occur automatically without user intervention. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting +``` + + + + +This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. + +- If you enable this policy setting, script interaction can occur automatically without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. -If you disable this policy setting, script interaction is prevented from occurring. +- If you disable this policy setting, script interaction is prevented from occurring. -If you do not configure this policy setting, script interaction is prevented from occurring. +- If you do not configure this policy setting, script interaction is prevented from occurring. + - + + + - -ADMX Info: -- GP Friendly name: *Script ActiveX controls marked safe for scripting* -- GP name: *IZ_PolicyScriptActiveXMarkedSafe_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXMarkedSafe_7 | +| Friendly Name | Script ActiveX controls marked safe for scripting | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneScriptingOfJavaApplets -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets +``` - - -This policy setting allows you to manage, whether applets are exposed to scripts within the zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets +``` + -If you enable this policy setting, scripts can access applets automatically without user intervention. + + +This policy setting allows you to manage whether applets are exposed to scripts within the zone. + +- If you enable this policy setting, scripts can access applets automatically without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. -If you disable this policy setting, scripts are prevented from accessing applets. +- If you disable this policy setting, scripts are prevented from accessing applets. -If you do not configure this policy setting, scripts are prevented from accessing applets. +- If you do not configure this policy setting, scripts are prevented from accessing applets. + - + + + - -ADMX Info: -- GP Friendly name: *Scripting of Java applets* -- GP name: *IZ_PolicyScriptingOfJavaApplets_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptingOfJavaApplets_7 | +| Friendly Name | Scripting of Java applets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles +``` - - -This policy setting controls, whether or not the "Open File - Security Warning" message appears, when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles +``` + -If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. + + +This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). -If you disable this policy setting, these files do not open. +- If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. -If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. +- If you disable this policy setting, these files do not open. - +- If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. 
+ - -ADMX Info: -- GP Friendly name: *Show security warning for potentially unsafe files* -- GP name: *IZ_Policy_UnsafeFiles_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_Policy_UnsafeFiles_7 | +| Friendly Name | Show security warning for potentially unsafe files | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## RestrictedSitesZoneTurnOnProtectedMode -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode +``` + + + + This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. -If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. +- If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. -If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. +- If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. -If you do not configure this policy setting, the user can turn on or turn off Protected Mode. +- If you do not configure this policy setting, the user can turn on or turn off Protected Mode. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on Protected Mode* -- GP name: *IZ_Policy_TurnOnProtectedMode_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/RestrictedSitesZoneUsePopupBlocker** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_TurnOnProtectedMode_7 | +| Friendly Name | Turn on Protected Mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneUsePopupBlocker -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneUsePopupBlocker +``` - - -This policy setting allows you to manage, whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneUsePopupBlocker +``` + -If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. + + +This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. -If you disable this policy setting, pop-up windows are not prevented from appearing. +- If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. -If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. +- If you disable this policy setting, pop-up windows are not prevented from appearing. - +- If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. + - -ADMX Info: -- GP Friendly name: *Use Pop-up Blocker* -- GP name: *IZ_PolicyBlockPopupWindows_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyBlockPopupWindows_7 | +| Friendly Name | Use Pop-up Blocker | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## RestrictFileDownloadInternetExplorerProcesses -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts pop-up windows, and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictFileDownloadInternetExplorerProcesses +``` -If you enable this policy setting, pop-up windows and other restrictions apply for File Explorer and Internet Explorer processes. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictFileDownloadInternetExplorerProcesses +``` + -If you disable this policy setting, scripts can continue to create pop-up windows and windows that obfuscate other windows. + + +This policy setting enables blocking of file download prompts that are not user initiated. -If you do not configure this policy setting, pop-up windows and other restrictions apply for File Explorer and Internet Explorer processes. +- If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. - +- If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes. - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_8* -- GP path: *Windows Components/Internet Explorer/Security Features/Scripted Window Security Restrictions* -- GP ADMX file name: *inetres.admx* +- If you do not configure this policy setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes. + - - + + + -
    + +**Description framework properties**: - -**InternetExplorer/SearchProviderList** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | IESF_PolicyExplorerProcesses_12 | +| Friendly Name | Internet Explorer Processes | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Restrict File Download | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    + +## ScriptedWindowSecurityRestrictionsInternetExplorerProcesses - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses +``` + + + + +Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. + +- If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. + +- If you disable this policy setting, scripts can continue to create popup windows and windows that obfuscate other windows. + +- If you do not configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IESF_PolicyExplorerProcesses_8 | +| Friendly Name | Internet Explorer Processes | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS | +| ADMX File Name | inetres.admx | + + + + + + + + + +## SearchProviderList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/SearchProviderList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/SearchProviderList +``` + + + + This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website. -If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. +- If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers > [!NOTE] > This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. -If you disable or do not configure this policy setting, the user can configure his or her list of search providers. +- If you disable or do not configure this policy setting, the user can configure his or her list of search providers. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Restrict search providers to a specific list* -- GP name: *SpecificSearchProvider* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/SecurityZonesUseOnlyMachineSettings** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SpecificSearchProvider | +| Friendly Name | Restrict search providers to a specific list | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions | +| Registry Value Name | UsePolicySearchProvidersOnly | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SecurityZonesUseOnlyMachineSettings -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/SecurityZonesUseOnlyMachineSettings +``` + - - + + Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. -If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. +- If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. -If you disable this policy or do not configure it, users of the same computer can establish their own security zone settings. +- If you disable this policy or do not configure it, users of the same computer can establish their own security zone settings. This policy is intended to ensure that security zone settings apply uniformly to the same computer and do not vary from user to user. Also, see the "Security zones: Do not allow users to change policies" policy. + - + + + - -ADMX Info: -- GP Friendly name: *Security Zones: Use only machine settings* -- GP name: *Security_HKLM_only* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Security_HKLM_only | +| Friendly Name | Security Zones: Use only machine settings | +| Location | Computer Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| Registry Value Name | Security_HKLM_only | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SendSitesNotInEnterpriseSiteListToEdge -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge +``` - - -This setting lets you decide, whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the [InternetExplorer/AllowEnterpriseModeSiteList ](#internetexplorer-policies) policy setting, and you must include at least one site in the Enterprise Mode Site List. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge +``` + -If you enable this setting, it automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge. + + +This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode Site List. -If you disable, or not configure this setting, then it opens all sites based on the currently active browser. +Enabling this setting automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge. + +Disabling, or not configuring this setting, opens all sites based on the currently active browser. > [!NOTE] -> If you have also enabled the [InternetExplorer/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy setting, then all intranet sites will continue to open in Internet Explorer 11. 
- - - - -ADMX Info: -- GP Friendly name: *Send all sites not included in the Enterprise Mode Site List to Microsoft Edge* -- GP name: *RestrictInternetExplorer* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* +> If you've also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. + + + > [!NOTE] > This MDM policy is still outstanding. - - + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RestrictInternetExplorer | +| Friendly Name | Send all sites not included in the Enterprise Mode Site List to Microsoft Edge | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| Registry Value Name | RestrictIE | +| ADMX File Name | inetres.admx | + + + + +**Example**: + ```xml @@ -13780,714 +16610,935 @@ ADMX Info: ``` - -**InternetExplorer/SpecifyUseOfActiveXInstallerService** + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## SpecifyUseOfActiveXInstallerService - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/SpecifyUseOfActiveXInstallerService +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/SpecifyUseOfActiveXInstallerService +``` + -
    - - - + + This policy setting allows you to specify how ActiveX controls are installed. -If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. +- If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. + +- If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process. + + + + + -If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process. + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | OnlyUseAXISForActiveXInstall | +| Friendly Name | Specify use of ActiveX Installer Service for installation of ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AxInstaller | +| Registry Value Name | OnlyUseAXISForActiveXInstall | +| ADMX File Name | inetres.admx | + - + + + - -ADMX Info: -- GP Friendly name: *Specify use of ActiveX Installer Service for installation of ActiveX controls* -- GP name: *OnlyUseAXISForActiveXInstall* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + - - + +## TrustedSitesZoneAllowAccessToDataSources -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources** + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAccessToDataSources +``` - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAccessToDataSources +``` + + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +- If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_5 | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## TrustedSitesZoneAllowAutomaticPromptingForActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +- If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction_5 | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + + + + + +## TrustedSitesZoneAllowAutomaticPromptingForFileDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +- If you enable this setting, users will receive a file download dialog for automatic download attempts. + +- If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. + + + + + -> [!div class = "checklist"] -> * User -> * Device + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction_5 | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -
    + + + + + + + +## TrustedSitesZoneAllowFontDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowFontDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +- If you disable this policy setting, HTML fonts are prevented from downloading. + +- If you do not configure this policy setting, HTML fonts can be downloaded automatically. + - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + + + -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload_5 | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + + + + + +## TrustedSitesZoneAllowLessPrivilegedSites -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites +``` - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. + +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +- If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. + - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction_5 | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -
    + + + + + - -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls** + +## TrustedSitesZoneAllowNETFrameworkReliantComponents - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents +``` + + + + +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +- If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: -> [!div class = "checklist"] -> * User -> * Device +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_5 | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -
    + + + + + - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. + +## TrustedSitesZoneAllowScriptlets -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowScriptlets +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowScriptlets +``` + -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + +This policy setting allows you to manage whether the user can run scriptlets. -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +- If you enable this policy setting, the user can run scriptlets. - +- If you disable this policy setting, the user cannot run scriptlets. - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* +- If you do not configure this policy setting, the user can enable or disable scriptlets. + - - + + + -
    + +**Description framework properties**: - -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets_5 | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    + +## TrustedSitesZoneAllowSmartScreenIE - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowSmartScreenIE +``` -If you enable this setting, users will receive a file download dialog for automatic download attempts. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowSmartScreenIE +``` + -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - - - -
    - - -**InternetExplorer/TrustedSitesZoneAllowFontDownloads** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. - - - - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - - - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/TrustedSitesZoneAllowScriptlets** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. - -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. - -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. > [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing_5 | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedSitesZoneAllowUserDataPersistence -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowUserDataPersistence +``` - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowUserDataPersistence +``` + -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - +- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. 
+ - -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence_5 | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +``` -If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +``` + -If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. + + +This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you don't configure this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +- If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. - +- If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. 
- -ADMX Info: -- GP Friendly name: *Don't run antimalware programs against ActiveX controls* -- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* +- If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. + - - + + + -
    + +**Description framework properties**: - -**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 | +| Friendly Name | Don't run antimalware programs against ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    + +## TrustedSitesZoneInitializeAndScriptActiveXControls - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls +``` + + + + This policy setting allows you to manage ActiveX controls not marked as safe. -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. 
+- If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. + - + + + - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/TrustedSitesZoneJavaPermissions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_5 | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedSitesZoneJavaPermissions -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneJavaPermissions +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneJavaPermissions +``` + + + + This policy setting allows you to manage permissions for Java applets. -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. -If you disable this policy setting, Java applets cannot run. +- If you disable this policy setting, Java applets cannot run. -If you do not configure this policy setting, the permission is set to Low Safety. +- If you do not configure this policy setting, the permission is set to Low Safety. + - + + + - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions_5 | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedSitesZoneNavigateWindowsAndFrames -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames +``` - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames +``` + -If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. +- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. -If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. +- If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - +- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -## Related topics + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains_5 | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 0950cd842a..68f64fc6e5 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -1,672 +1,804 @@ --- -title: Policy CSP - Kerberos -description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). +title: Kerberos Policy CSP +description: Learn more about the Kerberos Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Kerberos -
    - - -## Kerberos policies - -
    -
    - Kerberos/AllowForestSearchOrder -
    -
    - Kerberos/CloudKerberosTicketRetrievalEnabled -
    -
    - Kerberos/KerberosClientSupportsClaimsCompoundArmor -
    -
    - Kerberos/PKInitHashAlgorithmConfiguration -
    -
    - Kerberos/PKInitHashAlgorithmSHA1 -
    -
    - Kerberos/PKInitHashAlgorithmSHA256 -
    -
    - Kerberos/PKInitHashAlgorithmSHA384 -
    -
    - Kerberos/PKInitHashAlgorithmSHA512 -
    -
    - Kerberos/RequireKerberosArmoring -
    -
    - Kerberos/RequireStrictKDCValidation -
    -
    - Kerberos/SetMaximumContextTokenSize -
    -
    - Kerberos/UPNNameHints -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**Kerberos/AllowForestSearchOrder** + +## AllowForestSearchOrder - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/AllowForestSearchOrder +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). -If you enable this policy setting, the Kerberos client searches the forests in this list, if it's unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. +- If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. -If you disable or don't configure this policy setting, the Kerberos client doesn't search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name isn't found, NTLM authentication might be used. +- If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. + - + + + - -ADMX Info: -- GP Friendly name: *Use forest search order* -- GP name: *ForestSearch* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**Kerberos/CloudKerberosTicketRetrievalEnabled** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ForestSearch | +| Friendly Name | Use forest search order | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | UseForestSearch | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CloudKerberosTicketRetrievalEnabled -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/CloudKerberosTicketRetrievalEnabled +``` + - - -This policy allows retrieving the cloud Kerberos ticket during the sign in. + + +This policy setting allows retrieving the Azure AD Kerberos Ticket Granting Ticket during logon. -- If you disable (0) or don't configure this policy setting, the cloud Kerberos ticket isn't retrieved during the sign in. +- If you disable or do not configure this policy setting, the Azure AD Kerberos Ticket Granting Ticket is not retrieved during logon. -- If you enable (1) this policy, the cloud Kerberos ticket is retrieved during the sign in. - +- If you enable this policy setting, the Azure AD Kerberos Ticket Granting Ticket is retrieved during logon. + - -Valid values: -0 (default) - Disabled -1 - Enabled + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow retrieving the cloud Kerberos ticket during the logon* -- GP name: *CloudKerberosTicketRetrievalEnabled* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - -**Kerberos/KerberosClientSupportsClaimsCompoundArmor** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | CloudKerberosTicketRetrievalEnabled | +| Friendly Name | Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | CloudKerberosTicketRetrievalEnabled | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## KerberosClientSupportsClaimsCompoundArmor -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/KerberosClientSupportsClaimsCompoundArmor +``` + - - -This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring, using Kerberos authentication with domains that support these features. -If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains that support claims and compound authentication for Dynamic Access Control and Kerberos armoring. + + +This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. +- If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. -If you disable or don't configure this policy setting, the client devices won't request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device won't be able to retrieve claims for clients using Kerberos protocol transition. +- If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Kerberos client support for claims, compound authentication and Kerberos armoring* -- GP name: *EnableCbacAndArmor* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**Kerberos/PKInitHashAlgorithmConfiguration** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableCbacAndArmor | +| Friendly Name | Kerberos client support for claims, compound authentication and Kerberos armoring | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | EnableCbacAndArmor | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PKInitHashAlgorithmConfiguration -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfiguration +``` + + + This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. -If you enable this policy, you'll be able to configure one of four states for each hash algorithm (SHA1, SHA256, SHA384, and SHA512) using their respective policies. +- If you enable this policy, you will be able to configure one of four states for each algorithm: -If you disable or don't configure this policy, each algorithm will assume the **Default** state. +- "Default" sets the algorithm to the recommended state. -* 0 - **Disabled** -* 1 - **Enabled** +- "Supported" enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. -More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037. +- "Audited" enables usage of the algorithm and reports an event (ID 206) every time it is used. This state is intended to verify that the algorithm is not being used and can be safely disabled. - +- "Not Supported" disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. - -ADMX Info: -- GP Friendly name: *Configure Hash algorithms for certificate logon* -- GP name: *PKInitHashAlgorithmConfiguration* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* +- If you disable or do not configure this policy, each algorithm will assume the "Default" state. +More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found at . - - +Events generated by this configuration: 205, 206, 207, 208. + -
    + + + - -**Kerberos/PKInitHashAlgorithmSHA1** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled / Not Configured. | +| 1 | Enabled. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | PKInitHashAlgorithmConfiguration | +| Friendly Name | Configure hash algorithms for certificate logon | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | PKInitHashAlgorithmConfigurationEnabled | +| ADMX File Name | Kerberos.admx | + -
    + + + - - + + +## PKInitHashAlgorithmSHA1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmSHA1 +``` + + + + + + + + This policy setting controls the configuration of the SHA1 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: -* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. -* 1 - **Default**: This state sets the algorithm to the recommended state. -* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. -* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. +- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +- 1 - **Default**: This state sets the algorithm to the recommended state. +- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. If you don't configure this policy, the SHA1 algorithm will assume the **Default** state. 
+ - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Hash algorithms for certificate logon* -- GP name: *PKInitHashAlgorithmConfiguration* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not Supported. | +| 1 (Default) | Default. | +| 2 | Audited. | +| 3 | Supported. | + - -**Kerberos/PKInitHashAlgorithmSHA256** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | PKInitHashAlgorithmSHA1 | +| Path | Kerberos > AT > System > kerberos | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PKInitHashAlgorithmSHA256 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmSHA256 +``` + - - + + + + + This policy setting controls the configuration of the SHA256 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: -* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. -* 1 - **Default**: This state sets the algorithm to the recommended state. -* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. -* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. +- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +- 1 - **Default**: This state sets the algorithm to the recommended state. +- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. If you don't configure this policy, the SHA256 algorithm will assume the **Default** state. 
+ - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Hash algorithms for certificate logon* -- GP name: *PKInitHashAlgorithmConfiguration* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not Supported. | +| 1 (Default) | Default. | +| 2 | Audited. | +| 3 | Supported. | + - -**Kerberos/PKInitHashAlgorithmSHA384** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | PKInitHashAlgorithmSHA256 | +| Path | Kerberos > AT > System > kerberos | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PKInitHashAlgorithmSHA384 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmSHA384 +``` + - - + + + + + This policy setting controls the configuration of the SHA384 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: -* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. -* 1 - **Default**: This state sets the algorithm to the recommended state. -* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. -* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. +- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +- 1 - **Default**: This state sets the algorithm to the recommended state. +- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. If you don't configure this policy, the SHA384 algorithm will assume the **Default** state. 
+ - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Hash algorithms for certificate logon* -- GP name: *PKInitHashAlgorithmConfiguration* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not Supported. | +| 1 (Default) | Default. | +| 2 | Audited. | +| 3 | Supported. | + - -**Kerberos/PKInitHashAlgorithmSHA512** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | PKInitHashAlgorithmSHA384 | +| Path | Kerberos > AT > System > kerberos | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PKInitHashAlgorithmSHA512 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmSHA512 +``` + - - + + + + + This policy setting controls the configuration of the SHA512 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: -* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. -* 1 - **Default**: This state sets the algorithm to the recommended state. -* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. -* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. +- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +- 1 - **Default**: This state sets the algorithm to the recommended state. +- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. If you don't configure this policy, the SHA512 algorithm will assume the **Default** state. 
+ - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Hash algorithms for certificate logon* -- GP name: *PKInitHashAlgorithmConfiguration* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + - - -
    + +**Allowed values**: - -**Kerberos/RequireKerberosArmoring** +| Value | Description | +|:--|:--| +| 0 | Not Supported. | +| 1 (Default) | Default. | +| 2 | Audited. | +| 3 | Supported. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PKInitHashAlgorithmSHA512 | +| Path | Kerberos > AT > System > kerberos | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## RequireKerberosArmoring -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -This policy setting controls whether a computer requires that Kerberos message exchanges being armored when communicating with a domain controller. + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/RequireKerberosArmoring +``` + + + + +This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. > [!WARNING] -> When a domain doesn't support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. +> When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. -If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. +- If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. > [!NOTE] > The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. -If you disable or don't configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. +- If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Fail authentication requests when Kerberos armoring is not available* -- GP name: *ClientRequireFast* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**Kerberos/RequireStrictKDCValidation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ClientRequireFast | +| Friendly Name | Fail authentication requests when Kerberos armoring is not available | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | RequireFast | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RequireStrictKDCValidation -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/RequireStrictKDCValidation +``` + - - + + This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. -If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer isn't joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. +- If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. -If you disable or don't configure this policy setting, the Kerberos client requires only the KDC certificate that contains the Server Authentication purpose object identifier in the EKU extensions that can be issued to any server. 
+- If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. + - + + + - -ADMX Info: -- GP Friendly name: *Require strict KDC validation* -- GP name: *ValidateKDC* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**Kerberos/SetMaximumContextTokenSize** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ValidateKDC | +| Friendly Name | Require strict KDC validation | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | KdcValidation | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SetMaximumContextTokenSize -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/SetMaximumContextTokenSize +``` + - - -This policy setting allows you to set the value returned to applications that request the maximum size of the SSPI context token buffer size. + + +This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. -If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. +- If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. -If you disable or don't configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. +- If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. > [!NOTE] -> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8, the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it's not advised to set this value more than 48,000 bytes. +> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. 
Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. + - + + + - -ADMX Info: -- GP Friendly name: *Set maximum Kerberos SSPI context token buffer size* -- GP name: *MaxTokenSize* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**Kerberos/UPNNameHints** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxTokenSize | +| Friendly Name | Set maximum Kerberos SSPI context token buffer size | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | System\CurrentControlSet\Control\Lsa\Kerberos\Parameters | +| Registry Value Name | EnableMaxTokenSize | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## UPNNameHints -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/UPNNameHints +``` + - - -Adds a list of domains that an Azure Active Directory-joined device can attempt to contact when it can't resolve a UPN to a principal. + + +Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. +This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. + -Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This limitation can cause failures, when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures. + + + - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - - + + + - - -
    + - + + + -## Related topics + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index 693f130feb..cffc594e00 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -1,313 +1,381 @@ --- -title: Policy CSP - KioskBrowser -description: Use the Policy CSP - KioskBrowser setting to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. +title: KioskBrowser Policy CSP +description: Learn more about the KioskBrowser Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - KioskBrowser -These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user's browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_). + + + + +## BlockedUrlExceptions -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -## KioskBrowser policies + +```User +./User/Vendor/MSFT/Policy/Config/KioskBrowser/BlockedUrlExceptions +``` -
    -
    - KioskBrowser/BlockedUrlExceptions -
    -
    - KioskBrowser/BlockedUrls -
    -
    - KioskBrowser/DefaultURL -
    -
    - KioskBrowser/EnableEndSessionButton -
    -
    - KioskBrowser/EnableHomeButton -
    -
    - KioskBrowser/EnableNavigationButtons -
    -
    - KioskBrowser/RestartOnIdleTime -
    -
    +```Device +./Device/Vendor/MSFT/Policy/Config/KioskBrowser/BlockedUrlExceptions +``` + + + +List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. + -
    - - -**KioskBrowser/BlockedUrlExceptions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of exceptions to the blocked website URLs (with wildcard support). This policy is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. - + + > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**KioskBrowser/BlockedUrls** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## BlockedUrls - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/KioskBrowser/BlockedUrls +``` -> [!div class = "checklist"] -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/KioskBrowser/BlockedUrls +``` + -
    - - - -List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to. The delimiter for the URLs is "\uF000" character. + + +List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. + + + > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**KioskBrowser/DefaultURL** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DefaultURL - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/KioskBrowser/DefaultURL +``` -> [!div class = "checklist"] -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/KioskBrowser/DefaultURL +``` + -
    - - - + + Configures the default URL kiosk browsers to navigate on launch and restart. + + + > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**KioskBrowser/EnableEndSessionButton** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## EnableEndSessionButton - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton +``` -> [!div class = "checklist"] -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton +``` + -
    + + +Enable/disable kiosk browser's end session button. + - - -Shows the Kiosk Browser's end session button. When the policy is enabled, the Kiosk Browser app shows a button to reset the browser. When the user selects the button, the app will prompt the user for confirmation to end the session. When the user confirms, the Kiosk browser will clear all browsing data (cache, cookies, etc.) and navigate back to the default URL. + + +When the policy is enabled, the Kiosk Browser app shows a button to reset the browser. When the user selects the button, the app will prompt the user for confirmation to end the session. When the user confirms, the Kiosk browser will clear all browsing data (cache, cookies, etc.) and navigate back to the default URL. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**KioskBrowser/EnableHomeButton** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableHomeButton -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/KioskBrowser/EnableHomeButton +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/KioskBrowser/EnableHomeButton +``` + + + + Enable/disable kiosk browser's home button. + + + > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**KioskBrowser/EnableNavigationButtons** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableNavigationButtons -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/KioskBrowser/EnableNavigationButtons +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/KioskBrowser/EnableNavigationButtons +``` + + + + Enable/disable kiosk browser's navigation buttons (forward/back). + + + > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**KioskBrowser/RestartOnIdleTime** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestartOnIdleTime -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/KioskBrowser/RestartOnIdleTime +``` - - -Amount of time in minutes, the session is idle until the kiosk browser restarts in a fresh state. +```Device +./Device/Vendor/MSFT/Policy/Config/KioskBrowser/RestartOnIdleTime +``` + + + +Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. + + + + The value is an int 1-1440 that specifies the number of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty, which means there's no idle timeout within the kiosk browser. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. + - - -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-1440]` | +| Default Value | 0 | + -## Related topics + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index 6e47698868..eeb195ac8a 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -1,85 +1,100 @@ --- -title: Policy CSP - LanmanWorkstation -description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest sign ins to an SMB server. +title: LanmanWorkstation Policy CSP +description: Learn more about the LanmanWorkstation Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - LanmanWorkstation -
    + + + - -## LanmanWorkstation policies + +## EnableInsecureGuestLogons -
    -
    - LanmanWorkstation/EnableInsecureGuestLogons -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/EnableInsecureGuestLogons +``` + - -**LanmanWorkstation/EnableInsecureGuestLogons** + + +This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. - +- If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you disable this policy setting, the SMB client will reject insecure guest logons. - -
    +Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access." + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -This policy setting determines, if the SMB client will allow insecure guest sign in to an SMB server. + +**Allowed values**: -If you enable this policy setting or if you don't configure this policy setting, the SMB client will allow insecure guest sign in. +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + -If you disable this policy setting, the SMB client will reject insecure guest sign in. + +**Group policy mapping**: -Insecure guest sign in are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest sign in are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication, and don't use insecure guest sign in by default. Since insecure guest sign in are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest sign in are vulnerable to various man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest sign in is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest sign in and configuring file servers to require authenticated access. 
+| Name | Value | +|:--|:--| +| Name | Pol_EnableInsecureGuestLogons | +| Friendly Name | Enable insecure guest logons | +| Location | Computer Configuration | +| Path | Network > Lanman Workstation | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation | +| Registry Value Name | AllowInsecureGuestAuth | +| ADMX File Name | LanmanWorkstation.admx | + - - -ADMX Info: -- GP Friendly name: *Enable insecure guest logons* -- GP name: *Pol_EnableInsecureGuestLogons* -- GP path: *Network/Lanman Workstation* -- GP ADMX file name: *LanmanWorkstation.admx* + + + - - -This setting supports a range of values between 0 and 1. + - - -
    + + + - + -## Related topics +## Related articles -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index 4e778754ce..b425e49931 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -1,135 +1,166 @@ --- -title: Policy CSP - Licensing -description: Use the Policy CSP - Licensing setting to enable or disable Windows license reactivation on managed devices. +title: Licensing Policy CSP +description: Learn more about the Licensing Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Licensing -
    + + + - -## Licensing policies + +## AllowWindowsEntitlementReactivation -
    -
    - Licensing/AllowWindowsEntitlementReactivation -
    -
    - Licensing/DisallowKMSClientOnlineAVSValidation -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Licensing/AllowWindowsEntitlementReactivation +``` + - -**Licensing/AllowWindowsEntitlementReactivation** + + +This policy setting controls whether OS Reactivation is blocked on a device. +Policy Options: +- Not Configured (default -- Windows registration and reactivation is allowed) +- Disabled (Windows registration and reactivation is not allowed) +- Enabled (Windows registration is allowed) + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 | Disable Windows license reactivation on managed devices. | +| 1 (Default) | Enable Windows license reactivation on managed devices. | + -
    + +**Group policy mapping**: - - -Enables or Disable Windows license reactivation on managed devices. +| Name | Value | +|:--|:--| +| Name | AllowWindowsEntitlementReactivation | +| Friendly Name | Control Device Reactivation for Retail devices | +| Location | Computer Configuration | +| Path | Windows Components > Software Protection Platform | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform | +| Registry Value Name | AllowWindowsEntitlementReactivation | +| ADMX File Name | AVSValidationGP.admx | + - - -ADMX Info: -- GP Friendly name: *Control Device Reactivation for Retail devices* -- GP name: *AllowWindowsEntitlementReactivation* -- GP path: *Windows Components/Software Protection Platform* -- GP ADMX file name: *AVSValidationGP.admx* + + + - - -The following list shows the supported values: + -- 0 – Disable Windows license reactivation on managed devices. -- 1 (default) – Enable Windows license reactivation on managed devices. + +## DisallowKMSClientOnlineAVSValidation - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Licensing/DisallowKMSClientOnlineAVSValidation +``` + - -**Licensing/DisallowKMSClientOnlineAVSValidation** + + +This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. +- If you disable or do not configure this policy setting, KMS client activation data will be sent to Microsoft services when this device activates. +Policy Options: +- Not Configured (default -- data will be automatically sent to Microsoft) +- Disabled (data will be automatically sent to Microsoft) +- Enabled (data will not be sent to Microsoft) + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + -
    + +**Group policy mapping**: - - -Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. +| Name | Value | +|:--|:--| +| Name | NoAcquireGT | +| Friendly Name | Turn off KMS Client Online AVS Validation | +| Location | Computer Configuration | +| Path | Windows Components > Software Protection Platform | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform | +| Registry Value Name | NoGenTicket | +| ADMX File Name | AVSValidationGP.admx | + - - -ADMX Info: -- GP Friendly name: *Turn off KMS Client Online AVS Validation* -- GP name: *NoAcquireGT* -- GP path: *Windows Components/Software Protection Platform* -- GP ADMX file name: *AVSValidationGP.admx* + + + - - -The following list shows the supported values: + -- 0 (default) – Disabled -- 1 – Enabled + + + - - -
    + +## Related articles - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 73346cab09..075a1bd389 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1,2850 +1,3017 @@ --- -title: Policy CSP - LocalPoliciesSecurityOptions -description: These settings prevent users from adding new Microsoft accounts on a specific computer using LocalPoliciesSecurityOptions. +title: LocalPoliciesSecurityOptions Policy CSP +description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 12/16/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - LocalPoliciesSecurityOptions -
    + + +> [!NOTE] +> To find data formats (and other policy-related details), see [Policy DDF file](./configuration-service-provider-ddf.md). + - -## LocalPoliciesSecurityOptions policies + +## Accounts_BlockMicrosoftAccounts -
    -
    - LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts -
    -
    - LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus -
    - LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus -
    -
    - LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly -
    -
    - LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount -
    -
    - LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount -
    -
    - LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon -
    -
    - LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia -
    -
    - LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters -
    -
    - LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior -
    -
    - LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways -
    -
    - LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees -
    -
    - LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers -
    -
    - LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways -
    -
    - LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees -
    -
    - LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts -
    -
    - LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares -
    -
    - LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares -
    -
    - LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers -
    -
    - LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn -
    -
    - LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts +``` + + + + +This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the "Users can't add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. If you select the "Users can't add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. +- If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled (users will be able to use Microsoft accounts with Windows). | +| 1 | Enabled (users can't add Microsoft accounts). | +| 3 | Users can't add or log on with Microsoft accounts. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Accounts: Block Microsoft accounts | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## Accounts_EnableAdministratorAccountStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus +``` + + + + +This security setting determines whether the local Administrator account is enabled or disabled > [!NOTE] -> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md). +> If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. Default Disabled. + - -**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + -> [!div class = "checklist"] -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Accounts: Administrator account status | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + - - -This policy setting prevents users from adding new Microsoft accounts on this computer. + + + -If you select the "Users cannot add Microsoft accounts" option, users won't be able to create new Microsoft accounts on this computer. Switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This option is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. + -If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users won't be able to sign in to Windows. Selecting this option might make it impossible for an existing administrator on this computer to sign in and manage the system. + +## Accounts_EnableGuestAccountStatus -If you disable or don't configure this policy (recommended), users will be able to use Microsoft accounts with Windows. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus +``` + - - -GP Info: -- GP Friendly name: *Accounts: Block Microsoft accounts* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + +This security setting determines if the Guest account is enabled or disabled. Default Disabled - - -The following list shows the supported values: +> [!NOTE] +> If the Guest account is disabled and the security option Network Access Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. + -- 0 - disabled (users will be able to use Microsoft accounts with Windows). -- 1 - enabled (users can't add Microsoft accounts). + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | Accounts: Guest account status | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly - - -This setting allows the administrator to enable the local Administrator account. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly +``` + - - -GP Info: -- GP Friendly name: *Accounts: Enable Administrator Account Status* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -The following list shows the supported values: - -- 0 - disabled (local Administrator account is disabled). -- 1 - enabled (local Administrator account is enabled). - - - - -
    - -**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting allows the administrator to enable the guest Administrator account. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Accounts: Enable Guest Account Status* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -The following list shows the supported values: - -- 0 - disabled (local Administrator account is disabled). -- 1 - enabled (local Administrator account is enabled). - - - - -
    - - -**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Accounts: Limit local account use of blank passwords to console logon only - -This security setting determines whether local accounts that aren't password protected can be used to sign in from locations other than the physical computer console. If enabled, local accounts that aren't password protected will only be able to sign in at the computer's keyboard. - -Default: Enabled + + +Accounts Limit local account use of blank passwords to console logon only This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default Enabled > [!WARNING] -> Computers that aren't in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can sign in by using a user account that doesn't have a password. This is especially important for portable computers. -> -> If you apply this security policy to the Everyone group, no one will be able to sign in through Remote Desktop Services. +> Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services -This setting doesn't affect sign in that use domain accounts. -It's possible for applications that use remote interactive sign in to bypass this setting. +> [!NOTE] +> This setting does not affect logons that use domain accounts. It is possible for applications that use remote interactive logons to bypass this setting. 
+ -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. + + + - - -GP Info: -- GP Friendly name: *Accounts: Limit local account use of blank passwords to console logon only* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +**Description framework properties**: - - -Valid values: -- 0 - disabled - local accounts that aren't password protected can be used to sign in from locations other than the physical computer console. -- 1 - enabled - local accounts that aren't password protected will only be able to sign in at the computer's keyboard. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - -**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | Accounts: Limit local account use of blank passwords to console logon only | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Accounts_RenameAdministratorAccount -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount +``` + - - -Accounts: Rename administrator account + + +Accounts: Rename administrator account This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Default: Administrator. + -This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. + + + -Default: Administrator + +**Description framework properties**: -This policy supports the following: -- Supported value type is string. -- Supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | Administrator | + - - -GP Info: -- GP Friendly name: *Accounts: Rename administrator account* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | Accounts: Rename administrator account | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + -
    + + + - -**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount** + - + +## Accounts_RenameGuestAccount -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Accounts: Rename guest account This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -Accounts: Rename guest account +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | Guest | + -This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. + +**Group policy mapping**: -Default: Guest +| Name | Value | +|:--|:--| +| Name | Accounts: Rename guest account | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + -This policy supports the following: -- Supported value type is string. -- Supported operations are Add, Get, Replace, and Delete. + + + - - -GP Info: -- GP Friendly name: *Accounts: Rename guest account* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + - - + +## Devices_AllowedToFormatAndEjectRemovableMedia -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -**LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon** + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia +``` + - + + +Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Interactive Users Default: This policy is not defined and only Administrators have this ability. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -> [!div class = "checklist"] -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Devices: Allowed to format and eject removable media | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + - - -Devices: Allow undock without having to sign in + + + -This security setting determines whether a portable computer can be undocked without having to sign in. If this policy is enabled, sign in isn't required and an external hardware eject button can be used to undock the computer. If disabled, a user must sign in and have the Remove computer from docking station privilege to undock the computer. + -Default: Enabled + +## Devices_AllowUndockWithoutHavingToLogon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon +``` + + + + +Devices Allow undock without having to log on This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default Enabled > [!CAUTION] > Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Allow. | +| 0 | Block. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Devices: Allow undock without having to log on | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters +``` + + + + +Devices: Prevent users from installing printer drivers when connecting to shared printers For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. +- If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. +- If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. Default on servers: Enabled. Default on workstations: Disabled Notes This setting does not affect the ability to add a local printer. This setting does not affect Administrators. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Devices: Prevent users from installing printer drivers | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly +``` + + + + +Devices: Restrict CD-ROM access to locally logged-on user only This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Devices: Restrict CD-ROM access to locally logged-on user only | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked +``` + + + + +Interactive Logon:Display user information when the session is locked User display name, domain and user names (1) User display name only (2) Do not display user information (3) Domain and user names only (4) + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | User display name, domain and user names. | +| 2 | User display name only. | +| 3 | Do not display user information. | +| 4 | Domain and user names only. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Interactive logon: Display user information when the session is locked | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## InteractiveLogon_DoNotDisplayLastSignedIn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn +``` + + + + +Interactive logon: Don't display last signed-in This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. If this policy is enabled, the username will not be shown. If this policy is disabled, the username will be shown. Default: Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled (username will be shown). | +| 1 | Enabled (username will not be shown). | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Interactive logon: Don't display last signed-in | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## InteractiveLogon_DoNotDisplayUsernameAtSignIn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn +``` + + + + +Interactive logon: Don't display username at sign-in This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. If this policy is enabled, the username will not be shown. If this policy is disabled, the username will be shown. Default: Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled (username will be shown). | +| 1 (Default) | Enabled (username will not be shown). | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Interactive logon: Don't display username at sign-in | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## InteractiveLogon_DoNotRequireCTRLALTDEL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL +``` + + + + +Interactive logon: Do not require CTRL+ALT+DEL This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. Default on stand-alone computers: Enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled (a user is not required to press CTRL+ALT+DEL to log on). | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Interactive logon: Do not require CTRL+ALT+DEL | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## InteractiveLogon_MachineInactivityLimit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit +``` + + + + +Interactive logon: Machine inactivity limit. Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Default: not enforced. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-599940]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Interactive logon: Machine inactivity limit | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + +**Validate**: - - -GP Info: -- GP Friendly name: *Devices: Allow undock without having to log on* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Devices: Allowed to format and eject removable media - -This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: - -- Administrators. -- Administrators and Interactive Users. - -Default: This policy isn't defined, and only Administrators have this ability. - - - -GP Info: -- GP Friendly name: *Devices: Allowed to format and eject removable media* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Devices: Prevent users from installing printer drivers when connecting to shared printers - -For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. - -Default on servers: Enabled -Default on workstations: Disabled - ->[!NOTE] ->This setting doesn't affect the ability to add a local printer. This setting doesn't affect Administrators. - - - -GP Info: -- GP Friendly name: *Devices: Prevent users from installing printer drivers* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Devices: Restrict CD-ROM access to locally logged-on user only - -This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. - -If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. - -Default: This policy isn't defined and CD-ROM access isn't restricted to the locally logged-on user. - - - -GP Info: -- GP Friendly name: *Devices: Restrict CD-ROM access to locally logged-on user only* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Interactive Logon: Display user information when the session is locked - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Interactive logon: Display user information when the session is locked* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 1 - User display name, domain and user names. -- 2 - User display name only. -- 3 - Don't display user information. - - - - -
    - - -**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Interactive logon: Don't display last signed-in - -This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. - -If this policy is enabled, the username won't be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Interactive logon: Don't display last signed-in* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - disabled (username will be shown). -- 1 - enabled (username won't be shown). - - - - -
    - - -**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Interactive logon: Don't display username at sign-in - -This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. - -If this policy is enabled, the username won't be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Interactive logon: Don't display username at sign-in* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - disabled (username will be shown). -- 1 - enabled (username won't be shown). - - - - -
    - - -**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Interactive logon: Don't require CTRL+ALT+DEL - -This security setting determines whether pressing CTRL+ALT+DEL is required before a user can sign in. - -If this policy is enabled on a computer, a user isn't required to press CTRL+ALT+DEL to sign in. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users sign in ensures that users are communicating through a trusted path when entering their passwords. - -If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. - -Default on domain-computers: Enabled: At least Windows 8 / Disabled: Windows 7 or earlier. -Default on stand-alone computers: Enabled - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Interactive logon: Do not require CTRL+ALT+DEL* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - disabled. -- 1 - enabled (a user isn't required to press CTRL+ALT+DEL to sign in). - - - - -
    - - -**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Interactive logon: Machine inactivity limit - -Windows notices inactivity of a sign-in session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. - -Default: Not enforced - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Interactive logon: Machine inactivity limit* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it's set to zero (0), the setting is disabled. + - - + -
    + +## InteractiveLogon_MessageTextForUsersAttemptingToLogOn - -**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Interactive logon: Message text for users attempting to log on This security setting specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. Default: No message. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + -
    + +**Group policy mapping**: - - -Interactive logon: Message text for users attempting to sign in +| Name | Value | +|:--|:--| +| Name | Interactive logon: Message text for users attempting to log on | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + -This security setting specifies a text message that is displayed to users when they sign in. + + + -This text is often used for legal reasons. For example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. + -Default: No message + +## InteractiveLogon_MessageTitleForUsersAttemptingToLogOn -This policy supports the following: -- Supported value type is string. -- Supported operations are Add, Get, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -GP Info: -- GP Friendly name: *Interactive logon: Message text for users attempting to log on* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn +``` + - - + + +Interactive logon: Message title for users attempting to log on This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. Default: No message. + -
    + + + - -**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | Interactive logon: Message title for users attempting to log on | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## InteractiveLogon_SmartCardRemovalBehavior - - -Interactive logon: Message title for users attempting to sign in + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to sign in. + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior +``` + -Default: No message - -This policy supports the following: -- Supported value type is string. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Interactive logon: Message title for users attempting to log on* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Interactive logon: Smart card removal behavior - -This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. - -The options are: - -- No Action -- Lock Workstation -- Force Logoff -- Disconnect if a Remote Desktop Services session - -If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. - -If you click Force Logoff in the Properties dialog box for this policy, the user is automatically signed off when the smart card is removed. - -If you click Disconnect on a Remote Desktop Services session, removal of the smart card disconnects the session without logging off the user. This policy allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to sign in again. If the session is local, this policy functions identically to Lock Workstation. + + +Interactive logon Smart card removal behavior This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are No Action Lock Workstation Force Logoff Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. 
This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation > [!NOTE] -> Remote Desktop Services was called Terminal Services in previous versions of Windows Server. - -Default: This policy isn't defined, which means that the system treats it as No action. - -On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. - - - -GP Info: -- GP Friendly name: *Interactive logon: Smart card removal behavior* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -
    - - -**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Microsoft network client: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. - -If this setting is enabled, the Microsoft network client won't communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. - -Default: Disabled - -> [!Note] -> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -> -> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. 
For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). - - - -GP Info: -- GP Friendly name: *Microsoft network client: Digitally sign communications (always)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Microsoft network client: Digitally sign communications (if server agrees) - -This security setting determines whether the SMB client attempts to negotiate SMB packet signing. - -The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. - -If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled - -> [!Note] -> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -> If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. 
-> -> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -> For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). - - - -GP Info: -- GP Friendly name: *Microsoft network client: Digitally sign communications (if server agrees)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Microsoft network client: Send unencrypted password to connect to third-party SMB servers - -If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that don't support password encryption during authentication. - -Sending unencrypted passwords is a security risk. - -Default: Disabled - - - -GP Info: -- GP Friendly name: *Microsoft network client: Send unencrypted password to third-party SMB servers* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -> [!WARNING] -> Starting in Windows 10, version 1803, this policy is deprecated. - -Microsoft network server: Amount of idle time required before suspending a session - -This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. - -Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. - -For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. - -Default: This policy isn't defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. - - - -GP Info: -- GP Friendly name: *Microsoft network server: Amount of idle time required before suspending session* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
    - - -**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Microsoft network server: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB server component. - -The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. - -If this setting is enabled, the Microsoft network server won't communicate with a Microsoft network client, unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. - -Default: Disabled for member servers. Enabled for domain controllers. +> Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default This policy is not defined, which means that the system treats it as No action. On Windows Vista and above For this setting to work, the Smart Card Removal Policy service must be started. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | No Action. | +| 1 | Lock Workstation. | +| 2 | Force Logoff. | +| 3 | Disconnect if a Remote Desktop Services session. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Interactive logon: Smart card removal behavior | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## MicrosoftNetworkClient_DigitallySignCommunicationsAlways + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways +``` + + + + +Microsoft network client Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. +- If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. Default Disabled + +> [!IMPORTANT] +> For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client Digitally sign communications (if server agrees) > [!NOTE] -> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. 
-> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -> -> Similarly, if client-side SMB signing is required, that client won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. -> If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. -> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. 
SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference . + - - -GP Info: -- GP Friendly name: *Microsoft network server: Digitally sign communications (always)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | Microsoft network client: Digitally sign communications (always) | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees - - -Microsoft network server: Digitally sign communications (if client agrees) + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees +``` + -The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. - -If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled on domain controllers only. + + +Microsoft network client Digitally sign communications (if server agrees) This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. +- If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. 
If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default Enabled > [!NOTE] -> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -> If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. -> -> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. 
On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference . + - - -GP Info: -- GP Friendly name: *Microsoft network server: Digitally sign communications (if client agrees)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -**LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 1 (Default) | Enable. | +| 0 | Disable. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | Microsoft network client: Digitally sign communications (if server agrees) | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers - - -Network access: Don't allow anonymous enumeration of SAM accounts + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -This security setting determines what other permissions will be granted for anonymous connections to the computer. + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers +``` + -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This feature is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. + + +Microsoft network client: Send unencrypted password to connect to third-party SMB servers If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. Default: Disabled. + -This security option allows more restrictions to be placed on anonymous connections as follows: + + + -Enabled: Don't allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. -Disabled: No extra restrictions. Rely on default permissions. + +**Description framework properties**: -Default on workstations: Enabled -Default on server: Enabled +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Microsoft network client: Send unencrypted password to third-party SMB servers | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## MicrosoftNetworkServer_DigitallySignCommunicationsAlways + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways +``` + + + + +Microsoft network server Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. +- If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. +- If this setting is disabled, SMB packet signing is negotiated between the client and server. Default Disabled for member servers. Enabled for domain controllers + +> [!NOTE] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. 
Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors + +> [!IMPORTANT] +> For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy Microsoft network server Digitally sign communications (if server agrees) For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature For more information, reference . + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Microsoft network server: Digitally sign communications (always) | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees +``` + + + + +Microsoft network server Digitally sign communications (if client agrees) This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. +- If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default Enabled on domain controllers only + +> [!IMPORTANT] +> For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000 HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. 
Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference . + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Microsoft network server: Digitally sign communications (if client agrees) | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkAccess_AllowAnonymousSIDOrNameTranslation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_AllowAnonymousSIDOrNameTranslation +``` + + + + +Network access: Allow anonymous SID/name translation This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, an anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects both the SID-to-name translation as well as the name-to-SID translation. +- If this policy setting is disabled, an anonymous user cannot request the SID attribute for another user. Default on workstations and member servers: Disabled. Default on domain controllers running Windows Server 2008 or later: Disabled. Default on domain controllers running Windows Server 2003 R2 or earlier: Enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network access: Allow anonymous SID/name translation | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts +``` + + + + +Network access Do not allow anonymous enumeration of SAM accounts This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows Enabled Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. Disabled No additional restrictions. Rely on default permissions. Default on workstations Enabled. Default on serverEnabled > [!IMPORTANT] > This policy has no impact on domain controllers. - - - -GP Info: -- GP Friendly name: *Network access: Do not allow anonymous enumeration of SAM accounts* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network access: Don't allow anonymous enumeration of SAM accounts and shares - -This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This feature is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. If you don't want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. - -Default: Disabled - - - -GP Info: -- GP Friendly name: *Network access: Do not allow anonymous enumeration of SAM accounts and shares* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network access: Restrict anonymous access to Named Pipes and Shares - -When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: - -- Network access: Named pipes that can be accessed anonymously. -- Network access: Shares that can be accessed anonymously. -- Default: Enabled. - - - -GP Info: -- GP Friendly name: *Network access: Restrict anonymous access to Named Pipes and Shares* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network access: Restrict clients allowed to make remote calls to SAM - -This policy setting allows you to restrict remote rpc connections to SAM. - -If not selected, the default security descriptor will be used. - -This policy is supported on at least Windows Server 2016. - - - -GP Info: -- GP Friendly name: *Network access: Restrict clients allowed to make remote calls to SAM* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Allow Local System to use computer identity for NTLM. - -When services connect to devices that are running versions of the Windows operating system earlier than Windows Vista or Windows Server 2008, services that run as Local System and use SPNEGO (Negotiate) that revert to NTLM will authenticate anonymously. In Windows Server 2008 R2 and Windows 7 and later, if a service connects to a computer running Windows Server 2008 or Windows Vista, the system service uses the computer identity. - -When a service connects with the device identity, signing and encryption are supported to provide data protection. (When a service connects anonymously, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. Anonymous authentication uses a NULL session, which is a session with a server in which no user authentication is performed; and therefore, anonymous access is allowed.) - - - -GP Info: -- GP Friendly name: *Network security: Allow Local System to use computer identity for NTLM* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - Disabled. -- 1 - Enabled (Allow Local System to use computer identity for NTLM). - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Allow PKU2U authentication requests to this computer to use online identities. - -This policy will be turned off by default on domain joined machines. This disablement would prevent online identities from authenticating to the domain joined machine. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Network security: Allow PKU2U authentication requests to this computer to use online identities.* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - disabled. -- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities). - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Don't store LAN Manager hash value on next password change - -This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database, the passwords can be compromised if the security database is attacked. - -- Default on Windows Vista and above: Enabled -- Default on Windows XP: Disabled - - - -GP Info: -- GP Friendly name: *Network security: Do not store LAN Manager hash value on next password change* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security LAN Manager authentication level - -This security setting determines which challenge/response authentication protocol is used for network logon. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: - -- Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -- Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -- Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -- Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -- Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). - -- Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). - -- Default: - -- windows XP: send LM and NTLM responses. - -- Windows Server 2003: Send NTLM response only. - -Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only. - - - -GP Info: -- GP Friendly name: *Network security: LAN Manager authentication level* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Minimum session security for NTLM SSP based (including secure RPC) clients. - -This security setting allows a client device to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -- Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated. -- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) isn't negotiated. - -- Default: - -- Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements. - -- Windows 7 and Windows Server 2008 R2: Require 128-bit encryption. - - - -GP Info: -- GP Friendly name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - -This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -- Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated. - -- Require 128-bit encryption. The connection will fail if strong encryption (128-bit) isn't negotiated. - -- Default: - -- Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements. - -- Windows 7 and Windows Server 2008 R2: Require 128-bit encryption. - - - -GP Info: -- GP Friendly name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) servers* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication - -This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication, if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. - -If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. - -If you don't configure this policy setting, no exceptions will be applied. - -The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions, the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats. A single asterisk (*) can be used anywhere in the string as a wildcard character. - - - -GP Info: -- GP Friendly name: *Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Restrict NTLM: Audit Incoming NTLM Traffic - -This policy setting allows you to audit incoming NTLM traffic. - -If you select "Disable", or don't configure this policy setting, the server won't log events for incoming NTLM traffic. - -If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. - -If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Enabled. | +| 0 | Disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network access: Do not allow anonymous enumeration of SAM accounts | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares +``` + + + + +Network access: Do not allow anonymous enumeration of SAM accounts and shares This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. Default: Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enabled. | +| 0 (Default) | Disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network access: Do not allow anonymous enumeration of SAM accounts and shares | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares +``` + + + + +Network access: Restrict anonymous access to Named Pipes and Shares When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: Network access: Named pipes that can be accessed anonymously Network access: Shares that can be accessed anonymously Default: Enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Enable. | +| 0 | Disable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network access: Restrict anonymous access to Named Pipes and Shares | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM +``` + + + + +Network access: Restrict clients allowed to make remote calls to SAM This policy setting allows you to restrict remote rpc connections to SAM. If not selected, the default security descriptor will be used. This policy is supported on at least Windows Server 2016. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network access: Restrict clients allowed to make remote calls to SAM | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM +``` + + + + +Network security Allow Local System to use computer identity for NTLM This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. +- If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. +- If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. By default, this policy is enabled on Windows 7 and above. By default, this policy is disabled on Windows Vista. This policy is supported on at least Windows Vista or Windows Server 2008 + +> [!NOTE] +> Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. + + + + +- When a service connects with the device identity, signing and encryption are supported to provide data protection. +- When a service connects anonymously, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. Anonymous authentication uses a NULL session, which is a session with a server in which no user authentication is performed; and therefore, anonymous access is allowed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Allow. | +| 0 | Block. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: Allow Local System to use computer identity for NTLM | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_AllowPKU2UAuthenticationRequests + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests +``` + + + + +Network security: Allow PKU2U authentication requests to this computer to use online identities. This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Block. | +| 1 (Default) | Allow. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: Allow PKU2U authentication requests to this computer to use online identities. | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange + +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange +``` + + + + +Network security Do not store LAN Manager hash value on next password change This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. Default on Windows Vista and above Enabled Default on Windows XP Disabled + +> [!IMPORTANT] +> Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Enable. | +| 0 | Disable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: Do not store LAN Manager hash value on next password change | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_ForceLogoffWhenLogonHoursExpire + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_ForceLogoffWhenLogonHoursExpire +``` + + + + +Network security Force logoff when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default Enabled + +> [!NOTE] +> This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be different from the domain account policy by defining an account policy for the organizational unit that contains the member computers. Kerberos settings are not applied to member computers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: Force logoff when logon hours expire | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_LANManagerAuthenticationLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel +``` + + + + +Network security LAN Manager authentication level This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows Send LM and NTLM responses Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send LM and NTLM - use NTLMv2 session security if negotiated Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLM response only Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only\refuse LM Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). 
Send NTLMv2 response only\refuse LM and NTLM Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication)
+
+> [!IMPORTANT]
+> This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. Default Windows 2000 and windows XP send LM and NTLM responses Windows Server 2003 Send NTLM response only Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 Send NTLMv2 response only
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 3 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Send LM and NTLM responses. |
+| 1 | Send LM and NTLM-use NTLMv2 session security if negotiated. |
+| 2 | Send LM and NTLM responses only. |
+| 3 (Default) | Send LM and NTLMv2 responses only. |
+| 4 | Send LM and NTLMv2 responses only. Refuse LM. |
+| 5 | Send LM and NTLMv2 responses only. Refuse LM and NTLM. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Network security: LAN Manager authentication level |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
+```
+
+
+
+
+Network security: Minimum session security for NTLM SSP based (including secure RPC) clients This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. Default: Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 536870912 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | None. |
+| 524288 | Require NTLMv2 session security. |
+| 536870912 (Default) | Require 128-bit encryption. |
+| 537395200 | Require NTLM and 128-bit encryption. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Network security: Minimum session security for NTLM SSP based (including secure RPC) clients |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
+```
+
+
+
+
+Network security: Minimum session security for NTLM SSP based (including secure RPC) servers This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. Default: Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 536870912 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | None. |
+| 524288 | Require NTLMv2 session security. |
+| 536870912 (Default) | Require 128-bit encryption. |
+| 537395200 | Require NTLM and 128-bit encryption. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Network security: Minimum session security for NTLM SSP based (including secure RPC) servers |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
+```
+
+
+
+
+Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication.
+- If you do not configure this policy setting, no exceptions will be applied. The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `0xF000`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic +``` + + + + +Network security Restrict NTLM Audit Incoming NTLM Traffic This policy setting allows you to audit incoming NTLM traffic. If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security Restrict NTLM Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security Restrict NTLM Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2 > [!NOTE] > Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + - - -GP Info: -- GP Friendly name: *Network security: Restrict NTLM: Audit Incoming NTLM Traffic* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Disable. | +| 1 | Enable auditing for domain accounts. | +| 2 | Enable auditing for all accounts. | + -
    + +**Group policy mapping**: - -**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic** +| Name | Value | +|:--|:--| +| Name | Network security: Restrict NTLM: Audit Incoming NTLM Traffic | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic +``` + -
    - - - -Network security: Restrict NTLM: Incoming NTLM traffic - -This policy setting allows you to deny or allow incoming NTLM traffic. - -If you select "Allow all" or don't configure this policy setting, the server will allow all NTLM authentication requests. - -If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain sign in and display an NTLM blocked error, but allow local account sign in. - -If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. + + +Network security Restrict NTLM Incoming NTLM traffic This policy setting allows you to deny or allow incoming NTLM traffic. If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. This policy is supported on at least Windows 7 or Windows Server 2008 R2 > [!NOTE] > Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + - - -GP Info: -- GP Friendly name: *Network security: Restrict NTLM: Incoming NTLM traffic* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Allow all. | +| 1 | Deny all domain accounts. | +| 2 | Deny all accounts. | + -
    + +**Group policy mapping**: - -**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers** +| Name | Value | +|:--|:--| +| Name | Network security: Restrict NTLM: Incoming NTLM traffic | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers +``` + -
    - - - -Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers - -This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. - -If you select "Allow all" or don't configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. - -If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This logging allows you to identify those servers receiving NTLM authentication requests from the client computer. - -If you select "Deny all," the client computer can't authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. + + +Network security Restrict NTLM Outgoing NTLM traffic to remote servers This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. 
You can use the "Network security Restrict NTLM Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2 > [!NOTE] > Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - -GP Info: -- GP Friendly name: *Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
    - - -**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Shutdown: Allow system to be shut down without having to sign in - -This security setting determines whether a computer can be shut down without having to sign in to Windows. - -When this policy is enabled, the Shut Down command is available on the Windows logon screen. - -When this policy is disabled, the option to shut down the computer doesn't appear on the Windows logon screen. In this case, users must be able to sign in to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. - -- Default on workstations: Enabled. -- Default on servers: Disabled. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Shutdown: Allow system to be shut down without having to log on* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - disabled. -- 1 - enabled (allow system to be shut down without having to sign in). - - - - -
    - - -**LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Shutdown: Clear virtual memory pagefile - -This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. - -Virtual memory support uses a system pagefile to swap pages of memory to disk when they aren't used. On a running system, this pagefile is opened exclusively by the operating system, and it's well protected. However, systems that are configured to allow booting to other operating systems might have to ensure that the system pagefile is wiped clean when this system shuts down. This cleaning ensures that sensitive information from process memory that might go into the pagefile isn't available to an unauthorized user who manages to directly access the pagefile. - -When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. - -Default: Disabled - - - -GP Info: -- GP Friendly name: *Shutdown: Clear virtual memory pagefile* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. - -This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - -Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. - -Disabled: (Default) - -The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - disabled. -- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop). - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - -This policy setting controls the behavior of the elevation prompt for administrators. - -The options are: - -- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. - - > [!NOTE] - > Use this option only in the most constrained environments. - -- 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - -- 2 - Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -- 3 - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -- 4 - Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -- 5 - Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. 
- - - -GP Info: -- GP Friendly name: *User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Behavior of the elevation prompt for standard users - -This policy setting controls the behavior of the elevation prompt for standard users. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *User Account Control: Behavior of the elevation prompt for standard users* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -The following list shows the supported values: - -- 0 - Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user, may choose this setting to reduce help desk calls. -- 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -- 3 (Default) - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Detect application installations and prompt for elevation - -This policy setting controls the behavior of application installation detection for the computer. - -The options are: - -- Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -- Disabled: Application installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. - - - -GP Info: -- GP Friendly name: *User Account Control: Detect application installations and prompt for elevation* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Only elevate executable files that are signed and validated - -This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run, by adding certificates to the Trusted Publishers certificate store on local computers. - -The options are: -- 0 - Disabled: (Default) Doesn't enforce PKI certification path validation before a given executable file is permitted to run. -- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it's permitted to run. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *User Account Control: Only elevate executables that are signed and validated* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Only elevate UIAccess applications that are installed in secure locations - -This policy setting controls, whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following locations: - -- .\Program Files\, including subfolders -- .\Windows\system32\ -- .\Program Files (x86)\, including subfolders for 64-bit versions of Windows + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow all. | +| 1 | Deny all domain accounts. | +| 2 | Deny all accounts. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
+```
+
+
+
+
+Shutdown: Allow system to be shut down without having to log on This security setting determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. Default on workstations: Enabled. Default on servers: Disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disabled. |
+| 1 (Default) | Enabled (allow system to be shut down without having to log on). |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Shutdown: Allow system to be shut down without having to log on |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## Shutdown_ClearVirtualMemoryPageFile
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
+```
+
+
+
+
+Shutdown: Clear virtual memory pagefile This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown.
+- If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. Default: Disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Enable. |
+| 0 (Default) | Disable. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Shutdown: Clear virtual memory pagefile |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation +``` + + + + +User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. - Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled (allow UIAccess applications to prompt for elevation without using the secure desktop). | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_BehaviorOfTheElevationPromptForAdministrators + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators +``` + + + + +User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. The options are - Elevate without prompting Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials > [!NOTE] -> Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. - -The options are: -- 0 - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system. -- 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *User Account Control: Only elevate UIAccess applications that are installed in secure locations* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Turn on Admin Approval Mode - -This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. - -The options are: -- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. - - > [!NOTE] - > If this policy setting is disabled, Windows Security notifies you that the overall security of the operating system has been reduced. - -- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately, to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *User Account Control: Run all administrators in Admin Approval Mode* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Switch to the secure desktop when prompting for elevation - -This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. - -The options are: -- 0 - Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. -- 1 - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *User Account Control: Switch to the secure desktop when prompting for elevation* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Use Admin Approval Mode for the built-in Administrator account - -This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. - -The options are: - -• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. - -• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. - - - -GP Info: -- GP Friendly name: *User Account Control: Admin Approval Mode for the Built-in Administrator account* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Virtualize file and registry write failures to per-user locations - -This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *User Account Control: Virtualize file and registry write failures to per-user locations* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -The following list shows the supported values: - -- 0 - Disabled: Applications that write data to protected locations fail. -- 1 - Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. - - - -
    - - - -## Related topics +> Use this option only in the most constrained environments. - Prompt for credentials on the secure desktop When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - Prompt for consent on the secure desktop When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - Prompt for credentials When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - Prompt for consent When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - Prompt for consent for non-Windows binaries (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 5 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Elevate without prompting. | +| 1 | Prompt for credentials on the secure desktop. | +| 2 | Prompt for consent on the secure desktop. | +| 3 | Prompt for credentials. | +| 4 | Prompt for consent. | +| 5 (Default) | Prompt for consent for non-Windows binaries. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers +``` + + + + +User Account Control: Behavior of the elevation prompt for standard users This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Automatically deny elevation requests. | +| 1 | Prompt for credentials on the secure desktop. | +| 3 (Default) | Prompt for credentials. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Behavior of the elevation prompt for standard users | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_DetectApplicationInstallationsAndPromptForElevation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation +``` + + + + +User Account Control: Detect application installations and prompt for elevation This policy setting controls the behavior of application installation detection for the computer. The options are: Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Enable. | +| 0 | Disable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Detect application installations and prompt for elevation | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated +``` + + + + +User Account Control: Only elevate executable files that are signed and validated This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. The options are: - Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. - Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled: Does not enforce validation. | +| 1 | Enabled: Enforces validation. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Only elevate executables that are signed and validated | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations +``` + + + + +User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\Program Files\, including subfolders - ...\Windows\system32\ - ...\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled: Application runs with UIAccess integrity even if it does not reside in a secure location. | +| 1 (Default) | Enabled: Application runs with UIAccess integrity only if it resides in secure location. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Only elevate UIAccess applications that are installed in secure locations | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_RunAllAdministratorsInAdminApprovalMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode +``` + + + + +User Account Control Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are - Enabled (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - Disabled Admin Approval Mode and all related UAC policy settings are disabled + +> [!NOTE] +> If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Run all administrators in Admin Approval Mode | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation +``` + + + + +User Account Control: Switch to the secure desktop when prompting for elevation This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Switch to the secure desktop when prompting for elevation | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_UseAdminApprovalMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode +``` + + + + +User Account Control: Use Admin Approval Mode for the built-in Administrator account This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: - Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. - Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Admin Approval Mode for the Built-in Administrator account | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations +``` + + + + +User Account Control: Virtualize file and registry write failures to per-user locations This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. The options are: - Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. - Disabled: Applications that write data to protected locations fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Virtualize file and registry write failures to per-user locations | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 10e2076e07..f2cfa06fb3 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md 
@@ -1,65 +1,142 @@
 ---
-title: Policy CSP - LocalUsersAndGroups
-description: Policy CSP - LocalUsersAndGroups
+title: LocalUsersAndGroups Policy CSP
+description: Learn more about the LocalUsersAndGroups Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 10/14/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - LocalUsersAndGroups
-
    + + + - -## LocalUsersAndGroups policies + +## Configure -
    -
    - LocalUsersAndGroups/Configure -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure +``` + - -**LocalUsersAndGroups/Configure** + + +This Setting allows an administrator to manage local groups on a Device. Possible settings: - +1. Update Group Membership Update a group and add and/or remove members though the 'U' action. When using Update, existing group members that are not specified in the policy remain untouched. +2. Replace Group Membership Restrict a group by replacing group membership through the 'R' action. When using Replace, existing group membership is replaced by the list of members specified in the add member section. This option works in the same way as a Restricted Group and any group members that are not specified in the policy are removed. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. +> [!CAUTION] +> If the same group is configured with both Replace and Update, then Replace will win. + + + > [!NOTE] -> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or Azure Active Directory groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. +> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#configuregroupmembership) policy setting also allows you to configure members (users or Azure Active Directory groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. > -> Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. +> Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersAndGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +
    +
    + Expand to see schema XML + +```xml + + + + + + + + + + + + Group Configuration Action + + + + + + + + Group Member to Add + + + + + + + + Group Member to Remove + + + + + + + + Group property to configure + + + + + + + + + + + + + + + + Local Group Configuration + + + + + + +``` + +
    + + + + +**Examples**: Here is an example of the policy definition XML for group configuration: 
@@ -77,32 +154,26 @@ where: - ``: Specifies the name or SID of the local group to configure. If you specify a SID, the [LookupAccountSid](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API is used to translate the SID to a valid group name. If you specify a name, the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API is used to lookup the group and validate the name. If name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing. - ``: Specifies the action to take on the local group, which can be Update and Restrict, represented by U and R: - - Update. This action must be used to keep the current group membership intact and add or remove members of the specific group. - - Restrict. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as the [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting. + - Update. This action must be used to keep the current group membership intact and add or remove members of the specific group. + - Restrict. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as the [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#configuregroupmembership) policy setting. - ``: Specifies the SID or name of the member to configure. - ``: Specifies the SID or name of the member to remove from the specified group. > [!NOTE] - > When specifying member names of the user accounts, you must use following format – AzureAD\userUPN. For example, "AzureAD\user1@contoso.com" or "AzureAD\user2@contoso.co.uk". + > When specifying member names of the user accounts, you must use following format - AzureAD\userUPN. 
For example, "AzureAD\user1@contoso.com" or "AzureAD\user2@contoso.co.uk". For adding Azure AD groups, you need to specify the Azure AD Group SID. Azure AD group names are not supported with this policy. For more information, see [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea). See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles. > [!IMPORTANT] +> > - `` and `` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](/graph/api/resources/group?view=graph-rest-1.0&preserve-view=true#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute. > - When specifying a SID in the `` or ``, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct. > - `` is not valid for the R (Restrict) action and will be ignored if present. > - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that, if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present. - - - - - -**Examples** - -Example 1: Azure Active Directory focused. +**Example 1**: Azure Active Directory focused. The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. 
@@ -116,12 +187,11 @@ The following example updates the built-in administrators group with the SID **S ``` -Example 2: Replace / Restrict the built-in administrators group with an Azure AD user account. +**Example 2**: Replace / Restrict the built-in administrators group with an Azure AD user account. > [!NOTE] -> When using the ‘R’ replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group. +> When using the 'R' replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group. -Example: ```xml @@ -132,7 +202,7 @@ Example: ``` -Example 3: Update action for adding and removing group members on a hybrid joined machine. +**Example 3**: Update action for adding and removing group members on a hybrid joined machine. The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add an Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. @@ -147,16 +217,8 @@ The following example shows how you can update a local group (**Administrators** ``` - - - - - -
    - > [!NOTE] -> -> When Azure Active Directory group SID’s are added to local groups, Azure AD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device: +> When Azure Active Directory group SID's are added to local groups, Azure AD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device: > > - Administrators > - Users @@ -164,7 +226,12 @@ The following example shows how you can update a local group (**Administrators** > - Power Users > - Remote Desktop Users > - Remote Management Users + + + + + ## FAQs This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP. @@ -208,8 +275,7 @@ If you specify both R and U in the same XML, the R (Restrict) action takes prece After a policy is applied on the client device, you can investigate the event log to review the result: 1. Open Event Viewer (**eventvwr.exe**). -2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise- -Diagnostics-Provider** > **Admin**. +2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostics-Provider** > **Admin**. 3. Search for the `LocalUsersAndGroups` string to review the relevant details. ### How can I troubleshoot Name/SID lookup APIs? @@ -220,7 +286,6 @@ To troubleshoot Name/SID lookup APIs: ```powershell Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x800 -Type dword -Force - Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x1 -Type dword -Force ``` 
@@ -230,73 +295,12 @@ To troubleshoot Name/SID lookup APIs: ```powershell Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force - Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x0 -Type dword -Force ``` + -```xml - - - - - - - - - - - - Group Configuration Action - - - - - - - - Group Member to Add - - - - - - - - Group Member to Remove - - - - - - - - Group property to configure - - - - - - - - - - - - - - - - Local Group Configuration - - - - - - -``` + - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index fd60ffcbaa..d622ee011f 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -1,84 +1,98 @@ --- -title: Policy CSP - LockDown -description: Use the Policy CSP - LockDown setting to allow the user to invoke any system user interface by swiping in from any screen edge using touch. +title: LockDown Policy CSP +description: Learn more about the LockDown Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - LockDown -
    + + + - -## LockDown policies + +## AllowEdgeSwipe -
    -
    - LockDown/AllowEdgeSwipe -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/LockDown/AllowEdgeSwipe +``` + - -**LockDown/AllowEdgeSwipe** + + +- If you disable this policy setting, users will not be able to invoke any system UI by swiping in from any screen edge. - +- If you enable or do not configure this policy setting, users will be able to invoke system UI by swiping in from the screen edges. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows the user to invoke any system user interface by swiping in from any screen edge using touch. + + The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied, and then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange, that will also be disabled. + - - -ADMX Info: -- GP Friendly name: *Allow edge swipe* -- GP name: *AllowEdgeSwipe* -- GP path: *Windows Components/Edge UI* -- GP ADMX file name: *EdgeUI.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 - disallow edge swipe. -- 1 (default, not configured) - allow edge swipe. + +**Allowed values**: - - -
    +| Value | Description | +|:--|:--| +| 0 | Disallow edge swipe. | +| 1 (Default) | Allow edge swipe. | + - + +**Group policy mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | AllowEdgeSwipe | +| Friendly Name | Allow edge swipe | +| Location | Computer and User Configuration | +| Path | Windows Components > Edge UI | +| Registry Key Name | Software\Policies\Microsoft\Windows\EdgeUI | +| Registry Value Name | AllowEdgeSwipe | +| ADMX File Name | EdgeUI.admx | + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-lsa.md b/windows/client-management/mdm/policy-csp-lsa.md index 89702a9f64..44b1d9a8ae 100644 --- a/windows/client-management/mdm/policy-csp-lsa.md +++ b/windows/client-management/mdm/policy-csp-lsa.md @@ -1,131 +1,167 @@ --- -title: Policy CSP - LocalSecurityAuthority -description: Use the LocalSecurityAuthority CSP to configure policies for the Windows Local Security Authority Subsystem Service (LSASS). -ms.author: vinpa +title: LocalSecurityAuthority Policy CSP +description: Learn more about the LocalSecurityAuthority Area in Policy CSP. author: vinaypamnani-msft -ms.reviewer: manager: aaroncz -ms.topic: reference +ms.author: vinpa +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -ms.localizationpriority: medium -ms.date: 08/26/2022 +ms.topic: reference --- -# Policy CSP - LocalSecurity Authority + - -
    - - -## LocalSecurityAuthority policies - -
    -
    - LocalSecurityAuthority/AllowCustomSSPsAPs -
    -
    - LocalSecurityAuthority/ConfigureLsaProtectedProcess -
    -
    + +# Policy CSP - LocalSecurityAuthority > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowCustomSSPsAPs - -**LocalSecurityAuthority/AllowCustomSSPsAPs** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/AllowCustomSSPsAPs +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy controls the configuration under which LSASS loads custom SSPs and APs. - -
    +- If you enable this setting or do not configure it, LSA allows custom SSPs and APs to be loaded. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you disable this setting, LSA does not load custom SSPs and APs. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -This policy setting defines whether the Local Security Authority Subsystem Service (LSASS) will allow loading of custom security support providers (SSPs) and authentication providers (APs). +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you enable this policy setting or don't configure it, LSASS will allow loading of custom SSPs and APs. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you disable this policy setting, LSASS will block custom SSPs and APs from loading. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowCustomSSPsAPs | +| Friendly Name | Allow Custom SSPs and APs to be loaded into LSASS | +| Location | Computer Configuration | +| Path | System > Local Security Authority | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowCustomSSPsAPs | +| ADMX File Name | LocalSecurityAuthority.admx | + - -ADMX Info: -- GP Friendly name: *Allow Custom SSPs and APs to be loaded into LSASS* -- GP name: *AllowCustomSSPsAPs* -- GP path: *System/Local Security Authority* -- GP ADMX file name: *LocalSecurityAuthority.admx* + + + - - + -
    + +## ConfigureLsaProtectedProcess - -**Kerberos/ConfigureLsaProtectedProcess** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/ConfigureLsaProtectedProcess +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy controls the configuration under which LSASS is run. - -
    +- If you do not configure this policy and there is no current setting in the registry, LSA will run as protected process for clean installed, HVCI capable, client SKUs that are domain or cloud domain joined devices. This configuration is not UEFI locked. This can be overridden if the policy is configured. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you configure and set this policy setting to "Disabled", LSA will not run as a protected process. -> [!div class = "checklist"] -> * Device +- If you configure and set this policy setting to "EnabledWithUEFILock," LSA will run as a protected process and this configuration is UEFI locked. -
    +- If you configure and set this policy setting to "EnabledWithoutUEFILock", LSA will run as a protected process and this configuration is not UEFI locked. + - - -This policy setting configures the Local Security Authority Subsystem Service (LSASS) to run as a protected process. + + + -If you disable (0) or don't configure this policy setting, LSASS won't run as a protected process. + +**Description framework properties**: -If you enable this policy with UEFI lock (1), LSASS will run as a protected process and this setting will be stored in a UEFI variable. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -If you enable this policy without UEFI lock (2), LSASS will run as a protected process and this setting won't be stored in a UEFI variable. + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. Default value. LSA will not run as protected process. | +| 1 | Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked. | +| 2 | Enabled without UEFI lock. LSA will run as protected process and this configuration is not UEFI locked. | + - -ADMX Info: -- GP Friendly name: *Configure LSASS to run as a protected process* -- GP name: *ConfigureLsaProtectedProcess* -- GP path: *System/Local Security Authority* -- GP ADMX file name: *LocalSecurityAuthority.admx* + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | ConfigureLsaProtectedProcess | +| Friendly Name | Configures LSASS to run as a protected process | +| Location | Computer Configuration | +| Path | System > Local Security Authority | +| Registry Key Name | System\CurrentControlSet\Control\Lsa | +| ADMX File Name | LocalSecurityAuthority.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) 
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index be48625372..60f394302c 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -1,132 +1,145 @@ --- -title: Policy CSP - Maps -description: Use the Policy CSP - Maps setting to allow the download and update of map data over metered connections. +title: Maps Policy CSP +description: Learn more about the Maps Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Maps -
    + + + - -## Maps policies + +## AllowOfflineMapsDownloadOverMeteredConnection -
    -
    - Maps/AllowOfflineMapsDownloadOverMeteredConnection -
    -
    - Maps/EnableOfflineMapsAutoUpdate -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Maps/AllowOfflineMapsDownloadOverMeteredConnection +``` + - -**Maps/AllowOfflineMapsDownloadOverMeteredConnection** + + +Allows the download and update of map data over metered connections. After the policy is applied, you can verify the settings in the user interface in System > Offline Maps. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 | Disabled. Force disable auto-update over metered connection. | +| 1 | Enabled. Force enable auto-update over metered connection. | +| 65535 (Default) | Not configured. User's choice. | + -
    + + + - - -Allows the download and update of map data over metered connections. + -After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. + +## EnableOfflineMapsAutoUpdate - - -The following list shows the supported values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -- 0 – Disabled. Force disable auto-update over metered connection. -- 1 – Enabled. Force enable auto-update over metered connection. -- 65535 (default) – Not configured. User's choice. + +```Device +./Device/Vendor/MSFT/Policy/Config/Maps/EnableOfflineMapsAutoUpdate +``` + - - + + +Disables the automatic download and update of map data. After the policy is applied, you can verify the settings in the user interface in System > Offline Maps. + -
    + + + - -**Maps/EnableOfflineMapsAutoUpdate** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 | Disabled. Force off auto-update. | +| 1 | Enabled. Force on auto-update. | +| 65535 (Default) | Not configured. User's choice. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | TurnOffAutoUpdate | +| Friendly Name | Turn off Automatic Download and Update of Map Data | +| Location | Computer Configuration | +| Path | Windows Components > Maps | +| Registry Key Name | Software\Policies\Microsoft\Windows\Maps | +| Registry Value Name | AutoDownloadAndUpdateMapData | +| ADMX File Name | WinMaps.admx | + -
    + + + - - -Disables the automatic download and update of map data. + -After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. + + + - - -ADMX Info: -- GP Friendly name: *Turn off Automatic Download and Update of Map Data* -- GP name: *TurnOffAutoUpdate* -- GP path: *Windows Components/Maps* -- GP ADMX file name: *WinMaps.admx* + - - -The following list shows the supported values: +## Related articles -- 0 – Disabled. Force off auto-update. -- 1 – Enabled. Force on auto-update. -- 65535 (default) – Not configured. User's choice. - - - -
    - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-memorydump.md b/windows/client-management/mdm/policy-csp-memorydump.md index a1ced538a9..26fdcc2171 100644 --- a/windows/client-management/mdm/policy-csp-memorydump.md +++ b/windows/client-management/mdm/policy-csp-memorydump.md @@ -1,119 +1,129 @@ --- -title: Policy CSP - MemoryDump -description: Use the Policy CSP +title: MemoryDump Policy CSP +description: Learn more about the MemoryDump Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - MemoryDump -
    + + + - -## MemoryDump policies + +## AllowCrashDump -
    -
    - MemoryDump/AllowCrashDump -
    -
    - MemoryDump/AllowLiveDump -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump +``` + - -**MemoryDump/AllowCrashDump** + + +This policy setting decides if crash dump collection on the machine is allowed or not. Supported values: 0 - Disable crash dump collection. 1 (default) - Allow crash dump collection. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 | Disable crash dump collection. | +| 1 (Default) | Allow crash dump collection. | + -
    + + + - - -This policy setting decides if crash dump collection on the machine is allowed or not. + - - -The following list shows the supported values: + +## AllowLiveDump -- 0 - Disable crash dump collection. -- 1 (default) - Allow crash dump collection. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump +``` + -
    + + +This policy setting decides if live dump collection on the machine is allowed or not. Supported values: 0 - Disable live dump collection. 1 (default) - Allow live dump collection. + - -**MemoryDump/AllowLiveDump** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 | Disable live dump collection. | +| 1 (Default) | Allow live dump collection. | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -This policy setting decides if crash dump collection on the machine is allowed or not. + + + - + - -The following list shows the supported values: +## Related articles -- 0 - Disable crash dump collection. -- 1 (default) - Allow crash dump collection. - - - -
    - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index 167c581829..dc279d3c41 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -1,83 +1,194 @@ --- -title: Policy CSP - Messaging -description: Enable, and disable, text message backup and restore as well as Messaging Everywhere by using the Policy CSP for messaging. +title: Messaging Policy CSP +description: Learn more about the Messaging Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Messaging -
    + + + - -## Messaging policies + +## AllowMessageSync -
    -
    - Messaging/AllowMessageSync -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Messaging/AllowMessageSync +``` + - -**Messaging/AllowMessageSync** + + +This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. + - + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Disable this feature to avoid information being stored on servers outside of your organization's control. + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -> [!div class = "checklist"] -> * Device + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Message sync is not allowed and cannot be changed by the user. | +| 1 (Default) | Message sync is allowed. The user can change this setting. | + - - -Enables text message backup and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. + +**Group policy mapping**: - - -ADMX Info: -- GP Friendly name: *Allow Message Service Cloud Sync* -- GP name: *AllowMessageSync* -- GP path: *Windows Components/Messaging* -- GP ADMX file name: *messaging.admx* +| Name | Value | +|:--|:--| +| Name | AllowMessageSync | +| Friendly Name | Allow Message Service Cloud Sync | +| Location | Computer Configuration | +| Path | Windows Components > Messaging | +| Registry Key Name | Software\Policies\Microsoft\Windows\Messaging | +| Registry Value Name | AllowMessageSync | +| ADMX File Name | messaging.admx | + - - -The following list shows the supported values: + + + -- 0 - message sync isn't allowed and can't be changed by the user. -- 1 - message sync is allowed. The user can change this setting. + - - + +## AllowMMS -
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Messaging/AllowMMS
+```
+
-## Related topics
+
+
+This policy setting allows you to enable or disable the sending and receiving cellular MMS messages.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 (Default) | Allow. |
+| 0 | Block. |
+
+
+
+
+
+
+
+
+
+## AllowRCS
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Messaging/AllowRCS +``` + + + + +This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Allow. | +| 0 | Block. | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index dc083daf3c..6f83800c56 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -1,782 +1,1060 @@ --- -title: Policy CSP - MixedReality -description: Policy CSP - MixedReality +title: MixedReality Policy CSP +description: Learn more about the MixedReality Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.reviewer: -manager: aaroncz -ms.date: 12/31/2017 +ms.topic: reference --- + + + # Policy CSP - MixedReality -
+> [!TIP]
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-## MixedReality policies
+
+
+These policies are only supported on [Microsoft HoloLens 2](/hololens/hololens2-hardware). They're not supported on HoloLens (first gen) Development Edition or HoloLens (first gen) Commercial Suite devices.
+
-
    -
    - MixedReality/AADGroupMembershipCacheValidityInDays -
    -
    - MixedReality/AllowCaptivePortalBeforeLogon -
    -
    - MixedReality/AllowLaunchUriInSingleAppKiosk -
    -
    - MixedReality/AutoLogonUser -
    -
    - MixedReality/BrightnessButtonDisabled -
    -
    - MixedReality/ConfigureMovingPlatform -
    -
    - MixedReality/ConfigureNtpClient -
    -
    - MixedReality/DisallowNetworkConnectivityPassivePolling -
    -
    - MixedReality/FallbackDiagnostics -
    -
    - MixedReality/HeadTrackingMode -
    -
    - MixedReality/ManualDownDirectionDisabled -
    -
    - MixedReality/MicrophoneDisabled -
    -
    - MixedReality/NtpClientEnabled -
    -
    - MixedReality/SkipCalibrationDuringSetup -
    -
    - MixedReality/SkipTrainingDuringSetup -
    -
    - MixedReality/VisitorAutoLogon -
    -
    - MixedReality/VolumeButtonDisabled -
    -
    + +## AADGroupMembershipCacheValidityInDays -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -**MixedReality/AADGroupMembershipCacheValidityInDays** + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays +``` + - - -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + + +This policy controls for how many days, AAD group membership cache is allowed to be used for Assigned Access configurations targeting AAD groups for signed in user. Once this policy is set only then cache is used otherwise not. In order for this policy to take effect, user must sign-out and sign-in with Internet available at least once before the cache can be used for subsequent 'disconnected' sessions. + + + Steps to use this policy correctly: -1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s). -1. Create a custom OMA URI-based device configuration that sets this policy value to chosen number of days (> 0) and assign it to HoloLens devices. - 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays - 1. The value can be between min / max allowed. -1. Enroll HoloLens devices and verify both configurations get applied to the device. -1. Let Azure AD user 1 sign-in, when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created. -1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. -1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they're a member of Azure AD group to which Kiosk configuration is targeted. +1. 
Create a device configuration profile for kiosk, which targets Azure AD groups. Assign it to the HoloLens devices. +1. Create a custom OMA URI-based device configuration. Set this policy value to the chosen number of days greater than zero (`0`). Then assign the configuration to the HoloLens devices. + - The URI value should be entered in OMA-URI text box as `./Device/Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays` + - The value can be any integer in the allowed range. +1. Enroll the HoloLens devices. Verify that both configurations apply to the device. +1. When internet is available, sign in as an Azure AD user. Once the user signs-in, and Azure AD group membership is confirmed successfully, the cache will be created. +1. You can now take the HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. +1. Steps 4 and 5 can be repeated for any other Azure AD user. The key point is that any Azure AD user must sign-in at least once to a device while on the internet. Then we can determine that they're a member of an Azure AD group to which the kiosk configuration is targeted. > [!NOTE] -> Until step 4 is performed for a Azure AD, user will experience failure behavior mentioned similar to “disconnected” environments. +> Until you do step 4 for an Azure AD user, the user will experience failure behavior similar to a disconnected environment. + - -
+
+**Description framework properties**:
-
-**MixedReality/AllowCaptivePortalBeforeLogon**
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-60]` |
+| Default Value | 0 |
+
-
+
+
+
-|Windows Edition|Supported|
-|--- |--- |
-|HoloLens (first gen) Development Edition|No|
-|HoloLens (first gen) Commercial Suite|No|
-|HoloLens 2|Yes|
+
+
+## AllowCaptivePortalBeforeLogon
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeLogon
+```
+
-> [!div class = "checklist"]
-> * Device
+
+
+This policy controls whether the device will display the captive portal flow on the HoloLens sign in screen's network selection page when a captive portal network is detected. Displaying the captive portal flow is disabled by default to reduce the potential of gaining unauthorized access to the device through the browser.
+
-
+
+
+This opt-in policy can help with the setup of new devices in new areas or new users. The captive portal allows a user to enter credentials to connect to the Wi-Fi access point. If enabled, sign in will implement similar logic as OOBE to display captive portal if necessary.
+
-
-This new feature is an opt-in policy that IT Admins can enable to help with the setup of new devices in new areas or new users. When this policy is turned on it allows a captive portal on the sign-in screen, which allows a user to enter credentials to connect to the Wi-Fi access point. If enabled, sign in will implement similar logic as OOBE to display captive portal if necessary.
+
+**Description framework properties**:
-MixedReality/AllowCaptivePortalBeforeLogon
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeLogon`
+
+**Allowed values**:
-Int value
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Displaying captive portal is not allowed. |
+| 1 | Displaying captive portal is allowed. |
+
-- 0: (Default) Off
-- 1: On
+
+
+
-
+
-
+
+## AllowLaunchUriInSingleAppKiosk
-
-**MixedReality/AllowLaunchUriInSingleAppKiosk**
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowLaunchUriInSingleAppKiosk +``` + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + + +By default, launching applications via Launcher API (Launcher Class (Windows. System) - Windows UWP applications | Microsoft Docs) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Enable this policy to allow for other apps to be launched within a single app kiosk. This behavior may be useful if you want to launch the Settings app to calibrate your device or change your Wi-Fi. -> [!div class = "checklist"] -> * Device +For more information on the Launcher API, see [Launcher Class (Windows.System) - Windows UWP applications](/uwp/api/windows.system.launcher). + -
    + +**Description framework properties**: - -This can be enabled to allow for other apps to be launched with in a single app Kiosk, which may be useful, for example, if you want to launch the Settings app to calibrate your device or change your Wi-Fi. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -By default, launching applications via Launcher API (Launcher Class (Windows.System) - Windows UWP applications) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true. + +**Allowed values**: -The OMA-URI of policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowLaunchUriInSingleAppKiosk` +| Value | Description | +|:--|:--| +| 0 (Default) | Applications are not allowed to be launched with Launcher API, when in single app kiosk mode. | +| 1 | Applications are allowed to be launched with Launcher API, when in single app kiosk mode. | + -Bool value + + + - + - + +## AutoLogonUser - -**MixedReality/AutoLogonUser** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/AutoLogonUser +``` + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + + +This policy controls whether a user will be automatically logged on. When the policy is set to a non-empty value, it specifies the email address of the auto-logon user. The specified user must logon to the device at least once to enable auto-logon. + - -This new AutoLogonUser policy controls whether a user will be automatically signed in. Some customers want to set up devices that are tied to an identity but don't want any sign-in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up sign-in. + + +Some customers want to set up devices that are tied to an identity but don't want any sign-in experience. In this case, you can pick up a device and immediately use remote assist. It also allows you to rapidly distribute HoloLens devices and have users speed up sign-in. -When the policy is set to a non-empty value, it specifies the email address of the auto log-on user. The specified user must sign in to the device at least once to enable autologon. +The string value is the email address of the user to automatically sign in. -The OMA-URI of new policy `./Device/Vendor/MSFT/Policy/Config/MixedReality/AutoLogonUser` - - -Supported value is String. - -- User with the same email address will have autologon enabled. - -On a device where this policy is configured, the user specified in the policy will need to sign in at least once. Subsequent reboots of the device after the first sign-in will have the specified user automatically signed in. Only a single autologon user is supported. 
Once enabled, the automatically signed-in user won't be able to sign out manually. To sign in as a different user, the policy must first be disabled. +On a device where you configure this policy, the user specified in the policy needs to sign in at least once. Subsequent reboots of the device after the first sign-in will have the specified user automatically signed in. Only a single auto-logon user is supported. Once enabled, the automatically signed-in user can't manually sign out. To sign in as a different user, first disable this policy. > [!NOTE] > -> - Some events such as major OS updates may require the specified user to logon to the device again to resume auto-logon behavior. -> - Auto-logon is only supported for Microsoft account and Azure Active Directory users. +> - Some events such as major OS updates may require the specified user to sign in to the device again to resume auto-logon behavior. +> - Auto-logon is only supported for Microsoft accounts and Azure Active Directory (Azure AD) users. + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -This policy setting controls, for how many days Azure AD group membership cache is allowed to be used for the Assigned Access configurations, targeting Azure AD groups for signed in user. Once this policy setting is set, only then cache is used, otherwise not. In order for this policy setting to take effect, user must sign out and sign in with Internet available at least once before the cache can be used for subsequent "disconnected" sessions. + +## AutomaticDisplayAdjustment - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/AutomaticDisplayAdjustment +``` + - -Supported value is Integer. + + +This policy controls if the HoloLens displays will be automatically adjusted for your eyes to improve hologram visual quality when an user wears the device. When this feature is enabled, a new user upon wearing the device will not be prompted to calibrate and yet the displays will be adjusted to suite them automatically. However if an immersive application is launched that depends on eye tracking interactions, the user will be prompted to perform the calibration. + -Supported values are 0-60. The default value is 0 (day) and maximum value is 60 (days). + + + - - -
    + +**Description framework properties**: - -**MixedReality/BrightnessButtonDisabled** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## BrightnessButtonDisabled -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/BrightnessButtonDisabled +``` + + + + This policy setting controls if pressing the brightness button changes the brightness or not. It only impacts brightness on HoloLens and not the functionality of the button when it's used with other buttons as combination for other purposes. + - + + + - - + +**Description framework properties**: - -Supported values is Boolean. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -The following list shows the supported values: + +**Allowed values**: -- 0 - False (Default) -- 1 - True +| Value | Description | +|:--|:--| +| 0 (Default) | Brightness can be changed with press of brightness button. | +| 1 | Brightness cannot be changed with press of brightness button. | + - - -
    + + + - -**MixedReality/ConfigureMovingPlatform** + - + +## ConfigureMovingPlatform -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureMovingPlatform +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This policy controls the behavior of moving platform feature on HoloLens 2, that is, whether it's turned off / on or it can be toggled by a user. It should only be used by customers who intend to use HoloLens 2 in moving environments with low dynamic motion. Please refer to HoloLens 2 Moving Platform Mode for background information. + -> [!div class = "checklist"] -> * Device + + +For more information, see [Moving platform mode on low dynamic motion moving platforms](/hololens/hololens2-moving-platform). + -
    + +**Description framework properties**: - - -This policy controls the behavior of moving platform feature on HoloLens 2, that is, whether it's turned off / on, or it can be toggled by a user. It should only be used by customers who intend to use HoloLens 2 in moving environments with low dynamic motion. For background information, see [HoloLens 2 Moving Platform Mode | Microsoft Docs](/hololens/hololens2-moving-platform#:~:text=Why%20Moving%20Platform%20Mode%20is%20Necessary%20HoloLens%20needs%2csimilar%20pieces%20of%20information%20from%20two%20separate%20sources:). +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Last set user's preference. Initial state is OFF and after that user's preference is persisted across reboots and is used to initialize the system. | +| 1 | Moving platform is disabled and cannot be changed by user. | +| 2 | Moving platform is enabled and cannot be changed by user. | + - -Supported value is Integer. + + + -- 0 (Default) - Last set user's preference. Initial state is OFF and after that user's preference is persisted across reboots and is used to initialize the system. -- 1 Force off - Moving platform is disabled and can't be changed by user. -- 2 Force on - Moving platform is enabled and can't be changed by user. + - - -
    + +## ConfigureNtpClient - -**MixedReality/ConfigureNtpClient** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureNtpClient +``` + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + + +This policy setting specifies a set of parameters for controlling the Windows NTP Client. - -
    +- If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you disable or do not configure this policy setting, the WIndows NTP Client uses the defaults of each of the following parameters. -> [!div class = "checklist"] -> * Device +NtpServer +The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of "dnsName,flags" where "flags" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is "time.windows.com,0x09". -
    +Type +This value controls the authentication that W32time uses. The default value is NT5DS. - - +CrossSiteSyncFlags +This value, expressed as a bitmask, controls how W32time chooses time sources outside its own site. The possible values are 0, 1, and 2. Setting this value to 0 (None) indicates that the time client should not attempt to synchronize time outside its site. Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization partner can be used. This value is ignored if the NT5DS value is not set. The default value is 2 decimal (0x02 hexadecimal). -You may want to configure a different time server for your device fleet. IT admins can use this policy to configure certain aspects of NTP client with following policies. In the Settings app, the Time/Language page will show the time server after a time sync has occurred. E.g. `time.windows.com` or another if another value is configured via MDM policy. +ResolvePeerBackoffMinutes +This value, expressed in minutes, controls how long W32time waits before it attempts to resolve a DNS name when a previous attempt failed. The default value is 15 minutes. -This policy setting specifies a set of parameters for controlling the Windows NTP Client. Refer to [Policy CSP - ADMX_W32Time - Windows Client Management](/windows/client-management/mdm/policy-csp-admx-w32time#admx-w32time-policy-configure-ntpclient) for supported configuration parameters. +ResolvePeerBackoffMaxTimes +This value controls how many times W32time attempts to resolve a DNS name before the discovery process is restarted. Each time DNS name resolution fails, the amount of time to wait before the next attempt will be twice the previous amount. The default value is seven attempts. 
+ +SpecialPollInterval +This NTP client value, expressed in seconds, controls how often a manually configured time source is polled when the time source is configured to use a special polling interval. If the SpecialInterval flag is enabled on the NTPServer setting, the client uses the value that is set as the SpecialPollInterval, instead of a variable interval between MinPollInterval and MaxPollInterval values, to determine how frequently to poll the time source. SpecialPollInterval must be in the range of [MinPollInterval, MaxPollInterval], else the nearest value of the range is picked. Default: 1024 seconds. + +EventLogFlags +This value is a bitmask that controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever a time source change is made. Because it is a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged. + + + + +**More information**: + +You may want to configure a different time server for your device fleet. You can use this policy to configure certain aspects of the NTP client. In the Settings app, the Time/Language page will show the time server after a time sync has occurred. + +For more information, see [ADMX_W32Time Policy CSP - W32Time_Policy_Configure_NTPClient](policy-csp-admx-w32time.md#w32time_policy_configure_ntpclient). > [!NOTE] -> This feature requires enabling[NtpClientEnabled](#mixedreality-ntpclientenabled) as well. +> This policy also requires enabling [NtpClientEnabled](#ntpclientenabled). +> +> After you enable this policy, restart the device for the changes to apply. + -- OMA-URI: `./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureNtpClient` + +**Description framework properties**: -> [!NOTE] -> Reboot is required for these policies to take effect. 
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | W32TIME_POLICY_CONFIGURE_NTPCLIENT | +| Friendly Name | Configure Windows NTP Client | +| Location | Computer Configuration | +| Path | System > Windows Time Service > Time Providers | +| Registry Key Name | Software\Policies\Microsoft\W32time\TimeProviders\NtpClient | +| ADMX File Name | W32Time.admx | + -- Data Type: String -- Value: + + +**Example**: + +The following XML string is an example of the value for this policy: + +```xml + + + + + + + + ``` - + + + + + +## DisallowNetworkConnectivityPassivePolling + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/DisallowNetworkConnectivityPassivePolling ``` + - - -
    + + +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. This policy allows IT admins to disable NCSI passive polling. Value type is integer. + - -**MixedReality/DisallowNetworkConnectivityPassivePolling** + + +Windows Network Connectivity Status Indicator may get a false positive internet-capable signal from passive polling. That behavior may result in the Wi-Fi adapter unexpectedly resetting when the device connects to an intranet-only access point. When you enable this policy, you can avoid unexpected network interruptions caused by false positive NCSI passive polling. + - + +**Description framework properties**: -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed. | +| 1 | Not allowed. | + -> [!div class = "checklist"] -> * Device + + + -
    + - -Windows Network Connectivity Status Indicator may get false positive Internet capable signal from passive polling. That may result in unexpected Wi-Fi adapter reset when device connects to an intranet only access point. Enabling this policy would avoid unexpected network interruptions caused by false positive NCSI passive polling. + +## EyeTrackingCalibrationPrompt -The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/DisallowNetworkConnectivityPassivePolling` + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -- Bool value + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/EyeTrackingCalibrationPrompt +``` + - + + +This policy controls when a new person uses HoloLens device, if HoloLens should automatically ask to run eye calibration. + - -
    + + + - -**MixedReality/FallbackDiagnostics** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## FallbackDiagnostics - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/FallbackDiagnostics +``` + + + + This policy setting controls, when and if diagnostic logs can be collected using specific button combination on HoloLens. + - + + + - - + +**Description framework properties**: - -Supporting value is Integer. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + -The following list shows the supported values: + +**Allowed values**: -- 0 - Disabled. -- 1 - Enabled for device owners. -- 2 - Enabled for all (Default). +| Value | Description | +|:--|:--| +| 0 | Not allowed. Diagnostic logs cannot be collected by pressing the button combination. | +| 1 | Allowed for device owners only. Diagnostics logs can be collected by pressing the button combination only if signed-in user is considered as device owner. | +| 2 (Default) | Allowed for all users. Diagnostic logs can be collected by pressing the button combination. | + - - -
    + + + - -**MixedReality/HeadTrackingMode** + - + +## HeadTrackingMode -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/HeadTrackingMode +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy configures behavior of HUP to determine, which algorithm to use for head tracking. It requires a reboot for the policy to take effect. + - + + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| `0` (Default) | Feature - Default feature based / SLAM-based tracker. | +| `1` | Constellation - LR constellation based tracker. | + - -Supporting value is Boolean. + +**Description framework properties**: -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 0 | + -- 0 - Feature – Default feature based / SLAM-based tracker (Default). -- 1 - Constellation – LR constellation based tracker. + + + - - -
    + - -**MixedReality/ManualDownDirectionDisabled** + +## ManualDownDirectionDisabled - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/ManualDownDirectionDisabled +``` + + + This policy controls whether the user can change down direction manually or not. If no down direction is set by the user, then an automatically calculated down direction is used by the system. This policy has no dependency on ConfigureMovingPlatform policy and they can be set independently. + -The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/ManualDownDirectionDisabled` + + +When the system automatically determines the down direction, it's using the measured gravity vector. + - + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -Supported values: + +**Allowed values**: -- **False (Default)** - User can manually change down direction if they desire, otherwise down direction will be determined automatically based on the measured gravity vector. -- **True** - User can’t manually change down direction and down direction will be always determined automatically based on the measured gravity vector. +| Value | Description | +|:--|:--| +| 0 (Default) | User is allowed to manually change down direction. | +| 1 | User is not allowed to manually change down direction. | + - + + + - -**MixedReality/MicrophoneDisabled** + - + +## MicrophoneDisabled -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/MicrophoneDisabled +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls whether microphone on HoloLens 2 is disabled or not. + - + + + - - + +**Description framework properties**: - -Supporting value is Boolean. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -The following list shows the supported values: + +**Allowed values**: -- 0 - False (Default) -- 1 - True +| Value | Description | +|:--|:--| +| 0 (Default) | Microphone can be used for voice. | +| 1 | Microphone cannot be used for voice. | + - + + + - -**MixedReality/NtpClientEnabled** + - + +## NtpClientEnabled -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/NtpClientEnabled +``` + + + This policy setting specifies whether the Windows NTP Client is enabled. -- OMA-URI: `./Device/Vendor/MSFT/Policy/Config/MixedReality/NtpClientEnabled` - +Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. - - +- If you enable this policy setting, you can set the local computer clock to synchronize time with NTP servers. - -- Data Type: String -- Value `` +- If you disable or do not configure this policy setting, the local computer clock does not synchronize time with NTP servers. + - + + +For more information, see the [ConfigureNtpClient](#configurentpclient) policy. + - -
    + +**Description framework properties**: - -**MixedReality/SkipCalibrationDuringSetup** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | W32TIME_POLICY_ENABLE_NTPCLIENT | +| Friendly Name | Enable Windows NTP Client | +| Location | Computer Configuration | +| Path | System > Windows Time Service > Time Providers | +| Registry Key Name | Software\Policies\Microsoft\W32time\TimeProviders\NtpClient | +| Registry Value Name | Enabled | +| ADMX File Name | W32Time.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +**Example**: -> [!div class = "checklist"] -> * Device +The following example XML string shows the value to enable this policy: -
    +```xml + +``` + - -Skips the calibration experience on HoloLens 2 devices when setting up a new user in the Out of Box Experience (OOBE) or when adding a new user to the device. The user will still be able to calibrate their device from the Settings app. + -The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipCalibrationDuringSetup` + +## SkipCalibrationDuringSetup -- Bool value + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipCalibrationDuringSetup +``` + - -
    + + +This policy configures whether the device will take the user through the eye tracking calibration process during device setup and first time user setup. If this policy is enabled, the device will not show the eye tracking calibration process during device setup and first time user setup. **Note** that until the user goes through the calibration process, eye tracking will not work on the device. If an app requires eye tracking and the user has not gone through the calibration process, the user will be prompted to do so. + - -**MixedReality/SkipTrainingDuringSetup** + + +> [!NOTE] +> The user will still be able to calibrate their device from the Settings app. + - + +**Description framework properties**: -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: +| Value | Description | +|:--|:--| +| 0 (Default) | Eye tracking calibration process will be shown during device setup and first time user setup. | +| 1 | Eye tracking calibration process will not be shown during device setup and first time user setup. | + + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## SkipTrainingDuringSetup -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + - -On HoloLens 2 devices, skips the training experience of interactions with the humming bird and start menu training when setting up a new user in the Out of Box Experience (OOBE) or when adding a new user to the device. The user will still be able to learn these movement controls from the Tips app. + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipTrainingDuringSetup +``` + -The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipTrainingDuringSetup` + + +This policy configures whether the device will take the user through a training process during device setup and first time user setup. If this policy is enabled, the device will not show the training process during device setup and first time user setup. If the user wishes to go through that training process, the user can launch the Tips app. + -- Bool value + + +It skips the training experience of interactions with the hummingbird and Start menu training. The user will still be able to learn these movement controls from the Tips app. + - + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**MixedReality/VolumeButtonDisabled** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Training process will be shown during device setup and first time user setup. | +| 1 | Training process will not be shown during device setup and first time user setup. | + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## VisitorAutoLogon -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/VisitorAutoLogon +``` + - - -This policy setting controls if pressing the volume button changes the volume or not. It only impacts volume on HoloLens and not the functionality of the button when it's used with other buttons as combination for other purposes. - - - - - - - -Supporting value is Boolean. - -The following list shows the supported values: - -- 0 - False (Default) -- 1 - True - - - -
    - - -**MixedReality/VisitorAutoLogon** - - - -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy controls whether a visitor user will be automatically logged in. Visitor users can only be created and logged in, if an Assigned Access profile has been created targeting visitor users. A visitor user will only be automatically logged in, if no other user has logged in on the device before. + - + + + - - + +**Description framework properties**: - -Supported value is Boolean. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -The following list shows the supported values: + +**Allowed values**: -- 0 Disabled (Default) -- 1 Enabled +| Value | Description | +|:--|:--| +| 0 (Default) | Visitor user will not be signed in automatically. | +| 1 | Visitor user will be signed in automatically. | + - - -
    + + + - + -## Related topics + +## VolumeButtonDisabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/MixedReality/VolumeButtonDisabled
+```
+
+
+
+
+This policy setting controls if pressing the volume button changes the volume or not. It only impacts volume on HoloLens and not the functionality of the button when it's used with other buttons as combination for other purposes.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Volume can be changed with press of the volume button. |
+| 1 | Volume cannot be changed with press of the volume button. |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
 [Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md
index 690864628e..98481bddc4 100644
--- a/windows/client-management/mdm/policy-csp-mssecurityguide.md
+++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md
@@ -1,299 +1,342 @@
 ---
-title: Policy CSP - MSSecurityGuide
-description: Learn how Policy CSP - MSSecurityGuide, an ADMX-backed policy, requires a special SyncML format to enable or disable.
+title: MSSecurityGuide Policy CSP
+description: Learn more about the MSSecurityGuide Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 02/17/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - MSSecurityGuide
-
-
    - - -## MSSecurityGuide policies - -
    -
    - MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon -
    -
    - MSSecurityGuide/ConfigureSMBV1ClientDriver -
    -
    - MSSecurityGuide/ConfigureSMBV1Server -
    -
    - MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection -
    -
    - MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications -
    -
    - MSSecurityGuide/WDigestAuthentication -
    -
    -
 > [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
+
+
+
+## ApplyUACRestrictionsToLocalAccountsOnNetworkLogon
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SecGuide_0201_LATFP | +| ADMX File Name | SecGuide.admx | + + + + + + + + + +## ConfigureSMBV1ClientDriver + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/ConfigureSMBV1ClientDriver +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SecGuide_0002_SMBv1_ClientDriver | +| ADMX File Name | SecGuide.admx | + + + + + + + + + +## ConfigureSMBV1Server + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/ConfigureSMBV1Server +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SecGuide_0001_SMBv1_Server | +| ADMX File Name | SecGuide.admx | + + + + + + + + + +## EnableStructuredExceptionHandlingOverwriteProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SecGuide_0102_SEHOP | +| ADMX File Name | SecGuide.admx | + + + + + + + + + +## TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SecGuide_0101_WDPUA | +| ADMX File Name | SecGuide.admx | + - -**MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon** + + + - + + + +## WDigestAuthentication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/WDigestAuthentication +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_SecGuide_0202_WDigestAuthn | +| ADMX File Name | SecGuide.admx | + - -ADMX Info: -- GP name: *Pol_SecGuide_0201_LATFP* -- GP ADMX file name: *SecGuide.admx* + + + - - + -
    + + + - -**MSSecurityGuide/ConfigureSMBV1ClientDriver** + - +## Related articles -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - - - - -ADMX Info: -- GP name: *Pol_SecGuide_0002_SMBv1_ClientDriver* -- GP ADMX file name: *SecGuide.admx* - - - - -
    - - -**MSSecurityGuide/ConfigureSMBV1Server** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - - - - -ADMX Info: -- GP name: *Pol_SecGuide_0001_SMBv1_Server* -- GP ADMX file name: *SecGuide.admx* - - - - -
    - - -**MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - - - - -ADMX Info: -- GP name: *Pol_SecGuide_0102_SEHOP* -- GP ADMX file name: *SecGuide.admx* - - - - -
    - - -**MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - - - -ADMX Info: -- GP name: *Pol_SecGuide_0101_WDPUA* -- GP ADMX file name: *SecGuide.admx* - - - - -
    - - -**MSSecurityGuide/WDigestAuthentication** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - - - -ADMX Info: -- GP name: *Pol_SecGuide_0202_WDigestAuthn* -- GP ADMX file name: *SecGuide.admx* - - - -
    -
-
-
-## Related topics
-
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md
index c7e71ee0cf..c164d07e12 100644
--- a/windows/client-management/mdm/policy-csp-msslegacy.md
+++ b/windows/client-management/mdm/policy-csp-msslegacy.md
@@ -1,10 +1,10 @@
 ---
 title: MSSLegacy Policy CSP
-description: Learn more about the MSSLegacy Area in Policy CSP
+description: Learn more about the MSSLegacy Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 11/29/2022
+ms.date: 01/09/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -17,9 +17,7 @@ ms.topic: reference
 # Policy CSP - MSSLegacy
 > [!TIP]
-> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -43,7 +41,7 @@ ms.topic: reference
-
+
@@ -61,7 +59,16 @@ Allow ICMP redirects to override OSPF generated routes.
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Pol_MSS_EnableICMPRedirect |
+| ADMX File Name | mss-legacy.admx |
@@ -86,7 +93,7 @@ Allow ICMP redirects to override OSPF generated routes.
-
+
@@ -104,7 +111,16 @@ Allow the computer to ignore NetBIOS name release requests except from WINS serv
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Pol_MSS_NoNameReleaseOnDemand |
+| ADMX File Name | mss-legacy.admx |
@@ -129,7 +145,7 @@ Allow the computer to ignore NetBIOS name release requests except from WINS serv
-
+
@@ -147,7 +163,16 @@ IP source routing protection level (protects against packet spoofing).
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Pol_MSS_DisableIPSourceRouting |
+| ADMX File Name | mss-legacy.admx |
@@ -172,7 +197,7 @@ IP source routing protection level (protects against packet spoofing).
-
+
@@ -190,7 +215,16 @@ IPv6 source routing protection level (protects against packet spoofing). - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_DisableIPSourceRoutingIPv6 | +| ADMX File Name | mss-legacy.admx | diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md index 8893e13ac4..ee17cf4ab6 100644 --- a/windows/client-management/mdm/policy-csp-multitasking.md +++ b/windows/client-management/mdm/policy-csp-multitasking.md @@ -1,101 +1,99 @@ --- -title: Policy CSP - Multitasking -description: Policy CSP - Multitasking +title: Multitasking Policy CSP +description: Learn more about the Multitasking Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 10/30/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Multitasking -
    + + + - -## Multitasking policies + +## BrowserAltTabBlowout -
    -
    - Multitasking/BrowserAltTabBlowout -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/Multitasking/BrowserAltTabBlowout +``` + - -**Multitasking/BrowserAltTabBlowout** + + +Configures the inclusion of Microsoft Edge tabs into Alt-Tab. + - + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +> [!WARNING] +> This policy is currently in preview mode only. It may be used for testing purposes, but shouldn't be used in a production environment at this time. - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -> [!Warning] -> This policy is currently in preview mode only and will be supported in future releases. It may be used for testing purposes, but should not be used in a production environment at this time. - -This policy controls the inclusion of Edge tabs into Alt+Tab. - -Enabling this policy restricts the number of Edge tabs that are allowed to appear in the Alt+Tab switcher. Alt+Tab can be configured to show all open Edge tabs, only the five most recent tabs, only the three most recent tabs, or no tabs. Setting the policy to no tabs configures the Alt+Tab switcher to show app windows only, which is the classic Alt+Tab behavior. +Enabling this policy restricts the number of Microsoft Edge tabs that are allowed to appear in the Alt+Tab switcher. Alt+Tab can be configured to show all open Microsoft Edge tabs, only the five most recent tabs, only the three most recent tabs, or no tabs. Setting the policy to no tabs configures the Alt+Tab switcher to show app windows only, which is the classic Alt+Tab behavior. This policy only applies to the Alt+Tab switcher. When the policy isn't enabled, the feature respects the user's setting in the Settings app. - + -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure the inclusion of Edge tabs into Alt-Tab* -- GP name: *BrowserAltTabBlowout* -- GP path: *Windows Components/Multitasking* -- GP ADMX file name: *Multitasking.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: - -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 1 (Default) | Open windows and all tabs in Microsoft Edge. | +| 2 | Open windows and 5 most recent tabs in Microsoft Edge. | +| 3 | Open windows and 3 most recent tabs in Microsoft Edge. | +| 4 | Open windows only. | + -- 1 - Open windows and all tabs in Edge. -- 2 - Open windows and five most recent tabs in Edge. -- 3 - Open windows and three most recent tabs in Edge. -- 4 - Open windows only. + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | MultiTaskingAltTabFilter | +| Path | multitasking > AT > WindowsComponents > MULTITASKING | +| Element Name | AltTabFilterDropdown | + -
    + + + - + -## Related topics + + + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 9acf0b9394..2805dfa3b0 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -1,410 +1,501 @@ --- -title: Policy CSP - NetworkIsolation -description: Learn how Policy CSP - NetworkIsolation contains a list of Enterprise resource domains hosted in the cloud that need to be protected. +title: NetworkIsolation Policy CSP +description: Learn more about the NetworkIsolation Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - NetworkIsolation -
    + + + - -## NetworkIsolation policies + +## EnterpriseCloudResources -
    -
    - NetworkIsolation/EnterpriseCloudResources -
    -
    - NetworkIsolation/EnterpriseIPRange -
    -
    - NetworkIsolation/EnterpriseIPRangesAreAuthoritative -
    -
    - NetworkIsolation/EnterpriseInternalProxyServers -
    -
    - NetworkIsolation/EnterpriseNetworkDomainNames -
    -
    - NetworkIsolation/EnterpriseProxyServers -
    -
    - NetworkIsolation/EnterpriseProxyServersAreAuthoritative -
    -
    - NetworkIsolation/NeutralResources -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseCloudResources +``` + - -**NetworkIsolation/EnterpriseCloudResources** + + +Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the EnterpriseInternalProxyServers policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, ``|``|``,``|``|``,``|. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | WF_NetIsolation_EnterpriseCloudResources | +| Friendly Name | Enterprise resource domains hosted in the cloud | +| Element Name | Enterprise cloud resources | +| Location | Computer Configuration | +| Path | Network > Network Isolation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation | +| ADMX File Name | NetworkIsolation.admx | + -
    + + + - - -Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**. + - - -ADMX Info: -- GP Friendly name: *Enterprise resource domains hosted in the cloud* -- GP name: *WF_NetIsolation_EnterpriseCloudResources* -- GP element: *WF_NetIsolation_EnterpriseCloudResourcesBox* -- GP path: *Network/Network Isolation* -- GP ADMX file name: *NetworkIsolation.admx* + +## EnterpriseInternalProxyServers - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseInternalProxyServers +``` + - -**NetworkIsolation/EnterpriseIPRange** + + +This is the comma-separated list of internal proxy servers. For example 157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59. These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the EnterpriseCloudResources policy to force traffic to the matched cloud resources through these proxies. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | WF_NetIsolation_Intranet_Proxies | +| Friendly Name | Intranet proxy servers for apps | +| Element Name | Type a proxy server IP address for the intranet | +| Location | Computer Configuration | +| Path | Network > Network Isolation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation | +| ADMX File Name | NetworkIsolation.admx | + -
    + + + - - -Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. These ranges are a comma-separated list of IPv4 and IPv6 ranges. + - - -ADMX Info: -- GP Friendly name: *Private network ranges for apps* -- GP name: *WF_NetIsolation_PrivateSubnet* -- GP element: *WF_NetIsolation_PrivateSubnetBox* -- GP path: *Network/Network Isolation* -- GP ADMX file name: *NetworkIsolation.admx* + +## EnterpriseIPRange - - -For example: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -``` syntax + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseIPRange +``` + + + + +Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | WF_NetIsolation_PrivateSubnet | +| Friendly Name | Private network ranges for apps | +| Element Name | Private subnets | +| Location | Computer Configuration | +| Path | Network > Network Isolation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation | +| ADMX File Name | NetworkIsolation.admx | + + + + + +**Example of IP ranges**: + +```syntax 10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255, 192.168.0.0-192.168.255.255,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff, 2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff, 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - ``` + - - + -
    + +## EnterpriseIPRangesAreAuthoritative - -**NetworkIsolation/EnterpriseIPRangesAreAuthoritative** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseIPRangesAreAuthoritative +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This setting does not apply to desktop apps. - -
    +Turns off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you enable this policy setting, it turns off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment. Only network hosts within the address ranges configured via Group Policy will be classified as private. -> [!div class = "checklist"] -> * Device +- If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover your private network hosts in the domain corporate environment. -
    +For more information see: + - - -Integer value that tells the client to accept the configured list and not to use heuristics to attempt and find other subnets. + + + - - -ADMX Info: -- GP Friendly name: *Subnet definitions are authoritative* -- GP name: *WF_NetIsolation_Authoritative_Subnet* -- GP path: *Network/Network Isolation* -- GP ADMX file name: *NetworkIsolation.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**NetworkIsolation/EnterpriseInternalProxyServers** +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WF_NetIsolation_Authoritative_Subnet | +| Friendly Name | Subnet definitions are authoritative | +| Location | Computer Configuration | +| Path | Network > Network Isolation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation | +| Registry Value Name | DSubnetsAuthoritive | +| ADMX File Name | NetworkIsolation.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## EnterpriseNetworkDomainNames -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - -This list is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They're considered to be enterprise network locations. The proxies are only used in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies. + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseNetworkDomainNames +``` + - - -ADMX Info: -- GP Friendly name: *Intranet proxy servers for apps* -- GP name: *WF_NetIsolation_Intranet_Proxies* -- GP element: *WF_NetIsolation_Intranet_ProxiesBox* -- GP path: *Network/Network Isolation* -- GP ADMX file name: *NetworkIsolation.admx* - - - - -
    - - -**NetworkIsolation/EnterpriseNetworkDomainNames** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This is a list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected. These locations will be considered a safe destination for enterprise data to be shared to. This list is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". + + +This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example contoso. sharepoint. com, Fabrikam. com > [!NOTE] -> The client requires domain name to be canonical, otherwise the setting will be rejected by the client. +> The client requires domain name to be canonical, otherwise the setting will be rejected by the client. Here are the steps to create canonical domain namesTransform the ASCII characters (A-Z only) to lower case. For example, Microsoft. COM -> microsoft. com. Call IdnToAscii with IDN_USE_STD3_ASCII_RULES as the flags. Call IdnToUnicode with no flags set (dwFlags = 0). + -Here are the steps to create canonical domain names: + + -1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com. -2. Call [IdnToAscii](/windows/win32/api/winnls/nf-winnls-idntoascii) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. -3. Call [IdnToUnicode](/windows/win32/api/winnls/nf-winnls-idntounicode) with no flags set (dwFlags = 0). +For more information, see the following APIs: - - +- [IdnToAscii function (winnls.h)](/windows/win32/api/winnls/nf-winnls-idntoascii) +- [IdnToUnicode function (winnls.h)](/windows/win32/api/winnls/nf-winnls-idntounicode) + -
    + +**Description framework properties**: - -**NetworkIsolation/EnterpriseProxyServers** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## EnterpriseProxyServers - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseProxyServers +``` + -
    + + +This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example 157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59. + - - -This list is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". + + + - - -ADMX Info: -- GP Friendly name: *Internet proxy servers for apps* -- GP name: *WF_NetIsolation_Domain_Proxies* -- GP element: *WF_NetIsolation_Domain_ProxiesBox* -- GP path: *Network/Network Isolation* -- GP ADMX file name: *NetworkIsolation.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + -
    + +**Group policy mapping**: - -**NetworkIsolation/EnterpriseProxyServersAreAuthoritative** +| Name | Value | +|:--|:--| +| Name | WF_NetIsolation_Domain_Proxies | +| Friendly Name | Internet proxy servers for apps | +| Element Name | Domain Proxies | +| Location | Computer Configuration | +| Path | Network > Network Isolation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation | +| ADMX File Name | NetworkIsolation.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## EnterpriseProxyServersAreAuthoritative - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseProxyServersAreAuthoritative +``` + -
    + + +This setting does not apply to desktop apps. - - -Integer value that tells the client to accept the configured list of proxies and not try to detect other work proxies. +Turns off Windows Network Isolation's automatic proxy discovery in the domain corporate environment. - - -ADMX Info: -- GP Friendly name: *Proxy definitions are authoritative* -- GP name: *WF_NetIsolation_Authoritative_Proxies* -- GP path: *Network/Network Isolation* -- GP ADMX file name: *NetworkIsolation.admx* +- If you enable this policy setting, it turns off Windows Network Isolation's automatic proxy discovery in the domain corporate environment. Only proxies configured with Group Policy are authoritative. This applies to both Internet and intranet proxies. - - +- If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover your proxy server addresses. -
    +For more information see: + - -**NetworkIsolation/NeutralResources** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + -> [!div class = "checklist"] -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | WF_NetIsolation_Authoritative_Proxies | +| Friendly Name | Proxy definitions are authoritative | +| Location | Computer Configuration | +| Path | Network > Network Isolation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation | +| Registry Value Name | DProxiesAuthoritive | +| ADMX File Name | NetworkIsolation.admx | + - - -List of domain names that can be used for work or personal resource. + + + - - -ADMX Info: -- GP Friendly name: *Domains categorized as both work and personal* -- GP name: *WF_NetIsolation_NeutralResources* -- GP element: *WF_NetIsolation_NeutralResourcesBox* -- GP path: *Network/Network Isolation* -- GP ADMX file name: *NetworkIsolation.admx* + - - -
    + +## NeutralResources + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/NeutralResources +``` + -## Related topics + + +List of domain names that can used for work or personal resource. + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | WF_NetIsolation_NeutralResources | +| Friendly Name | Domains categorized as both work and personal | +| Element Name | Neutral resources | +| Location | Computer Configuration | +| Path | Network > Network Isolation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation | +| ADMX File Name | NetworkIsolation.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md index 27b86f10fb..44eecc6ae9 100644 --- a/windows/client-management/mdm/policy-csp-networklistmanager.md +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md 
@@ -1,112 +1,124 @@ --- -title: Policy CSP - NetworkListManager -description: Policy CSP - NetworkListManager is a setting creates a new MDM policy. This setting allows admins to configure a list of URIs of HTTPS endpoints that are considered secure. +title: NetworkListManager Policy CSP +description: Learn more about the NetworkListManager Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 12/16/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - NetworkListManager -
    + + + - -## NetworkListManager policies + +## AllowedTlsAuthenticationEndpoints -
    -
    - NetworkListManager/AllowedTlsAuthenticationEndpoints -
    -
    - NetworkListManager/ConfiguredTLSAuthenticationNetworkName -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkListManager/AllowedTlsAuthenticationEndpoints +``` + - -**NetworkListManager/AllowedTlsAuthenticationEndpoints** + + +List of URLs (seperated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated. + - + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
    - - - -This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated. - -When entering a list of TLS endpoints in Microsoft Intune, you must follow this format, even in the UI: +When entering a list of TLS endpoints in Microsoft Intune, use the following format, even in the UI: `` -- The HTTPS endpoint must not have any more authentication checks, such as login or multi-factor authentication. +- The HTTPS endpoint must not have any more authentication checks, such as sign-in or multi-factor authentication. -- The HTTPS endpoint must be an internal address not accessible from outside the corporate network. +- The HTTPS endpoint must be an internal address not accessible from outside the organizational network. - The client must trust the server certificate. So the CA certificate that the HTTPS server certificate chains to must be present in the client machine's root certificate store. - A certificate shouldn't be a public certificate. + + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**NetworkListManager/ConfiguredTLSAuthenticationNetworkName** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## ConfiguredTlsAuthenticationNetworkName - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkListManager/ConfiguredTlsAuthenticationNetworkName +``` + -> [!div class = "checklist"] -> * Machine + + +The string will be used to name the network authenticated against one of the endpoints listed in AllowedTlsAuthenticationEndpoints policy + -
    + + - - -This policy setting provides the string that is to be used to name a network. That network is authenticated against one of the endpoints that are listed in NetworkListManager/AllowedTlsAuthenticationEndpoints policy. If this setting is used for Trusted Network Detection in an _Always On_ VPN profile, it must be the DNS suffix that is configured in the TrustedNetworkDetection attribute. +This policy setting provides the string that names a network. If this setting is used for Trusted Network Detection in an Always On VPN profile, it must be the DNS suffix that is configured in the TrustedNetworkDetection attribute. + -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + ## Related articles -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md index 280fdbcd41..7fa317d7de 100644 --- a/windows/client-management/mdm/policy-csp-newsandinterests.md +++ b/windows/client-management/mdm/policy-csp-newsandinterests.md @@ -1,86 +1,98 @@ --- -title: Policy CSP - NewsAndInterests -description: Learn how Policy CSP - NewsandInterests contains a list of news and interests. +title: NewsAndInterests Policy CSP +description: Learn more about the NewsAndInterests Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - NewsAndInterests -
    + + + - -## NewsAndInterests policies + +## AllowNewsAndInterests -
    -
    - NewsAndInterests/AllowNewsAndInterests -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/AllowNewsAndInterests +``` + - -**NewsAndInterests/AllowNewsAndInterests** + + +This policy specifies whether the widgets feature is allowed on the device. +Widgets will be turned on by default unless you change this in your settings. +If you turned this feature on before, it will stay on automatically unless you turn it off. + - + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|Yes| -|Windows SE|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| +This policy applies to the entire widgets experience, including content on the taskbar. + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -> [!div class = "checklist"] -> * Device + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + +**Group policy mapping**: - -This policy specifies whether to allow the entire widgets experience, including the content on taskbar. +| Name | Value | +|:--|:--| +| Name | AllowNewsAndInterests | +| Friendly Name | Allow widgets | +| Location | Computer Configuration | +| Path | Windows Components > Widgets | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Dsh | +| Registry Value Name | AllowNewsAndInterests | +| ADMX File Name | NewsAndInterests.admx | + - + + + - + -The following are the supported values: + + + -- 1 - Default - Allowed. -- 0 - Not allowed. + - - - -ADMX Info: -- GP Friendly name: *Specifies whether to allow the entire widgets experience, including the content on taskbar*. -- GP name: *AllowNewsAndInterests* -- GP path: *Network/NewsandInterests* -- GP ADMX file name: *NewsandInterests.admx* - - - - -
    - - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 3025afae1b..1e4d224152 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -1,293 +1,313 @@ --- -title: Policy CSP - Notifications -description: Block applications from using the network to send tile, badge, toast, and raw notifications for Policy CSP - Notifications. +title: Notifications Policy CSP +description: Learn more about the Notifications Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Notifications -
    + + + - -## Notifications policies + +## DisallowCloudNotification -
    -
    - Notifications/DisallowCloudNotification -
    -
    - Notifications/DisallowNotificationMirroring -
    -
    - Notifications/DisallowTileNotification -
    -
    - Notifications/WnsEndpoint -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/Notifications/DisallowCloudNotification +``` + -
    + + +This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to poll application services to update tiles. - -**Notifications/DisallowCloudNotification** +- If you enable this policy setting, applications and system features will not be able receive notifications from the network from WNS or via notification polling APIs. - +- If you enable this policy setting, notifications can still be raised by applications running on the machine via local API calls from within the application. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting blocks application from using the network to send tile, badge, toast, and raw notifications. Specifically, this policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to use [periodic (polling) notifications](/windows/uwp/design/shell/tiles-and-notifications/periodic-notification-overview). - -If you enable this policy setting, applications and system features won't be able to receive notifications from the network from WNS or via notification polling APIs. - -If you enable this policy setting, notifications can still be raised by applications running on the machine via local API calls from within the application. - -If you disable or don't configure this policy setting, the client computer will connect to WNS at user sign in, and applications will be allowed to use periodic (polling) notifications. +- If you disable or do not configure this policy setting, the client computer will connect to WNS at user login and applications will be allowed to poll for tile notification updates in the background. No reboots or service restarts are required for this policy setting to take effect. + + + + + +For more information on application services to update tiles, see [Periodic notification overview](/windows/apps/design/shell/tiles-and-notifications/periodic-notification-overview). > [!WARNING] -> This policy is designed for zero exhaust. This policy may cause some MDM processes to break because WNS notification is used by the MDM server to send real time tasks to the device, such as remote wipe, unenroll, remote find, and mandatory app installation. When this policy is set to disallow WNS, those real time processes will no longer work and some time-sensitive actions such as remote wipe when the device is stolen or unenrollment when the device is compromised will not work. +> This policy is designed for zero exhaust. 
This policy may cause some MDM processes to break. The MDM server uses WNS notifications to send real time tasks to the device. Some example tasks include remote wipe, unenroll, remote find, and mandatory app installation. When this policy is set to disallow WNS, those real time processes will no longer work. Some time-sensitive actions also won't work, such as remote wipe or unenrollment. You would use these time-sensitive actions when the device is stolen or compromised. - - -ADMX Info: -- GP Friendly name: *Turn off notifications network usage* -- GP name: *NoCloudNotification* -- GP path: *Start Menu and Taskbar/Notifications* -- GP ADMX file name: *WPN.admx* +To validate the configuration: - - -This setting supports a range of values between 0 and 1. +1. Enable this policy. +1. Restart the computer. +1. Make sure that you can't receive a notification from an app like Facebook when the app isn't running. + - - -Validation: -1. Enable policy. -2. Reboot machine. -3. Ensure that you can't receive a notification from Facebook app while FB app isn't running. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Notifications/DisallowNotificationMirroring** +| Value | Description | +|:--|:--| +| 0 (Default) | Enable cloud notification. | +| 1 | Disable cloud notification. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoCloudNotification | +| Friendly Name | Turn off notifications network usage | +| Location | Computer Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | +| Registry Value Name | NoCloudApplicationNotification | +| ADMX File Name | WPN.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## DisallowNotificationMirroring -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - -Boolean value that turns off notification mirroring. + +```User +./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring +``` + -For each user signed in to the device, if you enable this policy (set value to 1), the app and system notifications received by this user on this device won't get mirrored to other devices of the same signed-in user. If you disable or don't configure this policy (set value to 0), the notifications received by this user on this device will be mirrored to other devices of the same signed-in user. This feature can be turned off by apps that don't want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page. + + +This policy setting turns off notification mirroring. -No reboot or service restart is required for this policy to take effect. +- If you enable this policy setting, notifications from applications and system will not be mirrored to your other devices. - - -ADMX Info: -- GP Friendly name: *Turn off notification mirroring* -- GP name: *NoNotificationMirroring* -- GP path: *Start Menu and Taskbar/Notifications* -- GP ADMX file name: *WPN.admx* - - - -The following list shows the supported values: - -- 0 (default) – enable notification mirroring. -- 1 - disable notification mirroring. - - - - -
    - - -**Notifications/DisallowTileNotification** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting turns off tile notifications. - -If you enable this policy setting, applications and system features won't be able to update their tiles and tile badges in the Start screen. - -If you disable or don't configure this policy setting, tile and badge notifications are enabled and can be turned off by the administrator or user. +- If you disable or do not configure this policy setting, notifications will be mirrored, and can be turned off by the administrator or user. No reboots or service restarts are required for this policy setting to take effect. + - - -ADMX Info: -- GP Friendly name: *Turn off tile notifications* -- GP name: *NoTileNotification* -- GP path: *Start Menu and Taskbar/Notifications* -- GP ADMX file name: *WPN.admx* + + - - -This setting supports a range of values between 0 and 1. +This feature can be turned off by apps that don't want to participate in notification mirroring. This feature can also be turned off by the user in the Cortana settings page. + - - -Validation: -1. Enable policy. -2. Reboot machine. -3. Ensure that all tiles are default (no live tile content showing, like no weather forecast on the Weather tile). + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Notifications/WnsEndpoint** + +**Allowed values**: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYesYes
    BusinessYesYes
    EnterpriseYesYes
    EducationYesYes
    +| Value | Description | +|:--|:--| +| 0 (Default) | Enable notification mirroring. | +| 1 | Disable notification mirroring. | + - -
    + +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | NoNotificationMirroring | +| Friendly Name | Turn off notification mirroring | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | +| Registry Value Name | DisallowNotificationMirroring | +| ADMX File Name | WPN.admx | + -> [!div class = "checklist"] -> * Machine + + + -
    + - - -This policy setting determines which Windows Notification Service endpoint will be used to connect for Windows Push Notifications. + +## DisallowTileNotification -If you disable or don't configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Notifications/DisallowTileNotification +``` + + + + +This policy setting turns off tile notifications. + +- If you enable this policy setting, applications and system features will not be able to update their tiles and tile badges in the Start screen. + +- If you disable or do not configure this policy setting, tile and badge notifications are enabled and can be turned off by the administrator or user. + +No reboots or service restarts are required for this policy setting to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | NoTileNotification | +| Friendly Name | Turn off tile notifications | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | +| Registry Value Name | NoTileApplicationNotification | +| ADMX File Name | WPN.admx | + + + + + + + + + +## WnsEndpoint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Notifications/WnsEndpoint +``` + + + + +FQDN for the WNS endpoint + + + + + +This policy setting determines which Windows Notification Service (WNS) endpoint will be used to connect for Windows push notifications. + +If you disable or don't configure this setting, the push notifications will connect to the default endpoint of `client.wns.windows.com`. > [!NOTE] -> Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also allowlisted from your firewall settings. +> Make sure the proper WNS FQDNs, VIPs, IPs and ports are also allowed through the firewall. + - - -ADMX Info: -- GP Friendly name: *Required for Airgap servers that may have a unique FQDN that is different from the public endpoint* -- GP name: *WnsEndpoint* -- GP path: *Start Menu and Taskbar/Notifications* -- GP ADMX file name: *WPN.admx* + +**Description framework properties**: - - -If the policy isn't specified, we'll default our connection to client.wns.windows.com. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +**Group policy mapping**: +| Name | Value | +|:--|:--| +| Name | WnsEndpoint_Policy | +| Friendly Name | Enables group policy for the WNS FQDN | +| Element Name | FQDN for WNS | +| Location | Computer Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | +| ADMX File Name | WPN.admx | + - + + + -## Related topics + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 03b40b79a6..1af9f3391f 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -1,1379 +1,1449 @@ --- -title: Policy CSP - Power -description: Learn how the Policy CSP - Power setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. +title: Power Policy CSP +description: Learn more about the Power Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Power -
    - - - -## Power policies - -
    -
    - Power/AllowHibernate -
    -
    - Power/AllowStandbyStatesWhenSleepingOnBattery -
    -
    - Power/AllowStandbyWhenSleepingPluggedIn -
    -
    - Power/DisplayOffTimeoutOnBattery -
    -
    - Power/DisplayOffTimeoutPluggedIn -
    -
    - Power/EnergySaverBatteryThresholdOnBattery -
    -
    - Power/EnergySaverBatteryThresholdPluggedIn -
    -
    - Power/HibernateTimeoutOnBattery -
    -
    - Power/HibernateTimeoutPluggedIn -
    -
    - Power/RequirePasswordWhenComputerWakesOnBattery -
    -
    - Power/RequirePasswordWhenComputerWakesPluggedIn -
    -
    - Power/SelectLidCloseActionOnBattery -
    -
    - Power/SelectLidCloseActionPluggedIn -
    -
    - Power/SelectPowerButtonActionOnBattery -
    -
    - Power/SelectPowerButtonActionPluggedIn -
    -
    - Power/SelectSleepButtonActionOnBattery -
    -
    - Power/SelectSleepButtonActionPluggedIn -
    -
    - Power/StandbyTimeoutOnBattery -
    -
    - Power/StandbyTimeoutPluggedIn -
    -
    - Power/TurnOffHybridSleepOnBattery -
    -
    - Power/TurnOffHybridSleepPluggedIn -
    -
    - Power/UnattendedSleepTimeoutOnBattery -
    -
    - Power/UnattendedSleepTimeoutPluggedIn -
    -
    - > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowHibernate - -**Power/AllowHibernate** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProNoYes
    BusinessNoYes
    EnterpriseNoYes
    EducationNoYes
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate +``` + - -
    + + +This policy setting decides if hibernate on the machine is allowed or not. Supported values: 0 - Disable hibernate. 1 (default) - Allow hibernate. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 | Disable hibernate. | +| 1 (Default) | Allow hibernate. | + - -ADMX Info: -- GP Friendly name: *Decides if hibernate on the machine is allowed or not* -- GP name: *AllowHibernate* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + + + - - + -
    + +## AllowStandbyStatesWhenSleepingOnBattery - -**Power/AllowStandbyStatesWhenSleepingOnBattery** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/AllowStandbyStatesWhenSleepingOnBattery +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. -If you enable or don't configure this policy setting, Windows uses standby states to put the computer in a sleep state. +- If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. -If you disable this policy setting, standby states (S1-S3) aren't allowed. +- If you disable this policy setting, standby states (S1-S3) are not allowed. + - + + + - -ADMX Info: -- GP Friendly name: *Allow standby states (S1-S3) when sleeping (on battery)* -- GP name: *AllowStandbyStatesDC_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**Power/AllowStandbyWhenSleepingPluggedIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowStandbyStatesDC_2 | +| Friendly Name | Allow standby states (S1-S3) when sleeping (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowStandbyWhenSleepingPluggedIn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/AllowStandbyWhenSleepingPluggedIn +``` + - - + + This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. -If you enable or don't configure this policy setting, Windows uses standby states to put the computer in a sleep state. +- If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. -If you disable this policy setting, standby states (S1-S3) aren't allowed. +- If you disable this policy setting, standby states (S1-S3) are not allowed. + - + + + - -ADMX Info: -- GP Friendly name: *Allow standby states (S1-S3) when sleeping (plugged in)* -- GP name: *AllowStandbyStatesAC_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**Power/DisplayOffTimeoutOnBattery** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowStandbyStatesAC_2 | +| Friendly Name | Allow standby states (S1-S3) when sleeping (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + -Added to HoloLens 2 in [Windows Holographic, version 20H2](/hololens/hololens-release-notes-2004#new-power-policies-for-hololens-2). + - -
    + +## DisplayOffTimeoutOnBattery - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/DisplayOffTimeoutOnBattery +``` + -
    - - - + + This policy setting allows you to specify the period of inactivity before Windows turns off the display. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. -If you disable or don't configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off the display (on battery)* -- GP name: *VideoPowerDownTimeOutDC_2* -- GP path: *System/Power Management/Video and Display Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**Power/DisplayOffTimeoutPluggedIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | VideoPowerDownTimeOutDC_2 | +| Friendly Name | Turn off the display (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Video and Display Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7E | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisplayOffTimeoutPluggedIn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/DisplayOffTimeoutPluggedIn +``` + - - + + This policy setting allows you to specify the period of inactivity before Windows turns off the display. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. -If you disable or don't configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off the display (plugged in)* -- GP name: *VideoPowerDownTimeOutAC_2* -- GP path: *System/Power Management/Video and Display Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**Power/EnergySaverBatteryThresholdOnBattery** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | VideoPowerDownTimeOutAC_2 | +| Friendly Name | Turn off the display (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Video and Display Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7E | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnergySaverBatteryThresholdOnBattery -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/EnergySaverBatteryThresholdOnBattery +``` + + + This policy setting allows you to specify battery charge level at which Energy Saver is turned on. +- If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. +- If you disable or do not configure this policy setting, users control this setting. + -If you enable this policy setting, you must specify a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. + + + -If you disable or don't configure this policy setting, users control this setting. + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Energy Saver Battery Threshold (on battery)* -- GP name: *EsBattThresholdDC* -- GP element: *EnterEsBattThreshold* -- GP path: *System/Power Management/Energy Saver Settings* -- GP ADMX file name: *power.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 0 | + - - -Supported values: 0-100. The default is 70. - - + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | EsBattThresholdDC | +| Friendly Name | Energy Saver Battery Threshold (on battery) | +| Element Name | Energy Saver Battery Threshold (percent) | +| Location | Computer Configuration | +| Path | System > Power Management > Energy Saver Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\E69653CA-CF7F-4F05-AA73-CB833FA90AD4 | +| ADMX File Name | Power.admx | + - - + + + -
    + - -**Power/EnergySaverBatteryThresholdPluggedIn** + +## EnergySaverBatteryThresholdPluggedIn - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/EnergySaverBatteryThresholdPluggedIn +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify battery charge level at which Energy Saver is turned on. +- If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. +- If you disable or do not configure this policy setting, users control this setting. + -If you enable this policy setting, you must provide a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. + + + -If you disable or don't configure this policy setting, users control this setting. + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Energy Saver Battery Threshold (plugged in)* -- GP name: *EsBattThresholdAC* -- GP element: *EnterEsBattThreshold* -- GP path: *System/Power Management/Energy Saver Settings* -- GP ADMX file name: *power.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 0 | + - - -Supported values: 0-100. The default is 70. - - + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | EsBattThresholdAC | +| Friendly Name | Energy Saver Battery Threshold (plugged in) | +| Element Name | Energy Saver Battery Threshold (percent) | +| Location | Computer Configuration | +| Path | System > Power Management > Energy Saver Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\E69653CA-CF7F-4F05-AA73-CB833FA90AD4 | +| ADMX File Name | Power.admx | + - - + + + -
    + - -**Power/HibernateTimeoutOnBattery** + +## HibernateTimeoutOnBattery - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/HibernateTimeoutOnBattery +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. -If you disable or don't configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + - + + + - -ADMX Info: -- GP Friendly name: *Specify the system hibernate timeout (on battery)* -- GP name: *DCHibernateTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**Power/HibernateTimeoutPluggedIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DCHibernateTimeOut_2 | +| Friendly Name | Specify the system hibernate timeout (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364 | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HibernateTimeoutPluggedIn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/HibernateTimeoutPluggedIn +``` + - - + + This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. -If you disable or don't configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + - + + + - -ADMX Info: -- GP Friendly name: *Specify the system hibernate timeout (plugged in)* -- GP name: *ACHibernateTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**Power/RequirePasswordWhenComputerWakesOnBattery** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ACHibernateTimeOut_2 | +| Friendly Name | Specify the system hibernate timeout (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364 | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RequirePasswordWhenComputerWakesOnBattery -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/RequirePasswordWhenComputerWakesOnBattery +``` + - - + + This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. -If you enable or don't configure this policy setting, the user is prompted for a password when the system resumes from sleep. +- If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. -If you disable this policy setting, the user isn't prompted for a password when the system resumes from sleep. +- If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. + - + + + - -ADMX Info: -- GP Friendly name: *Require a password when a computer wakes (on battery)* -- GP name: *DCPromptForPasswordOnResume_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**Power/RequirePasswordWhenComputerWakesPluggedIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DCPromptForPasswordOnResume_2 | +| Friendly Name | Require a password when a computer wakes (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RequirePasswordWhenComputerWakesPluggedIn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/RequirePasswordWhenComputerWakesPluggedIn +``` + - - + + This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. -If you enable or don't configure this policy setting, the user is prompted for a password when the system resumes from sleep. - -If you disable this policy setting, the user isn't prompted for a password when the system resumes from sleep. - - - - -ADMX Info: -- GP Friendly name: *Require a password when a computer wakes (plugged in)* -- GP name: *ACPromptForPasswordOnResume_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - -
    - - -**Power/SelectLidCloseActionOnBattery** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or don't configure it, users can see and change this setting. - - - -ADMX Info: -- GP Friendly name: *Select the lid switch action (on battery)* -- GP name: *DCSystemLidAction_2* -- GP element: *SelectDCSystemLidAction* -- GP path: *System/Power Management/Button Settings* -- GP ADMX file name: *power.admx* - - - - -The following are the supported lid close switch actions (on battery): -- 0 - Take no action -- 1 - Sleep -- 2 - System hibernate sleep state -- 3 - System shutdown - - - - - - - - - - -
    - - -**Power/SelectLidCloseActionPluggedIn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or don't configure it, users can see and change this setting. - - - -ADMX Info: -- GP Friendly name: *Select the lid switch action (plugged in)* -- GP name: *ACSystemLidAction_2* -- GP element: *SelectACSystemLidAction* -- GP path: *System/Power Management/Button Settings* -- GP ADMX file name: *power.admx* - - - - -The following are the supported lid close switch actions (plugged in): -- 0 - Take no action -- 1 - Sleep -- 2 - System hibernate sleep state -- 3 - System shutdown - - - - - - - - - - -
    - - -**Power/SelectPowerButtonActionOnBattery** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the action that Windows takes when a user presses the Power button. - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or don't configure it, users can see and change this setting. - - - -ADMX Info: -- GP Friendly name: *Select the Power button action (on battery)* -- GP name: *DCPowerButtonAction_2* -- GP element: *SelectDCPowerButtonAction* -- GP path: *System/Power Management/Button Settings* -- GP ADMX file name: *power.admx* - - - - -The following are the supported Power button actions (on battery): -- 0 - Take no action -- 1 - Sleep -- 2 - System hibernate sleep state -- 3 - System shutdown - - - - - - - - - - -
    - - -**Power/SelectPowerButtonActionPluggedIn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the action that Windows takes when a user presses the Power button. - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or don't configure it, users can see and change this setting. - - - -ADMX Info: -- GP Friendly name: *Select the Power button action (plugged in)* -- GP name: *ACPowerButtonAction_2* -- GP element: *SelectACPowerButtonAction* -- GP path: *System/Power Management/Button Settings* -- GP ADMX file name: *power.admx* - - - - -The following are the supported Power button actions (plugged in): -- 0 - Take no action -- 1 - Sleep -- 2 - System hibernate sleep state -- 3 - System shutdown - - - - - - - - - - -
    - - -**Power/SelectSleepButtonActionOnBattery** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the action that Windows takes when a user presses the Sleep button. - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or don't configure it, users can see and change this setting. - - - -ADMX Info: -- GP Friendly name: *Select the Sleep button action (on battery)* -- GP name: *DCSleepButtonAction_2* -- GP element: *SelectDCSleepButtonAction* -- GP path: *System/Power Management/Button Settings* -- GP ADMX file name: *power.admx* - - - - -The following are the supported Sleep button actions (on battery): -- 0 - Take no action -- 1 - Sleep -- 2 - System hibernate sleep state -- 3 - System shutdown - - - - - - - - - - -
    - - -**Power/SelectSleepButtonActionPluggedIn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the action that Windows takes when a user presses the Sleep button. - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or don't configure it, users can see and change this setting. - - - -ADMX Info: -- GP Friendly name: *Select the Sleep button action (plugged in)* -- GP name: *ACSleepButtonAction_2* -- GP element: *SelectACSleepButtonAction* -- GP path: *System/Power Management/Button Settings* -- GP ADMX file name: *power.admx* - - - - -The following are the supported Sleep button actions (plugged in): -- 0 - Take no action -- 1 - Sleep -- 2 - System hibernate sleep state -- 3 - System shutdown - - - - - - - - - - -
    - - -**Power/StandbyTimeoutOnBattery** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +- If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. + +- If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ACPromptForPasswordOnResume_2 | +| Friendly Name | Require a password when a computer wakes (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + + + + + + + + + +## SelectLidCloseActionOnBattery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/SelectLidCloseActionOnBattery +``` + + + + +This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. +- If you disable this policy setting or do not configure it, users can see and change this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Take no action. | +| 1 (Default) | Sleep. | +| 2 | System hibernate sleep state. | +| 3 | System shutdown. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DCSystemLidAction_2 | +| Friendly Name | Select the lid switch action (on battery) | +| Element Name | Lid Switch Action | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\5CA83367-6E45-459F-A27B-476B1D01C936 | +| ADMX File Name | Power.admx | + + + + + + + + + +## SelectLidCloseActionPluggedIn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/SelectLidCloseActionPluggedIn +``` + + + + +This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. +- If you disable this policy setting or do not configure it, users can see and change this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Take no action. | +| 1 (Default) | Sleep. | +| 2 | System hibernate sleep state. | +| 3 | System shutdown. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ACSystemLidAction_2 | +| Friendly Name | Select the lid switch action (plugged in) | +| Element Name | Lid Switch Action | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\5CA83367-6E45-459F-A27B-476B1D01C936 | +| ADMX File Name | Power.admx | + + + + + + + + + +## SelectPowerButtonActionOnBattery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/SelectPowerButtonActionOnBattery +``` + + + + +This policy setting specifies the action that Windows takes when a user presses the power button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. +- If you disable this policy setting or do not configure it, users can see and change this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Take no action. | +| 1 (Default) | Sleep. | +| 2 | System hibernate sleep state. | +| 3 | System shutdown. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DCPowerButtonAction_2 | +| Friendly Name | Select the Power button action (on battery) | +| Element Name | Power Button Action | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\7648EFA3-DD9C-4E3E-B566-50F929386280 | +| ADMX File Name | Power.admx | + + + + + + + + + +## SelectPowerButtonActionPluggedIn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/SelectPowerButtonActionPluggedIn +``` + + + + +This policy setting specifies the action that Windows takes when a user presses the power button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. +- If you disable this policy setting or do not configure it, users can see and change this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Take no action. | +| 1 (Default) | Sleep. | +| 2 | System hibernate sleep state. | +| 3 | System shutdown. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ACPowerButtonAction_2 | +| Friendly Name | Select the Power button action (plugged in) | +| Element Name | Power Button Action | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\7648EFA3-DD9C-4E3E-B566-50F929386280 | +| ADMX File Name | Power.admx | + + + + + + + + + +## SelectSleepButtonActionOnBattery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/SelectSleepButtonActionOnBattery +``` + + + + +This policy setting specifies the action that Windows takes when a user presses the sleep button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. +- If you disable this policy setting or do not configure it, users can see and change this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Take no action. | +| 1 (Default) | Sleep. | +| 2 | System hibernate sleep state. | +| 3 | System shutdown. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DCSleepButtonAction_2 | +| Friendly Name | Select the Sleep button action (on battery) | +| Element Name | Sleep Button Action | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\96996BC0-AD50-47EC-923B-6F41874DD9EB | +| ADMX File Name | Power.admx | + + + + + + + + + +## SelectSleepButtonActionPluggedIn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/SelectSleepButtonActionPluggedIn +``` + + + + +This policy setting specifies the action that Windows takes when a user presses the sleep button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. +- If you disable this policy setting or do not configure it, users can see and change this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Take no action. | +| 1 (Default) | Sleep. | +| 2 | System hibernate sleep state. | +| 3 | System shutdown. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ACSleepButtonAction_2 | +| Friendly Name | Select the Sleep button action (plugged in) | +| Element Name | Sleep Button Action | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\96996BC0-AD50-47EC-923B-6F41874DD9EB | +| ADMX File Name | Power.admx | + + + + + + + + + +## StandbyTimeoutOnBattery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/StandbyTimeoutOnBattery +``` + + + + This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. -If you disable or don't configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + - + + + - -ADMX Info: -- GP Friendly name: *Specify the system sleep timeout (on battery)* -- GP name: *DCStandbyTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**Power/StandbyTimeoutPluggedIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DCStandbyTimeOut_2 | +| Friendly Name | Specify the system sleep timeout (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\29F6C1DB-86DA-48C5-9FDB-F2B67B1F44DA | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## StandbyTimeoutPluggedIn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/StandbyTimeoutPluggedIn +``` + - - + + This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. -If you disable or don't configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + - + + + - -ADMX Info: -- GP Friendly name: *Specify the system sleep timeout (plugged in)* -- GP name: *ACStandbyTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**Power/TurnOffHybridSleepOnBattery** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ACStandbyTimeOut_2 | +| Friendly Name | Specify the system sleep timeout (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\29F6C1DB-86DA-48C5-9FDB-F2B67B1F44DA | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TurnOffHybridSleepOnBattery -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/TurnOffHybridSleepOnBattery +``` + - - + + This policy setting allows you to turn off hybrid sleep. -If you set this policy setting to 0, a hiberfile isn't generated when the system transitions to sleep (Stand By). +- If you enable this policy setting, a hiberfile is not generated when the system transitions to sleep (Stand By). -If you set this policy setting to 1 or don't configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. + - - -ADMX Info: -- GP Friendly name: *Turn off hybrid sleep (on battery)* -- GP name: *DCStandbyWithHiberfileEnable_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + + + - - + +**Description framework properties**: -The following are the supported values for Hybrid sleep (on battery): -- 0 - no hibernation file for sleep (default). -- 1 - hybrid sleep. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | . | +| 1 | Hybrid sleep. | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | DCStandbyWithHiberfileEnable_2 | +| Friendly Name | Turn off hybrid sleep (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\94ac6d29-73ce-41a6-809f-6363ba21b47e | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + - -**Power/TurnOffHybridSleepPluggedIn** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## TurnOffHybridSleepPluggedIn - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/TurnOffHybridSleepPluggedIn +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to turn off hybrid sleep. -If you set this policy setting to 0, a hiberfile isn't generated when the system transitions to sleep (Stand By). +- If you enable this policy setting, a hiberfile is not generated when the system transitions to sleep (Stand By). -If you set this policy setting to 1 or don't configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. + - - -ADMX Info: -- GP Friendly name: *Turn off hybrid sleep (plugged in)* -- GP name: *ACStandbyWithHiberfileEnable_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + + + - - + +**Description framework properties**: -The following are the supported values for Hybrid sleep (plugged in): -- 0 - no hibernation file for sleep (default). -- 1 - hybrid sleep. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | . | +| 1 | Hybrid sleep. | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | ACStandbyWithHiberfileEnable_2 | +| Friendly Name | Turn off hybrid sleep (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\94ac6d29-73ce-41a6-809f-6363ba21b47e | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + - -**Power/UnattendedSleepTimeoutOnBattery** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## UnattendedSleepTimeoutOnBattery - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/UnattendedSleepTimeoutOnBattery +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. +- If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + -
    + + + - - -This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user isn't present at the computer. + +**Description framework properties**: -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows doesn't automatically transition to sleep. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + -If you disable or don't configure this policy setting, users control this setting. + +**Group policy mapping**: -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +| Name | Value | +|:--|:--| +| Name | UnattendedSleepTimeOutDC | +| Friendly Name | Specify the unattended sleep timeout (on battery) | +| Element Name | Unattended Sleep Timeout (seconds) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0 | +| ADMX File Name | Power.admx | + - - -ADMX Info: -- GP Friendly name: *Specify the unattended sleep timeout (on battery)* -- GP name: *UnattendedSleepTimeOutDC* -- GP element: *EnterUnattendedSleepTimeOut* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + + + - - -Default value for unattended sleep timeout (on battery): -300 - - + - - + +## UnattendedSleepTimeoutPluggedIn - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/UnattendedSleepTimeoutPluggedIn +``` + - -**Power/UnattendedSleepTimeoutPluggedIn** + + +This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. +- If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | UnattendedSleepTimeOutAC | +| Friendly Name | Specify the unattended sleep timeout (plugged in) | +| Element Name | Unattended Sleep Timeout (seconds) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0 | +| ADMX File Name | Power.admx | + -
    + + + - - -This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user isn't present at the computer. + -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows doesn't automatically transition to sleep. + + + -If you disable or don't configure this policy setting, users control this setting. + -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - - - -ADMX Info: -- GP Friendly name: *Specify the unattended sleep timeout (plugged in)* -- GP name: *UnattendedSleepTimeOutAC* -- GP element: *EnterUnattendedSleepTimeOut* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - -Default value for unattended sleep timeout (plugged in): -300 - - - - - - - - -
    - - - - 
-## Related topics
+## Related articles
 [Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index 7cb6c243fb..d6abd1659d 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -1,1001 +1,1151 @@
 ---
-title: Policy CSP - Printers
+title: Printers Policy CSP
+description: Learn more about the Printers Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 --- + + + # Policy CSP - Printers - -
    - - -## Printers policies - -
    -
    - Printers/ApprovedUsbPrintDevices -
    -
    - Printers/ApprovedUsbPrintDevicesUser -
    -
    - Printers/ConfigureCopyFilesPolicy -
    -
    - Printers/ConfigureDriverValidationLevel -
    -
    - Printers/ConfigureIppPageCountsPolicy -
    -
    - Printers/ConfigureRedirectionGuardPolicy -
    -
    - Printers/ConfigureRpcConnectionPolicy -
    -
    - Printers/ConfigureRpcListenerPolicy -
    -
    - Printers/ConfigureRpcTcpPort -
    -
    - Printers/EnableDeviceControl -
    -
    - Printers/EnableDeviceControlUser -
    -
    - Printers/ManageDriverExclusionList -
    -
    - Printers/PointAndPrintRestrictions -
    -
    - Printers/PointAndPrintRestrictions_User -
    -
    - Printers/PublishPrinters -
    -
    - Printers/RestrictDriverInstallationToAdministrators -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**Printers/ApprovedUsbPrintDevices** + +## ApprovedUsbPrintDevices - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network. - -This policy will contain the comma-separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled. -The format of this setting is `/[,/]` - - - - -ADMX Info: -- GP Friendly name: *Support for new Device Control Print feature* -- GP name: *ApprovedUsbPrintDevices* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - - - -
    - - -**Printers/ApprovedUsbPrintDevicesUser** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network. - -This policy will contain the comma separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled. -The format of this setting is `/[,/]` - - - - -ADMX Info: -- GP Friendly name: *Support for new Device Control Print feature* -- GP name: *ApprovedUsbPrintDevicesUser* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/ConfigureCopyFilesPolicy** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\CopyFilesPolicy` registry entry to restrict processing of the CopyFiles registry entries during printer connection installation. This registry key was added to the print system as part of the 9B security update. - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the code will default to *SyncCopyFilestoColorFolderOnly* as the value and process the CopyFiles entries as appropriate. - -If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly. - -The following are the supported values: - -Type: DWORD. Defaults to 1. - -- 0 (DisableCopyFiles) - Don't process any CopyFiles registry entries when installing printer connections. -- 1 (SyncCopyFilestoColorFolderOnly) - Only allow CopyFiles entries that conform to the standard Color Profile scheme. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value. -- 2 (AllowCopyFile) - Allow any CopyFiles registry entries to be processed/created when installing printer connections. - - - - -ADMX Info: -- GP Friendly name: *Manage processing of Queue-specific files* -- GP name: *ConfigureCopyFilesPolicy* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/ConfigureDriverValidationLevel** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ValidationLevel` registry entry to determine the print driver digital signatures. This registry key was added to the print system as part of the 10C security update. - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the code will default to *DriverValidationLevel_Legacy* as the value and process the print driver digital signatures as appropriate. - -If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly. - -The following are the supported values: - -Type: DWORD. Defaults to 4. - -- 0 (DriverValidationLevel_Inbox) - Only drivers that are shipped as part of a Windows image are allowed on this computer. -- 1 (DriverValidationLevel_Trusted) - Only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer. -- 2 (DriverValidationLevel_WHQL)- Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL). -- 3 (DriverValidationLevel_TrustedShared) - Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store. -- 4 (DriverValidationLevel_Legacy) - Any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer. 
- - - -ADMX Info: -- GP Friendly name: *Manage Print Driver signature validation* -- GP name: *ConfigureDriverValidationLevel* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/ConfigureIppPageCountsPolicy** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\IPP\AlwaysSendIppPageCounts`registry entry to allow administrators to configure setting for the IPP print stack. - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the code will default to sending page count job accounting information for IPP print jobs only when necessary. - -If the policy object is Enabled, the code will always send page count job accounting information for IPP print jobs. - -The following are the supported values: - -AlwaysSendIppPageCounts: DWORD. Defaults to 0. - -- 0 (Disabled) - Job accounting information will not always be sent for IPP print jobs **(default)**. -- 1 (Enabled) - Job accounting information will always be sent for IPP print jobs. - - - - -ADMX Info: -- GP Friendly name: *Always send job page count information for IPP printers* -- GP name: *ConfigureIppPageCountsPolicy* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/ConfigureRedirectionGuardPolicy** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\ConfigureRedirectionGuard` registry entry, which in turn is used to control the functionality of the Redirection Guard feature in the spooler process. - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the code will default to 1 (enabled) as the value and will prevent redirection primitives in the spooler from being used. - -If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly. - -The following are the supported values: - -Type: DWORD, defaults to 1. - -- 0 (Redirection Guard Disabled) - Redirection Guard is not enabled for the spooler process and will not prevent the use of redirection primitives within said process. -- 1 (Redirection Guard Enabled) - Redirection Guard is enabled for the spooler process and will prevent the use of redirection primitives from being used. -- 2 (Redirection Guard Audit Mode) - Redirection Guard will be disabled but will log telemetry events as though it were enabled. - - - - -ADMX Info: -- GP Friendly name: *Configure Redirection Guard* -- GP name: *ConfigureRedirectionGuardPolicy* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/ConfigureRpcConnectionPolicy** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC connections in the print stack. - -There are 2 values which can be configured: - -- RpcUseNamedPipeProtocol DWORD - - 0: RpcOverTcp (default) - - 1: RpcOverNamedPipes -- RpcAuthentication DWORD - - 0: RpcConnectionAuthenticationDefault (default) - - 1: RpcConnectionAuthenticationEnabled - - 2: RpcConnectionAuthenticationDisabled - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp*, and RPC authentication enabled on domain joined machines and RPC authentication disabled on non domain joined machines. - -If the policy object is Enabled, the code will read the DWORD values from the registry entries and act accordingly. - -The following are the supported values: - -- Not configured or Disabled - The print stack makes RPC connections over TCP and enables RPC authentication on domain joined machines, but disables RPC authentication on non domain joined machines. -- Enabled - The print stack reads from the registry to determine RPC protocols to connect on and whether to perform RPC authentication. - - - - -ADMX Info: -- GP Friendly name: *Configure RPC connection settings* -- GP name: *ConfigureRpcConnectionPolicy* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/ConfigureRpcListenerPolicy** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners in the print stack. - -There are 2 values which can be configured: -- RpcProtocols DWORD - - 3: RpcOverNamedPipes - Only listen for incoming RPC connections using named pipes - - 5: RpcOverTcp - Only listen for incoming RPC connections using TCP (default) - - 7: RpcOverNamedPipesAndTcp - Listen for both RPC connections over named pipes over TCP -- ForceKerberosForRpc DWORD - - 0: RpcAuthenticationProtocol_Negotiate - Use Negotiate protocol for RPC connection authentication (default). Negotiate negotiates between Kerberos and NTLM depending on client/server support - - 1: RpcAuthenticationProtocol_Kerberos - Only allow Kerberos protocol to be used for RPC authentication - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp* and *RpcAuthenticationProtocol_Negotiate*. - -If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly. - -The following are the supported values: - -- Not configured or Disabled - The print stack listens for incoming RPC connections over TCP and uses Negotiate authentication protocol. -- Enabled - The print stack reads from the registry to determine RPC protocols to listen on and authentication protocol to use. - - - - -ADMX Info: -- GP Friendly name: *Configure RPC listener settings* -- GP name: *ConfigureRpcListenerPolicy* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/ConfigureRpcTcpPort** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This new Group Policy entry will be used to manage a new DWORD Value added under the the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners and connections in the print stack. - -- RpcTcpPort DWORD - - 0: Use dynamic TCP ports for RPC over TCP (default). - - 1-65535: Use the given port for RPC over TCP. - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the code will default to dynamic ports for *RpcOverTcp*. - -If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly. - -The following are the supported values: - -- Not configured or Disabled - The print stack uses dynamic TCP ports for RPC over TCP. -- Enabled - The print stack reads from the registry to determine which TCP port to use for RPC over TCP. - - - - -ADMX Info: -- GP Friendly name: *Configure RPC over TCP port* -- GP name: *ConfigureRpcTcpPort* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/EnableDeviceControl** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network. - -This policy will control whether the print spooler will attempt to restrict printing as part of Device Control. - -The default value of the policy will be Unconfigured. - -If the policy value is either Unconfigured or Disabled, the print spooler won't restrict printing. - -If the policy value is Enabled, the print spooler will restrict local printing to USB devices in the Approved Device list. - - - - -ADMX Info: -- GP Friendly name: *Support for new Device Control Print feature* -- GP name: *EnableDeviceControl* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - - -
    - - - -**Printers/EnableDeviceControlUser** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network. - -This policy will control whether the print spooler will attempt to restrict printing as part of Device Control. - -The default value of the policy will be Unconfigured. - -If the policy value is either Unconfigured or Disabled, the print spooler won't restrict printing. - -If the policy value is Enabled, the print spooler will restrict local printing to USB devices in the Approved Device list. - - - - -ADMX Info: -- GP Friendly name: *Support for new Device Control Print feature* -- GP name: *EnableDeviceControlUser* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - - -
    - - -**Printers/ManageDriverExclusionList** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList` registry key to allow administrators to curate a set of print drivers that are not allowed to be installed on the computer. This registry key was added to the print system as part of the 10C security update. - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the registry Key will not exist and there will not be a Print Driver exclusion list. - -If the policy object is Enabled, the ExclusionList Reg Key will contain one or more *REG_ZS* values that represent the list of excluded print driver INF or main DLL files. Tach *REG_SZ* value will have the file hash as the name and the file name as the data value. - -The following are the supported values: - -Create REG_SZ Values under key `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList` - -Type: REG_SZ -Value Name: Hash of excluded file -Value Data: Name of excluded file - - - - -ADMX Info: -- GP Friendly name: *Manage Print Driver exclusion list* -- GP name: *ManageDriverExclusionList* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/PointAndPrintRestrictions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. - -If you enable this policy setting: - -- Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver isn't available on the client, no connection will be made. - -- You can configure Windows Vista clients so that security warnings and elevated command prompts don't appear when users Point and Print, or when printer connection drivers need to be updated. - -If you don't configure this policy setting: - -- Windows Vista client computers can point and print to any server. - -- Windows Vista computers will show a warning and an elevated command prompt, when users create a printer connection to any server using Point and Print. - -- Windows Vista computers will show a warning and an elevated command prompt, when an existing printer connection driver needs to be updated. - -- Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. - -If you disable this policy setting: - -- Windows Vista client computers can create a printer connection to any server using Point and Print. - -- Windows Vista computers won't show a warning or an elevated command prompt, when users create a printer connection to any server using Point and Print. - -- Windows Vista computers won't show a warning or an elevated command prompt, when an existing printer connection driver needs to be updated. - -- Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. 
- -- The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). - - - - -ADMX Info: -- GP Friendly name: *Point and Print Restrictions* -- GP name: *PointAndPrint_Restrictions_Win7* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -Example: - -```xml -Name: Point and Print Enable Oma-URI: ./Device/Vendor/MSFT/Policy/Config/Printers/PointAndPrintRestrictions -Data type: String Value: - - - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices ``` - - + -
    + + +This setting is a component of the Device Control Printing Restrictions. To use this setting, enable Device Control Printing by enabling the "Enable Device Control Printing Restrictions" setting. - -**Printers/PointAndPrintRestrictions_User** +When Device Control Printing is enabled, the system uses the specified list of vid/pid values to determine if the current USB connected printer is approved for local printing. - +Type all the approved vid/pid combinations (separated by commas) that correspond to approved USB printer models. When a user tries to print to a USB printer queue the device vid/pid will be compared to the approved list. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +The format of this setting is `/[,/]`. + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * User + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | ApprovedUsbPrintDevices | +| Friendly Name | List of Approved USB-connected print devices | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ApprovedUsbPrintDevicesUser + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevicesUser +``` + + + + +This setting is a component of the Device Control Printing Restrictions. To use this setting, enable Device Control Printing by enabling the "Enable Device Control Printing Restrictions" setting. + +When Device Control Printing is enabled, the system uses the specified list of vid/pid values to determine if the current USB connected printer is approved for local printing. + +Type all the approved vid/pid combinations (separated by commas) that correspond to approved USB printer models. When a user tries to print to a USB printer queue the device vid/pid will be compared to the approved list. + + + + +The format of this setting is `/[,/]`. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ApprovedUsbPrintDevicesUser | +| Friendly Name | List of Approved USB-connected print devices | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ConfigureCopyFilesPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureCopyFilesPolicy +``` + + + + +Manages how Queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client that connects to the print server. + +You can enable this setting to change the default behavior involving queue-specific files. To use this setting, select one of the options below from the "Manage processing of Queue-specific files" box. + +- If you disable or do not configure this policy setting, the default behavior is "Limit Queue-specific files to Color profiles". + +- "Do not allow Queue-specific files" specifies that no queue-specific files will be allowed/processed during print queue/printer connection installation. + +- "Limit Queue-specific files to Color profiles" specifies that only queue-specific files that adhere to the standard color profile scheme will be allowed. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value. "Limit Queue-specific files to Color profiles" is the default behavior. + +- "Allow all Queue-specific files" specifies that all queue-specific files will be allowed/processed during print queue/printer connection installation. + + + + +The following are the supported values: + +- 0: Do not allow Queue-specific files. +- 1 (Default): Limit Queue-specific files to Color profiles. +- 2: Allow all Queue-specific files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureCopyFilesPolicy | +| Friendly Name | Manage processing of Queue-specific files | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ConfigureDriverValidationLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureDriverValidationLevel +``` + + + + +This policy setting controls the print driver signature validation mechanism. This policy controls the type of digital signature that is required for a print driver to be considered valid and installed on the system. + +As part of this validation the catalog/embedded signature is verified and all files in the driver must be a part of the catalog or have their own embedded signature that can be used for validation. + +You can enable this setting to change the default signature validation method. To use this setting, select one of the options below from the "Select the driver signature mechanism for this computer" box. + +- If you disable or do not configure this policy setting, the default method is "Allow all validly signed drivers". + +- "Require inbox signed drivers" specifies only drivers that are shipped as part of a Windows image are allowed on this computer. + +- "Allow inbox and PrintDrivers Trusted Store signed drivers" specifies only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer. + +- "Allow inbox, PrintDrivers Trusted Store, and WHQL signed drivers" specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL). 
+ +- "Allow inbox, PrintDrivers Trusted Store, WHQL, and Trusted Publishers Store signed drivers" specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store. + +- "Allow all validly signed drivers" specifies that any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer. + +The 'PrintDrivers' certificate store needs to be created by an administrator under the local machine store location. + +The 'Trusted Publishers' certificate store can contain certificates from sources that are not related to print drivers. + + + + +The following are the supported values: + +- 0: Require inbox signed drivers. +- 1: Allow inbox and PrintDrivers Trusted Store signed drivers. +- 2: Allow inbox, PrintDrivers Trusted Store, and WHQL signed drivers. +- 3: Allow inbox, PrintDrivers Trusted Store, WHQL, and Trusted Publishers Store signed drivers. +- 4 (Default): Allow all validly signed drivers. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureDriverValidationLevel | +| Friendly Name | Manage Print Driver signature validation | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Driver | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ConfigureIppPageCountsPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureIppPageCountsPolicy +``` + + + + +Determines whether to always send page count information for accounting purposes for printers using the Microsoft IPP Class Driver. + +By default, pages are sent to the printer as soon as they are rendered and page count information is not sent to the printer unless pages must be reordered. + +- If you enable this setting the system will render all print job pages up front and send the printer the total page count for the print job. + +- If you disable this setting or do not configure it, pages are printed as soon as they are rendered and page counts are only sent when page reordering is required to process the job. + + + + +The following are the supported values: + +- 0 (Default): Disabled. +- 1: Enabled. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureIppPageCountsPolicy | +| Friendly Name | Always send job page count information for IPP printers | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\IPP | +| Registry Value Name | AlwaysSendIppPageCounts | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ConfigureRedirectionGuardPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRedirectionGuardPolicy +``` + + + + +Determines whether Redirection Guard is enabled for the print spooler. + +You can enable this setting to configure the Redirection Guard policy being applied to spooler. + +- If you disable or do not configure this policy setting, Redirection Guard will default to being 'enabled'. + +- If you enable this setting you may select the following options: + +- Enabled : Redirection Guard will prevent any file redirections from being followed + +- Disabled : Redirection Guard will not be enabled and file redirections may be used within the spooler process + +- Audit : Redirection Guard will log events as though it were enabled but will not actually prevent file redirections from being used within the spooler. + + + + +The following are the supported values: + +- 0: Redirection guard disabled. +- 1 (Default): Redirection guard enabled. +- 2: Redirection guard audit mode. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureRedirectionGuardPolicy | +| Friendly Name | Configure Redirection Guard | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ConfigureRpcAuthnLevelPrivacyEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcAuthnLevelPrivacyEnabled +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureRpcAuthnLevelPrivacyEnabled | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ConfigureRpcConnectionPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcConnectionPolicy +``` + + + + +This policy setting controls which protocol and protocol settings to use for outgoing RPC connections to a remote print spooler. + +By default, RPC over TCP is used and authentication is always enabled. For RPC over named pipes, authentication is always enabled for domain joined machines but disabled for non domain joined machines. + +Protocol to use for outgoing RPC connections: +- "RPC over TCP": Use RPC over TCP for outgoing RPC connections to a remote print spooler +- "RPC over named pipes": Use RPC over named pipes for outgoing RPC connections to a remote print spooler + +Use authentication for outgoing RPC over named pipes connections: +- "Default": By default domain joined computers enable RPC authentication for RPC over named pipes while non domain joined computers disable RPC authentication for RPC over named pipes +- "Authentication enabled": RPC authentication will be used for outgoing RPC over named pipes connections +- "Authentication disabled": RPC authentication will not be used for outgoing RPC over named pipes connections + +- If you disable or do not configure this policy setting, the above defaults will be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureRpcConnectionPolicy | +| Friendly Name | Configure RPC connection settings | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\RPC | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ConfigureRpcListenerPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcListenerPolicy +``` + + + + +This policy setting controls which protocols incoming RPC connections to the print spooler are allowed to use. + +By default, RPC over TCP is enabled and Negotiate is used for the authentication protocol. + +Protocols to allow for incoming RPC connections: +- "RPC over named pipes": Incoming RPC connections are only allowed over named pipes +- "RPC over TCP": Incoming RPC connections are only allowed over TCP (the default option) +- "RPC over named pipes and TCP": Incoming RPC connections will be allowed over TCP and named pipes + +Authentication protocol to use for incoming RPC connections: +- "Negotiate": Use the Negotiate authentication protocol (the default option) +- "Kerberos": Use the Kerberos authentication protocol + +- If you disable or do not configure this policy setting, the above defaults will be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureRpcListenerPolicy | +| Friendly Name | Configure RPC listener settings | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\RPC | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ConfigureRpcTcpPort + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcTcpPort +``` + + + + +This policy setting controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers. + +By default dynamic TCP ports are used. + +RPC over TCP port: +- The port to use for RPC over TCP. A value of 0 is the default and indicates that dynamic TCP ports will be used + +- If you disable or do not configure this policy setting, dynamic TCP ports are used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureRpcTcpPort | +| Friendly Name | Configure RPC over TCP port | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\RPC | +| ADMX File Name | Printing.admx | + + + + + + + + + +## EnableDeviceControl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl +``` + + + + +Determines whether Device Control Printing Restrictions are enforced for printing on this computer. + +By default, there are no restrictions to printing based on connection type or printer Make/Model. + +- If you enable this setting, the computer will restrict printing to printer connections on the corporate network or approved USB-connected printers. + +- If you disable this setting or do not configure it, there are no restrictions to printing based on connection type or printer Make/Model. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableDeviceControl | +| Friendly Name | Enable Device Control Printing Restrictions | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | EnableDeviceControl | +| ADMX File Name | Printing.admx | + + + + + + + + + +## EnableDeviceControlUser + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Printers/EnableDeviceControlUser +``` + + + + +Determines whether Device Control Printing Restrictions are enforced for printing on this computer. + +By default, there are no restrictions to printing based on connection type or printer Make/Model. + +- If you enable this setting, the computer will restrict printing to printer connections on the corporate network or approved USB-connected printers. + +- If you disable this setting or do not configure it, there are no restrictions to printing based on connection type or printer Make/Model. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableDeviceControlUser | +| Friendly Name | Enable Device Control Printing Restrictions | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | EnableDeviceControl | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ManageDriverExclusionList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ManageDriverExclusionList +``` + + + + +This policy setting controls the print driver exclusion list. The exclusion list allows an administrator to curate a list of printer drivers that are not allowed to be installed on the system. + +This checks outranks the signature check and allows drivers that have a valid signature level for the Print Driver signature validation policy to be excluded. + +Entries in the exclusion list consist of a SHA256 hash (or SHA1 hash for Win7) of the INF file and/or main driver DLL file of the driver and the name of the file. + +- If you disable or do not configure this policy setting, the registry key and values associated with this policy setting will be deleted, if currently set to a value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ManageDriverExclusionList | +| Friendly Name | Manage Print Driver exclusion list | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Driver | +| ADMX File Name | Printing.admx | + + + + + + + + + +## PointAndPrintRestrictions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/PointAndPrintRestrictions +``` + + + + This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. -If you enable this policy setting: +- If you enable this policy setting: +-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. +-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. -- Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver isn't available on the client, no connection will be made. +- If you do not configure this policy setting: +-Windows Vista client computers can point and print to any server. +-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. 
-- You can configure Windows Vista clients so that security warnings and elevated command prompts don't appear when users Point and Print, or when printer connection drivers need to be updated. +- If you disable this policy setting: +-Windows Vista client computers can create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. +-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). + -If you don't configure this policy setting: + + + -- Windows Vista client computers can point and print to any server. + +**Description framework properties**: -- Windows Vista computers will show a warning and an elevated command prompt, when users create a printer connection to any server using Point and Print. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- Windows Vista computers will show a warning and an elevated command prompt, when an existing printer connection driver needs to be updated. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -- Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. 
+**ADMX mapping**: -If you disable this policy setting: +| Name | Value | +|:--|:--| +| Name | PointAndPrint_Restrictions_Win7 | +| Friendly Name | Point and Print Restrictions | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint | +| Registry Value Name | Restricted | +| ADMX File Name | Printing.admx | + -- Windows Vista client computers can create a printer connection to any server using Point and Print. + + + -- Windows Vista computers won't show a warning or an elevated command prompt, when users create a printer connection to any server using Point and Print. + -- Windows Vista computers won't show a warning or an elevated command prompt, when an existing printer connection driver needs to be updated. + +## PointAndPrintRestrictions_User -- Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -- The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). + +```User +./User/Vendor/MSFT/Policy/Config/Printers/PointAndPrintRestrictions_User +``` + - - -ADMX Info: -- GP Friendly name: *Point and Print Restrictions* -- GP name: *PointAndPrint_Restrictions* -- GP path: *Control Panel/Printers* -- GP ADMX file name: *Printing.admx* + + +This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. - - +- If you enable this policy setting: +-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. +-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. -
    +- If you do not configure this policy setting: +-Windows Vista client computers can point and print to any server. +-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. - -**Printers/PublishPrinters** +- If you disable this policy setting: +-Windows Vista client computers can create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. +-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> [!div class = "checklist"] -> * Device +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | PointAndPrint_Restrictions | +| Friendly Name | Point and Print Restrictions | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint | +| Registry Value Name | Restricted | +| ADMX File Name | Printing.admx | + - - + + + + + + + +## PublishPrinters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/PublishPrinters +``` + + + + Determines whether the computer's shared printers can be published in Active Directory. -If you enable this setting or don't configure it, users can use the "List in directory" option in the Printer's Properties' on the Sharing tab, to publish shared printers in Active Directory. +- If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory. -If you disable this setting, this computer's shared printers can't be published in Active Directory, and the "List in directory" option isn't available. +- If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available. > [!NOTE] -> This setting takes priority over the setting "Automatically publish new printers in the Active Directory". +> This settings takes priority over the setting "Automatically publish new printers in the Active Directory". + - + + + - -ADMX Info: -- GP Friendly name: *Allow printers to be published* -- GP name: *PublishPrinters* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**Printers/RestrictDriverInstallationToAdministrators** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | PublishPrinters | +| Friendly Name | Allow printers to be published | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | PublishPrinters | +| ADMX File Name | Printing2.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## RestrictDriverInstallationToAdministrators - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators` registry entry for restricting print driver installation to Administrator users. + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/RestrictDriverInstallationToAdministrators +``` + -This registry key was added to the print system as part of the 7OOB security update and use of this registry key was expanded as part of the 8B security rollup. + + +Determines whether users that aren't Administrators can install print drivers on this computer. -The default value of the policy will be Unconfigured. +By default, users that aren't Administrators can't install print drivers on this computer. -If the policy value is either Unconfigured or Enabled, only Administrators or members of an Administrator security group (Administrators, Domain Administrators, Enterprise Administrators) will be allowed to install print drivers on the computer. +- If you enable this setting or do not configure it, the system will limit installation of print drivers to Administrators of this computer. -If the policy value is Disabled, standard users will also be allowed to install print drivers on the computer. +- If you disable this setting, the system won't limit installation of print drivers to this computer. + -The following are the supported values: + + + -- Not configured or Enabled - Only administrators can install print drivers on the computer. -- Disabled - Standard users are allowed to install print drivers on the computer. 
+ +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Restrict installation of print drivers to Administrators* -- GP name: *RestrictDriverInstallationToAdministrators* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | RestrictDriverInstallationToAdministrators | +| Friendly Name | Limits print driver installation to Administrators | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint | +| Registry Value Name | RestrictDriverInstallationToAdministrators | +| ADMX File Name | Printing.admx | + - + + + -## Related topics + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 124dfb9fc1..24f10738e5 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -1,4418 +1,5505 @@ --- -title: Policy CSP - Privacy -description: Learn how the Policy CSP - Privacy setting allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. +title: Privacy Policy CSP +description: Learn more about the Privacy Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Privacy + + + -
    + +## AllowAutoAcceptPairingAndPrivacyConsentPrompts - -## Privacy policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    -
    - Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts -
    -
    - Privacy/AllowCrossDeviceClipboard -
    -
    - Privacy/AllowInputPersonalization -
    -
    - Privacy/DisableAdvertisingId -
    -
    - Privacy/DisablePrivacyExperience -
    -
    - Privacy/EnableActivityFeed -
    -
    - Privacy/LetAppsAccessAccountInfo -
    -
    - Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessBackgroundSpatialPerception -
    -
    - Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessCalendar -
    -
    - Privacy/LetAppsAccessCalendar_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessCalendar_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessCallHistory -
    -
    - Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessCamera -
    -
    - Privacy/LetAppsAccessCamera_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessCamera_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessCamera_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessContacts -
    -
    - Privacy/LetAppsAccessContacts_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessContacts_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessContacts_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessEmail -
    -
    - Privacy/LetAppsAccessEmail_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessEmail_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessEmail_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessGazeInput -
    -
    - Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessLocation -
    -
    - Privacy/LetAppsAccessLocation_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessLocation_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessLocation_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessMessaging -
    -
    - Privacy/LetAppsAccessMessaging_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessMessaging_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessMicrophone -
    -
    - Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessMotion -
    -
    - Privacy/LetAppsAccessMotion_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessMotion_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessMotion_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessNotifications -
    -
    - Privacy/LetAppsAccessNotifications_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessNotifications_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessPhone -
    -
    - Privacy/LetAppsAccessPhone_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessPhone_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessPhone_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessRadios -
    -
    - Privacy/LetAppsAccessRadios_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessRadios_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessRadios_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessTasks -
    -
    - Privacy/LetAppsAccessTasks_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessTasks_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessTasks_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessTrustedDevices -
    -
    - Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsActivateWithVoice -
    -
    - Privacy/LetAppsActivateWithVoiceAboveLock -
    -
    - Privacy/LetAppsGetDiagnosticInfo -
    -
    - Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps -
    -
    - Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps -
    -
    - Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsRunInBackground -
    -
    - Privacy/LetAppsRunInBackground_ForceAllowTheseApps -
    -
    - Privacy/LetAppsRunInBackground_ForceDenyTheseApps -
    -
    - Privacy/LetAppsRunInBackground_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsSyncWithDevices -
    -
    - Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps -
    -
    - Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps -
    -
    - Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps -
    -
    - Privacy/PublishUserActivities -
    -
    - Privacy/UploadUserActivities -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts +``` + + + + -
    - - -**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. + + +Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. Most restricted value is 0. > [!NOTE] > There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 (default)– Not allowed. -- 1 – Allowed. - - - - -
    - - -**Privacy/AllowCrossDeviceClipboard** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Allow Clipboard synchronization across devices* -- GP name: *AllowCrossDeviceClipboard* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -0 – Not allowed. -1 (default) – Allowed. - - - - -
    - - -**Privacy/AllowInputPersonalization** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Updated in Windows 10, version 1809. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation, and talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Allow input personalization* -- GP name: *AllowInputPersonalization* -- GP path: *Control Panel/Regional and Language Options* -- GP ADMX file name: *Globalization.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Choice deferred to user's preference. - - - - -
    - - -**Privacy/DisableAdvertisingId** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Enables or disables the Advertising ID. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Turn off the advertising ID* -- GP name: *DisableAdvertisingId* -- GP path: *System/User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. -- 1 – Enabled. -- 65535 (default)- Not configured. - - - - -
    - - -**Privacy/DisablePrivacyExperience** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - -Supported value type is integer. - -- 0 (default) - Allow the "choose privacy settings for your device" screen for a new user during their first logon or when an existing user logs in for the first time after an upgrade. -- 1 - Do not allow the "choose privacy settings for your device" screen when a new user logs in or an existing user logs in for the first time after an upgrade. - -In some enterprise managed environments, the privacy settings may be set by policies. In these cases, you can use this policy if you do not want to show a screen that would prompt your users to change these privacy settings. - - - -ADMX Info: -- GP Friendly name: *Don't launch privacy settings experience on user logon* -- GP name: *DisablePrivacyExperience* -- GP path: *Windows Components/OOBE* -- GP ADMX file name: *OOBE.admx* - - - - - - - - - - - - - -
    - - -**Privacy/EnableActivityFeed** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to allow Apps/OS to publish to the activity feed. - - - -ADMX Info: -- GP Friendly name: *Enables Activity Feed* -- GP name: *EnableActivityFeed* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled (not published to the cloud). -- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph. - - - - -
    - - -**Privacy/LetAppsAccessAccountInfo** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether Windows apps can access account information. - -Most restricted value is 2. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + + + + + + + + +## AllowCrossDeviceClipboard + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/AllowCrossDeviceClipboard +``` + + + + +This policy setting determines whether Clipboard contents can be synchronized across devices. +- If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Azure AD account. +- If you disable this policy setting, Clipboard contents cannot be shared to other devices. +Policy change takes effect immediately. + + + + + +Most restrictive value is `0` to not allow cross-device clipboard. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowCrossDeviceClipboard | +| Friendly Name | Allow Clipboard synchronization across devices | +| Location | Computer Configuration | +| Path | System > OS Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowCrossDeviceClipboard | +| ADMX File Name | OSPolicy.admx | + + + + + + + + + +## AllowInputPersonalization + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/AllowInputPersonalization +``` + + + + +This policy specifies whether users on the device have the option to enable online speech recognition services. + +If this policy is enabled or not configured, control is deferred to users, and users may choose whether to enable speech services via settings. + +If this policy is disabled, speech services will be disabled, and users cannot enable speech services via settings. + + + + + +Updated in Windows 10, version 1809. + +When enabled, users can use their voice for dictation, and talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft uses voice input to help improve speech services. + +The most restrictive value is `0` to not allow speech services. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Choice deferred to user's preference. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowInputPersonalization | +| Friendly Name | Allow users to enable online speech recognition services | +| Location | Computer Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\InputPersonalization | +| Registry Value Name | AllowInputPersonalization | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## DisableAdvertisingId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/DisableAdvertisingId +``` + + + + +This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. + +- If you enable this policy setting, the advertising ID is turned off. Apps can't use the ID for experiences across apps. + +- If you disable or do not configure this policy setting, users can control whether apps can use the advertising ID for experiences across apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 | Enabled. | +| 65535 (Default) | Not configured. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableAdvertisingId | +| Friendly Name | Turn off the advertising ID | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\AdvertisingInfo | +| Registry Value Name | DisabledByGroupPolicy | +| ADMX File Name | UserProfiles.admx | + + + + + + + + + +## DisablePrivacyExperience + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Privacy/DisablePrivacyExperience +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/DisablePrivacyExperience +``` + + + + +When logging into a new user account for the first time or after an upgrade in some scenarios, that user may be presented with a screen or series of screens that prompts the user to choose privacy settings for their account. Enable this policy to prevent this experience from launching. + +If this policy is enabled, the privacy experience will not launch for newly-created user accounts or for accounts that would have been prompted to choose their privacy settings after an upgrade. + +If this policy is disabled or not configured, then the privacy experience may launch for newly-created user accounts or for accounts that should be prompted to choose their privacy settings after an upgrade. + + + + + +In some managed environments, the privacy settings may be set by other policies. In this case, enable this policy to not show a screen for users to change these privacy settings. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow the 'choose privacy settings for your device' screen for a new user during their first logon or when an existing user logs in for the first time after an upgrade. | +| 1 | Do not allow the 'choose privacy settings for your device' screen when a new user logs in or an existing user logs in for the first time after an upgrade. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisablePrivacyExperience | +| Friendly Name | Don't launch privacy settings experience on user logon | +| Location | Computer and User Configuration | +| Path | Windows Components > OOBE | +| Registry Key Name | Software\Policies\Microsoft\Windows\OOBE | +| Registry Value Name | DisablePrivacyExperience | +| ADMX File Name | OOBE.admx | + + + + + + + + + +## EnableActivityFeed + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/EnableActivityFeed +``` + + + + +This policy setting determines whether ActivityFeed is enabled. +- If you enable this policy setting, all activity types (as applicable) are allowed to be published and ActivityFeed shall roam these activities across device graph of the user. +- If you disable this policy setting, activities can't be published and ActivityFeed shall disable cloud sync. +Policy change takes effect immediately. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud). | +| 1 (Default) | Enabled. Apps/OS can publish the activities and will be roamed across device graph. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableActivityFeed | +| Friendly Name | Enables Activity Feed | +| Location | Computer Configuration | +| Path | System > OS Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableActivityFeed | +| ADMX File Name | OSPolicy.admx | + + + + + + + + + +## LetAppsAccessAccountInfo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessAccountInfo +``` + + + + +This policy setting specifies whether Windows apps can access account information. + + + + + +The most restrictive value is `2` to deny apps access to account information. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessAccountInfo | +| Friendly Name | Let Windows apps access account information | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessAccountInfo_ForceAllowTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessAccountInfo | +| Friendly Name | Let Windows apps access account information | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessAccountInfo_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessAccountInfo | +| Friendly Name | Let Windows apps access account information | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessAccountInfo_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessBackgroundSpatialPerception** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessAccountInfo | +| Friendly Name | Let Windows apps access account information | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessBackgroundSpatialPerception -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessBackgroundSpatialPerception +``` + - - + + +This policy setting specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background. + + + + > [!NOTE] -> Currently, this policy is supported only in HoloLens 2. +> Currently, this policy is supported only in [Microsoft HoloLens 2](/hololens/hololens2-hardware). + -Specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background. + +**Description framework properties**: -Supported value type is integer. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access background spatial perception* -- GP name: *LetAppsAccessBackgroundSpatialPerception* -- GP element: *LetAppsAccessBackgroundSpatialPerception_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + +**Allowed values**: - - -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + -- 0 (default) – User in control. -- 1 – Force allow. -- 2 - Force deny. + + + - - + -
    + +## LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps - -**Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> Currently, this policy is supported only in HoloLens 2. + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps +``` + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. + -Supported value type is chr. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps access background spatial perception* -- GP name: *LetAppsAccessBackgroundSpatialPerception* -- GP element: *LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - - - - -
    - - -**Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + > [!NOTE] -> Currently, this policy is supported only in HoloLens 2. +> Currently, this policy is supported only in [Microsoft HoloLens 2](/hololens/hololens2-hardware). + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + + + + + + + +## LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. + -Supported value type is chr. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access background spatial perception* -- GP name: *LetAppsAccessBackgroundSpatialPerception* -- GP element: *LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - - - - -
    - - -**Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - > [!NOTE] -> Currently, this policy is supported only in HoloLens 2. +> Currently, this policy is supported only in [Microsoft HoloLens 2](/hololens/hololens2-hardware). + -List of semi-colon delimited Package Family Names of Windows Store Apps. -The user is able to control the user movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. + +**Description framework properties**: -Supported value type is chr. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access background spatial perception* -- GP name: *LetAppsAccessBackgroundSpatialPerception* -- GP element: *LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + - - + +## LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - -**Privacy/LetAppsAccessCalendar** + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps +``` + - + + +List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the user movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + - -
    +> [!NOTE] +> Currently, this policy is supported only in [Microsoft HoloLens 2](/hololens/hololens2-hardware). + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + -
    + + + - - -Specifies whether Windows apps can access the calendar. + -Most restricted value is 2. + +## LetAppsAccessCalendar - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCalendar +``` + -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. + + +This policy setting specifies whether Windows apps can access the calendar. + - - + + -
    +The most restrictive value is `2` to deny apps access to the calendar. + - -**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCalendar | +| Friendly Name | Let Windows apps access the calendar | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -
    + + + - - + + + +## LetAppsAccessCalendar_ForceAllowTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCalendar_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCalendar | +| Friendly Name | Let Windows apps access the calendar | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCalendar_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCalendar_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCalendar | +| Friendly Name | Let Windows apps access the calendar | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCalendar_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCallHistory** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCalendar | +| Friendly Name | Let Windows apps access the calendar | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCallHistory -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCallHistory +``` + - - -Specifies whether Windows apps can access call history. + + +This policy setting specifies whether Windows apps can access call history. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to call history. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - -**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCallHistory | +| Friendly Name | Let Windows apps access call history | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCallHistory_ForceAllowTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCallHistory | +| Friendly Name | Let Windows apps access call history | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCallHistory_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCallHistory | +| Friendly Name | Let Windows apps access call history | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCallHistory_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCamera** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCallHistory | +| Friendly Name | Let Windows apps access call history | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCamera -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCamera +``` + - - -Specifies whether Windows apps can access the camera. + + +This policy setting specifies whether Windows apps can access the camera. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to the camera. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - -**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCamera | +| Friendly Name | Let Windows apps access the camera | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCamera_ForceAllowTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCamera_ForceAllowTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCamera | +| Friendly Name | Let Windows apps access the camera | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCamera_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCamera_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCamera | +| Friendly Name | Let Windows apps access the camera | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCamera_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCamera_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessContacts** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCamera | +| Friendly Name | Let Windows apps access the camera | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessContacts -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessContacts +``` + - - -Specifies whether Windows apps can access contacts. + + +This policy setting specifies whether Windows apps can access contacts. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to contacts. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - -**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessContacts | +| Friendly Name | Let Windows apps access contacts | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessContacts_ForceAllowTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessContacts_ForceAllowTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessContacts | +| Friendly Name | Let Windows apps access contacts | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessContacts_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessContacts_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessContacts | +| Friendly Name | Let Windows apps access contacts | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessContacts_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessContacts_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessEmail** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessContacts | +| Friendly Name | Let Windows apps access contacts | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessEmail -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail +``` + - - -Specifies whether Windows apps can access email. + + +This policy setting specifies whether Windows apps can access email. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to email. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - -**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessEmail | +| Friendly Name | Let Windows apps access email | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessEmail_ForceAllowTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail_ForceAllowTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessEmail | +| Friendly Name | Let Windows apps access email | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessEmail_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessEmail | +| Friendly Name | Let Windows apps access email | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessEmail_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessGazeInput** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessEmail | +| Friendly Name | Let Windows apps access email | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessGazeInput -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGazeInput +``` + - - + + This policy setting specifies whether Windows apps can access the eye tracker. + - - + + + -
    + +**Description framework properties**: - -**Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-2]` | +| Default Value | 0 | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## LetAppsAccessGazeInput_ForceAllowTheseApps - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps +``` + -
    - - - + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + - - + + + -
    + +**Description framework properties**: - -**Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## LetAppsAccessGazeInput_ForceDenyTheseApps - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps +``` + -
    - - - + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + - - + + + -
    + +**Description framework properties**: - -**Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## LetAppsAccessGazeInput_UserInControlOfTheseApps - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps +``` + -
    - - - + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + - - + + + -
    + +**Description framework properties**: - -**Privacy/LetAppsAccessLocation** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## LetAppsAccessGraphicsCaptureProgrammatic - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureProgrammatic +``` + -
    + + +This policy setting specifies whether Windows apps can use screen capture on arbitrary windows or displays. + - - -Specifies whether Windows apps can access location. + + + -Most restricted value is 2. + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-2]` | +| Default Value | 0 | + - - -The following list shows the supported values: + +**Group policy mapping**: -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureProgrammatic | +| Friendly Name | Let Windows apps take screenshots of various windows or displays | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + - - + + + -
    + - -**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** + +## LetAppsAccessGraphicsCaptureProgrammatic_ForceAllowTheseApps - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureProgrammatic_ForceAllowTheseApps +``` + - -
    + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to use screen capture on arbitrary windows or displays. This setting overrides the default LetAppsAccessGraphicsCaptureWithoutBorder policy setting for the specified apps. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - - + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureProgrammatic | +| Friendly Name | Let Windows apps take screenshots of various windows or displays | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessGraphicsCaptureProgrammatic_ForceDenyTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureProgrammatic_ForceDenyTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the use of screen capture on arbitrary windows or displays. This setting overrides the default LetAppsAccessGraphicsCaptureWithoutBorder policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureProgrammatic | +| Friendly Name | Let Windows apps take screenshots of various windows or displays | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessGraphicsCaptureProgrammatic_UserInControlOfTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureProgrammatic_UserInControlOfTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the programmatic screen capture setting for the listed apps. This setting overrides the default LetAppsAccessGraphicsCaptureWithoutBorder policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureProgrammatic | +| Friendly Name | Let Windows apps take screenshots of various windows or displays | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessGraphicsCaptureWithoutBorder + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureWithoutBorder +``` + + + + +This policy setting specifies whether Windows apps can disable the screen capture border. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-2]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureWithoutBorder | +| Friendly Name | Let Windows apps turn off the screenshot border | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessGraphicsCaptureWithoutBorder_ForceAllowTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureWithoutBorder_ForceAllowTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to disable the screen capture border. This setting overrides the default LetAppsAccessGraphicsCaptureWithoutBorder policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureWithoutBorder | +| Friendly Name | Let Windows apps turn off the screenshot border | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessGraphicsCaptureWithoutBorder_ForceDenyTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureWithoutBorder_ForceDenyTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied configuration access to the screen capture border. This setting overrides the default LetAppsAccessGraphicsCaptureWithoutBorder policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureWithoutBorder | +| Friendly Name | Let Windows apps turn off the screenshot border | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessGraphicsCaptureWithoutBorder_UserInControlOfTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureWithoutBorder_UserInControlOfTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the screen capture border privacy setting for the listed apps. This setting overrides the default LetAppsAccessGraphicsCaptureWithoutBorder policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureWithoutBorder | +| Friendly Name | Let Windows apps turn off the screenshot border | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessLocation +``` + + + + +This policy setting specifies whether Windows apps can access location. + + + + + +The most restrictive value is `2` to deny apps access to the device's location. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessLocation | +| Friendly Name | Let Windows apps access location | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessLocation_ForceAllowTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessLocation_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessLocation | +| Friendly Name | Let Windows apps access location | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessLocation_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessLocation_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessLocation | +| Friendly Name | Let Windows apps access location | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessLocation_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessLocation_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMessaging** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessLocation | +| Friendly Name | Let Windows apps access location | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMessaging -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMessaging +``` + - - -Specifies whether Windows apps can read or send messages (text or MMS). + + +This policy setting specifies whether Windows apps can read or send messages (text or MMS). + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to messaging. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - -**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMessaging | +| Friendly Name | Let Windows apps access messaging | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMessaging_ForceAllowTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMessaging_ForceAllowTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMessaging | +| Friendly Name | Let Windows apps access messaging | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMessaging_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMessaging_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMessaging | +| Friendly Name | Let Windows apps access messaging | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMessaging_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMicrophone** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMessaging | +| Friendly Name | Let Windows apps access messaging | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMicrophone -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMicrophone +``` + - - -Specifies whether Windows apps can access the microphone. + + +This policy setting specifies whether Windows apps can access the microphone. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to the microphone. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - -**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMicrophone | +| Friendly Name | Let Windows apps access the microphone | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMicrophone_ForceAllowTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMicrophone | +| Friendly Name | Let Windows apps access the microphone | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMicrophone_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMicrophone | +| Friendly Name | Let Windows apps access the microphone | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMicrophone_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMotion** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMicrophone | +| Friendly Name | Let Windows apps access the microphone | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMotion -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMotion +``` + - - -Specifies whether Windows apps can access motion data. + + +This policy setting specifies whether Windows apps can access motion data. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to motion data. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - -**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMotion | +| Friendly Name | Let Windows apps access motion | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMotion_ForceAllowTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMotion_ForceAllowTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMotion | +| Friendly Name | Let Windows apps access motion | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMotion_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMotion_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMotion | +| Friendly Name | Let Windows apps access motion | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMotion_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMotion_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessNotifications** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMotion | +| Friendly Name | Let Windows apps access motion | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessNotifications -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessNotifications +``` + - - -Specifies whether Windows apps can access notifications. + + +This policy setting specifies whether Windows apps can access notifications. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to notifications. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - -**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessNotifications | +| Friendly Name | Let Windows apps access notifications | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessNotifications_ForceAllowTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessNotifications_ForceAllowTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessNotifications | +| Friendly Name | Let Windows apps access notifications | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessNotifications_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessNotifications_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessNotifications | +| Friendly Name | Let Windows apps access notifications | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessNotifications_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessPhone** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessNotifications | +| Friendly Name | Let Windows apps access notifications | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessPhone -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessPhone +``` + - - -Specifies whether Windows apps can make phone calls. + + +This policy setting specifies whether Windows apps can make phone calls + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to make phone calls. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - -**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessPhone | +| Friendly Name | Let Windows apps make phone calls | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessPhone_ForceAllowTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessPhone_ForceAllowTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessPhone | +| Friendly Name | Let Windows apps make phone calls | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessPhone_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessPhone_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessPhone | +| Friendly Name | Let Windows apps make phone calls | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessPhone_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessPhone_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessRadios** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessPhone | +| Friendly Name | Let Windows apps make phone calls | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessRadios -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessRadios +``` + - - -Specifies whether Windows apps have access to control radios. + + +This policy setting specifies whether Windows apps have access to control radios. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to control radios. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - -**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessRadios | +| Friendly Name | Let Windows apps control radios | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessRadios_ForceAllowTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessRadios_ForceAllowTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessRadios | +| Friendly Name | Let Windows apps control radios | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessRadios_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessRadios_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessRadios | +| Friendly Name | Let Windows apps control radios | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessRadios_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessRadios_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessTasks** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessRadios | +| Friendly Name | Let Windows apps control radios | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessTasks -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTasks +``` + - - -Specifies whether Windows apps can access tasks. + + +This policy setting specifies whether Windows apps can access tasks. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-2]` | +| Default Value | 0 | + - -**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTasks | +| Friendly Name | Let Windows apps access Tasks | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessTasks_ForceAllowTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTasks_ForceAllowTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTasks | +| Friendly Name | Let Windows apps access Tasks | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessTasks_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTasks_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTasks | +| Friendly Name | Let Windows apps access Tasks | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessTasks_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTasks_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessTrustedDevices** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTasks | +| Friendly Name | Let Windows apps access Tasks | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessTrustedDevices -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTrustedDevices +``` + - - -Specifies whether Windows apps can access trusted devices. + + +This policy setting specifies whether Windows apps can access trusted devices. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access trusted devices. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - -**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTrustedDevices | +| Friendly Name | Let Windows apps access trusted devices | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessTrustedDevices_ForceAllowTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTrustedDevices | +| Friendly Name | Let Windows apps access trusted devices | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessTrustedDevices_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTrustedDevices | +| Friendly Name | Let Windows apps access trusted devices | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessTrustedDevices_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsActivateWithVoice** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies if Windows apps can be activated by voice. - - - -ADMX Info: -- GP Friendly name: *Allow voice activation* -- GP name: *LetAppsActivateWithVoice* -- GP element: *LetAppsActivateWithVoice_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 (default) – User in control. Users can decide if Windows apps can be activated by voice using Settings > Privacy options on the device. -- 1 – Force allow. Windows apps can be activated by voice and users cannot change it. -- 2 - Force deny. Windows apps cannot be activated by voice and users cannot change it. - - - - -
    - - -**Privacy/LetAppsActivateWithVoiceAboveLock** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies if Windows apps can be activated by voice while the screen is locked. - - - -ADMX Info: -- GP Friendly name: *Allow voice activation above locked screen* -- GP name: *LetAppsActivateWithVoiceAboveLock* -- GP element: *LetAppsActivateWithVoiceAboveLock_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 (default) – User in control. Users can decide if Windows apps can be activated by voice while the screen is locked using Settings > Privacy options on the device. -- 1 – Force allow. Windows apps can be activated by voice while the screen is locked, and users cannot change it. -- 2 - Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it. - - - - -
    - - -**Privacy/LetAppsGetDiagnosticInfo** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. - -Most restricted value is 2. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsRunInBackground** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether Windows apps can run in the background. - -Most restricted value is 2. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTrustedDevices | +| Friendly Name | Let Windows apps access trusted devices | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsActivateWithVoice + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsActivateWithVoice +``` + + + + +This policy setting specifies whether Windows apps can be activated by voice. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. Users can decide if Windows apps can be activated by voice using Settings > Privacy options on the device. | +| 1 | Force allow. Windows apps can be activated by voice and users cannot change it. | +| 2 | Force deny. Windows apps cannot be activated by voice and users cannot change it. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsActivateWithVoice | +| Friendly Name | Let Windows apps activate with voice | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsActivateWithVoiceAboveLock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsActivateWithVoiceAboveLock +``` + + + + +This policy setting specifies whether Windows apps can be activated by voice while the system is locked. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. Users can decide if Windows apps can be activated by voice while the screen is locked using Settings > Privacy options on the device. | +| 1 | Force allow. Windows apps can be activated by voice while the screen is locked, and users cannot change it. | +| 2 | Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsActivateWithVoiceAboveLock | +| Friendly Name | Let Windows apps activate with voice while the system is locked | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsGetDiagnosticInfo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsGetDiagnosticInfo
+```
+
+
+
+
+This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names.
+
+
+
+
+
+The most restrictive value is `2` to deny apps access to diagnostic data.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | User in control. |
+| 1 | Force allow. |
+| 2 | Force deny. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LetAppsGetDiagnosticInfo |
+| Friendly Name | Let Windows apps access diagnostic information about other apps |
+| Element Name | Default for all apps |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
+
+
+
+
+
+
+
+
+
+## LetAppsGetDiagnosticInfo_ForceAllowTheseApps
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
+```
+
+
+
+
+List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LetAppsGetDiagnosticInfo |
+| Friendly Name | Let Windows apps access diagnostic information about other apps |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
+
+
+
+
+
+
+
+
+
+## LetAppsGetDiagnosticInfo_ForceDenyTheseApps
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
+```
+
+
+
+
+List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LetAppsGetDiagnosticInfo |
+| Friendly Name | Let Windows apps access diagnostic information about other apps |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
+
+
+
+
+
+
+
+
+
+## LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
+```
+
+
+
+
+List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LetAppsGetDiagnosticInfo |
+| Friendly Name | Let Windows apps access diagnostic information about other apps |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
+
+
+
+
+
+
+
+
+
+## LetAppsRunInBackground
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsRunInBackground
+```
+
+
+
+
+This policy setting specifies whether Windows apps can run in the background.
+
+
+
+
+The most restrictive value is `2` to deny apps from running in the background.
 > [!WARNING]
-> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly.
-
-
-
-ADMX Info:
-- GP Friendly name: *Let Windows apps run in the background*
-- GP name: *LetAppsRunInBackground*
-- GP element: *LetAppsRunInBackground_Enum*
-- GP path: *Windows Components/App Privacy*
-- GP ADMX file name: *AppPrivacy.admx*
-
-
-
-The following list shows the supported values:
-
-- 0 – User in control (default).
-- 1 – Force allow.
-- 2 - Force deny.
-
-
-
-
-
    -
-
-**Privacy/LetAppsRunInBackground_ForceAllowTheseApps**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
    -
-
-
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
-
-
-
-ADMX Info:
-- GP Friendly name: *Let Windows apps run in the background*
-- GP name: *LetAppsRunInBackground*
-- GP element: *LetAppsRunInBackground_ForceAllowTheseApps_List*
-- GP path: *Windows Components/App Privacy*
-- GP ADMX file name: *AppPrivacy.admx*
-
-
-
-
-
    -
-
-**Privacy/LetAppsRunInBackground_ForceDenyTheseApps**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
    -
-
-
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability, to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
-
-
-
-ADMX Info:
-- GP Friendly name: *Let Windows apps run in the background*
-- GP name: *LetAppsRunInBackground*
-- GP element: *LetAppsRunInBackground_ForceDenyTheseApps_List*
-- GP path: *Windows Components/App Privacy*
-- GP ADMX file name: *AppPrivacy.admx*
-
-
-
-
-
    -
-
-**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
    -
-
-
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
-
-
-
-ADMX Info:
-- GP Friendly name: *Let Windows apps run in the background*
-- GP name: *LetAppsRunInBackground*
-- GP element: *LetAppsRunInBackground_UserInControlOfTheseApps_List*
-- GP path: *Windows Components/App Privacy*
-- GP ADMX file name: *AppPrivacy.admx*
-
-
-
-
-
    -
-
-**Privacy/LetAppsSyncWithDevices**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
    -
-
-
-Specifies whether Windows apps can sync with devices.
-
-Most restricted value is 2.
-
-
-
-ADMX Info:
-- GP Friendly name: *Let Windows apps communicate with unpaired devices*
-- GP name: *LetAppsSyncWithDevices*
-- GP element: *LetAppsSyncWithDevices_Enum*
-- GP path: *Windows Components/App Privacy*
-- GP ADMX file name: *AppPrivacy.admx*
-
-
-
-The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
-
-
-
    -
-
-**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
    -
-
-
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
-
-
-
-ADMX Info:
-- GP Friendly name: *Let Windows apps communicate with unpaired devices*
-- GP name: *LetAppsSyncWithDevices*
-- GP element: *LetAppsSyncWithDevices_ForceAllowTheseApps_List*
-- GP path: *Windows Components/App Privacy*
-- GP ADMX file name: *AppPrivacy.admx*
-
-
-
-
-
    -
-
-**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
    -
-
-
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
-
-
-
-ADMX Info:
-- GP Friendly name: *Let Windows apps communicate with unpaired devices*
-- GP name: *LetAppsSyncWithDevices*
-- GP element: *LetAppsSyncWithDevices_ForceDenyTheseApps_List*
-- GP path: *Windows Components/App Privacy*
-- GP ADMX file name: *AppPrivacy.admx*
-
-
-
-
-
    -
-
-**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
    -
-
-
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
-
-
-
-ADMX Info:
-- GP Friendly name: *Let Windows apps communicate with unpaired devices*
-- GP name: *LetAppsSyncWithDevices*
-- GP element: *LetAppsSyncWithDevices_UserInControlOfTheseApps_List*
-- GP path: *Windows Components/App Privacy*
-- GP ADMX file name: *AppPrivacy.admx*
-
-
-
-
-
    -
-
-**Privacy/PublishUserActivities**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
    -
-
-
-Allows IT Admins to enable publishing of user activities to the activity feed.
-
-
-
-ADMX Info:
-- GP Friendly name: *Allow publishing of User Activities*
-- GP name: *PublishUserActivities*
-- GP path: *System/OS Policies*
-- GP ADMX file name: *OSPolicy.admx*
-
-
-
-The following list shows the supported values:
-
-- 0 – Disabled. Apps/OS can't publish the *user activities*.
-- 1 – (default) Enabled. Apps/OS can publish the *user activities*.
-
-
-
-
-
    -
-
-**Privacy/UploadUserActivities**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
    -
-
-
-Allows ActivityFeed to upload published 'User Activities'.
-
-
-
-ADMX Info:
-- GP Friendly name: *Allow upload of User Activities*
-- GP name: *UploadUserActivities*
-- GP path: *System/OS Policies*
-- GP ADMX file name: *OSPolicy.admx*
-
-
-
-
    -
-
-
-## Related topics
-
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+> Be careful when you determine which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. If you turn off background activity for these types of apps, it could cause text message, email, and voicemail notifications to not function. This policy could also cause background email syncing to not function properly.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | . |
+| 1 | Force allow. |
+| 2 | Force deny. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LetAppsRunInBackground |
+| Friendly Name | Let Windows apps run in the background |
+| Element Name | Default for all apps |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
+
+
+
+
+
+
+
+
+
+## LetAppsRunInBackground_ForceAllowTheseApps
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsRunInBackground_ForceAllowTheseApps
+```
+
+
+
+
+List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LetAppsRunInBackground |
+| Friendly Name | Let Windows apps run in the background |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
+
+
+
+
+
+
+
+
+
+## LetAppsRunInBackground_ForceDenyTheseApps
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsRunInBackground_ForceDenyTheseApps
+```
+
+
+
+
+List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LetAppsRunInBackground |
+| Friendly Name | Let Windows apps run in the background |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
+
+
+
+
+
+
+
+
+
+## LetAppsRunInBackground_UserInControlOfTheseApps
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsRunInBackground_UserInControlOfTheseApps
+```
+
+
+
+
+List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LetAppsRunInBackground |
+| Friendly Name | Let Windows apps run in the background |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
+
+
+
+
+
+
+
+
+
+## LetAppsSyncWithDevices
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsSyncWithDevices
+```
+
+
+
+
+This policy setting specifies whether Windows apps can communicate with unpaired wireless devices.
+
+
+
+
+
+The most restrictive value is `2` to deny apps syncing with devices.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | User in control. |
+| 1 | Force allow. |
+| 2 | Force deny. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LetAppsSyncWithDevices |
+| Friendly Name | Let Windows apps communicate with unpaired devices |
+| Element Name | Default for all apps |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
+
+
+
+
+
+
+
+
+
+## LetAppsSyncWithDevices_ForceAllowTheseApps
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps
+```
+
+
+
+
+List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LetAppsSyncWithDevices |
+| Friendly Name | Let Windows apps communicate with unpaired devices |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
+
+
+
+
+
+
+
+
+
+## LetAppsSyncWithDevices_ForceDenyTheseApps
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps
+```
+
+
+
+
+List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LetAppsSyncWithDevices |
+| Friendly Name | Let Windows apps communicate with unpaired devices |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
+
+
+
+
+
+
+
+
+
+## LetAppsSyncWithDevices_UserInControlOfTheseApps
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps
+```
+
+
+
+
+List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LetAppsSyncWithDevices |
+| Friendly Name | Let Windows apps communicate with unpaired devices |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
+
+
+
+
+
+
+
+
+
+## PublishUserActivities
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Privacy/PublishUserActivities
+```
+
+
+
+
+This policy setting determines whether User Activities can be published.
+- If you enable this policy setting, activities of type User Activity are allowed to be published.
+- If you disable this policy setting, activities of type User Activity are not allowed to be published.
+Policy change takes effect immediately.
+
+
+
+
+
+For more information, see [Windows activity history and your privacy](https://support.microsoft.com/windows/-windows-activity-history-and-your-privacy-2b279964-44ec-8c2f-e0c2-6779b07d2cbd).
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disabled. Apps/OS can't publish the user activities. |
+| 1 (Default) | Enabled. Apps/OS can publish the user activities. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | PublishUserActivities |
+| Friendly Name | Allow publishing of User Activities |
+| Location | Computer Configuration |
+| Path | System > OS Policies |
+| Registry Key Name | Software\Policies\Microsoft\Windows\System |
+| Registry Value Name | PublishUserActivities |
+| ADMX File Name | OSPolicy.admx |
+
+
+
+
+
+
+
+
+
+## UploadUserActivities
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Privacy/UploadUserActivities
+```
+
+
+
+
+This policy setting determines whether published User Activities can be uploaded.
+- If you enable this policy setting, activities of type User Activity are allowed to be uploaded.
+- If you disable this policy setting, activities of type User Activity are not allowed to be uploaded.
+Deletion of activities of type User Activity are independent of this setting.
+Policy change takes effect immediately.
+
+
+
+
+
+For more information, see [Windows activity history and your privacy](https://support.microsoft.com/windows/-windows-activity-history-and-your-privacy-2b279964-44ec-8c2f-e0c2-6779b07d2cbd).
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | UploadUserActivities |
+| Friendly Name | Allow upload of User Activities |
+| Location | Computer Configuration |
+| Path | System > OS Policies |
+| Registry Key Name | Software\Policies\Microsoft\Windows\System |
+| Registry Value Name | UploadUserActivities |
+| ADMX File Name | OSPolicy.admx |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index 28e5beb835..4cfd15a4b7 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
    @@ -1,289 +1,327 @@
 ---
-title: Policy CSP - RemoteAssistance
-description: Learn how the Policy CSP - RemoteAssistance setting allows you to specify a custom message to display.
+title: RemoteAssistance Policy CSP
+description: Learn more about the RemoteAssistance Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - RemoteAssistance
-
    -
-
-## RemoteAssistance policies
-
-
    -
    - RemoteAssistance/CustomizeWarningMessages
-
    -
    - RemoteAssistance/SessionLogging
-
    -
    - RemoteAssistance/SolicitedRemoteAssistance
-
    -
    - RemoteAssistance/UnsolicitedRemoteAssistance
-
    -
    -
 > [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
    +
+
+
-
-**RemoteAssistance/CustomizeWarningMessages**
+
+## CustomizeWarningMessages
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/CustomizeWarningMessages
+```
+
-
-
    -
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
    -
-
-
+
+
 This policy setting lets you customize warning messages.
-The "Display warning message before sharing control" policy setting allows you to specify a custom message, to display before users share control of their computers.
+The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.
-The "Display warning message before connecting" policy setting allows you to specify a custom message, to display before users allow a connection to their computers.
+The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer.
-If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice.
+- If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice.
-If you disable this policy setting, the user sees the default warning message.
+- If you disable this policy setting, the user sees the default warning message.
-If you don't configure this policy setting, the user sees the default warning message.
+- If you do not configure this policy setting, the user sees the default warning message.
+
-
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Customize warning messages*
-- GP name: *RA_Options*
-- GP path: *System/Remote Assistance*
-- GP ADMX file name: *remoteassistance.admx*
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteAssistance/SessionLogging** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RA_Options | +| Friendly Name | Customize warning messages | +| Location | Computer Configuration | +| Path | System > Remote Assistance | +| Registry Key Name | Software\policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UseCustomMessages | +| ADMX File Name | RemoteAssistance.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SessionLogging -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/SessionLogging +``` + - - + + This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. -If you enable this policy setting, log files are generated. +- If you enable this policy setting, log files are generated. -If you disable this policy setting, log files aren't generated. +- If you disable this policy setting, log files are not generated. -If you don't configure this setting, application-based settings are used. +- If you do not configure this setting, application-based settings are used. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on session logging* -- GP name: *RA_Logging* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteAssistance/SolicitedRemoteAssistance** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RA_Logging | +| Friendly Name | Turn on session logging | +| Location | Computer Configuration | +| Path | System > Remote Assistance | +| Registry Key Name | Software\policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | LoggingEnabled | +| ADMX File Name | RemoteAssistance.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SolicitedRemoteAssistance -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/SolicitedRemoteAssistance +``` + - - + + This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. -If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure more Remote Assistance settings. +- If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings. -If you disable this policy setting, users on this computer can't use email or file transfer to ask someone for help. Also, users can't use instant messaging programs to allow connections to this computer. +- If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer. -If you don't configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. +- If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. -If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." +- If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." 
The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. -The "Select the method for sending email invitations" setting specifies which email standard to use, to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting isn't available in Windows Vista, since SMAPI is the only method supported. +The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported. -If you enable this policy setting, you should also enable appropriate firewall exceptions to allow Remote Assistance communications. +- If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. + - + + + - -ADMX Info: -- GP Friendly name: *Configure Solicited Remote Assistance* -- GP name: *RA_Solicit* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteAssistance/UnsolicitedRemoteAssistance** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RA_Solicit | +| Friendly Name | Configure Solicited Remote Assistance | +| Location | Computer Configuration | +| Path | System > Remote Assistance | +| Registry Key Name | Software\policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fAllowToGetHelp | +| ADMX File Name | RemoteAssistance.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## UnsolicitedRemoteAssistance -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/UnsolicitedRemoteAssistance +``` + - - + + This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. -If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. +- If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. -If you disable this policy setting, users on this computer can't get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. +- If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. -If you don't configure this policy setting, users on this computer can't get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. +- If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. -If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. +- If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. To configure the list of helpers, click "Show." 
In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format: -`\` or +``\\`` or -`\` +``\\`` -If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you're running. +- If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running. Windows Vista and later Enable the Remote Assistance exception for the domain profile. The exception must contain: - -- Port 135:TCP -- %WINDIR%\System32\msra.exe -- %WINDIR%\System32\raserver.exe +Port 135:TCP +%WINDIR%\System32\msra.exe +%WINDIR%\System32\raserver.exe Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1) -- Port 135:TCP -- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -- %WINDIR%\System32\Sessmgr.exe +Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +%WINDIR%\System32\Sessmgr.exe For computers running Windows Server 2003 with Service Pack 1 (SP1) -- Port 135:TCP -- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -- Allow Remote Desktop Exception +Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +Allow Remote Desktop Exception + - + + + - -ADMX Info: -- GP Friendly name: *Configure Offer Remote Assistance* -- GP name: *RA_Unsolicit* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | RA_Unsolicit | +| Friendly Name | Configure Offer Remote Assistance | +| Location | Computer Configuration | +| Path | System > Remote Assistance | +| Registry Key Name | Software\policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fAllowUnsolicited | +| ADMX File Name | RemoteAssistance.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md index 364443eae5..a82841ffd5 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktop.md +++ b/windows/client-management/mdm/policy-csp-remotedesktop.md @@ -1,119 +1,140 @@ --- -title: Policy CSP - RemoteDesktop -description: Learn how the Policy CSP - RemoteDesktop setting allows you to specify a custom message to display. +title: RemoteDesktop Policy CSP +description: Learn more about the RemoteDesktop Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - RemoteDesktop -
    + + + - -## RemoteDesktop policies -> [!Warning] -> Some information relates to prerelease products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +## AutoSubscription -
    -
    - RemoteDesktop/AutoSubscription -
    -
    - RemoteDesktop/LoadAadCredKeyFromProfile -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1370] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1370] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1370] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1370] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/RemoteDesktop/AutoSubscription +``` + - -**RemoteDesktop/AutoSubscription** + + +Controls the list of URLs that the user should be auto-subscribed to + - + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +This policy lets you enable automatic subscription for the Microsoft Remote Desktop client. If you define this policy, the client uses the specified URL to subscribe the signed-in user and retrieve the remote resources assigned to them. - -
    +To automatically subscribe to [Azure Virtual Desktop](/azure/virtual-desktop/overview) in the Azure public cloud, set the URL to `https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery`. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + -
    + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | AutoSubscription | +| Friendly Name | Enable auto-subscription | +| Location | User Configuration | +| Path | AutoSubscription | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AutoSubscription | +| ADMX File Name | TerminalServer.admx | + -This policy allows administrators to enable automatic subscription for the Microsoft Remote Desktop client. If you define this policy, the specified URL is used by the client to subscribe the logged on user and retrieve the remote resources assigned to them. To automatically subscribe to Azure Virtual Desktop in the Azure Public cloud, set the URL to `https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery`. + + + - + - + +## LoadAadCredKeyFromProfile -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**RemoteDesktop/LoadAadCredKeyFromProfile** + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktop/LoadAadCredKeyFromProfile +``` + - + + +Allow encrypted DPAPI cred keys to be loaded from user profiles for AAD accounts. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + - -
    +This policy allows the user to load the data protection API (DPAPI) cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using [FSLogix user profiles](/fslogix/overview) from Azure AD-joined VMs. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - - -This policy allows the user to load the DPAPI cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using FSLogix user profiles from Azure AD-joined VMs. +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + - + + + - -The following list shows the supported values: + -- 0 (default) - Disabled. -- 1 - Enabled. + + + - + - +## Related articles -
    - - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 20e9afc122..2a7bf33c7f 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -1,423 +1,490 @@ --- -title: Policy CSP - RemoteDesktopServices -description: Learn how the Policy CSP - RemoteDesktopServices setting allows you to configure remote access to computers by using Remote Desktop Services. +title: RemoteDesktopServices Policy CSP +description: Learn more about the RemoteDesktopServices Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - RemoteDesktopServices -
    - - -## RemoteDesktopServices policies - -
    -
    - RemoteDesktopServices/AllowUsersToConnectRemotely -
    -
    - RemoteDesktopServices/ClientConnectionEncryptionLevel -
    -
    - RemoteDesktopServices/DoNotAllowDriveRedirection -
    -
    - RemoteDesktopServices/DoNotAllowPasswordSaving -
    -
    -
    - RemoteDesktopServices/DoNotAllowWebAuthnRedirection -
    - RemoteDesktopServices/PromptForPasswordUponConnection - -
    - RemoteDesktopServices/RequireSecureRPCCommunication -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**RemoteDesktopServices/AllowUsersToConnectRemotely** + +## AllowUsersToConnectRemotely - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to configure remote access to computers by using Remote Desktop Services. -If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services. +- If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services. -If you disable this policy setting, users can't connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but won't accept any new incoming connections. +- If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections. -If you don't configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections aren't allowed. +- If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed. > [!NOTE] > You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. 
You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. + - + + + - -ADMX Info: -- GP Friendly name: *Allow users to connect remotely by using Remote Desktop Services* -- GP name: *TS_DISABLE_CONNECTIONS* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections* -- GP ADMX file name: *terminalserver.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteDesktopServices/ClientConnectionEncryptionLevel** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_DISABLE_CONNECTIONS | +| Friendly Name | Allow users to connect remotely by using Remote Desktop Services | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ClientConnectionEncryptionLevel -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/ClientConnectionEncryptionLevel +``` + - - -Specifies whether it requires the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption. + + +Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. -If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: +- If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: -* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that don't support this encryption level can't connect to RD Session Host servers. +* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. 
Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers. -* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that don't support 128-bit encryption. +* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption. * Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption. -If you disable or don't configure this setting, the encryption level to be used for remote connections to RD Session Host servers isn't enforced through Group Policy. +- If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy. -> [!IMPORTANT] -> FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level, when communications between clients and RD Session Host servers requires the highest level of encryption. +**Important** - +FIPS compliance can be configured through the System cryptography. 
Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. + - -ADMX Info: -- GP Friendly name: *Set client connection encryption level* -- GP name: *TS_ENCRYPTION_POLICY* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* -- GP ADMX file name: *terminalserver.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**RemoteDesktopServices/DoNotAllowDriveRedirection** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_ENCRYPTION_POLICY | +| Friendly Name | Set client connection encryption level | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DoNotAllowDriveRedirection -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowDriveRedirection +``` + + + + This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format `` on ``. You can use this policy setting to override this behavior. -If you enable this policy setting, client drive redirection isn't allowed in Remote Desktop Services sessions, and Clipboard file copy redirection isn't allowed on computers running Windows Server 2019 and Windows 10. +- If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows XP, Windows Server 2003, Windows Server 2012 (and later) or Windows 8 (and later). -If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. +- If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. -If you don't configure this policy setting, client drive redirection and Clipboard file copy redirection aren't specified at the Group Policy level. +- If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Do not allow drive redirection* -- GP name: *TS_CLIENT_DRIVE_M* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection* -- GP ADMX file name: *terminalserver.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteDesktopServices/DoNotAllowPasswordSaving** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_DRIVE_M | +| Friendly Name | Do not allow drive redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableCdm | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotAllowPasswordSaving -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowPasswordSaving +``` + - - + + Controls whether passwords can be saved on this computer from Remote Desktop Connection. -If you enable this setting, the password-saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves their settings, any password that previously existed in the RDP file will be deleted. +- If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. -If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. +- If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow passwords to be saved* -- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client* -- GP ADMX file name: *terminalserver.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteDesktopServices/DoNotAllowWebAuthnRedirection** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_DISABLE_PASSWORD_SAVING_2 | +| Friendly Name | Do not allow passwords to be saved | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | DisablePasswordSaving | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotAllowWebAuthnRedirection -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowWebAuthnRedirection +``` + - - -This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other). + + +This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other). By default, Remote Desktop allows redirection of WebAuthn requests. -If you enable this policy setting, users can’t use their local authenticator inside the Remote Desktop session. +- If you enable this policy setting, users can't use their local authenticator inside the Remote Desktop session. -If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session. +- If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session. + -If you don't configure this policy setting, users can use local authenticators inside the Remote Desktop session. - + + + - -ADMX Info: -- GP Friendly name: *Do not allow WebAuthn redirection* -- GP name: *TS_WEBAUTHN* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection* -- GP ADMX file name: *terminalserver.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteDesktopServices/PromptForPasswordUponConnection** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_WEBAUTHN | +| Friendly Name | Do not allow WebAuthn redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableWebAuthn | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PromptForPasswordUponConnection -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/PromptForPasswordUponConnection +``` + - - + + This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. -By default, Remote Desktop Services allows users to automatically sign in by entering a password in the Remote Desktop Connection client. +By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client. -If you enable this policy setting, users can't automatically sign in to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They're prompted for a password to sign in. +- If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on. -If you disable this policy setting, users can always sign in to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client. +- If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client. -If you don't configure this policy setting, automatic logon isn't specified at the Group Policy level. +- If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Always prompt for password upon connection* -- GP name: *TS_PASSWORD* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* -- GP ADMX file name: *terminalserver.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteDesktopServices/RequireSecureRPCCommunication** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_PASSWORD | +| Friendly Name | Always prompt for password upon connection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fPromptForPassword | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RequireSecureRPCCommunication -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/RequireSecureRPCCommunication +``` + - - + + Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. -If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and doesn't allow unsecured communication with untrusted clients. +If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients. -If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that don't respond to the request. +If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request. If the status is set to Not Configured, unsecured communication is allowed. > [!NOTE] > The RPC interface is used for administering and configuring Remote Desktop Services. + - + + + - -ADMX Info: -- GP Friendly name: *Require secure RPC communication* -- GP name: *TS_RPC_ENCRYPTION* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* -- GP ADMX file name: *terminalserver.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_RPC_ENCRYPTION | +| Friendly Name | Require secure RPC communication | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fEncryptRPCTraffic | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index 357f2c463f..1545ea14b2 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -1,816 +1,965 @@ --- -title: Policy CSP - RemoteManagement -description: Learn how the Policy CSP - RemoteManagement setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. +title: RemoteManagement Policy CSP +description: Learn more about the RemoteManagement Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - RemoteManagement -
    - - -## RemoteManagement policies - -
    -
    - RemoteManagement/AllowBasicAuthentication_Client -
    -
    - RemoteManagement/AllowBasicAuthentication_Service -
    -
    - RemoteManagement/AllowCredSSPAuthenticationClient -
    -
    - RemoteManagement/AllowCredSSPAuthenticationService -
    -
    - RemoteManagement/AllowRemoteServerManagement -
    -
    - RemoteManagement/AllowUnencryptedTraffic_Client -
    -
    - RemoteManagement/AllowUnencryptedTraffic_Service -
    -
    - RemoteManagement/DisallowDigestAuthentication -
    -
    - RemoteManagement/DisallowNegotiateAuthenticationClient -
    -
    - RemoteManagement/DisallowNegotiateAuthenticationService -
    -
    - RemoteManagement/DisallowStoringOfRunAsCredentials -
    -
    - RemoteManagement/SpecifyChannelBindingTokenHardeningLevel -
    -
    - RemoteManagement/TrustedHosts -
    -
    - RemoteManagement/TurnOnCompatibilityHTTPListener -
    -
    - RemoteManagement/TurnOnCompatibilityHTTPSListener -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**RemoteManagement/AllowBasicAuthentication_Client** + +## AllowBasicAuthentication_Client - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowBasicAuthentication_Client +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. -If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text. +- If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text. -If you disable or don't configure this policy setting, the WinRM client doesn't use Basic authentication. +- If you disable or do not configure this policy setting, the WinRM client does not use Basic authentication. + - + + + - -ADMX Info: -- GP Friendly name: *Allow Basic authentication* -- GP name: *AllowBasic_2* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteManagement/AllowBasicAuthentication_Service** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowBasic_2 | +| Friendly Name | Allow Basic authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client | +| Registry Value Name | AllowBasic | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowBasicAuthentication_Service -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowBasicAuthentication_Service +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. -If you enable this policy setting, the WinRM service accepts Basic authentication from a remote client. +- If you enable this policy setting, the WinRM service accepts Basic authentication from a remote client. -If you disable or don't configure this policy setting, the WinRM service doesn't accept Basic authentication from a remote client. +- If you disable or do not configure this policy setting, the WinRM service does not accept Basic authentication from a remote client. + - + + + - -ADMX Info: -- GP Friendly name: *Allow Basic authentication* -- GP name: *AllowBasic_1* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteManagement/AllowCredSSPAuthenticationClient** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowBasic_1 | +| Friendly Name | Allow Basic authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | AllowBasic | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowCredSSPAuthenticationClient -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowCredSSPAuthenticationClient +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses CredSSP authentication. -If you enable this policy setting, the WinRM client uses CredSSP authentication. +- If you enable this policy setting, the WinRM client uses CredSSP authentication. -If you disable or don't configure this policy setting, the WinRM client doesn't use CredSSP authentication. +- If you disable or do not configure this policy setting, the WinRM client does not use CredSSP authentication. + - + + + - -ADMX Info: -- GP Friendly name: *Allow CredSSP authentication* -- GP name: *AllowCredSSP_2* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteManagement/AllowCredSSPAuthenticationService** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowCredSSP_2 | +| Friendly Name | Allow CredSSP authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client | +| Registry Value Name | AllowCredSSP | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowCredSSPAuthenticationService -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowCredSSPAuthenticationService +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts CredSSP authentication from a remote client. -If you enable this policy setting, the WinRM service accepts CredSSP authentication from a remote client. +- If you enable this policy setting, the WinRM service accepts CredSSP authentication from a remote client. -If you disable or don't configure this policy setting, the WinRM service doesn't accept CredSSP authentication from a remote client. +- If you disable or do not configure this policy setting, the WinRM service does not accept CredSSP authentication from a remote client. + - + + + - -ADMX Info: -- GP Friendly name: *Allow CredSSP authentication* -- GP name: *AllowCredSSP_1* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteManagement/AllowRemoteServerManagement** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowCredSSP_1 | +| Friendly Name | Allow CredSSP authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | AllowCredSSP | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowRemoteServerManagement -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowRemoteServerManagement +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. -If you enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP port. +- If you enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP port. To allow WinRM service to receive requests over the network, configure the Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP). -If you disable or don't configure this policy setting, the WinRM service won't respond to requests from a remote computer, regardless of whether or not any WinRM listeners are configured. +- If you disable or do not configure this policy setting, the WinRM service will not respond to requests from a remote computer, regardless of whether or not any WinRM listeners are configured. The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges. -You should use an asterisk (\*) to indicate that the service listens on all available IP addresses on the computer. When \* is used, other ranges in the filter are ignored. If the filter is left blank, the service doesn't listen on any addresses. +You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. 
If the filter is left blank, the service does not listen on any addresses. For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty. Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated using "," (comma) as the delimiter. Example IPv4 filters:\n2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22 -Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 +Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3. FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 + - + + + - -ADMX Info: -- GP Friendly name: *Allow remote server management through WinRM* -- GP name: *AllowAutoConfig* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteManagement/AllowUnencryptedTraffic_Client** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowAutoConfig | +| Friendly Name | Allow remote server management through WinRM | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | AllowAutoConfig | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowUnencryptedTraffic_Client -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowUnencryptedTraffic_Client +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. -If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. +- If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. -If you disable or don't configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. +- If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. + - + + + - -ADMX Info: -- GP Friendly name: *Allow unencrypted traffic* -- GP name: *AllowUnencrypted_2* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteManagement/AllowUnencryptedTraffic_Service** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowUnencrypted_2 | +| Friendly Name | Allow unencrypted traffic | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client | +| Registry Value Name | AllowUnencryptedTraffic | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowUnencryptedTraffic_Service -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowUnencryptedTraffic_Service +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. -If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. +- If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. -If you disable or don't configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. +- If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. + - + + + - -ADMX Info: -- GP Friendly name: *Allow unencrypted traffic* -- GP name: *AllowUnencrypted_1* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteManagement/DisallowDigestAuthentication** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowUnencrypted_1 | +| Friendly Name | Allow unencrypted traffic | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | AllowUnencryptedTraffic | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisallowDigestAuthentication -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/DisallowDigestAuthentication +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication. -If you enable this policy setting, the WinRM client doesn't use Digest authentication. +- If you enable this policy setting, the WinRM client does not use Digest authentication. -If you disable or don't configure this policy setting, the WinRM client uses Digest authentication. +- If you disable or do not configure this policy setting, the WinRM client uses Digest authentication. + - + + + - -ADMX Info: -- GP Friendly name: *Disallow Digest authentication* -- GP name: *DisallowDigest* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteManagement/DisallowNegotiateAuthenticationClient** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisallowDigest | +| Friendly Name | Disallow Digest authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client | +| Registry Value Name | AllowDigest | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisallowNegotiateAuthenticationClient -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/DisallowNegotiateAuthenticationClient +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Negotiate authentication. -If you enable this policy setting, the WinRM client doesn't use Negotiate authentication. +- If you enable this policy setting, the WinRM client does not use Negotiate authentication. -If you disable or don't configure this policy setting, the WinRM client uses Negotiate authentication. +- If you disable or do not configure this policy setting, the WinRM client uses Negotiate authentication. + - + + + - -ADMX Info: -- GP Friendly name: *Disallow Negotiate authentication* -- GP name: *DisallowNegotiate_2* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteManagement/DisallowNegotiateAuthenticationService** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisallowNegotiate_2 | +| Friendly Name | Disallow Negotiate authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client | +| Registry Value Name | AllowNegotiate | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisallowNegotiateAuthenticationService -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/DisallowNegotiateAuthenticationService +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Negotiate authentication from a remote client. -If you enable this policy setting, the WinRM service doesn't accept Negotiate authentication from a remote client. +- If you enable this policy setting, the WinRM service does not accept Negotiate authentication from a remote client. -If you disable or don't configure this policy setting, the WinRM service accepts Negotiate authentication from a remote client. +- If you disable or do not configure this policy setting, the WinRM service accepts Negotiate authentication from a remote client. + - + + + - -ADMX Info: -- GP Friendly name: *Disallow Negotiate authentication* -- GP name: *DisallowNegotiate_1* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteManagement/DisallowStoringOfRunAsCredentials** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisallowNegotiate_1 | +| Friendly Name | Disallow Negotiate authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | AllowNegotiate | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisallowStoringOfRunAsCredentials -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/DisallowStoringOfRunAsCredentials +``` + - - -This policy setting allows you to manage whether the Windows Remote Management (WinRM) service won't allow RunAs credentials to be stored for any plug-ins. + + +This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. -If you enable this policy setting, the WinRM service won't allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer. +- If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer. -If you disable or don't configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely. +- If you disable or do not configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely. -If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset. +If you enable and then disable this policy setting,any values that were previously configured for RunAsPassword will need to be reset. 
+ - + + + - -ADMX Info: -- GP Friendly name: *Disallow WinRM from storing RunAs credentials* -- GP name: *DisableRunAs* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteManagement/SpecifyChannelBindingTokenHardeningLevel** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableRunAs | +| Friendly Name | Disallow WinRM from storing RunAs credentials | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | DisableRunAs | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyChannelBindingTokenHardeningLevel -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/SpecifyChannelBindingTokenHardeningLevel +``` + - - -This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service regarding channel binding tokens. + + +This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service with regard to channel binding tokens. -If you enable this policy setting, the WinRM service uses the level specified in HardeningLevel to determine whether or not to accept a received request, based on a supplied channel binding token. +- If you enable this policy setting, the WinRM service uses the level specified in HardeningLevel to determine whether or not to accept a received request, based on a supplied channel binding token. -If you disable or don't configure this policy setting, you can configure the hardening level locally on each computer. +- If you disable or do not configure this policy setting, you can configure the hardening level locally on each computer. If HardeningLevel is set to Strict, any request not containing a valid channel binding token is rejected. -If HardeningLevel is set to Relaxed (default value), any request containing an invalid channel binding token is rejected. However, a request that doesn't contain a channel binding token is accepted (though it isn't protected from credential-forwarding attacks). +If HardeningLevel is set to Relaxed (default value), any request containing an invalid channel binding token is rejected. However, a request that does not contain a channel binding token is accepted (though it is not protected from credential-forwarding attacks). -If HardeningLevel is set to None, all requests are accepted (though they aren't protected from credential-forwarding attacks). +If HardeningLevel is set to None, all requests are accepted (though they are not protected from credential-forwarding attacks). 
+ - + + + - -ADMX Info: -- GP Friendly name: *Specify channel binding token hardening level* -- GP name: *CBTHardeningLevel_1* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteManagement/TrustedHosts** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CBTHardeningLevel_1 | +| Friendly Name | Specify channel binding token hardening level | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | CBTHardeningLevelStatus | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedHosts -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/TrustedHosts +``` + - - -This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine, if the destination host is a trusted entity. + + +This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. -If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine, if the destination host is a trusted entity. The WinRM client uses this list when HTTPS or Kerberos is used to authenticate the identity of the host. +- If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. The WinRM client uses this list when neither HTTPS nor Kerberos are used to authenticate the identity of the host. -If you disable or don't configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer. +- If you disable or do not configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer. + - + + + - -ADMX Info: -- GP Friendly name: *Trusted Hosts* -- GP name: *TrustedHosts* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteManagement/TurnOnCompatibilityHTTPListener** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TrustedHosts | +| Friendly Name | Trusted Hosts | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client | +| Registry Value Name | TrustedHosts | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TurnOnCompatibilityHTTPListener -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/TurnOnCompatibilityHTTPListener +``` + - - + + This policy setting turns on or turns off an HTTP listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service. -If you enable this policy setting, the HTTP listener always appears. +- If you enable this policy setting, the HTTP listener always appears. -If you disable or don't configure this policy setting, the HTTP listener never appears. +- If you disable or do not configure this policy setting, the HTTP listener never appears. When certain port 80 listeners are migrated to WinRM 2.0, the listener port number changes to 5985. A listener might be automatically created on port 80 to ensure backward compatibility. + - + + + - -ADMX Info: -- GP Friendly name: *Turn On Compatibility HTTP Listener* -- GP name: *HttpCompatibilityListener* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteManagement/TurnOnCompatibilityHTTPSListener** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HttpCompatibilityListener | +| Friendly Name | Turn On Compatibility HTTP Listener | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | HttpCompatibilityListener | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TurnOnCompatibilityHTTPSListener -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/TurnOnCompatibilityHTTPSListener +``` + - - + + This policy setting turns on or turns off an HTTPS listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service. -If you enable this policy setting, the HTTPS listener always appears. +- If you enable this policy setting, the HTTPS listener always appears. -If you disable or don't configure this policy setting, the HTTPS listener never appears. +- If you disable or do not configure this policy setting, the HTTPS listener never appears. When certain port 443 listeners are migrated to WinRM 2.0, the listener port number changes to 5986. A listener might be automatically created on port 443 to ensure backward compatibility. + - + + + - -ADMX Info: -- GP Friendly name: *Turn On Compatibility HTTPS Listener* -- GP name: *HttpsCompatibilityListener* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | HttpsCompatibilityListener | +| Friendly Name | Turn On Compatibility HTTPS Listener | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | HttpsCompatibilityListener | +| ADMX File Name | WindowsRemoteManagement.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index 2b7d68dc7e..fc904f741b 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md 
@@ -1,130 +1,56 @@ --- -title: Policy CSP - RemoteProcedureCall -description: The Policy CSP - RemoteProcedureCall setting controls whether RPC clients authenticate when the call they're making contains authentication information. +title: RemoteProcedureCall Policy CSP +description: Learn more about the RemoteProcedureCall Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - RemoteProcedureCall -
    - - -## RemoteProcedureCall policies - -
    -
    - RemoteProcedureCall/RPCEndpointMapperClientAuthentication -
    -
    - RemoteProcedureCall/RestrictUnauthenticatedRPCClients -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**RemoteProcedureCall/RPCEndpointMapperClientAuthentication** + +## RestrictUnauthenticatedRPCClients - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteProcedureCall/RestrictUnauthenticatedRPCClients +``` + - -
    + + +This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller. -> [!div class = "checklist"] -> * Device +- If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting. -
    +- If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting. - - -This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service, when the call they're making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) can't process authentication information supplied in this manner. - -If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. - -If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won't be able to communicate with the Windows NT4 Server Endpoint Mapper Service. - -If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Windows NT4 Server Endpoint Mapper Service. - -> [!NOTE] -> This policy won't be applied until the system is rebooted. - - - - -ADMX Info: -- GP Friendly name: *Enable RPC Endpoint Mapper Client Authentication* -- GP name: *RpcEnableAuthEpResolution* -- GP path: *System/Remote Procedure Call* -- GP ADMX file name: *rpc.admx* - - - - -
    - - -**RemoteProcedureCall/RestrictUnauthenticatedRPCClients** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls, how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. - -This policy setting impacts all RPC applications. In a domain environment, this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller. - -If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting. - -If you don't configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client, and the value of "None" used for Server SKUs that support this policy setting. - -If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. +- If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. 
- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. @@ -133,23 +59,115 @@ If you enable this policy setting, it directs the RPC server runtime to restrict - "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. > [!NOTE] -> This policy setting won't be applied until the system is rebooted. +> This policy setting will not be applied until the system is rebooted. + - + + + - -ADMX Info: -- GP Friendly name: *Restrict Unauthenticated RPC clients* -- GP name: *RpcRestrictRemoteClients* -- GP path: *System/Remote Procedure Call* -- GP ADMX file name: *rpc.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | RpcRestrictRemoteClients | +| Friendly Name | Restrict Unauthenticated RPC clients | +| Location | Computer Configuration | +| Path | System > Remote Procedure Call | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc | +| ADMX File Name | RPC.admx | + + + + + + + + + +## RPCEndpointMapperClientAuthentication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteProcedureCall/RPCEndpointMapperClientAuthentication +``` + + + + +This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. + +- If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. + +- If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service. + +- If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service. + +> [!NOTE] +> This policy will not be applied until the system is rebooted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RpcEnableAuthEpResolution | +| Friendly Name | Enable RPC Endpoint Mapper Client Authentication | +| Location | Computer Configuration | +| Path | System > Remote Procedure Call | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc | +| Registry Value Name | EnableAuthEpResolution | +| ADMX File Name | RPC.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index dcb0d50872..35fe66ae1a 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -1,391 +1,454 @@ --- -title: Policy CSP - RemoteShell -description: Learn details about the Policy CSP - RemoteShell setting so that you can configure access to remote shells. +title: RemoteShell Policy CSP +description: Learn more about the RemoteShell Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - RemoteShell -
    - - -## RemoteShell policies - -
    -
    - RemoteShell/AllowRemoteShellAccess -
    -
    - RemoteShell/MaxConcurrentUsers -
    -
    - RemoteShell/SpecifyIdleTimeout -
    -
    - RemoteShell/SpecifyMaxMemory -
    -
    - RemoteShell/SpecifyMaxProcesses -
    -
    - RemoteShell/SpecifyMaxRemoteShells -
    -
    - RemoteShell/SpecifyShellTimeout -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**RemoteShell/AllowRemoteShellAccess** + +## AllowRemoteShellAccess - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteShell/AllowRemoteShellAccess +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting configures access to remote shells. -If you enable or do not configure this policy setting, new remote shell connections are accepted by the server. +- If you enable or do not configure this policy setting, new remote shell connections are accepted by the server. -If you set this policy to ‘disabled’, new remote shell connections are rejected by the server. +If you set this policy to 'disabled', new remote shell connections are rejected by the server. + - + + + - -ADMX Info: -- GP Friendly name: *Allow Remote Shell Access* -- GP name: *AllowRemoteShellAccess* -- GP path: *Windows Components/Windows Remote Shell* -- GP ADMX file name: *WindowsRemoteShell.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteShell/MaxConcurrentUsers** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowRemoteShellAccess | +| Friendly Name | Allow Remote Shell Access | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Shell | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS | +| Registry Value Name | AllowRemoteShellAccess | +| ADMX File Name | WindowsRemoteShell.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MaxConcurrentUsers -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteShell/MaxConcurrentUsers +``` + - - + + This policy setting configures the maximum number of users able to concurrently perform remote shell operations on the system. The value can be any number from 1 to 100. -If you enable this policy setting, the new shell connections are rejected if they exceed the specified limit. +- If you enable this policy setting, the new shell connections are rejected if they exceed the specified limit. -If you disable or do not configure this policy setting, the default number is five users. +- If you disable or do not configure this policy setting, the default number is five users. + - + + + - -ADMX Info: -- GP Friendly name: *MaxConcurrentUsers* -- GP name: *MaxConcurrentUsers* -- GP path: *Windows Components/Windows Remote Shell* -- GP ADMX file name: *WindowsRemoteShell.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteShell/SpecifyIdleTimeout** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxConcurrentUsers | +| Friendly Name | MaxConcurrentUsers | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Shell | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS | +| ADMX File Name | WindowsRemoteShell.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyIdleTimeout -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteShell/SpecifyIdleTimeout +``` + - - -This policy setting configures the maximum time in milliseconds, and remote shell will stay open without any user activity until it is automatically deleted. + + +This policy setting configures the maximum time in milliseconds remote shell will stay open without any user activity until it is automatically deleted. Any value from 0 to 0x7FFFFFFF can be set. A minimum of 60000 milliseconds (1 minute) is used for smaller values. -If you enable this policy setting, the server will wait for the specified amount of time since the last received message from the client before terminating the open shell. +- If you enable this policy setting, the server will wait for the specified amount of time since the last received message from the client before terminating the open shell. If you do not configure or disable this policy setting, the default value of 900000 or 15 min will be used. + - + + + - -ADMX Info: -- GP Friendly name: *Specify idle Timeout* -- GP name: *IdleTimeout* -- GP path: *Windows Components/Windows Remote Shell* -- GP ADMX file name: *WindowsRemoteShell.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteShell/SpecifyMaxMemory** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IdleTimeout | +| Friendly Name | Specify idle Timeout | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Shell | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS | +| ADMX File Name | WindowsRemoteShell.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyMaxMemory -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteShell/SpecifyMaxMemory +``` + - - + + This policy setting configures the maximum total amount of memory in megabytes that can be allocated by any active remote shell and all its child processes. Any value from 0 to 0x7FFFFFFF can be set, where 0 equals unlimited memory, which means the ability of remote operations to allocate memory is only limited by the available virtual memory. -If you enable this policy setting, the remote operation is terminated when a new allocation exceeds the specified quota. +- If you enable this policy setting, the remote operation is terminated when a new allocation exceeds the specified quota. -If you disable or do not configure this policy setting, the value 150 is used by default. +- If you disable or do not configure this policy setting, the value 150 is used by default. + - + + + - -ADMX Info: -- GP Friendly name: *Specify maximum amount of memory in MB per Shell* -- GP name: *MaxMemoryPerShellMB* -- GP path: *Windows Components/Windows Remote Shell* -- GP ADMX file name: *WindowsRemoteShell.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteShell/SpecifyMaxProcesses** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxMemoryPerShellMB | +| Friendly Name | Specify maximum amount of memory in MB per Shell | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Shell | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS | +| ADMX File Name | WindowsRemoteShell.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyMaxProcesses -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteShell/SpecifyMaxProcesses +``` + - - + + This policy setting configures the maximum number of processes a remote shell is allowed to launch. -If you enable this policy setting, you can specify any number from 0 to 0x7FFFFFFF to set the maximum number of process per shell. Zero (0) means unlimited number of processes. +- If you enable this policy setting, you can specify any number from 0 to 0x7FFFFFFF to set the maximum number of process per shell. Zero (0) means unlimited number of processes. -If you disable or do not configure this policy setting, the limit is five processes per shell. +- If you disable or do not configure this policy setting, the limit is five processes per shell. + - + + + - -ADMX Info: -- GP Friendly name: *Specify maximum number of processes per Shell* -- GP name: *MaxProcessesPerShell* -- GP path: *Windows Components/Windows Remote Shell* -- GP ADMX file name: *WindowsRemoteShell.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteShell/SpecifyMaxRemoteShells** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxProcessesPerShell | +| Friendly Name | Specify maximum number of processes per Shell | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Shell | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS | +| ADMX File Name | WindowsRemoteShell.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyMaxRemoteShells -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteShell/SpecifyMaxRemoteShells +``` + - - -This policy setting configures the maximum number of concurrent shells and any user can remotely open on the same system. + + +This policy setting configures the maximum number of concurrent shells any user can remotely open on the same system. -Any number from 0 to 0x7FFFFFFF can be set, where 0 means unlimited number of shells. +Any number from 0 to 0x7FFFFFFF cand be set, where 0 means unlimited number of shells. -If you enable this policy setting, the user cannot open new remote shells if the count exceeds the specified limit. +- If you enable this policy setting, the user cannot open new remote shells if the count exceeds the specified limit. -If you disable or do not configure this policy setting, by default the limit is set to two remote shells per user. +- If you disable or do not configure this policy setting, by default the limit is set to two remote shells per user. + - + + + - -ADMX Info: -- GP Friendly name: *Specify maximum number of remote shells per user* -- GP name: *MaxShellsPerUser* -- GP path: *Windows Components/Windows Remote Shell* -- GP ADMX file name: *WindowsRemoteShell.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**RemoteShell/SpecifyShellTimeout** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxShellsPerUser | +| Friendly Name | Specify maximum number of remote shells per user | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Shell | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS | +| ADMX File Name | WindowsRemoteShell.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyShellTimeout -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteShell/SpecifyShellTimeout +``` + - - + + This policy setting is deprecated and has no effect when set to any state: Enabled, Disabled, or Not Configured. + - + + + - -ADMX Info: -- GP Friendly name: *Specify Shell Timeout* -- GP name: *ShellTimeOut* -- GP path: *Windows Components/Windows Remote Shell* -- GP ADMX file name: *WindowsRemoteShell.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | ShellTimeOut | +| Friendly Name | Specify Shell Timeout | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Shell | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS | +| ADMX File Name | WindowsRemoteShell.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 7606c9d786..1da17f0f74 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -1,76 +1,78 @@ --- -title: Policy CSP - RestrictedGroups -description: Learn how the Policy CSP - RestrictedGroups setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. +title: RestrictedGroups Policy CSP +description: Learn more about the RestrictedGroups Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 04/07/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - RestrictedGroups + + + > [!IMPORTANT] -> Starting from Windows 10, version 20H2, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy, to configure members (users or Azure Active Directory groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results. +> Starting from Windows 10, version 20H2, to configure members of Windows local groups, use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy. These members can be users or Azure Active Directory (Azure AD) groups. +> +> Don't apply both policies to the same device, it's unsupported and may yield unpredictable results. + + +## ConfigureGroupMembership -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -## RestrictedGroups policies + +```Device +./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership +``` + -
    -
    - RestrictedGroups/ConfigureGroupMembership -
    -
    - - -
    - - -**RestrictedGroups/ConfigureGroupMembership** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This security setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. When a Restricted Groups policy is enforced, any current member of a restricted group that is not on the Members list is removed, except for the built-in administrator in the built-in Administrators group. Any user on the Members list who is not currently a member of the restricted group is added. An empty Members list means that the restricted group has no members. The membership configuration is based on SIDS, therefore renaming these built-in groups does not affect retention of this special membership. - -For example, you can create a Restricted Groups policy to allow only specified users. Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group, and all other members will be removed. + + +This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. 
When policy is refreshed, only Alice and John will remain as members of the Administrators group > [!CAUTION] -> Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: +> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. + + + + +> [!CAUTION] +> You can't remove the built-in Administrator account from the built-in Administrators group. If you try to remove it, the command fails with the following error: > > | Error Code | Symbolic Name | Error Description | Header | > |----------|----------|----------|----------| -> | 0x55b (Hex)
    1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h | +> | `0x55b` (Hex)
    `1371` (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h | + -Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of zero members when applying the policy implies clearing the access group, and should be used with caution. + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +
    +
    + Expand to see schema XML ```xml @@ -87,34 +89,34 @@ Starting in Windows 10, version 1809, you can use this schema for retrieval and Restricted Group Member - + - + - - - - Restricted Group - - - + + + + Restricted Group + + + - + ``` - - +
    + - - + + -Here's an example: +**Example**: ```xml 
@@ -129,39 +131,39 @@ Here's an example: ``` -where: +Descriptions of the properties: - `` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. -- `` contains the members to add to the group in ``. A member can be specified as a name or as a SID. For best results, use a SID for ``. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in AD or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. +- `` contains the members to add to the group in ``. A member can be specified as a name or as a SID. For best results, use a SID for ``. The member SID can be a user account or a group in Active Directory, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in Active Directory or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. - In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group. > [!NOTE] -> Currently, the RestrictedGroups/ConfigureGroupMembership policy does not have a MemberOf functionality. However, you can add a domain group as a member to a local group by using the member portion, as shown in the previous example. 
+> Currently, the RestrictedGroups/ConfigureGroupMembership policy doesn't have a MemberOf functionality. However, you can add a domain group as a member to a local group by using the member portion, as shown in this example. + - - + -### Policy timeline + + -The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For Windows 10, version 2004, you can use name or SID for both the elements, as described in this topic. +**Policy timeline**: + +The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For Windows 10, version 2004, you can use name or SID for both the elements, as described in the example. The following table describes how this policy setting behaves in different Windows 10 versions: | Windows 10 version | Policy behavior | | ------------------ | --------------- | |Windows 10, version 1803 | Added this policy setting.
    XML accepts group and member only by name.
    Supports configuring the administrators group using the group name.
    Expects member name to be in the account name format. | -| Windows 10, version 1809
    Windows 10, version 1903
    Windows 10, version 1909 | Supports configuring any local group.
    `` accepts only name.
    `` accepts a name or an SID.
    This is useful when you want to ensure a certain local group always has a well-known SID as member. | -| Windows 10, version 2004 | Behaves as described in this topic.
    Accepts name or SID for group and members and translates as appropriate.| +| Windows 10, version 1809
    Windows 10, version 1903
    Windows 10, version 1909 | Supports configuring any local group.
    `` accepts only name.
    `` accepts a name or a SID.
    This behavior is useful when you want to make sure a certain local group always has a well-known SID as member. | +| Windows 10, version 2004 | Behaves as described in this article.
    Accepts name or SID for group and members and translates as appropriate.| + - - -
    + - +## Related articles -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index e6872c41dc..00120ee4f2 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -1,856 +1,1165 @@ --- -title: Policy CSP - Search -description: Learn how the Policy CSP - Search setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. +title: Search Policy CSP +description: Learn more about the Search Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/01/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 02/12/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Search - -
    - - -## Search policies - -
    -
    - Search/AllowCloudSearch -
    -
    - Search/AllowCortanaInAAD -
    -
    - Search/AllowFindMyFiles -
    -
    - Search/AllowIndexingEncryptedStoresOrItems -
    -
    - Search/AllowSearchToUseLocation -
    -
    - Search/AllowSearchHighlights -
    -
    - Search/AllowStoringImagesFromVisionSearch -
    -
    - Search/AllowUsingDiacritics -
    -
    - Search/AllowWindowsIndexer -
    -
    - Search/AlwaysUseAutoLangDetection -
    -
    - Search/DisableBackoff -
    -
    - Search/DisableRemovableDriveIndexing -
    -
    - Search/DisableSearch -
    -
    - Search/DoNotUseWebResults -
    -
    - Search/PreventIndexingLowDiskSpaceMB -
    -
    - Search/PreventRemoteQueries -
    -
    - - -
    - - -**Search/AllowCloudSearch** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allow Search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources. - - - -ADMX Info: -- GP Friendly name: *Allow Cloud Search* -- GP name: *AllowCloudSearch* -- GP element: *AllowCloudSearch_Dropdown* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**Search/AllowCortanaInAAD** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows the cortana opt-in page during windows setup out of the box experience. - - - -ADMX Info: -- GP Friendly name: *Allow Cloud Search* -- GP name: *AllowCortanaInAAD* -- GP element: *AllowCloudSearch_Dropdown* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - - -This value is a simple boolean value, default false, that can be set by MDM policy to allow the Cortana Page in OOBE when logged in with an Azure Active Directory account. - - - - - -
    - - -**Search/AllowFindMyFiles** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Controls if the user can configure search to Find My Files mode, which searches files in secondary hard drives and also outside of the user profile. Find My Files doesn't allow users to search files or locations to which they don't have access. - - - -ADMX Info: -- GP Friendly name: *Allow Find My Files* -- GP name: *AllowFindMyFiles* -- GP path: *Computer Configuration/Administrative Templates/Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values: - -- 1 (Default) - Find My Files feature can be toggled (still off by default), and the settings UI is present. -- 0 - Find My Files feature is turned off completely, and the settings UI is disabled. - - - - - - - - - - -
    - - -**Search/AllowIndexingEncryptedStoresOrItems** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files. - -When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes file path and date modified. - -When the policy is disabled, the WIP protected items aren't indexed and don't show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps, if there are many WIP-protected media files on the device. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Allow indexing of encrypted files* -- GP name: *AllowIndexingEncryptedStoresOrItems* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**Search/AllowSearchToUseLocation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether search can use location information. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Allow search and Cortana to use location* -- GP name: *AllowSearchToUseLocation* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**Search/AllowSearchHighlights** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls whether search highlights are shown in the search box or in search home. - -- If you enable this policy setting, then this setting turns on search highlights in the search box or in the search home. -- If you disable this policy setting, then this setting turns off search highlights in the search box or in the search home. - - - -ADMX Info: -- GP Friendly name: *Allow search and highlights* -- GP name: *AllowSearchHighlights* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values in Windows 10: - -- 1 (default) - Enabling or not configuring this setting turns on search highlights in the taskbar search box and in search home. -- 0 - Disabling this setting turns off search highlights in the taskbar search box and in search home. - -The following list shows the supported values in Windows 11: - -- 1 (default) - Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home. -- 0 - Disabling this setting turns off search highlights in the start menu search box and in search home. - - - - -
    - - -**Search/AllowStoringImagesFromVisionSearch** - - +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + + + + + + +## AllowCloudSearch + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowCloudSearch +``` + + + + +Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowCloudSearch | +| Friendly Name | Allow Cloud Search | +| Element Name | Cloud Search Setting | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| ADMX File Name | Search.admx | + + + + + + + + + +## AllowCortanaInAAD + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowCortanaInAAD +``` + + + + +Allow the cortana opt-in page during windows setup out of the box experience + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. The Cortana consent page will not appear in AAD OOBE during setup. | +| 1 | Allowed. The Cortana consent page will appear in Azure AAD OOBE during setup. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowCortanaInAAD | +| Friendly Name | Allow Cortana Page in OOBE on an AAD account | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | AllowCortanaInAAD | +| ADMX File Name | Search.admx | + + + + + + + + + +## AllowFindMyFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowFindMyFiles +``` + + + + +This feature allows you to disable find my files completely on the machine + + + + + +This policy controls whether the user can configure search to *Find My Files* mode. This mode searches files in secondary hard drives and also outside of the user profile. Find My Files doesn't allow users to search files or locations to which they don't have access. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | , and the settings UI is present. | +| 0 | Find My Files feature is turned off completely, and the settings UI is disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowFindMyFiles | +| Path | Search > AT > WindowsComponents > Search | + + + + + + + + + +## AllowIndexingEncryptedStoresOrItems + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowIndexingEncryptedStoresOrItems +``` + + + + +This policy setting allows encrypted items to be indexed. +- If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). +- If you disable this policy setting, the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting is not configured by default. +- If you do not configure this policy setting, the local setting, configured through Control Panel, will be used. By default, the Control Panel setting is set to not index encrypted content. + +When this setting is enabled or disabled, the index is rebuilt completely. + +Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. + + + + + +When the policy is enabled, Windows Information Protection (WIP) protected items are indexed. The metadata about them are stored in an unencrypted location. The metadata includes file path and date modified. + +When the policy is disabled, the WIP protected items aren't indexed. The encrypted items don't show up in the results in Cortana or file explorer. Search performance may also be affected on photos and other media apps, if there are many WIP-protected media files on the device. + +The most restrictive value is `0` to not allow indexing of encrypted items. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowIndexingEncryptedStoresOrItems | +| Friendly Name | Allow indexing of encrypted files | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | AllowIndexingEncryptedStoresOrItems | +| ADMX File Name | Search.admx | + + + + + + + + + +## AllowSearchHighlights + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowSearchHighlights +``` + + + + +Disabling this setting turns off search highlights in the start menu search box and in search home. Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home. + + + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabling this setting turns off search highlights in search home, and the taskbar search box (Windows 10) or the Start menu search box (Windows 11). | +| 1 (Default) | Enabling or not configuring this setting turns on search highlights in search home, and the taskbar search box (Windows 10) or the Start menu search box (Windows 11). | + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSearchHighlights | +| Friendly Name | Allow search highlights | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | EnableDynamicContentInWSB | +| ADMX File Name | Search.admx | + + + + + + + + + +## AllowSearchToUseLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowSearchToUseLocation +``` + + + + +This policy setting specifies whether search and Cortana can provide location aware search and Cortana results. + +If this is enabled, search and Cortana can access location information. + + + + + +The most restrictive value is `0` to not allow search to use location. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSearchToUseLocation | +| Friendly Name | Allow search and Cortana to use location | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | AllowSearchToUseLocation | +| ADMX File Name | Search.admx | + + + + + + + + + +## AllowStoringImagesFromVisionSearch + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowStoringImagesFromVisionSearch +``` + + + + This policy has been deprecated. + - - + + + -
    + +**Description framework properties**: - -**Search/AllowUsingDiacritics** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## AllowUsingDiacritics -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - -Allows the use of diacritics. + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowUsingDiacritics +``` + -Most restricted value is 0. + + +This policy setting allows words that contain diacritic characters to be treated as separate words. +- If you enable this policy setting, words that only differ in diacritics are treated as different words. +- If you disable this policy setting, words with diacritics and words without diacritics are treated as identical words. This policy setting is not configured by default. +- If you do not configure this policy setting, the local setting, configured through Control Panel, will be used. - - -ADMX Info: -- GP Friendly name: *Allow use of diacritics* -- GP name: *AllowUsingDiacritics* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* +> [!NOTE] +> By default, the Control Panel setting is set to treat words that differ only because of diacritics as the same word. + - - -The following list shows the supported values: + + -- 0 – Not allowed. -- 1 (default) – Allowed. +The most restrictive value is `0` to not allow the use of diacritics. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Search/AllowWindowsIndexer** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AllowUsingDiacritics | +| Friendly Name | Allow use of diacritics | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | AllowUsingDiacritics | +| ADMX File Name | Search.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowWindowsIndexer - - -Allow Windows indexer. Supported value type is integer. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowWindowsIndexer +``` + -
    + + +Allow Windows indexer. Value type is integer. + - -**Search/AlwaysUseAutoLangDetection** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-3]` | +| Default Value | 3 | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## AlwaysUseAutoLangDetection -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - -Specifies whether to always use automatic language detection when indexing content and properties. + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AlwaysUseAutoLangDetection +``` + -Most restricted value is 0. + + +This policy setting determines when Windows uses automatic language detection results, and when it relies on indexing history. +- If you enable this policy setting, Windows will always use automatic language detection to index (as it did in Windows 7). Using automatic language detection can increase memory usage. We recommend enabling this policy setting only on PCs where documents are stored in many languages. +- If you disable or do not configure this policy setting, Windows will use automatic language detection only when it can determine the language of a document with high confidence. + - - -ADMX Info: -- GP Friendly name: *Always use automatic language detection when indexing content and properties* -- GP name: *AlwaysUseAutoLangDetection* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* + + - - -The following list shows the supported values: +The most restrictive value is `0` to now allow automatic language detection. + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Search/DisableBackoff** +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | AlwaysUseAutoLangDetection | +| Friendly Name | Always use automatic language detection when indexing content and properties | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | AlwaysUseAutoLangDetection | +| ADMX File Name | Search.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## ConfigureSearchOnTaskbarMode -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/ConfigureSearchOnTaskbarMode +``` + + + + +This policy setting allows you to configure search on the taskbar. + +- If you enable this policy setting and set it to hide, search on taskbar will be hidden by default. Users cannot change it in Settings. + +- If you enable this policy setting and set it to search icon only, the search icon will be displayed on the taskbar by default. Users cannot change it in Settings. + +- If you enable this policy setting and set it to search icon and label, the search icon and label will be displayed on the taskbar by default. Users cannot change it in Settings. + +- If you enable this policy setting and set it to search box, the search box will be displayed on the taskbar by default. Users cannot change it in Settings. + +- If you disable or do not configure this policy setting, search on taskbar will be configured according to the defaults for your Windows edition. Users will be able to change search on taskbar in Settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Hide. | +| 1 | Search icon only. | +| 2 | Search icon and label. | +| 3 (Default) | Search box. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureSearchOnTaskbarMode | +| Friendly Name | Configures search on the taskbar | +| Element Name | Search on the taskbar | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | Software\Policies\Microsoft\Windows\Windows Search | +| ADMX File Name | Search.admx | + + + + + + + + + +## DisableBackoff + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/DisableBackoff +``` + + + + If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled. + - - -ADMX Info: -- GP Friendly name: *Disable indexer backoff* -- GP name: *DisableBackoff* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – Disable. -- 1 – Enable. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Disable. | +| 1 | Enable. | + - -**Search/DisableRemovableDriveIndexing** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableBackoff | +| Friendly Name | Disable indexer backoff | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | DisableBackoff | +| ADMX File Name | Search.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableRemovableDriveIndexing -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/DisableRemovableDriveIndexing +``` + - - + + This policy setting configures whether or not locations on removable drives can be added to libraries. -If you enable this policy setting, locations on removable drives can't be added to libraries. In addition, locations on removable drives can't be indexed. - -If you disable or don't configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed. - - - -ADMX Info: -- GP Friendly name: *Do not allow locations on removable drives to be added to libraries* -- GP name: *DisableRemovableDriveIndexing* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values: - -- 0 (default) – Disable. -- 1 – Enable. - - - - -
    - - -**Search/DisableSearch** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|Yes| -|Windows SE|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -
    - - - -This policy setting completely disables Search UI and all its entry points such as keyboard shortcuts and touch-pad gestures. - -It removes the Search button from the Taskbar and the corresponding option in the Settings. It also disables type-to-search in the Start menu and removes the Start menu's search box. - - - -ADMX Info: - -- GP Friendly name: *Fully disable Search UI* -- GP name: *DisableSearch* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values: - -- 0 (default) – Do not disable search. -- 1 – Disable search. - - - - -
    - - -**Search/DoNotUseWebResults** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Don't search the web or display web results in Search, or show search highlights in the search box or in search home. - -This policy setting allows you to control whether or not Search can perform queries on the web, if web results are displayed in Search, and if search highlights are shown in the search box and in search home. - -- If you enable this policy setting, queries won't be performed on the web. Web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home. - -- If you disable this policy setting, queries will be performed on the web. Web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home. - - - -ADMX Info: -- GP Friendly name: *Don't search the web or display web results in Search* -- GP name: *DoNotUseWebResults* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values: - -- 0 - Not allowed. Queries won't be performed on the web. Web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home. -- 1 (default) - Allowed. Queries will be performed on the web. Web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home. - - - - -
    - - -**Search/PreventIndexingLowDiskSpaceMB** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1. - -Enable this policy, if computers in your environment have limited hard drive space. - -When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size. - - - -ADMX Info: -- GP Friendly name: *Stop indexing in the event of limited hard drive space* -- GP name: *StopIndexingOnLimitedHardDriveSpace* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values: - -- 0 – Disable. -- 1 (default) – Enable. - - - - -
    - - -**Search/PreventRemoteQueries** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index. - - - -ADMX Info: -- GP Friendly name: *Prevent clients from querying the index remotely* -- GP name: *PreventRemoteQueries* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values: - -- 0 – Disable. -- 1 (default) – Enable. - - - - -
    - - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +- If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed. + +- If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disable. | +| 1 | Enable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableRemovableDriveIndexing | +| Friendly Name | Do not allow locations on removable drives to be added to libraries | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | DisableRemovableDriveIndexing | +| ADMX File Name | Search.admx | + + + + + + + + + +## DisableSearch + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/DisableSearch +``` + + + + +- If you enable this policy, the Search UI will be disabled along with all its entry points, such as keyboard shortcuts, touchpad gestures, and type-to-search in the Start menu. The Start menu's search box and Search Taskbar button will also be hidden. + +- If you disable or don't configure this policy setting, the user will be able to open the Search UI and its different entry points will be shown. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not disable. | +| 1 | Disable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSearch | +| Friendly Name | Fully disable Search UI | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | DisableSearch | +| ADMX File Name | Search.admx | + + + + + + + + + +## DoNotUseWebResults + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/DoNotUseWebResults +``` + + + + +This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search. + +- If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query in Search. + +- If you disable this policy setting, queries will be performed on the web and web results will be displayed when a user performs a query in Search. + +- If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the web results are displayed in Search. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. Queries won't be performed on the web and web results won't be displayed when a user performs a query in Search. | +| 1 (Default) | Allowed. Queries will be performed on the web and web results will be displayed when a user performs a query in Search. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DoNotUseWebResults | +| Friendly Name | Don't search the web or display web results in Search | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | ConnectedSearchUseWeb | +| ADMX File Name | Search.admx | + + + + + + + + + +## PreventIndexingLowDiskSpaceMB + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/PreventIndexingLowDiskSpaceMB +``` + + + + +Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1. Enable this policy if computers in your environment have extremely limited hard drive space. When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disable. | +| 1 (Default) | Enable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | StopIndexingOnLimitedHardDriveSpace | +| Friendly Name | Stop indexing in the event of limited hard drive space | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| ADMX File Name | Search.admx | + + + + + + + + + +## PreventRemoteQueries + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/PreventRemoteQueries +``` + + + + +If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index. . + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disable. | +| 1 (Default) | Enable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventRemoteQueries | +| Friendly Name | Prevent clients from querying the index remotely | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | PreventRemoteQueries | +| ADMX File Name | Search.admx | + + + + + + + + + +## SafeSearchPermissions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/SafeSearchPermissions +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Enable. | +| 0 | Disable. | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index f5585b9b4e..f4b72810bf 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -1,515 +1,624 @@ --- -title: Policy CSP - Security -description: Learn how the Policy CSP - Security setting can specify whether to allow the runtime configuration agent to install provisioning packages. +title: Security Policy CSP +description: Learn more about the Security Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Security -
    + + + - -## Security policies + +## AllowAddProvisioningPackage -
    -
    - Security/AllowAddProvisioningPackage -
    -
    - Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices -
    -
    - Security/AllowRemoveProvisioningPackage -
    -
    - Security/ClearTPMIfNotReady -
    -
    - Security/ConfigureWindowsPasswords -
    -
    - Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices -
    -
    - Security/RecoveryEnvironmentAuthentication -
    -
    - Security/RequireDeviceEncryption -
    -
    - Security/RequireProvisioningPackageSignature -
    -
    - Security/RequireRetrieveHealthCertificateOnBoot -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/AllowAddProvisioningPackage +``` + - -**Security/AllowAddProvisioningPackage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Specifies whether to allow the runtime configuration agent to install provisioning packages. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowManualRootCertificateInstallation - > [!NOTE] -> -> - This policy is deprecated in Windows 10, version 1607. +> This policy is deprecated and may be removed in a future release. -Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/AllowManualRootCertificateInstallation +``` + -- 0 – Not allowed. -- 1 (default) – Allowed. + + +This policy is deprecated. + - - + + + -
    + +**Description framework properties**: - -**Security/AllowRemoveProvisioningPackage** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## AllowRemoveProvisioningPackage -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/AllowRemoveProvisioningPackage +``` + + + + Specifies whether to allow the runtime configuration agent to remove provisioning packages. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Security/ClearTPMIfNotReady** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home||| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -Admin access is required. The prompt will appear on first admin logon after a reboot, when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. - - - -ADMX Info: -- GP Friendly name: *Configure the system to clear the TPM if it is not in a ready state.* -- GP name: *ClearTPMIfNotReady_Name* -- GP path: *System/Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* - - - -The following list shows the supported values: - -- 0 (default) – Won't force recovery from a non-ready TPM state. -- 1 – Will prompt to clear the TPM, if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear. - - - - -
    - - -**Security/ConfigureWindowsPasswords** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Configures the use of passwords for Windows features. - -> [!Note] -> This policy is only supported in Windows 10 S. - - - -The following list shows the supported values: - -- 0 -Disallow passwords (Asymmetric credentials will be promoted to replace passwords on Windows features). -- 1- Allow passwords (Passwords continue to be allowed to be used for Windows features). -- 2- Default (Feature defaults as per SKU and device capabilities. Windows 10 S devices will exhibit "Disallow passwords" default, and all other devices will default to "Allow passwords"). - - - - -
    - - -**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**. - -Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined. - - - -The following list shows the supported values: - -- 0 (default) – Encryption enabled. -- 1 – Encryption disabled. - - - - -
    - - -**Security/RecoveryEnvironmentAuthentication** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy controls the Admin Authentication requirement in RecoveryEnvironment. - -Supported values: - -- 0 - Default: Keep using default(current) behavior. -- 1 - RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment. -- 2 - NoRequireAuthentication: Admin Authentication isn't required for components in RecoveryEnvironment. - - - - - - - - - -**Validation procedure** - -The validation requires a check whether Refresh ("Keep my files") and Reset ("Remove everything") requires admin authentication in WinRE. -The process of starting Push Button Reset (PBR) in WinRE: - -1. Open a cmd as Administrator, run command "reagentc /boottore" and restart the OS to boot to WinRE. -1. OS should boot to the blue screen of WinRE UI, go through TroubleShoot -> Reset this PC, it should show two options: "Keep my files" and "Remove everything". - -If the MDM policy is set to "Default" (0) or doesn't exist, the admin authentication flow should work as default behavior: - -1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication. -1. Click "<-" (right arrow) button and choose "Remove everything", it shouldn't pop up admin authentication and just go to PBR options. - -If the MDM policy is set to "RequireAuthentication" (1) - -1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication. -1. Click "<-" (right arrow) button and choose "Remove everything", it should also pop up admin authentication. - -If the MDM policy is set to "NoRequireAuthentication" (2) - -1. Start PBR in WinRE, choose "Keep my files", it shouldn't pop up admin authentication. -1. Go through PBR options and click "cancel" at final confirmation page, wait unit the UI is back. -1. Click "TroubleShoot" -> "Reset this PC" again, choose "Remove everything", it shouldn't pop up admin authentication neither. - - - - -
    - - -**Security/RequireDeviceEncryption** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows enterprise to turn on internal storage encryption. - -Most restricted value is 1. - -> [!IMPORTANT] -> If encryption has been enabled, it cannot be turned off by using this policy. - - - -The following list shows the supported values: - -- 0 (default) – Encryption isn't required. -- 1 – Encryption is required. - - - - -
    - - -**Security/RequireProvisioningPackageSignature** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether provisioning packages must have a certificate signed by a device trusted authority. - - - -The following list shows the supported values: - -- 0 (default) – Not required. -- 1 – Required. - - - - -
    - - -**Security/RequireRetrieveHealthCertificateOnBoot** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS), when a device boots or reboots. - -Setting this policy to 1 (Required): - -- Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0. -- Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification. + +## AntiTheftMode > [!NOTE] -> We recommend that this policy is set to Required after MDM enrollment. +> This policy is deprecated and may be removed in a future release. -Most restricted value is 1. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/AntiTheftMode +``` + -- 0 (default) – Not required. -- 1 – Required. + + +This policy is deprecated. + - - -
    + + + + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -## Related topics + +**Allowed values**: -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + + + + + + + +## ClearTPMIfNotReady + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/ClearTPMIfNotReady +``` + + + + +This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system's TPM is in a state other than Ready, including if the TPM is "Ready, with reduced functionality". The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Will not force recovery from a non-ready TPM state. | +| 1 | Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ClearTPMIfNotReady_Name | +| Friendly Name | Configure the system to clear the TPM if it is not in a ready state. | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\TPM | +| Registry Value Name | ClearTPMIfNotReadyGP | +| ADMX File Name | TPM.admx | + + + + + + + + + +## ConfigureWindowsPasswords + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/ConfigureWindowsPasswords +``` + + + + +Configures the use of passwords for Windows features + + + + +> [!NOTE] +> This policy is only supported in [Windows 10 S](/windows/deployment/s-mode). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disallow passwords (Asymmetric credentials will be promoted to replace passwords on Windows features). | +| 1 | Allow passwords (Passwords continue to be allowed to be used for Windows features). | +| 2 (Default) | As per SKU and device capabilities. Windows 10 S devices will exhibit "Disallow passwords" default, and all other devices will default to "Allow passwords"). | + + + + + + + + + +## PreventAutomaticDeviceEncryptionForAzureADJoinedDevices + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices +``` + + + + +Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. + + + + + +For more information, see [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Encryption enabled. | +| 1 | Encryption disabled. | + + + + + + + + + +## RecoveryEnvironmentAuthentication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Security/RecoveryEnvironmentAuthentication +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/RecoveryEnvironmentAuthentication +``` + + + + +This policy controls the requirement of Admin Authentication in RecoveryEnvironment. + + + + +**Validation procedure**: + +To validate this policy, check whether Refresh ("Keep my files") and Reset ("Remove everything") require administrator authentication in Windows Recovery Environment (WinRE). + +1. First, start Push Button Reset (PBR) in WinRE. Open a command prompt as an administrator and run the following command: `reagentc /boottore` +1. The device should restart to WinRE. In the WinRE interface, go to **Troubleshoot** and select **Reset this PC**. You should see two options: **Keep my files** and **Remove everything**. +1. Choose the option to **Keep my files**. View the behavior for authentication. +1. Select the back arrow and choose **Remove everything**. View the behavior for authentication. + +Instead of going back, alternatively you can go through the reset options, and select **Cancel** on the final confirmation page. It will then return to the main WinRE interface. + +The following table shows what behavior is expected for the policy settings with each scenario: + +- :heavy_check_mark: It prompts for authentication. +- :x: No authentication required, and it continues with the reset options. 
+ +| Policy | **Keep my files** | **Remove everything** | +|--------------------------------|--------------------|-----------------------| +| Default (`0`) | :heavy_check_mark: | :x: | +| RequireAuthentication" (`1`) | :heavy_check_mark: | :heavy_check_mark: | +| NoRequireAuthentication" (`2`) | :x: | :x: | + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Current) behavior. | +| 1 | RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment. | +| 2 | NoRequireAuthentication: Admin Authentication is not required for components in RecoveryEnvironment. | + + + + + + + + + +## RequireDeviceEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption +``` + + + + +Allows enterprise to turn on internal storage encryption. Most restricted value is 1. Important. If encryption has been enabled, it cannot be turned off by using this policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Encryption is not required. | +| 1 | Encryption is required. | + + + + + + + + + +## RequireProvisioningPackageSignature + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/RequireProvisioningPackageSignature +``` + + + + +Specifies whether provisioning packages must have a certificate signed by a device trusted authority. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not required. | +| 1 | Required. | + + + + + + + + + +## RequireRetrieveHealthCertificateOnBoot + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/RequireRetrieveHealthCertificateOnBoot +``` + + + + +Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. Setting this policy to 1 (Required)Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2. 0. Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification + +> [!NOTE] +> We recommend that this policy is set to Required after MDM enrollment. Most restricted value is 1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not required. | +| 1 | Required. | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index 0601509035..bec3edbcd6 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md 
@@ -1,100 +1,103 @@ --- -title: Policy CSP - ServiceControlManager -description: Learn how the Policy CSP - ServiceControlManager setting enables process mitigation options on svchost.exe processes. +title: ServiceControlManager Policy CSP +description: Learn more about the ServiceControlManager Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: Heidilohr -ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.topic: reference --- + + + # Policy CSP - ServiceControlManager -
    +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## ServiceControlManager policies + + + -
    -
    - ServiceControlManager/SvchostProcessMitigation -
    -
    + +## SvchostProcessMitigation -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - -**ServiceControlManager/SvchostProcessMitigation** + +```Device +./Device/Vendor/MSFT/Policy/Config/ServiceControlManager/SvchostProcessMitigation +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting enables process mitigation options on svchost.exe processes. -If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. +- If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. -These stricter security policies include a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code. +This includes a policy requiring all binaries loaded in these processes to be signed by microsoft, as well as a policy disallowing dynamically-generated code. + +- If you disable or do not configure this policy setting, these stricter security settings will not be applied. + + + + + +If you enable this policy, it adds code integrity guard (CIG) and arbitrary code guard (ACG) enforcement and other process mitigation/code integrity policies to SVCHOST processes. > [!IMPORTANT] -> Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software). +> Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes. For example, third-party antivirus software. + -If you disable or do not configure this policy setting, the stricter security settings will not be applied. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -ADMX Info: -- GP Friendly name: *Enable svchost.exe mitigation options* -- GP name: *SvchostProcessMitigationEnable* -- GP path: *System/Service Control Manager Settings/Security Settings* -- GP ADMX file name: *ServiceControlManager.admx* +**ADMX mapping**: - - -Supported values: -- Disabled - Do not add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes. -- Enabled - Add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes. - - +| Name | Value | +|:--|:--| +| Name | SvchostProcessMitigationEnable | +| Friendly Name | Enable svchost.exe mitigation options | +| Location | Computer Configuration | +| Path | System > Service Control Manager Settings > Security Settings | +| Registry Key Name | System\CurrentControlSet\Control\SCMConfig | +| Registry Value Name | EnableSvchostMitigationPolicy | +| ADMX File Name | ServiceControlManager.admx | + - - + + + - - -
    + - + + + -## Related topics + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 10a0628e8d..e26697bc7e 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -1,706 +1,765 @@ --- -title: Policy CSP - Settings -description: Learn how to use the Policy CSP - Settings setting so that you can allow the user to change Auto Play settings. +title: Settings Policy CSP +description: Learn more about the Settings Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Settings -
    + + + - -## Settings policies + +## AllowAutoPlay -
    -
    - Settings/AllowAutoPlay -
    -
    - Settings/AllowDataSense -
    -
    - Settings/AllowDateTime -
    -
    - Settings/AllowEditDeviceName -
    -
    - Settings/AllowLanguage -
    -
    - Settings/AllowOnlineTips -
    -
    - Settings/AllowPowerSleep -
    -
    - Settings/AllowRegion -
    -
    - Settings/AllowSignInOptions -
    -
    - Settings/AllowVPN -
    -
    - Settings/AllowWorkplace -
    -
    - Settings/AllowYourAccount -
    -
    - Settings/ConfigureTaskbarCalendar -
    -
    - Settings/PageVisibilityList -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowAutoPlay +``` + - -**Settings/AllowAutoPlay** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -Allows the user to change Auto Play settings. + + +Allows the user to change Auto Play settings > [!NOTE] > Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowDataSense** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowDataSense - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowDataSense +``` + -
    - - - + + Allows the user to change Data Sense settings. + + + + > [!NOTE] -> The **AllowDataSense** policy is not supported on Windows 10, version 2004 and later. +> The AllowDataSense policy isn't supported on Windows 10, version 2004 and later. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – Not allowed. -- 1 (default) – Allowed. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -**Settings/AllowDateTime** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AllowDateTime - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowDateTime +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + Allows the user to change date and time settings. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowEditDeviceName** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYesYes
    BusinessYesYes
    EnterpriseYesYes
    EducationYesYes
    + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowEditDeviceName -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowEditDeviceName +``` + - - -This policy disables edit device name option on Settings. + + +Allows the user to edit the device name. + - - + + + -Describes what values are supported in/by this policy and meaning of each value, and default value. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowLanguage** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowLanguage - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device - -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowLanguage +``` + + + Allows the user to change the language settings. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowOnlineTips** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowOnlineTips - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowOnlineTips +``` + -
    + + +Enables or disables the retrieval of online tips and help for the Settings app. If disabled, Settings will not contact Microsoft content services to retrieve tips and help content. + - - -Enables or disables the retrieval of online tips and help for the Settings app. + + + -If disabled, Settings won't contact Microsoft content services to retrieve tips and help content. + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Allow Online Tips* -- GP name: *AllowOnlineTips* -- GP element: *CheckBox_AllowOnlineTips* -- GP path: *Control Panel* -- GP ADMX file name: *ControlPanel.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -**Settings/AllowPowerSleep** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowOnlineTips | +| Friendly Name | Allow Online Tips | +| Element Name | Allow Settings to retrieve online tips. | +| Location | Computer Configuration | +| Path | Control Panel | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | ControlPanel.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowPowerSleep -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowPowerSleep +``` + + + Allows the user to change power and sleep settings. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowRegion** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowRegion - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device - -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowRegion +``` + + + Allows the user to change the region settings. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowSignInOptions** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowSignInOptions - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowSignInOptions +``` + -
    + + +Allows the user to change sign-in options. + - - + + + -Allows the user to change sign in options. + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
    + + + - -**Settings/AllowVPN** + - + +## AllowVPN -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowVPN +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Allows the user to change VPN settings. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowWorkplace** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowWorkplace - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device - -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowWorkplace +``` + + + Allows user to change workplace settings. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowYourAccount** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowYourAccount - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowYourAccount +``` + -
    - - - + + Allows user to change account settings. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/ConfigureTaskbarCalendar** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## ConfigureTaskbarCalendar - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/Settings/ConfigureTaskbarCalendar +``` + -
    + + +By default, the calendar is set according to the locale of the operating system, and users can show an additional calendar. For zh-CN and zh-SG locales, an additional calendar shows the lunar month and date and holiday names in Simplified Chinese (Lunar) by default. For zh-TW, zh-HK, and zh-MO locales, an additional calendar shows the lunar month and date and holiday names in Traditional Chinese (Lunar) by default. - - -Allows IT Admins to configure the default setting for showing more calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. Other supported calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. +- If you enable this policy setting, users can show an additional calendar in either Simplified Chinese (Lunar) or Traditional Chinese (Lunar), regardless of the locale. - - -ADMX Info: -- GP Friendly name: *Show additional calendar* -- GP name: *ConfigureTaskbarCalendar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* +- If you disable this policy setting, users cannot show an additional calendar, regardless of the locale. - - -The following list shows the supported values: +- If you do not configure this policy setting, the calendar will be set according to the default logic. + -- 0 (default) – User will be allowed to configure the setting. -- 1 – Don't show more calendars. -- 2 - Simplified Chinese (Lunar). -- 3 - Traditional Chinese (Lunar). + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Settings/PageVisibilityList** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | User will be allowed to configure the setting. | +| 1 | Don't show additional calendars. | +| 2 | Simplified Chinese (Lunar). | +| 3 | Traditional Chinese (Lunar). | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | ConfigureTaskbarCalendar | +| Friendly Name | Show additional calendar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Settings | +| Registry Value Name | AllowConfigureTaskbarCalendar | +| ADMX File Name | Taskbar.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    + +## PageVisibilityList - - -Allows IT Admins to either: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -- Prevent specific pages in the System Settings app from being visible or accessible. + +```User +./User/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList +``` - OR +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList +``` + -- To do so for all pages except the pages you enter. + + +Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string showonly or hide. Pages are identified by a shortened version of their already published URIs, which is the URI minus the ms-settings prefix. For example, if the URI for a settings page is ms-settingsbluetooth, the page identifier used in the policy will be just bluetooth. Multiple page identifiers are separated by semicolons. The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI ms-settingsabout and ms-settingsbluetooth respectivelyshowonlyabout;bluetooth. If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i. e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. **Note** that if a page is already hidden for another reason, then it will remain hidden even if it is in a showonly list. The format of the PageVisibilityList value is as follows The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. There are two variants one that shows only the given pages and one which hides the given pages. The first variant starts with the string showonly and the second with the string hide. 
Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. Each page identifier is the ms-settingsxyz URI for the page, minus the ms-settings prefix, so the identifier for the page with URI ms-settingsnetwork-wifi would be just network-wifi. The default value for this setting is an empty string, which is interpreted as show everything. Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settingsnetwork-wifi and ms-settingsbluetooth). All other pages (and the categories they're in) will be hiddenshowonlynetwork-wifi;bluetooth. Example 2, specifies that the wifi page should not be shownhidenetwork-wifi + -The mode will be specified by the policy string beginning with either the string `showonly:` or `hide:`. Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. + + -For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For more information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). +For more information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). -The following example shows a policy that allows access only to the **about** and **bluetooth** pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: +To validate this policy, use the following steps: -`showonly:about;bluetooth` +1. In the Settings app, open **System** and verify that the **About** page is visible and accessible. +2. 
Configure this policy with the following string: `hide:about`. +3. Open **System** settings again and verify that the **About** page is hidden. + -If the policy isn't specified, then the behavior is that no pages are affected. If the policy string is formatted incorrectly, then it's ignored (that is, treated as not set). It's ignored to prevent the machine from becoming unserviceable, if data corruption occurs. If a page is already hidden for another reason, then it stays hidden, even if the page is in a `showonly:` list. + +**Description framework properties**: -The format of the PageVisibilityList value is as follows: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. -- There are two variants: one that shows only the given pages and one that hides the given pages. -- The first variant starts with the string `showonly:` and the second with the string "hide:". -- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. -- Each page identifier is the `ms-settings:xyz` URI for the page, minus the `ms-settings:` prefix. So the identifier for the page with the `ms-settings:network-wifi` URI would be `network-wifi`. + +**Group policy mapping**: -The default value for this setting is an empty string, which is interpreted as show everything. +| Name | Value | +|:--|:--| +| Name | SettingsPageVisibility | +| Friendly Name | Settings Page Visibility | +| Element Name | Settings Page Visibility | +| Location | Computer and User Configuration | +| Path | Control Panel | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | ControlPanel.admx | + + + + **Example 1**: Only the wifi and bluetooth pages should be shown. 
They have URIs `ms-settings:network-wifi` and `ms-settings:bluetooth`. All other pages (and the categories they're in) will be hidden: @@ -710,29 +769,19 @@ The default value for this setting is an empty string, which is interpreted as s `hide:network-wifi` - - -ADMX Info: -- GP Friendly name: *Settings Page Visibility* -- GP name: *SettingsPageVisibility* -- GP element: *SettingsPageVisibilityBox* -- GP path: *Control Panel* -- GP ADMX file name: *ControlPanel.admx* +**Example 3**: Allow access only to the **about** and **bluetooth** pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: - - -To validate on Desktop, use the following steps: +`showonly:about;bluetooth` + -1. Open System Settings and verify that the About page is visible and accessible. -2. Configure the policy with the following string: "hide:about". -3. Open System Settings again and verify that the About page is no longer accessible. + - - -
    + + + - + -## Related topics +## Related articles -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-settingssync.md b/windows/client-management/mdm/policy-csp-settingssync.md index 3be0b76457..e0f18ffd48 100644 --- a/windows/client-management/mdm/policy-csp-settingssync.md +++ b/windows/client-management/mdm/policy-csp-settingssync.md @@ -1,10 +1,10 @@ --- title: SettingsSync Policy CSP -description: Learn more about the SettingsSync Area in Policy CSP +description: Learn more about the SettingsSync Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - SettingsSync > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -43,9 +41,10 @@ ms.topic: reference + Prevent the "accessibility" group from syncing to and from this PC. This turns off and disables the "accessibility" group on the "Windows backup" settings page in PC settings. -If you enable this policy setting, the "accessibility", group will not be synced. +- If you enable this policy setting, the "accessibility", group will not be synced. Use the option "Allow users to turn accessibility syncing on" so that syncing is turned off by default but not disabled. @@ -66,6 +65,9 @@ If you do not set or disable this setting, syncing of the "accessibility" group +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | @@ -85,6 +87,57 @@ If you do not set or disable this setting, syncing of the "accessibility" group + +## DisableLanguageSettingSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SettingsSync/DisableLanguageSettingSync +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableLanguageSettingSync | +| ADMX File Name | SettingSync.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index d736b16a60..907c344a75 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -1,188 +1,251 @@ --- -title: Policy CSP - SmartScreen -description: Use the Policy CSP - SmartScreen setting to allow IT Admins to control whether users are allowed to install apps from places other than the Store. +title: SmartScreen Policy CSP +description: Learn more about the SmartScreen Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - SmartScreen + + + -
    + +## EnableAppInstallControl - -## SmartScreen policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    -
    - SmartScreen/EnableAppInstallControl -
    -
    - SmartScreen/EnableSmartScreenInShell -
    -
    - SmartScreen/PreventOverrideForFilesInShell -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl +``` + + + +App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly. -
    +- If you enable this setting, you must choose from the following behaviors: - -**SmartScreen/EnableAppInstallControl** +- Turn off app recommendations - +- Show me app recommendations -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- Warn me before installing apps from outside the Store - -
    +- Allow apps from Store only - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you disable or don't configure this setting, users will be able to install apps from anywhere, including files downloaded from the Internet. + -> [!div class = "checklist"] -> * Device + + +> [!NOTE] +> This policy will block installation only while the device is online. To block offline installation too, **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** policies should also be enabled. +> +> This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet. + -
    + +**Description framework properties**: - - -Allows IT Admins to control whether users are allowed to install apps from places other than the Store. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -> [!Note] -> This policy will block installation only while the device is online. To block offline installation too, **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** policies should also be enabled.

    This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet. + +**Allowed values**: - - -ADMX Info: -- GP Friendly name: *Configure App Install Control* -- GP name: *ConfigureAppInstallControl* -- GP path: *Windows Components/Windows Defender SmartScreen/Explorer* -- GP ADMX file name: *SmartScreen.admx* +| Value | Description | +|:--|:--| +| 0 (Default) | Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. | +| 1 | Turns on Application Installation Control, allowing users to only install apps from the Store. | + - - -The following list shows the supported values: + +**Group policy mapping**: -- 0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. -- 1 – Turns on Application Installation Control, allowing users to only install apps from the Store. +| Name | Value | +|:--|:--| +| Name | ConfigureAppInstallControl | +| Friendly Name | Configure App Install Control | +| Location | Computer Configuration | +| Path | Windows Components > Windows Defender SmartScreen > Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\SmartScreen | +| Registry Value Name | ConfigureAppInstallControlEnabled | +| ADMX File Name | SmartScreen.admx | + - - + + + -


    + - -**SmartScreen/EnableSmartScreenInShell** + +## EnableSmartScreenInShell - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell +``` + - -
    + + +This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. -> [!div class = "checklist"] -> * Device +- If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options: -
    +- Warn and prevent bypass +- Warn - - -Allows IT Admins to configure SmartScreen for Windows. +- If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. - - -ADMX Info: -- GP Friendly name: *Configure Windows Defender SmartScreen* -- GP name: *ShellConfigureSmartScreen* -- GP path: *Windows Components/Windows Defender SmartScreen/Explorer* -- GP ADMX file name: *SmartScreen.admx* +- If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. - - -The following list shows the supported values: +- If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet. -- 0 – Turns off SmartScreen in Windows. -- 1 – Turns on SmartScreen in Windows. +- If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. + - - + + + -
    + +**Description framework properties**: - -**SmartScreen/PreventOverrideForFilesInShell** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - -
    + +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | ShellConfigureSmartScreen | +| Friendly Name | Configure Windows Defender SmartScreen | +| Location | Computer Configuration | +| Path | Windows Components > Windows Defender SmartScreen > Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableSmartScreen | +| ADMX File Name | SmartScreen.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## PreventOverrideForFilesInShell + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell +``` + + + + Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files. + - - -ADMX Info: -- GP Friendly name: *Configure Windows Defender SmartScreen* -- GP name: *ShellConfigureSmartScreen* -- GP element: *ShellConfigureSmartScreen_Dropdown* -- GP path: *Windows Components/Windows Defender SmartScreen/Explorer* -- GP ADMX file name: *SmartScreen.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – Employees can ignore SmartScreen warnings and run malicious files. -- 1 – Employees cannot ignore SmartScreen warnings and run malicious files. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -
    + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Do not prevent override. | +| 1 | Prevent override. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ShellConfigureSmartScreen | +| Friendly Name | Configure Windows Defender SmartScreen | +| Element Name | Pick one of the following settings | +| Location | Computer Configuration | +| Path | Windows Components > Windows Defender SmartScreen > Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | SmartScreen.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index 7375101c7d..967b68b67e 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md @@ -1,83 +1,98 @@ --- -title: Policy CSP - Speech -description: Learn how the Policy CSP - Speech setting specifies whether the device will receive updates to the speech recognition and speech synthesis models. +title: Speech Policy CSP +description: Learn more about the Speech Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Speech -
    + + + - -## Speech policies + +## AllowSpeechModelUpdate -
    -
    - Speech/AllowSpeechModelUpdate -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Speech/AllowSpeechModelUpdate +``` + - -**Speech/AllowSpeechModelUpdate** + + +Specifies whether the device will receive updates to the speech recognition and speech synthesis models. - +A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If enabled (default), the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - - -Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - - -ADMX Info: -- GP Friendly name: *Allow Automatic Update of Speech Data* -- GP name: *AllowSpeechModelUpdate* -- GP path: *Windows Components/Speech* -- GP ADMX file name: *Speech.admx* + +**Group policy mapping**: - - -The following list shows the supported values: +| Name | Value | +|:--|:--| +| Name | AllowSpeechModelUpdate | +| Friendly Name | Allow Automatic Update of Speech Data | +| Location | Computer Configuration | +| Path | Windows Components > Speech | +| Registry Key Name | Software\Policies\Microsoft\Speech | +| Registry Value Name | AllowSpeechModelUpdate | +| ADMX File Name | Speech.admx | + -- 0 – Not allowed. -- 1 (default) – Allowed. + + + - - -
    + + + + - + -## Related topics +## Related articles -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 92dac37002..f0db80b75a 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1,1959 +1,2191 @@ --- -title: Policy CSP - Start -description: Use the Policy CSP - Start setting to control the visibility of the Documents shortcut on the Start menu. +title: Start Policy CSP +description: Learn more about the Start Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Start -
    - - -## Start policies - -
    -
    - Start/AllowPinnedFolderDocuments -
    -
    - Start/AllowPinnedFolderDownloads -
    -
    - Start/AllowPinnedFolderFileExplorer -
    -
    - Start/AllowPinnedFolderHomeGroup -
    -
    - Start/AllowPinnedFolderMusic -
    -
    - Start/AllowPinnedFolderNetwork -
    -
    - Start/AllowPinnedFolderPersonalFolder -
    -
    - Start/AllowPinnedFolderPictures -
    -
    - Start/AllowPinnedFolderSettings -
    -
    - Start/AllowPinnedFolderVideos -
    -
    - Start/ConfigureStartPins -
    -
    - Start/DisableContextMenus -
    -
    - Start/DisableControlCenter -
    -
    - Start/DisableEditingQuickSettings -
    -
    - Start/ForceStartSize -
    -
    - Start/HideAppList -
    -
    - Start/HideChangeAccountSettings -
    -
    - Start/HideFrequentlyUsedApps -
    -
    - Start/HideHibernate -
    -
    - Start/HideLock -
    -
    - Start/HidePeopleBar -
    -
    - Start/HidePowerButton -
    -
    - Start/HideRecentJumplists -
    -
    - Start/HideRecentlyAddedApps -
    -
    - Start/HideRecommendedSection -
    -
    - Start/HideRestart -
    -
    - Start/HideShutDown -
    -
    - Start/HideSignOut -
    -
    - Start/HideSleep -
    -
    - Start/HideSwitchAccount -
    -
    - Start/HideTaskViewButton -
    -
    - Start/HideUserTile -
    -
    - Start/ImportEdgeAssets -
    -
    - Start/NoPinningToTaskbar -
    -
    - Start/ShowOrHideMostUsedApps -
    -
    - Start/SimplifyQuickSettings -
    -
    - Start/StartLayout -
    -
    - -
    - - -**Start/AllowPinnedFolderDocuments** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the Documents shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderDownloads** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the Downloads shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderFileExplorer** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the File Explorer shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderHomeGroup** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the HomeGroup shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderMusic** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the Music shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderNetwork** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the Network shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderPersonalFolder** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the PersonalFolder shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderPictures** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the Pictures shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderSettings** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the Settings shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderVideos** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the Videos shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/ConfigureStartPins** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 11
    HomeNo
    ProYes
    BusinessYes
    EnterpriseYes
    EducationYes
    - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy will allow admins to push a new list of pinned apps to override the default/current list of pinned apps in the Windows 11 start menu experience. - -It contains details on how to configure the start menu on Windows 11, see [/windows-hardware/customize/desktop/customize-the-windows-11-start-menu](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu) - - - - - -This string policy will take a JSON file (expected name LayoutModification.json), which enumerates the items to pin and their relative order. - - - - -
    - - - -**Start/DisableContextMenus** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -Enabling this policy prevents context menus from being invoked in the Start Menu. - - - -ADMX Info: -- GP Friendly name: *Disable context menus in the Start Menu* -- GP name: *DisableContextMenusInStart* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -The following list shows the supported values: - -- 0 (default) – False (don't disable). -- 1 - True (disable). - - - - - - - - - -
    - - -**Start/DisableControlCenter** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting disables the Control Center button from the bottom right area on the taskbar. The Control Center area is located at the left of the clock in the taskbar and includes icons for current network and volume. - -If this setting is enabled, Control Center area is displayed but the button to open the Control Center will be disabled. - ->[!Note] -> A reboot is required for this policy setting to take effect. - - - - -ADMX Info: -- GP Friendly name: *Remove control center* -- GP name: *DisableControlCenter* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* - - - -The following are the supported values: - -- Integer 0 - Disabled/Not configured. -- Integer 1 - Enabled. - - - -
    - - -**Start/DisableEditingQuickSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy will allow admins to indicate whether Quick Actions can be edited by the user. - - - -The following are the supported values: - -- 0: Allow editing Quick Actions (default) -- 1: Disable editing Quick Actions - - - - -
    - - -**Start/ForceStartSize** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -Forces the start screen size. - -If there's policy configuration conflict, the latest configuration request is applied to the device. - - - -The following list shows the supported values: - -- 0 (default) – Don't force size of Start. -- 1 – Force non-fullscreen size of Start. -- 2 - Force a fullscreen size of Start. - - - - -
    - - -**Start/HideAppList** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -> [!NOTE] -> This policy requires reboot to take effect. - -Allows IT Admins to configure Start by collapsing or removing the all apps list. - -> [!Note] -> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. - -To validate on Desktop, do the following steps: - -- 1 - Enable policy and restart explorer.exe. -- 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle isn't grayed out. -- 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out. -- 2c - If set to '3': Verify that there's no way of opening the all apps list from Start, and that the Settings toggle is grayed out. - - - -The following list shows the supported values: - -- 0 (default) – None. -- 1 – Hide all apps list. -- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app. -- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app. - - - - -
    - - -**Start/HideChangeAccountSettings** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile. - - - -The following list shows the supported values: - -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - -To validate on Desktop, do the following steps: - -1. Enable policy. -2. Open Start, click on the user tile, and verify that "Change account settings" isn't available. - - - - -
    - - -**Start/HideFrequentlyUsedApps** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -> [!NOTE] -> This policy requires reboot to take effect. - -Allows IT Admins to configure Start by hiding most used apps. - - - -The following list shows the supported values: - -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - -To validate on Desktop, do the following steps: - -1. Enable "Show most used apps" in the Settings app. -2. Use some apps to get them into the most used group in Start. -3. Enable policy. -4. Restart explorer.exe. -5. Check that "Show most used apps" Settings toggle is grayed out. -6. Check that most used apps don't appear in Start. - - - - -
    - - -**Start/HideHibernate** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. + + + + + +## AllowPinnedFolderDocuments + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDocuments +``` + + + + +This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDownloads +``` + + + + +This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderFileExplorer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderFileExplorer +``` + + + + +This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderHomeGroup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderHomeGroup +``` + + + + +This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderMusic + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderMusic +``` + + + + +This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderNetwork + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderNetwork +``` + + + + +This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderPersonalFolder + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderPersonalFolder +``` + + + + +This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderPictures + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderPictures +``` + + + + +This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderSettings +``` + + + + +This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderVideos + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderVideos +``` + + + + +This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## ConfigureStartPins + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/ConfigureStartPins +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/ConfigureStartPins +``` + + + + +Allows admin to override the default items pinned to Start. + + + + + +With this policy you can push a new list of pinned apps to override the default/current list of pinned apps in the Windows Start menu. + +For more information on how to configure the Start menu, see [Customize the Start menu layout on Windows 11](/windows/configuration/customize-start-menu-layout-windows-11). + +This string policy takes a JSON file named `LayoutModification.json`. The file enumerates the items to pin and their relative order. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureStartPins | +| Path | StartMenu > AT > StartMenu | + + + + + + + + + +## DisableContextMenus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/DisableContextMenus +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/DisableContextMenus +``` + + + + +This policy allows you to prevent users from being able to open context menus in the Start Menu. + +- If you enable this policy, then invocations of context menus within the Start Menu will be ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not disable. | +| 1 | Disable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableContextMenusInStart | +| Friendly Name | Disable context menus in the Start Menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableContextMenusInStart | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## DisableControlCenter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/DisableControlCenter +``` + + + + +This policy setting removes Quick Settings from the bottom right area on the taskbar. + +The quick settings area is located at the left of the clock in the taskbar and includes icons for current network and volume. + +- If this setting is enabled, Quick Settings is not displayed in the quick settings area. + +A reboot is required for this policy setting to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Enable Quick Settings. | +| 1 | Disable Quick Settings. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableControlCenter | +| Friendly Name | Remove Quick Settings | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableControlCenter | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## DisableEditingQuickSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/DisableEditingQuickSettings +``` + + + + +- If you enable this policy, the user will be unable to modify Quick Settings. + +- If you disable or don't configure this policy setting, the user will be able to edit Quick Settings, such as pinning or unpinning buttons. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enable editing Quick Settings. | +| 1 | Disable editing Quick Settings. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableEditingQuickSettings | +| Friendly Name | Disable Editing Quick Settings | +| Location | Computer Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableEditingQuickSettings | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## ForceStartSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/ForceStartSize +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/ForceStartSize +``` + + + + +- If you enable this policy and set it to Start menu or full screen Start, Start will be that size and users will be unable to change the size of Start in Settings. + +- If you disable or don't configure this policy setting, Windows will automatically select the size based on hardware form factor and users will be able to change the size of Start in Settings. + + + + + +If there's a policy configuration conflict, the latest configuration request is applied to the device. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not force size of Start. | +| 1 | Force non-fullscreen size of Start. | +| 2 | Force a fullscreen size of Start. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ForceStartSize | +| Friendly Name | Force Start to be either full screen size or menu size | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## HideAppList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideAppList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideAppList +``` + + + + +Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. + + + + > [!NOTE] -> This policy can only be verified on laptops as "Hibernate" doesn't appear on regular PC's. +> This policy requires a reboot to take effect. +> +> There are significant fixes to this policy in Windows 10, version 1709. - - -The following list shows the supported values: +To validate this policy, do the following steps: -- 0 (default) – False (don't hide). -- 1 - True (hide). +1. Enable the policy and restart the explorer.exe process. - - -To validate on Laptop, do the following steps: +2. Verify the behavior based on the configuration. -1. Enable policy. -2. Open Start, click on the Power button, and verify "Hibernate" isn't available. + 1. If set to `1`: Verify that the **All Apps** list is collapsed, and that the **Settings** toggle isn't grayed out. - - + 2. If set to `2`: Verify that the **All Apps** list is collapsed, and that the **Settings** toggle is grayed out. -
    + 3. If set to `3`: Verify that there's no way of opening the **All Apps** list from Start, and that the **Settings** toggle is grayed out. + - -**Start/HideLock** + +**Description framework properties**: - -The table below shows the applicability of Windows: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 (Default) | None. | +| 1 | Hide all apps list. | +| 2 | Hide all apps list, and Disable "Show app list in Start menu" in Settings app. | +| 3 | Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## HideChangeAccountSettings - - -Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideChangeAccountSettings +``` + -- 0 (default) – False (don't hide). -- 1 - True (hide). + + +Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. + - - -To validate on Desktop, do the following steps: + + + -1. Enable policy. -2. Open Start, click on the user tile, and verify "Lock" isn't available. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Start/HidePeopleBar** +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## HideFrequentlyUsedApps - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideFrequentlyUsedApps +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideFrequentlyUsedApps +``` + - - -Enabling this policy removes the people icon from the taskbar and the corresponding settings toggle. It also prevents users from pinning people to the taskbar. + + +- If you enable this setting, the frequently used programs list is removed from the Start menu. -Supported value type is integer. +- If you disable this setting or do not configure it, the frequently used programs list remains on the simple Start menu. + - - -ADMX Info: -- GP Friendly name: *Remove the People Bar from the taskbar* -- GP name: *HidePeopleBar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + + - - -The following list shows the supported values: - -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - - -
    - - -**Start/HidePowerButton** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - > [!NOTE] -> This policy requires reboot to take effect. +> This policy requires a reboot to take effect. -Allows IT Admins to configure Start by hiding the Power button from appearing. +To validate this policy, do the following steps: - - -The following list shows the supported values: +1. Enable the option to **Show most used apps** in the Settings app. +2. Use some apps to get them into the most used group in Start. +3. Enable this policy. +4. Restart the explorer.exe process, or restart the computer. +5. Check that the **Show most used apps** Settings toggle is grayed out. +6. Check that most used apps don't appear in Start. + -- 0 (default) – False (don't hide). -- 1 - True (hide). + +**Description framework properties**: - - -To validate on Desktop, do the following steps: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -1. Enable policy. -2. Open Start, and verify the power button isn't available. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + -
    + +**Group policy mapping**: - -**Start/HideRecentJumplists** +| Name | Value | +|:--|:--| +| Name | NoFrequentUsedPrograms | +| Friendly Name | Remove frequent programs list from the Start Menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStartMenuMFUprogramsList | +| ADMX File Name | StartMenu.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## HideHibernate - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideHibernate +``` + -
    + + +Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. + + + + - - > [!NOTE] -> This policy requires reboot to take effect. +> This policy is only applicable on laptops. The **Hibernate** option doesn't appear on desktop PCs. + -Allows IT Admins to configure Start by hiding recently opened items in the jump lists from appearing. + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- 0 (default) – False (don't hide). -- 1 - True (hide). + +**Allowed values**: - - -To validate on Desktop, do the following steps: +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + -1. Enable "Show recently opened items in Jump Lists on Start of the taskbar" in Settings. -2. Pin Photos to the taskbar, and open some images in the photos app. -3. Right click the pinned photos app and verify that a jump list of recently opened items pops up. -4. Toggle "Show recently opened items in Jump Lists on Start of the taskbar" in Settings to clear jump lists. -5. Enable policy. -6. Restart explorer.exe. -7. Check that Settings toggle is grayed out. -8. Repeat Step 2. -9. Right Click pinned photos app and verify that there's no jump list of recent items. + + + - - + -
    + +## HideLock - -**Start/HideRecentlyAddedApps** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -The table below shows the applicability of Windows: + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideLock +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Enabling this policy hides "Lock" from appearing in the user tile in the start menu. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | +| Dependency [Start_HideLock_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Start/HideUserTile`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + -
    + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + + + + + + + +## HidePeopleBar + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/HidePeopleBar +``` + + + + +This policy allows you to remove the People Bar from the taskbar and disables the My People experience. + +- If you enable this policy the people icon will be removed from the taskbar, the corresponding settings toggle is removed from the taskbar settings page, and users will not be able to pin people to the taskbar. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HidePeopleBar | +| Friendly Name | Remove the People Bar from the taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | HidePeopleBar | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## HidePowerButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HidePowerButton +``` + + + + +Enabling this policy hides the power button from appearing in the start menu. + + + + - - > [!NOTE] -> This policy requires reboot to take effect. +> This policy requires a reboot to take effect. + -Allows IT Admins to configure Start by hiding recently added apps. + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Remove "Recently added" list from Start Menu* -- GP name: *HideRecentlyAddedApps* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -The following list shows the supported values: + +**Allowed values**: -- 0 (default) – False (don't hide). -- 1 - True (hide). +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + - - -To validate on Desktop, do the following steps: + + + -1. Enable "Show recently added apps" in the Settings app. -2. Check if there are recently added apps in Start (if not, install some). -3. Enable policy. -4. Restart explorer.exe. -5. Check that "Show recently added apps" Settings toggle is grayed out. -6. Check that recently added apps don't appear in Start. + - - + +## HideRecentJumplists -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -**Start/HideRecommendedSection** + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideRecentJumplists +``` - +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideRecentJumplists +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. + - -
    + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy allows you to hide the Start Menu's Recommended section when enabled. - - - -The following are the supported values: - -- 0 (default): Do not hide the Start menu's Recommended section. -- 1: Hide the Start menu's Recommended section. - - - -
    - - -**Start/HideRestart** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button. - - - -The following list shows the supported values: - -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - -To validate on Desktop, do the following steps: - -1. Enable policy. -2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" aren't available. - - - - -
    - - -**Start/HideShutDown** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button. - - - -The following list shows the supported values: - -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - -To validate on Desktop, do the following steps: - -1. Enable policy. -2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" aren't available. - - - - -
    - - -**Start/HideSignOut** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile. - - - -The following list shows the supported values: - -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - -To validate on Desktop, do the following steps: - -1. Enable policy. -2. Open Start, click on the user tile, and verify "Sign out" isn't available. - - - - -
    - - -**Start/HideSleep** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button. - - - -The following list shows the supported values: - -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - -To validate on Desktop, do the following steps: - -1. Enable policy. -2. Open Start, click on the Power button, and verify that "Sleep" isn't available. - - - - -
    - - -**Start/HideSwitchAccount** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile. - - - -The following list shows the supported values: - -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - -To validate on Desktop, do the following steps: - -1. Enable policy. -2. Open Start, click on the user tile, and verify that "Switch account" isn't available. - - - - -
    - - -**Start/HideTaskViewButton** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy allows you to hide the Task View button from the Taskbar and its corresponding option in the Settings app. - - - -The following are the supported values: - -- 0 (default): Do not hide the Taskbar's Task View button. -- 1: Hide the Taskbar's Task View button. - - - - -
    - - -**Start/HideUserTile** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - > [!NOTE] -> This policy requires reboot to take effect. +> This policy requires a reboot to take effect. -Allows IT Admins to configure Start by hiding the user tile. +To validate this policy, do the following steps: - - -The following list shows the supported values: +1. In Settings, enable the option to **Show recently opened items in Jump Lists on Start of the taskbar**. +2. Pin the Photos app to the taskbar, and open some images in the app. +3. Right-click the pinned Photos app. Verify that a jump list shows recently opened items. +4. Toggle **Show recently opened items in Jump Lists on Start of the taskbar** in Settings to clear jump lists. +5. Enable this policy. +6. Restart the explorer.exe process or restart the computer. +7. Check that the Settings toggle is grayed out. +8. Open some images in the Photos app. +9. Right-click the pinned Photos app. Verify that there's no jump list of recent items. + -- 0 (default) – False (don't hide). -- 1 - True (hide). + +**Description framework properties**: - - -To validate on Desktop, do the following steps: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -1. Enable policy. -2. Sign out. -3. Sign in, and verify that the user tile is gone from Start. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + -
    + + + - -**Start/ImportEdgeAssets** + - -The table below shows the applicability of Windows: + +## HideRecentlyAddedApps -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideRecentlyAddedApps +``` - -[Scope](./policy-configuration-service-provider.md#policy-scope): +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideRecentlyAddedApps +``` + -> [!div class = "checklist"] -> * Device + + +This policy allows you to prevent the Start Menu from displaying a list of recently installed applications. -
    +- If you enable this policy, the Start Menu will no longer display the "Recently added" list. The corresponding setting will also be disabled in Settings. + + + + - - > [!NOTE] -> This policy requires reboot to take effect. +> This policy requires a reboot to take effect. -Here's more SKU support information: +To validate this policy, do the following steps: -|Release |SKU Supported | -|---------|---------| -|Windows 10, version 1607 and older |Not supported | -|Windows 10, version 1703 and later |Enterprise, Education, Business | -|Windows 10, version 1709 and later |Enterprise, Education, Business, Pro, ProEducation, S, ProWorkstation | +1. In the Settings app, enable the **Show recently added apps** option. +2. Check if there are recently added apps in Start. If not, install some apps. +3. Enable this policy. +4. Restart the explorer.exe process or restart the computer. +5. Check that the **Show recently added apps** Settings toggle is grayed out. +6. Check that recently added apps don't appear in Start. + -This policy imports Edge assets (for example, .png/.jpg files) for secondary tiles into its local app data path, which allows the StartLayout policy to pin Edge secondary tiles as weblink that ties to the image asset files. + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HideRecentlyAddedApps | +| Friendly Name | Remove "Recently added" list from Start Menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | HideRecentlyAddedApps | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## HideRecommendedSection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideRecommendedSection +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideRecommendedSection +``` + + + + +This policy allows you to prevent the Start Menu from displaying a list of recommended applications and files. + +- If you enable this policy setting, the Start Menu will no longer show the section containing a list of recommended files and apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Recommended section shown. | +| 1 | Recommended section hidden. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HideRecommendedSection | +| Friendly Name | Remove Recommended section from Start Menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | HideRecommendedSection | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## HideRestart + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideRestart +``` + + + + +Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + + + + + + + +## HideShutDown + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideShutDown +``` + + + + +Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + + + + + + + +## HideSignOut + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideSignOut +``` + + + + +Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | +| Dependency [Start_HideSignOut_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Start/HideUserTile`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + + + + + + + +## HideSleep + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideSleep +``` + + + + +Enabling this policy hides "Sleep" from appearing in the power button in the start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + + + + + + + +## HideSwitchAccount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideSwitchAccount +``` + + + + +Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + + + + + + + +## HideTaskViewButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideTaskViewButton +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideTaskViewButton +``` + + + + +This policy setting allows you to hide the TaskView button. + +- If you enable this policy setting, the TaskView button will be hidden and the Settings toggle will be disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | TaskView button shown. | +| 1 | TaskView button hidden. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HideTaskViewButton | +| Friendly Name | Hide the TaskView button | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | HideTaskViewButton | +| ADMX File Name | Taskbar.admx | + + + + + + + + + +## HideUserTile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideUserTile +``` + + + + +Enabling this policy hides the user tile from appearing in the start menu. + + + + + +> [!NOTE] +> This policy requires a reboot to take effect. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + + + + + + + +## ImportEdgeAssets + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/ImportEdgeAssets +``` + + + + +This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified. + + + + + +> [!NOTE] +> This policy requires a reboot to take effect. + +This policy imports Microsoft Edge assets for secondary tiles into its local app data path. Example assets are images like `.png` or `.jpg` files. This policy allows the [StartLayout policy](#startlayout) to pin Microsoft Edge secondary tiles as weblinks that use the image asset files. > [!IMPORTANT] -> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy, whenever there are Edge secondary tiles to be pinned from StartLayout policy. +> This asset import only happens only when the [StartLayout policy](#startlayout) changes. Change this **ImportEdgeAssets** policy at the same time as the **StartLayout** policy, whenever there are Microsoft Edge secondary tiles to be pinned from the StartLayout policy. -The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](/windows/configuration/start-secondary-tiles). +The value set for this policy is an XML string containing Microsoft Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](/windows/configuration/start-secondary-tiles). - - -To validate on Desktop, do the following steps: +To validate this policy, do the following steps: -1. Set policy with an XML for Edge assets. -2. 
Set StartLayout policy to anything so that would trigger the Edge assets import. -3. Sign out/in. -4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path. +1. Configure this policy with an XML for Microsoft Edge assets. +2. Set the [StartLayout policy](#startlayout) to anything that triggers the Microsoft Edge assets import. +3. Sign out and sign in again. +4. Verify that all Microsoft Edge assets defined in the XML show up in the following path: `%LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState`. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**Start/NoPinningToTaskbar** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## NoPinningToTaskbar - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/NoPinningToTaskbar +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting allows you to control pinning programs to the Taskbar. +- If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. +- If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. + -
    + + - - -Allows IT Admins to configure the taskbar by disabling, pinning, and unpinning apps on the taskbar. +To validate this policy, do the following steps: - - -The following list shows the supported values: +1. Enable this policy. +2. Right-click on an app pinned to the taskbar. +3. Verify that the option to **Unpin from taskbar** doesn't show. +4. Open the Start menu and right-click on one of the app list icons. +5. Select **More** and verify that **Pin to taskbar** doesn't show. + -- 0 (default) – False (pinning enabled). -- 1 - True (pinning disabled). + +**Description framework properties**: - - -To validate on Desktop, do the following steps: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -1. Enable policy. -2. Right click on a program pinned to taskbar. -3. Verify that "Unpin from taskbar" menu doesn't show. -4. Open Start and right click on one of the app list icons. -5. Verify that More->Pin to taskbar menu doesn't show. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Pinning enabled. | +| 1 | Pinning disabled. | + -
    + + + - -**Start/ShowOrHideMostUsedApps** + - + +## ShowOrHideMostUsedApps -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/Start/ShowOrHideMostUsedApps +``` - -[Scope](./policy-configuration-service-provider.md#policy-scope): +```Device +./Device/Vendor/MSFT/Policy/Config/Start/ShowOrHideMostUsedApps +``` + -> [!div class = "checklist"] -> * Device -> * User + + +- If you enable this policy setting, you can configure Start menu to show or hide the list of user's most used apps, regardless of user settings. -
    +Selecting "Show" will force the "Most used" list to be shown, and user cannot change to hide it using the Settings app. - - +Selecting "Hide" will force the "Most used" list to be hidden, and user cannot change to show it using the Settings app. - - -The following list shows the supported values: +Selecting "Not Configured", or if you disable or do not configure this policy setting, all will allow users to turn on or off the display of "Most used" list using the Settings app. This is default behavior. -- 1 - Force showing of Most Used Apps in Start Menu, user can't change in Settings. -- 0 - Force hiding of Most Used Apps in Start Menu, user can't change in Settings. -- Not set - User can use Settings to hide or show Most Used Apps in Start Menu. +**Note** configuring this policy to "Show" or "Hide" on supported versions of Windows 10 will supercede any policy setting of "Remove frequent programs list from the Start Menu" (which manages same part of Start menu but with fewer options). + -On clean install, the user setting defaults to "hide". + + + - + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Start/SimplifyQuickSettings** +| Value | Description | +|:--|:--| +| 0 (Default) | Do not enforce visibility of list of most used apps in Start; user can control via Settings app (default behavior equivalent to not configuring this policy). | +| 1 | Force showing of list of most used apps in Start; corresponding toggle in Setting app is disabled. | +| 2 | Force hiding of list of most used apps in Start; corresponding toggle in Setting app is disabled. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ShowOrHideMostUsedApps | +| Friendly Name | Show or hide "Most used" list from Start menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| ADMX File Name | StartMenu.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## SimplifyQuickSettings -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - - -This policy will allow admins to indicate whether the default or simplified Quick Actions layout should be loaded. + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/SimplifyQuickSettings +``` + - - -The following are the supported values: + + +- If you enable this policy, Quick Settings will be reduced to only having the WiFi, Bluetooth, Accessibility, and VPN buttons; the brightness and volume sliders; and battery indicator and link to the Settings app. -- 0: load regular Quick Actions layout. -- 1: load simplified Quick Actions layout. +- If you disable or don't configure this policy setting, the regular Quick Settings layout will appear whenever Quick Settings is invoked. + - - + + + -
    + +**Description framework properties**: - -**Start/StartLayout** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -The table below shows the applicability of Windows: + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| +| Value | Description | +|:--|:--| +| 0 (Default) | Load regular Quick Settings layout. | +| 1 | Load simplified Quick Settings layout. | + - -
    + +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | SimplifyQuickSettings | +| Friendly Name | Simplify Quick Settings Layout | +| Location | Computer Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | SimplifyQuickSettings | +| ADMX File Name | StartMenu.admx | + -> [!div class = "checklist"] -> * User -> * Device + + + -
    + - - -> [!IMPORTANT] -> In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope) + +## StartLayout -Here's more SKU support information: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -|Release |SKU Supported | -|---------|---------| -|Windows 10, version 1511 and older |Not supported | -|Windows 10, version 1607 and later |Enterprise, Education, Business | -|Windows 10, version 1709 and later |Enterprise, Education, Business, Pro, ProEducation, S, ProWorkstation | + +```User +./User/Vendor/MSFT/Policy/Config/Start/StartLayout +``` -Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy. +```Device +./Device/Vendor/MSFT/Policy/Config/Start/StartLayout +``` + -For more information on how to customize the Start layout, see [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](/windows/configuration/configure-windows-10-taskbar). + + +Specifies the Start layout for users. - - -ADMX Info: -- GP Friendly name: *Start Layout* -- GP name: *LockedStartLayout* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +This setting lets you specify the Start layout for users and prevents them from changing its configuration. The Start layout you specify must be stored in an XML file that was generated by the Export-StartLayout PowerShell cmdlet. +To use this setting, you must first manually configure a device's Start layout to the desired look and feel. Once you are done, run the Export-StartLayout PowerShell cmdlet on that same device. The cmdlet will generate an XML file representing the layout you configured. - - -
    +Once the XML file is generated and moved to the desired file path, type the fully qualified path and name of the XML file. You can type a local path, such as C:\StartLayouts\myLayout.xml or a UNC path, such as \\Server\Share\Layout.xml. If the specified file is not available when the user logs on, the layout won't be changed. Users cannot customize their Start screen while this setting is enabled. - +- If you disable this setting or do not configure it, the Start screen layout won't be changed and users will be able to customize it. + -## Related topics + + + +If both user and device policies are set, the user policy is used. You can also use this policy to change apps that are pinned to the taskbar. + +For more information on how to customize the Start layout, see [Customize the Start menu layout on Windows 11](/windows/configuration/customize-start-menu-layout-windows-11) and [Customize the Taskbar on Windows 11](/windows/configuration/customize-taskbar-windows-11). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LockedStartLayout | +| Friendly Name | Start Layout | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | LockedStartLayout | +| ADMX File Name | StartMenu.admx | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-stickers.md b/windows/client-management/mdm/policy-csp-stickers.md index 9b2eeee68c..b466e095ca 100644 --- a/windows/client-management/mdm/policy-csp-stickers.md +++ b/windows/client-management/mdm/policy-csp-stickers.md 
@@ -1,10 +1,10 @@ --- title: Stickers Policy CSP -description: Learn more about the Stickers Area in Policy CSP +description: Learn more about the Stickers Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/02/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -36,6 +36,7 @@ ms.topic: reference + This policy setting allows you to control whether you want to allow stickers to be edited and placed on Desktop diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 787eee3961..bbf0efadb7 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -1,928 +1,925 @@ --- -title: Policy CSP - Storage -description: Learn to use the Policy CSP - Storage settings to automatically clean some of the user’s files to free up disk space. +title: Storage Policy CSP +description: Learn more about the Storage Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 03/25/2022 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Storage -
    - - -## Storage policies - -
    -
    - Storage/AllowDiskHealthModelUpdates -
    -
    - Storage/AllowStorageSenseGlobal -
    -
    - Storage/AllowStorageSenseTemporaryFilesCleanup -
    -
    - Storage/ConfigStorageSenseCloudContentDehydrationThreshold -
    -
    - Storage/ConfigStorageSenseDownloadsCleanupThreshold -
    -
    - Storage/ConfigStorageSenseGlobalCadence -
    -
    - Storage/ConfigStorageSenseRecycleBinCleanupThreshold -
    -
    - Storage/EnhancedStorageDevices -
    -
    - Storage/RemovableDiskDenyWriteAccess -
    -
    - Storage/WPDDevicesDenyReadAccessPerDevice -
    -
    - Storage/WPDDevicesDenyReadAccessPerUser -
    -
    - Storage/WPDDevicesDenyWriteAccessPerDevice -
    -
    - Storage/WPDDevicesDenyWriteAccessPerUser -
    -
    - StorageHealthMonitor/DisableStorageHealthMonitor -
    -
    - -
    - - -**Storage/AllowDiskHealthModelUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows disk health model updates. - -Supported value type is integer. - - - -ADMX Info: -- GP Friendly name: *Allow downloading updates to the Disk Failure Prediction Model* -- GP name: *SH_AllowDiskHealthModelUpdates* -- GP path: *System/Storage Health* -- GP ADMX file name: *StorageHealth.admx* - - - -The following list shows the supported values: - -- 0 - Don't allow -- 1 (default) - Allow - - - - -
    - - -**Storage/AllowStorageSenseGlobal** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home||| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -> [!NOTE] -> Versions prior to version 1903 don't support group policy. - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Storage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space, and it is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the Storage/ConfigStorageSenseGlobalCadence group policy. - -If you enable this policy setting without setting a cadence, Storage Sense is turned on for the machine with the default cadence of "during low free disk space." Users can't disable Storage Sense, but they can adjust the cadence (unless you also configure the Storage/ConfigStorageSenseGlobalCadence group policy). - -If you disable this policy setting, the machine will turn off Storage Sense. Users can't enable Storage Sense. - -If you don't configure this policy setting, Storage Sense is turned off by default until the user runs into low disk space or the user enables it manually. Users can configure this setting in Storage settings. - - -ADMX Info: -- GP Friendly name: *Allow Storage Sense* -- GP name: *SS_AllowStorageSenseGlobal* -- GP path: *System/Storage Sense* -- GP ADMX file name: *StorageSense.admx* - - - - - - - - - - - - - -
    - - -**Storage/AllowStorageSenseTemporaryFilesCleanup** - - -Versions prior to version 1903 don't support group policy. - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home||| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -> [!NOTE] -> Versions prior to version 1903 don't support group policy. - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -When Storage Sense runs, it can delete the user’s temporary files that aren't in use. - -If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy doesn't have any effect. - -If you enable this policy setting, Storage Sense will delete the user’s temporary files that aren't in use. Users can't disable this setting in Storage settings. - -If you disable this policy setting, Storage Sense won't delete the user’s temporary files. Users can't enable this setting in Storage settings. - -If you don't configure this policy setting, Storage Sense will delete the user’s temporary files by default. Users can configure this setting in Storage settings. - - - -ADMX Info: -- GP Friendly name: *Allow Storage Sense Temporary Files cleanup* -- GP name: *SS_AllowStorageSenseTemporaryFilesCleanup* -- GP path: *System/Storage Sense* -- GP ADMX file name: *StorageSense.admx* - - - - - - - - - - - - - -
    - - -**Storage/ConfigStorageSenseCloudContentDehydrationThreshold** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home||| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -> [!NOTE] -> Versions prior to version 1903 don't support group policy. - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain number of days. - -If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy doesn't have any effect. - -If you enable this policy setting, you must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it. Supported values are: 0–365. - -If you set this value to zero, Storage Sense won't dehydrate any cloud-backed content. The default value is 0, which never dehydrates cloud-backed content. - -If you disable or don't configure this policy setting, then Storage Sense won't dehydrate any cloud-backed content by default. Users can configure this setting in Storage settings. - - - -ADMX Info: -- GP Friendly name: *Configure Storage Sense Cloud Content dehydration threshold* -- GP name: *SS_ConfigStorageSenseCloudContentDehydrationThreshold* -- GP path: *System/Storage Sense* -- GP ADMX file name: *StorageSense.admx* - - - - - - - - - - - - - -
    - - -**Storage/ConfigStorageSenseDownloadsCleanupThreshold** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home||| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -> [!NOTE] -> Versions prior to version 1903 don't support group policy. - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -When Storage Sense runs, it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certain number of days. - -If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy doesn't have any effect. - -If you enable this policy setting, you must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from the Downloads folder. Supported values are: 0-365. - -If you set this value to zero, Storage Sense won't delete files in the user’s Downloads folder. The default is 0, or never deleting files in the Downloads folder. - -If you disable or don't configure this policy setting, then Storage Sense won't delete files in the user’s Downloads folder by default. Users can configure this setting in Storage settings. - - - -ADMX Info: -- GP Friendly name: *Configure Storage Storage Downloads cleanup threshold* -- GP name: *SS_ConfigStorageSenseDownloadsCleanupThreshold* -- GP path: *System/Storage Sense* -- GP ADMX file name: *StorageSense.admx* - - - - - - - - - - - - - -
    - - -**Storage/ConfigStorageSenseGlobalCadence** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home||| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -> [!NOTE] -> Versions prior to version 1903 don't support group policy. - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Storage Sense can automatically clean some of the user’s files to free up disk space. -If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy doesn't have any effect. - -If you enable this policy setting, you must provide the desired Storage Sense cadence. - -The following are supported options: - -- 1 – Daily -- 7 – Weekly -- 30 – Monthly -- 0 – During low free disk space - -The default is 0 (during low free disk space). - -If you don't configure this policy setting, then the Storage Sense cadence is set to “during low free disk space” by default. Users can configure this setting in Storage settings. - - - -ADMX Info: -- GP Friendly name: *Configure Storage Sense cadence* -- GP name: *SS_ConfigStorageSenseGlobalCadence* -- GP path: *System/Storage Sense* -- GP ADMX file name: *StorageSense.admx* - - - - - - - - - - - - - -
    - - -**Storage/ConfigStorageSenseRecycleBinCleanupThreshold** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home||| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -> [!NOTE] -> Versions prior to version 1903 don't support group policy. - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -When Storage Sense runs, it can delete files in the user’s Recycle Bin if they've been there for over a certain number of days. - -If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy doesn't have any effect. - -If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0–365. - -If you set this value to zero, Storage Sense won't delete files in the user’s Recycle Bin. The default is 30 days. - -If you disable or don't configure this policy setting, Storage Sense will delete files in the user’s Recycle Bin which have been there for over 30 days by default. Users can configure this setting in Storage settings. - - - -ADMX Info: -- GP Friendly name: *Configure Storage Sense Recycle Bin cleanup threshold* -- GP name: *SS_ConfigStorageSenseRecycleBinCleanupThreshold* -- GP path: *System/Storage Sense* -- GP ADMX file name: *StorageSense.admx* - - - - - - - - - - - - - -
    - - -**Storage/EnhancedStorageDevices** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## AllowDiskHealthModelUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/AllowDiskHealthModelUpdates +``` + + + + +Allows downloading new updates to ML Model parameters for predicting storage disk failure. + +Enabled: +Updates would be downloaded for the Disk Failure Prediction Failure Model. + +Disabled: +Updates would not be downloaded for the Disk Failure Prediction Failure Model. + +Not configured: +Same as Enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Do not allow. | +| 1 (Default) | Allow. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SH_AllowDiskHealthModelUpdates | +| Friendly Name | Allow downloading updates to the Disk Failure Prediction Model | +| Location | Computer Configuration | +| Path | System > Storage Health | +| Registry Key Name | Software\Policies\Microsoft\Windows\StorageHealth | +| Registry Value Name | AllowDiskHealthModelUpdates | +| ADMX File Name | StorageHealth.admx | + + + + + + + + + +## AllowStorageSenseGlobal + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseGlobal +``` + + + + +Storage Sense can automatically clean some of the user's files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the "Configure Storage Sense cadence" group policy. + +Enabled: +Storage Sense is turned on for the machine, with the default cadence as 'during low free disk space'. Users cannot disable Storage Sense, but they can adjust the cadence (unless you also configure the "Configure Storage Sense cadence" group policy). + +Disabled: +Storage Sense is turned off the machine. Users cannot enable Storage Sense. + +Not Configured: +By default, Storage Sense is turned off until the user runs into low disk space or the user enables it manually. Users can configure this setting in Storage settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Allow. | +| 0 (Default) | Block. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SS_AllowStorageSenseGlobal | +| Friendly Name | Allow Storage Sense | +| Location | Computer Configuration | +| Path | System > Storage Sense | +| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense | +| Registry Value Name | AllowStorageSenseGlobal | +| ADMX File Name | StorageSense.admx | + + + + + + + + + +## AllowStorageSenseTemporaryFilesCleanup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseTemporaryFilesCleanup +``` + + + + +When Storage Sense runs, it can delete the user's temporary files that are not in use. + +If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. + +Enabled: +Storage Sense will delete the user's temporary files that are not in use. Users cannot disable this setting in Storage settings. + +Disabled: +Storage Sense will not delete the user's temporary files. Users cannot enable this setting in Storage settings. + +Not Configured: +By default, Storage Sense will delete the user's temporary files. Users can configure this setting in Storage settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Allow. | +| 0 | Block. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SS_AllowStorageSenseTemporaryFilesCleanup | +| Friendly Name | Allow Storage Sense Temporary Files cleanup | +| Location | Computer Configuration | +| Path | System > Storage Sense | +| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense | +| Registry Value Name | AllowStorageSenseTemporaryFilesCleanup | +| ADMX File Name | StorageSense.admx | + + + + + + + + + +## ConfigStorageSenseCloudContentDehydrationThreshold + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseCloudContentDehydrationThreshold +``` + + + + +When Storage Sense runs, it can dehydrate cloud-backed content that hasn't been opened in a certain amount of days. + +If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. + +Enabled: +You must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it from the sync root. Supported values are: 0 - 365. +If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, or never dehydrating cloud-backed content. + +Disabled or Not Configured: +By default, Storage Sense will not dehydrate any cloud-backed content. Users can configure this setting in Storage settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-365]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SS_ConfigStorageSenseCloudContentDehydrationThreshold | +| Friendly Name | Configure Storage Sense Cloud Content dehydration threshold | +| Location | Computer Configuration | +| Path | System > Storage Sense | +| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense | +| ADMX File Name | StorageSense.admx | + + + + + + + + + +## ConfigStorageSenseDownloadsCleanupThreshold + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseDownloadsCleanupThreshold +``` + + + + +When Storage Sense runs, it can delete files in the user's Downloads folder if they haven't been opened for more than a certain number of days. + +If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. + +Enabled: +You must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from Downloads folder. Supported values are: 0 - 365. +If you set this value to zero, Storage Sense will not delete files in the user's Downloads folder. The default is 0, or never deleting files in the Downloads folder. + +Disabled or Not Configured: +By default, Storage Sense will not delete files in the user's Downloads folder. Users can configure this setting in Storage settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-365]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SS_ConfigStorageSenseDownloadsCleanupThreshold | +| Friendly Name | Configure Storage Storage Downloads cleanup threshold | +| Location | Computer Configuration | +| Path | System > Storage Sense | +| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense | +| ADMX File Name | StorageSense.admx | + + + + + + + + + +## ConfigStorageSenseGlobalCadence + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseGlobalCadence +``` + + + + +Storage Sense can automatically clean some of the user's files to free up disk space. + +If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. + +Enabled: +You must provide the desired Storage Sense cadence. Supported options are: daily, weekly, monthly, and during low free disk space. The default is 0 (during low free disk space). + +Disabled or Not Configured: +By default, the Storage Sense cadence is set to "during low free disk space". Users can configure this setting in Storage settings. + + + + + +Use the following integer values for the supported options: + +- `0`: During low free disk space (default) +- `1`: Daily +- `7`: Weekly +- `30`: Monthly + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SS_ConfigStorageSenseGlobalCadence | +| Friendly Name | Configure Storage Sense cadence | +| Location | Computer Configuration | +| Path | System > Storage Sense | +| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense | +| ADMX File Name | StorageSense.admx | + + + + + + + + + +## ConfigStorageSenseRecycleBinCleanupThreshold + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseRecycleBinCleanupThreshold +``` + + + + +When Storage Sense runs, it can delete files in the user's Recycle Bin if they have been there for over a certain amount of days. + +If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. + +Enabled: +You must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0 - 365. +If you set this value to zero, Storage Sense will not delete files in the user's Recycle Bin. The default is 30 days. + +Disabled or Not Configured: +By default, Storage Sense will delete files in the user's Recycle Bin that have been there for over 30 days. Users can configure this setting in Storage settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-365]` | +| Default Value | 30 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SS_ConfigStorageSenseRecycleBinCleanupThreshold | +| Friendly Name | Configure Storage Sense Recycle Bin cleanup threshold | +| Location | Computer Configuration | +| Path | System > Storage Sense | +| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense | +| ADMX File Name | StorageSense.admx | + + + + + + + + + +## EnhancedStorageDevices + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/EnhancedStorageDevices +``` + + + + This policy setting configures whether or not Windows will activate an Enhanced Storage device. -If you enable this policy setting, Windows won't activate un-activated Enhanced Storage devices. +- If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. -If you disable or don't configure this policy setting, Windows will activate un-activated Enhanced Storage devices. +- If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. + - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
- -ADMX Info: -- GP Friendly name: *Do not allow Windows to activate Enhanced Storage devices* -- GP name: *TCGSecurityActivationDisabled* -- GP path: *System/Enhanced Storage Access* -- GP ADMX file name: *enhancedstorage.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | TCGSecurityActivationDisabled | +| Friendly Name | Do not allow Windows to activate Enhanced Storage devices | +| Location | Computer Configuration | +| Path | System > Enhanced Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\EnhancedStorageDevices | +| Registry Value Name | TCGSecurityActivationDisabled | +| ADMX File Name | EnhancedStorage.admx | + -
    + + + - -**Storage/RemovableDiskDenyWriteAccess** + - -The table below shows the applicability of Windows: + +## RemovableDiskDenyWriteAccess -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This policy setting denies write access to removable disks. -> [!div class = "checklist"] -> * Device +- If you enable this policy setting, write access is denied to this removable storage class. -
    - - - -If you enable this policy setting, write access is denied to this removable storage class. If you disable or don't configure this policy setting, write access is allowed to this removable storage class. - -> [!Note] -> To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." - -Supported values for this policy are: -- 0 - Disable -- 1 - Enable - - - -ADMX Info: -- GP Friendly name: *Removable Disks: Deny write access* -- GP name: *RemovableDisks_DenyWrite_Access_2* -- GP element: *RemovableDisks_DenyWrite_Access_2* -- GP path: *System/Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - - - - - -Example for setting the device custom OMA-URI setting to enable this policy: -To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1. - -See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10) for information on how to create custom profiles. - - - - - -
    - - -**Storage/WPDDevicesDenyReadAccessPerDevice** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: - -- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. -- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. -- Mass Storage Class (MSC) over USB. - -To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). - -If enabled, this policy will block end-user from Read access on any Windows Portal devices, for example, mobile/iOS/Android. - ->[!NOTE] -> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer. - -Supported values for this policy are: -- Not configured -- Enabled -- Disabled - - - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny read access* -- GP name: *WPDDevices_DenyRead_Access_2* -- GP path: *System/Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - - - - - - - - -
    - - -**Storage/WPDDevicesDenyReadAccessPerUser** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: - -- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. -- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. -- Mass Storage Class (MSC) over USB. - -To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). - -If enabled, this policy will block end-user from Read access on any Windows Portal devices, for example, mobile/iOS/Android. - ->[!NOTE] -> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer. - -Supported values for this policy are: -- Not configured -- Enabled -- Disabled - - - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny read access* -- GP name: *WPDDevices_DenyRead_Access_1* -- GP path: *System/Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - - - - - - - - -
    - - -**Storage/WPDDevicesDenyWriteAccessPerDevice** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: - -- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. -- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. -- Mass Storage Class (MSC) over USB. - -To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). - -If enabled, this policy will block end-user from Write access on any Windows Portal devices, for example, mobile/iOS/Android. - ->[!NOTE] -> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer. - -Supported values for this policy are: -- Not configured -- Enabled -- Disabled - - - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny write access* -- GP name: *WPDDevices_DenyWrite_Access_2* -- GP path: *System/Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - - - - - - - - -
    - - -**Storage/WPDDevicesDenyWriteAccessPerUser** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: - -- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. -- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. -- Mass Storage Class (MSC) over USB. - -To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). - -If enabled, this policy will block end-user from Write access on any Windows Portal devices, for example, mobile/iOS/Android. - ->[!NOTE] -> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer. - -Supported values for this policy are: -- Not configured -- Enabled -- Disabled - - - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny write access* -- GP name: *WPDDevices_DenyWrite_Access_1* -- GP path: *System/Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - - - - - - - - -
    - - - -**StorageHealthMonitor/DisableStorageHealthMonitor** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. > [!NOTE] -> Versions prior to 21H2 will not support this policy +> To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - - -Allows disable of Storage Health Monitor. +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + -Supported value type is integer. + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | RemovableDisks_DenyWrite_Access_2 | +| Friendly Name | Removable Disks: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | +| ADMX File Name | RemovableStorage.admx | + - -The following list shows the supported values: + + + -- 0 - Storage Health Monitor is Enabled. -- 1 - Storage Health Monitor is Disabled. + - - + +## WPDDevicesDenyReadAccessPerDevice -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyReadAccessPerDevice +``` + - + + +This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. -## Related topics +- If you enable this policy setting, read access is denied to this removable storage class. -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + + +This policy does enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: + +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. +- Mass Storage Class (MSC) over USB. + + +>[!NOTE] +> WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyRead_Access_2 | +| Friendly Name | WPD Devices: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## WPDDevicesDenyReadAccessPerUser + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyReadAccessPerUser +``` + + + + +This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +- If you enable this policy setting, read access is denied to this removable storage class. + +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + + +This policy does enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: + +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. +- Mass Storage Class (MSC) over USB. + + +>[!NOTE] +> WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyRead_Access_1 | +| Friendly Name | WPD Devices: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## WPDDevicesDenyWriteAccessPerDevice + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyWriteAccessPerDevice +``` + + + + +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +- If you enable this policy setting, write access is denied to this removable storage class. + +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + + +This policy does enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: + +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. +- Mass Storage Class (MSC) over USB. + + +>[!NOTE] +> WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyWrite_Access_2 | +| Friendly Name | WPD Devices: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## WPDDevicesDenyWriteAccessPerUser + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyWriteAccessPerUser +``` + + + + +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +- If you enable this policy setting, write access is denied to this removable storage class. + +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + + +This policy does enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: + +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. +- Mass Storage Class (MSC) over USB. + + +>[!NOTE] +> WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyWrite_Access_1 | +| Friendly Name | WPD Devices: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 3475130df0..fd1abf6088 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -703,12 +703,7 @@ The "Configure diagnostic data opt-in settings user interface" group policy can **Allowed values**: -| Value | Description | -|:--|:--| -| 0 | Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
    Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. | -| 1 (Default) | Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. | -| 3 | Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. | - +
    **Group policy mapping**: diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index 750cb5bad8..7cfbd6b1fa 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md @@ -1,308 +1,367 @@ --- -title: Policy CSP - SystemServices -description: Learn how to use the Policy CSP - SystemServices setting to determine whether the service's start type is Automatic(2), Manual(3), Disabled(4). +title: SystemServices Policy CSP +description: Learn more about the SystemServices Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - SystemServices -
    - - -## SystemServices policies - -
    -
    - SystemServices/ConfigureHomeGroupListenerServiceStartupMode -
    -
    - SystemServices/ConfigureHomeGroupProviderServiceStartupMode -
    -
    - SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode -
    -
    - SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode -
    -
    - SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode -
    -
    - SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode -
    -
    - - -
    - - -**SystemServices/ConfigureHomeGroupListenerServiceStartupMode** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). - -Default: Manual. - - - -GP Info: -- GP Friendly name: *HomeGroup Listener* -- GP path: *Windows Settings/Security Settings/System Services* - - - - -
    - - -**SystemServices/ConfigureHomeGroupProviderServiceStartupMode** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). - -Default: Manual. - - - -GP Info: -- GP Friendly name: *HomeGroup Provider* -- GP path: *Windows Settings/Security Settings/System Services* - - - - -
    - - -**SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). - -Default: Manual. - - - -GP Info: -- GP Friendly name: *Xbox Accessory Management Service* -- GP path: *Windows Settings/Security Settings/System Services* - - - - -
    - - -**SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). - -Default: Manual. - - - -GP Info: -- GP Friendly name: *Xbox Live Auth Manager* -- GP path: *Windows Settings/Security Settings/System Services* - - - - -
    - - -**SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). - -Default: Manual. - - - -GP Info: -- GP Friendly name: *Xbox Live Game Save* -- GP path: *Windows Settings/Security Settings/System Services* - - - - -
    - - -**SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). - -Default: Manual. - - - -GP Info: -- GP Friendly name: *Xbox Live Networking Service* -- GP path: *Windows Settings/Security Settings/System Services* - - - -
    - - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + +## ConfigureHomeGroupListenerServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureHomeGroupListenerServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HomeGroup Listener | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureHomeGroupProviderServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureHomeGroupProviderServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HomeGroup Provider | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureXboxAccessoryManagementServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | Automatic. | +| 3 (Default) | Manual. | +| 4 | Disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Xbox Accessory Management Service | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureXboxLiveAuthManagerServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | Automatic. | +| 3 (Default) | Manual. | +| 4 | Disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Xbox Live Auth Manager | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureXboxLiveGameSaveServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | Automatic. | +| 3 (Default) | Manual. | +| 4 | Disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Xbox Live Game Save | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureXboxLiveNetworkingServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | Automatic. | +| 3 (Default) | Manual. | +| 4 | Disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Xbox Live Networking Service | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 0ee8b53c39..6c58c87151 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -1,86 +1,80 @@ --- -title: Policy CSP - TaskManager -description: Learn how to use the Policy CSP - TaskManager setting to determine whether non-administrators can use Task Manager to end tasks. +title: TaskManager Policy CSP +description: Learn more about the TaskManager Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - TaskManager -
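Review bot: The six policies in this hunk document the same 2/3/4 start-type contract in two different shapes: ConfigureHomeGroupListenerServiceStartupMode and ConfigureHomeGroupProviderServiceStartupMode carry the range inside the properties table as `| Allowed Values | Range: `[2-4]` |`, while the four Xbox policies drop that row and add a separate "**Allowed values**:" table with `| 2 | Automatic. |`, `| 3 (Default) | Manual. |`, `| 4 | Disabled. |`. Since the description sentence only gives the numeric meanings in passing ("Automatic(2), Manual(3), Disabled(4)"), the two HomeGroup entries would read more consistently with the same three-row table added after their properties table. This is a presentation point only; the values and defaults agree across all six entries.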
    + + + - -## TaskManager policies + +## AllowEndTask -
    -
    - TaskManager/AllowEndTask -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/TaskManager/AllowEndTask +``` + - -**TaskManager/AllowEndTask** + + +This setting determines whether non-administrators can use Task Manager to end tasks - enabled (1) or disabled (0). Default: enabled + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 | Disabled. EndTask functionality is blocked in TaskManager. | +| 1 (Default) | Enabled. Users can perform EndTask in TaskManager. | + -
    + + + - - -This setting determines whether non-administrators can use Task Manager to end tasks. + -Supported value type is integer. + + + -Supported values: -- 0 - Disabled. EndTask functionality is blocked in TaskManager. -- 1 - Enabled (default). Users can perform EndTask in TaskManager. + - - - - - - - - -**Validation procedure:** -- When this policy is set to 1 - users CAN execute 'End task' on processes in TaskManager. -- When the policy is set to 0 - users CANNOT execute 'End task' on processes in TaskManager. - - - -
    - - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md index a333e1450f..855e816358 100644 --- a/windows/client-management/mdm/policy-csp-taskscheduler.md +++ b/windows/client-management/mdm/policy-csp-taskscheduler.md @@ -1,69 +1,80 @@ --- -title: Policy CSP - TaskScheduler -description: Learn how to use the Policy CSP - TaskScheduler setting to determine whether the specific task is enabled (1) or disabled (0). +title: TaskScheduler Policy CSP +description: Learn more about the TaskScheduler Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - TaskScheduler -
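Review bot: The rewritten description for AllowEndTask ends with `Default: enabled` without terminal punctuation and in lowercase, whereas the sibling pages in this commit write `Default: Manual.` / `Default: Enabled.`; suggest `This setting determines whether non-administrators can use Task Manager to end tasks - enabled (1) or disabled (0). Default: Enabled.`. The removed "Validation procedure" block was the only text that told an admin how to confirm the policy took effect (End task available at 1, blocked at 0); if that guidance is not carried elsewhere in the new format, a one-line "To verify" sentence under the description would preserve it.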
    + + + - -## TaskScheduler policies + +## EnableXboxGameSaveTask -
    -
    - TaskScheduler/EnableXboxGameSaveTask -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/TaskScheduler/EnableXboxGameSaveTask +``` + -
    + + +This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled. + - -**TaskScheduler/EnableXboxGameSaveTask** + + + - -The table below shows the applicability of Windows: + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -This setting determines whether the specific task is enabled (1) or disabled (0). Default: Disabled. + + + - - -
    + - +## Related articles -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md index 0ab6c560aa..a3d3f7355e 100644 --- a/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md +++ b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md @@ -1,10 +1,10 @@ --- title: TenantDefinedTelemetry Policy CSP -description: Learn more about the TenantDefinedTelemetry Area in Policy CSP +description: Learn more about the TenantDefinedTelemetry Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/02/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -36,6 +36,7 @@ ms.topic: reference + This policy is used to let mission control what type of Edition we are currently in. @@ -58,9 +59,9 @@ This policy is used to let mission control what type of Edition we are currently | Value | Description | |:--|:--| -| 0 (Default) | Base | -| 1 | Education | -| 2 | Commercial | +| 0 (Default) | Base. | +| 1 | Education. | +| 2 | Commercial. | diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md index 936808277a..babefd000e 100644 --- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md +++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md 
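Review bot: The new description for EnableXboxGameSaveTask says `Default: Enabled.`, but the same hunk's properties table states `| Default Value | 0 |` and the allowed-values table states `| 0 (Default) | Disabled. |`, and the line being replaced read `Default: Disabled.`; the page now contradicts itself on the default. If the tables reflect the CSP definition, the sentence should read `This setting determines whether the specific task is enabled (1) or disabled (0). Default: Disabled.`; if the default really changed, both table rows need updating instead. Either way, one source should be confirmed against the CSP metadata before this ships.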
@@ -1,10 +1,10 @@ --- title: TenantRestrictions Policy CSP -description: Learn more about the TenantRestrictions Area in Policy CSP +description: Learn more about the TenantRestrictions Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - TenantRestrictions > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -43,16 +41,18 @@ ms.topic: reference + This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory. When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Azure AD tenant. -Note: Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details. +> [!NOTE] +> Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details. -https://go.microsoft.com/fwlink/?linkid=2148762 + Before enabling firewall protection, ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting is not supported on all versions of Windows - see the following link for more information. -For details about setting up WDAC with tenant restrictions, see https://go.microsoft.com/fwlink/?linkid=2155230 +For details about setting up WDAC with tenant restrictions, see @@ -69,6 +69,9 @@ For details about setting up WDAC with tenant restrictions, see https://go.micro +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index f4cb783c7e..656d59762c 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md 
+++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -1,1350 +1,1549 @@ --- -title: Policy CSP - TextInput -description: The Policy CSP - TextInput setting allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file. +title: TextInput Policy CSP +description: Learn more about the TextInput Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 03/03/2022 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - TextInput -
    + + + - -## TextInput policies + +## AllowHardwareKeyboardTextSuggestions -
    -
    - TextInput/AllowHardwareKeyboardTextSuggestions -
    -
    - TextInput/AllowIMELogging -
    -
    - TextInput/AllowIMENetworkAccess -
    -
    - TextInput/AllowInputPanel -
    -
    - TextInput/AllowJapaneseIMESurrogatePairCharacters -
    -
    - TextInput/AllowJapaneseIVSCharacters -
    -
    - TextInput/AllowJapaneseNonPublishingStandardGlyph -
    -
    - TextInput/AllowJapaneseUserDictionary -
    -
    - TextInput/AllowKeyboardTextSuggestions -
    -
    - TextInput/AllowKoreanExtendedHanja -
    -
    - TextInput/AllowLanguageFeaturesUninstall -
    -
    - TextInput/AllowLinguisticDataCollection -
    -
    - TextInput/AllowTextInputSuggestionUpdate -
    -
    - TextInput/ConfigureJapaneseIMEVersion -
    -
    - TextInput/ConfigureSimplifiedChineseIMEVersion -
    -
    - TextInput/ConfigureTraditionalChineseIMEVersion -
    -
    - TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode -
    -
    - TextInput/ExcludeJapaneseIMEExceptJIS0208 -
    -
    - TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC -
    -
    - TextInput/ExcludeJapaneseIMEExceptShiftJIS -
    -
    - TextInput/ForceTouchKeyboardDockedState -
    -
    - TextInput/TouchKeyboardDictationButtonAvailability -
    -
    - TextInput/TouchKeyboardEmojiButtonAvailability -
    -
    - TextInput/TouchKeyboardFullModeAvailability -
    -
    - TextInput/TouchKeyboardHandwritingModeAvailability -
    -
    - TextInput/TouchKeyboardNarrowModeAvailability -
    -
    - TextInput/TouchKeyboardSplitModeAvailability -
    -
    - TextInput/TouchKeyboardWideModeAvailability -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowHardwareKeyboardTextSuggestions +``` + -
    - - -**TextInput/AllowHardwareKeyboardTextSuggestions** - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Placeholder only. Do not use in production environment. + - - + + + -
    + +**Description framework properties**: - -**TextInput/AllowIMELogging** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -The table below shows the applicability of Windows: + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## AllowIMELogging -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowIMELogging +``` + + + + > [!NOTE] -> The policy is only enforced in Windows 10 for desktop. +> The policy is only enforced in Windows 10 for desktop. Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. Most restricted value is 0. + -Allows the user to turn on and off the logging for incorrect conversion, and saving auto-tuning result to a file and history-based predictive input. + + + -Most restricted value is 0. + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
    + + + - -**TextInput/AllowIMENetworkAccess** + - -The table below shows the applicability of Windows: + +## AllowIMENetworkAccess -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowIMENetworkAccess +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. Most restricted value is 0. In Windows 10, version 1803, we introduced new suggestion services in Japanese IME in addition to cloud suggestion. When AllowIMENetworkAccess is set to 1, all suggestion services are available as predictive input. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -Most restricted value is 0. + +**Allowed values**: -In Windows 10, version 1803, we introduced new suggestion services in Japanese IME in addition to cloud suggestion. When AllowIMENetworkAccess is set to 1, all suggestion services are available as predictive input. +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. In Windows 10, version 1803, suggestion services are also available in Japanese IME. + - - + +## AllowInputPanel -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -**TextInput/AllowInputPanel** + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowInputPanel +``` + - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + > [!NOTE] -> The policy is only enforced in Windows 10 for desktop. +> The policy is only enforced in Windows 10 for desktop. Allows the IT admin to disable the touch/handwriting keyboard on Windows. Most restricted value is 0. + -Allows the IT admin to disable the touch/handwriting keyboard on Windows. + + + -Most restricted value is 0. + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
    + + + - -**TextInput/AllowJapaneseIMESurrogatePairCharacters** + - -The table below shows the applicability of Windows: + +## AllowJapaneseIMESurrogatePairCharacters -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowJapaneseIMESurrogatePairCharacters +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + > [!NOTE] -> The policy is only enforced in Windows 10 for desktop. +> The policy is only enforced in Windows 10 for desktop. Allows the Japanese IME surrogate pair characters. Most restricted value is 0. + -Allows the Japanese IME surrogate pair characters. + + + -Most restricted value is 0. + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
    + + + - -**TextInput/AllowJapaneseIVSCharacters** + - -The table below shows the applicability of Windows: + +## AllowJapaneseIVSCharacters -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowJapaneseIVSCharacters +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + > [!NOTE] -> The policy is only enforced in Windows 10 for desktop. +> The policy is only enforced in Windows 10 for desktop. Allows Japanese Ideographic Variation Sequence (IVS) characters. Most restricted value is 0. + -Allows Japanese Ideographic Variation Sequence (IVS) characters. + + + -Most restricted value is 0. + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
    + + + - -**TextInput/AllowJapaneseNonPublishingStandardGlyph** + - -The table below shows the applicability of Windows: + +## AllowJapaneseNonPublishingStandardGlyph -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowJapaneseNonPublishingStandardGlyph +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + > [!NOTE] -> The policy is only enforced in Windows 10 for desktop. +> The policy is only enforced in Windows 10 for desktop. Allows the Japanese non-publishing standard glyph. Most restricted value is 0. + -Allows the Japanese non-publishing standard glyph. + + + -Most restricted value is 0. + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
    + + + - -**TextInput/AllowJapaneseUserDictionary** + - -The table below shows the applicability of Windows: + +## AllowJapaneseUserDictionary -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowJapaneseUserDictionary +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + > [!NOTE] -> The policy is only enforced in Windows 10 for desktop. +> The policy is only enforced in Windows 10 for desktop. Allows the Japanese user dictionary. Most restricted value is 0. + -Allows the Japanese user dictionary. + + + -Most restricted value is 0. + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
    + + + - -**TextInput/AllowKeyboardTextSuggestions** + - -The table below shows the applicability of Windows: + +## AllowKeyboardTextSuggestions -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowKeyboardTextSuggestions +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + > [!NOTE] -> The policy is only enforced in Windows 10 for desktop. +> The policy is only enforced in Windows 10 for desktop. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled. Most restricted value is 0. + -Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Enabled. - - - + + To validate that text prediction is disabled on Windows 10 for desktop, do the following: -1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button. -2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app. -3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool. +1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the "Use Text Prediction" setting is enabled from the options button. +1. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. 
Text prediction on the keyboard will be disabled even if the "Show text suggestions as I type" setting is enabled in the Settings app. +1. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -**TextInput/AllowKoreanExtendedHanja** + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - -This policy has been deprecated. + + + - - + -
    + +## AllowLanguageFeaturesUninstall - -**TextInput/AllowLanguageFeaturesUninstall** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -The table below shows the applicability of Windows: + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowLanguageFeaturesUninstall +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +When this policy setting is enabled, some language features (such as handwriting recognizers and spell checking dictionaries) included with a language can be uninstalled from a user's machine when the language is uninstalled. The language can be reinstalled with a different selection of included language features if needed. When this policy setting is disabled, language features remain on the user's machine when the language is uninstalled. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -Allows the uninstall of language features, such as spell checkers on a device. + +**Group policy mapping**: -Most restricted value is 0. +| Name | Value | +|:--|:--| +| Name | AllowLanguageFeaturesUninstall | +| Friendly Name | Allow uninstallation of language features when a language is uninstalled | +| Location | Computer Configuration | +| Path | Windows Components > Text Input | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\TextInput | +| Registry Value Name | AllowLanguageFeaturesUninstall | +| ADMX File Name | TextInput.admx | + - - -ADMX Info: -- GP Friendly name: *Allow Uninstallation of Language Features* -- GP name: *AllowLanguageFeaturesUninstall* -- GP path: *Windows Components/Text Input* -- GP ADMX file name: *TextInput.admx* + + + - - -The following list shows the supported values: + -- 0 – Not allowed. -- 1 (default) – Allowed. + +## AllowLinguisticDataCollection - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowLinguisticDataCollection +``` + - -**TextInput/AllowLinguisticDataCollection** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls the ability to send inking and typing data to Microsoft to improve the language recognition and suggestion capabilities of apps and services running on Windows. + - - -ADMX Info: -- GP Friendly name: *Improve inking and typing recognition* -- GP name: *AllowLinguisticDataCollection* -- GP path: *Windows Components/Text Input* -- GP ADMX file name: *TextInput.admx* + + + - - -This setting supports a range of values between 0 and 1. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**TextInput/AllowTextInputSuggestionUpdate** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -The table below shows the applicability of Windows: + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | AllowLinguisticDataCollection | +| Friendly Name | Improve inking and typing recognition | +| Location | Computer Configuration | +| Path | Windows Components > Text Input | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\TextInput | +| Registry Value Name | AllowLinguisticDataCollection | +| ADMX File Name | TextInput.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## AllowTextInputSuggestionUpdate -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Allows the user to turn on or off the automatic downloading of newer versions of the Expressive Input UI. -When downloading is not allowed the Expressive Input panel will always display the initial UI included with the base Windows image. + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowTextInputSuggestionUpdate +``` + -Most restricted value is 0. + + +Allows the user to turn on or off the automatic downloading of newer versions of the Expressive Input UI. When downloading is not allowed the Expressive Input panel will always display the initial UI included with the base Windows image. Most restricted value is 0. The following list shows the supported values: 0 - Not allowed. 1 (default) - Allowed. + -Default: Enabled + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 1 (Enabled) - The newer UX is downloaded from Microsoft service. -- 0 (Disabled) - The UX remains unchanged with what the operating system installs. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -**TextInput/ConfigureJapaneseIMEVersion** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## ConfigureJapaneseIMEVersion - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ConfigureJapaneseIMEVersion +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting controls the version of Microsoft IME. -
    +- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. + +- If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected. + +- If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. + +This Policy setting applies only to Microsoft Japanese IME. - - > [!NOTE] -> - The policy is only enforced in Windows 10 for desktop. -> - This policy requires reboot to take effect. +> Changes to this setting will not take effect until the user logs off. + -Allows IT admins to configure Microsoft Japanese IME version in the desktop. + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) - Allows you to configure which Microsoft Japanese IME version to use. The new Microsoft Japanese IME version is configured by default. -- 1 - Does not allow you to configure which Microsoft Japanese IME version to use. The previous version of Microsoft Japanese IME is always selected. -- 2 - Does not allow you to configure which Microsoft Japanese IME version to use. The new Microsoft Japanese IME version is always selected. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Allows you to configure which Microsoft Japanese IME version to use. The new Microsoft Japanese IME version is configured by default. | +| 1 | Does not allow you to configure which Microsoft Japanese IME version to use. The previous version of Microsoft Japanese IME is always selected. | +| 2 | Does not allow you to configure which Microsoft Japanese IME version to use. The new Microsoft Japanese IME version is always selected. | + - -**TextInput/ConfigureSimplifiedChineseIMEVersion** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | L_ConfigureJapaneseImeVersion | +| Friendly Name | Configure Japanese IME version | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | Software\Policies\Microsoft\InputMethod\Settings\JPN | +| Registry Value Name | ConfigureImeVersion | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ConfigureKoreanIMEVersion -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ConfigureKoreanIMEVersion +``` + + + + +This policy setting controls the version of Microsoft IME. + +- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. + +- If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected. + +- If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. + +This Policy setting applies only to Microsoft Korean IME. - - > [!NOTE] -> - This policy is enforced only in Windows 10 for desktop. -> - This policy requires reboot to take effect. +> Changes to this setting will not take effect until the user logs off. + -Allows IT admins to configure Microsoft Simplified Chinese IME version in the desktop. + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) - Allows you to configure which Microsoft Simplified Chinese IME version to use. The new Microsoft Simplified Chinese IME version is configured by default. -- 1 - Does not allow you to configure which Microsoft Simplified Chinese IME version to use. The previous version of Microsoft Simplified Chinese IME is always selected. -- 2 - Does not allow you to configure which Microsoft Simplified Chinese IME version to use. The new Microsoft Simplified Chinese IME version is always selected. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-2]` | +| Default Value | 0 | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | L_ConfigureKoreanImeVersion | +| Friendly Name | Configure Korean IME version | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | Software\Policies\Microsoft\InputMethod\Settings\KOR | +| Registry Value Name | ConfigureImeVersion | +| ADMX File Name | EAIME.admx | + - -**TextInput/ConfigureTraditionalChineseIMEVersion** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## ConfigureSimplifiedChineseIMEVersion - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ConfigureSimplifiedChineseIMEVersion +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting controls the version of Microsoft IME. -
    +- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. + +- If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected. + +- If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. + +This Policy setting applies only to Microsoft Simplified Chinese IME. - - > [!NOTE] -> - This policy is enforced only in Windows 10 for desktop. -> - This policy requires reboot to take effect. +> Changes to this setting will not take effect until the user logs off. + -Allows IT admins to configure Microsoft Traditional Chinese IME version in the desktop. + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) - Allows you to configure which Microsoft Traditional Chinese IME version to use. The new Microsoft Traditional Chinese IME version is configured by default. -- 1 - Does not allow you to configure which Microsoft Traditional Chinese IME version to use. The previous version of Microsoft Traditional Chinese IME is always selected. -- 2 - Does not allow you to configure which Microsoft Traditional Chinese IME version to use. The new Microsoft Traditional Chinese IME version is always selected. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Allows you to configure which Microsoft Simplified Chinese IME version to use. The new Microsoft Simplified Chinese IME version is configured by default. | +| 1 | Does not allow you to configure which Microsoft Simplified Chinese IME version to use. The previous version of Microsoft Simplified Chinese IME is always selected. | +| 2 | Does not allow you to configure which Microsoft Simplified Chinese IME version to use. The new Microsoft Simplified Chinese IME version is always selected. | + - -**TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | L_ConfigureSimplifiedChineseImeVersion | +| Friendly Name | Configure Simplified Chinese IME version | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | Software\Policies\Microsoft\InputMethod\Settings\CHS | +| Registry Value Name | ConfigureImeVersion | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ConfigureTraditionalChineseIMEVersion -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ConfigureTraditionalChineseIMEVersion +``` + - - -This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode. + + +This policy setting controls the version of Microsoft IME. -The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up. -But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard. -When this policy is enabled, the touch keyboard automatically shows up when the device is in the desktop mode. +- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. -This policy corresponds to "Show the touch keyboard when not in tablet mode and there's no keyboard attached" in the Settings app. +- If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected. - - -The following list shows the supported values: +- If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. -- 0 (default) - Disabled. -- 1 - Enabled. +This Policy setting applies only to Microsoft Traditional Chinese IME. - - - -
    - - -**TextInput/ExcludeJapaneseIMEExceptJIS0208** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - > [!NOTE] -> The policy is only enforced in Windows 10 for desktop. +> Changes to this setting will not take effect until the user logs off. + -Allows the users to restrict character code range of conversion by setting the character filter. + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – No characters are filtered. -- 1 – All characters except JIS0208 are filtered. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Allows you to configure which Microsoft Traditional Chinese IME version to use. The new Microsoft Traditional Chinese IME version is configured by default. | +| 1 | Does not allow you to configure which Microsoft Traditional Chinese IME version to use. The previous version of Microsoft Traditional Chinese IME is always selected. | +| 2 | Does not allow you to configure which Microsoft Traditional Chinese IME version to use. The new Microsoft Traditional Chinese IME version is always selected. | + - -**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | L_ConfigureTraditionalChineseImeVersion | +| Friendly Name | Configure Traditional Chinese IME version | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | Software\Policies\Microsoft\InputMethod\Settings\CHT | +| Registry Value Name | ConfigureImeVersion | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableTouchKeyboardAutoInvokeInDesktopMode -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode +``` + - - + + +This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode. The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up. But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard. When this policy is enabled, the touch keyboard automatically shows up when the device is in the desktop mode. This policy corresponds to Show the touch keyboard when not in tablet mode and there's no keyboard attached in the Settings app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + + + + + + + +## ExcludeJapaneseIMEExceptJIS0208 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ExcludeJapaneseIMEExceptJIS0208 +``` + + + + > [!NOTE] -> The policy is only enforced in Windows 10 for desktop. +> The policy is only enforced in Windows 10 for desktop. Allows the users to restrict character code range of conversion by setting the character filter. + -Allows the users to restrict character code range of conversion by setting the character filter. + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – No characters are filtered. -- 1 – All characters except JIS0208 and EUDC are filtered. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | No characters are filtered. | +| 1 | All characters except JIS0208 are filtered. | + - -**TextInput/ExcludeJapaneseIMEExceptShiftJIS** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## ExcludeJapaneseIMEExceptJIS0208andEUDC - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + > [!NOTE] -> The policy is only enforced in Windows 10 for desktop. +> The policy is only enforced in Windows 10 for desktop. Allows the users to restrict character code range of conversion by setting the character filter. + -Allows the users to restrict character code range of conversion by setting the character filter. + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – No characters are filtered. -- 1 – All characters except ShiftJIS are filtered. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | No characters are filtered. | +| 1 | All characters except JIS0208 and EUDC are filtered. | + - -**TextInput/ForceTouchKeyboardDockedState** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## ExcludeJapaneseIMEExceptShiftJIS - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ExcludeJapaneseIMEExceptShiftJIS +``` + -> [!div class = "checklist"] -> * Device + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. Allows the users to restrict character code range of conversion by setting the character filter. + -
    + + + - - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | No characters are filtered. | +| 1 | All characters except ShiftJIS are filtered. | + + + + + + + + + +## ForceTouchKeyboardDockedState + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ForceTouchKeyboardDockedState +``` + + + + Specifies the touch keyboard is always docked. When this policy is set to enabled, the touch keyboard is always docked. + - - -The following list shows the supported values: + + + -- 0 - (default) - The OS determines when it's most appropriate to be available. -- 1 - Touch keyboard is always docked. -- 2 - Touch keyboard docking can be changed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**TextInput/TouchKeyboardDictationButtonAvailability** +| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Touch keyboard is always docked. | +| 2 | Touch keyboard docking can be changed. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TouchKeyboardDictationButtonAvailability - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardDictationButtonAvailability +``` + -
    - - - + + Specifies whether the dictation input button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the dictation input button on touch keyboard is disabled. + - - -The following list shows the supported values: + + + -- 0 (default) - The OS determines when it's most appropriate to be available. -- 1 - Dictation button on the keyboard is always available. -- 2 - Dictation button on the keyboard is always disabled. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**TextInput/TouchKeyboardEmojiButtonAvailability** +| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Dictation button on the keyboard is always available. | +| 2 | Dictation button on the keyboard is always disabled. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TouchKeyboardEmojiButtonAvailability - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardEmojiButtonAvailability +``` + -
    + + +Specifies whether the emoji button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the emoji button on touch keyboard is disabled. + - - -Specifies whether the emoji, GIF (only in Windows 11), and kaomoji (only in Windows 11) buttons are available or unavailable for the touch keyboard. When this policy is set to disabled, the buttons are hidden and unavailable. + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) - The OS determines when buttons are most appropriate to be available. -- 1 - Emoji, GIF, and Kaomoji buttons on the touch keyboard are always available. -- 2 - Emoji, GIF, and Kaomoji buttons on the touch keyboard are always unavailable. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Emoji button on keyboard is always available. | +| 2 | Emoji button on keyboard is always disabled. | + - -**TextInput/TouchKeyboardFullModeAvailability** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## TouchKeyboardFullModeAvailability - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardFullModeAvailability +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + Specifies whether the full keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the full keyboard mode for touch keyboard is disabled. + - - -The following list shows the supported values: + + + -- 0 (default) - The OS determines, when it's most appropriate to be available. -- 1 - Full keyboard is always available. -- 2 - Full keyboard is always disabled. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**TextInput/TouchKeyboardHandwritingModeAvailability** +| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Full keyboard is always available. | +| 2 | Full keyboard is always disabled. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TouchKeyboardHandwritingModeAvailability - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardHandwritingModeAvailability +``` + -
    - - - + + Specifies whether the handwriting input panel is enabled or disabled. When this policy is set to disabled, the handwriting input panel is disabled. + - - -The following list shows the supported values: + + + -- 0 (default) - The OS determines, when it's most appropriate to be available. -- 1 - Handwriting input panel is always available. -- 2 - Handwriting input panel is always disabled. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**TextInput/TouchKeyboardNarrowModeAvailability** +| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Handwriting input panel is always available. | +| 2 | Handwriting input panel is always disabled. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TouchKeyboardNarrowModeAvailability - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardNarrowModeAvailability +``` + -
    - - - + + Specifies whether the narrow keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the narrow keyboard mode for touch keyboard is disabled. + - - -The following list shows the supported values: + + + -- 0 (default) - The OS determines, when it's most appropriate to be available. -- 1 - Narrow keyboard is always available. -- 2 - Narrow keyboard is always disabled. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**TextInput/TouchKeyboardSplitModeAvailability** +| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Narrow keyboard is always available. | +| 2 | Narrow keyboard is always disabled. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TouchKeyboardSplitModeAvailability - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardSplitModeAvailability +``` + -
    - - - + + Specifies whether the split keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the split keyboard mode for touch keyboard is disabled. + - - -The following list shows the supported values: + + + -- 0 (default) - The OS determines, when it's most appropriate to be available. -- 1 - Split keyboard is always available. -- 2 - Split keyboard is always disabled. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**TextInput/TouchKeyboardWideModeAvailability** +| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Split keyboard is always available. | +| 2 | Split keyboard is always disabled. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TouchKeyboardWideModeAvailability - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardWideModeAvailability +``` + -
    - - - + + Specifies whether the wide keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the wide keyboard mode for touch keyboard is disabled. + - - -The following list shows the supported values: + + + -- 0 (default) - The OS determines, when it's most appropriate to be available. -- 1 - Wide keyboard is always available. -- 2 - Wide keyboard is always disabled. + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: -## Related topics +| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Wide keyboard is always available. | +| 2 | Wide keyboard is always disabled. | + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index 77496a13ff..7a3dfd08c5 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -1,248 +1,320 @@ --- -title: Policy CSP - TimeLanguageSettings -description: Learn to use the Policy CSP - TimeLanguageSettings setting to specify the time zone to be applied to the device. +title: TimeLanguageSettings Policy CSP +description: Learn more about the TimeLanguageSettings Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/28/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - TimeLanguageSettings -
    + + + - -## TimeLanguageSettings policies + +## AllowSet24HourClock -
    -
    - TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks -
    -
    - TimeLanguageSettings/ConfigureTimeZone -
    -
    - TimeLanguageSettings/MachineUILanguageOverwrite -
    -
    - TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall -
    -
    +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/TimeLanguageSettings/AllowSet24HourClock +``` + - -**TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks** + + +This policy is deprecated. + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + -
    + + + - - -This policy setting controls whether the maintenance task will run to clean up language packs installed on a machine but aren't used by any users on that machine. + -If you enable this policy setting (value 1), language packs that are installed as part of the system image will remain installed even if they aren't used by any user on that system. + +## BlockCleanupOfUnusedPreinstalledLangPacks -If you disable (value 0) or don't configure this policy setting, language packs that are installed as part of the system image but aren't used by any user on that system will be removed as part of a scheduled cleanup task. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks +``` + - - -ADMX Info: -- GP Friendly name: *Block cleanup of unused language packs* -- GP name: *BlockCleanupOfUnusedPreinstalledLangPacks* -- GP path: *Computer Configuration/Administrative Templates/Control Panel/Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + + +This policy setting controls whether the LPRemove task will run to clean up language packs installed on a machine but are not used by any users on that machine. - - +- If you enable this policy setting, language packs that are installed as part of the system image will remain installed even if they are not used by any user on that system. - - +- If you disable or do not configure this policy setting, language packs that are installed as part of the system image but are not used by any user on that system will be removed as part of a scheduled clean up task. + - - + + + -
    + +**Description framework properties**: - -**TimeLanguageSettings/ConfigureTimeZone** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -The table below shows the applicability of Windows: + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 (Default) | Not blocked. | +| 1 | Blocked. | + - -
    + +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | BlockCleanupOfUnusedPreinstalledLangPacks | +| Friendly Name | Block clean-up of unused language packs | +| Location | Computer Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | BlockCleanupOfUnusedPreinstalledLangPacks | +| ADMX File Name | Globalization.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -Specifies the time zone to be applied to the device. This policy name is the standard Windows name for the target time zone. + +## ConfigureTimeZone + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TimeLanguageSettings/ConfigureTimeZone +``` + + + + +Specifies the time zone to be applied to the device. This is the standard Windows name for the target time zone. + + + + > [!TIP] > To get the list of available time zones, run `Get-TimeZone -ListAvailable` in PowerShell. + - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + + + - - -
    + - -**TimeLanguageSettings/MachineUILanguageOverwrite** + +## MachineUILanguageOverwrite - -The table below shows the applicability of Windows: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/TimeLanguageSettings/MachineUILanguageOverwrite +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls which UI language is used for computers with more than one UI language installed. -If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language. If the specified language isn't installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the local administrator. +- If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the local administrator. -If you disable or don't configure this policy setting, there's no restriction of a specific language used for the Windows menus and dialogs. +- If you disable or do not configure this policy setting, there is no restriction of a specific language used for the Windows menus and dialogs. + - - + + + - - -ADMX Info: -- GP Friendly name: *Force selected system UI language to overwrite the user UI language* -- GP name: *MachineUILanguageOverwrite* -- GP path: *Computer Configuration/Administrative Templates/Control Panel/Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + -
    + +**Group policy mapping**: - -**TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall** +| Name | Value | +|:--|:--| +| Name | MachineUILanguageOverwrite | +| Friendly Name | Force selected system UI language to overwrite the user UI language | +| Location | Computer Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\MUI\Settings | +| Registry Value Name | MachineUILock | +| ADMX File Name | Globalization.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## RestrictLanguagePacksAndFeaturesInstall - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```User +./User/Vendor/MSFT/Policy/Config/TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall +``` + - - -This policy setting restricts standard users from installing language features on demand. This policy doesn't restrict the Windows language, if you want to restrict the Windows language use the following policy: “Restricts the UI languages Windows should use for the selected user.” + + +This policy setting restricts the install of language packs and language features, such as spell checkers, on a device. + -If you enable this policy setting, the installation of language features is prevented for standard users. + + + -If you disable or don't configure this policy setting, there's no language feature installation restriction for the standard users. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Not restricted. | +| 1 | Restricted. | + - - + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | RestrictLanguagePacksAndFeaturesInstall | +| Path | Globalization > AT > ControlPanel > RegionalOptions | + -## Related topics + + + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md index 22fbd1c4fc..ddcdb2743d 100644 --- a/windows/client-management/mdm/policy-csp-troubleshooting.md +++ b/windows/client-management/mdm/policy-csp-troubleshooting.md 
@@ -1,103 +1,122 @@
 ---
-title: Policy CSP - Troubleshooting
-description: The Policy CSP - Troubleshooting setting allows IT admins to configure how to apply recommended troubleshooting for known problems on the devices in their domains.
+title: Troubleshooting Policy CSP
+description: Learn more about the Troubleshooting Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - Troubleshooting
-
    + + + - -## Troubleshooting policies + +## AllowRecommendations -
    -
    - Troubleshooting/AllowRecommendations -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/Troubleshooting/AllowRecommendations +``` + -
    + + +This policy setting configures how troubleshooting for known problems can be applied on the device and lets administrators configure how it's applied to their domains/IT environments. - -**Troubleshooting/AllowRecommendations** +Not configuring this policy setting will allow the user to configure how troubleshooting is applied. - -The table below shows the applicability of Windows: +Enabling this policy allows you to configure how troubleshooting is applied on the user's device. You can select from one of the following values: +0 = Do not allow users, system features, or Microsoft to apply troubleshooting. +1 = Only automatically apply troubleshooting for critical problems by system features and Microsoft. +2 = Automatically apply troubleshooting for critical problems by system features and Microsoft. Notify users when troubleshooting for other problems is available and allow users to choose to apply or ignore. +3 = Automatically apply troubleshooting for critical and other problems by system features and Microsoft. Notify users when troubleshooting has solved a problem. +4 = Automatically apply troubleshooting for critical and other problems by system features and Microsoft. Do not notify users when troubleshooting has solved a problem. +5 = Allow the user to choose their own troubleshooting settings. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +After setting this policy, you can use the following instructions to check devices in your domain for available troubleshooting from Microsoft: - -
    +1. Create a bat script with the following contents: +rem The following batch script triggers Recommended Troubleshooting +schtasks /run /TN "\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" - -[Scope](./policy-configuration-service-provider.md#policy-scope): +2. To create a new immediate task, navigate to the Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings. +3. Under Control Panel settings, right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7). -> [!div class = "checklist"] -> * Device +4. Provide name and description as appropriate, then under Security Options set the user account to System and select the Run with highest privileges checkbox. +5. In the Actions tab, create a new action, select Start a Program as its type, then enter the file created in step 1. -
    +6. Configure the task to deploy to your domain. + - - -This policy setting allows IT admins to configure, how to apply recommended troubleshooting for known problems on the devices in their domains or IT environments. + + + - - -ADMX Info: -- GP Friendly name: *Troubleshooting: Allow users to access recommended troubleshooting for known problems* -- GP name: *TroubleshootingAllowRecommendations* -- GP path: *Troubleshooting and Diagnostics/Microsoft Support Diagnostic Tool* -- GP ADMX file name: *MSDT.admx* + +**Description framework properties**: - - -This setting is a numeric policy setting with merge algorithm (lowest value is the most secure) that uses the most restrictive settings for complex manageability scenarios. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -Supported values: -- 0 (default) - Turn off this feature. -- 1 - Turn off this feature but still apply critical troubleshooting. -- 2 - Notify users when recommended troubleshooting is available, then allow the user to run or ignore it. -- 3 - Run recommended troubleshooting automatically and notify the user after it ran successfully. -- 4 - Run recommended troubleshooting automatically without notifying the user. -- 5 - Allow the user to choose their own recommended troubleshooting settings. + +**Allowed values**: -By default, this policy isn't configured and the SKU based defaults are used for managed devices. Current policy values for SKUs are as follows: +| Value | Description | +|:--|:--| +| 0 | Off - Do not allow users, system features, or Microsoft to apply troubleshooting. | +| 1 (Default) | Critical - Automatically apply troubleshooting for critical problems detected by system features and Microsoft. Do not notify users when troubleshooting has solved a problem. | +| 2 | Prompt - Automatically apply troubleshooting for critical problems detected by system features and Microsoft. 
Prompt users when troubleshooting for other problems is available and allow the user to choose to apply or ignore. | +| 3 | Notify - Automatically apply troubleshooting for critical and other problems detected by system features and Microsoft. Notify users when troubleshooting has solved a problem. | +| 4 | Silent - Automatically apply troubleshooting for critical and other problems detected by system features and Microsoft. Do not notify users when troubleshooting has solved a problem. | +| 5 | Configurable - Allow the user to choose their own troubleshooting settings. | + -|SKU|Unmanaged Default|Managed Default| -|--- |--- |--- | -|Home|Prompt (OOBE)|Off| -|Pro|Prompt (OOBE)|Off| -|Education|On (auto)|Off| -|Enterprise|Off|Off| -|Government|Off|Off| + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | TroubleshootingAllowRecommendations | +| Friendly Name | Troubleshooting: Allow users to access recommended troubleshooting for known problems | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Microsoft Support Diagnostic Tool | +| Registry Key Name | Software\Policies\Microsoft\Windows\Troubleshooting\AllowRecommendations | +| Registry Value Name | TroubleshootingAllowRecommendations | +| ADMX File Name | MSDT.admx | + - - + + + - - -
-
+
+
+
-## Related topics
+
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 7c1858edb3..e9921d6795 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1,1470 +1,3671 @@
 ---
-title: Policy CSP - Update
-description: The Policy CSP - Update allows the IT admin, when used with Update/ActiveHoursStart, to manage a range of active hours where update reboots aren't scheduled.
+title: Update Policy CSP
+description: Learn more about the Update Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 02/03/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 06/15/2022
-ms.reviewer:
-manager: aaroncz
-ms.collection: highpri
+ms.topic: reference
 ---
+
+
+
 # Policy CSP - Update
-
-
    - - -## Update policies - -
    -
    - Update/ActiveHoursEnd -
    -
    - Update/ActiveHoursMaxRange -
    -
    - Update/ActiveHoursStart -
    -
    - Update/AllowAutoUpdate -
    -
    - Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork -
    -
    - Update/AllowMUUpdateService -
    -
    - Update/AllowNonMicrosoftSignedUpdate -
    -
    - Update/AllowUpdateService -
    -
    - Update/AutoRestartDeadlinePeriodInDays -
    -
    - Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates -
    -
    - Update/AutoRestartNotificationSchedule -
    -
    - Update/AutoRestartRequiredNotificationDismissal -
    -
    - Update/AutomaticMaintenanceWakeUp -
    -
    - Update/BranchReadinessLevel -
    -
    - Update/ConfigureDeadlineForFeatureUpdates -
    -
    - Update/ConfigureDeadlineForQualityUpdates -
    -
    - Update/ConfigureDeadlineGracePeriod -
    -
    - Update/ConfigureDeadlineGracePeriodForFeatureUpdates -
    -
    - Update/ConfigureDeadlineNoAutoReboot -
    -
    - Update/ConfigureFeatureUpdateUninstallPeriod -
    -
    - Update/DeferFeatureUpdatesPeriodInDays -
    -
    - Update/DeferQualityUpdatesPeriodInDays -
    -
    - Update/DeferUpdatePeriod -
    -
    - Update/DeferUpgradePeriod -
    -
    - Update/DetectionFrequency -
    -
    - Update/DisableDualScan -
    -
    - Update/DisableWUfBSafeguards -
    -
    - Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection -
    -
    - Update/EngagedRestartDeadline -
    -
    - Update/EngagedRestartDeadlineForFeatureUpdates -
    -
    - Update/EngagedRestartSnoozeSchedule -
    -
    - Update/EngagedRestartSnoozeScheduleForFeatureUpdates -
    -
    - Update/EngagedRestartTransitionSchedule -
    -
    - Update/EngagedRestartTransitionScheduleForFeatureUpdates -
    -
    - Update/ExcludeWUDriversInQualityUpdate -
    -
    - Update/FillEmptyContentUrls -
    -
    - Update/IgnoreMOAppDownloadLimit -
    -
    - Update/IgnoreMOUpdateDownloadLimit -
    -
    - Update/ManagePreviewBuilds -
    -
    - Update/NoUpdateNotificationDuringActiveHours -
    -
    - Update/PauseDeferrals -
    -
    - Update/PauseFeatureUpdates -
    -
    - Update/PauseFeatureUpdatesStartTime -
    -
    - Update/PauseQualityUpdates -
    -
    - Update/PauseQualityUpdatesStartTime -
    -
    - Update/PhoneUpdateRestrictions -
    -
    - Update/RequireDeferUpgrade -
    -
    - Update/RequireUpdateApproval -
    -
    - Update/ScheduleImminentRestartWarning -
    -
    - Update/ScheduleRestartWarning -
    -
    - Update/ScheduledInstallDay -
    -
    - Update/ScheduledInstallEveryWeek -
    -
    - Update/ScheduledInstallFirstWeek -
    -
    - Update/ScheduledInstallFourthWeek -
    -
    - Update/ScheduledInstallSecondWeek -
    -
    - Update/ScheduledInstallThirdWeek -
    -
    - Update/ScheduledInstallTime -
    -
    - Update/SetAutoRestartNotificationDisable -
    -
    - Update/SetDisablePauseUXAccess -
    -
    - Update/SetDisableUXWUAccess -
    -
    - Update/SetEDURestart -
    -
    - Update/SetPolicyDrivenUpdateSourceForDriverUpdates -
    -
    - Update/SetPolicyDrivenUpdateSourceForFeatureUpdates -
    -
    - Update/SetPolicyDrivenUpdateSourceForOtherUpdates -
    -
    - Update/SetPolicyDrivenUpdateSourceForQualityUpdates -
    -
    - Update/SetProxyBehaviorForUpdateDetection -
    -
    - Update/ProductVersion -
    -
    - Update/TargetReleaseVersion -
    -
    - Update/UpdateNotificationLevel -
    -
    - Update/UpdateServiceUrl -
    -
    - Update/UpdateServiceUrlAlternate -
    -
    - - -
    - - -**Update/ActiveHoursEnd** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time. - -> [!NOTE] -> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. - -Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. - -The default is 17 (5 PM). - - - -ADMX Info: -- GP Friendly name: *Turn off auto-restart for updates during active hours* -- GP name: *ActiveHours* -- GP element: *ActiveHoursEndTime* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/ActiveHoursMaxRange** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. - -Supported values are 8-18. - -The default value is 18 (hours). - - - -ADMX Info: -- GP Friendly name: *Specify active hours range for auto-restarts* -- GP name: *ActiveHoursMaxRange* -- GP element: *ActiveHoursMaxRange* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/ActiveHoursStart** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time. - -> [!NOTE] -> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. - -Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. - -The default value is 8 (8 AM). - - - -ADMX Info: -- GP Friendly name: *Turn off auto-restart for updates during active hours* -- GP name: *ActiveHours* -- GP element: *ActiveHoursStartTime* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/AllowAutoUpdate** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Enables the IT admin to manage automatic update behavior to scan, download, and install updates. - -Supported operations are Get and Replace. - -If the policy isn't configured, end-users get the default behavior (Auto download and install). - - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateMode* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0: Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1: Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). -- 2: Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. 
If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). -- 3: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. This option is the same as `3`, but restricts end user controls on the settings page. -- 5: Turn off automatic updates. -- 6 (default): Updates automatically download and install at an optimal time determined by the device. Restart occurs outside of active hours until the deadline is reached, if configured. - > [!IMPORTANT] -> This option should be used only for systems under regulatory compliance, as you won't get security updates as well. +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. - - + + + -
    +Update CSP policies are listed below based on the group policy area: - -**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork** +- [Windows Insider Preview](#windows-insider-preview) + - [AllowTemporaryEnterpriseFeatureControl](#allowtemporaryenterprisefeaturecontrol) + - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates) + - [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates) +- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update) + - [AllowNonMicrosoftSignedUpdate](#allownonmicrosoftsignedupdate) + - [AutomaticMaintenanceWakeUp](#automaticmaintenancewakeup) + - [BranchReadinessLevel](#branchreadinesslevel) + - [DeferFeatureUpdatesPeriodInDays](#deferfeatureupdatesperiodindays) + - [DeferQualityUpdatesPeriodInDays](#deferqualityupdatesperiodindays) + - [DisableWUfBSafeguards](#disablewufbsafeguards) + - [ExcludeWUDriversInQualityUpdate](#excludewudriversinqualityupdate) + - [ManagePreviewBuilds](#managepreviewbuilds) + - [PauseFeatureUpdates](#pausefeatureupdates) + - [PauseFeatureUpdatesStartTime](#pausefeatureupdatesstarttime) + - [PauseQualityUpdates](#pausequalityupdates) + - [PauseQualityUpdatesStartTime](#pausequalityupdatesstarttime) + - [ProductVersion](#productversion) + - [TargetReleaseVersion](#targetreleaseversion) +- [Manage updates offered from Windows Server Update Service](#manage-updates-offered-from-windows-server-update-service) + - [AllowUpdateService](#allowupdateservice) + - [DetectionFrequency](#detectionfrequency) + - [DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection](#donotenforceenterprisetlscertpinningforupdatedetection) + - [FillEmptyContentUrls](#fillemptycontenturls) + - [SetPolicyDrivenUpdateSourceForDriverUpdates](#setpolicydrivenupdatesourcefordriverupdates) + - [SetPolicyDrivenUpdateSourceForFeatureUpdates](#setpolicydrivenupdatesourceforfeatureupdates) + - 
[SetPolicyDrivenUpdateSourceForOtherUpdates](#setpolicydrivenupdatesourceforotherupdates) + - [SetPolicyDrivenUpdateSourceForQualityUpdates](#setpolicydrivenupdatesourceforqualityupdates) + - [SetProxyBehaviorForUpdateDetection](#setproxybehaviorforupdatedetection) + - [UpdateServiceUrl](#updateserviceurl) + - [UpdateServiceUrlAlternate](#updateserviceurlalternate) +- [Manage end user experience](#manage-end-user-experience) + - [ActiveHoursEnd](#activehoursend) + - [ActiveHoursMaxRange](#activehoursmaxrange) + - [ActiveHoursStart](#activehoursstart) + - [AllowAutoUpdate](#allowautoupdate) + - [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](#allowautowindowsupdatedownloadovermeterednetwork) + - [AllowMUUpdateService](#allowmuupdateservice) + - [ConfigureDeadlineForFeatureUpdates](#configuredeadlineforfeatureupdates) + - [ConfigureDeadlineForQualityUpdates](#configuredeadlineforqualityupdates) + - [ConfigureDeadlineGracePeriod](#configuredeadlinegraceperiod) + - [ConfigureDeadlineGracePeriodForFeatureUpdates](#configuredeadlinegraceperiodforfeatureupdates) + - [ConfigureDeadlineNoAutoReboot](#configuredeadlinenoautoreboot) + - [ConfigureFeatureUpdateUninstallPeriod](#configurefeatureupdateuninstallperiod) + - [NoUpdateNotificationsDuringActiveHours](#noupdatenotificationsduringactivehours) + - [ScheduledInstallDay](#scheduledinstallday) + - [ScheduledInstallEveryWeek](#scheduledinstalleveryweek) + - [ScheduledInstallFirstWeek](#scheduledinstallfirstweek) + - [ScheduledInstallFourthWeek](#scheduledinstallfourthweek) + - [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) + - [ScheduledInstallThirdWeek](#scheduledinstallthirdweek) + - [ScheduledInstallTime](#scheduledinstalltime) + - [SetDisablePauseUXAccess](#setdisablepauseuxaccess) + - [SetDisableUXWUAccess](#setdisableuxwuaccess) + - [SetEDURestart](#setedurestart) + - [UpdateNotificationLevel](#updatenotificationlevel) +- [Legacy Policies](#legacy-policies) + - 
[AutoRestartDeadlinePeriodInDays](#autorestartdeadlineperiodindays) + - [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#autorestartdeadlineperiodindaysforfeatureupdates) + - [AutoRestartNotificationSchedule](#autorestartnotificationschedule) + - [AutoRestartRequiredNotificationDismissal](#autorestartrequirednotificationdismissal) + - [DeferUpdatePeriod](#deferupdateperiod) + - [DeferUpgradePeriod](#deferupgradeperiod) + - [DisableDualScan](#disabledualscan) + - [EngagedRestartDeadline](#engagedrestartdeadline) + - [EngagedRestartDeadlineForFeatureUpdates](#engagedrestartdeadlineforfeatureupdates) + - [EngagedRestartSnoozeSchedule](#engagedrestartsnoozeschedule) + - [EngagedRestartSnoozeScheduleForFeatureUpdates](#engagedrestartsnoozescheduleforfeatureupdates) + - [EngagedRestartTransitionSchedule](#engagedrestarttransitionschedule) + - [EngagedRestartTransitionScheduleForFeatureUpdates](#engagedrestarttransitionscheduleforfeatureupdates) + - [IgnoreMOAppDownloadLimit](#ignoremoappdownloadlimit) + - [IgnoreMOUpdateDownloadLimit](#ignoremoupdatedownloadlimit) + - [PauseDeferrals](#pausedeferrals) + - [PhoneUpdateRestrictions](#phoneupdaterestrictions) + - [RequireDeferUpgrade](#requiredeferupgrade) + - [RequireUpdateApproval](#requireupdateapproval) + - [ScheduleImminentRestartWarning](#scheduleimminentrestartwarning) + - [ScheduleRestartWarning](#schedulerestartwarning) + - [SetAutoRestartNotificationDisable](#setautorestartnotificationdisable) - -The table below shows the applicability of Windows: +## Windows Insider Preview -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +### AllowTemporaryEnterpriseFeatureControl - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Option to download updates automatically over metered connections (off by default). The supported value type is integer. - -A significant number of devices primarily use cellular data and don't have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates. - -This policy is accessible through the Update setting in the user interface or Group Policy. - - - -ADMX Info: -- GP Friendly name: *Allow updates to be downloaded automatically over metered connections* -- GP name: *AllowAutoWindowsUpdateDownloadOverMeteredNetwork* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Not allowed -- 1 - Allowed - - - - -
    - - -**Update/AllowMUUpdateService** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows the IT admin to manage whether to scan for app updates from Microsoft Update. - - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AllowMUUpdateServiceId* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 - Not configured. -- 1 - Allowed. Accepts updates received through Microsoft Update. - -> [!NOTE] -> Setting this policy back to **0** or **Not configured** doesn't revert the configuration to receive updates from Microsoft Update automatically. In order to revert the configuration, you can run the PowerShell commands that are listed below to remove the Microsoft Update service:. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AllowTemporaryEnterpriseFeatureControl ``` -$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager" -$MUSM.RemoveService("7971f918-a847-4430-9279-4a52d1efe18d") + + + + +Features introduced via servicing (outside of the annual feature update) are off by default for devices that have their Windows updates managed*. + +- If this policy is configured to "Enabled", then all features available in the latest monthly quality update installed will be on. + +- If this policy is set to "Not Configured" or "Disabled" then features that are shipped via a monthly quality update (servicing) will remain off until the feature update that includes these features is installed. + +*Windows update managed devices are those that have their Windows updates managed via policy; whether via the cloud using Windows Update for Business or on-premises with Windows Server Update Services (WSUS). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowTemporaryEnterpriseFeatureControl | +| Friendly Name | Enable features introduced via servicing that are off by default | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | AllowTemporaryEnterpriseFeatureControl | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ConfigureDeadlineNoAutoRebootForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates ``` - - - - -
    - - -**Update/AllowNonMicrosoftSignedUpdate** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. - -Supported operations are Get and Replace. - -This policy is specific to desktop and local publishing via WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). This policy allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft, when the update is found on an intranet Microsoft update service location. - - - -The following list shows the supported values: - -- 0 - Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. -- 1 - Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. - - - - -
    - - -**Update/AllowUpdateService** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. - -Even when Windows Update is configured to receive updates from an intranet update service. It will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store. - -Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. - -> [!NOTE] -> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. - - - -ADMX Info: -- GP Friendly name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 - Update service isn't allowed. -- 1 (default) - Update service is allowed. - - - - -
    - - -**Update/AutoRestartDeadlinePeriodInDays** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -For Quality Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. - -The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system, and user busy checks. - -Supported value type is integer. Default is seven days. - -Supported values range: 2-30. - -The PC must restart for certain updates to take effect. - -If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. - -If you disable or don't configure this policy, the PC will restart according to the default schedule. - -If any of the following two policies are enabled, this policy has no effect: - -1. No autorestart with signed-in users for the scheduled automatic updates installations. -2. Always automatically restart at scheduled time. - - - -ADMX Info: -- GP Friendly name: *Specify deadline before auto-restart for update installation* -- GP name: *AutoRestartDeadline* -- GP element: *AutoRestartDeadline* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. - -The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system, and user busy checks. - -Supported value type is integer. Default is 7 days. - -Supported values range: 2-30. - -The PC must restart for certain updates to take effect. - -If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. - -If you disable or don't configure this policy, the PC will restart according to the default schedule. - -If any of the following two policies are enabled, this policy has no effect: - -1. No autorestart with logged on users for the scheduled automatic updates installations. -2. Always automatically restart at scheduled time. - - - -ADMX Info: -- GP Friendly name: *Specify deadline before auto-restart for update installation* -- GP name: *AutoRestartDeadline* -- GP element: *AutoRestartDeadlineForFeatureUpdates* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/AutoRestartNotificationSchedule** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows the IT Admin to specify the period for autorestart reminder notifications. - -The default value is 15 (minutes). - - - -ADMX Info: -- GP Friendly name: *Configure auto-restart reminder notifications for updates* -- GP name: *AutoRestartNotificationConfig* -- GP element: *AutoRestartNotificationSchd* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported values are 15, 30, 60, 120, and 240 (minutes). - - - - -
    - - -**Update/AutoRestartRequiredNotificationDismissal** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows the IT Admin to specify the method by which the autorestart required notification is dismissed. - - - -ADMX Info: -- GP Friendly name: *Configure auto-restart required notification for updates* -- GP name: *AutoRestartRequiredNotificationDismissal* -- GP element: *AutoRestartRequiredNotificationDismissal* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 1 (default) - Auto Dismissal. -- 2 - User Dismissal. - - - - -
    - - -**Update/AutomaticMaintenanceWakeUp** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. - -> [!Note] -> If the OS power wake policy is explicitly disabled, then this setting has no effect. - -If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if necessary. - -If you disable or don't configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies. - - - -ADMX Info: -- GP Friendly name: *Automatic Maintenance WakeUp Policy* -- GP name: *WakeUpPolicy* -- GP path: *Windows Components/Maintenance Scheduler* -- GP ADMX file name: *msched.admx* - - - -Supported values: -- 0 - Disable -- 1 - Enable (Default) - - - - - - - - - -
    - - -**Update/BranchReadinessLevel** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of General Availability Channel (Targeted) and General Availability Channel have been combined into one General Availability Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 isn't a supported value. - - - -ADMX Info: -- GP Friendly name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *BranchReadinessLevelId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709) -- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709) -- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709) -- 16 {0x10} - (default) General Availability Channel (Targeted). Device gets all applicable feature updates from General Availability Channel (Targeted) -- 32 {0x20} - General Availability Channel. Device gets feature updates from General Availability Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the General Availability Channel and General Availability Channel (Targeted) into a single General Availability Channel with a value of 16) - - - - -
    - - -**Update/ConfigureDeadlineForFeatureUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows admins to specify the number of days before feature updates are installed on the device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. - - -ADMX Info: -- GP Friendly name: *Specify deadlines for automatic updates and restarts* -- GP name: *ConfigureDeadlineForFeatureUpdates* -- GP element: *ConfigureDeadlineForFeatureUpdates* -- GP path: *Administrative Templates\Windows Components\WindowsUpdate* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. When set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity. - -Default value is 7. - - - - - - - - - -
    - - -**Update/ConfigureDeadlineForQualityUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows admins to specify the number of days before quality updates are installed on a device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. - - -ADMX Info: -- GP Friendly name: *Specify deadlines for automatic updates and restarts* -- GP name: *ConfigureDeadlineForQualityUpdates* -- GP element: *ConfigureDeadlineForQualityUpdates* -- GP path: *Administrative Templates\Windows Components\WindowsUpdate* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. When set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity. - -Default value is 7. - - - - - - - - - -
    - - -**Update/ConfigureDeadlineGracePeriod** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy isn't, then the default value of 2 will be used. - - - -ADMX Info: -- GP Friendly name: *Specify deadlines for automatic updates and restarts* -- GP name: *ConfigureDeadlineGracePeriod* -- GP element: *ConfigureDeadlineGracePeriod* -- GP path: *Administrative Templates\Windows Components\WindowsUpdate* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically, after installing a required quality update. - -Default value is 2. - - - - - - - - - -
    - - -**Update/ConfigureDeadlineGracePeriodForFeatureUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) is configured but this policy isn't, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used. - - - -ADMX Info: -- GP Friendly name: *Specify deadlines for automatic updates and restarts* -- GP name: *ConfigureDeadlineGracePeriodForFeatureUpdates* -- GP element: *ConfigureDeadlineGracePeriodForFeatureUpdates* -- GP path: *Administrative Templates\Windows Components\WindowsUpdate* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically, after installing a required feature update. - -Default value is 2. - - - - - - - - - -
    - - -**Update/ConfigureDeadlineNoAutoReboot** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates), devices will delay automatically restarting until both the deadline and grace period have expired, even if applicable updates are already installed and pending a restart. - -When disabled, if the device has installed updates and is outside of active hours, it might attempt an automatic restart before the deadline. - - - -ADMX Info: -- GP Friendly name: *Specify deadlines for automatic updates and restarts* -- GP name: *ConfigureDeadlineNoAutoReboot* -- GP element: *ConfigureDeadlineNoAutoReboot* -- GP path: *Administrative Templates\Windows Components\WindowsUpdate* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported values: -- 1 - Enabled -- 0 (default) - Disabled - - - - - - - - - -
    - - -**Update/ConfigureFeatureUpdateUninstallPeriod** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Enable IT admin to configure feature update uninstall period. - -Values range 2 - 60 days. - -Default is 10 days. - - - - -
    - - -**Update/DeferFeatureUpdatesPeriodInDays** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -Defers Feature Updates for the specified number of days. - -Supported values are 0-365 days. + + + + +When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for feature updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForFeatureUpdates is configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates | + + + + + + + + + +### ConfigureDeadlineNoAutoRebootForQualityUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates +``` + + + + +When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for quality updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates is configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureDeadlineNoAutoRebootForQualityUpdates | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | ConfigureDeadlineNoAutoRebootForQualityUpdates | + + + + + + + + +## Manage updates offered from Windows Update + + +### AllowNonMicrosoftSignedUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AllowNonMicrosoftSignedUpdate +``` + + + + +Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. | +| 1 (Default) | Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the 'Trusted Publishers' certificate store of the local computer. | + + + + + + + + + +### AutomaticMaintenanceWakeUp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AutomaticMaintenanceWakeUp +``` + + + + +This policy setting allows you to configure Automatic Maintenance wake up policy. + +The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. + +- If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. + +- If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | WakeUpPolicy | +| Friendly Name | Automatic Maintenance WakeUp Policy | +| Location | Computer Configuration | +| Path | Windows Components > Maintenance Scheduler | +| Registry Key Name | Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance | +| Registry Value Name | WakeUp | +| ADMX File Name | msched.admx | + + + + + + + + + +### BranchReadinessLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel +``` + + + + +Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 16 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709). | +| 4 | {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709). | +| 8 | {0x8} - Release Windows Insider build (added in Windows 10, version 1709). | +| 16 (Default) | {0x10} - Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). | +| 32 | 2 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the Semi-annual Channel and Semi-annual Channel (Targeted) into a single Semi-annual Channel with a value of 16). | +| 64 | {0x40} - Release Preview of Quality Updates Only. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferFeatureUpdates | +| Friendly Name | Select when Preview Builds and Feature Updates are received | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### DeferFeatureUpdatesPeriodInDays + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays +``` + + + + +Defers Feature Updates for the specified number of days. Supported values are 0-365 days. > [!IMPORTANT] > The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. + - - -ADMX Info: -- GP Friendly name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *DeferFeatureUpdatesPeriodId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-365]` | +| Default Value | 0 | + - -**Update/DeferQualityUpdatesPeriodInDays** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | DeferFeatureUpdates | +| Friendly Name | Select when Preview Builds and Feature Updates are received | +| Element Name | How many days after a Feature Update is released would you like to defer the update before it is offered to the device? | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +### DeferQualityUpdatesPeriodInDays -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays +``` + - - -Defers Quality Updates for the specified number of days. + + +Defers Quality Updates for the specified number of days. Supported values are 0-30. + -Supported values are 0-30. + + + - - -ADMX Info: -- GP Friendly name: *Select when Quality Updates are received* -- GP name: *DeferQualityUpdates* -- GP element: *DeferQualityUpdatesPeriodId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 0 | + -
    + +**Group policy mapping**: - -**Update/DeferUpdatePeriod** +| Name | Value | +|:--|:--| +| Name | DeferQualityUpdates | +| Friendly Name | Select when Quality Updates are received | +| Element Name | After a quality update is released, defer receiving it for this many days | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +### DisableWUfBSafeguards - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1490] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1110] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.1110] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.546] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DisableWUfBSafeguards +``` + -
    + + +This policy setting specifies that a Windows Update for Business device should skip safeguards. + - - + + +Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience. The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update. + +IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the **Disable safeguards for Feature Updates** Group Policy. + +> [!NOTE] +> Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied. +> +> The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update. +> +> Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade, as you're bypassing the protection given by Microsoft pertaining to known issues. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Safeguards are enabled and devices may be blocked for upgrades until the safeguard is cleared. 
| +| 1 | Safeguards are not enabled and upgrades will be deployed without blocking on safeguards. | + + + + + + + + + +### ExcludeWUDriversInQualityUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ExcludeWUDriversInQualityUpdate +``` + + + + +Enable this policy to not include drivers with Windows quality updates. + +- If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow Windows Update drivers. | +| 1 | Exclude Windows Update drivers. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExcludeWUDriversInQualityUpdate | +| Friendly Name | Do not include drivers with Windows Updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | ExcludeWUDriversInQualityUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ManagePreviewBuilds + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ManagePreviewBuilds +``` + + + + +Used to manage Windows 10 Insider Preview builds. Value type is integer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disable Preview builds. | +| 1 | Disable Preview builds once the next release is public. | +| 2 | Enable Preview builds. | +| 3 (Default) | Preview builds is left to user selection. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ManagePreviewBuilds | +| Friendly Name | Manage preview builds | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### PauseFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PauseFeatureUpdates +``` + + + + +Allows IT Admins to pause Feature Updates for up to 60 days. + + + + +> [!NOTE] +> We recommend that you use the Update/PauseFeatureUpdatesStartTime policy, if you're running Windows 10, version 1703 or later. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Feature Updates are not paused. | +| 1 | Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferFeatureUpdates | +| Friendly Name | Select when Preview Builds and Feature Updates are received | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### PauseFeatureUpdatesStartTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PauseFeatureUpdatesStartTime +``` + + + + +Specifies the date and time when the IT admin wants to start pausing the Feature Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferFeatureUpdates | +| Friendly Name | Select when Preview Builds and Feature Updates are received | +| Element Name | Pause Preview Builds or Feature Updates starting | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### PauseQualityUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates +``` + + + + +Allows IT Admins to pause Quality Updates. + + + + +> [!NOTE] +> We recommend that you use the Update/PauseQualityUpdatesStartTime policy, if you're running Windows 10, version 1703 or later. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Quality Updates are not paused. | +| 1 | Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferQualityUpdates | +| Friendly Name | Select when Quality Updates are received | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### PauseQualityUpdatesStartTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PauseQualityUpdatesStartTime +``` + + + + +Specifies the date and time when the IT admin wants to start pausing the Quality Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). + + + + +> [!NOTE] +> When this policy is configured, Quality Updates will be paused for 35 days from the specified start date. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferQualityUpdates | +| Friendly Name | Select when Quality Updates are received | +| Element Name | Pause Quality Updates starting | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ProductVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ProductVersion +``` + + + + +Enables IT administrators to specify the product version associated with the target feature update they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows release information](/windows/release-health/release-information). + + + + +Supported value type is a string containing a Windows product. For example, "Windows 11" or "11" or "Windows 10". By using this Windows Update for Business policy to upgrade devices to a new product (for example, Windows 11) you're agreeing that when applying this operating system to a device: + +1. The applicable Windows license was purchased through volume licensing, or +2. You're authorized to bind your organization and are accepting on its behalf the relevant [Microsoft Software License Terms](https://www.microsoft.com/Useterms). + +> [!NOTE] +> If no product is specified, the device will continue receiving newer versions of the Windows product it's currently on. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | TargetReleaseVersion | +| Friendly Name | Select the target Feature Update version | +| Element Name | Which Windows product version would you like to receive feature updates for? 
e.g., Windows 10 | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### TargetReleaseVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1488] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1217] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.836] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.836] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/TargetReleaseVersion +``` + + + + +Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](/windows/release-health/release-information). + + + + +Supported value type is a string containing Windows version number. For example, `1809`, `1903`, etc. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | TargetReleaseVersion | +| Friendly Name | Select the target Feature Update version | +| Element Name | Target Version for Feature Updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + +## Manage updates offered from Windows Server Update Service + + +### AllowUpdateService + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AllowUpdateService +``` + + + + +Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store. Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. + +> [!NOTE] +> This policy applies only when the desktop or device is configured to connect to an intranet update service using the Specify intranet Microsoft update service location policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### DetectionFrequency + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DetectionFrequency +``` + + + + +Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. + + + + +This policy should be enabled only when [UpdateServiceUrl](#updateserviceurl) is configured to point the device at a WSUS server rather than Microsoft Update. + +> [!NOTE] +> There is a random variant of 0-4 hours applied to the scan frequency, which cannot be configured. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-22]` | +| Default Value | 22 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DetectionFrequency_Title | +| Friendly Name | Automatic Updates detection frequency | +| Element Name | interval (hours) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240.18818] and later
    :heavy_check_mark: Windows 10, version 1607 [10.0.14393.4169] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063.2108] and later
    :heavy_check_mark: Windows 10, version 1709 [10.0.16299.2166] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1967] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1697] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1316] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.1316] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.746] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.746] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection +``` + + + + +Do not enforce TLS certificate pinning for Windows Update client for detecting updates. + + + + +> [!NOTE] +> By default, certificate pinning for Windows Update client isn't enforced. To ensure the highest levels of security, we recommended using WSUS TLS certificate pinning on all devices. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Element Name | Do not enforce TLS certificate pinning for Windows Update client for detecting updates. | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### FillEmptyContentUrls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/FillEmptyContentUrls +``` + + + + +Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). + +> [!NOTE] +> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Element Name | Download files with no Url in the metadata if alternate download server is set. | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetPolicyDrivenUpdateSourceForDriverUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForDriverUpdates +``` + + + + + + + + +Configure this policy to specify whether to receive **Windows Driver Updates** from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: + +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates + +> [!NOTE] +> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Detect, download and deploy Driver Updates from Windows Update. | +| 1 (Default) | Detect, download and deploy Driver Updates from Windows Server Update Services (WSUS). | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetPolicyDrivenUpdateSourceForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForFeatureUpdates +``` + + + + + + + + +Configure this policy to specify whether to receive **Windows Feature Updates** from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: + +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates + +> [!NOTE] +> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Detect, download and deploy Feature Updates from Windows Update. | +| 1 (Default) | Detect, download and deploy Feature Updates from Windows Server Update Services (WSUS). | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetPolicyDrivenUpdateSourceForOtherUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForOtherUpdates +``` + + + + + + + + +Configure this policy to specify whether to receive **Other Updates** from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: + +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates + +> [!NOTE] +> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Detect, download and deploy other Updates from Windows Update. | +| 1 (Default) | Detect, download and deploy other Updates from Windows Server Update Services (WSUS). | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetPolicyDrivenUpdateSourceForQualityUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForQualityUpdates +``` + + + + + + + + +Configure this policy to specify whether to receive **Windows Quality Updates** from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: + +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates + +> [!NOTE] +> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Detect, download and deploy Quality Updates from Windows Update. | +| 1 (Default) | Detect, download and deploy Quality Updates from Windows Server Update Services (WSUS). | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetProxyBehaviorForUpdateDetection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240.18696] and later
    :heavy_check_mark: Windows 10, version 1607 [10.0.14393.3930] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063.2500] and later
    :heavy_check_mark: Windows 10, version 1709 [10.0.16299.2107] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1726] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1457] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1082] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.1082] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.508] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetProxyBehaviorForUpdateDetection +``` + + + + +Select the proxy behavior for Windows Update client for detecting updates + + + + +By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP-based intranet server despite the vulnerabilities it presents. + +This policy setting doesn't impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS-based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security. + +> [!NOTE] +> Configuring this policy setting to 1 exposes your environment to potential security risk and makes scans unsecure. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Only use system proxy for detecting updates (default). | +| 1 | Allow user proxy to be used as a fallback if detection using system proxy fails. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Element Name | Select the proxy behavior for Windows Update client for detecting updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### UpdateServiceUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl +``` + + + + +Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. + + + + +The following list shows the supported values: + +- Not configured: The device checks for updates from Microsoft Update. +- Set to a URL, such as `http://abcd-srv:8530`: The device checks for updates from the WSUS server at the specified URL. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | CorpWSUS | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Element Name | Set the intranet update service for detecting updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + +**Example**: + +```xml + + $CmdID$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl + + http://abcd-srv:8530 + + +``` + + + + + +### UpdateServiceUrlAlternate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/UpdateServiceUrlAlternate +``` + + + + +Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. To use this setting, you must set two server name values the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. Value type is string and the default value is an empty string, . If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. + +> [!NOTE] +> If the Configure Automatic Updates Group Policy is disabled, then this policy has no effect. If the Alternate Download Server Group Policy is not set, it will use the WSUS server by default to download updates. This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. 
+ + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Element Name | Set the alternate download server | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + +## Manage end user experience + + +### ActiveHoursEnd + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ActiveHoursEnd +``` + + + + +Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. + +> [!NOTE] +> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See Update/ActiveHoursMaxRange below for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default is 17 (5 PM). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-23]` | +| Default Value | 17 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ActiveHours | +| Friendly Name | Turn off auto-restart for updates during active hours | +| Element Name | End | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ActiveHoursMaxRange + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ActiveHoursMaxRange +``` + + + + +Enable this policy to specify the maximum number of hours from the start time that users can set their active hours. + +The max active hours range can be set between 8 and 18 hours. + +- If you disable or do not configure this policy, the default max active hours range will be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[8-18]` | +| Default Value | 18 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ActiveHoursMaxRange | +| Friendly Name | Specify active hours range for auto-restarts | +| Element Name | Max range | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ActiveHoursStart + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ActiveHoursStart +``` + + + + +Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. + +> [!NOTE] +> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See Update/ActiveHoursMaxRange above for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default value is 8 (8 AM). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-23]` | +| Default Value | 8 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ActiveHours | +| Friendly Name | Turn off auto-restart for updates during active hours | +| Element Name | Start | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### AllowAutoUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate +``` + + + + +Enables the IT admin to manage automatic update behavior to scan, download, and install updates. Important. This option should be used only for systems under regulatory compliance, as you will not get security updates as well. If the policy is not configured, end-users get the default behavior (Auto install and restart). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. | +| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. | +| 2 (Default) | Auto install and restart. 
Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. | +| 3 | Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. | +| 4 | Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. | +| 5 | Turn off automatic updates. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Configure automatic updating | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### AllowAutoWindowsUpdateDownloadOverMeteredNetwork + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork +``` + + + + +Enabling this policy will automatically download updates, even over metered data connections (charges may apply) + + + + +A significant number of devices primarily use cellular data and don't have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates. + +This policy is accessible through the Update setting in the user interface or Group Policy. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowAutoWindowsUpdateDownloadOverMeteredNetwork | +| Friendly Name | Allow updates to be downloaded automatically over metered connections | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | AllowAutoWindowsUpdateDownloadOverMeteredNetwork | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### AllowMUUpdateService + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AllowMUUpdateService +``` + + + + +Allows the IT admin to manage whether to scan for app updates from Microsoft Update. + + + + +> [!NOTE] +> Setting this policy back to 0 or Not configured doesn't revert the configuration to receive updates from Microsoft Update automatically. In order to revert the configuration, you can run the PowerShell commands that are listed below to remove the Microsoft Update service: +> +> ```powershell +> $MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager" +> $MUSM.RemoveService("7971f918-a847-4430-9279-4a52d1efe18d") +> ``` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed or not configured. | +| 1 | Allowed. Accepts updates received through Microsoft Update. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Install updates for other Microsoft products | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ConfigureDeadlineForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineForFeatureUpdates +``` + + + + +Number of days before feature updates are installed on devices automatically regardless of active hours. Before the deadline passes, users will be able to schedule restarts, and automatic restarts can happen outside of active hours. When set to 0, updates will download and install immediately, but might not finish within the day due to device availability and network connectivity. + + + + +> [!NOTE] +> After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 2 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ComplianceDeadline | +| Friendly Name | Specify deadlines for automatic updates and restarts | +| Element Name | Deadline (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ConfigureDeadlineForQualityUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineForQualityUpdates +``` + + + + +Number of days before quality updates are installed on devices automatically regardless of active hours. Before the deadline passes, users will be able to schedule restarts, and automatic restarts can happen outside of active hours. When set to 0, updates will download and install immediately, but might not finish within the day due to device availability and network connectivity. + + + + +> [!NOTE] +> After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 7 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ComplianceDeadline | +| Friendly Name | Specify deadlines for automatic updates and restarts | +| Element Name | Deadline (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ConfigureDeadlineGracePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineGracePeriod +``` + + + + +Minimum number of days from update installation until restarts occur automatically for quality updates. This policy only takes effect when Update/ConfigureDeadlineForQualityUpdates is configured. If Update/ConfigureDeadlineForQualityUpdates is configured but this policy is not, then the default value of 2 days will take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-7]` | +| Default Value | 2 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ComplianceDeadline | +| Friendly Name | Specify deadlines for automatic updates and restarts | +| Element Name | Grace period (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ConfigureDeadlineGracePeriodForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1852] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.1474] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.906] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineGracePeriodForFeatureUpdates +``` + + + + +Minimum number of days from update installation until restarts occur automatically for feature updates. This policy only takes effect when Update/ConfigureDeadlineForFeatureUpdates is configured. If Update/ConfigureDeadlineForFeatureUpdates is configured but this policy is not, then the value configured by Update/ConfigureDeadlineGracePeriod will be used. If Update/ConfigureDeadlineGracePeriod is also not configured, then the default value of 7 days will take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-7]` | +| Default Value | 7 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ComplianceDeadline | +| Friendly Name | Specify deadlines for automatic updates and restarts | +| Element Name | Grace Period (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ConfigureDeadlineNoAutoReboot + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoReboot +``` + + + + +When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates or Update/ConfigureDeadlineForFeatureUpdates is configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ComplianceDeadline | +| Friendly Name | Specify deadlines for automatic updates and restarts | +| Element Name | Don't auto-restart until end of grace period | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ConfigureFeatureUpdateUninstallPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureFeatureUpdateUninstallPeriod +``` + + + + +Enable enterprises/IT admin to configure feature update uninstall period + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-60]` | +| Default Value | 10 | + + + + + + + + + +### NoUpdateNotificationsDuringActiveHours + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/NoUpdateNotificationsDuringActiveHours +``` + + + + +0 (default) - Use the default Windows Update notifications +1 - Turn off all notifications, excluding restart warnings +2 - Turn off all notifications, including restart warnings + +This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed. + +**Important** if you choose not to get update notifications and also define other Group policy so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. + +If you select "Apply only during active hours" in conjunction with Option 1 or 2, then notifications will only be disabled during active hours. You can set active hours by setting "Turn off auto-restart for updates during active hours" or allow the device to set active hours based on user behavior. To ensure that the device stays secure, a notification will still be shown if this option is selected once "Specify deadlines for automatic updates and restarts" deadline has been reached if configured, regardless of active hours. + + + + +> [!NOTE] +> This policy can be used in conjunction with Update/ActiveHoursStart and Update/ActiveHoursEnd policies to ensure that the end user sees no update notifications during active hours until deadline is reached. If no active hour period is configured then this will apply to the intelligent active hours window calculated on the device. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. 
| +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | UpdateNotificationLevel | +| Friendly Name | Display options for update notifications | +| Element Name | Apply only during active hours | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ScheduledInstallDay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallDay +``` + + + + +Enables the IT admin to schedule the day of the update installation. The data type is an integer. + + + + +> [!NOTE] +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Every day. | +| 1 | Sunday. | +| 2 | Monday. | +| 3 | Tuesday. | +| 4 | Wednesday. | +| 5 | Thursday. | +| 6 | Friday. | +| 7 | Saturday. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Scheduled install day | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ScheduledInstallEveryWeek + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallEveryWeek +``` + + + + +Enables the IT admin to schedule the update installation every week. Value type is integer. + + + + +> [!NOTE] +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | No update in the schedule. | +| 1 (Default) | Update is scheduled every week. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Every week | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ScheduledInstallFirstWeek + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallFirstWeek +``` + + + + +Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. + + + + +> [!NOTE] +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | No update in the schedule. | +| 1 | Update is scheduled every first week of the month. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | First week of the month | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ScheduledInstallFourthWeek + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallFourthWeek +``` + + + + +Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. + + + + +> [!NOTE] +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | No update in the schedule. | +| 1 | Update is scheduled every fourth week of the month. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Fourth week of the month | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ScheduledInstallSecondWeek + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallSecondWeek +``` + + + + +Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. + + + + +> [!NOTE] +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | No update in the schedule. | +| 1 | Update is scheduled every second week of the month. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Second week of the month | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ScheduledInstallThirdWeek + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallThirdWeek +``` + + + + +Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. + + + + +> [!NOTE] +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | No update in the schedule. | +| 1 | Update is scheduled every third week of the month. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Third week of the month | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ScheduledInstallTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallTime +``` + + + + + the IT admin to schedule the time of the update installation. The data type is an integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. + + + + +> [!NOTE] +> +> - This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. +> - There is a window of approximately 30 minutes to allow for higher success rates of installation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-23]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Scheduled install time | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetDisablePauseUXAccess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetDisablePauseUXAccess +``` + + + + +This setting allows removing access to "Pause updates" feature. + +Once enabled user access to pause updates is removed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisablePauseUXAccess | +| Friendly Name | Remove access to "Pause updates" feature | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | SetDisablePauseUXAccess | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetDisableUXWUAccess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetDisableUXWUAccess +``` + + + + +This setting allows you to remove access to scan Windows Update. + +- If you enable this setting user access to Windows Update scan, download and install is removed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableUXWUAccess | +| Friendly Name | Remove access to use all Windows Update features | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | SetDisableUXWUAccess | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetEDURestart + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetEDURestart +``` + + + + +Enabling this policy for EDU devices that remain on Carts overnight will skip power checks to ensure update reboots will happen at the scheduled install time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not configured. | +| 1 | Configured. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SetEDURestart | +| Friendly Name | Update Power Policy for Cart Restarts | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | SetEDURestart | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### UpdateNotificationLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/UpdateNotificationLevel +``` + + + + +0 (default) - Use the default Windows Update notifications +1 - Turn off all notifications, excluding restart warnings +2 - Turn off all notifications, including restart warnings + +This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed. + +**Important** if you choose not to get update notifications and also define other Group policy so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. + +If you select "Apply only during active hours" in conjunction with Option 1 or 2, then notifications will only be disabled during active hours. You can set active hours by setting "Turn off auto-restart for updates during active hours" or allow the device to set active hours based on user behavior. To ensure that the device stays secure, a notification will still be shown if this option is selected once "Specify deadlines for automatic updates and restarts" deadline has been reached if configured, regardless of active hours. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Use the default Windows Update notifications. | +| 1 | Turn off all notifications, excluding restart warnings. | +| 2 | Turn off all notifications, including restart warnings. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | UpdateNotificationLevel | +| Friendly Name | Display options for update notifications | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | SetUpdateNotificationLevel | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + +## Legacy Policies + + +### AutoRestartDeadlinePeriodInDays + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AutoRestartDeadlinePeriodInDays +``` + + + + +Specify the deadline before the PC will automatically restart to apply updates. The deadline can be set 2 to 14 days past the default restart date. + +The restart may happen inside active hours. + +- If you disable or do not configure this policy, the PC will restart according to the default schedule. + +Enabling either of the following two policies will override the above policy: + +1. No auto-restart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-30]` | +| Default Value | 7 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoRestartDeadline | +| Friendly Name | Specify deadline before auto-restart for update installation | +| Element Name | Quality Updates (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### AutoRestartDeadlinePeriodInDaysForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates +``` + + + + +Specify the deadline before the PC will automatically restart to apply updates. The deadline can be set 2 to 14 days past the default restart date. + +The restart may happen inside active hours. + +- If you disable or do not configure this policy, the PC will restart according to the default schedule. + +Enabling either of the following two policies will override the above policy: + +1. No auto-restart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-30]` | +| Default Value | 7 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoRestartDeadline | +| Friendly Name | Specify deadline before auto-restart for update installation | +| Element Name | Feature Updates (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### AutoRestartNotificationSchedule + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AutoRestartNotificationSchedule +``` + + + + +Allows the IT Admin to specify the period for auto-restart reminder notifications. The default value is 15 (minutes). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 15 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 15 (Default) | 15 Minutes. | +| 30 | 30 Minutes. | +| 60 | 60 Minutes. | +| 120 | 120 Minutes. | +| 240 | 240 Minutes. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoRestartNotificationConfig | +| Friendly Name | Configure auto-restart reminder notifications for updates | +| Element Name | Period (min) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### AutoRestartRequiredNotificationDismissal + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AutoRestartRequiredNotificationDismissal +``` + + + + +Enable this policy to specify the method by which the auto-restart required notification is dismissed. When a restart is required to install updates, the auto-restart required notification is displayed. By default, the notification is automatically dismissed after 25 seconds. + +The method can be set to require user action to dismiss the notification. + +- If you disable or do not configure this policy, the default method will be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Auto Dismissal. | +| 2 | User Dismissal. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoRestartRequiredNotificationDismissal | +| Friendly Name | Configure auto-restart required notification for updates | +| Element Name | Method | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### DeferUpdatePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod +``` + + + + + + + + > [!NOTE] > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. -Allows IT Admins to specify update delays for up to four weeks. +Allows IT Admins to specify update delays for up to four weeks. Supported values are 0-4, which refers to the number of weeks to defer updates. -Supported values are 0-4, which refers to the number of weeks to defer updates. - -If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +- If the **Specify intranet Microsoft update service location** policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +- If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. OS upgrade: + - Maximum deferral: Eight months - Deferral increment: One month - Update type/notes: - Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 Update: + - Maximum deferral: One month - Deferral increment: One week - Update type/notes: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic: 
@@ -1485,2602 +3686,1116 @@ Other/can't defer: - Update type/notes: Any update category not enumerated above falls into this category. - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B + - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *DeferUpdatePeriodId* -- GP ADMX file name: *WindowsUpdate.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4]` | +| Default Value | 0 | + -
    + +**Group policy mapping**: - -**Update/DeferUpgradePeriod** +| Name | Value | +|:--|:--| +| Name | DeferUpgrade | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | DeferUpdatePeriodId | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +### DeferUpgradePeriod - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod +``` + -
    + + + + + + +Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. + +- If the **Specify intranet Microsoft update service location** policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. +- If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. - - > [!NOTE] > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. + -Allows IT Admins to specify other upgrade delays for up to eight months. + +**Description framework properties**: -Supported values are 0-8, which refers to the number of months to defer upgrades. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-8]` | +| Default Value | 0 | + -If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +**Group policy mapping**: -If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +| Name | Value | +|:--|:--| +| Name | DeferUpgrade | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | DeferUpgradePeriodId | + - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *DeferUpgradePeriodId* -- GP ADMX file name: *WindowsUpdate.admx* + + + - - + -
    + +### DisableDualScan - -**Update/DetectionFrequency** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -The table below shows the applicability of Windows: + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DisableDualScan +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should be enabled only when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update. - - - -ADMX Info: -- GP Friendly name: *Automatic Updates detection frequency* -- GP name: *DetectionFrequency_Title* -- GP element: *DetectionFrequency_Hour2* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/DisableDualScan** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Don't allow update deferral policies to cause scans against Windows Update. If this policy isn't enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. - -For more information about dual scan, see [Demystifying "Dual Scan"](/archive/blogs/wsus/demystifying-dual-scan) and [Improving Dual Scan on 1607](/archive/blogs/wsus/improving-dual-scan-on-1607). - -This setting is the same as the Group Policy in **Windows Components** > **Windows Update**: "Do not allow update deferral policies to cause scans against Windows Update." - -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -ADMX Info: -- GP Friendly name: *Do not allow update deferral policies to cause scans against Windows Update* -- GP name: *DisableDualScan* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 - Allow scan against Windows Update -- 1 - Don't allow update deferral policies to cause scans against Windows Update - - - - -
    - - -**Update/DisableWUfBSafeguards** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Available in Windows Update for Business devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a Windows Update for Business device should skip safeguards. - -Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience. - -The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update. - -IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the "Disable safeguards for Feature Updates" Group Policy. + + +Enable this policy to not allow update deferral policies to cause scans against Windows Update. +If this policy is disabled or not configured, then the Windows Update client may initiate automatic scans against Windows Update while update deferral policies are enabled. > [!NOTE] -> Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied. -> -> The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update. -> -> Disabling safeguards doesn't guarantee your device will be able to successfully update. 
The update may still fail on the device and will likely result in a bad experience post upgrade, as you're bypassing the protection given by Microsoft pertaining to known issues. - - - -ADMX Info: -- GP Friendly name: *Disable safeguards for Feature Updates* -- GP name: *DisableWUfBSafeguards* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Safeguards are enabled and devices may be blocked for upgrades until the safeguard is cleared. -- 1 - Safeguards aren't enabled and upgrades will be deployed without blocking on safeguards. - - - - -
    - - -**Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -To ensure the highest levels of security, we recommended using WSUS TLS certificate pinning on all devices. - -By default, certificate pinning for Windows Update client isn't enforced. - - - -ADMX Info: -- GP Friendly name: *Allow user proxy to be used as a fallback if detection using system proxy fails* -- GP name: *Allow user proxy to be used as a fallback if detection using system proxy fails* -- GP path: *Windows Update\SpecifyintranetMicrosoftupdateserviceLocation* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Enforce certificate pinning. -- 1 - Don't enforce certificate pinning. - - - - -
    - - -**Update/EngagedRestartDeadline** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Autorestart to Engaged restart (pending user schedule) to be executed automatically, within the specified period. - -The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system, and user busy checks. +> This policy applies only when the intranet Microsoft update service this computer is directed to is configured to support client-side targeting. If the "Specify intranet Microsoft update service location" policy is disabled or not configured, this policy has no effect. + + + > [!NOTE] -> If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule aren't set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period. +> For more information about dual scan, see [Demystifying "Dual Scan"](/archive/blogs/wsus/demystifying-dual-scan) and [Improving Dual Scan on 1607](/archive/blogs/wsus/improving-dual-scan-on-1607). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow scan against Windows Update. | +| 1 | Do not allow update deferral policies to cause scans against Windows Update. 
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableDualScan | +| Friendly Name | Do not allow update deferral policies to cause scans against Windows Update | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | DisableDualScan | +| ADMX File Name | WindowsUpdate.admx | + + + + + -Supporting value type is integer. + -Default is 14. + +### EngagedRestartDeadline -Supported value range: 2 - 30. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -If no deadline is specified or deadline is set to 0, the restart won't be automatically executed, and will remain Engaged restart (for example, pending user scheduling). + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartDeadline +``` + -If you disable or don't configure this policy, the default behaviors will be used. + + +Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending. -If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. -3. Specify deadline before autorestart for update installation. +You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. - - -ADMX Info: -- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartDeadline* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. - - +If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. -
    +- If you disable or do not configure this policy, the PC will restart following the default schedule. - -**Update/EngagedRestartDeadlineForFeatureUpdates** +Enabling any of the following policies will override the above policy: - -The table below shows the applicability of Windows: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time + +3. Specify deadline before auto-restart for update installation + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-30]` | +| Default Value | 14 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EngagedRestartTransitionSchedule | +| Friendly Name | Specify Engaged restart transition and notification schedule for updates | +| Element Name | Deadline (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +### EngagedRestartDeadlineForFeatureUpdates -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartDeadlineForFeatureUpdates +``` + - - -For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be executed automatically, within the specified period. + + +Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending. -Supported value type is integer. +You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -Default is 14. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. -Supported value range: 2-30. +If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. -If no deadline is specified or deadline is set to 0, the restart won't be automatically executed and will remain Engaged restart (for example, pending user scheduling). +- If you disable or do not configure this policy, the PC will restart following the default schedule. -If you disable or don't configure this policy, the default behaviors will be used. 
+Enabling any of the following policies will override the above policy: -If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. -3. Specify deadline before autorestart for update installation. +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time - - -ADMX Info: -- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartDeadlineForFeatureUpdates* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* +3. Specify deadline before auto-restart for update installation + - - + + + -
    + +**Description framework properties**: - -**Update/EngagedRestartSnoozeSchedule** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-30]` | +| Default Value | 14 | + - -The table below shows the applicability of Windows: + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | EngagedRestartTransitionSchedule | +| Friendly Name | Specify Engaged restart transition and notification schedule for updates | +| Element Name | Deadline (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +### EngagedRestartSnoozeSchedule -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1-3 days. + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartSnoozeSchedule +``` + -Supported value type is integer. + + +Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending. -Default is three days. +You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -Supported value range: 1-3. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. -If you disable or don't configure this policy, the default behaviors will be used. +If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. -If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. -3. Specify deadline before autorestart for update installation. +- If you disable or do not configure this policy, the PC will restart following the default schedule. 
- - -ADMX Info: -- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartSnoozeSchedule* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* +Enabling any of the following policies will override the above policy: - - +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time -
    +3. Specify deadline before auto-restart for update installation + - -**Update/EngagedRestartSnoozeScheduleForFeatureUpdates** + + + - -The table below shows the applicability of Windows: + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-3]` | +| Default Value | 3 | + - -
    + +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | EngagedRestartTransitionSchedule | +| Friendly Name | Specify Engaged restart transition and notification schedule for updates | +| Element Name | Snooze (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1-3 days. + +### EngagedRestartSnoozeScheduleForFeatureUpdates -Supported value type is integer. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -Default is three days. + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartSnoozeScheduleForFeatureUpdates +``` + -Supported value range: 1-3. + + +Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending. -If you disable or don't configure this policy, the default behaviors will be used. +You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. -3. Specify deadline before autorestart for update installation. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. - - -ADMX Info: -- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartSnoozeScheduleForFeatureUpdates* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* +If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. 
- - +- If you disable or do not configure this policy, the PC will restart following the default schedule. -
    +Enabling any of the following policies will override the above policy: - -**Update/EngagedRestartTransitionSchedule** +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time - -The table below shows the applicability of Windows: +3. Specify deadline before auto-restart for update installation + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-3]` | +| Default Value | 3 | + -> [!div class = "checklist"] -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | EngagedRestartTransitionSchedule | +| Friendly Name | Specify Engaged restart transition and notification schedule for updates | +| Element Name | Snooze (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + - - -For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. + + + -Supported value type is integer. + -Default value is 7 days. + +### EngagedRestartTransitionSchedule -Supported value range: 2 - 30. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -If you disable or don't configure this policy, the default behaviors will be used. + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartTransitionSchedule +``` + -If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. -3. Specify deadline before autorestart for update installation. + + +Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending. - - -ADMX Info: -- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartTransitionSchedule* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* +You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. - - +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. -
    +If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. - -**Update/EngagedRestartTransitionScheduleForFeatureUpdates** +- If you disable or do not configure this policy, the PC will restart following the default schedule. - -The table below shows the applicability of Windows: +Enabling any of the following policies will override the above policy: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time - -
    +3. Specify deadline before auto-restart for update installation + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 7 | + - - -For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. + +**Group policy mapping**: -Supported value type is integer. +| Name | Value | +|:--|:--| +| Name | EngagedRestartTransitionSchedule | +| Friendly Name | Specify Engaged restart transition and notification schedule for updates | +| Element Name | Transition (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### EngagedRestartTransitionScheduleForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -Default value is seven days. + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartTransitionScheduleForFeatureUpdates +``` + + + + +Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending. -Supported value range: 2-30. +You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -If you disable or don't configure this policy, the default behaviors will be used. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. -If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. -3. Specify deadline before autorestart for update installation. +If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. 
- - -ADMX Info: -- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartTransitionScheduleForFeatureUpdates* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* +- If you disable or do not configure this policy, the PC will restart following the default schedule. - - +Enabling any of the following policies will override the above policy: -
    +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time - -**Update/ExcludeWUDriversInQualityUpdate** +3. Specify deadline before auto-restart for update installation + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 7 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device - -
    - - - - -Allows IT Admins to exclude Windows Update (WU) drivers during updates. - - - -ADMX Info: -- GP Friendly name: *Do not include drivers with Windows Updates* -- GP name: *ExcludeWUDriversInQualityUpdate* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Allow Windows Update drivers. -- 1 - Exclude Windows Update drivers. - - - - -
    - - -**Update/FillEmptyContentUrls** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows Windows Update Agent to determine the download URL when it's missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). - -> [!NOTE] -> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service doesn't provide download URLs in the update metadata for files which are available on the alternate download server. - - - -ADMX Info: -- GP Friendly name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP element: *CorpWUFillEmptyContentUrls* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Disabled. -- 1 - Enabled. - - - - -
    - - -**Update/IgnoreMOAppDownloadLimit** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +| Name | Value | +|:--|:--| +| Name | EngagedRestartTransitionSchedule | +| Friendly Name | Specify Engaged restart transition and notification schedule for updates | +| Element Name | Transition (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### IgnoreMOAppDownloadLimit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/IgnoreMOAppDownloadLimit +``` + + + + Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. > [!WARNING] > Setting this policy might cause devices to incur costs from MO operators. + - - -The following list shows the supported values: - -- 0 (default) - Don't ignore MO download limit for apps and their updates. -- 1 - Ignore MO download limit (allow unlimited downloading) for apps and their updates. - - - + + To validate this policy: -1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell: +1. Enable the policy and ensure the device is on a cellular network. +2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in [TShell](/windows-hardware/manufacture/desktop/factoryos/connect-using-tshell): + ```TShell - exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' + exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' ``` + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Update/IgnoreMOUpdateDownloadLimit** + +**Allowed values**: - -The table below shows the applicability of Windows: +| Value | Description | +|:--|:--| +| 0 (Default) | Do not ignore MO download limit for apps and their updates. | +| 1 | Ignore MO download limit (allow unlimited downloading) for apps and their updates. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +### IgnoreMOUpdateDownloadLimit -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/IgnoreMOUpdateDownloadLimit +``` + - - + + Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. > [!WARNING] > Setting this policy might cause devices to incur costs from MO operators. + - - -The following list shows the supported values: - -- 0 (default) - Don't ignore MO download limit for OS updates. -- 1 - Ignore MO download limit (allow unlimited downloading) for OS updates. - - - + + To validate this policy: -1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell: +1. Enable the policy and ensure the device is on a cellular network. +2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in [TShell](/windows-hardware/manufacture/desktop/factoryos/connect-using-tshell): + ```TShell - exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' + exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' ``` + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Update/ManagePreviewBuilds** + +**Allowed values**: - -The table below shows the applicability of Windows: +| Value | Description | +|:--|:--| +| 0 (Default) | Do not ignore MO download limit for OS updates. | +| 1 | Ignore MO download limit (allow unlimited downloading) for OS updates. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +### PauseDeferrals -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    - - - -Used to manage Windows 10 Insider Preview builds. - -Supported value type is integer. - - - -ADMX Info: -- GP Friendly name: *Manage preview builds* -- GP name: *ManagePreviewBuilds* -- GP element: *ManagePreviewBuildsId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 - Disable Preview builds. -- 1 - Disable Preview builds once the next release is public. -- 2 - Enable Preview builds. - - - - -
    - - -**Update/NoUpdateNotificationDuringActiveHours** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy can be used in conjunction with Update/ActiveHoursStart and Update/ActiveHoursEnd policies to ensure that the end user sees no update notifications during active hours until deadline is reached. Note - if no active hour period is configured then this will apply to the intelligent active hours window calculated on the device. - -Supported value type is a boolean. - -0 (Default) This configuration will provide the default behavior (notifications may display during active hours) -1: This setting will prevent notifications from displaying during active hours. - - - -ADMX Info: -- GP Friendly name: *Display options for update notifications* -- GP name: *NoUpdateNotificationDuringActiveHours* -- GP element: *NoUpdateNotificationDuringActiveHours* -- GP path: *Windows Components\WindowsUpdate\Manage end user experience* -- GP ADMX file name: *WindowsUpdate.admx* - - - -
    - - - -**Update/PauseDeferrals** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. - -Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. - -If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *PauseDeferralsId* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Deferrals aren't paused. -- 1 - Deferrals are paused. - - - - -
    - - -**Update/PauseFeatureUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -Allows IT Admins to pause feature updates for up to 35 days. We recommend that you use the *Update/PauseFeatureUpdatesStartTime* policy, if you're running Windows 10, version 1703 or later. - - - -ADMX Info: -- GP Friendly name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *PauseFeatureUpdatesId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Feature Updates aren't paused. -- 1 - Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner. - - - - -
    - - -**Update/PauseFeatureUpdatesStartTime** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies the date and time when the IT admin wants to start pausing the Feature Updates. When this policy is configured, Feature Updates will be paused for 35 days from the specified start date. - -- Supported value type is string (yyyy-mm-dd, ex. 2018-10-28). -- Supported operations are Add, Get, Delete, and Replace. - - - -ADMX Info: -- GP Friendly name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *PauseFeatureUpdatesStartId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/PauseQualityUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to pause quality updates. For those running Windows 10, version 1703 or later, we recommend that you use *Update/PauseQualityUpdatesStartTime* instead. - - - -ADMX Info: -- GP Friendly name: *Select when Quality Updates are received* -- GP name: *DeferQualityUpdates* -- GP element: *PauseQualityUpdatesId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Quality Updates aren't paused. -- 1 - Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. - - - - -
    - - -**Update/PauseQualityUpdatesStartTime** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies the date and time when the IT admin wants to start pausing the Quality Updates. When this policy is configured, Quality Updates will be paused for 35 days from the specified start date. - -- Supported value type is string (yyyy-mm-dd, ex. 2018-10-28). -- Supported operations are Add, Get, Delete, and Replace. - - - -ADMX Info: -- GP Friendly name: *Select when Quality Updates are received* -- GP name: *DeferQualityUpdates* -- GP element: *PauseQualityUpdatesStartId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/PhoneUpdateRestrictions** - - -This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupdateapproval) instead. - - - - -
    - - -**Update/ProductVersion** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Available in Windows 10, version 2004 and later. Enables IT administrators to specify which product they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy to target a new product. - -If no product is specified, the device will continue receiving newer versions of the Windows product it's currently on. For details about different Windows 10 versions, see [release information](/windows/release-health/release-information). - - - -ADMX Info: -- GP Friendly name: *Select the target Feature Update version* -- GP name: *TargetReleaseVersion* -- GP element: *ProductVersion* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported value type is a string containing a Windows product. For example, "Windows 11" or "11" or "Windows 10". - - - - - - - - -By using this Windows Update for Business policy to upgrade devices to a new product (for example, Windows 11) you're agreeing that when applying this operating system to a device, either: - -1. The applicable Windows license was purchased through volume licensing, or - -2. You're authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms to be found here: (https://www.microsoft.com/Useterms). - -
    - - -**Update/RequireDeferUpgrade** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. - -Allows the IT admin to set a device to General Availability Channel train. - - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *DeferUpgradePeriodId* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - User gets upgrades from General Availability Channel (Targeted). -- 1 - User gets upgrades from General Availability Channel. - - - - -
    - - -**Update/RequireUpdateApproval** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. - -Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end user. EULAs are approved once an update is approved. - -Supported operations are Get and Replace. - - - -The following list shows the supported values: - -- 0 - Not configured. The device installs all applicable updates. -- 1 - The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. - - - - -
    - - -**Update/ScheduleImminentRestartWarning** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows the IT Admin to specify the period for autorestart imminent warning notifications. - -The default value is 15 (minutes). - - - -ADMX Info: -- GP Friendly name: *Configure auto-restart warning notifications schedule for updates* -- GP name: *RestartWarnRemind* -- GP element: *RestartWarn* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported values are 15, 30, or 60 (minutes). - - - - -
    - - -**Update/ScheduleRestartWarning** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - -Allows the IT Admin to specify the period for autorestart warning reminder notifications. - -The default value is 4 (hours). - - - -ADMX Info: -- GP Friendly name: *Configure auto-restart warning notifications schedule for updates* -- GP name: *RestartWarnRemind* -- GP element: *RestartWarnRemind* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported values are 2, 4, 8, 12, or 24 (hours). - - - - -
    - - -**Update/ScheduledInstallDay** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. - -Enables the IT admin to schedule the day of the update installation. - -Supported data type is an integer. - -Supported operations are Add, Delete, Get, and Replace. - - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateSchDay* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Every day -- 1 - Sunday -- 2 - Monday -- 3 - Tuesday -- 4 - Wednesday -- 5 - Thursday -- 6 - Friday -- 7 - Saturday - - - - -
    - - -**Update/ScheduledInstallEveryWeek** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. - -Enables the IT admin to schedule the update installation on every week. - -Supported Value type is integer. - -Supported values: -- 0 - no update in the schedule. -- 1 - update is scheduled every week. - - - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateSchEveryWeek* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/ScheduledInstallFirstWeek** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. - -Enables the IT admin to schedule the update installation on the first week of the month. - -Supported value type is integer. - -Supported values: -- 0 - no update in the schedule. -- 1 - update is scheduled every first week of the month. - - - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateSchFirstWeek* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/ScheduledInstallFourthWeek** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. - -Enables the IT admin to schedule the update installation on the fourth week of the month. - -Supported value type is integer. - -Supported values: -- 0 - no update in the schedule. -- 1 - update is scheduled every fourth week of the month. - - - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *ScheduledInstallFourthWeek* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/ScheduledInstallSecondWeek** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. - -Enables the IT admin to schedule the update installation on the second week of the month. - -Supported value type is integer. - -Supported values: - -- 0 - no update in the schedule. -- 1 - update is scheduled every second week of the month. - - - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *ScheduledInstallSecondWeek* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/ScheduledInstallThirdWeek** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. - -Enables the IT admin to schedule the update installation on the third week of the month. - -Supported value type is integer. - -Supported values: -- 0 - no update in the schedule. -- 1 - update is scheduled every third week of the month. - - - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *ScheduledInstallThirdWeek* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/ScheduledInstallTime** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. - -Enables the IT admin to schedule the time of the update installation. Note that there is a window of approximately 30 minutes to allow for higher success rates of installation. - -The supported data type is an integer. - -Supported operations are Add, Delete, Get, and Replace. - -Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. - -The default value is 3. - - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateSchTime* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/SetAutoRestartNotificationDisable** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows the IT Admin to disable autorestart notifications for update installations. - - - -ADMX Info: -- GP Friendly name: *Turn off auto-restart notifications for update installations* -- GP name: *AutoRestartNotificationDisable* -- GP element: *AutoRestartNotificationSchd* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Enabled -- 1 - Disabled - - - - -
    - - -**Update/SetDisablePauseUXAccess** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows the IT admin to disable the "Pause Updates" feature. When this policy is enabled, the user can't access the "Pause updates" feature. - -Supported value type is integer. - -Default is 0. - -Supported values 0, 1. - - - -ADMX Info: -- GP name: *SetDisablePauseUXAccess* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/SetDisableUXWUAccess** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user can't access the Windows Update scan, download, and install features. - -Supported value type is integer. - -Default is 0. - -Supported values 0, 1. - - - -ADMX Info: -- GP name: *SetDisableUXWUAccess* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
    - - -**Update/SetEDURestart** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. - -When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period, after ActiveHoursEnd, the device will wake up several times to complete the processes. All processes are blocked before ActiveHoursStart. - - - -ADMX Info: -- GP Friendly name: *Update Power Policy for Cart Restarts* -- GP name: *SetEDURestart* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 - not configured -- 1 - configured - - - - -
    - - -**Update/SetPolicyDrivenUpdateSourceForDriverUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. - -If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeatureUpdates -- SetPolicyDrivenUpdateSourceForQualityUpdates -- SetPolicyDrivenUpdateSourceForOtherUpdates - ->[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. - - - -ADMX Info: -- GP Friendly name: *Specify source service for specific classes of Windows Updates* -- GP name: *SetPolicyDrivenUpdateSourceForDriver* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0: (Default) Detect, download, and deploy Drivers from Windows Update. -- 1: Enabled, Detect, download, and deploy Drivers from Windows Server Update Server (WSUS). - - - - -
    - - -**Update/SetPolicyDrivenUpdateSourceForFeatureUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Configure this policy to specify whether to receive Windows Feature Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. - -If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForQualityUpdates -- SetPolicyDrivenUpdateSourceForDriverUpdates -- SetPolicyDrivenUpdateSourceForOtherUpdates - ->[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. - - - -ADMX Info: -- GP Friendly name: *Specify source service for specific classes of Windows Updates* -- GP name: *SetPolicyDrivenUpdateSourceForFeature* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0: (Default) Detect, download, and deploy Feature Updates from Windows Update. -- 1: Enabled, Detect, download, and deploy Feature Updates from Windows Server Update Server (WSUS). - - - - -
    - - -**Update/SetPolicyDrivenUpdateSourceForOtherUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Configure this policy to specify whether to receive Other Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. - -If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeatureUpdates -- SetPolicyDrivenUpdateSourceForQualityUpdates -- SetPolicyDrivenUpdateSourceForDriverUpdates - ->[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. - - - -ADMX Info: -- GP Friendly name: *Specify source service for specific classes of Windows Updates* -- GP name: *SetPolicyDrivenUpdateSourceForOther* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0: (Default) Detect, download, and deploy Other updates from Windows Update. -- 1: Enabled, Detect, download, and deploy Other updates from Windows Server Update Server (WSUS). - - - - -
    - - -**Update/SetPolicyDrivenUpdateSourceForQualityUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Configure this policy to specify whether to receive Windows Quality Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. - -If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeatureUpdates -- SetPolicyDrivenUpdateSourceForDriverUpdates -- SetPolicyDrivenUpdateSourceForOtherUpdates - ->[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. - - - -ADMX Info: -- GP Friendly name: *Specify source service for specific classes of Windows Updates* -- GP name: *SetPolicyDrivenUpdateSourceForQuality* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0: (Default) Detect, download, and deploy Quality Updates from Windows Update. -- 1: Enabled, Detect, download, and deploy Quality Updates from Windows Server Update Server (WSUS). - - - - -
    - - -**Update/SetProxyBehaviorForUpdateDetection** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Available in Windows 10, version 1607 and later. By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP-based intranet server despite the vulnerabilities it presents. - -This policy setting doesn't impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS-based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security. - - - -ADMX Info: -- GP Friendly name: *Select the proxy behavior for Windows Update client for detecting updates with non-TLS (HTTP) based service* -- GP name: *Select the proxy behavior* -- GP element: *Select the proxy behavior* -- GP path: *Windows Components/Windows Update/Specify intranet Microsoft update service location* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Allow system proxy only for HTTP scans. -- 1 - Allow user proxy to be used as a fallback if detection using system proxy fails. - -> [!NOTE] -> Configuring this policy setting to 1 exposes your environment to potential security risk and makes scans unsecure. - - - - -
    - - -**Update/TargetReleaseVersion** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](/windows/release-health/release-information/). - - - -ADMX Info: -- GP Friendly name: *Select the target Feature Update version* -- GP name: *TargetReleaseVersion* -- GP element: *TargetReleaseVersionInfo* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported value type is a string containing Windows 10 version number. For example, 1809, 1903. - - - - - - - - - -
    - - -**Update/UpdateNotificationLevel** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Display options for update notifications. This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed. - -Options: - -- 0 (default) - Use the default Windows Update notifications. -- 1 - Turn off all notifications, excluding restart warnings. -- 2 - Turn off all notifications, including restart warnings. - -> [!IMPORTANT] -> If you choose not to get update notifications and also define other Group policies so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. - - - -ADMX Info: -- GP Friendly name: *Display options for update notifications* -- GP name: *UpdateNotificationLevel* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - - - - - - - - - - -
    - - -**Update/UpdateServiceUrl** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!IMPORTANT] -> Starting in Windows 10, version 1703 this policy isn't supported in IoT Mobile. - -Allows the device to check for updates from a WSUS server instead of Microsoft Update. This setting is useful for on-premises MDMs that need to update devices that can't connect to the Internet. - -Supported operations are Get and Replace. - - - -ADMX Info: -- GP Friendly name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP element: *CorpWUURL_Name* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- Not configured. The device checks for updates from Microsoft Update. -- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. - - - -Example - -```xml - - $CmdID$ - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl - - http://abcd-srv:8530 - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PauseDeferrals ``` + - - - -
    - - -**Update/UpdateServiceUrlAlternate** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. - -This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. - -To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. - -Supported value type is string and the default value is an empty string, "". If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. - + + > [!NOTE] -> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. -> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates. -> This policy isn't supported on Windows RT. Setting this policy won't have any effect on Windows RT PCs. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. 
If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. + - - -ADMX Info: -- GP Friendly name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP element: *CorpWUContentHost_Name* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* + + + - - -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -## Related topics + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Deferrals are not paused. | +| 1 | Deferrals are paused. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferUpgrade | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | PauseDeferralsId | + + + + + + + + + +### PhoneUpdateRestrictions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PhoneUpdateRestrictions +``` + + + + +This policy is deprecated. Use Update/RequireUpdateApproval instead. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4]` | +| Default Value | 4 | + + + + + + + + + +### RequireDeferUpgrade + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade +``` + + + + +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | User gets upgrades from Semi-Annual Channel (Targeted). | +| 1 | User gets upgrades from Semi-Annual Channel. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferUpgrade | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | DeferUpgradePeriodId | + + + + + + + + + +### RequireUpdateApproval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/RequireUpdateApproval +``` + + + + +> [!NOTE] +> If you previously used the Update/PhoneUpdateRestrictions policy in previous versions of Windows, it has been deprecated. Please use this policy instead. Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not configured. The device installs all applicable updates. | +| 1 | The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. | + + + + + + + + + +### ScheduleImminentRestartWarning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduleImminentRestartWarning +``` + + + + +Allows the IT Admin to specify the period for auto-restart imminent warning notifications. The default value is 15 (minutes). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 15 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 15 (Default) | 15 Minutes. | +| 30 | 30 Minutes. | +| 60 | 60 Minutes. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RestartWarnRemind | +| Friendly Name | Configure auto-restart warning notifications schedule for updates | +| Element Name | Warning (mins) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ScheduleRestartWarning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduleRestartWarning +``` + + + + +Enable this policy to control when notifications are displayed to warn users about a scheduled restart for the update installation deadline. Users are not able to postpone the scheduled restart once the deadline has been reached and the restart is automatically executed. + +Specifies the amount of time prior to a scheduled restart to display the warning reminder to the user. + +You can specify the amount of time prior to a scheduled restart to notify the user that the auto restart is imminent to allow them time to save their work. + +- If you disable or do not configure this policy, the default notification behaviors will be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 4 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | 2 Hours. | +| 4 (Default) | 4 Hours. | +| 8 | 8 Hours. | +| 12 | 12 Hours. | +| 24 | 24 Hours. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RestartWarnRemind | +| Friendly Name | Configure auto-restart warning notifications schedule for updates | +| Element Name | Reminder (hours) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetAutoRestartNotificationDisable + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetAutoRestartNotificationDisable +``` + + + + +Allows the IT Admin to disable auto-restart notifications for update installations. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enabled. | +| 1 | Disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoRestartNotificationDisable | +| Friendly Name | Turn off auto-restart notifications for update installations | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 9359f7ab9e..3e96dc09de 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md 
@@ -1,26 +1,30 @@ --- -title: Policy CSP - UserRights -description: Learn how user rights are assigned for user accounts or groups, and how the name of the policy defines the user right in question. +title: UserRights Policy CSP +description: Learn more about the UserRights Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 11/24/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - UserRights -
    - -User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. For reference, see [Well-Known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). + + +User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as Security Identifiers (SID) or strings. For more information, see [Well-known SID structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). Even though strings are supported for well-known accounts and groups, it's better to use SIDs, because strings are localized for different languages. Some user rights allow things like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork. -Here's an example for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups. +## General example + +Here's an example for setting the user right [BackupFilesAndDirectories](#backupfilesanddirectories) for Administrators and Authenticated Users groups. ```xml 
@@ -44,1418 +48,2002 @@ Here's an example for setting the user right BackupFilesAndDirectories for Admin ``` -Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator. +Here are examples of data fields. The encoded `0xF000` is the standard delimiter/separator. - Grant a user right to Administrators group via SID: - ```xml - *S-1-5-32-544 - ``` + + ```xml + *S-1-5-32-544 + ``` - Grant a user right to multiple groups (Administrators, Authenticated Users) via SID: - ```xml - *S-1-5-32-544*S-1-5-11 - ``` + + ```xml + *S-1-5-32-544*S-1-5-11 + ``` - Grant a user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings: - ```xml - *S-1-5-32-544Authenticated Users - ``` + + ```xml + *S-1-5-32-544Authenticated Users + ``` - Grant a user right to multiple groups (Authenticated Users, Administrators) via strings: - ```xml - Authenticated UsersAdministrators - ``` + + ```xml + Authenticated UsersAdministrators + ``` - Empty input indicates that there are no users configured to have that user right: - ```xml - - ``` - If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (``) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator. + ```xml + + ``` + +If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (``) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using `0xF000` as the delimiter/separator. > [!NOTE] -> `` is the entity encoding of 0xF000. +> `` is the entity encoding of `0xF000`. 
-For example, the following syntax grants user rights to Authenticated Users and Replicator user groups.: +For example, the following syntax grants user rights to Authenticated Users and Replicator user groups: ```xml ``` -For example, the following syntax grants user rights to two specific Azure Active Directory (AAD) users from Contoso, user1 and user2: +For example, the following syntax grants user rights to two specific Azure Active Directory (Azure AD) users from Contoso, user1 and user2: ```xml ``` -For example, the following syntax grants user rights to a specific user or group, by using the Security Identifier (SID) of the account or group: +For example, the following syntax grants user rights to a specific user or group, by using the SID of the account or group: ```xml ``` + -
    + +## AccessCredentialManagerAsTrustedCaller - -## UserRights policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    -
    - UserRights/AccessCredentialManagerAsTrustedCaller -
    -
    - UserRights/AccessFromNetwork -
    -
    - UserRights/ActAsPartOfTheOperatingSystem -
    -
    - UserRights/AllowLocalLogOn -
    -
    - UserRights/BackupFilesAndDirectories -
    -
    - UserRights/ChangeSystemTime -
    -
    - UserRights/CreateGlobalObjects -
    -
    - UserRights/CreatePageFile -
    -
    - UserRights/CreatePermanentSharedObjects -
    -
    - UserRights/CreateSymbolicLinks -
    -
    - UserRights/CreateToken -
    -
    - UserRights/DebugPrograms -
    -
    - UserRights/DenyAccessFromNetwork -
    -
    - UserRights/DenyLocalLogOn -
    -
    - UserRights/DenyRemoteDesktopServicesLogOn -
    -
    - UserRights/EnableDelegation -
    -
    - UserRights/GenerateSecurityAudits -
    -
    - UserRights/ImpersonateClient -
    -
    - UserRights/IncreaseSchedulingPriority -
    -
    - UserRights/LoadUnloadDeviceDrivers -
    -
    - UserRights/LockMemory -
    -
    - UserRights/ManageAuditingAndSecurityLog -
    -
    - UserRights/ManageVolume -
    -
    - UserRights/ModifyFirmwareEnvironment -
    -
    - UserRights/ModifyObjectLabel -
    -
    - UserRights/ProfileSingleProcess -
    -
    - UserRights/RemoteShutdown -
    -
    - UserRights/RestoreFilesAndDirectories -
    -
    - UserRights/TakeOwnership -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller +``` + + + +This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. + -
    + + + - -**UserRights/AccessCredentialManagerAsTrustedCaller** + +**Description framework properties**: - -The table below shows the applicability of Windows: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | Access Credential Manager ase a trusted caller | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AccessFromNetwork - - -This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it's only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - - -GP Info: -- GP Friendly name: *Access Credential Manager as a trusted caller* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/AccessFromNetwork +``` + - - - -
    - - -**UserRights/AccessFromNetwork** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services isn't affected by this user right. + + +This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right > [!NOTE] > Remote Desktop Services was called Terminal Services in previous versions of Windows Server. + - - -GP Info: -- GP Friendly name: *Access this computer from the network* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/ActAsPartOfTheOperatingSystem** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Access this computer from the network | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ActAsPartOfTheOperatingSystem -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ActAsPartOfTheOperatingSystem +``` + - - -This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. + + +This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned > [!CAUTION] -> Assigning this user right can be a security risk. Assign this user right to trusted users only. +> Assigning this user right can be a security risk. Only assign this user right to trusted users. + - - -GP Info: -- GP Friendly name: *Act as part of the operating system* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/AllowLocalLogOn** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Act as part of the operating system | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowLocalLogOn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn +``` + - - -This user right determines which users can sign in to the computer. + + +This user right determines which users can log on to the computer > [!NOTE] -> Modifying this setting might affect compatibility with clients, services, and applications. For compatibility information about this setting, see [Allow log on locally](https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. +> Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally ( ) at the Microsoft website. + - - -GP Info: -- GP Friendly name: *Allow log on locally* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/BackupFilesAndDirectories** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Allow log on locally | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BackupFilesAndDirectories -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/BackupFilesAndDirectories +``` + - - -This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File, Read. + + +This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the systemTraverse Folder/Execute File, Read > [!CAUTION] -> Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, assign this user right to trusted users only. +> Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users + - - -GP Info: -- GP Friendly name: *Back up files and directories* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/ChangeSystemTime** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Back up files and directories | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BypassTraverseChecking -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/BypassTraverseChecking +``` + - - + + +This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Bypass traverse checking | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## ChangeSystemTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ChangeSystemTime +``` + + + + This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. + + + + > [!CAUTION] -> Configuring user rights replaces existing users or groups previously assigned to those user rights. The system requires that Local Service account (SID S-1-5-19) always has the ChangeSystemTime right. Therefore, Local Service must always be specified in addition to any other accounts being configured in this policy. +> When you configure user rights, it replaces existing users or groups that were previously assigned to those user rights. The system requires that the **Local Service** account (SID `S-1-5-19`) always has the ChangeSystemTime right. Always specify **Local Service**, in addition to any other accounts that you need to configure in this policy. > -> Not including the Local Service account will result in failure with the following error: +> If you don't include the **Local Service** account, the request fails with the following error: > -> | Error code | Symbolic name | Error description | Header | -> |----------|----------|----------|----------| -> | 0x80070032 (Hex)|ERROR_NOT_SUPPORTED|The request isn't supported.| winerror.h | +> | Error code | Symbolic name | Error description | Header | +> |--------------------|---------------------|------------------------------|------------| +> | `0x80070032` (Hex) | ERROR_NOT_SUPPORTED | The request isn't supported. 
| winerror.h | + - - -GP Info: -- GP Friendly name: *Change the system time* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + -
    + +**Group policy mapping**: - -**UserRights/CreateGlobalObjects** +| Name | Value | +|:--|:--| +| Name | Change the system time | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## ChangeTimeZone - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ChangeTimeZone +``` + -
    + + +This user right determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer's system time plus the time zone offset. System time itself is absolute and is not affected by a change in the time zone. + - - -This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they don't have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Change the time zone | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## CreateGlobalObjects + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/CreateGlobalObjects +``` + + + + +This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption > [!CAUTION] -> Assigning this user right can be a security risk. Assign this user right to trusted users only. +> Assigning this user right can be a security risk. Assign this user right only to trusted users. + - - -GP Info: -- GP Friendly name: *Create global objects* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/CreatePageFile** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Create global objects | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CreatePageFile -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/CreatePageFile +``` + - - -This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually doesn't need to be assigned to any users. + + +This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users + - - -GP Info: -- GP Friendly name: *Create a pagefile* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/CreatePermanentSharedObjects** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Create a pagefile | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CreatePermanentSharedObjects -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/CreatePermanentSharedObjects +``` + - - -This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it's not necessary to specifically assign it. + + +This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. + - - -GP Info: -- GP Friendly name: *Create permanent shared objects* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/CreateSymbolicLinks** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Create permanent shared objects | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CreateSymbolicLinks -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/CreateSymbolicLinks +``` + - - -This user right determines if the user can create a symbolic link from the computer they're signed in to. + + +This user right determines if the user can create a symbolic link from the computer he is logged on to > [!CAUTION] -> This privilege should be given to trusted users only. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. +> This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them > [!NOTE] -> This setting can be used in conjunction with a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. +> This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. + - - -GP Info: -- GP Friendly name: *Create symbolic links* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/CreateToken** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Create symbolic links | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CreateToken -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/CreateToken +``` + - - -This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it's necessary, don't assign this user right to a user, group, or process other than Local System. + + +This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System > [!CAUTION] -> Assigning this user right can be a security risk. Don't assign this user right to any user, group, or process that you don't want to take over the system. +> Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. + - - -GP Info: -- GP Friendly name: *Create a token object* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/DebugPrograms** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Create a token object | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DebugPrograms -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/DebugPrograms +``` + - - -This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications don't need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. + + +This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components > [!CAUTION] -> Assigning this user right can be a security risk. Assign this user right to trusted users only. +> Assigning this user right can be a security risk. Only assign this user right to trusted users. + - - -GP Info: -- GP Friendly name: *Debug programs* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/DenyAccessFromNetwork** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Debug programs | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DenyAccessFromNetwork -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/DenyAccessFromNetwork +``` + - - -This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access to this computer from the network policy setting if a user account is subject to both policies. + + +This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. + - - -GP Info: -- GP Friendly name: *Deny access to this computer from the network* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/DenyLocalLogOn** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Deny access to this computer from the network | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DenyLocalLogOn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLocalLogOn +``` + - - -This security setting determines which users are prevented from logging on to the computer. This policy setting supersedes the **Allow log on locally** policy setting if an account is subject to both policies. + + +This security setting determines which service accounts are prevented from registering a process as a service > [!NOTE] -> If you apply this security policy to the **Everyone** group, no one will be able to log on locally. +> This security setting does not apply to the System, Local Service, or Network Service accounts. + - - -GP Info: -- GP Friendly name: *Deny log on Locally* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/DenyRemoteDesktopServicesLogOn** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Deny log on as a service | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DenyLogOnAsBatchJob -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLogOnAsBatchJob +``` + - - -This user right determines which users and groups are prohibited from logging on as Remote Desktop Services clients. + + +This security setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies. + - - -GP Info: -- GP Friendly name: *Deny log on through Remote Desktop Services* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/EnableDelegation** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Deny log on as a batch job | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DenyRemoteDesktopServicesLogOn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/DenyRemoteDesktopServicesLogOn +``` + - - -This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account doesn't have the Account can't be delegated account control flag set. + + +This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Deny log on through Remote Desktop Services | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## EnableDelegation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/EnableDelegation +``` + + + + +This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set > [!CAUTION] > Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. + - - -GP Info: -- GP Friendly name: *Enable computer and user accounts to be trusted for delegation* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/GenerateSecurityAudits** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Enable computer and user accounts to be trusted for delegation | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## GenerateSecurityAudits -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/GenerateSecurityAudits +``` + - - + + This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled. + - - -GP Info: -- GP Friendly name: *Generate security audits* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/ImpersonateClient** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Generate security audits | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ImpersonateClient -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ImpersonateClient +``` + - - -Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. + + +Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels > [!CAUTION] -> Assigning this user right can be a security risk. Assign this user right to trusted users only. +> Assigning this user right can be a security risk. Only assign this user right to trusted users > [!NOTE] -> By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. - -1. The access token that is being impersonated is for this user. -1. The user, in this sign-in session, created the access token by signing in to the network with explicit credentials. -1. The requested level is less than Impersonate, such as Anonymous or Identify. 
- -Because of these factors, users don't usually need this user right. +> By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that is being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. Because of these factors, users do not usually need this user right > [!WARNING] -> If you enable this setting, programs that previously had the Impersonate privilege might lose it, and they might not run. +> If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. + - - -GP Info: -- GP Friendly name: *Impersonate a client after authentication* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/IncreaseSchedulingPriority** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Impersonate a client after authentication | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IncreaseProcessWorkingSet -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/IncreaseProcessWorkingSet +``` + - - + + +Increase a process working set. This privilege determines which user accounts can increase or decrease the size of a process's working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process + +> [!WARNING] +> Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Increase a process working set | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## IncreaseSchedulingPriority + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/IncreaseSchedulingPriority +``` + + + + This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. + - - -GP Info: -- GP Friendly name: *Increase scheduling priority* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + > [!WARNING] -> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers don't function correctly. In particular, the INK workspace doesn't function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. +> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers won't function correctly. In particular, the INK workspace doesn't function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 or later and that use the Intel GFX driver. > > On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/LoadUnloadDeviceDrivers** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Increase scheduling priority | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LoadUnloadDeviceDrivers -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers +``` + - - -This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right doesn't apply to Plug and Play device drivers. It's recommended that you don't assign this privilege to other users. + + +This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users > [!CAUTION] -> Assigning this user right can be a security risk. Don't assign this user right to any user, group, or process that you don't want to take over the system. +> Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. + - - -GP Info: -- GP Friendly name: *Load and unload device drivers* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/LockMemory** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Load and unload device drivers | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockMemory -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/LockMemory +``` + - - -This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege might significantly affect system performance by decreasing the amount of available random access memory (RAM). + + +This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). + - - -GP Info: -- GP Friendly name: *Lock pages in memory* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/ManageAuditingAndSecurityLog** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Lock pages in memory | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LogOnAsBatchJob -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/LogOnAsBatchJob +``` + - - -This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting doesn't allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege also can view and clear the security log. + + +This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows. For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user. + - - -GP Info: -- GP Friendly name: *Manage auditing and security log* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/ManageVolume** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Log on as a batch job | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LogOnAsService -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/LogOnAsService +``` + - - -This user right determines which users and groups can run maintenance tasks on a volume, such as remote de-fragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. + + +This security setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built in right to log on as a service. Any service that runs under a separate user account must be assigned the right. + - - -GP Info: -- GP Friendly name: *Perform volume maintenance tasks* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/ModifyFirmwareEnvironment** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Log on as a service | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ManageAuditingAndSecurityLog -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ManageAuditingAndSecurityLog +``` + - - -This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should be modified only by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows. + + +This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Manage auditing and security log | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## ManageVolume + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ManageVolume +``` + + + + +This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Perform volume maintenance tasks | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## ModifyFirmwareEnvironment + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ModifyFirmwareEnvironment +``` + + + + +This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows > [!NOTE] -> This security setting doesn't affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. +> This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. + - - -GP Info: -- GP Friendly name: *Modify firmware environment values* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/ModifyObjectLabel** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Modify firmware environment values | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ModifyObjectLabel -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ModifyObjectLabel +``` + - - + + This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. + - - -GP Info: -- GP Friendly name: *Modify an object label* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/ProfileSingleProcess** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Modify an object label | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ProfileSingleProcess -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ProfileSingleProcess +``` + - - + + This user right determines which users can use performance monitoring tools to monitor the performance of system processes. + - - -GP Info: -- GP Friendly name: *Profile single process* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/RemoteShutdown** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Profile single process | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ProfileSystemPerformance -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ProfileSystemPerformance +``` + - - + + +This security setting determines which users can use performance monitoring tools to monitor the performance of system processes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Profile system performance | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## RemoteShutdown + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/RemoteShutdown +``` + + + + This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. + - - -GP Info: -- GP Friendly name: *Force shutdown from a remote system* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/RestoreFilesAndDirectories** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Force shutdown from a remote system | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ReplaceProcessLevelToken -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ReplaceProcessLevelToken +``` + - - -This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and it determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File, Write. + + +This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overview. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Replace a process level token | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## RestoreFilesAndDirectories + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/RestoreFilesAndDirectories +``` + + + + +This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the systemTraverse Folder/Execute File, Write > [!CAUTION] -> Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, assign this user right to trusted users only. +> Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. + - - -GP Info: -- GP Friendly name: *Restore files and directories* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/TakeOwnership** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Restore files and directories | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShutDownTheSystem -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ShutDownTheSystem +``` + - - -This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. + + +This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Shut down the system | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## TakeOwnership + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/TakeOwnership +``` + + + + +This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads > [!CAUTION] -> Assigning this user right can be a security risk. Since owners of objects have full control of them, assign this user right to trusted users only. +> Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. + - - -GP Info: -- GP Friendly name: *Take ownership of files or other objects* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + -## Related topics + +**Group policy mapping**: -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | Take ownership of files or other objects | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md index cfbe252574..055490b65d 100644 --- a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md +++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md @@ -1,139 +1,158 @@ --- -title: Policy CSP - VirtualizationBasedTechnology -description: Learn to use the Policy CSP - VirtualizationBasedTechnology setting to control the state of Hypervisor-protected Code Integrity (HVCI) on devices. +title: VirtualizationBasedTechnology Policy CSP +description: Learn more about the VirtualizationBasedTechnology Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 11/25/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - VirtualizationBasedTechnology -
    + + + - -## VirtualizationBasedTechnology policies + +## HypervisorEnforcedCodeIntegrity -
    -
    - VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity -
    -
    - VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity +``` + - -**VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity** + + +Hypervisor-Protected Code Integrity: 0 - Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock, 1 - Turns on Hypervisor-Protected Code Integrity with UEFI lock, 2 - Turns on Hypervisor-Protected Code Integrity without UEFI lock. + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 (Default) | (Disabled) Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock. | +| 1 | (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock. | +| 2 | (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock. | + -
    + +**Group policy mapping**: - - -Allows the IT admin to control the state of Hypervisor-Protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs). +| Name | Value | +|:--|:--| +| Name | VirtualizationBasedSecurity | +| Friendly Name | Turn On Virtualization Based Security | +| Element Name | Virtualization Based Protection of Code Integrity | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| ADMX File Name | DeviceGuard.admx | + ->[!NOTE] ->After the policy is pushed, a system reboot will be required to change the state of HVCI. + + + - - -The following are the supported values: + -- 0: (Disabled) Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock. -- 1: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock. -- 2: (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock. + +## RequireUEFIMemoryAttributesTable - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable +``` + - - -
    + + +Require UEFI Memory Attributes Table + - -**VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable** + + + - -The table below shows the applicability of Windows: + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 (Default) | Do not require UEFI Memory Attributes Table. | +| 1 | Require UEFI Memory Attributes Table. | + -> [!div class = "checklist"] -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | VirtualizationBasedSecurity | +| Friendly Name | Turn On Virtualization Based Security | +| Element Name | Require UEFI Memory Attributes Table | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| ADMX File Name | DeviceGuard.admx | + - - -Allows the IT admin to control the state of Hypervisor-Protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs). + + + ->[!NOTE] ->After the policy is pushed, a system reboot will be required to change the state of HVCI. + - - + + + -The following are the supported values: + -- 0: (Disabled) Do not require UEFI Memory Attributes Table. -- 1: (Enabled) Require UEFI Memory Attributes Table. +## Related articles - - - - - - - - -
    - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md index 95465df853..2862cf0565 100644 --- a/windows/client-management/mdm/policy-csp-webthreatdefense.md +++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md @@ -1,233 +1,361 @@ --- -title: Policy CSP - WebThreatDefense -description: Learn about the Policy CSP - WebThreatDefense. -ms.author: v-aljupudi -ms.topic: article +title: WebThreatDefense Policy CSP +description: Learn more about the WebThreatDefense Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: alekyaj -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - WebThreatDefense + + +> [!NOTE] +> In Microsoft Intune, this CSP is listed under the **Enhanced Phishing Protection** category. + + + +## CaptureThreatWindow + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/CaptureThreatWindow +``` + + + + +Configures Enhanced Phishing Protection notifications to allow to capture the suspicious window on client machines for further threat analysis. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CaptureThreatWindow | +| Path | WebThreatDefense > AT > WindowsComponents > WebThreatDefense | + + + + + + + + + +## NotifyMalicious + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious +``` + + + + +This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a Microsoft login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a Microsoft login URL with an invalid certificate. + +- If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password. + +- If you disable or don't configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn your users if they type their work or school password into one of the malicious scenarios described above. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | NotifyMalicious | +| Friendly Name | Notify Malicious | +| Location | Computer Configuration | +| Path | Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows\WTDS\Components | +| Registry Value Name | NotifyMalicious | +| ADMX File Name | WebThreatDefense.admx | + + + + + + + + + +## NotifyPasswordReuse + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse +``` + + + + +This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they reuse their work or school password. + +- If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns users if they reuse their work or school password and encourages them to change it. + +- If you disable or don't configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn users if they reuse their work or school password. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | NotifyPasswordReuse | +| Friendly Name | Notify Password Reuse | +| Location | Computer Configuration | +| Path | Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows\WTDS\Components | +| Registry Value Name | NotifyPasswordReuse | +| ADMX File Name | WebThreatDefense.admx | + + + + + + + + + +## NotifyUnsafeApp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp +``` + + + + +This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school passwords in Notepad, Winword, or M365 Office apps like OneNote, Word, Excel, etc. + +- If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they store their password in text editor apps. + +- If you disable or don't configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn users if they store their password in text editor apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | NotifyUnsafeApp | +| Friendly Name | Notify Unsafe App | +| Location | Computer Configuration | +| Path | Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows\WTDS\Components | +| Registry Value Name | NotifyUnsafeApp | +| ADMX File Name | WebThreatDefense.admx | + + + + + + + + + +## ServiceEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled +``` + + + + +This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen is in audit mode or off. Users do not see notifications for any protection scenarios when Enhanced Phishing Protection in Microsoft Defender is in audit mode. Audit mode captures unsafe password entry events and sends telemetry through Microsoft Defender. + +- If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is enabled in audit mode and your users are unable to turn it off. + +- If you disable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is off and it will not capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on. + +- If you don't configure this setting, users can decide whether or not they will enable Enhanced Phishing Protection in Microsoft Defender SmartScreen. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + +**Group policy mapping**: -
    - - -## WebThreatDefense policies - -
    -
    - WebThreatDefense/EnableService -
    -
    - WebThreatDefense/NotifyMalicious -
    -
    - WebThreatDefense/NotifyPasswordReuse -
    -
    - WebThreatDefense/NotifyUnsafeApp -
    -
    - ->[!NOTE] ->In Microsoft Intune, this CSP is under the “Enhanced Phishing Protection” category. - - -**WebThreatDefense/EnableService** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. When in audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends telemetry through Microsoft Defender. - -If you enable this policy setting or don’t configure this setting, Enhanced Phishing Protection is enabled in audit mode, and your users are unable to turn it off. - -If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on. - - - -ADMX Info: -- GP Friendly name: *Configure Web Threat Defense* -- GP name: *EnableWebThreatDefenseService* -- GP path: *Windows Security\App & browser control\Reputation-based protection\Phishing protections* -- GP ADMX file name: *WebThreatDefense.admx* - - - -The following list shows the supported values: - -- 0: Turns off Enhanced Phishing Protection. -- 1: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends telemetry but doesn't show any notifications to your users. - - - - - -
    - - -**WebThreatDefense/NotifyMalicious** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate. - -If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above, and encourages them to change their password. - -If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above. - - - -The following list shows the supported values: - -- 0: Turns off Enhanced Phishing Protection notifications when users type their work or school password into one of the following malicious scenarios: a reported phishing site, a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate. -- 1: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. - - - -
    - - -**WebThreatDefense/NotifyPasswordReuse** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password. - -If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it. - -If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password. - - - -The following list shows the supported values: - -- 0: Turns off Enhanced Phishing Protection notifications when users reuse their work or school password. -- 1: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. - - - - -
    - - -**WebThreatDefense/NotifyUnsafeApp** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in text editor apps like OneNote, Word, Notepad, etc. - -If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in text editor apps. - -If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in text editor apps. - - -The following list shows the supported values: - -- 0: Turns off Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps like OneNote, Word, Notepad, etc. -- 1: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps. - - - -
    - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | ServiceEnabled | +| Friendly Name | Service Enabled | +| Location | Computer Configuration | +| Path | Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows\WTDS\Components | +| Registry Value Name | ServiceEnabled | +| ADMX File Name | WebThreatDefense.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 09a9eb148e..62d4b45e2a 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -1,336 +1,378 @@ --- -title: Policy CSP - Wifi -description: Learn how the Policy CSP - Wifi setting allows or disallows the device to automatically connect to Wi-Fi hotspots. +title: Wifi Policy CSP +description: Learn more about the Wifi Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Wifi + + + -
    + +## AllowAutoConnectToWiFiSenseHotspots - -## Wifi policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    -
    - WiFi/AllowWiFiHotSpotReporting -
    -
    - Wifi/AllowAutoConnectToWiFiSenseHotspots -
    -
    - Wifi/AllowInternetSharing -
    -
    - Wifi/AllowManualWiFiConfiguration -
    -
    - Wifi/AllowWiFi -
    -
    - Wifi/AllowWiFiDirect -
    -
    - Wifi/WLANScanMode -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowAutoConnectToWiFiSenseHotspots +``` + + + +This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services". -
    +"Connect to suggested open hotspots" enables Windows to automatically connect users to open hotspots it knows about by crowdsourcing networks that other people using Windows have connected to. - -**WiFi/AllowWiFiHotSpotReporting** +"Connect to networks shared by my contacts" enables Windows to automatically connect to networks that the user's contacts have shared with them, and enables users on this device to share networks with their contacts. -
    +"Enable paid services" enables Windows to temporarily connect to open hotspots to determine if paid services are available. - -This policy has been deprecated. +- If this policy setting is disabled, both "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services" will be turned off and users on this device will be prevented from enabling them. - - +- If this policy setting is not configured or is enabled, users can choose to enable or disable either "Connect to suggested open hotspots" or "Connect to networks shared by my contacts". + -
    + + + - -**Wifi/AllowAutoConnectToWiFiSenseHotspots** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | WiFiSense | +| Friendly Name | Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services | +| Location | Computer Configuration | +| Path | Network > WLAN Service > WLAN Settings | +| Registry Key Name | Software\Microsoft\wcmsvc\wifinetworkmanager\config | +| Registry Value Name | AutoConnectAllowedOEM | +| ADMX File Name | wlansvc.admx | + -
    + + + - - -Allow or disallow the device to automatically connect to Wi-Fi hotspots. + -Most restricted value is 0. + +## AllowInternetSharing - - -ADMX Info: -- GP Friendly name: *Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services* -- GP name: *WiFiSense* -- GP path: *Network/WLAN Service/WLAN Settings* -- GP ADMX file name: *wlansvc.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowInternetSharing +``` + -- 0 – Not allowed. -- 1 (default) – Allowed. + + +Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. - - +ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. -
    +- If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. - -**Wifi/AllowInternetSharing** +- If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allow or disallow internet sharing. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Prohibit use of Internet Connection Sharing on your DNS domain network* -- GP name: *NC_ShowSharedAccessUI* -- GP path: *Network/Network Connections* -- GP ADMX file name: *NetworkConnections.admx* - - - -The following list shows the supported values: - -- 0 – Do not allow the use of Internet Sharing. -- 1 (default) – Allow the use of Internet Sharing. - - - - -
    - - -**Wifi/AllowManualWiFiConfiguration** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. - -Most restricted value is 0. +By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS. > [!NOTE] -> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted. +> Internet Connection Sharing is only available when two or more network connections are present. - - -The following list shows the supported values: +> [!NOTE] +> When the "Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remote access connection," or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked. -- 0 – No Wi-Fi connection outside of MDM provisioned network is allowed. -- 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed. +> [!NOTE] +> Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of this setting. - - +> [!NOTE] +> Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box. + -
    + + + - -**Wifi/AllowWiFi** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | NC_ShowSharedAccessUI | +| Friendly Name | Prohibit use of Internet Connection Sharing on your DNS domain network | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_ShowSharedAccessUI | +| ADMX File Name | NetworkConnections.admx | + -
    + + + - - -Allow or disallow WiFi connection. + -Most restricted value is 0. + +## AllowManualWiFiConfiguration - - -The following list shows the supported values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -- 0 – WiFi connection is not allowed. -- 1 (default) – WiFi connection is allowed. + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowManualWiFiConfiguration +``` + - - + + +Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. Most restricted value is 0 -
    +> [!NOTE] +> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted. + - -**Wifi/AllowWiFiDirect** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 | No Wi-Fi connection outside of MDM provisioned network is allowed. | +| 1 (Default) | Adding new network SSIDs beyond the already MDM provisioned ones is allowed. | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -Allow WiFi Direct connection.. + +## AllowWiFi - - -The following list shows the supported values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -- 0 - WiFi Direct connection is not allowed. -- 1 - WiFi Direct connection is allowed. + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWiFi +``` + - - + + +This policy has been deprecated. + -
    + + + - -**Wifi/WLANScanMode** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowWiFiDirect - - -Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency. + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWiFiDirect +``` + -The default value is 0. + + +Allow WiFi Direct connection. . + -Supported operations are Add, Delete, Get, and Replace. + + + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## WLANScanMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/WLANScanMode +``` + + + + +Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency. The default value is 0. Supported operations are Add, Delete, Get, and Replace. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-500]` | +| Default Value | 0 | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-windowsautopilot.md b/windows/client-management/mdm/policy-csp-windowsautopilot.md index 01a6430be0..1780b6b35e 100644 --- a/windows/client-management/mdm/policy-csp-windowsautopilot.md +++ b/windows/client-management/mdm/policy-csp-windowsautopilot.md @@ -1,78 +1,80 @@ --- -title: Policy CSP - WindowsAutoPilot -description: Learn to use the Policy CSP - WindowsAutoPilot setting to enable or disable Autopilot Agility feature. +title: WindowsAutopilot Policy CSP +description: Learn more about the WindowsAutopilot Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 11/25/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- -# Policy CSP - WindowsAutoPilot + + +# Policy CSP - WindowsAutopilot + + + -
    + +## EnableAgilityPostEnrollment - -## WindowsAutoPilot policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - WindowsAutoPilot/EnableAgilityPostEnrollment -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsAutopilot/EnableAgilityPostEnrollment +``` + + + +Specifies whether to check for Windows Autopilot updates after enrollment. Most restricted value is 0. + -
    + + + - -**WindowsAutoPilot/EnableAgilityPostEnrollment** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Not enabled. | +| 1 | Enabled. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + + + - - -This policy enables Windows Autopilot to be kept up-to-date during the out-of-box experience after MDM enrollment. + - - +## Related articles - - - - - - - - -
    - - - -## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index 803dc874b5..3b51c6bc44 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md @@ -1,98 +1,104 @@ --- -title: Policy CSP - WindowsConnectionManager -description: The Policy CSP - WindowsConnectionManager setting prevents computers from connecting to a domain-based network and a non-domain-based network simultaneously. +title: WindowsConnectionManager Policy CSP +description: Learn more about the WindowsConnectionManager Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - WindowsConnectionManager -
    - - -## WindowsConnectionManager policies - -
    -
    - WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork -
    -
    - - -
    - - -**WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prevents computers from connecting to both a domain-based network and a non-domain-based network at the same time. - -If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances: - -Automatic connection attempts: - -- When the computer is already connected to a domain-based network, all automatic connection attempts to non-domain networks are blocked. -- When the computer is already connected to a non-domain-based network, automatic connection attempts to domain-based networks are blocked. - -Manual connection attempts: - -- When the computer is already connected to either a non-domain-based network or a domain-based network over media other than Ethernet, and a user attempts to create a manual connection to another network in violation of this policy setting, then an existing network connection is disconnected and the manual connection is allowed. -- When the computer is already connected to either a non-domain-based network or a domain-based network over Ethernet, and a user attempts to create a manual connection to another network in violation of this policy setting, then an existing Ethernet connection is maintained and the manual connection attempt is blocked. - -If this policy setting isn't configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks. - - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -ADMX Info: -- GP Friendly name: *Prohibit connection to non-domain networks when connected to domain authenticated network* -- GP name: *WCM_BlockNonDomain* -- GP path: *Network/Windows Connection Manager* -- GP ADMX file name: *WCM.admx* + + + - - -
    + +## ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -## Related topics + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork +``` + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + +This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. + +- If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances: + +Automatic connection attempts +- When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked. +- When the computer is already connected to a non-domain based network, automatic connection attempts to domain based networks are blocked. + +Manual connection attempts +- When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed. +- When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked. + +- If this policy setting is not configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks. 
+ + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WCM_BlockNonDomain | +| Friendly Name | Prohibit connection to non-domain networks when connected to domain authenticated network | +| Location | Computer Configuration | +| Path | Network > Windows Connection Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy | +| Registry Value Name | fBlockNonDomain | +| ADMX File Name | WCM.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 106c5f63e4..020c169b11 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md 
@@ -1,1254 +1,1558 @@ --- -title: Policy CSP - WindowsDefenderSecurityCenter -description: Learn how to use the Policy CSP - WindowsDefenderSecurityCenter setting to display the Account protection area in Windows Defender Security Center. +title: WindowsDefenderSecurityCenter Policy CSP +description: Learn more about the WindowsDefenderSecurityCenter Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - WindowsDefenderSecurityCenter -
    + + + - + +## CompanyName -## WindowsDefenderSecurityCenter policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    -
    - WindowsDefenderSecurityCenter/CompanyName -
    -
    - WindowsDefenderSecurityCenter/DisableAccountProtectionUI -
    -
    - WindowsDefenderSecurityCenter/DisableAppBrowserUI -
    -
    - WindowsDefenderSecurityCenter/DisableClearTpmButton -
    -
    - WindowsDefenderSecurityCenter/DisableDeviceSecurityUI -
    -
    - WindowsDefenderSecurityCenter/DisableEnhancedNotifications -
    -
    - WindowsDefenderSecurityCenter/DisableFamilyUI -
    -
    - WindowsDefenderSecurityCenter/DisableHealthUI -
    -
    - WindowsDefenderSecurityCenter/DisableNetworkUI -
    -
    - WindowsDefenderSecurityCenter/DisableNotifications -
    -
    - WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning -
    -
    - WindowsDefenderSecurityCenter/DisableVirusUI -
    -
    - WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride -
    -
    - WindowsDefenderSecurityCenter/Email -
    -
    - WindowsDefenderSecurityCenter/EnableCustomizedToasts -
    -
    - WindowsDefenderSecurityCenter/EnableInAppCustomization -
    -
    - WindowsDefenderSecurityCenter/HideRansomwareDataRecovery -
    -
    - WindowsDefenderSecurityCenter/HideSecureBoot -
    -
    - WindowsDefenderSecurityCenter/HideTPMTroubleshooting -
    -
    - WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl -
    -
    - WindowsDefenderSecurityCenter/Phone -
    -
    - WindowsDefenderSecurityCenter/URL -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/CompanyName +``` + -
    + + +The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. +- If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options. Value type is string. Supported operations are Add, Get, Replace and Delete. + - -**WindowsDefenderSecurityCenter/CompanyName** + + + - -The table below shows the applicability of Windows: + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | EnterpriseCustomization_CompanyName | +| Friendly Name | Specify contact company name | +| Element Name | Company name | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Enterprise Customization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display the contact options. + +## DisableAccountProtectionUI -- Supported value type is string. -- Supported operations are Add, Get, Replace and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableAccountProtectionUI +``` + -ADMX Info: -- GP Friendly name: *Specify contact company name* -- GP name: *EnterpriseCustomization_CompanyName* -- GP element: *Presentation_EnterpriseCustomization_CompanyName* -- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + +Hide the Account protection area in Windows Security. - - +Enabled: +The Account protection area will be hidden. -
    +Disabled: +The Account protection area will be shown. - -**WindowsDefenderSecurityCenter/DisableAccountProtectionUI** +Not configured: +Same as Disabled. + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of the Account protection area in Windows Defender Security Center. | +| 1 | (Enable) The users cannot see the display of the Account protection area in Windows Defender Security Center. | + -
    + +**Group policy mapping**: - - -Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. +| Name | Value | +|:--|:--| +| Name | AccountProtection_UILockdown | +| Friendly Name | Hide the Account protection area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Account protection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + - - -ADMX Info: -- GP Friendly name: *Hide the Account protection area* -- GP name: *AccountProtection_UILockdown* -- GP path: *Windows Components/Windows Defender Security Center/Account protection* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + + - - -Valid values: + -- 0 - (Disable) The users can see the display of the Account protection area in Windows Defender Security Center. -- 1 - (Enable) The users can't see the display of the Account protection area in Windows Defender Security Center. + +## DisableAppBrowserUI - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableAppBrowserUI +``` + - -**WindowsDefenderSecurityCenter/DisableAppBrowserUI** + + +Hide the App and browser protection area in Windows Security. - -The table below shows the applicability of Windows: +Enabled: +The App and browser protection area will be hidden. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Disabled: +The App and browser protection area will be shown. - -
    +Not configured: +Same as Disabled. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. + +**Allowed values**: -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of the app and browser protection area in Windows Defender Security Center. | +| 1 | (Enable) The users cannot see the display of the app and browser protection area in Windows Defender Security Center. | + - - -ADMX Info: -- GP Friendly name: *Hide the App and browser protection area* -- GP name: *AppBrowserProtection_UILockdown* -- GP path: *Windows Components/Windows Defender Security Center/App and browser protection* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +**Group policy mapping**: - - -The following list shows the supported values: +| Name | Value | +|:--|:--| +| Name | AppBrowserProtection_UILockdown | +| Friendly Name | Hide the App and browser protection area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > App and browser protection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + -- 0 - (Disable) The users can see the display of the app and browser protection area in Windows Defender Security Center. -- 1 - (Enable) The users can't see the display of the app and browser protection area in Windows Defender Security Center. + + + - - + -
    + +## DisableClearTpmButton - -**WindowsDefenderSecurityCenter/DisableClearTpmButton** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - -The table below shows the applicability of Windows: + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableClearTpmButton +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Disable the Clear TPM button in Windows Security. -- Enabled: The Clear TPM button will be unavailable for use. -- Disabled: The Clear TPM button will be available for use on supported systems. -- Not configured: Same as Disabled. - -Supported values: - -- 0 - Disabled (default) -- 1 - Enabled - - - -ADMX Info: -- GP Friendly name: *Disable the Clear TPM button* -- GP name: *DeviceSecurity_DisableClearTpmButton* -- GP path: *Windows Components/Windows Security/Device security* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - - - - - - - - - - - -
    - - -**WindowsDefenderSecurityCenter/DisableDeviceSecurityUI** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. - - - -ADMX Info: -- GP Friendly name: *Hide the Device security area* -- GP name: *DeviceSecurity_UILockdown* -- GP path: *Windows Components/Windows Defender Security Center/Device security* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -Valid values: - -- 0 - (Disable) The users can see the display of the Device security area in Windows Defender Security Center. -- 1 - (Enable) The users can't see the display of the Device security area in Windows Defender Security Center. - - - - -
    - - -**WindowsDefenderSecurityCenter/DisableEnhancedNotifications** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Use this policy if you want Windows Defender Security Center to only display notifications that are considered critical. If you disable or don't configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users. - -> [!NOTE] -> If Suppress notification is enabled then users won't see critical or non-critical messages. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Hide non-critical notifications* -- GP name: *Notifications_DisableEnhancedNotifications* -- GP path: *Windows Components/Windows Defender Security Center/Notifications* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) Windows Defender Security Center will display critical and non-critical notifications to users. -- 1 - (Enable) Windows Defender Security Center only display notifications that are considered critical on clients. - - - - -
    - - -**WindowsDefenderSecurityCenter/DisableFamilyUI** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Hide the Family options area* -- GP name: *FamilyOptions_UILockdown* -- GP path: *Windows Components/Windows Defender Security Center/Family options* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) The users can see the display of the family options area in Windows Defender Security Center. -- 1 - (Enable) The users can't see the display of the family options area in Windows Defender Security Center. - - - - -
    - - -**WindowsDefenderSecurityCenter/DisableHealthUI** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Hide the Device performance and health area* -- GP name: *DevicePerformanceHealth_UILockdown* -- GP path: *Windows Components/Windows Defender Security Center/Device performance and health* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) The users can see the display of the device performance and health area in Windows Defender Security Center. -- 1 - (Enable) The users can't see the display of the device performance and health area in Windows Defender Security Center. - - - - -
    - - -**WindowsDefenderSecurityCenter/DisableNetworkUI** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Hide the Firewall and network protection area* -- GP name: *FirewallNetworkProtection_UILockdown* -- GP path: *Windows Components/Windows Defender Security Center/Firewall and network protection* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) The users can see the display of the firewall and network protection area in Windows Defender Security Center. -- 1 - (Enable) The users can't see the display of the firewall and network protection area in Windows Defender Security Center. - - - - -
    - - -**WindowsDefenderSecurityCenter/DisableNotifications** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or don't configure this setting, Windows Defender Security Center notifications will display on devices. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Hide all notifications* -- GP name: *Notifications_DisableNotifications* -- GP path: *Windows Components/Windows Defender Security Center/Notifications* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) The users can see the display of Windows Defender Security Center notifications. -- 1 - (Enable) The users can't see the display of Windows Defender Security Center notifications. - - - - -
    - - -**WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +Enabled: +The Clear TPM button will be unavailable for use. + +Disabled: +The Clear TPM button will be available for use. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disabled or not configured) The security processor troubleshooting page shows a button that initiates the process to clear the security processor (TPM). | +| 1 | (Enabled) The security processor troubleshooting page will not show a button to initiate the process to clear the security processor (TPM). | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceSecurity_DisableClearTpmButton | +| Friendly Name | Disable the Clear TPM button | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Device security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security | +| Registry Value Name | DisableClearTpmButton | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableDeviceSecurityUI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableDeviceSecurityUI +``` + + + + +Hide the Device security area in Windows Security. + +Enabled: +The Device security area will be hidden. + +Disabled: +The Device security area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of the Device security area in Windows Defender Security Center. | +| 1 | (Enable) The users cannot see the display of the Device security area in Windows Defender Security Center. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceSecurity_UILockdown | +| Friendly Name | Hide the Device security area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Device security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableEnhancedNotifications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableEnhancedNotifications +``` + + + + +Only show critical notifications from Windows Security. + +If the Suppress all notifications GP setting has been enabled, this setting will have no effect. + +Enabled: +Local users will only see critical notifications from Windows Security. They will not see other types of notifications, such as regular PC or device health information. + +Disabled: +Local users will see all types of notifications from Windows Security. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) Windows Defender Security Center will display critical and non-critical notifications to users.. | +| 1 | (Enable) Windows Defender Security Center only display notifications which are considered critical on clients. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Notifications_DisableEnhancedNotifications | +| Friendly Name | Hide non-critical notifications | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | +| Registry Value Name | DisableEnhancedNotifications | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableFamilyUI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableFamilyUI +``` + + + + +Hide the Family options area in Windows Security. + +Enabled: +The Family options area will be hidden. + +Disabled: +The Family options area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of the family options area in Windows Defender Security Center. | +| 1 | (Enable) The users cannot see the display of the family options area in Windows Defender Security Center. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | FamilyOptions_UILockdown | +| Friendly Name | Hide the Family options area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Family options | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableHealthUI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableHealthUI +``` + + + + +Hide the Device performance and health area in Windows Security. + +Enabled: +The Device performance and health area will be hidden. + +Disabled: +The Device performance and health area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of the device performance and health area in Windows Defender Security Center. | +| 1 | (Enable) The users cannot see the display of the device performance and health area in Windows Defender Security Center. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DevicePerformanceHealth_UILockdown | +| Friendly Name | Hide the Device performance and health area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Device performance and health | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableNetworkUI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableNetworkUI +``` + + + + +Hide the Firewall and network protection area in Windows Security. + +Enabled: +The Firewall and network protection area will be hidden. + +Disabled: +The Firewall and network protection area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of the firewall and network protection area in Windows Defender Security Center. | +| 1 | (Enable) The users cannot see the display of the firewall and network protection area in Windows Defender Security Center. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | FirewallNetworkProtection_UILockdown | +| Friendly Name | Hide the Firewall and network protection area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Firewall and network protection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableNotifications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableNotifications +``` + + + + +Hide notifications from Windows Security. + +Enabled: +Local users will not see notifications from Windows Security. + +Disabled: +Local users can see notifications from Windows Security. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of Windows Defender Security Center notifications. | +| 1 | (Enable) The users cannot see the display of Windows Defender Security Center notifications. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Notifications_DisableNotifications | +| Friendly Name | Hide all notifications | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | +| Registry Value Name | DisableNotifications | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableTpmFirmwareUpdateWarning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning +``` + + + + Hide the recommendation to update TPM Firmware when a vulnerable firmware is detected. -- Enabled: Users won't be shown a recommendation to update their TPM Firmware. -- Disabled: Users will see a recommendation to update their TPM Firmware if Windows Security detects the system contains a TPM with vulnerable firmware. -- Not configured: Same as Disabled. - -Supported values: - -- 0 - Disabled (default) -- 1 - Enabled - - - -ADMX Info: -- GP Friendly name: *Hide the TPM Firmware Update recommendation.* -- GP name: *DeviceSecurity_DisableTpmFirmwareUpdateWarning* -- GP path: *Windows Components/Windows Security/Device security* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - - - - - - - - - - - -
    - - -**WindowsDefenderSecurityCenter/DisableVirusUI** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Hide the Virus and threat protection area* -- GP name: *VirusThreatProtection_UILockdown* -- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) The users can see the display of the virus and threat protection area in Windows Defender Security Center. -- 1 - (Enable) The users can't see the display of the virus and threat protection area in Windows Defender Security Center. - - - - -
    - - -**WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or don't configure this setting, local users can make changes in the exploit protection settings area. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Prevent users from modifying settings* -- GP name: *AppBrowserProtection_DisallowExploitProtectionOverride* -- GP path: *Windows Components/Windows Defender Security Center/App and browser protection* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) Local users are allowed to make changes in the exploit protection settings area. -- 1 - (Enable) Local users can't make changes in the exploit protection settings area. - - - - -
    - - -**WindowsDefenderSecurityCenter/Email** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -The email address that is displayed to users. The default mail application is used to initiate email actions. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options. - -- Supported value type is string. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Specify contact email address or Email ID* -- GP name: *EnterpriseCustomization_Email* -- GP element: *Presentation_EnterpriseCustomization_Email* -- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - - -
    - - -**WindowsDefenderSecurityCenter/EnableCustomizedToasts** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Enable this policy to display your company name and contact options in the notifications. If you disable or don't configure this setting, or don't provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -ADMX Info: -- GP Friendly name: *Configure customized notifications* -- GP name: *EnterpriseCustomization_EnableCustomizedToasts* -- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) Notifications contain a default notification text. -- 1 - (Enable) Notifications contain the company name and contact options. - - - - -
    - - -**WindowsDefenderSecurityCenter/EnableInAppCustomization** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or don't configure this setting, or don't provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center won't display the contact card fly out notification. - -- Support value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -ADMX Info: -- GP Friendly name: *Configure customized contact information* -- GP name: *EnterpriseCustomization_EnableInAppCustomization* -- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) Don't display the company name and contact options in the card fly out notification. -- 1 - (Enable) Display the company name and contact options in the card fly out notification. - - - - -
    - - -**WindowsDefenderSecurityCenter/HideRansomwareDataRecovery** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center. - - - -ADMX Info: -- GP Friendly name: *Hide the Ransomware data recovery area* -- GP name: *VirusThreatProtection_HideRansomwareRecovery* -- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -Valid values: - -- 0 - (Disable or not configured) The Ransomware data recovery area will be visible. -- 1 - (Enable) The Ransomware data recovery area is hidden. - - - - -
    - - -**WindowsDefenderSecurityCenter/HideSecureBoot** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Use this policy to hide the Secure boot area in the Windows Defender Security Center. - - - -ADMX Info: -- GP Friendly name: *Hide the Secure boot area* -- GP name: *DeviceSecurity_HideSecureBoot* -- GP path: *Windows Components/Windows Defender Security Center/Device security* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -Valid values: - -- 0 - (Disable or not configured) The Secure boot area is displayed. -- 1 - (Enable) The Secure boot area is hidden. - - - - -
    - - -**WindowsDefenderSecurityCenter/HideTPMTroubleshooting** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center. - - - -ADMX Info: -- GP Friendly name: *Hide the Security processor (TPM) troubleshooter page* -- GP name: *DeviceSecurity_HideTPMTroubleshooting* -- GP path: *Windows Components/Windows Defender Security Center/Device security* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -Valid values: - -- 0 - (Disable or not configured) The Security processor (TPM) troubleshooting area is displayed. -- 1 - (Enable) The Security processor (TPM) troubleshooting area is hidden. - - - - -
    - - -**WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +Enabled: +Users will not be shown a recommendation to update their TPM Firmware. + +Disabled: +Users will see a recommendation to update their TPM Firmware if Windows Security detects the system contains a TPM with vulnerable firmware. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable or Not configured) A warning will be displayed if the firmware of the security processor (TPM) should be updated for TPMs that have a vulnerability. | +| 1 | (Enabled) No warning will be displayed if the firmware of the security processor (TPM) should be updated. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceSecurity_DisableTpmFirmwareUpdateWarning | +| Friendly Name | Hide the TPM Firmware Update recommendation. | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Device security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security | +| Registry Value Name | DisableTpmFirmwareUpdateWarning | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableVirusUI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableVirusUI +``` + + + + +Hide the Virus and threat protection area in Windows Security. + +Enabled: +The Virus and threat protection area will be hidden. + +Disabled: +The Virus and threat protection area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of the virus and threat protection area in Windows Defender Security Center. | +| 1 | (Enable) The users cannot see the display of the virus and threat protection area in Windows Defender Security Center. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | VirusThreatProtection_UILockdown | +| Friendly Name | Hide the Virus and threat protection area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Virus and threat protection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisallowExploitProtectionOverride + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride +``` + + + + +Prevent users from making changes to the Exploit protection settings area in Windows Security. + +Enabled: +Local users can not make changes in the Exploit protection settings area. + +Disabled: +Local users are allowed to make changes in the Exploit protection settings area. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) Local users are allowed to make changes in the exploit protection settings area. | +| 1 | (Enable) Local users cannot make changes in the exploit protection settings area. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AppBrowserProtection_DisallowExploitProtectionOverride | +| Friendly Name | Prevent users from modifying settings | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > App and browser protection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection | +| Registry Value Name | DisallowExploitProtectionOverride | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## Email + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/Email +``` + + + + +The email address that is displayed to users. The default mail application is used to initiate email actions. +- If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. Value type is string. Supported operations are Add, Get, Replace and Delete. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnterpriseCustomization_Email | +| Friendly Name | Specify contact email address or Email ID | +| Element Name | Email address or email ID | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Enterprise Customization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## EnableCustomizedToasts + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/EnableCustomizedToasts +``` + + + + +Display specified contact information to local users in Windows Security notifications. + +Enabled: +Your company contact information will be displayed in notifications that come from Windows Security. + +After setting this to Enabled, you must configure the Specify contact company name GP setting and at least one of the following GP settings: +-Specify contact phone number or Skype ID +-Specify contact email number or email ID +-Specify contact website +Please note that in some cases we will be limiting the contact options that are displayed based on the notification space available. + +Disabled: +No contact information will be shown on notifications. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Notification text. | +| 1 | (Enable) Notifications contain the company name and contact options. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnterpriseCustomization_EnableCustomizedToasts | +| Friendly Name | Configure customized notifications | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Enterprise Customization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization | +| Registry Value Name | EnableForToasts | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## EnableInAppCustomization + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/EnableInAppCustomization +``` + + + + +Display specified contact information to local users in a contact card flyout menu in Windows Security + +Enabled: +Your company contact information will be displayed in a flyout menu in Windows Security. + +After setting this to Enabled, you must configure the Specify contact company name GP setting and at least one of the following GP settings: +-Specify contact phone number or Skype ID +-Specify contact email number or email ID +-Specify contact website + +Disabled: +No contact information will be shown in Windows Security. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) Do not display the company name and contact options in the card fly out notification. | +| 1 | (Enable) Display the company name and contact options in the card fly out notification. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnterpriseCustomization_EnableInAppCustomization | +| Friendly Name | Configure customized contact information | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Enterprise Customization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization | +| Registry Value Name | EnableInApp | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## HideRansomwareDataRecovery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/HideRansomwareDataRecovery +``` + + + + +Hide the Ransomware data recovery area in Windows Security. + +Enabled: +The Ransomware data recovery area will be hidden. + +Disabled: +The Ransomware data recovery area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable or not configured) The Ransomware data recovery area will be visible. | +| 1 | (Enable) The Ransomware data recovery area is hidden. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | VirusThreatProtection_HideRansomwareRecovery | +| Friendly Name | Hide the Ransomware data recovery area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Virus and threat protection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection | +| Registry Value Name | HideRansomwareRecovery | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## HideSecureBoot + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/HideSecureBoot +``` + + + + +Hide the Secure boot area in Windows Security. + +Enabled: +The Secure boot area will be hidden. + +Disabled: +The Secure boot area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable or not configured) The Secure boot area is displayed. | +| 1 | (Enable) The Secure boot area is hidden. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceSecurity_HideSecureBoot | +| Friendly Name | Hide the Secure boot area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Device security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security | +| Registry Value Name | HideSecureBoot | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## HideTPMTroubleshooting + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/HideTPMTroubleshooting +``` + + + + +Hide the Security processor (TPM) troubleshooting area in Windows Security. + +Enabled: +The Security processor (TPM) troubleshooting area will be hidden. + +Disabled: +The Security processor (TPM) troubleshooting area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable or not configured) The Security processor (TPM) troubleshooting area is displayed. | +| 1 | (Enable) The Security processor (TPM) troubleshooting area is hidden. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceSecurity_HideTPMTroubleshooting | +| Friendly Name | Hide the Security processor (TPM) troubleshooter page | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Device security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security | +| Registry Value Name | HideTPMTroubleshooting | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## HideWindowsSecurityNotificationAreaControl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl +``` + + + + This policy setting hides the Windows Security notification area control. The user needs to either sign out and sign in or reboot the computer for this setting to take effect. -- Enabled: Windows Security notification area control will be hidden. -- Disabled: Windows Security notification area control will be shown. -- Not configured: Same as Disabled. +Enabled: +Windows Security notification area control will be hidden. -Supported values: +Disabled: +Windows Security notification area control will be shown. -- 0 - Disabled (default) -- 1 - Enabled +Not configured: +Same as Disabled. + - - -ADMX Info: -- GP Friendly name: *Hide Windows Security Systray* -- GP name: *Systray_HideSystray* -- GP path: *Windows Components/Windows Security/Systray* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + + - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | . | +| 1 | Enabled. | + -
    + +**Group policy mapping**: - -**WindowsDefenderSecurityCenter/Phone** +| Name | Value | +|:--|:--| +| Name | Systray_HideSystray | +| Friendly Name | Hide Windows Security Systray | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Systray | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray | +| Registry Value Name | HideSystray | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Phone - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/Phone +``` + -
    + + +The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. +- If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. Value type is string. Supported operations are Add, Get, Replace, and Delete. + - - -The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options. + + + -- Supported value type is string. -- Supported operations are Add, Get, Replace, and Delete. + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Specify contact phone number or Skype ID* -- GP name: *EnterpriseCustomization_Phone* -- GP element: *Presentation_EnterpriseCustomization_Phone* -- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | EnterpriseCustomization_Phone | +| Friendly Name | Specify contact phone number or Skype ID | +| Element Name | Phone number or Skype ID | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Enterprise Customization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + - -**WindowsDefenderSecurityCenter/URL** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## URL - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/URL +``` + -> [!div class = "checklist"] -> * Device + + +The help portal URL this is displayed to users. The default browser is used to initiate this action. +- If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options. Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete. + -
    + + + - - -The help portal URL that is displayed to users. The default browser is used to initiate this action. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device won't display contact options. + +**Description framework properties**: -- Supported value type is string. -- Supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -ADMX Info: -- GP Friendly name: *Specify contact website* -- GP name: *EnterpriseCustomization_URL* -- GP element: *Presentation_EnterpriseCustomization_URL* -- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +**Group policy mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | EnterpriseCustomization_URL | +| Friendly Name | Specify contact website | +| Element Name | IT or support website | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Enterprise Customization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + - + + + -## Related topics + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index 403b33ba76..c2a2419ae6 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -1,138 +1,158 @@ --- -title: Policy CSP - WindowsInkWorkspace -description: Learn to use the Policy CSP - WindowsInkWorkspace setting to specify whether to allow the user to access the ink workspace. +title: WindowsInkWorkspace Policy CSP +description: Learn more about the WindowsInkWorkspace Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - WindowsInkWorkspace -
    + + + - -## WindowsInkWorkspace policies + +## AllowSuggestedAppsInWindowsInkWorkspace -
    -
    - WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace -
    -
    - WindowsInkWorkspace/AllowWindowsInkWorkspace -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace +``` + - -**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace** + + +Allow suggested apps in Windows Ink Workspace + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
    + +**Group policy mapping**: - - -Show recommended app suggestions in the ink workspace. +| Name | Value | +|:--|:--| +| Name | AllowSuggestedAppsInWindowsInkWorkspace | +| Friendly Name | Allow suggested apps in Windows Ink Workspace | +| Location | Computer Configuration | +| Path | Windows Components > Windows Ink Workspace | +| Registry Key Name | Software\Policies\Microsoft\WindowsInkWorkspace | +| Registry Value Name | AllowSuggestedAppsInWindowsInkWorkspace | +| ADMX File Name | WindowsInkWorkspace.admx | + - - -ADMX Info: -- GP Friendly name: *Allow suggested apps in Windows Ink Workspace* -- GP name: *AllowSuggestedAppsInWindowsInkWorkspace* -- GP path: *Windows Components/Windows Ink Workspace* -- GP ADMX file name: *WindowsInkWorkspace.admx* + + + - - -The following list shows the supported values: + -- 0 - app suggestions are not allowed. -- 1 (default) -allow app suggestions. + +## AllowWindowsInkWorkspace - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsInkWorkspace/AllowWindowsInkWorkspace +``` + - -**WindowsInkWorkspace/AllowWindowsInkWorkspace** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Specifies whether to allow the user to access the ink workspace. + - - -ADMX Info: -- GP Friendly name: *Allow Windows Ink Workspace* -- GP name: *AllowWindowsInkWorkspace* -- GP element: *AllowWindowsInkWorkspaceDropdown* -- GP path: *Windows Components/Windows Ink Workspace* -- GP ADMX file name: *WindowsInkWorkspace.admx* + + + - - -Supported value type is int. The following list shows the supported values: + +**Description framework properties**: -- 0 - access to ink workspace is disabled. The feature is turned off. -- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. -- 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + - - -
    + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 | Access to ink workspace is disabled. The feature is turned off. | +| 1 | Ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. | +| 2 (Default) | Ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. | + -## Related topics + +**Group policy mapping**: -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | AllowWindowsInkWorkspace | +| Friendly Name | Allow Windows Ink Workspace | +| Element Name | Choose one of the following actions | +| Location | Computer Configuration | +| Path | Windows Components > Windows Ink Workspace | +| Registry Key Name | Software\Policies\Microsoft\WindowsInkWorkspace | +| ADMX File Name | WindowsInkWorkspace.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 15d68c57a4..51b6c8cc5e 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -1,10 +1,10 @@ --- title: WindowsLogon Policy CSP -description: Learn more about the WindowsLogon Area in Policy CSP +description: Learn more about the WindowsLogon Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/09/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - WindowsLogon > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -46,15 +44,15 @@ ms.topic: reference This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot. -This only occurs if the last interactive user didn’t sign out before the restart or shutdown.​ +This only occurs if the last interactive user didn't sign out before the restart or shutdown. -If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.​ +If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns. -If you don’t configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.​ +- If you don't configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. -After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot​. +After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot . -If you disable this policy setting, the device does not configure automatic sign in. The user’s lock screen apps are not restarted after the system restarts. 
+- If you disable this policy setting, the device does not configure automatic sign in. The user's lock screen apps are not restarted after the system restarts. @@ -72,13 +70,13 @@ If you disable this policy setting, the device does not configure automatic sign > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | AutomaticRestartSignOnDescription | +| Name | AutomaticRestartSignOn | | Friendly Name | Sign-in and lock last interactive user automatically after a restart | | Location | Computer Configuration | | Path | Windows Components > Windows Logon Options | 
@@ -110,17 +108,18 @@ If you disable this policy setting, the device does not configure automatic sign -This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or cold boot. If you chose “Disabled” in the “Sign-in and lock last interactive user automatically after a restart” policy, then automatic sign on will not occur and this policy does not need to be configured. +This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or cold boot. If you chose "Disabled" in the "Sign-in and lock last interactive user automatically after a restart" policy, then automatic sign on will not occur and this policy does not need to be configured. -If you enable this policy setting, you can choose one of the following two options: +- If you enable this policy setting, you can choose one of the following two options: -1. “Enabled if BitLocker is on and not suspended” specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. +1. "Enabled if BitLocker is on and not suspended" specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device's hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. 
BitLocker is suspended during updates if: -- The device doesn’t have TPM 2.0 and PCR7, or -- The device doesn’t use a TPM-only protector -2. “Always Enabled” specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. +- The device doesn't have TPM 2.0 and PCR7, or +- The device doesn't use a TPM-only protector -If you disable or don’t configure this setting, automatic sign on will default to the “Enabled if BitLocker is on and not suspended” behavior. +2. "Always Enabled" specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. + +- If you disable or don't configure this setting, automatic sign on will default to the "Enabled if BitLocker is on and not suspended" behavior. 
@@ -138,13 +137,13 @@ If you disable or don’t configure this setting, automatic sign on will default > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ConfigAutomaticRestartSignOnDescription | +| Name | ConfigAutomaticRestartSignOn | | Friendly Name | Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot | | Location | Computer Configuration | | Path | Windows Components > Windows Logon Options | @@ -177,9 +176,9 @@ If you disable or don’t configure this setting, automatic sign on will default This policy setting allows you to prevent app notifications from appearing on the lock screen. -If you enable this policy setting, no app notifications are displayed on the lock screen. +- If you enable this policy setting, no app notifications are displayed on the lock screen. -If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. +- If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. @@ -197,7 +196,7 @@ If you disable or do not configure this policy setting, users can choose which a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -237,9 +236,9 @@ If you disable or do not configure this policy setting, users can choose which a This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. -If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. +- If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. -If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. +- If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. @@ -257,7 +256,7 @@ If you disable or don't configure this policy setting, any user can disconnect t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -323,13 +322,14 @@ Here's an example to enable this policy: This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. -If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. +- If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. -If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. +- If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. -If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation. +- If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation. -Note: The first sign-in animation will not be shown on Server, so this policy will have no effect. +> [!NOTE] +> The first sign-in animation will not be shown on Server, so this policy will have no effect. 
@@ -394,9 +394,9 @@ Note: The first sign-in animation will not be shown on Server, so this policy wi This policy controls the configuration under which winlogon sends MPR notifications in the system. -If you enable this setting or do not configure it, winlogon sends MPR notifications if a credential manager is configured. +- If you enable this setting or do not configure it, winlogon sends MPR notifications if a credential manager is configured. -If you disable this setting, winlogon does not send MPR notifications. +- If you disable this setting, winlogon does not send MPR notifications. @@ -414,7 +414,7 @@ If you disable this setting, winlogon does not send MPR notifications. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -454,9 +454,9 @@ If you disable this setting, winlogon does not send MPR notifications. This policy setting allows local users to be enumerated on domain-joined computers. -If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. +- If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. -If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. +- If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. 
@@ -474,7 +474,7 @@ If you disable or do not configure this policy setting, the Logon UI will not en > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -514,11 +514,11 @@ If you disable or do not configure this policy setting, the Logon UI will not en This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. -If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. +- If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. -If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. +- If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. 
@@ -588,7 +588,7 @@ The policy currently supports below options: 1. Not Configured: Default shell will be launched. 2. Apply Lightweight Shell: Lightweight shell does not have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application which would consume features offered by Lightweight shell. -If you disable or do not configure this policy setting, then the default shell will be launched. +- If you disable or do not configure this policy setting, then the default shell will be launched. @@ -611,8 +611,8 @@ If you disable or do not configure this policy setting, then the default shell w | Value | Description | |:--|:--| -| 0 (Default) | Not Configured | -| 1 | Apply Lightweight shell | +| 0 (Default) | Not Configured. | +| 1 | Apply Lightweight shell. | diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md index 259cea10dc..7547dce65b 100644 --- a/windows/client-management/mdm/policy-csp-windowspowershell.md +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md 
@@ -1,92 +1,106 @@ --- -title: Policy CSP - WindowsPowerShell -description: Use the Policy CSP - WindowsPowerShell setting to enable logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. +title: WindowsPowerShell Policy CSP +description: Learn more about the WindowsPowerShell Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - WindowsPowerShell -
    - - -## WindowsPowerShell policies - -
    -
    - WindowsPowerShell/TurnOnPowerShellScriptBlockLogging -
    -
    - - -
    - - -**WindowsPowerShell/TurnOnPowerShellScriptBlockLogging** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation. - -If you disable this policy setting, logging of PowerShell script input is disabled. - -If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script starts or stops. Enabling Invocation Logging generates a high volume of event logs. - -> [!NOTE] -> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. - - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
- -ADMX Info: -- GP Friendly name: *Turn on PowerShell Script Block Logging* -- GP name: *EnableScriptBlockLogging* -- GP path: *Windows Components/Windows PowerShell* -- GP ADMX file name: *PowerShellExecutionPolicy.admx* + + + - - -
    + +## TurnOnPowerShellScriptBlockLogging - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -## Related topics + +```User +./User/Vendor/MSFT/Policy/Config/WindowsPowerShell/TurnOnPowerShellScriptBlockLogging +``` -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsPowerShell/TurnOnPowerShellScriptBlockLogging +``` + + + + +This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. +- If you enable this policy setting, +Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation. + +- If you disable this policy setting, logging of PowerShell script input is disabled. + +If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script +starts or stops. Enabling Invocation Logging generates a high volume of event logs. + +> [!NOTE] +> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableScriptBlockLogging | +| Friendly Name | Turn on PowerShell Script Block Logging | +| Location | Computer and User Configuration | +| Path | Windows Components > Windows PowerShell | +| Registry Key Name | Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging | +| Registry Value Name | EnableScriptBlockLogging | +| ADMX File Name | PowerShellExecutionPolicy.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md index c6271913c6..9dcfc90191 100644 --- a/windows/client-management/mdm/policy-csp-windowssandbox.md +++ b/windows/client-management/mdm/policy-csp-windowssandbox.md @@ -1,465 +1,417 @@ --- -title: Policy CSP - WindowsSandbox -description: Policy CSP - WindowsSandbox +title: WindowsSandbox Policy CSP +description: Learn more about the WindowsSandbox Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 10/14/2020 +ms.topic: reference --- + + + # Policy CSP - WindowsSandbox + + + -
    + +## AllowAudioInput - -## WindowsSandbox policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - WindowsSandbox/AllowAudioInput -
    -
    - WindowsSandbox/AllowClipboardRedirection -
    -
    - WindowsSandbox/AllowNetworking -
    -
    - WindowsSandbox/AllowPrinterRedirection -
    -
    - WindowsSandbox/AllowVGPU -
    -
    - WindowsSandbox/AllowVideoInput -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowAudioInput +``` + -
    + + +This policy setting enables or disables audio input to the Sandbox. - -**WindowsSandbox/AllowAudioInput** +- If you enable this policy setting, Windows Sandbox will be able to receive audio input from the user. Applications using a microphone may require this setting. -Available in the latest Windows 10 insider preview build. +- If you disable this policy setting, Windows Sandbox will not be able to receive audio input from the user. Applications using a microphone may not function properly with this setting. - -The table below shows the applicability of Windows: +- If you do not configure this policy setting, audio input will be enabled. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows the IT admin to enable or disable audio input to the Sandbox. - -> [!NOTE] -> There may be security implications of exposing host audio input to the container. - -If this policy isn't configured, end-users get the default behavior (audio input enabled). - -If audio input is disabled, a user won't be able to enable audio input from their own configuration file. - -If audio input is enabled, a user will be able to disable audio input from their own configuration file to make the device more secure. +**Note** that there may be security implications of exposing host audio input to the container. + + + > [!NOTE] > You must restart Windows Sandbox for any changes to this policy setting to take effect. + - - -ADMX Info: + +**Description framework properties**: -- GP Friendly name: *Allow audio input in Windows Sandbox* -- GP name: *AllowAudioInput* -- GP path: *Windows Components/Windows Sandbox* -- GP ADMX file name: *WindowsSandbox.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + - - -The following are the supported values: + +**Group policy mapping**: -- 0 - Disabled -- 1 (default) - Enabled +| Name | Value | +|:--|:--| +| Name | AllowAudioInput | +| Friendly Name | Allow audio input in Windows Sandbox | +| Location | Computer Configuration | +| Path | Windows Components > Windows Sandbox | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox | +| Registry Value Name | AllowAudioInput | +| ADMX File Name | WindowsSandbox.admx | + - - + + + - - + - - + +## AllowClipboardRedirection -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowClipboardRedirection +``` + - -**WindowsSandbox/AllowClipboardRedirection** + + +This policy setting enables or disables clipboard sharing with the sandbox. -Available in the latest Windows 10 insider preview build. +- If you enable this policy setting, copy and paste between the host and Windows Sandbox are permitted. - -The table below shows the applicability of Windows: +- If you disable this policy setting, copy and paste in and out of Sandbox will be restricted. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows the IT admin to enable or disable sharing of the host clipboard with the sandbox. - -If this policy isn't configured, end-users get the default behavior (clipboard redirection enabled). - -If clipboard sharing is disabled, a user won't be able to enable clipboard sharing from their own configuration file. - -If clipboard sharing is enabled, a user will be able to disable clipboard sharing from their own configuration file to make the device more secure. +- If you do not configure this policy setting, clipboard sharing will be enabled. + + + > [!NOTE] > You must restart Windows Sandbox for any changes to this policy setting to take effect. + - - -ADMX Info: + +**Description framework properties**: -- GP Friendly name: *Allow clipboard sharing with Windows Sandbox* -- GP name: *AllowClipboardRedirection* -- GP path: *Windows Components/Windows Sandbox* -- GP ADMX file name: *WindowsSandbox.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + - - -The following are the supported values: + +**Group policy mapping**: -- 0 - Disabled -- 1 (default) - Enabled +| Name | Value | +|:--|:--| +| Name | AllowClipboardRedirection | +| Friendly Name | Allow clipboard sharing with Windows Sandbox | +| Location | Computer Configuration | +| Path | Windows Components > Windows Sandbox | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox | +| Registry Value Name | AllowClipboardRedirection | +| ADMX File Name | WindowsSandbox.admx | + + + + - - + - - + +## AllowNetworking - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowNetworking +``` + - -**WindowsSandbox/AllowNetworking** + + +This policy setting enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox. -Available in the latest Windows 10 insider preview build. +- If you enable this policy setting, networking is done by creating a virtual switch on the host, and connects the Windows Sandbox to it via a virtual NIC. - -The table below shows the applicability of Windows: +- If you disable this policy setting, networking is disabled in Windows Sandbox. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you do not configure this policy setting, networking will be enabled. - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows the IT admin to enable or disable networking in Windows Sandbox. Disabling network access can decrease the attack surface exposed by the Sandbox. Enabling networking can expose untrusted applications to the internal network. - -If this policy isn't configured, end-users get the default behavior (networking enabled). - -If networking is disabled, a user won't be able to enable networking from their own configuration file. - -If networking is enabled, a user will be able to disable networking from their own configuration file to make the device more secure. +**Note** that enabling networking can expose untrusted applications to the internal network. + + + > [!NOTE] > You must restart Windows Sandbox for any changes to this policy setting to take effect. + - - -ADMX Info: + +**Description framework properties**: -- GP Friendly name: *Allow networking in Windows Sandbox* -- GP name: *AllowNetworking* -- GP path: *Windows Components/Windows Sandbox* -- GP ADMX file name: *WindowsSandbox.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + - - -The following are the supported values: -- 0 - Disabled -- 1 (default) - Enabled + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | AllowNetworking | +| Friendly Name | Allow networking in Windows Sandbox | +| Location | Computer Configuration | +| Path | Windows Components > Windows Sandbox | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox | +| Registry Value Name | AllowNetworking | +| ADMX File Name | WindowsSandbox.admx | + - - + + + - - + -
    + +## AllowPrinterRedirection - -**WindowsSandbox/AllowPrinterRedirection** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -Available in the latest Windows 10 insider preview build. + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowPrinterRedirection +``` + - -The table below shows the applicability of Windows: + + +This policy setting enables or disables printer sharing from the host into the Sandbox. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you enable this policy setting, host printers will be shared into Windows Sandbox. - -
    +- If you disable this policy setting, Windows Sandbox will not be able to view printers from the host. - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox. - -If this policy isn't configured, end-users get the default behavior (printer sharing disabled). - -If printer sharing is disabled, a user won't be able to enable printer sharing from their own configuration file. - -If printer sharing is enabled, a user will be able to disable printer sharing from their own configuration file to make the device more secure. +- If you do not configure this policy setting, printer redirection will be disabled. + + + > [!NOTE] > You must restart Windows Sandbox for any changes to this policy setting to take effect. + - - -ADMX Info: + +**Description framework properties**: -- GP Friendly name: *Allow printer sharing with Windows Sandbox* -- GP name: *AllowPrinterRedirection* -- GP path: *Windows Components/Windows Sandbox* -- GP ADMX file name: *WindowsSandbox.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + - - -The following are the supported values: + +**Group policy mapping**: -- 0 - Disabled -- 1 (default) - Enabled +| Name | Value | +|:--|:--| +| Name | AllowPrinterRedirection | +| Friendly Name | Allow printer sharing with Windows Sandbox | +| Location | Computer Configuration | +| Path | Windows Components > Windows Sandbox | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox | +| Registry Value Name | AllowPrinterRedirection | +| ADMX File Name | WindowsSandbox.admx | + - - + + + - - + - - + +## AllowVGPU -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**WindowsSandbox/AllowVGPU** + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowVGPU +``` + -Available in the latest Windows 10 insider preview build. + + +This policy setting is to enable or disable the virtualized GPU. - -The table below shows the applicability of Windows: +- If you enable this policy setting, vGPU will be supported in the Windows Sandbox. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you disable this policy setting, Windows Sandbox will use software rendering, which can be slower than virtualized GPU. - -
    +- If you do not configure this policy setting, vGPU will be enabled. - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows the IT admin to enable or disable virtualized GPU for Windows Sandbox. - -> [!NOTE] -> Enabling virtualized GPU can potentially increase the attack surface of Windows Sandbox. - -If this policy isn't configured, end-users get the default behavior (vGPU is disabled). - -If vGPU is disabled, a user won't be able to enable vGPU support from their own configuration file. - -If vGPU is enabled, a user will be able to disable vGPU support from their own configuration file to make the device more secure. +**Note** that enabling virtualized GPU can potentially increase the attack surface of the sandbox. + + + > [!NOTE] > You must restart Windows Sandbox for any changes to this policy setting to take effect. + - - -ADMX Info: + +**Description framework properties**: -- GP Friendly name: *Allow vGPU sharing for Windows Sandbox* -- GP name: *AllowVGPU* -- GP path: *Windows Components/Windows Sandbox* -- GP ADMX file name: *WindowsSandbox.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + - - -The following are the supported values: + +**Group policy mapping**: -- 0 (default) - Disabled -- 1 - Enabled +| Name | Value | +|:--|:--| +| Name | AllowVGPU | +| Friendly Name | Allow vGPU sharing for Windows Sandbox | +| Location | Computer Configuration | +| Path | Windows Components > Windows Sandbox | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox | +| Registry Value Name | AllowVGPU | +| ADMX File Name | WindowsSandbox.admx | + - - + + + - - + - - + +## AllowVideoInput -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**WindowsSandbox/AllowVideoInput** + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowVideoInput +``` + -Available in the latest Windows 10 insider preview build. + + +This policy setting enables or disables video input to the Sandbox. - -The table below shows the applicability of Windows: +- If you enable this policy setting, video input is enabled in Windows Sandbox. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you disable this policy setting, video input is disabled in Windows Sandbox. Applications using video input may not function properly in Windows Sandbox. - -
    +- If you do not configure this policy setting, video input will be disabled. Applications that use video input may not function properly in Windows Sandbox. - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows the IT admin to enable or disable video input to the Sandbox. - -> [!NOTE] -> There may be security implications of exposing host video input to the container. - -If this policy isn't configured, users get the default behavior (video input disabled). - -If video input is disabled, users won't be able to enable video input from their own configuration file. - -If video input is enabled, users will be able to disable video input from their own configuration file to make the device more secure. +**Note** that there may be security implications of exposing host video input to the container. + + + > [!NOTE] > You must restart Windows Sandbox for any changes to this policy setting to take effect. + - - -ADMX Info: -- GP Friendly name: *Allow video input in Windows Sandbox* -- GP name: *AllowVideoInput* -- GP path: *Windows Components/Windows Sandbox* -- GP ADMX file name: *WindowsSandbox.admx* + +**Description framework properties**: - - -The following are the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + -- 0 (default) - Disabled -- 1 - Enabled + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | AllowVideoInput | +| Friendly Name | Allow video input in Windows Sandbox | +| Location | Computer Configuration | +| Path | Windows Components > Windows Sandbox | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox | +| Registry Value Name | AllowVideoInput | +| ADMX File Name | WindowsSandbox.admx | + - - + + + - - + -
    + + + - + -## Related topics +## Related articles -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 854f98de60..2bfc6d28b5 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -1,468 +1,621 @@ --- -title: Policy CSP - WirelessDisplay -description: Use the Policy CSP - WirelessDisplay setting to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. +title: WirelessDisplay Policy CSP +description: Learn more about the WirelessDisplay Area in Policy CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - WirelessDisplay -
    + + + - -## WirelessDisplay policies + +## AllowMdnsAdvertisement -
    -
    - WirelessDisplay/AllowMdnsAdvertisement -
    -
    - WirelessDisplay/AllowMdnsDiscovery -
    -
    - WirelessDisplay/AllowMovementDetectionOnInfrastructure -
    -
    - WirelessDisplay/AllowProjectionFromPC -
    -
    - WirelessDisplay/AllowProjectionFromPCOverInfrastructure -
    -
    - WirelessDisplay/AllowProjectionToPC -
    -
    - WirelessDisplay/AllowProjectionToPCOverInfrastructure -
    -
    - WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver -
    -
    - WirelessDisplay/RequirePinForPairing -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowMdnsAdvertisement +``` + -
    + + +This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. + - -**WirelessDisplay/AllowMdnsAdvertisement** + + + - -The table below shows the applicability of Windows: + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS advertisement. + +## AllowMdnsDiscovery - - -The following list shows the supported values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -- 0 - Don't allow -- 1 - Allow + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowMdnsDiscovery +``` + - - + + +This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. + -
    + + + - -**WirelessDisplay/AllowMdnsDiscovery** + +**Description framework properties**: - -The table below shows the applicability of Windows: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowMovementDetectionOnInfrastructure - - -This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS discovery. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowMovementDetectionOnInfrastructure +``` + -- 0 - Doesn't allow -- 1 - Allow - - - - -
    - - -**WirelessDisplay/AllowMovementDetectionOnInfrastructure** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to disable the infrastructure movement detection feature. +If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you are projecting over infrastructure. +If you set it to 1, your PC will detect that you have moved and will automatically disconnect your infrastructure Wireless Display session. + -- If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you are projecting over infrastructure. + + + -- If you set it to 1, your PC will detect that you have moved and will automatically disconnect your infrastructure Wireless Display session. + +**Description framework properties**: -The default value is 1. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -- 0 - Doesn't allow -- 1 (Default) - Allow + + + - - + -
    + +## AllowPCReceiverToBeTCPServer - -**WirelessDisplay/AllowProjectionFromPC** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -The table below shows the applicability of Windows: + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowPCReceiverToBeTCPServer +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy setting allows a PC acting as a Wireless Display receiver to be a TCP server for the TCP session carrying the projection stream to the receiver. +If you set it to 0, your PC receiver will start the outbound connection as a TCP client. +If you set it to 1, your PC may receive the incoming projection as a TCP server. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowPCSenderToBeTCPClient + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowPCSenderToBeTCPClient +``` + + + + +This policy setting allows a PC acting as a Wireless Display sender to be a TCP client for the TCP session carrying the projection stream to the receiver. +If you set it to 0, your PC will only participate in an outgoing projection as a TCP server. +If you set it to 1, your PC may start an outgoing projection as a TCP client. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowProjectionFromPC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowProjectionFromPC +``` + + + + This policy allows you to turn off projection from a PC. +If you set it to 0, your PC cannot discover or project to other devices. +If you set it to 1, your PC can discover and project to other devices. + - - -The following list shows the supported values: + + + -- 0 - your PC can't discover or project to other devices. -- 1 - your PC can discover and project to other devices + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**WirelessDisplay/AllowProjectionFromPCOverInfrastructure** +| Value | Description | +|:--|:--| +| 0 | Your PC cannot discover or project to other devices. | +| 1 (Default) | Your PC can discover and project to other devices. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowProjectionFromPCOverInfrastructure - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowProjectionFromPCOverInfrastructure +``` + -
    - - - + + This policy allows you to turn off projection from a PC over infrastructure. +If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. +If you set it to 1, your PC can discover and project to other devices over infrastructure. + - - -The following list shows the supported values: + + + -- 0 - your PC can't discover or project to other infrastructure devices, although it's possible to discover and project over WiFi Direct. -- 1 - your PC can discover and project to other devices over infrastructure. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**WirelessDisplay/AllowProjectionToPC** +| Value | Description | +|:--|:--| +| 0 | Your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct. | +| 1 (Default) | Your PC can discover and project to other devices over infrastructure. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowProjectionToPC - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowProjectionToPC +``` + -
    + + +This policy setting allows you to turn off projection to a PC. - - -Allow or disallow turning off the projection to a PC. +If you turn it on, your PC isn't discoverable and can't be projected to except if the user manually launches the Wireless Display app. -If you set it to 0 (zero), your PC isn't discoverable and you can't project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. +If you turn it off or don't configure it, your PC is discoverable and can be projected to above lock screen only. The user has an option to turn it always on or off except for manual launch, too. + -Supported value type is integer. + + + - - -ADMX Info: -- GP Friendly name: *Don't allow this PC to be projected to* -- GP name: *AllowProjectionToPC* -- GP path: *Windows Components/Connect* -- GP ADMX file name: *WirelessDisplay.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 - projection to PC isn't allowed. Always off and the user can't enable it. -- 1 (default) - projection to PC is allowed. Enabled only above the lock screen. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Projection to PC is not allowed. Always off and the user cannot enable it. | +| 1 (Default) | Projection to PC is allowed. Enabled only above the lock screen. | + -
    + +**Group policy mapping**: - -**WirelessDisplay/AllowProjectionToPCOverInfrastructure** +| Name | Value | +|:--|:--| +| Name | AllowProjectionToPC | +| Friendly Name | Don't allow this PC to be projected to | +| Location | Computer Configuration | +| Path | Windows Components > Connect | +| Registry Key Name | Software\Policies\Microsoft\Windows\Connect | +| Registry Value Name | AllowProjectionToPC | +| ADMX File Name | WirelessDisplay.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowProjectionToPCOverInfrastructure - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowProjectionToPCOverInfrastructure +``` + -
    - - - + + This policy setting allows you to turn off projection to a PC over infrastructure. +If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. +If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. + - - -The following list shows the supported values: + + + -- 0 - your PC isn't discoverable and other devices can't project to it over infrastructure, although it's possible to project to it over WiFi Direct. -- 1 - your PC is discoverable and other devices can project to it over infrastructure. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** +| Value | Description | +|:--|:--| +| 0 | Your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct. | +| 1 (Default) | Your PC is discoverable and other devices can project to it over infrastructure. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowUserInputFromWirelessDisplayReceiver - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver +``` + -
    + + +Setting this policy controls whether or not the wireless display can send input-keyboard, mouse, pen, and touch input if the display supports it-back to the source device. + - - -Setting this policy controls whether or not the wireless display can send input—keyboard, mouse, pen, and touch input if the display supports it—back to the source device. + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 - Wireless display input disabled. -- 1 (default) - Wireless display input enabled. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Wireless display input disabled. | +| 1 (Default) | Wireless display input enabled. | + - -**WirelessDisplay/RequirePinForPairing** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## RequirePinForPairing - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/RequirePinForPairing +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting allows you to require a pin for pairing. -
    +If you set this to 'Never', a pin isn't required for pairing. - - -Allow or disallow requirement for a PIN for pairing. +If you set this to 'First Time', the pairing ceremony for new devices will always require a PIN. -If you turn on this policy, the pairing ceremony for new devices will always require a PIN. If you turn off this policy or don't configure it, a PIN isn't required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. +If you set this to 'Always', all pairings will require PIN. + -Supported value type is integer. + + + - - -ADMX Info: -- GP Friendly name: *Require pin for pairing* -- GP name: *RequirePinForPairing* -- GP path: *Windows Components/Connect* -- GP ADMX file name: *WirelessDisplay.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- 0 (default) - PIN isn't required. -- 1 - PIN is required. + +**Allowed values**: - - -
    +| Value | Description | +|:--|:--| +| 0 (Default) | PIN is not required. | +| 1 | Pairing ceremony for new devices will always require a PIN. | +| 2 | All pairings will require PIN. | + - + +**Group policy mapping**: -CSP Article: +| Name | Value | +|:--|:--| +| Name | RequirePinForPairing | +| Friendly Name | Require pin for pairing | +| Location | Computer Configuration | +| Path | Windows Components > Connect | +| Registry Key Name | Software\Policies\Microsoft\Windows\Connect | +| Registry Value Name | RequirePinForPairing | +| ADMX File Name | WirelessDisplay.admx | + -## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md deleted file mode 100644 index 07c6ded973..0000000000 --- a/windows/client-management/mdm/policy-ddf-file.md +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -title: Policy DDF file -description: Learn about the OMA DM device description framework (DDF) for the Policy configuration service provider. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 10/28/2020 ---- - -# Policy DDF file - -This topic shows the OMA DM device description framework (DDF) for the **Policy** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -You can view various Policy DDF files by clicking the following links: - -- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml) -- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml) -- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml) -- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml) -- [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml) -- [View the Policy DDF file for Windows 10, version 1803 release C](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml) -- [View the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml) -- [View the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml) -- [View the Policy DDF 
file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml) -- [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) - -You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-ddf.md). diff --git a/windows/client-management/mdm/printerprovisioning-csp.md b/windows/client-management/mdm/printerprovisioning-csp.md new file mode 100644 index 0000000000..ff490d38c4 --- /dev/null +++ b/windows/client-management/mdm/printerprovisioning-csp.md @@ -0,0 +1,318 @@ +--- +title: PrinterProvisioning CSP +description: Learn more about the PrinterProvisioning CSP. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/28/2023 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# PrinterProvisioning CSP + + + + + + +The following list shows the PrinterProvisioning configuration service provider nodes: + +- ./User/Vendor/MSFT/PrinterProvisioning + - [UPPrinterInstalls](#upprinterinstalls) + - [{PrinterSharedID}](#upprinterinstallsprintersharedid) + - [CloudDeviceID](#upprinterinstallsprintersharedidclouddeviceid) + - [ErrorCode](#upprinterinstallsprintersharediderrorcode) + - [Install](#upprinterinstallsprintersharedidinstall) + - [PrinterSharedName](#upprinterinstallsprintersharedidprintersharedname) + - [Status](#upprinterinstallsprintersharedidstatus) + + + +## UPPrinterInstalls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1806] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1806] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1806] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PrinterProvisioning/UPPrinterInstalls
+```
+
+
+
+
+This setting will take the action on the specified user account to install or uninstall the specified printer. Install action is selected by default.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### UPPrinterInstalls/{PrinterSharedID}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1806] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1806] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1806] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PrinterProvisioning/UPPrinterInstalls/{PrinterSharedID}
+```
+
+
+
+
+Identifies the Universal Print printer, by its Share ID, you wish to install on the targeted user account. The printer's Share ID can be found in the printer's properties via the Universal Print portal. **Note** the targeted user account must have access rights to both the printer and to the Universal Print service.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: PrinterSharedID from the Universal Print system, which is used to discover and install Univeral Print printer |
+
+
+
+
+
+
+
+
+
+#### UPPrinterInstalls/{PrinterSharedID}/CloudDeviceID
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1806] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1806] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1806] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PrinterProvisioning/UPPrinterInstalls/{PrinterSharedID}/CloudDeviceID
+```
+
+
+
+
+Identifies the Universal Print printer, by its Printer ID, you wish to install on the targeted user account. The printer's Printer ID can be found in the printer's properties via the Universal Print portal. **Note** the targeted user account must have access rights to both the printer and to the Universal Print service.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### UPPrinterInstalls/{PrinterSharedID}/ErrorCode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1806] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1806] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1806] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PrinterProvisioning/UPPrinterInstalls/{PrinterSharedID}/ErrorCode
+```
+
+
+
+
+HRESULT of the last installation returned code.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### UPPrinterInstalls/{PrinterSharedID}/Install
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1806] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1806] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1806] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PrinterProvisioning/UPPrinterInstalls/{PrinterSharedID}/Install
+```
+
+
+
+
+Support async execute. Install Universal Print printer.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | null |
+| Access Type | Exec, Get |
+
+
+
+
+
+
+
+
+
+#### UPPrinterInstalls/{PrinterSharedID}/PrinterSharedName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1806] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1806] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1806] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PrinterProvisioning/UPPrinterInstalls/{PrinterSharedID}/PrinterSharedName
+```
+
+
+
+
+Identifies the Universal Print printer, by its Share Name, you wish to install on the targeted user account. The printer's Share Name can be found in the printer's properties via the Universal Print portal. **Note** the targeted user account must have access rights to both the printer and to the Universal Print service.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### UPPrinterInstalls/{PrinterSharedID}/Status
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1806] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1806] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1806] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/PrinterProvisioning/UPPrinterInstalls/{PrinterSharedID}/Status +``` + + + + +1 finished installation successfully, 2 installation in progress after receiving execute cmd, 4 installation failed, 8 installation initial status, 32 unknown (not used). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/printerprovisioning-ddf-file.md b/windows/client-management/mdm/printerprovisioning-ddf-file.md new file mode 100644 index 0000000000..811b19bdc0 --- /dev/null +++ b/windows/client-management/mdm/printerprovisioning-ddf-file.md 
@@ -0,0 +1,224 @@ +--- +title: PrinterProvisioning DDF file +description: View the XML file containing the device description framework (DDF) for the PrinterProvisioning configuration service provider. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/17/2023 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + +# PrinterProvisioning DDF file + +The following XML file contains the device description framework (DDF) for the PrinterProvisioning configuration service provider. + +```xml + +]> + + 1.2 + + + + PrinterProvisioning + ./User/Vendor/MSFT + + + + + Printer Provisioning + + + + + + + + + + + + + + 10.0.22000, 10.0.19044.1806, 10.0.19043.1806, 10.0.19042.1806 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + UPPrinterInstalls + + + + + This setting will take the action on the specified user account to install or uninstall the specified printer. Install action is selected by default. + + + + + + + + + + + + + + + + + + + + + + + Identifies the Universal Print printer, by its Share ID, you wish to install on the targeted user account. The printer's Share ID can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service. + + + + + + + + + + PrinterSharedID + + + + + PrinterSharedID from the Universal Print system, which is used to discover and install Univeral Print printer + + + + CloudDeviceID + + + + + + + + Identifies the Universal Print printer, by its Printer ID, you wish to install on the targeted user account. The printer's Printer ID can be found in the printer's properties via the Universal Print portal. 
Note: the targeted user account must have access rights to both the printer and to the Universal Print service. + + + + + + + + + + + + + + + + + + Install + + + + + + Support async execute. Install Universal Print printer. + + + + + + + + + + + + + + + + Status + + + + + 1 finished installation successfully, 2 installation in progress after receiving execute cmd, 4 installation failed, 8 installation initial status, 32 unknown (not used). + + + + + + + + + + + + + + + + ErrorCode + + + + + HRESULT of the last installation returned code. + + + + + + + + + + + + + + + + PrinterSharedName + + + + + + + + Identifies the Universal Print printer, by its Share Name, you wish to install on the targeted user account. The printer's Share Name can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service. + + + + + + + + + + + + + + + + + + + + +``` + +## Related articles + +[PrinterProvisioning configuration service provider reference](printerprovisioning-csp.md) diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 1f1ced6498..c341176e4b 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md 
@@ -1,79 +1,198 @@ --- title: Reboot CSP -description: Learn how the Reboot configuration service provider (CSP) is used to configure reboot settings. -ms.reviewer: +description: Learn more about the Reboot CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.topic: reference --- + + + # Reboot CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The Reboot configuration service provider is used to configure reboot settings. + -The following shows the Reboot configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. + +The following list shows the Reboot configuration service provider nodes: +- ./Device/Vendor/MSFT/Reboot + - [RebootNow](#rebootnow) + - [Schedule](#schedule) + - [DailyRecurrent](#scheduledailyrecurrent) + - [Single](#schedulesingle) + + + +## RebootNow + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Reboot/RebootNow ``` -./Device/Vendor/MSFT -Reboot -----RebootNow -----Schedule ---------Single ---------DailyRecurrent + + + + +This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work. If this node is set to execute during a sync session, the device will reboot at the end of the sync session. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec, Get | + + + + + + + + + +## Schedule + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Reboot/Schedule ``` + -**./Vendor/MSFT/Reboot** - -The root node for the Reboot configuration service provider. - + + The supported operation is Get. + -**RebootNow** + + + -This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work. + +**Description framework properties**: -> [!NOTE] -> If this node is set to execute during a sync session, the device will reboot at the end of the sync session. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -The supported operations are Execute and Get. + + + -**Schedule** + -The supported operation is Get. + +### Schedule/DailyRecurrent -**Schedule/Single** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required. -Example to configure: 2018-10-25T18:00:00 + +```Device +./Device/Vendor/MSFT/Reboot/Schedule/DailyRecurrent +``` + -Setting a null (empty) date will delete the existing schedule. In accordance with the ISO 8601 format, the date and time representation needs to be 0000-00-00T00:00:00. + + +Value in ISO8601, time is required. A reboot will be scheduled each day at the configured time starting at the date and time. Setting a null (empty) date will delete the existing schedule. + -- The supported operations are Get, Add, Replace, and Delete. -- The supported data type is "String". + + + -**Schedule/DailyRecurrent** + +**Description framework properties**: -This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00. -Example to configure: 2018-10-25T18:00:00 +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- The supported operations are Get, Add, Replace, and Delete. -- The supported data type is "String". + + + -## Related topics + -[Configuration service provider reference](index.yml) + +### Schedule/Single + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Reboot/Schedule/Single +``` + + + + +Value in ISO8601, both the date and time are required. A reboot will be scheduled at the configured date time. Setting a null (empty) date will delete the existing schedule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index 0b5f03a5ba..a1f1988804 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md 
@@ -1,158 +1,157 @@ --- title: Reboot DDF file -description: This topic shows the OMA DM device description framework (DDF) for the Reboot configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the Reboot configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # Reboot DDF file -This topic shows the OMA DM device description framework (DDF) for the **Reboot** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the Reboot configuration service provider. ```xml -]> +]> 1.2 + + + + Reboot + ./Device/Vendor/MSFT + + + + + The root node for the Reboot configuration service provider. + + + + + + + + + + + + + + 10.0.14393 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + RebootNow + + + + + + This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work. If this node is set to execute during a sync session, the device will reboot at the end of the sync session. + + + + + + + + + + RebootNow + + + + + + + Schedule + + + + + The supported operation is Get. + + + + + + + + + + + + + - Reboot - ./Device/Vendor/MSFT + Single + + + + Value in ISO8601, both the date and time are required. A reboot will be scheduled at the configured date time. 
Setting a null (empty) date will delete the existing schedule. - + - + + Single - + + + - - RebootNow - - - - - - - - - - - - - - - RebootNow - - text/plain - - - - - Schedule - - - - - - - - - - - - - - - - - - - Single - - - - - - - - Value in ISO8601, both the date and time are required. A reboot will be scheduled at the configured date time. Setting a null (empty) date will delete the existing schedule. - - - - - - - - - - Single - - text/plain - - - - - DailyRecurrent - - - - - - - - Value in ISO8601, time is required. A reboot will be scheduled each day at the configured time starting at the date and time. Setting a null (empty) date will delete the existing schedule. - - - - - - - - - - DailyRecurrent - - text/plain - - - - + + DailyRecurrent + + + + + + + + Value in ISO8601, time is required. A reboot will be scheduled each day at the configured time starting at the date and time. Setting a null (empty) date will delete the existing schedule. + + + + + + + + + + DailyRecurrent + + + + + + + + + - ``` -## Related topics - -[Reboot CSP](reboot-csp.md) - -  - -  - - - - - +## Related articles +[Reboot configuration service provider reference](reboot-csp.md) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index f1ad46c81f..89cac77fc9 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md 
@@ -1,104 +1,485 @@ --- title: RemoteWipe CSP -description: Learn how the RemoteWipe configuration service provider (CSP) can be used by mobile operators DM server or enterprise management server to remotely wipe a device. -ms.reviewer: +description: Learn more about the RemoteWipe CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2018 +ms.topic: reference --- + + + # RemoteWipe CSP -The table below shows the applicability of Windows: + + +The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen. Enterprise IT Professionals can update these settings by using the Exchange Server. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +The following list shows the RemoteWipe configuration service provider nodes: -The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen. 
+- ./Device/Vendor/MSFT/RemoteWipe + - [AutomaticRedeployment](#automaticredeployment) + - [doAutomaticRedeployment](#automaticredeploymentdoautomaticredeployment) + - [LastError](#automaticredeploymentlasterror) + - [Status](#automaticredeploymentstatus) + - [doWipe](#dowipe) + - [doWipeCloud](#dowipecloud) + - [doWipeCloudPersistProvisionedData](#dowipecloudpersistprovisioneddata) + - [doWipeCloudPersistUserData](#dowipecloudpersistuserdata) + - [doWipePersistProvisionedData](#dowipepersistprovisioneddata) + - [doWipePersistUserData](#dowipepersistuserdata) + - [doWipeProtected](#dowipeprotected) + -The following example shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server. + +## AutomaticRedeployment + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/AutomaticRedeployment ``` -./Vendor/MSFT -RemoteWipe -----doWipe -----doWipePersistProvisionedData -----doWipeProtected -----doWipePersistUserData -----AutomaticRedeployment ---------doAutomaticRedeployment ---------LastError ---------Status + + + + +Node for the Autopilot Reset operation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### AutomaticRedeployment/doAutomaticRedeployment + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/AutomaticRedeployment/doAutomaticRedeployment ``` + -**doWipe** -Exec on this node starts a remote reset of the device. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the PC will attempt to roll-back to the pre-reset state. If the PC can't be rolled-back, the recovery environment will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled. + + +Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. + -When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. + + + -Supported operation is Exec. + +**Description framework properties**: -**doWipePersistProvisionedData** -Exec on this node specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + -When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. + + + -Supported operation is Exec. + -The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. + +### AutomaticRedeployment/LastError -**doWipeProtected** -Added in Windows 10, version 1703. 
Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command, but not whether the reset was successful. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, if a reset that uses doWipeProtected is interrupted, upon restart it will clean the PC's disk partitions. Because doWipeProtected will clean the partitions in case of failure or interruption, use doWipeProtected in lost/stolen device scenarios. + +```Device +./Device/Vendor/MSFT/RemoteWipe/AutomaticRedeployment/LastError +``` + -Supported operation is Exec. + + +Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT). + -**doWipePersistUserData** -Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. + + + -**AutomaticRedeployment** -Added in Windows 10, version 1809. Node for the Autopilot Reset operation. + +**Description framework properties**: -**AutomaticRedeployment/doAutomaticRedeployment** -Added in Windows 10, version 1809. Exec on this node triggers Autopilot Reset operation. This node works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + -**AutomaticRedeployment/LastError** -Added in Windows 10, version 1809. Error value, if any, associated with Autopilot Reset operation (typically an HRESULT). + + + -**AutomaticRedeployment/Status** -Added in Windows 10, version 1809. Status value indicating current state of an Autopilot Reset operation. 
+ -Supported values: + +### AutomaticRedeployment/Status -- 0: Never run (not started). The default state. -- 1: Complete. -- 10: Reset has been scheduled. -- 20: Reset is scheduled and waiting for a reboot. -- 30: Failed during CSP Execute ("Exec" in SyncML). -- 40: Failed: power requirements not met. -- 50: Failed: reset internals failed during reset attempt. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -## Related topics + +```Device +./Device/Vendor/MSFT/RemoteWipe/AutomaticRedeployment/Status +``` + -[Configuration service provider reference](index.yml) + + +Status value indicating current state of an Automatic Redeployment operation. 0: Never run (not started). The default state. 1: Complete. 10: Reset has been scheduled. 20: Reset is scheduled and waiting for a reboot. 30: Failed during CSP Execute ("Exec" in SyncML). 40: Failed: power requirements not met. 50: Failed: reset internals failed during reset attempt. + -  + + + -  + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + + + + + + +## doWipe + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + +```Device +./Device/Vendor/MSFT/RemoteWipe/doWipe +``` + + + + +Exec on this node will perform a remote wipe on the device. The return status code shows whether the device accepted the Exec command. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. + + + + +A remote reset is equivalent to running **Reset this PC** > **Remove everything** from the **Settings** app, with **Clean Data** set to No and **Delete Files** set to Yes. If a doWipe reset is started and then interrupted, the PC will attempt to roll-back to the pre-reset state. If the PC can't be rolled-back, the recovery environment will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + +## doWipeCloud + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/doWipeCloud +``` + + + + +Exec on this node will perform a cloud-based remote wipe on the device. The return status code shows whether the device accepted the Exec command. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + +## doWipeCloudPersistProvisionedData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/doWipeCloudPersistProvisionedData +``` + + + + +Exec on this node will back up provisioning data to a persistent location and perform a cloud-based remote wipe on the device. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + +## doWipeCloudPersistUserData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/doWipeCloudPersistUserData +``` + + + + +Exec on this node will perform a cloud-based remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + +## doWipePersistProvisionedData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/doWipePersistProvisionedData +``` + + + + +Exec on this node will back up provisioning data to a persistent location and perform a remote wipe on the device. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. + + + + +Provisioning packages are persisted in `%SystemDrive%\ProgramData\Microsoft\Provisioning` directory. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + +## doWipePersistUserData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/doWipePersistUserData +``` + + + + +Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. + + + + + This setting is equivalent to selecting **Reset this PC** > **Keep my files** when manually starting a reset from the Settings app. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + +## doWipeProtected + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/RemoteWipe/doWipeProtected +``` + + + + +Exec on this node will perform a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code shows whether the device accepted the Exec command. The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it's done. + + + + +> [!NOTE] +> Because doWipeProtected will clean the partitions in case of failure or interruption, use doWipeProtected in lost/stolen device scenarios. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md index 26bd073966..1bc56998aa 100644 --- a/windows/client-management/mdm/remotewipe-ddf-file.md +++ b/windows/client-management/mdm/remotewipe-ddf-file.md 
@@ -1,225 +1,319 @@ --- title: RemoteWipe DDF file -description: Learn about the OMA DM device description framework (DDF) for the RemoteWipe configuration service provider. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the RemoteWipe configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2018 +ms.topic: reference --- + + # RemoteWipe DDF file -This topic shows the OMA DM device description framework (DDF) for the **RemoteWipe** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the DDF for Windows 10, version 1809. +The following XML file contains the device description framework (DDF) for the RemoteWipe configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + RemoteWipe + ./Device/Vendor/MSFT + + + + + The root node for remote wipe function. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF; + + - RemoteWipe - ./Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/1.1/MDM/RemoteWipe - - The root node for remote wipe function. - - - doWipe - - - - - - - - - - - - - - - text/plain - - Exec on this node will perform a remote wipe on the device. The return status code shows whether the device accepted the Exec command. - - - - doWipePersistProvisionedData - - - - - - - - - - - - - - - text/plain - - Exec on this node will back up provisioning data to a persistent location and perform a remote wipe on the device. 
The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. - - - - doWipeProtected - - - - - - - - - - - - - - - text/plain - - Exec on this node will perform a remote wipe on the device, and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code shows whether the device accepted the Exec command. - - - - doWipePersistUserData - - - - - - - - - - - - - - - text/plain - - Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. - - - - AutomaticRedeployment - - - - - - - - - - - - - - - - - - - doAutomaticRedeployment - - - - - - - - - - - - - - - - text/plain - - - - - LastError - - - - - 0 - Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT). - - - - - - - - - - - text/plain - - - - - Status - - - - - 0 - Status value indicating current state of an Automatic Redeployment operation. 0: Never run (not started). The default state. 1: Complete. 10: Reset has been scheduled. 20: Reset is scheduled and waiting for a reboot. 30: Failed during CSP Execute ("Exec" in SyncML). 40: Failed: power requirements not met. 50: Failed: reset internals failed during reset attempt. - - - - - - - - - - - text/plain - - - - + doWipe + + + + + Exec on this node will perform a remote wipe on the device. The return status code shows whether the device accepted the Exec command. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. 
+ + + + + + + + + + + + + + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF; + + + + doWipePersistProvisionedData + + + + + Exec on this node will back up provisioning data to a persistent location and perform a remote wipe on the device. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. + + + + + + + + + + + + + + + + doWipeProtected + + + + + Exec on this node will perform a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code shows whether the device accepted the Exec command. The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. + + + + + + + + + + + + + + 10.0.15063 + 1.1 + + + + + doWipePersistUserData + + + + + Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. + + + + + + + + + + + + + + 10.0.16299 + 1.1 + + + + + doWipeCloud + + + + + Exec on this node will perform a cloud-based remote wipe on the device. The return status code shows whether the device accepted the Exec command. + + + + + + + + + + + + + + 10.0.22621 + 1.1 + + + + + doWipeCloudPersistUserData + + + + + Exec on this node will perform a cloud-based remote reset on the device and persist user accounts and data. 
The return status code shows whether the device accepted the Exec command. + + + + + + + + + + + + + + 10.0.22621 + 1.1 + + + + + doWipeCloudPersistProvisionedData + + + + + Exec on this node will back up provisioning data to a persistent location and perform a cloud-based remote wipe on the device. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. + + + + + + + + + + + + + + 10.0.22621 + 1.1 + + + + + AutomaticRedeployment + + + + + Node for the Autopilot Reset operation. + + + + + + + + + + + + + + 10.0.17763 + 1.1 + + + + doAutomaticRedeployment + + + + + Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. + + + + + + + + + + + + + + + + LastError + + + + + 0 + Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT). + + + + + + + + + + + + + + + + Status + + + + + 0 + Status value indicating current state of an Automatic Redeployment operation. 0: Never run (not started). The default state. 1: Complete. 10: Reset has been scheduled. 20: Reset is scheduled and waiting for a reboot. 30: Failed during CSP Execute ("Exec" in SyncML). 40: Failed: power requirements not met. 50: Failed: reset internals failed during reset attempt. + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles -[RemoteWipe CSP](remotewipe-csp.md) \ No newline at end of file +[RemoteWipe configuration service provider reference](remotewipe-csp.md) diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md index 13ec3d35cc..4375aed8a9 100644 --- a/windows/client-management/mdm/rootcacertificates-csp.md 
+++ b/windows/client-management/mdm/rootcacertificates-csp.md 
@@ -1,120 +1,3573 @@ --- title: RootCATrustedCertificates CSP -description: Learn how the RootCATrustedCertificates configuration service provider (CSP) enables the enterprise to set the Root Certificate Authority (CA) certificates. -ms.reviewer: +description: Learn more about the RootCATrustedCertificates CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/06/2018 +ms.topic: reference --- + + + # RootCATrustedCertificates CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The RootCATrustedCertificates configuration service provider enables the enterprise to set the Root Certificate Authority (CA) certificates. -> [!Note] -> The **./User/** configuration is not supported for **RootCATrustedCertificates/Root/**. +> [!NOTE] +> `./User` configuration is not supported for `RootCATrustedCertificates/Root`. + -The following example shows the RootCATrustedCertificates configuration service provider in tree format. 
+ +The following list shows the RootCATrustedCertificates configuration service provider nodes: -Detailed specification of the principal root nodes: +- ./Device/Vendor/MSFT/RootCATrustedCertificates + - [CA](#deviceca) + - [{CertHash}](#devicecacerthash) + - [EncodedCertificate](#devicecacerthashencodedcertificate) + - [IssuedBy](#devicecacerthashissuedby) + - [IssuedTo](#devicecacerthashissuedto) + - [TemplateName](#devicecacerthashtemplatename) + - [ValidFrom](#devicecacerthashvalidfrom) + - [ValidTo](#devicecacerthashvalidto) + - [OemEsim](#deviceoemesim) + - [{CertHash}](#deviceoemesimcerthash) + - [EncodedCertificate](#deviceoemesimcerthashencodedcertificate) + - [IssuedBy](#deviceoemesimcerthashissuedby) + - [IssuedTo](#deviceoemesimcerthashissuedto) + - [TemplateName](#deviceoemesimcerthashtemplatename) + - [ValidFrom](#deviceoemesimcerthashvalidfrom) + - [ValidTo](#deviceoemesimcerthashvalidto) + - [Root](#deviceroot) + - [{CertHash}](#devicerootcerthash) + - [EncodedCertificate](#devicerootcerthashencodedcertificate) + - [IssuedBy](#devicerootcerthashissuedby) + - [IssuedTo](#devicerootcerthashissuedto) + - [TemplateName](#devicerootcerthashtemplatename) + - [ValidFrom](#devicerootcerthashvalidfrom) + - [ValidTo](#devicerootcerthashvalidto) + - [TrustedPeople](#devicetrustedpeople) + - [{CertHash}](#devicetrustedpeoplecerthash) + - [EncodedCertificate](#devicetrustedpeoplecerthashencodedcertificate) + - [IssuedBy](#devicetrustedpeoplecerthashissuedby) + - [IssuedTo](#devicetrustedpeoplecerthashissuedto) + - [TemplateName](#devicetrustedpeoplecerthashtemplatename) + - [ValidFrom](#devicetrustedpeoplecerthashvalidfrom) + - [ValidTo](#devicetrustedpeoplecerthashvalidto) + - [TrustedPublisher](#devicetrustedpublisher) + - [{CertHash}](#devicetrustedpublishercerthash) + - [EncodedCertificate](#devicetrustedpublishercerthashencodedcertificate) + - [IssuedBy](#devicetrustedpublishercerthashissuedby) + - [IssuedTo](#devicetrustedpublishercerthashissuedto) + - 
[TemplateName](#devicetrustedpublishercerthashtemplatename) + - [ValidFrom](#devicetrustedpublishercerthashvalidfrom) + - [ValidTo](#devicetrustedpublishercerthashvalidto) + - [UntrustedCertificates](#deviceuntrustedcertificates) + - [{CertHash}](#deviceuntrustedcertificatescerthash) + - [EncodedCertificate](#deviceuntrustedcertificatescerthashencodedcertificate) + - [IssuedBy](#deviceuntrustedcertificatescerthashissuedby) + - [IssuedTo](#deviceuntrustedcertificatescerthashissuedto) + - [TemplateName](#deviceuntrustedcertificatescerthashtemplatename) + - [ValidFrom](#deviceuntrustedcertificatescerthashvalidfrom) + - [ValidTo](#deviceuntrustedcertificatescerthashvalidto) +- ./User/Vendor/MSFT/RootCATrustedCertificates + - [CA](#userca) + - [{CertHash}](#usercacerthash) + - [EncodedCertificate](#usercacerthashencodedcertificate) + - [IssuedBy](#usercacerthashissuedby) + - [IssuedTo](#usercacerthashissuedto) + - [TemplateName](#usercacerthashtemplatename) + - [ValidFrom](#usercacerthashvalidfrom) + - [ValidTo](#usercacerthashvalidto) + - [OemEsim](#useroemesim) + - [{CertHash}](#useroemesimcerthash) + - [EncodedCertificate](#useroemesimcerthashencodedcertificate) + - [IssuedBy](#useroemesimcerthashissuedby) + - [IssuedTo](#useroemesimcerthashissuedto) + - [TemplateName](#useroemesimcerthashtemplatename) + - [ValidFrom](#useroemesimcerthashvalidfrom) + - [ValidTo](#useroemesimcerthashvalidto) + - [TrustedPeople](#usertrustedpeople) + - [{CertHash}](#usertrustedpeoplecerthash) + - [EncodedCertificate](#usertrustedpeoplecerthashencodedcertificate) + - [IssuedBy](#usertrustedpeoplecerthashissuedby) + - [IssuedTo](#usertrustedpeoplecerthashissuedto) + - [TemplateName](#usertrustedpeoplecerthashtemplatename) + - [ValidFrom](#usertrustedpeoplecerthashvalidfrom) + - [ValidTo](#usertrustedpeoplecerthashvalidto) + - [TrustedPublisher](#usertrustedpublisher) + - [{CertHash}](#usertrustedpublishercerthash) + - [EncodedCertificate](#usertrustedpublishercerthashencodedcertificate) 
+ - [IssuedBy](#usertrustedpublishercerthashissuedby) + - [IssuedTo](#usertrustedpublishercerthashissuedto) + - [TemplateName](#usertrustedpublishercerthashtemplatename) + - [ValidFrom](#usertrustedpublishercerthashvalidfrom) + - [ValidTo](#usertrustedpublishercerthashvalidto) + - [UntrustedCertificates](#useruntrustedcertificates) + - [{CertHash}](#useruntrustedcertificatescerthash) + - [EncodedCertificate](#useruntrustedcertificatescerthashencodedcertificate) + - [IssuedBy](#useruntrustedcertificatescerthashissuedby) + - [IssuedTo](#useruntrustedcertificatescerthashissuedto) + - [TemplateName](#useruntrustedcertificatescerthashtemplatename) + - [ValidFrom](#useruntrustedcertificatescerthashvalidfrom) + - [ValidTo](#useruntrustedcertificatescerthashvalidto) + + + +## Device/CA + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA ``` -./Vendor/MSFT -RootCATrustedCertificates -----Root ---------CertHash -------------EncodedCertificate -------------IssuedBy -------------IssuedTo -------------ValidFrom -------------ValidTo -------------TemplateName -----CA ---------CertHash -------------EncodedCertificate -------------IssuedBy -------------IssuedTo -------------ValidFrom -------------ValidTo -------------TemplateName -----TrustedPublisher ---------CertHash -------------EncodedCertificate -------------IssuedBy -------------IssuedTo -------------ValidFrom -------------ValidTo -------------TemplateName -----TrustedPeople ---------CertHash -------------EncodedCertificate -------------IssuedBy -------------IssuedTo -------------ValidFrom -------------ValidTo -------------TemplateName -``` -**Device or User** -For device certificates, use **./Device/Vendor/MSFT** path, and for user certificates use **./User/Vendor/MSFT** path. + -**RootCATrustedCertificates** -The root node for the RootCATrustedCertificates configuration service provider. - -**RootCATrustedCertificates/Root/** -Defines the certificate store that contains root or self-signed certificates, in this case, the computer store. - -> [!Note] -> The **./User/** configuration is not supported for **RootCATrustedCertificates/Root/**. - -**RootCATrustedCertificates/CA** + + Node for CA certificates. + -**RootCATrustedCertificates/TrustedPublisher** -Node for trusted publisher certificates. + + + -**RootCATrustedCertificates/TrustedPeople** + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/CA/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### Device/CA/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/CA/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/CA/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/CA/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/CA/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/CA/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Device/OemEsim + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim +``` + + + + +Node for OEM eSIM certificates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/OemEsim/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### Device/OemEsim/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/OemEsim/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/OemEsim/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/OemEsim/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/OemEsim/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/OemEsim/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Device/Root + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root +``` + + + + +Defines the certificate store that contains root, or self-signed certificates, in this case, the computer store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/Root/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | + + + + + + + + + +#### Device/Root/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### Device/Root/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/Root/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/Root/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/Root/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/Root/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/Root/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Device/TrustedPeople + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople +``` + + + + Node for trusted people certificates. + -**RootCATrustedCertificates/UntrustedCertificates** -Added in Windows 10, version 1803. Node for certificates that aren't trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. + + + -**_CertHash_** -Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. This node is common for all the principal root nodes. The supported operations are Get and Delete. + +**Description framework properties**: -The following nodes are all common to the **_CertHash_** node: +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -- **/EncodedCertificate** -Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. The supported operations are Add, Get, and Replace. + + + -- **/IssuedBy** -Returns the name of the certificate issuer. This name is equivalent to the **Issuer** member in the CERT\_INFO data structure. The only supported operation is Get. + -- **/IssuedTo** -Returns the name of the certificate subject. This name is equivalent to the **Subject** member in the CERT\_INFO data structure. The only supported operation is Get. + +### Device/TrustedPeople/{CertHash} -- **/ValidFrom** -Returns the starting date of the certificate's validity. This date is equivalent to the **NotBefore** member in the CERT\_INFO data structure. The only supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -- **/ValidTo** -Returns the expiration date of the certificate. This date is equivalent to the **NotAfter** member in the CERT\_INFO data structure. The only supported operation is Get. + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash} +``` + -- **/TemplateName** -Returns the certificate template name. The only supported operation is Get. + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + -## Related topics + + + -[Configuration service provider reference](index.yml) + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### Device/TrustedPeople/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/TrustedPeople/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPeople/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPeople/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPeople/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPeople/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Device/TrustedPublisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher +``` + + + + +Node for trusted publisher certificates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/TrustedPublisher/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### Device/TrustedPublisher/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/TrustedPublisher/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPublisher/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPublisher/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPublisher/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/TrustedPublisher/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## Device/UntrustedCertificates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates +``` + + + + +Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/UntrustedCertificates/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### Device/UntrustedCertificates/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/UntrustedCertificates/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/UntrustedCertificates/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/UntrustedCertificates/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/UntrustedCertificates/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/UntrustedCertificates/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## User/CA + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA +``` + + + + +Node for CA certificates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/CA/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### User/CA/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/CA/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/CA/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/CA/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/CA/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/CA/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/CA/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## User/OemEsim + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim +``` + + + + +Node for OEM eSIM certificates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/OemEsim/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### User/OemEsim/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/OemEsim/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/OemEsim/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/OemEsim/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/OemEsim/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/OemEsim/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/OemEsim/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## User/TrustedPeople + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople +``` + + + + +Node for trusted people certificates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/TrustedPeople/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### User/TrustedPeople/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/TrustedPeople/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPeople/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPeople/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPeople/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPeople/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPeople/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## User/TrustedPublisher + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher +``` + + + + +Node for trusted publisher certificates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/TrustedPublisher/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### User/TrustedPublisher/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/TrustedPublisher/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPublisher/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPublisher/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPublisher/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/TrustedPublisher/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## User/UntrustedCertificates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates +``` + + + + +Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/UntrustedCertificates/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash} +``` + + + + +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. | + + + + + + + + + +#### User/UntrustedCertificates/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/EncodedCertificate +``` + + + + +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/UntrustedCertificates/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/IssuedBy +``` + + + + +Returns the name of the certificate issuer. This is equivalent to the Issuer member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/UntrustedCertificates/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/IssuedTo +``` + + + + +Returns the name of the certificate subject. This is equivalent to the Subject member in the [CERT_INFO data structure](/windows/win32/api/wincrypt/ns-wincrypt-cert_info). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/UntrustedCertificates/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. Supported operation is Get. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/UntrustedCertificates/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/ValidFrom +``` + + + + +Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/UntrustedCertificates/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/RootCATrustedCertificates/UntrustedCertificates/{CertHash}/ValidTo +``` + + + + +Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md index 9f73b6023a..d12b3ffc21 100644 --- a/windows/client-management/mdm/rootcacertificates-ddf-file.md +++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md 
@@ -1,1990 +1,2284 @@ --- title: RootCATrustedCertificates DDF file -description: Learn about the OMA DM device description framework (DDF) for the RootCACertificates configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the RootCATrustedCertificates configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/24/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/07/2018 +ms.topic: reference --- + + # RootCATrustedCertificates DDF file -This topic shows the OMA DM device description framework (DDF) for the **RootCACertificates** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 1803. +The following XML file contains the device description framework (DDF) for the RootCATrustedCertificates configuration service provider. ```xml -]> +]> 1.2 + + + + RootCATrustedCertificates + ./User/Vendor/MSFT + + + + + The root node for the RootCATrustedCertificates configuration service provider. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + CA + + + + + Node for CA certificates. + + + + + + + + + + + + + + + + - RootCATrustedCertificates - ./User/Vendor/MSFT + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value - + - + + CertHash - com.microsoft/1.1/MDM/RootCATrustedCertificates + + + + + + Defines the SHA1 hash for the certificate. 
The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + - Root + EncodedCertificate + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - + - + - - - - + + + - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - - CA + IssuedBy + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - + - + - - - - + - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. 
- - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - text/plain - - - - - TrustedPublisher + IssuedTo + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - + - + - - - - + - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. 
- - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - - TrustedPeople + ValidFrom + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - + - + - - - - + - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. 
- - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - - UntrustedCertificates + ValidTo + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure - + - + - - - - + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. 
- - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - + + + OemEsim + + + + + Node for OEM eSIM certificates. + + + + + + + + + + + + + + + + + 10.0.22000 + 1.2 + + - RootCATrustedCertificates - ./Device/Vendor/MSFT + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value - + - + + CertHash - com.microsoft/1.1/MDM/RootCATrustedCertificates + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + - Root + EncodedCertificate + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - + - + + + + - - - + + - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. 
- - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - - CA + IssuedBy + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - + - + + + + - - - - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - text/plain - - - - - TrustedPublisher + IssuedTo + Returns the name of the certificate subject. 
This is equivalent to the Subject member in the CERT_INFO data structure. - + - + + + + - - - - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - - TrustedPeople + ValidFrom + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - + - + + + + - - - - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. 
The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - - UntrustedCertificates + ValidTo + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure - + - + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + - - - - - - - - - - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. - - - - - - - - - - - - - CertHash - - - - - - EncodedCertificate - - - - - - - Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - - - - - - - - - - - - - - - - - - - IssuedBy - - - - - Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. 
- - - - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. - - - - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure. - - - - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - Returns the certificate template name. Supported operation is Get. - - - - - - - - - - - - - - text/plain - - - - + + + TrustedPublisher + + + + + Node for trusted publisher certificates. + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. 
This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + + + + + + + + TrustedPeople + + + + + Node for trusted people certificates. + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. 
+ + + + + + + + + + + + + + + + + + + + + UntrustedCertificates + + + + + Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. + + + + + + + + + + + + + + + + + 10.0.17134 + 1.1 + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + + + + + + + + + RootCATrustedCertificates + ./Device/Vendor/MSFT + + + + + The root node for the RootCATrustedCertificates configuration service provider. 
+ + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Root + + + + + Defines the certificate store that contains root, or self-signed certificates, in this case, the computer store. + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + + + + + + + + CA + + + + + Node for CA certificates. + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. 
The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + + + + + OemEsim + + + + + Node for OEM eSIM certificates. + + + + + + + + + + + + + + + + + 10.0.22000 + 1.2 + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. 
The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + + + + + + + + TrustedPublisher + + + + + Node for trusted publisher certificates. + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. 
This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + + + + + + + + TrustedPeople + + + + + Node for trusted people certificates. + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. 
This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + + + + + + + + UntrustedCertificates + + + + + Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. + + + + + + + + + + + + + + + + + 10.0.17134 + 1.1 + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + CertHash + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. 
+ + + + + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles -[RootCATrustedCertificates CSP](rootcacertificates-csp.md) \ No newline at end of file +[RootCATrustedCertificates configuration service provider reference](rootcacertificates-csp.md) diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index 9ec9fb7703..b899a7c5ee 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md 
@@ -1,194 +1,875 @@ --- title: SharedPC CSP -description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage. -ms.reviewer: +description: Learn more about the SharedPC CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/23/2022 +ms.topic: reference --- + + + # SharedPC CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The SharedPC configuration service provider is used to configure settings for Shared PC usage. + -The following example shows the SharedPC configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. 
+ +The following list shows the SharedPC configuration service provider nodes: + +- ./Vendor/MSFT/SharedPC + - [AccountModel](#accountmodel) + - [DeletionPolicy](#deletionpolicy) + - [DiskLevelCaching](#disklevelcaching) + - [DiskLevelDeletion](#diskleveldeletion) + - [EnableAccountManager](#enableaccountmanager) + - [EnableSharedPCMode](#enablesharedpcmode) + - [EnableSharedPCModeWithOneDriveSync](#enablesharedpcmodewithonedrivesync) + - [EnableWindowsInsiderPreviewFlighting](#enablewindowsinsiderpreviewflighting) + - [InactiveThreshold](#inactivethreshold) + - [KioskModeAUMID](#kioskmodeaumid) + - [KioskModeUserTileDisplayText](#kioskmodeusertiledisplaytext) + - [MaintenanceStartTime](#maintenancestarttime) + - [MaxPageFileSizeMB](#maxpagefilesizemb) + - [RestrictLocalStorage](#restrictlocalstorage) + - [SetEduPolicies](#setedupolicies) + - [SetPowerPolicies](#setpowerpolicies) + - [SignInOnResume](#signinonresume) + - [SleepTimeout](#sleeptimeout) + + + +## AccountModel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/AccountModel ``` -./Vendor/MSFT -SharedPC -----EnableSharedPCMode -----EnableSharedPCModeWithOneDriveSync -----SetEduPolicies -----SetPowerPolicies -----MaintenanceStartTime -----SignInOnResume -----SleepTimeout -----EnableAccountManager -----AccountModel -----DeletionPolicy -----DiskLevelDeletion -----DiskLevelCaching -----RestrictLocalStorage -----KioskModeAUMID -----KioskModeUserTileDisplayText -----InactiveThreshold -----MaxPageFileSizeMB + + + + +Configures which type of accounts are allowed to use the PC. Allowed values: 0 (only guest), 1 (domain-joined only), 2 (domain-joined and guest). If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Only guest accounts are allowed. | +| 1 | Only domain-joined accounts are allowed. | +| 2 | Domain-joined and guest accounts are allowed. | + + + + + + + + + +## DeletionPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/DeletionPolicy ``` -**./Vendor/MSFT/SharedPC** -The root node for the SharedPC configuration service provider. + -The supported operation is Get. + + +Configures when accounts will be deleted. Allowed values: 0 (delete immediately), 1 (delete at disk space threshold), 2 (Delete at disk space threshold and inactive threshold). If used, this value must be set before the action on the EnableSharedPCMode node is taken. + -**EnableSharedPCMode** -A boolean value that specifies whether Shared PC mode is enabled. + + + -The supported operations are Add, Get, Replace, and Delete. + +**Description framework properties**: -Setting this value to True triggers the action to configure a device to Shared PC mode. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -The default value is Not Configured and SharedPC mode is not enabled. + +**Allowed values**: -**EnableSharedPCModeWithOneDriveSync** -Setting this node to true triggers the action to configure a device to Shared PC mode with OneDrive sync turned on. +| Value | Description | +|:--|:--| +| 0 | Delete immediately. | +| 1 (Default) | Delete at disk space threshold. | +| 2 | Delete at disk space threshold and inactive threshold. | + -The supported operations are Add, Get, Replace, and Delete. + + + -The default value is false. + -**SetEduPolicies** + +## DiskLevelCaching + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/DiskLevelCaching +``` + + + + +Stop deleting accounts when available disk space reaches this threshold, given as percent of total disk capacity. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 50 | + + + + + + + + + +## DiskLevelDeletion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/DiskLevelDeletion +``` + + + + +Accounts will start being deleted when available disk space falls below this threshold, given as percent of total disk capacity. Accounts that have been inactive the longest will be deleted first. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + +For example, if the DiskLevelCaching is set to 50 and the DiskLevelDeletion is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a daily maintenance period, accounts will be deleted (oldest last used first) when the system is idle until the free disk space is above 50% (the caching number). Accounts will be deleted immediately on signing out from an account if free space is under half of the deletion threshold and disk space is low, regardless of whether the PC is actively in use or not. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 25 | + + + + + + + + + +## EnableAccountManager + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/EnableAccountManager +``` + + + + +Enable the account manager for shared PC mode. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | False. | +| true | True. | + + + + + + + + + +## EnableSharedPCMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/EnableSharedPCMode +``` + + + + +Setting this node to "true" triggers the action to configure a device to Shared PC mode. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Not configured. | +| true | Enabled. | + + + + + + + + + +## EnableSharedPCModeWithOneDriveSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync +``` + + + + +Setting this node to "1" triggers the action to configure a device to Shared PC mode with OneDrive sync turned on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Not configured. | +| true | Enabled. | + + + + + + + + + +## EnableWindowsInsiderPreviewFlighting + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/SharedPC/EnableWindowsInsiderPreviewFlighting +``` + + + + +Setting this node to "1" enables Windows Insider Preview flighting and the ability to receive insider preview builds. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Not configured. | +| true | WIP builds are Enabled. | + + + + + + + + + +## InactiveThreshold + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SharedPC/InactiveThreshold +``` + + + + +Accounts will start being deleted when they have not been logged on during the specified period, given as number of days. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 30 | + + + + + + + + + +## KioskModeAUMID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SharedPC/KioskModeAUMID +``` + + + + +Specifies the AUMID of the app to use with assigned access. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## KioskModeUserTileDisplayText + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SharedPC/KioskModeUserTileDisplayText +``` + + + + +Specifies the display text for the account shown on the sign-in screen which launches the app specified by KioskModeAUMID. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## MaintenanceStartTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/MaintenanceStartTime +``` + + + + +Daily start time of maintenance hour. Given in minutes from midnight. Default is 0 (12am). If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1440]` | +| Default Value | 0 | + + + + + + + + + +## MaxPageFileSizeMB + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SharedPC/MaxPageFileSizeMB +``` + + + + +Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-32768]` | +| Default Value | 1024 | + + + + + + + + + +## RestrictLocalStorage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SharedPC/RestrictLocalStorage +``` + + + + +Restricts the user from using local storage. This node is optional. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | False. | +| true | True. | + + + + + + + + + +## SetEduPolicies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/SharedPC/SetEduPolicies +``` + + + + +Set a list of EDU policies. + + + + A boolean value that specifies whether the policies for education environment are enabled. Setting this value to true triggers the action to configure a device as education environment. + -The supported operations are Add, Get, Replace, and Delete. + +**Description framework properties**: -The default value is Not Configured. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + -**SetPowerPolicies** -A boolean value that specifies that the power policies should be set when configuring SharedPC mode. + +**Allowed values**: -The supported operations are Add, Get, Replace, and Delete. +| Value | Description | +|:--|:--| +| false (Default) | Not configured. | +| true | Enabled. | + -The default value is Not Configured and the effective power settings are determined by the OS's default power settings. Its value in the SharedPC provisioning package is True. + + + -**MaintenanceStartTime** -An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440. + -The supported operations are Add, Get, Replace, and Delete. + +## SetPowerPolicies -The default value is Not Configured and its value in the SharedPC provisioning package is 0 (12 AM). + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -**SignInOnResume** -A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode. + +```Device +./Vendor/MSFT/SharedPC/SetPowerPolicies +``` + -The supported operations are Add, Get, Replace, and Delete. + + +Set a list of power policies. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + -The default value is Not Configured and its value in the SharedPC provisioning package is True. + + +The default value is Not Configured and the effective power settings are determined by the OS's default power settings. + -**SleepTimeout** -The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. + +**Description framework properties**: -The supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + -The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in SharedPC provisioning package is 300. + +**Allowed values**: -**EnableAccountManager** -A boolean that enables the account manager for shared PC mode. +| Value | Description | +|:--|:--| +| false (Default) | Not configured. | +| true | Enabled. | + -The supported operations are Add, Get, Replace, and Delete. + + + -The default value is Not Configured and its value in the SharedPC provisioning package is True. + -**AccountModel** -Configures which type of accounts are allowed to use the PC. + +## SignInOnResume -The supported operations are Add, Get, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -The following list shows the supported values: + +```Device +./Vendor/MSFT/SharedPC/SignInOnResume +``` + -- 0 (default) - Only guest accounts are allowed. -- 1 - Only domain-joined accounts are enabled. -- 2 - Domain-joined and guest accounts are allowed. + + +Require signing in on waking up from sleep. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + -Its value in the SharedPC provisioning package is 1 or 2. + + + -**DeletionPolicy** -Configures when accounts are deleted. + +**Description framework properties**: -The supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + -This is the list of supported values: + +**Allowed values**: -- 0 - Delete immediately. -- 1 - Delete at disk space threshold. -- 2 - Delete at disk space threshold and inactive threshold. +| Value | Description | +|:--|:--| +| false (Default) | False. | +| true | True. | + -The default value is Not Configured. Its value in the SharedPC provisioning package is 1 or 2. + + + -**DiskLevelDeletion** -Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first. + -The default value is Not Configured. Its default value in the SharedPC provisioning package is 25. + +## SleepTimeout -For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. 
When the free disk space is less than 25% (the deletion number) during a daily maintenance period, accounts will be deleted (oldest last used first) when the system is idle until the free disk space is above 50% (the caching number). Accounts will be deleted immediately on signing out from an account if free space is under half of the deletion threshold and disk space is low, regardless of whether the PC is actively in use or not. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -The supported operations are Add, Get, Replace, and Delete. + +```Device +./Vendor/MSFT/SharedPC/SleepTimeout +``` + -**DiskLevelCaching** -Sets the percentage of available disk space a PC should have before it stops deleting cached accounts. + + +The amount of time before the PC sleeps, giving in seconds. 0 means the PC never sleeps. Default is 5 minutes. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + -The default value is Not Configured. The default value in the SharedPC provisioning package is 25. + + + -For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately on signing out from an account if free space is under the deletion threshold and disk space is low, regardless whether the PC is actively in use or not. + +**Description framework properties**: -The supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 300 | + -**RestrictLocalStorage** -Restricts the user from using local storage. + + + -The default value is Not Configured. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False. + -**KioskModeAUMID** -Specifies the AUMID of the app to use with assigned access. + + + -- Value type is string. -- Supported operations are Add, Get, Replace, and Delete. 
+ -**KioskModeUserTileDisplayText** -Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. +## Related articles -Value type is string. Supported operations are Add, Get, Replace, and Delete. - -**InactiveThreshold** -Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days. - -- The default value is Not Configured. -- Value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - -The default in the SharedPC provisioning package is 30. - -**MaxPageFileSizeMB** -Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. - -- Default value is Not Configured. -- Value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - -The default in the SharedPC provisioning package is 1024. - -## Related topics - -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md index 764d14a202..0fc3249c8c 100644 --- a/windows/client-management/mdm/sharedpc-ddf-file.md +++ b/windows/client-management/mdm/sharedpc-ddf-file.md 
@@ -1,473 +1,683 @@ --- title: SharedPC DDF file -description: Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the SharedPC configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/21/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # SharedPC DDF file -This topic shows the OMA DM device description framework (DDF) for the **SharedPC** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the DDF for Windows 10, version 1703. +The following XML file contains the device description framework (DDF) for the SharedPC configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + SharedPC + ./Vendor/MSFT + + + + + The root node for the SharedPC configuration service provider. + + + + + + + + + + + + + + 10.0.14393 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - SharedPC - ./Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/1.1/MDM/SharedPC - - - - EnableSharedPCMode - - - - - - false - Setting this node to "true" triggers the action to configure a device to Shared PC mode. - - - - - - - - - - Enable shared PC mode - - text/plain - - - - - EnableSharedPCModeWithOneDriveSync - - - - - - - - false - Setting this node to "1" triggers the action to configure a device to Shared PC mode with OneDrive sync turned on - - - - - - - - - - Enable Shared PC mode with OneDrive sync - - - - - - - SetEduPolicies - - - - - - false - Set a list of EDU policies. 
- - - - - - - - - - Set EDU policies - - text/plain - - - - - SetPowerPolicies - - - - - - true - Specify that the power policies should be set when configuring SharedPC mode. This node is optional. - - - - - - - - - - Set power policies - - text/plain - - - - - MaintenanceStartTime - - - - - - 0 - Daily start time of maintenance hour. Given in minutes from midnight. Default is 0 (12am). This node is optional. - - - - - - - - - - Maintenance start time - - text/plain - - - - - SignInOnResume - - - - - - true - Require signing in on waking up from sleep. This node is optional. - - - - - - - - - - Sign-in on resume - - text/plain - - - - - SleepTimeout - - - - - - 300 - The amount of time before the PC sleeps, given in seconds. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. - - - - - - - - - - Sleep timeout - - text/plain - - - - - EnableAccountManager - - - - - - true - Enable the account manager for shared PC mode. - - - - - - - - - - Enable account manager - - text/plain - - - - - AccountModel - - - - - - 0 - Configures which type of accounts are allowed to use the PC. Allowed values: 0 (only guest), 1 (domain-joined only), 2 (domain-joined and guest). - - - - - - - - - - Account model - - text/plain - - - - - DeletionPolicy - - - - - - 1 - Configures when accounts will be deleted. Allowed values: 0 (delete immediately), 1 (delete at disk space threshold). - - - - - - - - - - Account deletion policy - - text/plain - - - - - DiskLevelDeletion - - - - - - 25 - Accounts will start being deleted when available disk space falls below this threshold, given as percent of total disk capacity. Accounts that have been inactive the longest will be deleted first. - - - - - - - - - - Disk space threshold for account deletion - - text/plain - - - - - DiskLevelCaching - - - - - - 50 - Stop deleting accounts when available disk space reaches this threshold, given as percent of total disk capacity. 
- - - - - - - - - - Disk space threshold for account caching - - text/plain - - - - - RestrictLocalStorage - - - - - - true - Restricts the user from using local storage. This node is optional. - - - - - - - - - - Restrict local storage - - text/plain - - - - - KioskModeAUMID - - - - - - Specifies the AUMID of the app to use with assigned access. This node is optional. - - - - - - - - - - Kiosk mode AUMID - - text/plain - - - - - KioskModeUserTileDisplayText - - - - - - Specifies the display text for the account shown on the sign-in screen which launches the app specified by KioskModeAUMID. This node is optional. - - - - - - - - - - Kiosk mode user tile display text - - text/plain - - - - - InactiveThreshold - - - - - - 30 - Accounts will start being deleted when they have not been logged on during the specified period, given as number of days. - - - - - - - - - - Account inactive threshold - - text/plain - - - - - MaxPageFileSizeMB - - - - - - 1024 - Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. This node is optional. - - - - - - - - - - Maximum PageFile size - - text/plain - - - + EnableSharedPCMode + + + + + + + + false + Setting this node to "true" triggers the action to configure a device to Shared PC mode. + + + + + + + + + + Enable shared PC mode + + + + + + false + Not configured + + + true + Enabled + + + + + EnableSharedPCModeWithOneDriveSync + + + + + + + + false + Setting this node to “1” triggers the action to configure a device to Shared PC mode with OneDrive sync turned on + + + + + + + + + + Enable Shared PC mode with OneDrive sync + + + + + 10.0.22621 + 1.2 + + + + false + Not configured + + + true + Enabled + + + + + + EnableWindowsInsiderPreviewFlighting + + + + + + + + false + Setting this node to “1” enables Windows Insider Preview flighting and the ability to receive insider preview builds. 
+ + + + + + + + + + Enable WIP Flighting + + + + + 10.0.22621 + 1.2 + + + + false + Not configured + + + true + WIP builds are Enabled + + + + + + SetEduPolicies + + + + + + + + false + Set a list of EDU policies. + + + + + + + + + + Set EDU policies + + + + + + false + Not configured + + + true + Enabled + + + + + + SetPowerPolicies + + + + + + + + false + Set a list of power policies. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Set power policies + + + + + + false + Not configured + + + true + Enabled + + + + + + MaintenanceStartTime + + + + + + + + 0 + Daily start time of maintenance hour. Given in minutes from midnight. Default is 0 (12am). If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Maintenance start time + + + + + [0-1440] + + + + + SignInOnResume + + + + + + + + false + Require signing in on waking up from sleep. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Sign-in on resume + + + + + + false + False + + + true + True + + + + + + SleepTimeout + + + + + + + + 300 + The amount of time before the PC sleeps, giving in seconds. 0 means the PC never sleeps. Default is 5 minutes. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Sleep timeout + + + + + [0-4294967295] + + + + + EnableAccountManager + + + + + + + + false + Enable the account manager for shared PC mode. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Enable account manager + + + + + + false + False + + + true + True + + + + + + AccountModel + + + + + + + + 0 + Configures which type of accounts are allowed to use the PC. Allowed values: 0 (only guest), 1 (domain-joined only), 2 (domain-joined and guest). 
If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Account model + + + + + + 0 + Only guest accounts are allowed. + + + 1 + Only domain-joined accounts are allowed. + + + 2 + Domain-joined and guest accounts are allowed. + + + + + + DeletionPolicy + + + + + + + + 1 + Configures when accounts will be deleted. Allowed values: 0 (delete immediately), 1 (delete at disk space threshold), 2 (Delete at disk space threshold and inactive threshold). If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Account deletion policy + + + + + + 0 + Delete immediately. + + + 1 + Delete at disk space threshold + + + 2 + Delete at disk space threshold and inactive threshold + + + + + + DiskLevelDeletion + + + + + + + + 25 + Accounts will start being deleted when available disk space falls below this threshold, given as percent of total disk capacity. Accounts that have been inactive the longest will be deleted first. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Disk space threshold for account deletion + + + + + [0-100] + + + + + DiskLevelCaching + + + + + + + + 50 + Stop deleting accounts when available disk space reaches this threshold, given as percent of total disk capacity. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Disk space threshold for account caching + + + + + [0-100] + + + + + RestrictLocalStorage + + + + + + + + false + Restricts the user from using local storage. This node is optional. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Restrict local storage + + + + + 10.0.15063 + 1.1 + + + + false + False + + + true + True + + + + + + KioskModeAUMID + + + + + + + + Specifies the AUMID of the app to use with assigned access. 
If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Kiosk mode AUMID + + + + + 10.0.15063 + 1.1 + + + + + + + KioskModeUserTileDisplayText + + + + + + + + Specifies the display text for the account shown on the sign-in screen which launches the app specified by KioskModeAUMID. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Kiosk mode user tile display text + + + + + 10.0.15063 + 1.1 + + + + + + + InactiveThreshold + + + + + + + + 30 + Accounts will start being deleted when they have not been logged on during the specified period, given as number of days. + + + + + + + + + + Account inactive threshold + + + + + 10.0.15063 + 1.1 + + + [0-4294967295] + + + + + MaxPageFileSizeMB + + + + + + + + 1024 + Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. If used, this value must be set before the action on the EnableSharedPCMode node is taken. + + + + + + + + + + Maximum PageFile size + + + + + 10.0.15063 + 1.1 + + + [0-32768] + + + + ``` -## Related topics - -[SharedPC configuration service provider](sharedpc-csp.md) - -  - -  - - - - - +## Related articles +[SharedPC configuration service provider reference](sharedpc-csp.md) diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index a14b9afd32..e77c419631 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md 
@@ -1,29 +1,22 @@
 ---
 title: SUPL CSP
-description: Learn how the SUPL configuration service provider (CSP) is used to configure the location client.
-ms.reviewer:
+description: Learn more about the SUPL CSP.
+author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 02/28/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 09/12/2019
+ms.topic: reference
 ---
+
+
+
 # SUPL CSP
-The SUPL configuration service provider is used to configure the location client, as shown in the following:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
+ The SUPL configuration service provider is used to configure the location client, as shown in the following table: - **Location Service**: Connection type
@@ -43,264 +36,1625 @@ The SUPL configuration service provider is used to configure the location client - The positioning method used by the MPC for non-trusted mode. The SUPL or V2 UPL connection will be reconfigured every time the device is rebooted. A new UICC is inserted, or new settings are provisioned by using OMA Client Provisioning, OMA DM, or test tools. When the device is in roaming mode, it reverts to Mobile Station Standalone mode, in which only the built–in Microsoft location components are used. + -The following example shows the SUPL configuration service provider management object in tree format as used by OMA DM and OMA Client Provisioning. + +The following list shows the SUPL configuration service provider nodes: -> [!NOTE] -> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application.  +- ./Vendor/MSFT//SUPL + - [SUPL1](#supl1) + - [Addr](#supl1addr) + - [AppID](#supl1appid) + - [Ext](#supl1ext) + - [Microsoft](#supl1extmicrosoft) + - [FullVersion](#supl1extmicrosoftfullversion) + - [HighAccPositioningMethod](#supl1extmicrosofthighaccpositioningmethod) + - [LocMasterSwitchDependencyNII](#supl1extmicrosoftlocmasterswitchdependencynii) + - [MCCMNCPairs](#supl1extmicrosoftmccmncpairs) + - [NIDefaultTimeout](#supl1extmicrosoftnidefaulttimeout) + - [RootCertificate](#supl1extmicrosoftrootcertificate) + - [Data](#supl1extmicrosoftrootcertificatedata) + - [Name](#supl1extmicrosoftrootcertificatename) + - [RootCertificate2](#supl1extmicrosoftrootcertificate2) + - [Data](#supl1extmicrosoftrootcertificate2data) + - [Name](#supl1extmicrosoftrootcertificate2name) + - [RootCertificate3](#supl1extmicrosoftrootcertificate3) + - [Data](#supl1extmicrosoftrootcertificate3data) + - [Name](#supl1extmicrosoftrootcertificate3name) + - [RootCertificate4](#supl1extmicrosoftrootcertificate4) + - [Data](#supl1extmicrosoftrootcertificate4data) + - 
[Name](#supl1extmicrosoftrootcertificate4name) + - [RootCertificate5](#supl1extmicrosoftrootcertificate5) + - [Data](#supl1extmicrosoftrootcertificate5data) + - [Name](#supl1extmicrosoftrootcertificate5name) + - [RootCertificate6](#supl1extmicrosoftrootcertificate6) + - [Data](#supl1extmicrosoftrootcertificate6data) + - [Name](#supl1extmicrosoftrootcertificate6name) + - [ServerAccessInterval](#supl1extmicrosoftserveraccessinterval) + - [Version](#supl1extmicrosoftversion) + - [V2UPL1](#v2upl1) + - [ApplicationTypeIndicator_MR](#v2upl1applicationtypeindicator_mr) + - [LocMasterSwitchDependencyNII](#v2upl1locmasterswitchdependencynii) + - [MPC](#v2upl1mpc) + - [NIDefaultTimeout](#v2upl1nidefaulttimeout) + - [PDE](#v2upl1pde) + - [PositioningMethod_MR](#v2upl1positioningmethod_mr) + - [ServerAccessInterval](#v2upl1serveraccessinterval) + -```console -./Vendor/MSFT/ -SUPL -----SUPL1 ---------AppID ---------Addr ---------Ext -------------Microsoft -----------------Version -----------------MCCMNPairs -----------------HighAccPositioningMethod -----------------LocMasterSwitchDependencyNII -----------------NIDefaultTimeout -----------------ServerAccessInterval -----------------RootCertificate ---------------------Name ---------------------Data -----------------RootCertificate2 ---------------------Name ---------------------Data -----------------RootCertificate3 ---------------------Name ---------------------Data -----V2UPL1 ---------MPC ---------PDE ---------PositioningMethod_MR ---------LocMasterSwitchDependencyNII ---------ApplicationTypeIndicator_MR ---------NIDefaultTimeout ---------ServerAccessInterval + +## SUPL1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1 ``` + -**SUPL1** + + Required for SUPL. Defines the account for the SUPL Enabled Terminal (SET) node. Only one SUPL account is supported at a given time. + -**AppID** -Required. The AppID for SUPL is automatically set to `"ap0004"`. This value is a read-only value. + + + -**Addr** -Optional. Specifies the address of the Home SUPL Location Platform (H-SLP) server for non-proxy mode. The value is a server address specified as a fully qualified domain name, and the port specified as an integer, with the format *server*: *port*. + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### SUPL1/Addr + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Addr +``` + + + + +Optional. Specifies the address of the Home SUPL Location Platform (H-SLP) server for non-proxy mode. The value is a server address specified as a fully qualified domain name, and the port specified as an integer, with the format server: port. + + + + If this value isn't specified, the device infers the H-SLP address from the IMSI as defined in the SUPL standard. To use automatic generation of the H-SLP address based on the IMSI, the MNC length must be set correctly on the UICC. Generally, this value is 2 or 3. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned. But the configuration service provider will continue processing the rest of the parameters. + -**Version** -Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0.0, set this value to 1. For SUPL 2.0.0, set this value to 2. The default is 1. Refer to FullVersion to define the minor version and the service indicator. + +**Description framework properties**: -**FullVersion** -Added in Windows 10, version 2004. Optional. Determines the full version (X.Y.Z where X, Y, and Z are the major version, the minor version, and the service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + -**MCCMNCPairs** -Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network don't match, the device uses the default location service and doesn't use SUPL. + + + + + + +### SUPL1/AppID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/AppID +``` + + + + +Required. The AppID for SUPL is automatically set to "ap0004". This is a read-only value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### SUPL1/Ext + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### SUPL1/Ext/Microsoft + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### SUPL1/Ext/Microsoft/FullVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/FullVersion +``` + + + + +Optional. Determines the full version (X. Y. Z where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | +| Allowed Values | Regular Expression: `^(\d+\.)?(\d+\.)?(\*|\d+)$` | +| Default Value | 1.0.0 | + + + + + + + + + +##### SUPL1/Ext/Microsoft/HighAccPositioningMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/HighAccPositioningMethod +``` + + + + +Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + + + + +> [!IMPORTANT] +> The Mobile Station Assisted, OTDOA, and AFLT positioning methods must only be configured for test purposes. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | None: The device uses the default positioning method. In this default mode, the GNSS obtains assistance (time injection, coarse position injection and ephemeris data) from the Microsoft Positioning Service. | +| 1 | Mobile Station Assisted: The device contacts the H-SLP server to obtain a position. The H-SLP does the calculation of the position and returns it to the device. | +| 2 | Mobile Station Based: The device obtains location-aiding data (almanac, ephemeris data, time and coarse initial position of the device) from the H-SLP server, and the device uses this information to help GPS obtain a fix. All position calculations are done in the device. | +| 3 | Mobile Station Standalone: The device obtains assistance as required from the Microsoft location services. | +| 4 | OTDOA. | +| 5 | AFLT. 
| + + + + + + + + + +##### SUPL1/Ext/Microsoft/LocMasterSwitchDependencyNII + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/LocMasterSwitchDependencyNII +``` + + + + +This setting is deprecated in Windows 10. Optional. Boolean. Specifies whether the location toggle on the location screen in Settings is also used to manage SUPL network-initiated (NI) requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. The default value is 1. **Note** that most clients do not support this behavior. This value manages the settings for both SUPL and v2 UPL. If a phone is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. + + + +| Location toggle setting | LocMasterSwitchDependencyNII setting | NI request processing allowed | +|-------------------------|--------------------------------------|------------------------------------| +| On | 0 | Yes | +| On | 1 | Yes | +| Off | 0 | Yes | +| Off | 1 | No (unless privacyOverride is set) | + +When the location toggle is set to Off and this value is set to 1, the following application requests will fail: + +- `noNotificationNoVerification` +- `notificationOnly` +- `notificationAndVerficationAllowedNA` +- `notificationAndVerficationDeniedNA` + +However, if `privacyOverride` is set in the message, the location will be returned. + +When the location toggle is set to Off and this value is set to 0, the location toggle doesn't prevent SUPL network-initiated requests from working. + +For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. 
+ + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | The NI behavior is independent from the current location toggle setting. | +| true (Default) | The NI behavior follows the current location toggle setting. | + + + + + + + + + +##### SUPL1/Ext/Microsoft/MCCMNCPairs + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/MCCMNCPairs +``` + + + + +Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network do not match, the phone uses the default location service and does not use SUPL. + + + + This value is a string with the format `(X1, Y1)(X2, Y2)…(Xn, Yn)`, in which `X` is an MCC and `Y` is an MNC. For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + -**HighAccPositioningMethod** -Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The value can be one of the following integers: + +**Description framework properties**: -|Value|Description| -|--- |--- | -|0|None: The device uses the default positioning method. In this default mode, the GNSS obtains assistance (time injection, coarse position injection and ephemeris data) from the Microsoft Positioning Service.| -|1|Mobile Station Assisted: The device contacts the H-SLP server to obtain a position. The H-SLP does the calculation of the position and returns it to the device.| -|2|Mobile Station Based: The device obtains location-aiding data (almanac, ephemeris data, time and coarse initial position of the device) from the H-SLP server, and the device uses this information to help GPS obtain a fix. All position calculations are done in the device.| -|3|Mobile Station Standalone: The device obtains assistance as required from the Microsoft location services.| -|4|OTDOA| -|5|AFLT| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + -The default is 0. 
The default method in Windows devices provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services. + + + -> [!IMPORTANT] -> The Mobile Station Assisted, OTDOA, and AFLT positioning methods must only be configured for test purposes. + -For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + +##### SUPL1/Ext/Microsoft/NIDefaultTimeout -**LocMasterSwitchDependencyNII** -Optional. Boolean. Specifies whether the location toggle on the **location** screen in **Settings** is also used to manage SUPL network-initiated (NI) requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. The default value is 1. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/NIDefaultTimeout +``` + -|Location toggle setting|LocMasterSwitchDependencyNII setting|NI request processing allowed| -|--- |--- |--- | -|On|0|Yes| -|On|1|Yes| -|Off|0|Yes| -|Off|1|No (unless privacyOverride is set)| + + +Optional. Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. + -When the location toggle is set to Off and this value is set to 1, the following application requests will fail: + + + -- `noNotificationNoVerification` + +**Description framework properties**: -- `notificationOnly` +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 30 | + -- `notificationAndVerficationAllowedNA` + + + -- `notificationAndVerficationDeniedNA` + -However, if `privacyOverride` is set in the message, the location will be returned. + +##### SUPL1/Ext/Microsoft/RootCertificate -When the location toggle is set to Off and this value is set to 0, the location toggle doesn't prevent SUPL network-initiated requests from working. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate +``` + -**NIDefaultTimeout** -Optional. Time in seconds. It defines that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. + + +Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. + -This value manages the settings for SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used. + + + -**ServerAccessInterval** + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate/Data + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate/Data +``` + + + + +The base 64 encoded blob of the H-SLP root certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get, Replace | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate/Name +``` + + + + +Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### SUPL1/Ext/Microsoft/RootCertificate2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate2 +``` + + + + +Specifies the root certificate for the H-SLP server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate2/Data + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate2/Data +``` + + + + +The base 64 encoded blob of the H-SLP root certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get, Replace | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate2/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate2/Name +``` + + + + +Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### SUPL1/Ext/Microsoft/RootCertificate3 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate3 +``` + + + + +Specifies the root certificate for the H-SLP server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate3/Data + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate3/Data +``` + + + + +The base 64 encoded blob of the H-SLP root certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get, Replace | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate3/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate3/Name +``` + + + + +Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### SUPL1/Ext/Microsoft/RootCertificate4 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate4 +``` + + + + +Specifies the root certificate for the H-SLP server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate4/Data + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate4/Data +``` + + + + +The base 64 encoded blob of the H-SLP root certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get, Replace | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate4/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate4/Name +``` + + + + +Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### SUPL1/Ext/Microsoft/RootCertificate5 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate5 +``` + + + + +Specifies the root certificate for the H-SLP server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate5/Data + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate5/Data +``` + + + + +The base 64 encoded blob of the H-SLP root certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get, Replace | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate5/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate5/Name +``` + + + + +Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### SUPL1/Ext/Microsoft/RootCertificate6 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate6 +``` + + + + +Specifies the root certificate for the H-SLP server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate6/Data + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate6/Data +``` + + + + +The base 64 encoded blob of the H-SLP root certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Get, Replace | + + + + + + + + + +###### SUPL1/Ext/Microsoft/RootCertificate6/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/RootCertificate6/Name +``` + + + + +Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +##### SUPL1/Ext/Microsoft/ServerAccessInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/ServerAccessInterval +``` + + + + Optional. Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60. + -**RootCertificate** -Required. Specifies the root certificate for the H-SLP server. Windows doesn't support a non-secure mode. If this node isn't included, the configuration service provider will fail but may not return a specific error. + + + -**RootCertificate/Name** -Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +**Description framework properties**: -**RootCertificate/Data** -The base 64 encoded blob of the H-SLP root certificate. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 60 | + -**RootCertificate2** -Specifies the root certificate for the H-SLP server. + + + -**RootCertificate2/Name** -Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + -**RootCertificate2/Data** -The base 64 encoded blob of the H-SLP root certificate. + +##### SUPL1/Ext/Microsoft/Version -**RootCertificate3** -Specifies the root certificate for the H-SLP server. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**RootCertificate3/Name** -Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +```Device +./Vendor/MSFT//SUPL/SUPL1/Ext/Microsoft/Version +``` + -**RootCertificate3/Data** -The base 64 encoded blob of the H-SLP root certificate. + + +Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0.0, set this value to 1. For SUPL 2.0.0, set this value to 2. The default is 1. Refer to FullVersion to define minor verison and service indicator. + -**RootCertificate4** -Added in Windows 10, version 1809. Specifies the root certificate for the H-SLP server. + + + -**RootCertificate4/Name** -Added in Windows 10, version 1809. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +**Description framework properties**: -**RootCertificate4/Data** -Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root certificate. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Allowed Values | Range: `[1-2]` | +| Default Value | 1 | + -**RootCertificate5** -Added in Windows 10, version 1809. Specifies the root certificate for the H-SLP server. + + + -**RootCertificate5/Name** -Added in Windows 10, version 1809. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + -**RootCertificate5/Data** -Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root certificate. + +## V2UPL1 -**RootCertificate6** -Added in Windows 10, version 1809. Specifies the root certificate for the H-SLP server. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**RootCertificate6/Name** -Added in Windows 10, version 1809. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +```Device +./Vendor/MSFT//SUPL/V2UPL1 +``` + -**RootCertificate6/Data** -Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root certificate. - -**V2UPL1** + + Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time. + -**MPC** -Optional. Specifies the address of the mobile positioning center (MPC), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter is mandatory and the PDE parameter must be empty. + + + -**PDE** -Optional. Specifies the address of the Position Determination Entity (PDE), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter must be empty. + +**Description framework properties**: -**PositioningMethod\_MR** -Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The value can be one of the following integers: +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -|Value|Description| -|--- |--- | -|0|None: The device uses the default positioning method. In this default mode, the GNSS obtains assistance (time injection, coarse position injection, and ephemeris data) from the Microsoft Positioning Service.| -|1|Mobile Station Assisted: The device contacts the H-SLP server to obtain a position. The H-SLP does the calculation of the position and returns it to the device.| -|2|Mobile Station Based: The device obtains location-aiding data (almanac, ephemeris data, time and coarse initial position of the device) from the H-SLP server, and the device uses this information to help GPS obtain a fix. 
All position calculations are done in the device.| -|3|Mobile Station Standalone: The device obtains assistance as required from the Microsoft location services.| -|4|AFLT| + + + -The default is 0. The default method provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services. + -> [!IMPORTANT] -> The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. + +### V2UPL1/ApplicationTypeIndicator_MR -  -For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**LocMasterSwitchDependencyNII** -Optional. Boolean. Specifies whether the location toggle on the **location** screen in **Settings** is also used to manage network-initiated requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. For CDMA devices, this value must be set to 1. The default value is 1. + +```Device +./Vendor/MSFT//SUPL/V2UPL1/ApplicationTypeIndicator_MR +``` + -This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used. + + +Required. This value must always be set to 00000011. + -|Location toggle setting|LocMasterSwitchDependencyNII setting|NI request processing allowed| -|--- |--- |--- | -|On|0|Yes| -|On|1|Yes| -|Off|0|Yes| -|Off|1|No (unless privacyOverride is set)| + + + -When the location toggle is set to Off and this value is set to 1, the following application requests will fail: + +**Description framework properties**: -- `noNotificationNoVerification` +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -- `notificationOnly` + + + -- `notificationAndVerficationAllowedNA` + -- `notificationAndVerficationDeniedNA` + +### V2UPL1/LocMasterSwitchDependencyNII -However, if `privacyOverride` is set in the message, the location will be returned. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -When the location toggle is set to Off and this value is set to 0, the location toggle doesn't prevent SUPL network-initiated requests from working. + +```Device +./Vendor/MSFT//SUPL/V2UPL1/LocMasterSwitchDependencyNII +``` + -For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + + +Optional. Boolean. Specifies whether the location toggle on the location screen in Settings is also used to manage network-initiated requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. For CDMA phones, this value must be set to 1. The default value is 1. + -**ApplicationTypeIndicator\_MR** -Required. This value must always be set to `00000011`. + + + -**NIDefaultTimeout** -Optional. Time in seconds. It defines that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. + +**Description framework properties**: -This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | + -**ServerAccessInterval** + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | The NI behavior is independent from the current location toggle setting. | +| true (Default) | The NI behavior follows the current location toggle setting. 
| + + + + + + + + + +### V2UPL1/MPC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/V2UPL1/MPC +``` + + + + +Optional. The address of the mobile positioning center (MPC), in the format ipAddress: portNumber. For non-trusted mode of operation, this parameter is mandatory and the PDE parameter must be empty. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### V2UPL1/NIDefaultTimeout + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/V2UPL1/NIDefaultTimeout +``` + + + + +Optional. Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 30 | + + + + + + + + + +### V2UPL1/PDE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/V2UPL1/PDE +``` + + + + +Optional. The address of the Position Determination Entity (PDE), in the format ipAddress: portNumber. For non-trusted mode of operation, this parameter must be empty. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### V2UPL1/PositioningMethod_MR + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/V2UPL1/PositioningMethod_MR +``` + + + + +Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | None: The device uses the default positioning method. In this default mode, the GNSS obtains assistance (time injection, coarse position injection, and ephemeris data) from the Microsoft Positioning Service. | +| 1 | Mobile Station Assisted: The device contacts the H-SLP server to obtain a position. The H-SLP does the calculation of the position and returns it to the device. | +| 2 | Mobile Station Based: The device obtains location-aiding data (almanac, ephemeris data, time and coarse initial position of the device) from the H-SLP server, and the device uses this information to help GPS obtain a fix. All position calculations are done in the device. | +| 3 | Mobile Station Standalone: The device obtains assistance as required from the Microsoft location services. | +| 4 | AFLT. | + + + + + + + + + +### V2UPL1/ServerAccessInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Vendor/MSFT//SUPL/V2UPL1/ServerAccessInterval +``` + + + + Optional. Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60. + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 60 | + + + + + + + + + ## Unsupported Nodes -The following optional nodes aren't supported on Windows devices. +The following optional nodes aren't supported on Windows devices. -- ProviderID - -- Name - -- PrefConRef - -- ToConRef - -- ToConRef/<X> - -- ToConRef/<X>/ConRef - -- AddrType +- ProviderID +- Name +- PrefConRef +- ToConRef +- ToConRef/<X> +- ToConRef/<X>/ConRef +- AddrType If the configuration application tries to set, delete or query these nodes, a response indicating this node isn't implemented will be returned over OMA DM. In OMA Client Provisioning, the request to set this node will be ignored and the configuration service provider will continue processing the rest of the nodes. @@ -443,8 +1797,10 @@ The following table shows the Microsoft custom elements that this configuration |--- |--- | |parm-query|Yes| |characteristic-query|Yes

    Recursive query: No

    Top level query: No| + -  -## Related topics + -[Configuration service provider reference](index.yml) +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index ce35649aaf..07296eebc3 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md 
@@ -1,38 +1,129 @@ --- title: SUPL DDF file -description: This topic shows the OMA DM device description framework (DDF) for the SUPL configuration service provider. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the SUPL configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/03/2020 +ms.topic: reference --- + + # SUPL DDF file -This topic shows the OMA DM device description framework (DDF) for the **SUPL** configuration service provider (CSP). - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the DDF for the current version for this CSP. +The following XML file contains the device description framework (DDF) for the SUPL configuration service provider. ```xml -]> +]> 1.2 + + + + SUPL + ./Vendor/MSFT/ + + + + + + + Defines the account for the SUPL Enabled Terminal (SET) node. Only one SUPL account is supported at a given time. + + + + + + + + + + + + + + 10.0.10240 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + SUPL1 + + + + + Required for SUPL. Defines the account for the SUPL Enabled Terminal (SET) node. Only one SUPL account is supported at a given time. + + + + + + + + + + + + + - SUPL - ./Vendor/MSFT/ + AppID + Required. The AppID for SUPL is automatically set to "ap0004". This is a read-only value. + + + + + + + + + + + + + + + + Addr + + + + + + Optional. Specifies the address of the Home SUPL Location Platform (H-SLP) server for non-proxy mode. The value is a server address specified as a fully qualified domain name, and the port specified as an integer, with the format server: port. 
+ + + + + + + + + + + + + + + + + + Ext + + + + + Insert Description Here @@ -43,16 +134,16 @@ The XML below is the DDF for the current version for this CSP. - com.microsoft/1.2/MDM/SUPL + - SUPL1 + Microsoft - Required for SUPL. Defines the account for the SUPL Enabled Terminal (SET) node. Only one SUPL account is supported at a given time. + Insert Description Here @@ -63,18 +154,20 @@ The XML below is the DDF for the current version for this CSP. - + - AppID + Version + - Required. The AppID for SUPL is automatically set to "ap0004". This is a read-only value. + 1 + Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0.0, set this value to 1. For SUPL 2.0.0, set this value to 2. The default is 1. Refer to FullVersion to define minor verison and service indicator - + @@ -83,18 +176,22 @@ The XML below is the DDF for the current version for this CSP. - + + + [1-2] + - Addr + FullVersion - Optional. Specifies the address of the Home SUPL Location Platform (H-SLP) server for non-proxy mode. The value is a server address specified as a fully qualified domain name, and the port specified as an integer, with the format server: port. + 1.0.0 + Optional. Determines the full version (X.Y.Z where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored 
@@ -105,586 +202,25 @@ The XML below is the DDF for the current version for this CSP. - text/plain + + + 10.0.19041 + 1.2 + + + ^(\d+\.)?(\d+\.)?(\*|\d+)$ + - Ext - - - - - - - - - - - - - - - - - - - Microsoft - - - - - - - - - - - - - - - - - - - Version - - - - - - 1 - Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0.0, set this value to 1. For SUPL 2.0.0, set this value to 2. The default is 1. Refer to FullVersion to define the minor version and the service indicator. - - - - - - - - - - - text/plain - - - - - FullVersion - - - - - - 1.0.0 - Optional. Determines the full version (X.Y.Z where X, Y, and Z are the major version, the minor version, and the service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored. - - - - - - - - - - - text/plain - - - - - MCCMNCPairs - - - - - - Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network do not match, the phone uses the default location service and does not use SUPL. - - - - - - - - - - - text/plain - - - - - LocMasterSwitchDependencyNII - - - - - - 1 - This setting is deprecated in Windows 10. Optional. Boolean. Specifies whether the location toggle on the location screen in Settings is also used to manage SUPL network-initiated (NI) requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. The default value is 1. Note that most clients do not support this behavior. This value manages the settings for both SUPL and v2 UPL. If a phone is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. - - - - - - - - - - - text/plain - - - - - NIDefaultTimeout - - - - - - 30 - Optional. 
Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. - - - - - - - - - - - text/plain - - - - - ServerAccessInterval - - - - - - 60 - Optional. Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60. - - - - - - - - - - - text/plain - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - RootCertificate2 - - - - - Specifies the root certificate for the H-SLP server. - - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - RootCertificate3 - - - - - Specifies the root certificate for the H-SLP server. - - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - RootCertificate4 - - - - - Specifies the root certificate for the H-SLP server. - - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - RootCertificate5 - - - - - Specifies the root certificate for the H-SLP server. 
- - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - RootCertificate6 - - - - - Specifies the root certificate for the H-SLP server. - - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - - - - V2UPL1 - - - - - Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time. - - - - - - - - - - - - - - - MPC + MCCMNCPairs - Optional. The address of the mobile positioning center (MPC), in the format ipAddress: portNumber. For non-trusted mode of operation, this parameter is mandatory and the PDE parameter must be empty. + Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network do not match, the phone uses the default location service and does not use SUPL. 
@@ -695,20 +231,23 @@ The XML below is the DDF for the current version for this CSP. - text/plain + + + - PDE + HighAccPositioningMethod - Optional. The address of the Position Determination Entity (PDE), in the format ipAddress: portNumber. For non-trusted mode of operation, this parameter must be empty. + 0 + Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. - + 
@@ -717,19 +256,45 @@ The XML below is the DDF for the current version for this CSP. - text/plain + + + + 0 + None: The device uses the default positioning method. In this default mode, the GNSS obtains assistance (time injection, coarse position injection and ephemeris data) from the Microsoft Positioning Service. + + + 1 + Mobile Station Assisted: The device contacts the H-SLP server to obtain a position. The H-SLP does the calculation of the position and returns it to the device. + + + 2 + Mobile Station Based: The device obtains location-aiding data (almanac, ephemeris data, time and coarse initial position of the device) from the H-SLP server, and the device uses this information to help GPS obtain a fix. All position calculations are done in the device. + + + 3 + Mobile Station Standalone: The device obtains assistance as required from the Microsoft location services. + + + 4 + OTDOA + + + 5 + AFLT + + LocMasterSwitchDependencyNII - - + - 1 - Optional. Boolean. Specifies whether the location toggle on the location screen in Settings is also used to manage network-initiated requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. For CDMA phones, this value must be set to 1. The default value is 1. + true + This setting is deprecated in Windows 10. Optional. Boolean. Specifies whether the location toggle on the location screen in Settings is also used to manage SUPL network-initiated (NI) requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. The default value is 1. Note that most clients do not support this behavior. This value manages the settings for both SUPL and v2 UPL. 
If a phone is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. @@ -740,29 +305,18 @@ The XML below is the DDF for the current version for this CSP. - text/plain - - - - - ApplicationTypeIndicator_MR - - - - - Required. This value must always be set to 00000011. - - - - - - - - - - - + + + + false + The NI behavior is independent from the current location toggle setting. + + + true + The NI behavior follows the current location toggle setting. + + @@ -784,8 +338,10 @@ The XML below is the DDF for the current version for this CSP. - text/plain + + + 
@@ -807,11 +363,663 @@ The XML below is the DDF for the current version for this CSP. - text/plain + + + + + + + + RootCertificate + + + + + Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + + + + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + + + RootCertificate2 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + + + + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + + + RootCertificate3 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + + + + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + + + RootCertificate4 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + 10.0.17763 + 1.1 + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + + + + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + + + RootCertificate5 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + 10.0.17763 + 1.1 + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. 
+ + + + + + + + + + + + + + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + + + RootCertificate6 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + 10.0.17763 + 1.1 + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + + + + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + + + V2UPL1 + + + + + Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time. + + + + + + + + + + + + + + + MPC + + + + + + Optional. The address of the mobile positioning center (MPC), in the format ipAddress: portNumber. For non-trusted mode of operation, this parameter is mandatory and the PDE parameter must be empty. + + + + + + + + + + + + + + + + + + PDE + + + + + + Optional. The address of the Position Determination Entity (PDE), in the format ipAddress: portNumber. For non-trusted mode of operation, this parameter must be empty. + + + + + + + + + + + + + + + + + + PositioningMethod_MR + + + + + + 0 + Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + + + + + + + + + + + + + + + 0 + None: The device uses the default positioning method. 
In this default mode, the GNSS obtains assistance (time injection, coarse position injection, and ephemeris data) from the Microsoft Positioning Service. + + + 1 + Mobile Station Assisted: The device contacts the H-SLP server to obtain a position. The H-SLP does the calculation of the position and returns it to the device. + + + 2 + Mobile Station Based: The device obtains location-aiding data (almanac, ephemeris data, time and coarse initial position of the device) from the H-SLP server, and the device uses this information to help GPS obtain a fix. All position calculations are done in the device. + + + 3 + Mobile Station Standalone: The device obtains assistance as required from the Microsoft location services. + + + 4 + AFLT + + + + + + LocMasterSwitchDependencyNII + + + + + + true + Optional. Boolean. Specifies whether the location toggle on the location screen in Settings is also used to manage network-initiated requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. For CDMA phones, this value must be set to 1. The default value is 1. + + + + + + + + + + + + + + + false + The NI behavior is independent from the current location toggle setting. + + + true + The NI behavior follows the current location toggle setting. + + + + + + ApplicationTypeIndicator_MR + + + + + Required. This value must always be set to 00000011. + + + + + + + + + + + + + + + + NIDefaultTimeout + + + + + + 30 + Optional. Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. + + + + + + + + + + + + + + + + + + ServerAccessInterval + + + + + + 60 + Optional. Integer. 
Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60. + + + + + + + + + + + + + + + + + + ``` + +## Related articles + +[SUPL configuration service provider reference](supl-csp.md) diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 9ddb730b42..1925bbdccc 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md 
@@ -1,96 +1,294 @@ --- title: SurfaceHub CSP -description: The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511. -ms.reviewer: +description: Learn more about the SurfaceHub CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/28/2017 +ms.topic: reference --- + + + # SurfaceHub CSP -The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511, and later. +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. -The following example shows the SurfaceHub CSP management objects in tree format. + + +The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. 
+ + +The following list shows the SurfaceHub configuration service provider nodes: + +- ./Vendor/MSFT/SurfaceHub + - [AutopilotSelfdeploy](#autopilotselfdeploy) + - [FriendlyName](#autopilotselfdeployfriendlyname) + - [Password](#autopilotselfdeploypassword) + - [UserPrincipalName](#autopilotselfdeployuserprincipalname) + - [DeviceAccount](#deviceaccount) + - [CalendarSyncEnabled](#deviceaccountcalendarsyncenabled) + - [DomainName](#deviceaccountdomainname) + - [Email](#deviceaccountemail) + - [ErrorContext](#deviceaccounterrorcontext) + - [ExchangeModernAuthEnabled](#deviceaccountexchangemodernauthenabled) + - [ExchangeServer](#deviceaccountexchangeserver) + - [Password](#deviceaccountpassword) + - [PasswordRotationPeriod](#deviceaccountpasswordrotationperiod) + - [SipAddress](#deviceaccountsipaddress) + - [UserName](#deviceaccountusername) + - [UserPrincipalName](#deviceaccountuserprincipalname) + - [ValidateAndCommit](#deviceaccountvalidateandcommit) + - [Dot3](#dot3) + - [EapUserData](#dot3eapuserdata) + - [LanProfile](#dot3lanprofile) + - [InBoxApps](#inboxapps) + - [Connect](#inboxappsconnect) + - [AutoLaunch](#inboxappsconnectautolaunch) + - [SkypeForBusiness](#inboxappsskypeforbusiness) + - [DomainName](#inboxappsskypeforbusinessdomainname) + - [Teams](#inboxappsteams) + - [Configurations](#inboxappsteamsconfigurations) + - [Welcome](#inboxappswelcome) + - [AutoWakeScreen](#inboxappswelcomeautowakescreen) + - [CurrentBackgroundPath](#inboxappswelcomecurrentbackgroundpath) + - [MeetingInfoOption](#inboxappswelcomemeetinginfooption) + - [Whiteboard](#inboxappswhiteboard) + - [SharingDisabled](#inboxappswhiteboardsharingdisabled) + - [SignInDisabled](#inboxappswhiteboardsignindisabled) + - [TelemetryDisabled](#inboxappswhiteboardtelemetrydisabled) + - [WirelessProjection](#inboxappswirelessprojection) + - [Channel](#inboxappswirelessprojectionchannel) + - [Enabled](#inboxappswirelessprojectionenabled) + - [PINRequired](#inboxappswirelessprojectionpinrequired) 
+ - [MaintenanceHoursSimple](#maintenancehourssimple) + - [Hours](#maintenancehourssimplehours) + - [Duration](#maintenancehourssimplehoursduration) + - [StartTime](#maintenancehourssimplehoursstarttime) + - [Management](#management) + - [GroupName](#managementgroupname) + - [GroupSid](#managementgroupsid) + - [MOMAgent](#momagent) + - [WorkspaceID](#momagentworkspaceid) + - [WorkspaceKey](#momagentworkspacekey) + - [Properties](#properties) + - [AllowAutoProxyAuth](#propertiesallowautoproxyauth) + - [AllowSessionResume](#propertiesallowsessionresume) + - [DefaultVolume](#propertiesdefaultvolume) + - [DisableSigninSuggestions](#propertiesdisablesigninsuggestions) + - [DoNotShowMyMeetingsAndFiles](#propertiesdonotshowmymeetingsandfiles) + - [FriendlyName](#propertiesfriendlyname) + - [ProxyServers](#propertiesproxyservers) + - [ScreenTimeout](#propertiesscreentimeout) + - [SessionTimeout](#propertiessessiontimeout) + - [SleepMode](#propertiessleepmode) + - [SleepTimeout](#propertiessleeptimeout) + - [SurfaceHubMeetingMode](#propertiessurfacehubmeetingmode) + - [VtcAppPackageId](#propertiesvtcapppackageid) + + + +## AutopilotSelfdeploy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/AutopilotSelfdeploy ``` -./Vendor/MSFT -SurfaceHub -----DeviceAccount ---------DomainName ---------UserName ---------UserPrincipalName ---------Password ---------ValidateAndCommit ---------ExchangeServer ---------SipAddress ---------Email ---------CalendarSyncEnabled ---------ErrorContext ---------PasswordRotationEnabled -----MaintenanceHoursSimple ---------Hours -------------StartTime -------------Duration -----InBoxApps ---------SkypeForBusiness -------------DomainName ---------Welcome -------------AutoWakeScreen -------------CurrentBackgroundPath -------------MeetingInfoOption ---------Whiteboard -------------SharingDisabled -------------SigninDisabled -------------TelemeteryDisabled ---------WirelessProjection -------------PINRequired -------------Enabled -------------Channel ---------Connect -------------AutoLaunch -----Properties ---------FriendlyName ---------DefaultVolume ---------DefaultAutomaticFraming ---------ScreenTimeout ---------SessionTimeout ---------SleepTimeout ---------AllowSessionResume ---------AllowAutoProxyAuth ---------ProxyServers ---------DisableSigninSuggestions ---------DoNotShowMyMeetingsAndFiles -----Management ---------GroupName ---------GroupSid -----MOMAgent ---------WorkspaceID ---------WorkspaceKey + + + + +Node for setting Autopilot self-deployment mode device account information. This information is stored and committed by the Autopilot client during the Enrollment Status Page phase of OOBE for Surface Hub devices that are using Autopilot self-deploying mode. These values should be set only during the first sync phase of enrollment and are ignored at any other time. 
+ + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Case Sensitive | True | + + + + + + + + + +### AutopilotSelfdeploy/FriendlyName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/AutopilotSelfdeploy/FriendlyName ``` + -**./Vendor/MSFT/SurfaceHub** -The root node for the Surface Hub configuration service provider. + + +The device friendly name set during Autopilot self-deploying mode on Surface Hub. Get is allowed here but only returns a blank. + -**DeviceAccount** -Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account. + + + -To use a device account from Azure Active Directory + +**Description framework properties**: -1. Set the UserPrincipalName (for Azure AD). -2. Set a valid Password. -3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD. -4. Get the ErrorContext in case something goes wrong during validation. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + +### AutopilotSelfdeploy/Password + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/AutopilotSelfdeploy/Password +``` + + + + +Password for the device account. Get is allowed here, but will always return a blank. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### AutopilotSelfdeploy/UserPrincipalName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/AutopilotSelfdeploy/UserPrincipalName +``` + + + + +User principal name (UPN) of the device account. Autopilot on Surface Hub only supports Azure Active Directory, and this should specify the UPN of the device account. Get is allowed here but only returns a blank. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +## DeviceAccount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount +``` + + + + +Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the [Surface Hub administrator guide](/surface-hub/) for more information about setting up a device account. To use a device account from Azure Active Directory: 1. Set the UserPrincipalName (for Azure AD). 2. Set a valid Password. 3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD. 4. Get the ErrorContext in case something goes wrong during validation. + + + + > [!NOTE] > If the device cannot auto-discover the Exchange server and Session Initiation Protocol (SIP) address from this information, you should specify the ExchangeServer and SipAddress. + + +**Description framework properties**: -Here's a SyncML example. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Case Sensitive | True | + + + + +**Example**: ```xml @@ -139,98 +337,159 @@ Here's a SyncML example. ``` + -To use a device account from Active Directory: + -1. Set the DomainName. -2. Set the UserName. -3. Set a valid Password. -4. Execute the ValidateAndCommit node. + +### DeviceAccount/CalendarSyncEnabled -**DeviceAccount/DomainName** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Domain of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/CalendarSyncEnabled +``` + -- The data type is string. -- Supported operation is Get and Replace. + + +Specifies whether calendar sync and other Exchange server services is enabled. + -**DeviceAccount/UserName** + + + -Username of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + +**Description framework properties**: -- The data type is string. -- Supported operation is Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | + -**DeviceAccount/UserPrincipalName** + +**Allowed values**: -User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. +| Value | Description | +|:--|:--| +| false | Disabled. | +| true | Enabled. | + -- The data type is string. -- Supported operation is Get and Replace. + + + -**DeviceAccount/SipAddress** + -Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails. + +### DeviceAccount/DomainName -- The data type is string. -- Supported operation is Get and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**DeviceAccount/Password** + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/DomainName +``` + -Password for the device account. + + +Domain of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + -- The data type is string. -- Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank. + + + -**DeviceAccount/ValidateAndCommit** + +**Description framework properties**: -This method validates the data provided and then commits the changes. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + -- The data type is string. -- Supported operation is Execute. + + + -**DeviceAccount/Email** + -Email address of the device account. The data type is string. + +### DeviceAccount/Email -**DeviceAccount/ -PasswordRotationEnabled** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD). + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/Email +``` + -Valid values: + + +Email address of the device account. + -- 0 - password rotation enabled -- 1 - disabled + + + -It performs the following: -- The data type is integer. -- Supported operation is Get and Replace. + +**Description framework properties**: -**DeviceAccount/ExchangeServer** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + -Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails. + + + -- The data type is string. -- Supported operation is Get and Replace. + -**DeviceAccount/ExchangeModernAuthEnabled** + +### DeviceAccount/ErrorContext -Added in KB4598291 for Windows 10, version 20H2. Specifies, whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -- The data type is boolean. -- Supported operation is Get and Replace. + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/ErrorContext +``` + -**DeviceAccount/CalendarSyncEnabled** + + +If there is an error calling ValidateAndCommit, there will be additional context for that error in this node. + -Specifies, whether calendar sync and other Exchange server services is enabled. - -- The data type is boolean. -- Supported operation is Get and Replace. - -**DeviceAccount/ErrorContext** - -If there's an error calling ValidateAndCommit, there's another context for that error in this node. Here are the possible error values: + + +Possible error values: | **ErrorContext value** | **Stage where error occurred** | **Description and suggestions** | | --- | --- | --- | 
@@ -240,315 +499,2350 @@ If there's an error calling ValidateAndCommit, there's another context for that | 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. | | 5 | Saving account information | Unable to save account details to the system. | | 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Ensure the EAS policy is configured correctly according to the admin guide. | + -It performs the following: -- The data type is integer. -- Supported operation is Get. + +**Description framework properties**: -**MaintenanceHoursSimple/Hours** -Node for maintenance schedule. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -**MaintenanceHoursSimple/Hours/StartTime** + + + -Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120. + -- The data type is integer. -- Supported operation is Get and Replace. + +### DeviceAccount/ExchangeModernAuthEnabled -**MaintenanceHoursSimple/Hours/Duration** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.789] and later
    :heavy_check_mark: Windows Insider Preview [99.9.9999] | + -Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180. + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/ExchangeModernAuthEnabled +``` + -- The data type is integer. -- Supported operation is Get and Replace. + + +Specifies whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. + -**InBoxApps** + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | True | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| False | Disabled. | +| True (Default) | Enabled. | + + + + + + + + + +### DeviceAccount/ExchangeServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/ExchangeServer +``` + + + + +Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### DeviceAccount/Password + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/Password +``` + + + + +Password for the device account. Get is allowed here, but will always return a blank. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### DeviceAccount/PasswordRotationPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/PasswordRotationPeriod +``` + + + + +Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Password rotation enabled. | +| 1 | Disabled. | + + + + + + + + + +### DeviceAccount/SipAddress + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/DeviceAccount/SipAddress +``` + + + + +Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### DeviceAccount/UserName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/DeviceAccount/UserName
+```
+
+
+
+
+Username of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+
+
+
+
+
+
+
+
+
+### DeviceAccount/UserPrincipalName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/DeviceAccount/UserPrincipalName
+```
+
+
+
+
+User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+
+
+
+
+
+
+
+
+
+### DeviceAccount/ValidateAndCommit
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/DeviceAccount/ValidateAndCommit
+```
+
+
+
+
+This method validates the data provided and then commits the changes.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Exec |
+
+
+
+
+
+
+
+
+
+## Dot3
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.64] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/Dot3
+```
+
+
+
+
+Parent node.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Dot3/EapUserData
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.64] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/Dot3/EapUserData
+```
+
+
+
+
+Used to specify credentials to authenticate device to the network.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+
+
+
+
+
+
+
+
+
+### Dot3/LanProfile
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.64] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/Dot3/LanProfile
+```
+
+
+
+
+Used to specify credentials to authenticate device to the network.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+
+
+
+
+
+
+
+
+
+## InBoxApps
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps +``` + + + + Node for the in-box app settings. + -**InBoxApps/SkypeForBusiness** + + + -Added in Windows 10, version 1703. Node for the Skype for Business settings. + +**Description framework properties**: -**InBoxApps/SkypeForBusiness/DomainName** +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you're using Active Directory. For more information, see Set up Skype for Business Online. + + + -- The data type is string. -- Supported operation is Get and Replace. + -**InBoxApps/Welcome** + +### InBoxApps/Connect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/InBoxApps/Connect
+```
+
+
+
+
+Node for the Connect app.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### InBoxApps/Connect/AutoLaunch
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/InBoxApps/Connect/AutoLaunch
+```
+
+
+
+
+Specifies whether to automatically launch the Connect app whenever a projection is initiated. If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub's settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
+
+### InBoxApps/SkypeForBusiness
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/InBoxApps/SkypeForBusiness
+```
+
+
+
+
+Node for the Skype for Business settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### InBoxApps/SkypeForBusiness/DomainName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/InBoxApps/SkypeForBusiness/DomainName
+```
+
+
+
+
+Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see [Set up your domain and users](/skypeforbusiness/set-up-skype-for-business-online/set-up-skype-for-business-online#3-set-up-your-domain-and-users).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+
+
+
+
+
+
+
+
+
+### InBoxApps/Teams
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.450] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/InBoxApps/Teams
+```
+
+
+
+
+This node controls policies specific to the Teams App on Surface Hub.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### InBoxApps/Teams/Configurations
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.450] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/InBoxApps/Teams/Configurations
+```
+
+
+
+
+String to contain Teams policy configs.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+
+
+
+
+
+
+
+
+
+### InBoxApps/Welcome
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome +``` + + + + Node for the welcome screen. + -**InBoxApps/Welcome/AutoWakeScreen** + + + -Automatically turn on the screen using motion sensors. + +**Description framework properties**: -- The data type is boolean. -- Supported operation is Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**InBoxApps/Welcome/CurrentBackgroundPath** + + + -Download location for image, to be used as the background during user sessions and on the welcome screen. To set this location, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they're valid and installed on the Hub. Otherwise, it may not be able to load the image. + -- The data type is string. -- Supported operation is Get and Replace. + +#### InBoxApps/Welcome/AutoWakeScreen -**InBoxApps/Welcome/MeetingInfoOption** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/AutoWakeScreen
+```
+
+
+
+
+Setting for the screen to wake up and stay on with sensor activity.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| False | Disabled. |
+| True | Enabled. |
+
+
+
+
+
+
+
+
+
+#### InBoxApps/Welcome/CurrentBackgroundPath
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/CurrentBackgroundPath
+```
+
+
+
+
+Background image for the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+
+
+
+
+
+
+
+
+
+#### InBoxApps/Welcome/MeetingInfoOption
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/MeetingInfoOption +``` + + + + Meeting information displayed on the welcome screen. + -Valid values: + + + -- 0 - Organizer and time only -- 1 - Organizer, time, and subject. Subject is hidden in private meetings. + +**Description framework properties**: -It performs the following: -- The data type is integer. -- Supported operation is Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + -**InBoxApps/Whiteboard** + +**Allowed values**: -Node for the Whiteboard app settings. +| Value | Description | +|:--|:--| +| 0 | Organizer and time only. | +| 1 | Organizer, time, and subject. Subject is hidden in private meetings. | + -**InBoxApps/Whiteboard/SharingDisabled** + + + -Invitations to collaborate from the Whiteboard app aren't allowed. + -- The data type is boolean. -- Supported operation is Get and Replace. + +### InBoxApps/Whiteboard -**InBoxApps/Whiteboard/SigninDisabled** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362.449] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+
-Sign-ins from the Whiteboard app aren't allowed.
+
+```Device
+./Vendor/MSFT/SurfaceHub/InBoxApps/Whiteboard
+```
+
-- The data type is boolean.
-- Supported operation is Get and Replace.
+
+
+This node controls policies specific to the Whiteboard App on Surface Hub.
+
-**InBoxApps/Whiteboard/TelemeteryDisabled**
+
+
+
-Telemetry collection from the Whiteboard app isn't allowed.
+
+**Description framework properties**:
-- The data type is boolean.
-- Supported operation is Get and Replace.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
-**InBoxApps/WirelessProjection**
+
+
+
+
+
+
+#### InBoxApps/Whiteboard/SharingDisabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362.449] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/InBoxApps/Whiteboard/SharingDisabled
+```
+
+
+
+
+When enabled, prevents a user from initiating a collaborative session on the device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| False | Sharing enabled. |
+| True | Sharing disabled. |
+
+
+
+
+
+
+
+
+
+#### InBoxApps/Whiteboard/SignInDisabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362.449] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/InBoxApps/Whiteboard/SignInDisabled
+```
+
+
+
+
+When enabled, prevents a user from Signing into Whiteboard on the device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| False (Default) | Sign in enabled. |
+| True | Sign in disabled. |
+
+
+
+
+
+
+
+
+
+#### InBoxApps/Whiteboard/TelemetryDisabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362.449] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/InBoxApps/Whiteboard/TelemetryDisabled
+```
+
+
+
+
+When enabled, prevents Whiteboard from sending telemetry from the device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| False (Default) | Telemetry enabled. |
+| True | Telemetry disabled. |
+
+
+
+
+
+
+
+
+
+### InBoxApps/WirelessProjection
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection +``` + + + + Node for the wireless projector app settings. + -**InBoxApps/WirelessProjection/PINRequired** + + + -Users must enter a PIN to wireless project to the device. + +**Description framework properties**: -- The data type is boolean. -- Supported operation is Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**InBoxApps/WirelessProjection/Enabled** + + + -Enables wireless projection to the device. + -- The data type is boolean. -- Supported operation is Get and Replace. + +#### InBoxApps/WirelessProjection/Channel -**InBoxApps/WirelessProjection/Channel** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + +```Device +./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Channel +``` + + + + Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. + + + |**Compatibility**|**Values**| |--- |--- | |Works with all Miracast senders in all regions|1, 3, 4, 5, 6, 7, 8, 9, 10, 11| |Works with all 5ghz band Miracast senders in all regions|36, 40, 44, 48| |Works with all 5ghz band Miracast senders in all regions except Japan|149, 153, 157, 161, 165| -The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly, the driver will either not boot or will broadcast on the wrong channel (which senders won't be looking for). +Outside of regulatory concerns, if the channel is configured incorrectly, the driver will either not boot or will broadcast on the wrong channel (which senders won't be looking for). + -- The data type is integer. -- Supported operation is Get and Replace. + +**Description framework properties**: -**InBoxApps/Connect** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 255 | + -Added in Windows 10, version 1703. Node for the Connect app. + + + -**InBoxApps/Connect/AutoLaunch** + -Added in Windows 10, version 1703. Specifies, whether to automatically launch the Connect app whenever a projection is initiated. + +#### InBoxApps/WirelessProjection/Enabled -If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-- The data type is boolean.
-- Supported operation is Get and Replace.
+
+```Device
+./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled
+```
+
-**Properties**
+
+
+Enables wireless projection to the device.
+
-Node for the device properties.
+
+
+
-**Properties/FriendlyName**
+
+**Description framework properties**:
-Friendly name of the device. Specifies the name that users see when they want wireless project to the device.
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+
-- The data type is string.
-- Supported operation is Get and Replace.
+
+**Allowed values**:
-**Properties/DefaultVolume**
+| Value | Description |
+|:--|:--|
+| false | Disabled. |
+| true | Enabled. |
+
-Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45.
+
+
+
-- The data type is integer.
-- Supported operation is Get and Replace.
+
-**Properties/DefaultAutomaticFraming**
+
+#### InBoxApps/WirelessProjection/PINRequired
-Added in KB5010415 for Windows 10, version 20H2. Specifies whether the Surface Hub 2 Smart Camera feature to automatically zoom and keep users centered in the video is enabled. Default value is True.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-- The data type is boolean.
-- Supported operation is Get and Replace.
+
+```Device
+./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/PINRequired
+```
+
-**Properties/ScreenTimeout**
+
+
+Users must enter a PIN to wirelessly project to the device.
+
-Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off.
+
+
+
-The following table shows the permitted values.
+
+**Description framework properties**:
-|**Value**|**Description**|
-|--- |--- |
-|0|Never time out|
-|1|1 minute|
-|2|2 minutes|
-|3|3 minutes|
-|5|5 minutes (default)|
-|10|10 minutes|
-|15|15 minutes|
-|30|30 minutes|
-|60|1 hour|
-|120|2 hours|
-|240|4 hours|
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+
-It performs the following:
-- The data type is integer.
-- Supported operation is Get and Replace.
+
+**Allowed values**:
-**Properties/SessionTimeout**
+| Value | Description |
+|:--|:--|
+| false | Pin not required. |
+| true | Pin required. |
+
-Added in Windows 10, version 1703. Specifies the number of minutes until the session times out.
+
+
+
-The following table shows the permitted values.
+
-|**Value**|**Description**|
-|--- |--- |
-|0|Never time out|
-|1|1 minute (default)|
-|2|2 minutes|
-|3|3 minutes|
-|5|5 minutes|
-|10|10 minutes|
-|15|15 minutes|
-|30|30 minutes|
-|60|1 hour|
-|120|2 hours|
-|240|4 hours|
+
+## MaintenanceHoursSimple
-It performs the following:
-- The data type is integer.
-- Supported operation is Get and Replace.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-**Properties/SleepTimeout**
+
+```Device
+./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple
+```
+
-Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode.
+
+
+Node for maintenance schedule.
+
-The following table shows the permitted values.
+
+
+
-|**Value**|**Description**|
-|--- |--- |
-|0|Never time out|
-|1|1 minute|
-|2|2 minutes|
-|3|3 minutes|
-|5|5 minutes (default)|
-|10|10 minutes|
-|15|15 minutes|
-|30|30 minutes|
-|60|1 hour|
-|120|2 hours|
-|240|4 hours|
+
+**Description framework properties**:
-It performs the following:
-- The data type is integer.
-- Supported operation is Get and Replace.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
-**Properties/SleepMode**
+
+
+
-Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub.
+
-Valid values:
+
+### MaintenanceHoursSimple/Hours
-- 0 - Connected Standby (default)
-- 1 - Hibernate
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-It performs the following:
-- The data type is integer.
-- Supported operation is Get and Replace.
+
+```Device
+./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours
+```
+
-**Properties/AllowSessionResume**
+
+
+Node for maintenance schedule.
+
-Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out.
+
+
+
-If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated.
+
+**Description framework properties**:
-- The data type is boolean.
-- Supported operation is Get and Replace.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
-**Properties/AllowAutoProxyAuth**
+
+
+
-Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication.
+
-If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.
+
+#### MaintenanceHoursSimple/Hours/Duration
-- The data type is boolean.
-- Supported operation is Get and Replace.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-**Properties/ProxyServers**
+
+```Device
+./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours/Duration
+```
+
-Added in KB4499162 for Windows 10, version 1703. Specifies hostnames of proxy servers to automatically provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names (FQDN), without any extra prefixes (for example, https://).
+
+
+Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180.
+
-- The data type is string.
-- Supported operation is Get and Replace.
+
+
+
-**Properties/DisableSigninSuggestions**
+
+**Description framework properties**:
-Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Allowed Values | Range: `[0-1439]` |
+
-If this setting is true, the sign-in dialog won't be populated. If false, the dialog will auto-populate.
+
+
+
-- The data type is boolean.
-- Supported operation is Get and Replace.
+
-**Properties/DoNotShowMyMeetingsAndFiles**
+
+#### MaintenanceHoursSimple/Hours/StartTime
-Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
-If this setting is true, the “My meetings and files” feature won't be shown. When false, the “My meetings and files” feature will be shown.
+
+```Device
+./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours/StartTime
+```
+
-- The data type is boolean.
-- Supported operation is Get and Replace.
+
+
+Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120.
+
-**MOMAgent**
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Allowed Values | Range: `[0-1439]` |
+
+
+
+
+
+
+
+
+
+## Management
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393.969] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/Management
+```
+
+
+
+
+Not a supported scenario.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Management/GroupName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393.969] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/Management/GroupName
+```
+
+
+
+
+The name of the domain admin group to add to the administrators group on the device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+
+
+
+
+
+
+
+
+
+### Management/GroupSid
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393.969] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/SurfaceHub/Management/GroupSid
+```
+
+
+
+
+The sid of the domain admin group to add to the administrators group on the device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+
+
+
+
+
+
+
+
+
+## MOMAgent
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/MOMAgent +``` + + + + Node for the Microsoft Operations Management Suite. + -**MOMAgent/WorkspaceID** + + + -GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this GUID to an empty string to disable the MOM agent. + +**Description framework properties**: -- The data type is string. -- Supported operation is Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**MOMAgent/WorkspaceKey** + + + -Primary key for authenticating with the workspace. + -- The data type is string. -- Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string. + +### MOMAgent/WorkspaceID -## Related topics + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -[Configuration service provider reference](index.yml) + +```Device +./Vendor/MSFT/SurfaceHub/MOMAgent/WorkspaceID +``` + + + + +GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### MOMAgent/WorkspaceKey + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/MOMAgent/WorkspaceKey +``` + + + + +Primary key for authenticating with workspace. Will always return an empty string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +## Properties + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties +``` + + + + +Node for the device properties. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Properties/AllowAutoProxyAuth + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/AllowAutoProxyAuth +``` + + + + +Specifies whether to use the device account for proxy authentication. If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true (Default) | Enabled. | + + + + + + + + + +### Properties/AllowSessionResume + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/AllowSessionResume +``` + + + + +Specifies whether to allow the ability to resume a session when the session times out. If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the "End Session" feature was initiated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true (Default) | Enabled. | + + + + + + + + + +### Properties/DefaultVolume + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/DefaultVolume +``` + + + + +Specifies the default volume value for a new session. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 45 | + + + + + + + + + +### Properties/DisableSigninSuggestions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/DisableSigninSuggestions +``` + + + + +Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Dialog will auto-populate. | +| true | Sign-in dialog will not be populated. | + + + + + + + + + +### Properties/DoNotShowMyMeetingsAndFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/DoNotShowMyMeetingsAndFiles +``` + + + + +Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365. If this setting is true, the "My meetings and files" feature will not be shown. When false, the "My meetings and files" feature will be shown. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true | "My meetings and files" feature will not be shown. | +| false (Default) | The "My meetings and files" feature will be shown. | + + + + + + + + + +### Properties/FriendlyName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/FriendlyName +``` + + + + +Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get, Replace | + + + + + + + + + +### Properties/ProxyServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/ProxyServers +``` + + + + +The list of known proxy servers to provide. + + + + +Specifies hostnames of proxy servers to automatically provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names (FQDN), without any extra prefixes (for example, `https://`). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Delete, Get, Replace | + + + + + + + + + +### Properties/ScreenTimeout + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/ScreenTimeout +``` + + + + +Specifies the number of minutes until the Hub screen turns off. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 5 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Never time out. | +| 1 | 1 minute. | +| 2 | 2 minutes. | +| 3 | 3 minutes. | +| 5 (Default) | 5 minutes. | +| 10 | 10 minutes. | +| 15 | 15 minutes. | +| 30 | 30 minutes. | +| 60 | 1 hour. | +| 120 | 2 hours. | +| 240 | 4 hours. | + + + + + + + + + +### Properties/SessionTimeout + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/SessionTimeout +``` + + + + +Specifies the number of minutes until the session times out. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Never time out. | +| 1 (Default) | 1 minute. | +| 2 | 2 minutes. | +| 3 | 3 minutes. | +| 5 | 5 minutes. | +| 10 | 10 minutes. | +| 15 | 15 minutes. | +| 30 | 30 minutes. | +| 60 | 1 hour. | +| 120 | 2 hours. | +| 240 | 4 hours. | + + + + + + + + + +### Properties/SleepMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/SleepMode +``` + + + + +Specifies the type of sleep mode for the Surface Hub. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Connected Standby. | +| 1 | Hibernate. | + + + + + + + + + +### Properties/SleepTimeout + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/SleepTimeout +``` + + + + +Specifies the number of minutes until the Hub enters sleep mode. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 5 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Never time out. | +| 1 | 1 minute. | +| 2 | 2 minutes. | +| 3 | 3 minutes. | +| 5 (Default) | 5 minutes. | +| 10 | 10 minutes. | +| 15 | 15 minutes. | +| 30 | 30 minutes. | +| 60 | 1 hour. | +| 120 | 2 hours. | +| 240 | 4 hours. | + + + + + + + + + +### Properties/SurfaceHubMeetingMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393.969] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/SurfaceHubMeetingMode +``` + + + + +Teams mode. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Delete, Get, Replace | +| Allowed Values | Range: `[0-2]` | +| Default Value | 0 | + + + + + + + + + +### Properties/VtcAppPackageId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393.969] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/Properties/VtcAppPackageId +``` + + + + +App name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Delete, Get, Replace | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index b641ecada1..0f0117489c 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md 
@@ -1,1016 +1,1881 @@ --- title: SurfaceHub DDF file -description: This topic shows the OMA DM device description framework (DDF) for the SurfaceHub configuration service provider. This CSP was added in Windows 10, version 1511. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the SurfaceHub configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/24/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # SurfaceHub DDF file -This topic shows the OMA DM device description framework (DDF) for the SurfaceHub configuration service provider. This CSP was added in Windows 10, version 1511. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the SurfaceHub configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + SurfaceHub + ./Vendor/MSFT + + + + + The root node for the Surface Hub configuration service provider. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - SurfaceHub - ./Vendor/MSFT + AutopilotSelfdeploy + + + + + Node for setting Autopilot self-deployment mode device account information. This information is stored and committed by the Autopilot client during the Enrollment Status Page phase of OOBE for Surface Hub devices that are using Autopilot self-deploying mode. These values should be set only during the first sync phase of enrollment and are ignored at any other time. 
+ + + + + + + + + + + + + + + + + + UserPrincipalName - - - - - - - - - - - - - - com.microsoft/1.0/MDM/SurfaceHub - + + + + + User principal name (UPN) of the device account. Autopilot on Surface Hub only supports Azure Active Directory, and this should specify the UPN of the device account. Get is allowed here but only returns a blank + + + + + + + + + + + + + + + + + + Password + + + + + + Password for the device account. Get is allowed here, but will always return a blank. + + + + + + + + + + + + + + + + + + FriendlyName + + + + + + The device friendly name set during Autopilot self-deploying mode on Surface Hub. Get is allowed here but only returns a blank + + + + + + + + + + + + + + + + + + + DeviceAccount + + + + + Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account. To use a device account from Azure Active Directory: 1. Set the UserPrincipalName (for Azure AD). 2. Set a valid Password. 3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD. 4. Get the ErrorContext in case something goes wrong during validation. + + + + + + + + + + + + + + + + + + DomainName + + + + + + Domain of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + + + + + + + + + + + + + + + + + + UserName + + + + + + Username of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + + + + + + + + + + + + + + + + + + UserPrincipalName + + + + + + User principal name (UPN) of the device account. 
To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. + + + + + + + + + + + + + + + + + + Password + + + + + + Password for the device account. Get is allowed here, but will always return a blank. + + + + + + + + + + + + + + + + + + ValidateAndCommit + + + + + This method validates the data provided and then commits the changes. + + + + + + + + + + + + + + + + ExchangeServer + + + + + + Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails. + + + + + + + + + + + + + + + + + + SipAddress + + + + + + Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails. + + + + + + + + + + + + + + + + + + Email + + + + + + Email address of the device account. + + + + + + + + + + + + + + + + + + CalendarSyncEnabled + + + + + + Specifies whether calendar sync and other Exchange server services is enabled. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + ErrorContext + + + + + If there is an error calling ValidateAndCommit, there will be additional context for that error in this node. + + + + + + + + + + + + + + + + PasswordRotationPeriod + + + + + + Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD). 
+ + + + + + + + + + + + + + + 0 + Password rotation enabled + + + 1 + Disabled + + + + + + ExchangeModernAuthEnabled + + + + + + True + Specifies whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. + + + + + + + + + + + + + + 10.19041.789, 10.19042.789, 99.9.9999 + 1.0 + + + + False + Disabled + + + True + Enabled + + + + + + + MaintenanceHoursSimple + + + + + Node for maintenance schedule. + + + + + + + + + + + + + + + Hours + + + + + Node for maintenance schedule. + + + + + + + + + + + + - DeviceAccount - - - - - - - - - - - - - - - - - - - - - - DomainName - - - - - - - - - - - - - - - - text/plain - - - - - UserName - - - - - - - - - - - - - - - - text/plain - - - - - UserPrincipalName - - - - - - - - - - - - - - - - text/plain - - - - - Password - - - - - - Get is allowed here, but will always return a blank. - - - - - - - - - - - text/plain - - - - - ValidateAndCommit - - - - - - - - - - - - - - - text/plain - - - - - ExchangeServer - - - - - - - - - - - - - - - - text/plain - - - - - SipAddress - - - - - - - - - - - - - - - - text/plain - - - - - Email - - - - - - - - - - - - - - - - text/plain - - - - - CalendarSyncEnabled - - - - - - - - - - - - - - - - text/plain - - - - - ErrorContext - - - - - If there is an error calling ValidateAndCommit, there will be additional context for that error in this node. - - - - - - - - - - - text/plain - - - - - PasswordRotationEnabled - - - - - - - - - - - - - - - - text/plain - - - + StartTime + + + + + + Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120. 
+ + + + + + + + + + + + + + [0-1439] + + - MaintenanceHoursSimple - - - - - - - - - - - - - - - - - - - - Hours - - - - - - - - - - - - - - - - - - - StartTime - - - - - - Start time for maintenance hours in minutes from midnight - - - - - - - - - - - text/plain - - - - - Duration - - - - - - Duration of maintenance window - - - - - - - - - - - text/plain - - - - - - - InBoxApps - - - - - - - - - - - - - - - - - - - SkypeForBusiness - - - - - - - - - - - - - - - - - - - DomainName - - - - - - - - - - - - - - - - text/plain - - - - - - Welcome - - - - - - - - - - - - - - - - - - - AutoWakeScreen - - - - - - Setting for the screen to wake up and stay on with sensor activity. - - - - - - - - - - - text/plain - - - - - CurrentBackgroundPath - - - - - - - - - - - - - - - - - - text/plain - - - - - MeetingInfoOption - - - - - - - - - - - - - - - - text/plain - - - - - - WirelessProjection - - - - - - - - - - - - - - - - - - - PINRequired - - - - - - - - - - - - - - - - text/plain - - - - - Enabled - - - - - - - - - - - - - - - - text/plain - - - - - Channel - - - - - - - - - - - - - - - - text/plain - - - - - - Connect - - - - - - - - - - - - - - - - - - - AutoLaunch - - - - - - - - - - - - - - - - text/plain - - - - - - - Properties - - - - - - - - - - - - - - - - - - - FriendlyName - - - - - - - - - - - - - - - - text/plain - - - - - DefaultVolume - - - - - - 65 - - - - - - - - - - - text/plain - - - - - ScreenTimeout - - - - - - 5 - - - - - - - - - - - text/plain - - - - - SessionTimeout - - - - - - 1 - - - - - - - - - - - text/plain - - - - - SleepTimeout - - - - - - 5 - - - - - - - - - - - text/plain - - - - - AllowSessionResume - - - - - - true - - - - - - - - - - - text/plain - - - - - AllowAutoProxyAuth - - - - - - true - - - - - - - - - - - text/plain - - - - - DisableSigninSuggestions - - - - - - false - - - - - - - - - - - text/plain - - - - - DoNotShowMyMeetingsAndFiles - - - - - - false - - - - - - - - - - - text/plain - - - - - - Management - - - - - - - - 
- - - - - - - - - - - GroupName - - - - - - The name of the domain admin group to add to the administrators group on the device. - - - - - - - - - - - text/plain - - - - - GroupSid - - - - - - The sid of the domain admin group to add to the administrators group on the device. - - - - - - - - - - - text/plain - - - - - - MOMAgent - - - - - - - - - - - - - - - - - - - WorkspaceID - - - - - - GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. - - - - - - - - - - - text/plain - - - - - WorkspaceKey - - - - - - Primary key for authenticating with workspace. Will always return an empty string. - - - - - - - - - - - text/plain - - - + Duration + + + + + + Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180. + + + + + + + + + + + + + + [0-1439] + + + + + InBoxApps + + + + + Node for the in-box app settings. + + + + + + + + + + + + + + + SkypeForBusiness + + + + + Node for the Skype for Business settings. + + + + + + + + + + + + + + + DomainName + + + + + + Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see https://docs.microsoft.com/en-us/SkypeForBusiness/set-up-skype-for-business-online/set-up-skype-for-business-online?redirectSourcePath=%252fen-us%252farticle%252fSet-up-Skype-for-Business-Online-40296968-e779-4259-980b-c2de1c044c6e#bkmk_users + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + + + + + Welcome + + + + + Node for the welcome screen. + + + + + + + + + + + + + + + AutoWakeScreen + + + + + + Setting for the screen to wake up and stay on with sensor activity. + + + + + + + + + + + + + + + False + Disabled + + + True + Enabled + + + + + + CurrentBackgroundPath + + + + + + Background image for the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). 
If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image. + + + + + + + + + + + + + + + + + + MeetingInfoOption + + + + + + Meeting information displayed on the welcome screen. + + + + + + + + + + + + + + + 0 + Organizer and time only. + + + 1 + Organizer, time, and subject. Subject is hidden in private meetings. + + + + + + + WirelessProjection + + + + + Node for the wireless projector app settings. + + + + + + + + + + + + + + + PINRequired + + + + + + Users must enter a PIN to wirelessly project to the device. + + + + + + + + + + + + + + + false + Pin not required + + + true + Pin required + + + + + + Enabled + + + + + + Enables wireless projection to the device. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + Channel + + + + + + 255 + Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. + + + + + + + + + + + + + + + + + + + Connect + + + + + Node for the Connect app. + + + + + + + + + + + + + + + AutoLaunch + + + + + + Specifies whether to automatically launch the Connect app whenever a projection is initiated. If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + false + Disabled + + + true + Enabled + + + + + + + Whiteboard + + + + + This node controls policies specific to the Whiteboard App on Surface Hub. 
+ + + + + + + + + + + + + + 10.0.18363, 10.0.18362.449 + 1.0 + + + + SignInDisabled + + + + + + False + When enabled, prevents a user from Signing into Whiteboard on the device + + + + + + + + + + + + + + + False + Sign in enabled + + + True + Sign in disabled + + + + + + TelemetryDisabled + + + + + + False + When enabled, prevents Whiteboard from sending telemetry from the device + + + + + + + + + + + + + + + False + Telemetry enabled + + + True + Telemetry disabled + + + + + + SharingDisabled + + + + + + When enabled, prevents a user from initiating a collaborative session on the device + + + + + + + + + + + + + + + False + Sharing enabled + + + True + Sharing disabled + + + + + + + Teams + + + + + This node controls policies specific to the Teams App on Surface Hub + + + + + + + + + + + + + + 10.0.19042, 10.0.19041.450 + 1.0 + + + + Configurations + + + + + + String to contain Teams policy configs + + + + + + + + + + + + + + + + + + + + Properties + + + + + Node for the device properties. + + + + + + + + + + + + + + + FriendlyName + + + + + + Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device. + + + + + + + + + + + + + + + + + + DefaultVolume + + + + + + 45 + Specifies the default volume value for a new session. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + [0-100] + + + + + ScreenTimeout + + + + + + 5 + Specifies the number of minutes until the Hub screen turns off. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + 0 + Never time out + + + 1 + 1 minute + + + 2 + 2 minutes + + + 3 + 3 minutes + + + 5 + 5 minutes + + + 10 + 10 minutes + + + 15 + 15 minutes + + + 30 + 30 minutes + + + 60 + 1 hour + + + 120 + 2 hours + + + 240 + 4 hours + + + + + + SleepMode + + + + + + 0 + Specifies the type of sleep mode for the Surface Hub. 
+ + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + 0 + Connected Standby + + + 1 + Hibernate + + + + + + SessionTimeout + + + + + + 1 + Specifies the number of minutes until the session times out. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + 0 + Never time out + + + 1 + 1 minute + + + 2 + 2 minutes + + + 3 + 3 minutes + + + 5 + 5 minutes + + + 10 + 10 minutes + + + 15 + 15 minutes + + + 30 + 30 minutes + + + 60 + 1 hour + + + 120 + 2 hours + + + 240 + 4 hours + + + + + + SleepTimeout + + + + + + 5 + Specifies the number of minutes until the Hub enters sleep mode. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + 0 + Never time out + + + 1 + 1 minute + + + 2 + 2 minutes + + + 3 + 3 minutes + + + 5 + 5 minutes + + + 10 + 10 minutes + + + 15 + 15 minutes + + + 30 + 30 minutes + + + 60 + 1 hour + + + 120 + 2 hours + + + 240 + 4 hours + + + + + + AllowSessionResume + + + + + + true + Specifies whether to allow the ability to resume a session when the session times out. If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + false + Disabled + + + true + Enabled + + + + + + AllowAutoProxyAuth + + + + + + true + Specifies whether to use the device account for proxy authentication. If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + false + Disabled + + + true + Enabled + + + + + + DisableSigninSuggestions + + + + + + false + Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate. 
+ + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + false + Dialog will auto-populate. + + + true + Sign-in dialog will not be populated. + + + + + + SurfaceHubMeetingMode + + + + + + + 0 + Teams mode + + + + + + + + + + + + + + 10.0.15063, 10.0.14393.969 + 1.0 + + + [0-2] + + + + + VtcAppPackageId + + + + + + + App name + + + + + + + + + + + + + + 10.0.15063, 10.0.14393.969 + 1.0 + + + + + + + DoNotShowMyMeetingsAndFiles + + + + + + false + Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365. If this setting is true, the “My meetings and files” feature will not be shown. When false, the “My meetings and files” feature will be shown. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + true + "My meetings and files" feature will not be shown. + + + false + The "My meetings and files" feature will be shown. + + + + + + ProxyServers + + + + + + + The list of known proxy servers to provide. + + + + + + + + + + + + + + + + + + + Management + + + + + Not a supported scenario + + + + + + + + + + + + + + 10.0.15063, 10.0.14393.969 + 1.0 + + + + GroupName + + + + + + The name of the domain admin group to add to the administrators group on the device. + + + + + + + + + + + + + + + + + + GroupSid + + + + + + The sid of the domain admin group to add to the administrators group on the device. + + + + + + + + + + + + + + + + + + + MOMAgent + + + + + Node for the Microsoft Operations Management Suite. + + + + + + + + + + + + + + + WorkspaceID + + + + + + GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. + + + + + + + + + + + + + + + + + + WorkspaceKey + + + + + + Primary key for authenticating with workspace. Will always return an empty string. 
+ + + + + + + + + + + + + + + + + + + Dot3 + + + + + Parent node + + + + + + + + + + + + + + 10.0.17134, 10.0.16299.64 + 1.0 + + + + + + LanProfile + + + + + + Used to specify credentials to authenticate device to the network. + + + + + + + + + + + + + + + + + + EapUserData + + + + + + Used to specify credentials to authenticate device to the network. + + + + + + + + + + + + + + + + + + ``` -  - -  - - - - - +## Related articles +[SurfaceHub configuration service provider reference](surfacehub-csp.md) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index d1d4e1f569..3a88cd3e96 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -34,7 +34,7 @@ items: href: policy-configuration-service-provider.md items: - name: Policy CSP DDF file - href: policy-ddf-file.md + href: configuration-service-provider-ddf.md - name: Policy CSP support scenarios items: - name: ADMX policies in Policy CSP @@ -118,6 +118,10 @@ items: href: policy-csp-admx-digitallocker.md - name: ADMX_DiskDiagnostic href: policy-csp-admx-diskdiagnostic.md + - name: ADMX_DiskNVCache + href: policy-csp-admx-disknvcache.md + - name: ADMX_DiskQuota + href: policy-csp-admx-diskquota.md - name: ADMX_DistributedLinkTracking href: policy-csp-admx-distributedlinktracking.md - name: ADMX_DnsClient @@ -156,7 +160,7 @@ items: href: policy-csp-admx-folderredirection.md - name: ADMX_FramePanes href: policy-csp-admx-framepanes.md - - name: ADMX_FTHSVC + - name: ADMX_fthsvc href: policy-csp-admx-fthsvc.md - name: ADMX_Globalization href: policy-csp-admx-globalization.md @@ -166,7 +170,7 @@ items: href: policy-csp-admx-help.md - name: ADMX_HelpAndSupport href: policy-csp-admx-helpandsupport.md - - name: ADMX_HotSpotAuth + - name: ADMX_hotspotauth href: policy-csp-admx-hotspotauth.md - name: ADMX_ICM href: policy-csp-admx-icm.md 
@@ -242,8 +246,12 @@ items: href: policy-csp-admx-printing2.md - name: ADMX_Programs href: policy-csp-admx-programs.md + - name: ADMX_PushToInstall + href: policy-csp-admx-pushtoinstall.md - name: ADMX_QOS href: policy-csp-admx-qos.md + - name: ADMX_Radar + href: policy-csp-admx-radar.md - name: ADMX_Reliability href: policy-csp-admx-reliability.md - name: ADMX_RemoteAssistance @@ -280,6 +288,10 @@ items: href: policy-csp-admx-smartcard.md - name: ADMX_Snmp href: policy-csp-admx-snmp.md + - name: ADMX_SoundRec + href: policy-csp-admx-soundrec.md + - name: ADMX_srmfci + href: policy-csp-admx-srmfci.md - name: ADMX_StartMenu href: policy-csp-admx-startmenu.md - name: ADMX_SystemRestore @@ -312,6 +324,8 @@ items: href: policy-csp-admx-wdi.md - name: ADMX_WinCal href: policy-csp-admx-wincal.md + - name: ADMX_WindowsColorSystem + href: policy-csp-admx-windowscolorsystem.md - name: ADMX_WindowsConnectNow href: policy-csp-admx-windowsconnectnow.md - name: ADMX_WindowsExplorer @@ -328,6 +342,8 @@ items: href: policy-csp-admx-wininit.md - name: ADMX_WinLogon href: policy-csp-admx-winlogon.md + - name: ADMX_Winsrv + href: policy-csp-admx-winsrv.md - name: ADMX_wlansvc href: policy-csp-admx-wlansvc.md - name: ADMX_WordWheel @@ -336,8 +352,6 @@ items: href: policy-csp-admx-workfoldersclient.md - name: ADMX_WPN href: policy-csp-admx-wpn.md - - name: ADMX-Winsrv - href: policy-csp-admx-winsrv.md - name: ApplicationDefaults href: policy-csp-applicationdefaults.md - name: ApplicationManagement @@ -354,7 +368,7 @@ items: href: policy-csp-authentication.md - name: Autoplay href: policy-csp-autoplay.md - - name: BitLocker + - name: Bitlocker href: policy-csp-bitlocker.md - name: BITS href: policy-csp-bits.md @@ -406,7 +420,7 @@ items: href: policy-csp-display.md - name: DmaGuard href: policy-csp-dmaguard.md - - name: EAP + - name: Eap href: policy-csp-eap.md - name: Education href: policy-csp-education.md 
@@ -420,7 +434,7 @@ items: href: policy-csp-experience.md - name: ExploitGuard href: policy-csp-exploitguard.md - - name: Federated Authentication + - name: FederatedAuthentication href: policy-csp-federatedauthentication.md - name: Feeds href: policy-csp-feeds.md @@ -502,6 +516,8 @@ items: href: policy-csp-settings.md - name: SettingsSync href: policy-csp-settingssync.md + - name: SmartScreen + href: policy-csp-smartscreen.md - name: Speech href: policy-csp-speech.md - name: Start @@ -538,14 +554,12 @@ items: href: policy-csp-webthreatdefense.md - name: Wifi href: policy-csp-wifi.md - - name: WindowsAutoPilot + - name: WindowsAutopilot href: policy-csp-windowsautopilot.md - name: WindowsConnectionManager href: policy-csp-windowsconnectionmanager.md - name: WindowsDefenderSecurityCenter href: policy-csp-windowsdefendersecuritycenter.md - - name: WindowsDefenderSmartScreen - href: policy-csp-smartscreen.md - name: WindowsInkWorkspace href: policy-csp-windowsinkworkspace.md - name: WindowsLogon @@ -588,8 +602,6 @@ items: items: - name: AppLocker DDF file href: applocker-ddf-file.md - - name: AppLocker XSD - href: applocker-xsd.md - name: AssignedAccess href: assignedaccess-csp.md items: @@ -654,12 +666,17 @@ items: - name: DeviceManageability href: devicemanageability-csp.md items: - - name: DeviceManageability DDF + - name: DeviceManageability DDF file href: devicemanageability-ddf.md + - name: DevicePreparation + href: devicepreparation-csp.md + items: + - name: DevicePreparation DDF file + href: devicepreparation-ddf-file.md - name: DeviceStatus href: devicestatus-csp.md items: - - name: DeviceStatus DDF + - name: DeviceStatus DDF file href: devicestatus-ddf.md - name: DevInfo href: devinfo-csp.md 
@@ -719,17 +736,13 @@ items: - name: EnterpriseDesktopAppManagement href: enterprisedesktopappmanagement-csp.md items: - - name: EnterpriseDesktopAppManagement DDF + - name: EnterpriseDesktopAppManagement DDF file href: enterprisedesktopappmanagement-ddf-file.md - - name: EnterpriseDesktopAppManagement XSD - href: enterprisedesktopappmanagement2-xsd.md - name: EnterpriseModernAppManagement href: enterprisemodernappmanagement-csp.md items: - - name: EnterpriseModernAppManagement DDF + - name: EnterpriseModernAppManagement DDF file href: enterprisemodernappmanagement-ddf.md - - name: EnterpriseModernAppManagement XSD - href: enterprisemodernappmanagement-xsd.md - name: eUICCs href: euiccs-csp.md items: @@ -743,12 +756,17 @@ items: - name: HealthAttestation href: healthattestation-csp.md items: - - name: HealthAttestation DDF + - name: HealthAttestation DDF file href: healthattestation-ddf.md - - name: Local Administrator Password Solution + - name: LanguagePackManagement + href: language-pack-management-csp.md + items: + - name: LanguagePackManagement DDF file + href: language-pack-management-ddf-file.md + - name: LAPS href: laps-csp.md items: - - name: Local Administrator Password Solution DDF + - name: LAPS DDF file href: laps-ddf-file.md - name: MultiSIM href: multisim-csp.md 
@@ -777,23 +795,28 @@ items: - name: Office href: office-csp.md items: - - name: Office DDF + - name: Office DDF file href: office-ddf.md - name: PassportForWork href: passportforwork-csp.md items: - name: PassportForWork DDF file href: passportforwork-ddf.md - - name: PersonalDataEncryption + - name: PDE href: personaldataencryption-csp.md items: - - name: PersonalDataEncryption DDF file + - name: PDE DDF file href: personaldataencryption-ddf-file.md - name: Personalization href: personalization-csp.md items: - name: Personalization DDF file href: personalization-ddf.md + - name: PrinterProvisioning + href: printerprovisioning-csp.md + items: + - name: PrinterProvisioning DDF file + href: printerprovisioning-ddf-file.md - name: Provisioning href: provisioning-csp.md - name: PXLOGICAL @@ -890,8 +913,6 @@ items: items: - name: VPNv2 DDF file href: vpnv2-ddf-file.md - - name: ProfileXML XSD - href: vpnv2-profile-xsd.md - name: EAP configuration href: eap-configuration.md - name: w4 APPLICATION diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index 6b3389617f..b6cc17127d 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -7,7 +7,7 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: manager: aaroncz --- 
@@ -31,7 +31,7 @@ The UEFI Configuration Service Provider (CSP) interfaces to UEFI's Device Firmwa > The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809). > [!NOTE] -> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Dfci_Feature/) to comply with this interface. +> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Dfci_Feature/) to comply with this interface. The following shows the UEFI CSP in tree format. ``` diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index ea73b10265..ce9204701c 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md 
@@ -1,899 +1,8980 @@ --- title: VPNv2 CSP -description: Learn how the VPNv2 configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device. -ms.reviewer: pesmith +description: Learn more about the VPNv2 CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/21/2021 +ms.topic: reference --- + + + # VPNv2 CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The VPNv2 configuration service provider allows the Mobile Device Management (MDM) server to configure the VPN profile of the device. Here are the requirements for this CSP: - VPN configuration commands must be wrapped in an Atomic block in SyncML. - For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure Windows Information Protection policies. -- Instead of changing individual properties, follow these steps to make any changes: +- In certain conditions you can change some properties directly, but we don't recommend it. Instead, follow these steps to make any changes: - Send a Delete command for the ProfileName to delete the entire profile. - Send the entire profile again with new values wrapped in an Atomic block. - In certain conditions you can change some properties directly, but we don't recommend it. 
- The XSDs for all EAP methods are shipped in the box and can be found at the following locations: - `C:\Windows\schemas\EAPHost` - `C:\Windows\schemas\EAPMethods` + -The following example shows the VPNv2 configuration service provider in tree format. + +The following list shows the VPNv2 configuration service provider nodes: +- ./Device/Vendor/MSFT/VPNv2 + - [{ProfileName}](#deviceprofilename) + - [AlwaysOn](#deviceprofilenamealwayson) + - [AlwaysOnActive](#deviceprofilenamealwaysonactive) + - [APNBinding](#deviceprofilenameapnbinding) + - [AccessPointName](#deviceprofilenameapnbindingaccesspointname) + - [AuthenticationType](#deviceprofilenameapnbindingauthenticationtype) + - [IsCompressionEnabled](#deviceprofilenameapnbindingiscompressionenabled) + - [Password](#deviceprofilenameapnbindingpassword) + - [ProviderId](#deviceprofilenameapnbindingproviderid) + - [UserName](#deviceprofilenameapnbindingusername) + - [AppTriggerList](#deviceprofilenameapptriggerlist) + - [{appTriggerRowId}](#deviceprofilenameapptriggerlistapptriggerrowid) + - [App](#deviceprofilenameapptriggerlistapptriggerrowidapp) + - [Id](#deviceprofilenameapptriggerlistapptriggerrowidappid) + - [Type](#deviceprofilenameapptriggerlistapptriggerrowidapptype) + - [ByPassForLocal](#deviceprofilenamebypassforlocal) + - [DataEncryption](#deviceprofilenamedataencryption) + - [DeviceCompliance](#deviceprofilenamedevicecompliance) + - [Enabled](#deviceprofilenamedevicecomplianceenabled) + - [Sso](#deviceprofilenamedevicecompliancesso) + - [Eku](#deviceprofilenamedevicecompliancessoeku) + - [Enabled](#deviceprofilenamedevicecompliancessoenabled) + - [IssuerHash](#deviceprofilenamedevicecompliancessoissuerhash) + - [DeviceTunnel](#deviceprofilenamedevicetunnel) + - [DisableAdvancedOptionsEditButton](#deviceprofilenamedisableadvancedoptionseditbutton) + - [DisableDisconnectButton](#deviceprofilenamedisabledisconnectbutton) + - [DisableIKEv2Fragmentation](#deviceprofilenamedisableikev2fragmentation) + - 
[DnsSuffix](#deviceprofilenamednssuffix) + - [DomainNameInformationList](#deviceprofilenamedomainnameinformationlist) + - [{dniRowId}](#deviceprofilenamedomainnameinformationlistdnirowid) + - [AutoTrigger](#deviceprofilenamedomainnameinformationlistdnirowidautotrigger) + - [DnsServers](#deviceprofilenamedomainnameinformationlistdnirowiddnsservers) + - [DomainName](#deviceprofilenamedomainnameinformationlistdnirowiddomainname) + - [DomainNameType](#deviceprofilenamedomainnameinformationlistdnirowiddomainnametype) + - [Persistent](#deviceprofilenamedomainnameinformationlistdnirowidpersistent) + - [WebProxyServers](#deviceprofilenamedomainnameinformationlistdnirowidwebproxyservers) + - [EdpModeId](#deviceprofilenameedpmodeid) + - [IPv4InterfaceMetric](#deviceprofilenameipv4interfacemetric) + - [IPv6InterfaceMetric](#deviceprofilenameipv6interfacemetric) + - [NativeProfile](#deviceprofilenamenativeprofile) + - [Authentication](#deviceprofilenamenativeprofileauthentication) + - [Certificate](#deviceprofilenamenativeprofileauthenticationcertificate) + - [Eku](#deviceprofilenamenativeprofileauthenticationcertificateeku) + - [Issuer](#deviceprofilenamenativeprofileauthenticationcertificateissuer) + - [Eap](#deviceprofilenamenativeprofileauthenticationeap) + - [Configuration](#deviceprofilenamenativeprofileauthenticationeapconfiguration) + - [Type](#deviceprofilenamenativeprofileauthenticationeaptype) + - [MachineMethod](#deviceprofilenamenativeprofileauthenticationmachinemethod) + - [UserMethod](#deviceprofilenamenativeprofileauthenticationusermethod) + - [CryptographySuite](#deviceprofilenamenativeprofilecryptographysuite) + - [AuthenticationTransformConstants](#deviceprofilenamenativeprofilecryptographysuiteauthenticationtransformconstants) + - [CipherTransformConstants](#deviceprofilenamenativeprofilecryptographysuiteciphertransformconstants) + - [DHGroup](#deviceprofilenamenativeprofilecryptographysuitedhgroup) + - 
[EncryptionMethod](#deviceprofilenamenativeprofilecryptographysuiteencryptionmethod) + - [IntegrityCheckMethod](#deviceprofilenamenativeprofilecryptographysuiteintegritycheckmethod) + - [PfsGroup](#deviceprofilenamenativeprofilecryptographysuitepfsgroup) + - [DisableClassBasedDefaultRoute](#deviceprofilenamenativeprofiledisableclassbaseddefaultroute) + - [L2tpPsk](#deviceprofilenamenativeprofilel2tppsk) + - [NativeProtocolType](#deviceprofilenamenativeprofilenativeprotocoltype) + - [PlumbIKEv2TSAsRoutes](#deviceprofilenamenativeprofileplumbikev2tsasroutes) + - [ProtocolList](#deviceprofilenamenativeprofileprotocollist) + - [NativeProtocolList](#deviceprofilenamenativeprofileprotocollistnativeprotocollist) + - [{NativeProtocolRowId}](#deviceprofilenamenativeprofileprotocollistnativeprotocollistnativeprotocolrowid) + - [Type](#deviceprofilenamenativeprofileprotocollistnativeprotocollistnativeprotocolrowidtype) + - [RetryTimeInHours](#deviceprofilenamenativeprofileprotocollistretrytimeinhours) + - [RoutingPolicyType](#deviceprofilenamenativeprofileroutingpolicytype) + - [Servers](#deviceprofilenamenativeprofileservers) + - [NetworkOutageTime](#deviceprofilenamenetworkoutagetime) + - [PluginProfile](#deviceprofilenamepluginprofile) + - [CustomConfiguration](#deviceprofilenamepluginprofilecustomconfiguration) + - [PluginPackageFamilyName](#deviceprofilenamepluginprofilepluginpackagefamilyname) + - [ServerUrlList](#deviceprofilenamepluginprofileserverurllist) + - [PrivateNetwork](#deviceprofilenameprivatenetwork) + - [ProfileXML](#deviceprofilenameprofilexml) + - [Proxy](#deviceprofilenameproxy) + - [AutoConfigUrl](#deviceprofilenameproxyautoconfigurl) + - [Manual](#deviceprofilenameproxymanual) + - [Server](#deviceprofilenameproxymanualserver) + - [RegisterDNS](#deviceprofilenameregisterdns) + - [RememberCredentials](#deviceprofilenameremembercredentials) + - [RouteList](#deviceprofilenameroutelist) + - [{routeRowId}](#deviceprofilenameroutelistrouterowid) + - 
[Address](#deviceprofilenameroutelistrouterowidaddress) + - [ExclusionRoute](#deviceprofilenameroutelistrouterowidexclusionroute) + - [Metric](#deviceprofilenameroutelistrouterowidmetric) + - [PrefixSize](#deviceprofilenameroutelistrouterowidprefixsize) + - [TrafficFilterList](#deviceprofilenametrafficfilterlist) + - [{trafficFilterId}](#deviceprofilenametrafficfilterlisttrafficfilterid) + - [App](#deviceprofilenametrafficfilterlisttrafficfilteridapp) + - [Id](#deviceprofilenametrafficfilterlisttrafficfilteridappid) + - [Type](#deviceprofilenametrafficfilterlisttrafficfilteridapptype) + - [Claims](#deviceprofilenametrafficfilterlisttrafficfilteridclaims) + - [Direction](#deviceprofilenametrafficfilterlisttrafficfilteriddirection) + - [LocalAddressRanges](#deviceprofilenametrafficfilterlisttrafficfilteridlocaladdressranges) + - [LocalPortRanges](#deviceprofilenametrafficfilterlisttrafficfilteridlocalportranges) + - [Protocol](#deviceprofilenametrafficfilterlisttrafficfilteridprotocol) + - [RemoteAddressRanges](#deviceprofilenametrafficfilterlisttrafficfilteridremoteaddressranges) + - [RemotePortRanges](#deviceprofilenametrafficfilterlisttrafficfilteridremoteportranges) + - [RoutingPolicyType](#deviceprofilenametrafficfilterlisttrafficfilteridroutingpolicytype) + - [TrustedNetworkDetection](#deviceprofilenametrustednetworkdetection) + - [UseRasCredentials](#deviceprofilenameuserascredentials) +- ./User/Vendor/MSFT/VPNv2 + - [{ProfileName}](#userprofilename) + - [AlwaysOn](#userprofilenamealwayson) + - [AlwaysOnActive](#userprofilenamealwaysonactive) + - [APNBinding](#userprofilenameapnbinding) + - [AccessPointName](#userprofilenameapnbindingaccesspointname) + - [AuthenticationType](#userprofilenameapnbindingauthenticationtype) + - [IsCompressionEnabled](#userprofilenameapnbindingiscompressionenabled) + - [Password](#userprofilenameapnbindingpassword) + - [ProviderId](#userprofilenameapnbindingproviderid) + - [UserName](#userprofilenameapnbindingusername) + - 
[AppTriggerList](#userprofilenameapptriggerlist) + - [{appTriggerRowId}](#userprofilenameapptriggerlistapptriggerrowid) + - [App](#userprofilenameapptriggerlistapptriggerrowidapp) + - [Id](#userprofilenameapptriggerlistapptriggerrowidappid) + - [Type](#userprofilenameapptriggerlistapptriggerrowidapptype) + - [ByPassForLocal](#userprofilenamebypassforlocal) + - [DataEncryption](#userprofilenamedataencryption) + - [DeviceCompliance](#userprofilenamedevicecompliance) + - [Enabled](#userprofilenamedevicecomplianceenabled) + - [Sso](#userprofilenamedevicecompliancesso) + - [Eku](#userprofilenamedevicecompliancessoeku) + - [Enabled](#userprofilenamedevicecompliancessoenabled) + - [IssuerHash](#userprofilenamedevicecompliancessoissuerhash) + - [DisableAdvancedOptionsEditButton](#userprofilenamedisableadvancedoptionseditbutton) + - [DisableDisconnectButton](#userprofilenamedisabledisconnectbutton) + - [DisableIKEv2Fragmentation](#userprofilenamedisableikev2fragmentation) + - [DnsSuffix](#userprofilenamednssuffix) + - [DomainNameInformationList](#userprofilenamedomainnameinformationlist) + - [{dniRowId}](#userprofilenamedomainnameinformationlistdnirowid) + - [AutoTrigger](#userprofilenamedomainnameinformationlistdnirowidautotrigger) + - [DnsServers](#userprofilenamedomainnameinformationlistdnirowiddnsservers) + - [DomainName](#userprofilenamedomainnameinformationlistdnirowiddomainname) + - [DomainNameType](#userprofilenamedomainnameinformationlistdnirowiddomainnametype) + - [Persistent](#userprofilenamedomainnameinformationlistdnirowidpersistent) + - [WebProxyServers](#userprofilenamedomainnameinformationlistdnirowidwebproxyservers) + - [EdpModeId](#userprofilenameedpmodeid) + - [IPv4InterfaceMetric](#userprofilenameipv4interfacemetric) + - [IPv6InterfaceMetric](#userprofilenameipv6interfacemetric) + - [NativeProfile](#userprofilenamenativeprofile) + - [Authentication](#userprofilenamenativeprofileauthentication) + - 
[Certificate](#userprofilenamenativeprofileauthenticationcertificate) + - [Eku](#userprofilenamenativeprofileauthenticationcertificateeku) + - [Issuer](#userprofilenamenativeprofileauthenticationcertificateissuer) + - [Eap](#userprofilenamenativeprofileauthenticationeap) + - [Configuration](#userprofilenamenativeprofileauthenticationeapconfiguration) + - [Type](#userprofilenamenativeprofileauthenticationeaptype) + - [MachineMethod](#userprofilenamenativeprofileauthenticationmachinemethod) + - [UserMethod](#userprofilenamenativeprofileauthenticationusermethod) + - [CryptographySuite](#userprofilenamenativeprofilecryptographysuite) + - [AuthenticationTransformConstants](#userprofilenamenativeprofilecryptographysuiteauthenticationtransformconstants) + - [CipherTransformConstants](#userprofilenamenativeprofilecryptographysuiteciphertransformconstants) + - [DHGroup](#userprofilenamenativeprofilecryptographysuitedhgroup) + - [EncryptionMethod](#userprofilenamenativeprofilecryptographysuiteencryptionmethod) + - [IntegrityCheckMethod](#userprofilenamenativeprofilecryptographysuiteintegritycheckmethod) + - [PfsGroup](#userprofilenamenativeprofilecryptographysuitepfsgroup) + - [DisableClassBasedDefaultRoute](#userprofilenamenativeprofiledisableclassbaseddefaultroute) + - [L2tpPsk](#userprofilenamenativeprofilel2tppsk) + - [NativeProtocolType](#userprofilenamenativeprofilenativeprotocoltype) + - [PlumbIKEv2TSAsRoutes](#userprofilenamenativeprofileplumbikev2tsasroutes) + - [ProtocolList](#userprofilenamenativeprofileprotocollist) + - [NativeProtocolList](#userprofilenamenativeprofileprotocollistnativeprotocollist) + - [{NativeProtocolRowId}](#userprofilenamenativeprofileprotocollistnativeprotocollistnativeprotocolrowid) + - [Type](#userprofilenamenativeprofileprotocollistnativeprotocollistnativeprotocolrowidtype) + - [RetryTimeInHours](#userprofilenamenativeprofileprotocollistretrytimeinhours) + - [RoutingPolicyType](#userprofilenamenativeprofileroutingpolicytype) + - 
[Servers](#userprofilenamenativeprofileservers) + - [NetworkOutageTime](#userprofilenamenetworkoutagetime) + - [PluginProfile](#userprofilenamepluginprofile) + - [CustomConfiguration](#userprofilenamepluginprofilecustomconfiguration) + - [PluginPackageFamilyName](#userprofilenamepluginprofilepluginpackagefamilyname) + - [ServerUrlList](#userprofilenamepluginprofileserverurllist) + - [PrivateNetwork](#userprofilenameprivatenetwork) + - [ProfileXML](#userprofilenameprofilexml) + - [Proxy](#userprofilenameproxy) + - [AutoConfigUrl](#userprofilenameproxyautoconfigurl) + - [Manual](#userprofilenameproxymanual) + - [Server](#userprofilenameproxymanualserver) + - [RegisterDNS](#userprofilenameregisterdns) + - [RememberCredentials](#userprofilenameremembercredentials) + - [RequireVpnClientAppUI](#userprofilenamerequirevpnclientappui) + - [RouteList](#userprofilenameroutelist) + - [{routeRowId}](#userprofilenameroutelistrouterowid) + - [Address](#userprofilenameroutelistrouterowidaddress) + - [ExclusionRoute](#userprofilenameroutelistrouterowidexclusionroute) + - [Metric](#userprofilenameroutelistrouterowidmetric) + - [PrefixSize](#userprofilenameroutelistrouterowidprefixsize) + - [TrafficFilterList](#userprofilenametrafficfilterlist) + - [{trafficFilterId}](#userprofilenametrafficfilterlisttrafficfilterid) + - [App](#userprofilenametrafficfilterlisttrafficfilteridapp) + - [Id](#userprofilenametrafficfilterlisttrafficfilteridappid) + - [Type](#userprofilenametrafficfilterlisttrafficfilteridapptype) + - [Claims](#userprofilenametrafficfilterlisttrafficfilteridclaims) + - [Direction](#userprofilenametrafficfilterlisttrafficfilteriddirection) + - [LocalAddressRanges](#userprofilenametrafficfilterlisttrafficfilteridlocaladdressranges) + - [LocalPortRanges](#userprofilenametrafficfilterlisttrafficfilteridlocalportranges) + - [Protocol](#userprofilenametrafficfilterlisttrafficfilteridprotocol) + - 
[RemoteAddressRanges](#userprofilenametrafficfilterlisttrafficfilteridremoteaddressranges) + - [RemotePortRanges](#userprofilenametrafficfilterlisttrafficfilteridremoteportranges) + - [RoutingPolicyType](#userprofilenametrafficfilterlisttrafficfilteridroutingpolicytype) + - [TrustedNetworkDetection](#userprofilenametrustednetworkdetection) + - [UseRasCredentials](#userprofilenameuserascredentials) + + + +## Device/{ProfileName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName} ``` -./Vendor/MSFT -VPNv2 -----ProfileName ---------AppTriggerList -------------appTriggerRowId -----------------App ---------------------Id ---------------------Type ---------RouteList -------------routeRowId -----------------Address -----------------PrefixSize -----------------Metric -----------------ExclusionRoute ---------DomainNameInformationList -------------dniRowId -----------------DomainName -----------------DomainNameType -----------------DnsServers -----------------WebProxyServers -----------------AutoTrigger -----------------Persistent ---------TrafficFilterList -------------trafficFilterId -----------------App ---------------------Id ---------------------Type -----------------Claims -----------------Protocol -----------------LocalPortRanges -----------------RemotePortRanges -----------------LocalAddressRanges -----------------RemoteAddressRanges -----------------RoutingPolicyType -----------------Direction ---------EdpModeId ---------RememberCredentials ---------AlwaysOn ---------LockDown ---------DeviceTunnel ---------RegisterDNS ---------DnsSuffix ---------ByPassForLocal ---------TrustedNetworkDetection ---------ProfileXML ---------Proxy -------------Manual -----------------Server -------------AutoConfigUrl ---------APNBinding -------------ProviderId -------------AccessPointName -------------UserName -------------Password -------------IsCompressionEnabled -------------AuthenticationType ---------DeviceCompliance -------------Enabled -------------Sso -----------------Enabled -----------------IssuerHash -----------------Eku ---------PluginProfile -------------ServerUrlList -------------CustomConfiguration -------------PluginPackageFamilyName -------------CustomStoreUrl -------------WebAuth -----------------Enabled -----------------ClientId ---------NativeProfile -------------Servers 
-------------RoutingPolicyType -------------NativeProtocolType -------------Authentication -----------------UserMethod -----------------MachineMethod -----------------Eap ---------------------Configuration ---------------------Type -----------------Certificate ---------------------Issuer ---------------------Eku -------------CryptographySuite -----------------AuthenticationTransformConstants -----------------CipherTransformConstants -----------------EncryptionMethod -----------------IntegrityCheckMethod -----------------DHGroup -----------------PfsGroup -------------L2tpPsk -------------DisableClassBasedDefaultRoute -------------PlumbIKEv2TSAsRoutes + + + +Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. + -./User/Vendor/MSFT -VPNv2 -----ProfileName ---------AppTriggerList -------------appTriggerRowId -----------------App ---------------------Id ---------------------Type ---------RouteList -------------routeRowId -----------------Address -----------------PrefixSize -----------------Metric -----------------ExclusionRoute ---------DomainNameInformationList -------------dniRowId -----------------DomainName -----------------DomainNameType -----------------DnsServers -----------------WebProxyServers -----------------AutoTrigger -----------------Persistent ---------TrafficFilterList -------------trafficFilterId -----------------App ---------------------Id ---------------------Type -----------------Claims -----------------Protocol -----------------LocalPortRanges -----------------RemotePortRanges -----------------LocalAddressRanges -----------------RemoteAddressRanges -----------------RoutingPolicyType ---------EdpModeId ---------RememberCredentials ---------AlwaysOn ---------DnsSuffix ---------ByPassForLocal ---------TrustedNetworkDetection ---------ProfileXML ---------Proxy 
-------------Manual -----------------Server -------------AutoConfigUrl ---------APNBinding -------------ProviderId -------------AccessPointName -------------UserName -------------Password -------------IsCompressionEnabled -------------AuthenticationType ---------DeviceCompliance -------------Enabled -------------Sso -----------------Enabled -----------------IssuerHash -----------------Eku ---------PluginProfile -------------ServerUrlList -------------CustomConfiguration -------------PluginPackageFamilyName -------------CustomStoreUrl -------------WebAuth -----------------Enabled -----------------ClientId ---------NativeProfile -------------Servers -------------RoutingPolicyType -------------NativeProtocolType -------------Authentication -----------------UserMethod -----------------MachineMethod -----------------Eap ---------------------Configuration ---------------------Type -----------------Certificate ---------------------Issuer ---------------------Eku -------------CryptographySuite -----------------AuthenticationTransformConstants -----------------CipherTransformConstants -----------------EncryptionMethod -----------------IntegrityCheckMethod -----------------DHGroup -----------------PfsGroup -------------L2tpPsk -------------DisableClassBasedDefaultRoute -------------PlumbIKEv2TSAsRoutes + + + + +**Description framework properties**: -./Vendor/MSFT -./User/Vendor/MSFT -VPNv2 -----ProfileName ---------AppTriggerList -------------appTriggerRowId -----------------App ---------------------Id ---------------------Type ---------RouteList -------------routeRowId -----------------Address -----------------PrefixSize -----------------Metric -----------------ExclusionRoute ---------DomainNameInformationList -------------dniRowId -----------------DomainName -----------------DomainNameType -----------------DnsServers -----------------WebProxyServers -----------------AutoTrigger -----------------Persistent ---------TrafficFilterList -------------trafficFilterId 
-----------------App ---------------------Id ---------------------Type -----------------Claims -----------------Protocol -----------------LocalPortRanges -----------------RemotePortRanges -----------------LocalAddressRanges -----------------RemoteAddressRanges -----------------RoutingPolicyType -----------------Direction ---------EdpModeId ---------RememberCredentials ---------AlwaysOn ---------LockDown ---------DeviceTunnel ---------RegisterDNS ---------DnsSuffix ---------ByPassForLocal ---------TrustedNetworkDetection ---------ProfileXML ---------Proxy -------------Manual -----------------Server -------------AutoConfigUrl ---------APNBinding -------------ProviderId -------------AccessPointName -------------UserName -------------Password -------------IsCompressionEnabled -------------AuthenticationType ---------DeviceCompliance -------------Enabled -------------Sso -----------------Enabled -----------------IssuerHash -----------------Eku ---------PluginProfile -------------ServerUrlList -------------CustomConfiguration -------------PluginPackageFamilyName -------------CustomStoreUrl -------------WebAuth -----------------Enabled -----------------ClientId ---------NativeProfile -------------Servers -------------RoutingPolicyType -------------NativeProtocolType -------------Authentication -----------------UserMethod -----------------MachineMethod -----------------Eap ---------------------Configuration ---------------------Type -----------------Certificate ---------------------Issuer ---------------------Eku -------------CryptographySuite -----------------AuthenticationTransformConstants -----------------CipherTransformConstants -----------------EncryptionMethod -----------------IntegrityCheckMethod -----------------DHGroup -----------------PfsGroup -------------L2tpPsk -------------DisableClassBasedDefaultRoute -------------PlumbIKEv2TSAsRoutes +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic 
Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | +| Allowed Values | Regular Expression: `^[^/]*$` | + + + + + + + + + +### Device/{ProfileName}/AlwaysOn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOn ``` -**Device or User profile** -For user profile, use **./User/Vendor/MSFT** path and for device profile, use **./Device/Vendor/MSFT** path. + -**VPNv2/**ProfileName -Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). + + +An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects. + -Supported operations include Get, Add, and Delete. + + + -> [!NOTE] -> If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. + +**Description framework properties**: -**VPNv2/**ProfileName**/AppTriggerList** -Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + -**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId -A sequential integer identifier that allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you shouldn't skip numbers. + +**Allowed values**: -Supported operations include Get, Add, Replace, and Delete. +| Value | Description | +|:--|:--| +| false (Default) | Always On is turned off. | +| true | Always On is turned on. | + -**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App** -App Node under the Row ID. + + + -**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Id** -App identity, which is either an app’s package family name or file path. 
The type is inferred by the ID, and therefore can't be specified in the get only App/Type field -**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Type** -Returns the type of **App/Id**. This value can be either of the following values: + -- PackageFamilyName - When this value is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. -- FilePath - When this value is returned, the App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`. + +### Device/{ProfileName}/AlwaysOnActive -Value type is chr. Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**VPNv2/**ProfileName**/RouteList/** -Optional node. List of routes to be added to the routing table for the VPN interface. This information is required for split tunneling case where the VPN server site has more subnets that the default subnet based on the IP assigned to the interface. + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOnActive +``` + -Every computer that runs TCP/IP makes routing decisions. These decisions are controlled by the IP routing table. Adding values under this node updates the routing table with routes for the VPN interface post connection. The values under this node represent the destination prefix of IP routes. A destination prefix consists of an IP address prefix and a prefix length. + + +An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation. + -Adding a route here allows the networking stack to identify the traffic that needs to go over the VPN interface for split tunnel VPN. Some VPN servers can configure this during connect negotiation and don't need this information in the VPN Profile. Check with your VPN server administrator to determine whether you need this information in the VPN profile. + + + -**VPNv2/**ProfileName**/RouteList/**routeRowId + +**Description framework properties**: -A sequential integer identifier for the RouteList. This value is required if you're adding routes. Sequencing must start at 0. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -Supported operations include Get, Add, Replace, and Delete. 
+ +**Allowed values**: -**VPNv2/**ProfileName**/RouteList/**routeRowId**/Address** -Subnet address in IPv4/v6 address format which, along with the prefix, will be used to determine the destination prefix to send via the VPN Interface. This subnet address is the IP address part of the destination prefix. +| Value | Description | +|:--|:--| +| 0 | Always On is inactive. | +| 1 (Default) | Always On is activated on provisioning. | + -Supported operations include Get, Add, Replace, and Delete. Value type is chr. Example, `192.168.0.0` + + + -**VPNv2/**ProfileName**/RouteList/**routeRowId**/PrefixSize** -The subnet prefix size part of the destination prefix for the route entry. This subnet prefix, along with the address, will be used to determine the destination prefix to route through the VPN Interface. + -Value type is int. Supported operations include Get, Add, Replace, and Delete. + +### Device/{ProfileName}/APNBinding -**VPNv2/**ProfileName**/RouteList/**routeRowId**/Metric** -Added in Windows 10, version 1607. The route's metric. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Value type is int. Supported operations include Get, Add, Replace, and Delete. + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding +``` + -**VPNv2/**ProfileName**/RouteList/**routeRowId**/ExclusionRoute** -Added in Windows 10, version 1607. A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. Valid values: + + +Reserved for future use. + -- False (default) - This route will direct traffic over the VPN -- True - This route will direct traffic over the physical interface. + + + -Supported operations include Get, Add, Replace, and Delete. + +**Description framework properties**: -**VPNv2/**ProfileName**/DomainNameInformationList** -Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before name resolution queries are issued, the DNS client consults the NRPT to determine if any extra flags must be set in the query. After the response is received, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface. + + + + + + +#### Device/{ProfileName}/APNBinding/AccessPointName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AccessPointName +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/APNBinding/AuthenticationType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AuthenticationType +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/APNBinding/IsCompressionEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/IsCompressionEnabled +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/APNBinding/Password + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/Password +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/APNBinding/ProviderId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/ProviderId +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/{ProfileName}/APNBinding/UserName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/UserName +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/{ProfileName}/AppTriggerList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList +``` + + + + +List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Device/{ProfileName}/AppTriggerList/{appTriggerRowId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId} +``` + + + + +A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. | + + + + + + + + + +##### Device/{ProfileName}/AppTriggerList/{appTriggerRowId}/App + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App +``` + + + + +App Node under the Row Id. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### Device/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id +``` + + + + +App Identity. Specified, based on the Type Field. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Device/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type +``` + + + + +Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Device/{ProfileName}/ByPassForLocal + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/ByPassForLocal +``` + + + + +False : Do not Bypass for Local traffic +True : ByPass VPN Interface for Local Traffic + +Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/{ProfileName}/DataEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DataEncryption +``` + + + + +Determines the level of data encryption required for the connection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | Require | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| None | No Data Encryption required. | +| Require (Default) | Data Encryption required. | +| Max | Maximum-strength Data Encryption required. | +| Optional | Perform encryption if possible. | + + + + + + + + + +### Device/{ProfileName}/DeviceCompliance + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance +``` + + + + +Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + + + + + + + + + +#### Device/{ProfileName}/DeviceCompliance/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Enabled +``` + + + + +Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true | Enabled. | + + + + + + + + + +#### Device/{ProfileName}/DeviceCompliance/Sso + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso +``` + + + + +Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + + + + + + + + + +##### Device/{ProfileName}/DeviceCompliance/Sso/Eku + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Eku +``` + + + + +Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/DeviceCompliance/Sso/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Enabled +``` + + + + +If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true | Enabled. | + + + + + + + + + +##### Device/{ProfileName}/DeviceCompliance/Sso/IssuerHash + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/IssuerHash +``` + + + + +Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/{ProfileName}/DeviceTunnel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DeviceTunnel +``` + + + + +If turned on a device tunnel profile does four things. +First, it automatically becomes an always on profile. +Second, it does not require the presence or logging in of any user to the machine in order for it to connect. +Third, no other Device Tunnel profile maybe be present on the same machine. +A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | This is not a device tunnel profile. | +| true | This is a device tunnel profile. | + + + + + + + + + +### Device/{ProfileName}/DisableAdvancedOptionsEditButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DisableAdvancedOptionsEditButton +``` + + + + +Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Advanced Options Edit Button is available. | +| true | Advanced Options Edit Button is unavailable. | + + + + + + + + + +### Device/{ProfileName}/DisableDisconnectButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DisableDisconnectButton +``` + + + + +Optional. When this setting is True, the Disconnect button will not be visible for connected profiles. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disconnect Button is visible. | +| true | Disconnect Button is not visible. | + + + + + + + + + +### Device/{ProfileName}/DisableIKEv2Fragmentation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DisableIKEv2Fragmentation +``` + + + + +Set to disable IKEv2 Fragmentation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true | IKEv2 Fragmentation will not be used. | +| false (Default) | IKEv2 Fragmentation is used as normal. | + + + + + + + + + +### Device/{ProfileName}/DnsSuffix + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DnsSuffix +``` + + + + +Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/{ProfileName}/DomainNameInformationList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList +``` + + + + +NRPT ([Name Resolution Policy Table](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn593632(v=ws.11))) Rules for the VPN Profile. + + + + > [!NOTE] > Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT. + -**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Device/{ProfileName}/DomainNameInformationList/{dniRowId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId} +``` + + + + A sequential integer identifier for the Domain Name information. Sequencing must start at 0. - -Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainName** -Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: - -- FQDN - Fully qualified domain name -- Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend .**.** to the DNS suffix. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainNameType** -Returns the namespace type. This value can be one of the following values: - -- FQDN - If the DomainName wasn't prepended with a**.** and applies only to the fully qualified domain name (FQDN) of a specified host. -- Suffix - If the DomainName was prepended with a**.** and applies to the specified namespace, all records in that namespace, and all subdomains. - -Value type is chr. Supported operation is Get. - -**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DnsServers** -List of comma-separated DNS Server IP addresses to use for the namespace. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers** -Optional. Web Proxy Server IP address if you're redirecting traffic through your intranet. - -> [!NOTE] -> Currently only one web proxy server is supported. - -Value type is chr. 
Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/AutoTrigger** -Added in Windows 10, version 1607. Optional. Boolean to determine whether this domain name rule will trigger the VPN. - -If set to False, this DomainName rule won't trigger the VPN. - -If set to True, this DomainName rule will trigger the VPN - -By default, this value is false. - -Value type is bool. - -**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/Persistent** -Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN isn't connected. Value values: - -- False (default) - This DomainName rule will only be applied when VPN is connected. -- True - This DomainName rule will always be present and applied. - -Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/TrafficFilterList** -An optional node that specifies a list of rules. Only traffic that matches these rules can be sent via the VPN Interface. - -> [!NOTE] -> Once a TrafficFilterList is added, all traffic are blocked other than the ones matching the rules. - -When multiple rules are being added, each rule operates based on an OR with the other rules. Within each rule, each property operates based on an AND with each other. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId -A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App** -Per app VPN rule. This property will allow only the apps specified to be allowed over the VPN interface. Value type is chr. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App/Id** -App identity for the app-based traffic filter. - -The value for this node can be one of the following values: - -- PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. 
The PackageFamilyName is the unique name of a Microsoft Store application. -- FilePath - This App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`. -- SYSTEM – This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB). - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App/Type** -Returns the type of ID of the **App/Id**. - -Value type is chr. Supported operation is Get. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Claims** -Reserved for future use. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Protocol** -Numeric value from 0-255 representing the IP protocol to allow. For example, TCP = 6 and UDP = 17. - -Value type is int. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalPortRanges** -A list of comma-separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`. - -> [!NOTE] -> Ports are only valid when the protocol is set to TCP=6 or UDP=17. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemotePortRanges** -A list of comma-separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`. - -> [!NOTE] -> Ports are only valid when the protocol is set to TCP=6 or UDP=17. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalAddressRanges** -A list of comma-separated values specifying local IP address ranges to allow. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. 
-
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemoteAddressRanges**
-A list of comma-separated values specifying remote IP address ranges to allow.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RoutingPolicyType**
-Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. The value can be one of the following values:
-
-- SplitTunnel - For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.
-- ForceTunnel - For this traffic rule all IP traffic must go through the VPN Interface only.
-
-This property is only applicable for App ID-based Traffic Filter rules.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Direction**
-Added in Windows 10, version 2004. Specifies the traffic direction to apply this policy to. Default is Outbound. The value can be one of the following values:
-
-- Outbound - The rule applies to all outbound traffic
-- Inbound - The rule applies to all inbound traffic
-
-If no inbound filter is provided, then by default all unsolicited inbound traffic will be blocked.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/EdpModeId**
-Enterprise ID, which is required for connecting this VPN profile with a Windows Information Protection policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
-
-Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the Windows Information Protection policies and App lists automatically takes effect.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/RememberCredentials**
-Boolean value (true or false) for caching credentials. Default is false, which means don't cache credentials. If set to true, credentials are cached whenever possible.
-
-Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/AlwaysOn**
-An optional flag to enable Always On mode. This flag will automatically connect the VPN at sign in and will stay connected until the user manually disconnects.
-
-> [!NOTE]
-> Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active.
-
-Preserving user Always On preference
-
-Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
-Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows won't check the box if the profile name exists in the below registry value in order to preserve user preference.
-Key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config`
-Value: AutoTriggerDisabledProfilesList
-Type: REG_MULTI_SZ
-
-
-Valid values:
-
-- False (default) - Always On is turned off.
-- True - Always On is turned on.
-
-Value type is bool. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/DeviceTunnel** (./Device only profile)
-Device tunnel profile.
-
-Valid values:
-
-- False (default) - this profile isn't a device tunnel profile.
-- True - this profile is a device tunnel profile.
-
-When the DeviceTunnel profile is turned on, it does the following things:
-
-- First, it automatically becomes an "always on" profile.
-- Second, it doesn't require the presence or logging in of any user to the machine in order for it to connect.
-- Third, no other device tunnel profile maybe is present on the same machine.-
-
-A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.
-
-Value type is bool. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/RegisterDNS**
-Allows registration of the connection's address in DNS.
-
-Valid values:
-
-- False = Don't register the connection's address in DNS (default).
-- True = Register the connection's addresses in DNS.
-
-**VPNv2/**ProfileName**/DnsSuffix**
-Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Windows has a limit of 50 DNS suffixes that can be set. Windows name resolution will apply each suffix in order. Long DNS suffix lists may impact performance.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/ByPassForLocal**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/TrustedNetworkDetection**
-Optional. Comma-separated string to identify the trusted network. VPN won't connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/ProfileXML**
-Added in Windows 10, version 1607. The XML schema for provisioning all the fields of a VPN. For the XSD, see [ProfileXML XSD](vpnv2-profile-xsd.md).
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/Proxy**
-A collection of configuration objects to enable a post-connect proxy support for VPN Force Tunnel connections. The proxy defined for this profile is applied when this profile is active and connected.
-
-> [!NOTE]
-> VPN proxy settings are used only on Force Tunnel connections. On Split Tunnel connections, the general proxy settings are used.
-
-**VPNv2/**ProfileName**/Proxy/Manual**
-Optional node containing the manual server settings.
-
-**VPNv2/**ProfileName**/Proxy/Manual/Server**
-Optional. Proxy server address as a fully qualified hostname or an IP address. You should set this element together with Port. Example, proxy.contoso.com.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/Proxy/AutoConfigUrl**
-Optional. URL to automatically retrieve the proxy settings.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/APNBinding**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/APNBinding/ProviderId**
-Reserved for future use. Optional node.
-
-**VPNv2/**ProfileName**/APNBinding/AccessPointName**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/APNBinding/UserName**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/APNBinding/Password**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/APNBinding/IsCompressionEnabled**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/APNBinding/AuthenticationType**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/DeviceCompliance**
-Added in Windows 10, version 1607. Nodes under DeviceCompliance can be used to enable Azure Active Directory-based Conditional Access for VPN.
-
-**VPNv2/**ProfileName**/DeviceCompliance/Enabled**
-Added in Windows 10, version 1607. Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Azure Active Directory to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory (AAD).
-
-Value type is bool. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/DeviceCompliance/Sso**
-Added in Windows 10, version 1607. Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication if there's Device Compliance.
-
-**VPNv2/**ProfileName**/DeviceCompliance/Sso/Enabled**
-Added in Windows 10, version 1607. If this field is set to True, the VPN Client will look for a separate certificate for Kerberos Authentication.
-
-Value type is bool. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/DeviceCompliance/Sso/IssuerHash**
-Added in Windows 10, version 1607. Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/DeviceCompliance/Sso/Eku**
-Added in Windows 10, version 1607. Comma-Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/PluginProfile**
-Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
-
-**VPNv2/**ProfileName**/PluginProfile/ServerUrlList**
-Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/PluginProfile/CustomConfiguration**
-Optional. This property is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations and defaults.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/PluginProfile/PluginPackageFamilyName**
-Required for plug-in profiles. Package family name for the SSL-VPN plug-in.
-
-Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/PluginProfile/CustomStoreUrl**
-Reserved for future use.
-
-**VPNv2/**ProfileName**/NativeProfile**
-Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, and L2TP).
-
-**VPNv2/**ProfileName**/NativeProfile/Servers**
-Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com.
-
-The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name.
-
-You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
-
-Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/NativeProfile/RoutingPolicyType**
-Optional for native profiles. Type of routing policy.
This value can be one of the following values: - -- SplitTunnel - Traffic can go over any interface as determined by the networking stack. -- ForceTunnel - All IP traffic must go over the VPN interface. - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -**VPNv2/**ProfileName**/NativeProfile/NativeProtocolType** -Required for native profiles. Type of tunneling protocol used. This value can be one of the following values: - -- PPTP -- L2TP -- IKEv2 -- Automatic - -Value type is chr. Supported operations include Get, Add, Replace, and Delete. - -> [!NOTE] -> The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: SSTP, IKEv2, PPTP and then L2TP. This order isn't customizable. - -**VPNv2/**ProfileName**/NativeProfile/Authentication** + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A sequential integer identifier for the Domain Name information. Sequencing must start at 0. | + + + + + + + + + +##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger +``` + + + + +Boolean to determine whether this domain name rule will trigger the VPN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | This DomainName rule will not trigger the VPN. | +| true | This DomainName rule will trigger the VPN. | + + + + + + + + + +##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers +``` + + + + +Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName +``` + + + + +Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType +``` + + + + +Returns the namespace type. This value can be one of the following: FQDN - If the DomainName was not prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent +``` + + + + +A boolean value that specifies if the rule being added should persist even when the VPN is not connected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | This DomainName rule will only be applied when VPN is connected. | +| true | This DomainName rule will always be present and applied. | + + + + + + + + + +##### Device/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers +``` + + + + +Web Proxy Server IP address if you are redirecting traffic through your intranet. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/{ProfileName}/EdpModeId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/EdpModeId +``` + + + + +Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Device/{ProfileName}/IPv4InterfaceMetric + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/IPv4InterfaceMetric +``` + + + + +The metric for the IPv4 interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-9999]` | + + + + + + + + + +### Device/{ProfileName}/IPv6InterfaceMetric + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/IPv6InterfaceMetric +``` + + + + +The metric for the IPv6 interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-9999]` | + + + + + + + + + +### Device/{ProfileName}/NativeProfile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile +``` + + + + +Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + + + + + + + + + +#### Device/{ProfileName}/NativeProfile/Authentication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication +``` + + + + Required node for native profile. It contains authentication information for the native VPN profile. + -**VPNv2/**ProfileName**/NativeProfile/Authentication/UserMethod** -This value can be one of the following: + + + -- EAP -- MSChapv2 (This method isn't supported for IKEv2) + +**Description framework properties**: -Value type is chr. Supported operations include Get, Add, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**VPNv2/**ProfileName**/NativeProfile/Authentication/MachineMethod** -This is only supported in IKEv2. + + + -This value can be one of the following values: + -- Certificate + +##### Device/{ProfileName}/NativeProfile/Authentication/Certificate -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap** + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### Device/{ProfileName}/NativeProfile/Authentication/Certificate/Eku + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Eku +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Device/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/Authentication/Eap + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap +``` + + + + Required when the native profile specifies EAP authentication. EAP configuration XML. + -Supported operations include Get, Add, Replace, and Delete. + + + -**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap/Configuration** -HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see [EAP configuration](eap-configuration.md). + +**Description framework properties**: -Value type is chr. Supported operations include Get, Add, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap/Type** + + + + + + + +###### Device/{ProfileName}/NativeProfile/Authentication/Eap/Configuration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Configuration +``` + + + + +HTML encoded XML of the EAP configuration. For more information,see [EAP configuration](eap-configuration.md). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Device/{ProfileName}/NativeProfile/Authentication/Eap/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Type +``` + + + + +Required node for EAP profiles. This specifies the EAP Type ID +13 = EAP-TLS +26 = Ms-Chapv2 +27 = Peap. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/Authentication/MachineMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/MachineMethod +``` + + + + +This is only supported in IKEv2. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| Certificate | Certificate. | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/Authentication/UserMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/UserMethod +``` + + + + +Type of user authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| EAP | EAP. | +| MSChapv2 | MSChapv2: This is not supported for IKEv2. | + + + + + + + + + +#### Device/{ProfileName}/NativeProfile/CryptographySuite + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite +``` + + + + +Properties of IPSec tunnels. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants +``` + + + + +Type of authentication transform constant. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| MD596 | MD596. | +| SHA196 | SHA196. | +| SHA256128 | SHA256128. | +| GCMAES128 | GCMAES128. | +| GCMAES192 | GCMAES192. | +| GCMAES256 | GCMAES256. | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants +``` + + + + +Type of Cipher transform constant. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| DES | DES. | +| DES3 | DES3. | +| AES128 | AES128. | +| AES192 | AES192. | +| AES256 | AES256. | +| GCMAES128 | GCMAES128. | +| GCMAES192 | GCMAES192. | +| GCMAES256 | GCMAES256. | + + + + + + + + + +##### Device/{ProfileName}/NativeProfile/CryptographySuite/DHGroup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/DHGroup
+```
+
+
+
+
+Group used for DH (Diffie-Hellman).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| None | None. |
+| Group1 | Group1. |
+| Group2 | Group2. |
+| Group14 | Group14. |
+| ECP256 | ECP256. |
+| ECP384 | ECP384. |
+| Group24 | Group24. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod
+```
+
+
+
+
+Type of encryption method.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| DES | DES. |
+| DES3 | DES3. |
+| AES128 | AES128. |
+| AES192 | AES192. |
+| AES256 | AES256. |
+| AES_GCM_128 | AES_GCM_128. |
+| AES_GCM_256 | AES_GCM_256. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod
+```
+
+
+
+
+Type of integrity check.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| MD5 | MD5. |
+| SHA196 | SHA196. |
+| SHA256 | SHA256. |
+| SHA384 | SHA384. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup
+```
+
+
+
+
+Group used for PFS (Perfect Forward Secrecy).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| None | None. |
+| PFS1 | PFS1. |
+| PFS2 | PFS2. |
+| PFS2048 | PFS2048. |
+| ECP256 | ECP256. |
+| ECP384 | ECP384. |
+| PFSMM | PFSMM. |
+| PFS24 | PFS24. |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute
+```
+
+
+
+
+Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Enabled. |
+| true | Disabled. |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/L2tpPsk
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/L2tpPsk
+```
+
+
+
+
+The preshared key used for an L2TP connection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/NativeProtocolType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/NativeProtocolType
+```
+
+
+
+
+Required for native profiles. Type of tunneling protocol used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| PPTP | PPTP. |
+| L2TP | L2TP. |
+| IKEv2 | IKEv2. |
+| Automatic | Automatic. |
+| SSTP | SSTP. |
+| ProtocolList | ProtocolList. |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes
+```
+
+
+
+
+True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb traffic selectors as routes.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/ProtocolList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList
+```
+
+
+
+
+List of inbox VPN protocols in priority order.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+###### Device/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type
+```
+
+
+
+
+Inbox VPN protocols type.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| Pptp | Pptp. |
+| L2tp | L2tp. |
+| Ikev2 | Ikev2. |
+| Sstp | Sstp. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours
+```
+
+
+
+
+Default 168, max 500000.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/RoutingPolicyType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/RoutingPolicyType
+```
+
+
+
+
+Type of routing policy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| SplitTunnel | Traffic can go over any interface as determined by the networking stack. |
+| ForceTunnel | All IP traffic must go over the VPN interface. |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/NativeProfile/Servers
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Servers
+```
+
+
+
+
+Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/NetworkOutageTime
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/NetworkOutageTime
+```
+
+
+
+
+The amount of time in seconds the network is allowed to idle. 0 means no limit.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/PluginProfile
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile
+```
+
+
+
+
+Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Get |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/PluginProfile/CustomConfiguration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/CustomConfiguration
+```
+
+
+
+
+Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/PluginProfile/PluginPackageFamilyName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/PluginPackageFamilyName
+```
+
+
+
+
+Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/PluginProfile/ServerUrlList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/ServerUrlList
+```
+
+
+
+
+Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/PrivateNetwork
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/PrivateNetwork
+```
+
+
+
+
+Determines whether the VPN connection is public or private.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | true |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | VPN connection is public. |
+| true (Default) | VPN connection is private. |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/ProfileXML
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/ProfileXML
+```
+
+
+
+
+The XML schema for provisioning all the fields of a VPN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | See [ProfileXML XSD Schema](#profilexml-xsd-schema) |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/Proxy
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy
+```
+
+
+
+
+A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/Proxy/AutoConfigUrl
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/AutoConfigUrl
+```
+
+
+
+
+Optional. Set a URL to automatically retrieve the proxy settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/Proxy/Manual
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual
+```
+
+
+
+
+Optional node containing the manual server settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/Proxy/Manual/Server
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual/Server
+```
+
+
+
+
+Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/RegisterDNS
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RegisterDNS
+```
+
+
+
+
+Allows registration of the connection's address in DNS.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Do not register the connection's address in DNS. |
+| true | Register the connection's addresses in DNS. |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/RememberCredentials
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RememberCredentials
+```
+
+
+
+
+Boolean value (true or false) for caching credentials.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Do not cache credentials. |
+| true | Credentials are cached whenever possible. |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/RouteList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList
+```
+
+
+
+
+List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/RouteList/{routeRowId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}
+```
+
+
+
+
+A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/RouteList/{routeRowId}/Address
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Address
+```
+
+
+
+
+Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute
+```
+
+
+
+
+A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | This route will direct traffic over the VPN. |
+| true | This route will direct traffic over the physical interface. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/RouteList/{routeRowId}/Metric
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Metric
+```
+
+
+
+
+The route's metric.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/RouteList/{routeRowId}/PrefixSize
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/PrefixSize
+```
+
+
+
+
+The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+
+
+
+
+
+
+
+
+
+### Device/{ProfileName}/TrafficFilterList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList
+```
+
+
+
+
+A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
+
+
+
+
+> [!NOTE]
+> Once a TrafficFilterList is added, all traffic is blocked other than the ones matching the rules.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}
+```
+
+
+
+
+A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. |
+
+
+
+
+
+
+
+
+
+##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/App
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App
+```
+
+
+
+
+Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+###### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id
+```
+
+
+
+
+App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+###### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type +``` + + + + +Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims +``` + + + + +Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction +``` + + + + +Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default. +Inbound - The traffic filter allows traffic coming from external locations matching this rule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges +``` + + + + +A list of comma separated values specifying local IP address ranges to allow. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges +``` + + + + +Comma Separated list of ranges for eg. 100-120,200,300-320. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `^[\d]*$` | +| Dependency [ProtocolDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol`
    Dependency Allowed Value: `[6,17]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol +``` + + + + +0-255 number representing the ip protocol (TCP = 6, UDP = 17). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-255]` | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges +``` + + + + +A list of comma separated values specifying remote IP address ranges to allow. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges +``` + + + + +A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `^[\d]*$` | +| Dependency [ProtocolDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol`
    Dependency Allowed Value: `[6,17]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +##### Device/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType +``` + + + + +Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| SplitTunnel | For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. | +| ForceTunnel | For this traffic rule all IP traffic must go through the VPN Interface only. | + + + + + + + + + +### Device/{ProfileName}/TrustedNetworkDetection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/TrustedNetworkDetection +``` + + + + +Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | `,` | + + + + + + + + + +### Device/{ProfileName}/UseRasCredentials + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/VPNv2/{ProfileName}/UseRasCredentials +``` + + + + +Determines whether the credential manager will save ras credentials after a connection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Ras Credentials are not saved. | +| true (Default) | Ras Credentials are saved. | + + + + + + + + + +## User/{ProfileName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName} +``` + + + + +Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | +| Allowed Values | Regular Expression: `^[^/]*$` | + + + + + + + + + +### User/{ProfileName}/AlwaysOn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOn +``` + + + + +An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Always On is turned off. | +| true | Always On is turned on. | + + + + + + + + + +### User/{ProfileName}/AlwaysOnActive + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/AlwaysOnActive +``` + + + + +An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Always On is inactive. | +| 1 (Default) | Always On is activated on provisioning. | + + + + + + + + + +### User/{ProfileName}/APNBinding + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding +``` + + + + Reserved for future use. + -**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate** + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### User/{ProfileName}/APNBinding/AccessPointName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AccessPointName +``` + + + + Reserved for future use. + -**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate/Issuer** + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/{ProfileName}/APNBinding/AuthenticationType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/AuthenticationType +``` + + + + Reserved for future use. + -**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate/Eku** + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/{ProfileName}/APNBinding/IsCompressionEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/IsCompressionEnabled +``` + + + + Reserved for future use. + -**VPNv2/**ProfileName**/NativeProfile/CryptographySuite** -Added in Windows 10, version 1607. Properties of IPSec tunnels. + + + -[!NOTE] If you specify any of the properties under CryptographySuite, you must specify all of them. It's not valid to specify just some of the properties. + +**Description framework properties**: -**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/AuthenticationTransformConstants** -Added in Windows 10, version 1607. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + -The following list contains the valid values: + + + -- MD596 -- SHA196 -- SHA256128 -- GCMAES128 -- GCMAES192 -- GCMAES256 + -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + +#### User/{ProfileName}/APNBinding/Password -**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/CipherTransformConstants** -Added in Windows 10, version 1607. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -The following list contains the valid values: + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/Password +``` + -- DES -- DES3 -- AES128 -- AES192 -- AES256 -- GCMAES128 -- GCMAES192 -- GCMAES256 + + +Reserved for future use. + -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + + + -**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/EncryptionMethod** -Added in Windows 10, version 1607. + +**Description framework properties**: -The following list contains the valid values: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- DES -- DES3 -- AES128 -- AES192 -- AES256 -- AES\_GCM_128 -- AES\_GCM_256 + + + -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + -**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/IntegrityCheckMethod** -Added in Windows 10, version 1607. + +#### User/{ProfileName}/APNBinding/ProviderId -The following list contains the valid values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -- MD5 -- SHA196 -- SHA256 -- SHA384 + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/ProviderId +``` + -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + + +Reserved for future use. + -**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/DHGroup** -Added in Windows 10, version 1607. + + + -The following list contains the valid values: + +**Description framework properties**: -- Group1 -- Group2 -- Group14 -- ECP256 -- ECP384 -- Group24 +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + + + -**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/PfsGroup** -Added in Windows 10, version 1607. + -The following list contains the valid values: + +#### User/{ProfileName}/APNBinding/UserName -- PFS1 -- PFS2 -- PFS2048 -- ECP256 -- ECP384 -- PFSMM -- PFS24 + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/APNBinding/UserName +``` + -**VPNv2/**ProfileName**/NativeProfile/L2tpPsk** -Added in Windows 10, version 1607. The preshared key used for an L2TP connection. + + +Reserved for future use. + -Value type is chr. Supported operations include Get, Add, Replace, and Delete. + + + -**VPNv2/**ProfileName**/NativeProfile/DisableClassBasedDefaultRoute** -Added in Windows 10, version 1607. Specifies the class-based default routes. For example, if the interface IP begins with 10, it assumes a class an IP and pushes the route to 10.0.0.0/8 + +**Description framework properties**: -Value type is bool. Supported operations include Get, Add, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -**VPNv2/**ProfileName**/NativeProfile/PlumbIKEv2TSAsRoutes** -Determines whether plumbing IPSec traffic selectors as routes onto VPN interface is enabled. + + + -If set to False, plumbing traffic selectors as routes is disabled. + -If set to True, plumbing traffic selectors as routes is enabled. + +### User/{ProfileName}/AppTriggerList -By default, this value is set to False. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Value type is bool. Supported operations include Get, Add, Replace, and Delete. + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList +``` + + + + +List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### User/{ProfileName}/AppTriggerList/{appTriggerRowId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId} +``` + + + + +A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. | + + + + + + + + + +##### User/{ProfileName}/AppTriggerList/{appTriggerRowId}/App + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App +``` + + + + +App Node under the Row Id. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### User/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Id +``` + + + + +App Identity. Specified, based on the Type Field. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/AppTriggerList/{appTriggerRowId}/App/Type +``` + + + + +Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### User/{ProfileName}/ByPassForLocal + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/ByPassForLocal +``` + + + + +False : Do not Bypass for Local traffic +True : ByPass VPN Interface for Local Traffic + +Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/{ProfileName}/DataEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DataEncryption +``` + + + + +Determines the level of data encryption required for the connection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | Require | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| None | No Data Encryption required. | +| Require (Default) | Data Encryption required. | +| Max | Maximum-strength Data Encryption required. | +| Optional | Perform encryption if possible. | + + + + + + + + + +### User/{ProfileName}/DeviceCompliance + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance +``` + + + + +Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + + + + + + + + + +#### User/{ProfileName}/DeviceCompliance/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Enabled +``` + + + + +Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true | Enabled. | + + + + + + + + + +#### User/{ProfileName}/DeviceCompliance/Sso + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso +``` + + + + +Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + + + + + + + + + +##### User/{ProfileName}/DeviceCompliance/Sso/Eku + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Eku +``` + + + + +Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/DeviceCompliance/Sso/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/Enabled +``` + + + + +If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true | Enabled. | + + + + + + + + + +##### User/{ProfileName}/DeviceCompliance/Sso/IssuerHash + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DeviceCompliance/Sso/IssuerHash +``` + + + + +Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/{ProfileName}/DisableAdvancedOptionsEditButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DisableAdvancedOptionsEditButton +``` + + + + +Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Advanced Options Edit Button is available. | +| true | Advanced Options Edit Button is unavailable. | + + + + + + + + + +### User/{ProfileName}/DisableDisconnectButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DisableDisconnectButton +``` + + + + +Optional. When this setting is True, the Disconnect button will not be visible for connected profiles. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disconnect Button is visible. | +| true | Disconnect Button is not visible. | + + + + + + + + + +### User/{ProfileName}/DisableIKEv2Fragmentation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DisableIKEv2Fragmentation +``` + + + + +Set to disable IKEv2 Fragmentation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true | IKEv2 Fragmentation will not be used. | +| false (Default) | IKEv2 Fragmentation is used as normal. | + + + + + + + + + +### User/{ProfileName}/DnsSuffix + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DnsSuffix +``` + + + + +Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/{ProfileName}/DomainNameInformationList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList +``` + + + + +NRPT ([Name Resolution Policy Table](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn593632(v=ws.11))) Rules for the VPN Profile. + + + + +> [!NOTE] +> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### User/{ProfileName}/DomainNameInformationList/{dniRowId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId} +``` + + + + +A sequential integer identifier for the Domain Name information. Sequencing must start at 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A sequential integer identifier for the Domain Name information. Sequencing must start at 0. | + + + + + + + + + +##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/AutoTrigger +``` + + + + +Boolean to determine whether this domain name rule will trigger the VPN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | This DomainName rule will not trigger the VPN. | +| true | This DomainName rule will trigger the VPN. | + + + + + + + + + +##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DnsServers +``` + + + + +Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainName +``` + + + + +Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/DomainNameType +``` + + + + +Returns the namespace type. This value can be one of the following: FQDN - If the DomainName was not prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/Persistent +``` + + + + +A boolean value that specifies if the rule being added should persist even when the VPN is not connected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | This DomainName rule will only be applied when VPN is connected. | +| true | This DomainName rule will always be present and applied. | + + + + + + + + + +##### User/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/DomainNameInformationList/{dniRowId}/WebProxyServers +``` + + + + +Web Proxy Server IP address if you are redirecting traffic through your intranet. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/{ProfileName}/EdpModeId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/EdpModeId +``` + + + + +Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/{ProfileName}/IPv4InterfaceMetric + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/IPv4InterfaceMetric +``` + + + + +The metric for the IPv4 interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-9999]` | + + + + + + + + + +### User/{ProfileName}/IPv6InterfaceMetric + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/IPv6InterfaceMetric +``` + + + + +The metric for the IPv6 interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-9999]` | + + + + + + + + + +### User/{ProfileName}/NativeProfile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile +``` + + + + +InboxNodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/Authentication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication +``` + + + + +Required node for native profile. It contains authentication information for the native VPN profile. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/Authentication/Certificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### User/{ProfileName}/NativeProfile/Authentication/Certificate/Eku + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Eku +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Certificate/Issuer +``` + + + + +Reserved for future use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/Authentication/Eap + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap +``` + + + + +Required when the native profile specifies EAP authentication. EAP configuration XML. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### User/{ProfileName}/NativeProfile/Authentication/Eap/Configuration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Configuration +``` + + + + +HTML encoded XML of the EAP configuration. For more information,see [EAP configuration](eap-configuration.md). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/{ProfileName}/NativeProfile/Authentication/Eap/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/Eap/Type +``` + + + + +Required node for EAP profiles. This specifies the EAP Type ID +13 = EAP-TLS +26 = Ms-Chapv2 +27 = Peap. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/Authentication/MachineMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/MachineMethod +``` + + + + +This is only supported in IKEv2. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| Certificate | Certificate. | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/Authentication/UserMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Authentication/UserMethod +``` + + + + +This value can be one of the following: EAP or MSChapv2 (This is not supported for IKEv2). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| EAP | EAP. | +| MSChapv2 | MSChapv2: This is not supported for IKEv2. | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/CryptographySuite + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite +``` + + + + +Properties of IPSec tunnels. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/AuthenticationTransformConstants +``` + + + + +Type of authentication transform constant. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| MD596 | MD596. | +| SHA196 | SHA196. | +| SHA256128 | SHA256128. | +| GCMAES128 | GCMAES128. | +| GCMAES192 | GCMAES192. | +| GCMAES256 | GCMAES256. | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/CipherTransformConstants +``` + + + + +Type of Cipher transform constant. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| DES | DES. | +| DES3 | DES3. | +| AES128 | AES128. | +| AES192 | AES192. | +| AES256 | AES256. | +| GCMAES128 | GCMAES128. | +| GCMAES192 | GCMAES192. | +| GCMAES256 | GCMAES256. | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/CryptographySuite/DHGroup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/DHGroup +``` + + + + +Group used for DH (Diffie-Hellman). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| None | None. | +| Group1 | Group1. | +| Group2 | Group2. | +| Group14 | Group14. | +| ECP256 | ECP256. | +| ECP384 | ECP384. | +| Group24 | Group24. | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/EncryptionMethod +``` + + + + +Type of encryption method. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| DES | DES. | +| DES3 | DES3. | +| AES128 | AES128. | +| AES192 | AES192. | +| AES256 | AES256. | +| AES_GCM_128 | AES_GCM_128. | +| AES_GCM_256 | AES_GCM_256. | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/IntegrityCheckMethod +``` + + + + +Type of integrity check. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| MD5 | MD5. | +| SHA196 | SHA196. | +| SHA256 | SHA256. | +| SHA384 | SHA384. | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/CryptographySuite/PfsGroup +``` + + + + +Group used for PFS (Perfect Forward Secrecy). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| None | None. | +| PFS1 | PFS1. | +| PFS2 | PFS2. | +| PFS2048 | PFS2048. | +| ECP256 | ECP256. | +| ECP384 | ECP384. | +| PFSMM | PFSMM. | +| PFS24 | PFS24. | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/DisableClassBasedDefaultRoute +``` + + + + +Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Enabled. | +| true | Disabled. | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/L2tpPsk + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/L2tpPsk +``` + + + + +The preshared key used for an L2TP connection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/NativeProtocolType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/NativeProtocolType +``` + + + + +Required for native profiles. Type of tunneling protocol used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| PPTP | PPTP. | +| L2TP | L2TP. | +| IKEv2 | IKEv2. | +| Automatic | Automatic. | +| SSTP | SSTP. | +| ProtocolList | ProtocolList. | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/PlumbIKEv2TSAsRoutes +``` + + + + +True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb traffic selectors as routes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/ProtocolList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList +``` + + + + +List of inbox VPN protocols in priority order. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### User/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId} +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +###### User/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/NativeProtocolList/{NativeProtocolRowId}/Type +``` + + + + +Inbox VPN protocols type. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| Pptp | Pptp. | +| L2tp | L2tp. | +| Ikev2 | Ikev2. | +| Sstp | Sstp. | + + + + + + + + + +##### User/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/ProtocolList/RetryTimeInHours +``` + + + + +Default 168, max 500000. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/RoutingPolicyType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/RoutingPolicyType +``` + + + + +Type of routing policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| SplitTunnel | Traffic can go over any interface as determined by the networking stack. | +| ForceTunnel | All IP traffic must go over the VPN interface. | + + + + + + + + + +#### User/{ProfileName}/NativeProfile/Servers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NativeProfile/Servers +``` + + + + +Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/{ProfileName}/NetworkOutageTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/NetworkOutageTime +``` + + + + +The amount of time in seconds the network is allowed to idle. 0 means no limit. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | + + + + + + + + + +### User/{ProfileName}/PluginProfile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile +``` + + + + +Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Get | + + + + + + + + + +#### User/{ProfileName}/PluginProfile/CustomConfiguration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/CustomConfiguration +``` + + + + +Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/{ProfileName}/PluginProfile/PluginPackageFamilyName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/PluginPackageFamilyName +``` + + + + +Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/{ProfileName}/PluginProfile/ServerUrlList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/PluginProfile/ServerUrlList +``` + + + + +Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/{ProfileName}/PrivateNetwork + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/PrivateNetwork +``` + + + + +Determines whether the VPN connection is public or private. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | VPN connection is public. | +| true (Default) | VPN connection is private. | + + + + + + + + + +### User/{ProfileName}/ProfileXML + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/ProfileXML +``` + + + + +The XML schema for provisioning all the fields of a VPN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | See [ProfileXML XSD Schema](#profilexml-xsd-schema) | + + + + + + + + + +### User/{ProfileName}/Proxy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy +``` + + + + +A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### User/{ProfileName}/Proxy/AutoConfigUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/AutoConfigUrl +``` + + + + +Optional. Set a URL to automatically retrieve the proxy settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/{ProfileName}/Proxy/Manual + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual +``` + + + + +Optional node containing the manual server settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### User/{ProfileName}/Proxy/Manual/Server + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/Proxy/Manual/Server +``` + + + + +Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/{ProfileName}/RegisterDNS + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/RegisterDNS +``` + + + + +Allows registration of the connection's address in DNS. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Do not register the connection's address in DNS. | +| true | Register the connection's addresses in DNS. | + + + + + + + + + +### User/{ProfileName}/RememberCredentials + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/RememberCredentials +``` + + + + +Boolean value (true or false) for caching credentials. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Do not cache credentials. | +| true | Credentials are cached whenever possible. | + + + + + + + + + +### User/{ProfileName}/RequireVpnClientAppUI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.19628] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/RequireVpnClientAppUI +``` + + + + +Applicable only to AppContainer profiles. + +False : Do not show profile in Settings UI. +True : Show profile in Settings UI. + +Optional. This node is only relevant for AppContainer profiles (i.e. using the VpnManagementAgent::AddProfileFromXmlAsync method). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### User/{ProfileName}/RouteList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList +``` + + + + +List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### User/{ProfileName}/RouteList/{routeRowId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId} +``` + + + + +A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. | + + + + + + + + + +##### User/{ProfileName}/RouteList/{routeRowId}/Address + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Address +``` + + + + +Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/ExclusionRoute +``` + + + + +A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | This route will direct traffic over the VPN. | +| true | This route will direct traffic over the physical interface. | + + + + + + + + + +##### User/{ProfileName}/RouteList/{routeRowId}/Metric + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/Metric +``` + + + + +The route's metric. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/RouteList/{routeRowId}/PrefixSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/RouteList/{routeRowId}/PrefixSize +``` + + + + +The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | + + + + + + + + + +### User/{ProfileName}/TrafficFilterList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList +``` + + + + +A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed. + + + + +> [!NOTE] +> Once a TrafficFilterList is added, all traffic is blocked other than the ones matching the rules. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### User/{ProfileName}/TrafficFilterList/{trafficFilterId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId} +``` + + + + +A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. | + + + + + + + + + +##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/App + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App +``` + + + + +Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +###### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Id +``` + + + + +App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/App/Type +``` + + + + +Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Claims +``` + + + + +Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Direction +``` + + + + +Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default. +Inbound - The traffic filter allows traffic coming from external locations matching this rule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalAddressRanges +``` + + + + +A list of comma separated values specifying local IP address ranges to allow. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/LocalPortRanges +``` + + + + +Comma Separated list of ranges for eg. 100-120,200,300-320. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `^[\d]*$` | +| Dependency [ProtocolDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol`
    Dependency Allowed Value: `[6,17]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/Protocol +``` + + + + +0-255 number representing the ip protocol (TCP = 6, UDP = 17). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-255]` | + + + + + + + + + +##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemoteAddressRanges +``` + + + + +A list of comma separated values specifying remote IP address ranges to allow. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RemotePortRanges +``` + + + + +A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `^[\d]*$` | +| Dependency [ProtocolDependency] | Dependency Type: `DependsOn`
    Dependency URI: `Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol`
    Dependency Allowed Value: `[6,17]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +##### User/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/TrafficFilterList/{trafficFilterId}/RoutingPolicyType +``` + + + + +Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| SplitTunnel | For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. | +| ForceTunnel | For this traffic rule all IP traffic must go through the VPN Interface only. | + + + + + + + + + +### User/{ProfileName}/TrustedNetworkDetection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/TrustedNetworkDetection +``` + + + + +Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | `,` | + + + + + + + + + +### User/{ProfileName}/UseRasCredentials + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/VPNv2/{ProfileName}/UseRasCredentials +``` + + + + +Determines whether the credential manager will save ras credentials after a connection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Ras Credentials are not saved. | +| true (Default) | Ras Credentials are saved. | + + + + + + + + + + +## ProfileXML XSD Schema + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` ## Examples - Profile example ```xml @@ -1190,7 +9271,7 @@ Persistent TrafficFilterLIst App ```xml - Desktop App + 10013 @@ -1200,7 +9281,7 @@ TrafficFilterLIst App %ProgramFiles%\Internet Explorer\iexplore.exe - Store App + 10014 @@ -1210,7 +9291,7 @@ TrafficFilterLIst App Microsoft.MicrosoftEdge_8wekyb3d8bbwe - SYSTEM + 10015 @@ -1225,7 +9306,7 @@ TrafficFilterLIst App Protocol, LocalPortRanges, RemotePortRanges, LocalAddressRanges, RemoteAddressRanges, RoutingPolicyType, EDPModeId, RememberCredentials, AlwaysOn, Lockdown, DnsSuffix, TrustedNetworkDetection ```xml -Protocol + $CmdID$ @@ -1238,7 +9319,7 @@ Protocol 6 - LocalPortRanges + $CmdID$ @@ -1248,8 +9329,7 @@ Protocol 10,20-50,100-200 - - RemotePortRanges + $CmdID$ @@ -1259,8 +9339,7 @@ Protocol 20-50,100-200,300 - - LocalAddressRanges + $CmdID$ @@ -1270,8 +9349,7 @@ Protocol 3.3.3.3/32,1.1.1.1-2.2.2.2 - - RemoteAddressRanges + $CmdID$ 
@@ -1281,9 +9359,8 @@ Protocol 30.30.0.0/16,10.10.10.10-20.20.20.20 - - RoutingPolicyType - + + $CmdID$ @@ -1292,20 +9369,18 @@ Protocol ForceTunnel - - EDPModeId - - $CmdID$ - - - ./Vendor/MSFT/VPNv2/VPNProfileName/EDPModeID - - corp.contoso.com - - - - RememberCredentials - + + + $CmdID$ + + + ./Vendor/MSFT/VPNv2/VPNProfileName/EDPModeID + + corp.contoso.com + + + + $CmdID$ @@ -1317,8 +9392,7 @@ Protocol true - - AlwaysOn + $CmdID$ @@ -1331,9 +9405,8 @@ Protocol true - - Lockdown - + + $CmdID$ @@ -1345,8 +9418,7 @@ Protocol true - - DnsSuffix + $CmdID$ @@ -1356,8 +9428,7 @@ Protocol Adatum.com - - TrustedNetworkDetection + $CmdID$ @@ -1373,7 +9444,7 @@ Protocol Proxy - Manual or AutoConfigUrl ```xml -Manual + $CmdID$ @@ -1383,8 +9454,7 @@ Manual 192.168.0.100:8888 - - AutoConfigUrl + $CmdID$ @@ -1399,47 +9469,47 @@ Manual Device Compliance - Sso ```xml - Enabled - - 10011 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/Enabled - - - bool - - true - - + + + 10011 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/Enabled + + + bool + + true + + - IssuerHash - - 10011 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/IssuerHash - - ffffffffffffffffffffffffffffffffffffffff;ffffffffffffffffffffffffffffffffffffffee - - + + + 10011 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/IssuerHash + + ffffffffffffffffffffffffffffffffffffffff;ffffffffffffffffffffffffffffffffffffffee + + - Eku - - 10011 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/EKU - - 1.3.6.1.5.5.7.3.2 - - + + + 10011 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/EKU + + 1.3.6.1.5.5.7.3.2 + + ``` PluginProfile ```xml -PluginPackageFamilyName + 10001 @@ -1477,8 +9547,8 @@ PluginPackageFamilyName NativeProfile ```xml -Servers - + + 10001 @@ -1488,7 +9558,7 @@ Servers - RoutingPolicyType + 10007 @@ -1499,7 +9569,7 @@ Servers - NativeProtocolType + 10002 @@ -1511,8 +9581,8 @@ Servers - Authentication - UserMethod + + 10003 
@@ -1524,7 +9594,7 @@ Servers - MachineMethod + 10004 @@ -1536,7 +9606,7 @@ Servers - CryptographySuite + 10004 @@ -1592,7 +9662,7 @@ Servers - DisableClassBasedDefaultRoute + 10011 @@ -1605,12 +9675,10 @@ Servers ``` + -## See also - -[Configuration service provider reference](index.yml) - - - + +## Related articles +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index 66de42bf56..294b7c1f32 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md 
@@ -1,4465 +1,2259 @@ --- title: VPNv2 DDF file -description: This topic shows the OMA DM device description framework (DDF) for the VPNv2 configuration service provider. -ms.reviewer: pesmith +description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/27/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/30/2020 +ms.topic: reference --- + + # VPNv2 DDF file - -This topic shows the OMA DM device description framework (DDF) for the **VPNv2** configuration service provider. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 2004. +The following XML file contains the device description framework (DDF) for the VPNv2 configuration service provider. ```xml - -]> +]> - 1.2 + 1.2 + + + + VPNv2 + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - VPNv2 - ./Vendor/MSFT + + + + + + + + + + Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. + + + + + + + + + + ProfileName + + + + + + + + ^[^/]*$ + + + + + AppTriggerList - - - - - - - - - - - - - - com.microsoft/1.3/MDM/VPNv2 - + + + + List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect. 
+ + + + + + + + + + + + - + + + + + + + + + A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. + + + + + + + + + + appTriggerRowId + + + + + A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. + + + + App - - - - - - - - - - - - - - - - ProfileName - - - + + + + App Node under the Row Id. + + + + + + + + + + + + - AppTriggerList - - - - - List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - appTriggerRowId - - - - - - App - - - - - - - - - - - - - - - - - - - Id - - - - - - - - App Identity. Specified, based on the Type Field.. - - - - - - - - - - - text/plain - - - - - Type - - - - - - PackageFamilyName - FQBN - FilePath - - - - - - - - - - - - text/plain - - - - - + Id + + + + + + + + App Identity. Specified, based on the Type Field. + + + + + + + + + + + + + + + - RouteList - - - - - List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - routeRowId - - - - - - Address - - - - - - - - Subnet address - - - - - - - - - - - text/plain - - - - - PrefixSize - - - - - - - - Subnet Prefix - - - - - - - - - - - text/plain - - - - - Metric - - - - - - - - The route's metric. - - - - - - - - - - - text/plain - - - - - ExclusionRoute - - - - - - - - - False = This Route will direct traffic over the VPN - True = This Route will direct traffic over the physical interface - By default, this value is false. 
- - - - - - - - - - - - text/plain - - - - + Type + + + + + Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. + + + + + + + + + + + + + + + + + + + RouteList + + + + + List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface. + + + + + + + + + + + + + + + + + + + + + + + A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. + + + + + + + + + + routeRowId + + + + + A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. + + + + Address + + + + + + + + Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix. + + + + + + + + + + + + + + + + + + PrefixSize + + + + + + + + The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface. + + + + + + + + + + + + + + [0-4294967295] + + + + + Metric + + + + + + + + The route's metric. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + ExclusionRoute + + + + + + + + false + A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + This route will direct traffic over the VPN. 
+ + + true + This route will direct traffic over the physical interface. + + + + + + + + DomainNameInformationList + + + + + NRPT (Name Resolution Policy Table) Rules for the VPN Profile. + + + + + + + + + + + + + + + + + + + + + + + A sequential integer identifier for the Domain Name information. Sequencing must start at 0. + + + + + + + + + + dniRowId + + + + + A sequential integer identifier for the Domain Name information. Sequencing must start at 0. + + + + DomainName + + + + + + + + Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix. + + + + + + + + + + + + + + + + + + DomainNameType + + + + + Returns the namespace type. This value can be one of the following: FQDN - If the DomainName was not prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains. + + + + + + + + + + + + + + + + DnsServers + + + + + + + + Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. + + + + + + + + + + + + + + + + + + WebProxyServers + + + + + + + + Web Proxy Server IP address if you are redirecting traffic through your intranet. + + + + + + + + + + + + + + + + + + AutoTrigger + + + + + + + + false + Boolean to determine whether this domain name rule will trigger the VPN. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + This DomainName rule will not trigger the VPN. + + + true + This DomainName rule will trigger the VPN. 
+ + + + + + Persistent + + + + + + + + false + A boolean value that specifies if the rule being added should persist even when the VPN is not connected. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + This DomainName rule will only be applied when VPN is connected. + + + true + This DomainName rule will always be present and applied. + + + + + + + + TrafficFilterList + + + + + A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed. + + + + + + + + + + + + + + + + + + + + + + + A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. + + + + + + + + + + trafficFilterId + + + + + A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. + + + + App + + + + + Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface. + + + + + + + + + + + + + + + Id + + + + + + + + App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB). + + + + + + + + + + + + + + + - DomainNameInformationList - - - - - NRPT (Name Resolution Policy Table) Rules for the VPN Profile - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - dniRowId - - - - - - DomainName - - - - - - - - Value based on the DomainNameType field - - - - - - - - - - - text/plain - - - - - DomainNameType - - - - - - a. FQDN: Select this if the policy applies only to the fully qualified domain name (FQDN) of a specified host. Do not use the FQDN of a domain. - - b. 
Suffix: Select this if the policy applies to the specified namespace, all records in that namespace, and all subdomains. - - c. Prefix: Select this if the policy applies only to a hostname. This policy will be triggered only if the hostname portion of the query matches the name configured here. A flat name (dotless name) must be configured here. - - d. Any: Use this if the policy applies to all. - - - - - - - - - - - - text/plain - - - - - DnsServers - - - - - - - - Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. - - - - - - - - - - - text/plain - - - - - WebProxyServers - - - - - - - - [Optional] If you are redirecting traffic through your intranet Web proxy servers, add the webproxyserver (Singular) - - - - - - - - - - - text/plain - - - - - AutoTrigger - - - - - - - - - False = This DomainName Rule will not trigger the VPN - True = This DomainName Rule will trigger the VPN - By default, this value is false. - - - - - - - - - - - - text/plain - - - - - Persistent - - - - - - - - - False = This DomainName Rule will only be plumbed when the VPN is connected - True = This DomainName Rule will always be plumbed. - By default, this value is false. - - - - - - - - - - - - text/plain - - - - + Type + + + + + Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System. + + + + + + + + + + + + + - - TrafficFilterList - - - - - - A list of rules allowing traffic over the VPN Interface. - - Each Rule ID is ORed. - Within each rule ID each Filter type is AND'ed - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - trafficFilterId - - - - - - App - - - - - Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface - - - - - - - - - - - - - - - Id - - - - - - - - App Identity. Specified, based on the Type Field.. 
- - - - - - - - - - - text/plain - - - - - Type - - - - - - PackageFamilyName - FQBN - FilePath - - - - - - - - - - - - text/plain - - - - - - Claims - - - - - - - - Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token - - - - - - - - - - - text/plain - - - - - Protocol - - - - - - - - - 0-255 number representing the ip protocol (TCP = 6, UDP = 17) - - - - - - - - - - - - text/plain - - - - - LocalPortRanges - - - - - - - - - Comma Separated list of ranges for eg. - 100-120,200,300-320 - - - - - - - - - - - LocalPortRanges - - text/plain - - - - - RemotePortRanges - - - - - - - - - Comma Separated list of ranges for eg. - 100-120,200,300-320 - - - - - - - - - - - - text/plain - - - - - LocalAddressRanges - - - - - - - - Comma Separated list of IP ranges - - - - - - - - - - - text/plain - - - - - RemoteAddressRanges - - - - - - - - Comma Separated list of IP ranges - - - - - - - - - - - text/plain - - - - - RoutingPolicyType - - - - - - - - - SplitTunnel - For this Rule, you are allowed to go over the VPN as well as the Internet. Other traffic may not go over the VPN Interface. - ForceTunnel - All Traffic matching this rule must go over only the VPN Interface. - - Only Applicable for App and Claims type. - - - - - - - - - - - - text/plain - - - - - Direction - - - - - - - - + + + Claims + + + + + + + + Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token. + + + + + + + + + + + + + + + + + + Protocol + + + + + + + + 0-255 number representing the ip protocol (TCP = 6, UDP = 17). + + + + + + + + + + + + + + [0-255] + + + + + LocalPortRanges + + + + + + + + Comma Separated list of ranges for eg. 100-120,200,300-320. 
+ + + + + + + + + + LocalPortRanges + + + + + ^[\d]*$ + + + + + Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol + + [6,17] + + + + + + + + RemotePortRanges + + + + + + + + A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320. + + + + + + + + + + + + + + ^[\d]*$ + + + + + Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol + + [6,17] + + + + + + + + LocalAddressRanges + + + + + + + + A list of comma separated values specifying local IP address ranges to allow. + + + + + + + + + + + + + + + + + + RemoteAddressRanges + + + + + + + + A list of comma separated values specifying remote IP address ranges to allow. + + + + + + + + + + + + + + + + + + RoutingPolicyType + + + + + + + + Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. + + + + + + + + + + + + + + + SplitTunnel + For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. + + + ForceTunnel + For this traffic rule all IP traffic must go through the VPN Interface only. + + + + + + Direction + + + + + + + + Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default. Inbound - The traffic filter allows traffic coming from external locations matching this rule. - - - - - - - - - - - text/plain - - - - - - - EdpModeId - - - - - - - - - Enterprise ID for the EDP Policy that this VPN Profile is supposed to interace with. - - - - - - - - - - - - text/plain - - - - - RememberCredentials - - - - - - - - - False = Remember credentials is turned off - True = Remember credentials is turned on - If True, Credentials will be cached wherever applicable. 
- - - - - - - - - - - - text/plain - - - - - AlwaysOn - - - - - - - - - False = Always on in not turned On - True = Always is on is turned on - - Note: Always On will work only for the active profile. - - - - - - - - - - - - text/plain - - - - - LockDown - - - - - - - - - False = This is not a LockDown profile. - True = This is a LockDown profile. - - If turned on a lockdown profile does four things. - First, it automatically becomes an always on profile. - Second, it can never be disconnected. - Third, if the profile is not connected, then the user - has no network connectivity. - Fourth, no other profiles may be connected or modified. - - A lockdown profile must be deleted before any other - profiles can be added, removed, or connected. - - - - - - - - - - - - text/plain - - - - - DeviceTunnel - - - - - - - - - False = This is not a Device Tunnel profile and it is the default value. - True = This is a Device Tunnel profile. - - If turned on a device tunnel profile does four things. - First, it automatically becomes an always on profile. - Second, it does not require the presence or logging in - of any user to the machine in order for it to connect. - Third, no other Device Tunnel profile maybe be present on the - Same machine. - - A device tunnel profile must be deleted before another device tunnel - profile can be added, removed, or connected. - - - - - - - - - - - - text/plain - - - - - RegisterDNS - - - - - - - - - False = Do not register the connection's address in DNS (default). - True = Register the connection's addresses in DNS. - - - - - - - - - - - - text/plain - - - - - DnsSuffix - - - - - - - - Connection Specific DNS Suffix. for eg. corp.contoso.com - - - - - - - - - - - text/plain - - - - - ByPassForLocal - - - - - - - - + + + + + + + + + + + + + + 10.0.19041 + 1.3 + + + + + + + EdpModeId + + + + + + + + Enterprise ID, which is required for connecting this VPN profile with an WIP policy. 
When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. + + + + + + + + + + + + + + + + + + RememberCredentials + + + + + + + + false + Boolean value (true or false) for caching credentials. + + + + + + + + + + + + + + + false + Do not cache credentials. + + + true + Credentials are cached whenever possible. + + + + + + AlwaysOn + + + + + + + + false + An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects. + + + + + + + + + + + + + + + false + Always On is turned off. + + + true + Always On is turned on. + + + + + + AlwaysOnActive + + + + + + + + 1 + An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation. + + + + + + + + + + + + + + + 0 + Always On is inactive. + + + 1 + Always On is activated on provisioning. + + + + + + RegisterDNS + + + + + + + + false + Allows registration of the connection's address in DNS. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + false + Do not register the connection's address in DNS. + + + true + Register the connection's addresses in DNS. + + + + + + DnsSuffix + + + + + + + + Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. + + + + + + + + + + + + + + + + + + ByPassForLocal + + + + + + + + False : Do not Bypass for Local traffic True : ByPass VPN Interface for Local Traffic Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. 
For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. - - - - - - - - - - - text/plain - - - - - TrustedNetworkDetection - - - - - - - - - String - Optional.String to identify the trusted network. VPN will not connect when the user is on their corporate wireless network where protected resources are directly accessible to the device. - - - - - - - - - - - - text/plain - - - - - ProfileXML - - - - - - - - - Xml schema for provisioning all the fields of a VPN - - - - - - - - - - - - text/plain - - - - - Proxy - - - - - - - - - - - - - - - - - - - Manual - - - - - - - - - - - - - - - - - - - Server - - - - - - - - Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80 - - - - - - - - - - - text/plain - - - - - - AutoConfigUrl - - - - - - - - Optional. Set a URL to automatically retrieve the proxy settings. 
- - - - - - - - - - - text/plain - - - - - - APNBinding - - - - - Reserved for Future Use - - - - - - - - - - - - - - - ProviderId - - - - - - - - - - - - - - - - - - text/plain - - - - - AccessPointName - - - - - - - - - - - - - - - - - - text/plain - - - - - UserName - - - - - - - - - - - - - - - - - - text/plain - - - - - Password - - - - - - - - - - - - - - - - - - text/plain - - - - - IsCompressionEnabled - - - - - - - - - - - - - - - - - - text/plain - - - - - AuthenticationType - - - - - - - - - - - - - - - - - - text/plain - - - - - - DeviceCompliance - - - - - - Nodes under DeviceCompliance can be used to enable Azure Active Directory based Conditional Access for VPN - - - - - - - - - - - - - - - Enabled - - - - - - - - Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Azure Active Directory to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory - - - - - - - - - - - text/plain - - - - - Sso - - - - - - Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance - - - - - - - - - - - text/plain - - - - Enabled - - - - - - - - If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication - - - - - - - - - - - text/plain - - - - - IssuerHash - - - - - - - - Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication - - - - - - - - - - - text/plain - - - - - Eku - - - - - - - - Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication - - - - - - - - - - - text/plain - - - - - - - PluginProfile - - - - - - - - - - - - - - - - - - - - ServerUrlList - - - - - - - - Required. 
URL for VPN Server - - - - - - - - - - - text/plain - - - - - CustomConfiguration - - - - - - - - Optional. This is an XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins - - - - - - - - - - - text/plain - - - - - PluginPackageFamilyName - - - - - - - - Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app - - - - - - - - - - - text/plain - - - - - CustomStoreUrl - - - - - - - - TO be Deleted - - - - - - - - - - - text/plain - - - - - WebAuth - - - - - - Nodes under WebAuth can be used to enable WebToken based authentication for 3rd Party Plugin VPN Profiles. - - - - - - - - - - - - - - - Enabled - - - - - - - - Enables the WebToken based authentication flow. - - - - - - - - - - - text/plain - - - - - ClientId - - - - - - - - The client ID to specify when communicating with the Web Account provider in retrieving the token. - - - - - - - - - - - text/plain - - - - - - - NativeProfile - - - - - - Inbox VPN Profile - - - - - - - - - - - - - - - Servers - - - - - - - - - Server - - - Required. Public or routable IP address or DNS name for the VPN gateway server farm. It can point to the external IP of a gateway or a virtual IP for a server farm - Some examples are 208.23.45.130 or vpn.contoso.com. - - - - - - - - - - - - text/plain - - - - - RoutingPolicyType - - - - - - - - - SplitTunnel - For this Connection, Traffic can go over any interface as determined by the networking stack. - - ForceTunnel - All IP Traffic must go over only the VPN Interface. 
- - - - - - - - - - - - text/plain - - - - - NativeProtocolType - - - - - - - - - Supported Values : - - Pptp - L2tp - Ikev2 - Automatic - - - - - - - - - - - - text/plain - - - - - Authentication - - - - - - - - - - - - - - - - - - - UserMethod - - - - - - - - - Supported Values - - Mschapv2 - Eap - - - - - - - - - - - - text/plain - - - - - MachineMethod - - - - - - - - - Supported Values - - Eap - Certificate - PresharedKey - - - - - - - - - - - - text/plain - - - - - Eap - - - - - - - - - - - - - - - - - - - Configuration - - - - - - - - XML Configuration for EAP Method - - - - - - - - - - - text/plain - - - - - Type - - - - - - - - - Required node for EAP profiles. This specifies the EAP Type ID - 13 = EAP-TLS - 26 = Ms-Chapv2 - 27 = Peap - - - - - - - - - - - - text/plain - - - - - - Certificate - - - - - Reserved for future Use - - - - - - - - - - - - - - - Issuer - - - - - - - - Reserved for future Use - - - - - - - - - - - text/plain - - - - - Eku - - - - - - - - Reserved for future Use - - - - - - - - - - - text/plain - - - - - - - CryptographySuite - - - - - Properties of IPSec tunnels. 
- - - - - - - - - - - - - - - AuthenticationTransformConstants - - - - - - - - - Choices are: - -- MD596 - -- SHA196 - -- SHA256128 - -- GCMAES128 - -- GCMAES192 - -- GCMAES256 - - - - - - - - - - - - text/plain - - - - - CipherTransformConstants - - - - - - - - - Choices Are: - -- DES - -- DES3 - -- AES128 - -- AES192 - -- AES256 - -- GCMAES128 - -- GCMAES192 - -- GCMAES256 - - - - - - - - - - - - text/plain - - - - - EncryptionMethod - - - - - - - - - Choices are: - -- DES - -- DES3 - -- AES128 - -- AES192 - -- AES256 - -- AES_GCM_128 - -- AES_GCM_256 - - - - - - - - - - - - text/plain - - - - - IntegrityCheckMethod - - - - - - - - - Choices are: - -- MD5 - -- SHA196 - -- SHA256 - -- SHA384 - - - - - - - - - - - - text/plain - - - - - DHGroup - - - - - - - - - Choices are: - -- Group1 - -- Group2 - -- Group14 - -- ECP256 - -- ECP384 - -- Group24 - - - - - - - - - - - - text/plain - - - - - PfsGroup - - - - - - - - - Choices are: - -- PFS1 - -- PFS2 - -- PFS2048 - -- ECP256 - -- ECP384 - -- PFSMM - -- PFS24 - - - - - - - - - - - - text/plain - - - - - - L2tpPsk - - - - - - - - The preshared key used for an L2TP connection - - - - - - - - - - - text/plain - - - - - DisableClassBasedDefaultRoute - - - - - - - - - When false this VPN connection will plumb class based default routes. - i.e. - If the interface IP begins with 10, it assumes a class a IP - and pushes the route 10.0.0.0/8 - - - - - - - - - - - - text/plain - - - - - PlumbIKEv2TSAsRoutes - - - - - - - - - True: Plumb traffic selectors as routes onto VPN interface - False: Do not plumb traffic selectors as routes - - - - - - - - - - - - text/plain - - - - - - - - VPNv2 - ./User/Vendor/MSFT + + + + + + + + + + + + + + + + TrustedNetworkDetection - - - - - - - - - - - - - - com.microsoft/1.3/MDM/VPNv2 - + + + + + + + Comma separated string to identify the trusted network. 
VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. + + + + + + + + + + + + + + , + + + + + DisableAdvancedOptionsEditButton + + + + + + + + Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info. + + + + + + + + + + + + + + + 10.0.22000 + 1.5 + + + + false + Advanced Options Edit Button is available. + + + true + Advanced Options Edit Button is unavailable. + + + + + + DisableDisconnectButton + + + + + + + + Optional. When this setting is True, the Disconnect button will not be visible for connected profiles. + + + + + + + + + + + + + + + 10.0.22000 + 1.5 + + + + false + Disconnect Button is visible. + + + true + Disconnect Button is not visible. + + + + + + RequireVpnClientAppUI + + + + + + + + + Applicable only to AppContainer profiles. + + False : Do not show profile in Settings UI. + True : Show profile in Settings UI. + + Optional. This node is only relevant for AppContainer profiles (i.e. using the VpnManagementAgent::AddProfileFromXmlAsync method). + + + + + + + + + + + + + + + 10.0.19628 + 1.4 + + + + + ProfileXML + + + + + + + + The XML schema for provisioning all the fields of a VPN. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +]]> + + + + + Proxy + + + + + A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected. 
+ + + + + + + + + + + + - + Manual + + + + + Optional node containing the manual server settings. + + + + + + + + + + + + + + + Server - - - - - - - - - - - - - - - - ProfileName - - - + + + + + + + Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80. + + + + + + + + + + + + + + + + + + + AutoConfigUrl + + + + + + + + Optional. Set a URL to automatically retrieve the proxy settings. + + + + + + + + + + + + + + + + + + + APNBinding + + + + + Reserved for future use. + + + + + + + + + + + + + + + ProviderId + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + AccessPointName + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + UserName + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + Password + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + IsCompressionEnabled + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + AuthenticationType + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + + DeviceCompliance + + + + + + Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN. + + + + + + + + + + + + + + 10.0.14393 + 1.1 + + + + Enabled + + + + + + + + Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + Sso + + + + + + Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance. 
+ + + + + + + + + + + + + + + Enabled + + + + + + + + If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + IssuerHash + + + + + + + + Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + + + + + + + + + + + + Eku + + + + + + + + Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + + + + + + + + + + + + + + PluginProfile + + + + + + Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin. + + + + + + + + + + + + + + + ServerUrlList + + + + + + + + Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format. + + + + + + + + + + + + + + + + + + CustomConfiguration + + + + + + + + Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults. + + + + + + + + + + + + + + + + + + PluginPackageFamilyName + + + + + + + + Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app. + + + + + + + + + + + + + + + + + + + NativeProfile + + + + + + InboxNodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP). + + + + + + + + + + + + + + + Servers + + + + + + + + Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. 
The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. + + + + + + + + + + + + + + + + RoutingPolicyType + + + + + + + + Type of routing policy. + + + + + + + + + + + + + + + SplitTunnel + Traffic can go over any interface as determined by the networking stack. + + + ForceTunnel + All IP traffic must go over the VPN interface. + + + + + + NativeProtocolType + + + + + + + + Required for native profiles. Type of tunneling protocol used. + + + + + + + + + + + + + + + PPTP + PPTP + + + L2TP + L2TP + + + IKEv2 + IKEv2 + + + Automatic + Automatic + + + SSTP + SSTP + + + ProtocolList + ProtocolList + + + + + + ProtocolList + + + + + + + + + + + + + + + + + + 10.0.20207 + 1.4 + + + + NativeProtocolList + + + + + List of inbox VPN protocols in priority order. + + + + + + + + + + + + - AppTriggerList - - - - - List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - appTriggerRowId - - - - - - App - - - - - - - - - - - - - - - - - - - Id - - - - - - - - App Identity. Specified, based on the Type Field.. - - - - - - - - - - - text/plain - - - - - Type - - - - - - PackageFamilyName - FQBN - FilePath - - - - - - - - - - - - text/plain - - - - - - - - RouteList - - - - - List of routes to be added to the Routing table for the VPN Interface. 
Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - routeRowId - - - - - - Address - - - - - - - - Subnet address - - - - - - - - - - - text/plain - - - - - PrefixSize - - - - - - - - Subnet Prefix - - - - - - - - - - - text/plain - - - - - Metric - - - - - - - - The route's metric. - - - - - - - - - - - text/plain - - - - - ExclusionRoute - - - - - - - - Is this a route to never go over the VPN - - - - - - - - - - - text/plain - - - - - - - DomainNameInformationList - - - - - NRPT (Name Resolution Policy Table) Rules for the VPN Profile - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - dniRowId - - - - - - DomainName - - - - - - - - Value based on the DomainNameType field - - - - - - - - - - - text/plain - - - - - DomainNameType - - - - - - a. FQDN: Select this if the policy applies only to the fully qualified domain name (FQDN) of a specified host. Do not use the FQDN of a domain. - - b. Suffix: Select this if the policy applies to the specified namespace, all records in that namespace, and all subdomains. - - c. Prefix: Select this if the policy applies only to a hostname. This policy will be triggered only if the hostname portion of the query matches the name configured here. A flat name (dotless name) must be configured here. - - d. Any: Use this if the policy applies to all. - - - - - - - - - - - - text/plain - - - - - DnsServers - - - - - - - - Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. 
- - - - - - - - - - - text/plain - - - - - WebProxyServers - - - - - - - - [Optional] If you are redirecting traffic through your intranet Web proxy servers, add the webproxyserver (Singular) - - - - - - - - - - - text/plain - - - - - AutoTrigger - - - - - - - - - False = This DomainName Rule will not trigger the VPN - True = This DomainName Rule will trigger the VPN - By default, this value is false. - - - - - - - - - - - - text/plain - - - - - Persistent - - - - - - - - - False = This DomainName Rule will only be plumbed when the VPN is connected - True = This DomainName Rule will always be plumbed. - By default, this value is false. - - - - - - - - - - - - text/plain - - - - - - - TrafficFilterList - - - - - - A list of rules allowing traffic over the VPN Interface. - - Each Rule ID is ORed. - Within each rule ID each Filter type is AND'ed - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - trafficFilterId - - - - - - App - - - - - Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface - - - - - - - - - - - - - - - Id - - - - - - - - App Identity. Specified, based on the Type Field.. - - - - - - - - - - - text/plain - - - - - Type - - - - - - PackageFamilyName - FQBN - FilePath - - - - - - - - - - - - text/plain - - - - - - Claims - - - - - - - - Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token - - - - - - - - - - - text/plain - - - - - Protocol - - - - - - - - - 0-255 number representing the ip protocol (TCP = 6, UDP = 17) - - - - - - - - - - - - text/plain - - - - - LocalPortRanges - - - - - - - - - Comma Separated list of ranges for eg. - 100-120,200,300-320 - - - - - - - - - - - LocalPortRanges - - text/plain - - - - - RemotePortRanges - - - - - - - - - Comma Separated list of ranges for eg. 
- 100-120,200,300-320 - - - - - - - - - - - - text/plain - - - - - LocalAddressRanges - - - - - - - - Comma Separated list of IP ranges - - - - - - - - - - - text/plain - - - - - RemoteAddressRanges - - - - - - - - Comma Separated list of IP ranges - - - - - - - - - - - text/plain - - - - - RoutingPolicyType - - - - - - - - - SplitTunnel - For this Rule, you are allowed to go over the VPN as well as the Internet. Other traffic may not go over the VPN Interface. - ForceTunnel - All Traffic matching this rule must go over only the VPN Interface. - - Only Applicable for App and Claims type. - - - - - - - - - - - - text/plain - - - - - - - EdpModeId - - - - - - - - - Enterprise ID for the EDP Policy that this VPN Profile is supposed to interace with. - - - - - - - - - - - - text/plain - - - - - RememberCredentials - - - - - - - - - False = Remember credentials is turned off - True = Remember credentials is turned on - If True, Credentials will be cached wherever applicable. - - - - - - - - - - - - text/plain - - - - - AlwaysOn - - - - - - - - - False = Always on in not turned On - True = Always is on is turned on - - Note: Always On will work only for the active profile. - - - - - - - - - - - - text/plain - - - - - DnsSuffix - - - - - - - - Connection Specific DNS Suffix. for eg. corp.contoso.com - - - - - - - - - - - text/plain - - - - - ByPassForLocal - - - - - - - - - False : Do not Bypass for Local traffic - True : ByPass VPN Interface for Local Traffic - - Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. 
- - - - - - - - - - - - text/plain - - - - - TrustedNetworkDetection - - - - - - - - - String - Optional.String to identify the trusted network. VPN will not connect when the user is on their corporate wireless network where protected resources are directly accessible to the device. - - - - - - - - - - - - text/plain - - - - - ProfileXML + + - - - Xml schema for provisioning all the fields of a VPN - - + - + + NativeProtocolRowId - text/plain + - - - Proxy - - - - - - - - - - - - - - - - - - - Manual - - - - - - - - - - - - - - - - - - - Server - - - - - - - - Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80 - - - - - - - - - - - text/plain - - - - - - AutoConfigUrl - - - - - - - - Optional. Set a URL to automatically retrieve the proxy settings. - - - - - - - - - - - text/plain - - - - - - APNBinding - - - - - Reserved for Future Use - - - - - - - - - - - - - - - ProviderId - - - - - - - - - - - - - - - - - - text/plain - - - - - AccessPointName - - - - - - - - - - - - - - - - - - text/plain - - - - - UserName - - - - - - - - - - - - - - - - - - text/plain - - - - - Password - - - - - - - - - - - - - - - - - - text/plain - - - - - IsCompressionEnabled - - - - - - - - - - - - - - - - - - text/plain - - - - - AuthenticationType - - - - - - - - - - - - - - - - - - text/plain - - - - - - DeviceCompliance - - - - - - Nodes under DeviceCompliance can be used to enable Azure Active Directory based Conditional Access for VPN - - - - - - - - - - - - - - - Enabled - - - - - - - - Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Azure Active Directory to get a certificate to use for authentication. 
The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory - - - - - - - - - - - text/plain - - - - - Sso - - - - - - Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance - - - - - - - - - - - text/plain - - - - Enabled - - - - - - - - If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication - - - - - - - - - - - text/plain - - - - - IssuerHash - - - - - - - - Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication - - - - - - - - - - - text/plain - - - - - Eku - - - - - - - - Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication - - - - - - - - - - - text/plain - - - - - - - PluginProfile - - - - - - - - - - - - - - - - - - - - ServerUrlList - - - - - - - - Required. URL for VPN Server - - - - - - - - - - - text/plain - - - - - CustomConfiguration - - - - - - - - Optional. This is an XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins - - - - - - - - - - - text/plain - - - - - PluginPackageFamilyName - - - - - - - - Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app - - - - - - - - - - - text/plain - - - - - CustomStoreUrl - - - - - - - - TO be Deleted - - - - - - - - - - - text/plain - - - - - WebAuth - - - - - - Nodes under WebAuth can be used to enable WebToken based authentication for 3rd Party Plugin VPN Profiles. - - - - - - - - - - - - - - - Enabled - - - - - - - - Enables the WebToken based authentication flow. - - - - - - - - - - - text/plain - - - - - ClientId - - - - - - - - The client ID to specify when communicating with the Web Account provider in retrieving the token. 
- - - - - - - - - - - text/plain - - - - - - - NativeProfile - - - - - - Inbox VPN Profile - - - - - - - - - - - - - - - Servers - - - - - - - - - Server - - - Required. Public or routable IP address or DNS name for the VPN gateway server farm. It can point to the external IP of a gateway or a virtual IP for a server farm - Some examples are 208.23.45.130 or vpn.contoso.com. - - - - - - - - - - - - text/plain - - - - - RoutingPolicyType - - - - - - - - - SplitTunnel - For this Connection, Traffic can go over any interface as determined by the networking stack. - - ForceTunnel - All IP Traffic must go over only the VPN Interface. - - - - - - - - - - - - text/plain - - - - - NativeProtocolType - - - - - - - - - Supported Values : - - Pptp - L2tp - Ikev2 - Automatic - - - - - - - - - - - - text/plain - - - - - Authentication - - - - - - - - - - - - - - - - - - - UserMethod - - - - - - - - - Supported Values - - Mschapv2 - Eap - - - - - - - - - - - - text/plain - - - - - MachineMethod - - - - - - - - - Supported Values - - Eap - Certificate - PresharedKey - - - - - - - - - - - - text/plain - - - - - Eap - - - - - - - - - - - - - - - - - - - Configuration - - - - - - - - XML Configuration for EAP Method - - - - - - - - - - - text/plain - - - - - Type - - - - - - - - - Required node for EAP profiles. This specifies the EAP Type ID - 13 = EAP-TLS - 26 = Ms-Chapv2 - 27 = Peap - - - - - - - - - - - - text/plain - - - - - - Certificate - - - - - Reserved for future Use - - - - - - - - - - - - - - - Issuer - - - - - - - - Reserved for future Use - - - - - - - - - - - text/plain - - - - - Eku - - - - - - - - Reserved for future Use - - - - - - - - - - - text/plain - - - - - - CryptographySuite - - - - - Properties of IPSec tunnels. 
- - - - - - - - - - - - - - - AuthenticationTransformConstants - - - - - - - - - Choices are: - -- MD596 - -- SHA196 - -- SHA256128 - -- GCMAES128 - -- GCMAES192 - -- GCMAES256 - - - - - - - - - - - - text/plain - - - - - CipherTransformConstants - - - - - - - - - Choices Are: - -- DES - -- DES3 - -- AES128 - -- AES192 - -- AES256 - -- GCMAES128 - -- GCMAES192 - -- GCMAES256 - - - - - - - - - - - - text/plain - - - - - EncryptionMethod - - - - - - - - - Choices are: - -- DES - -- DES3 - -- AES128 - -- AES192 - -- AES256 - -- AES_GCM_128 - -- AES_GCM_256 - - - - - - - - - - - - text/plain - - - - - IntegrityCheckMethod - - - - - - - - - Choices are: - -- MD5 - -- SHA196 - -- SHA256 - -- SHA384 - - - - - - - - - - - - text/plain - - - - - DHGroup - - - - - - - - - Choices are: - -- Group1 - -- Group2 - -- Group14 - -- ECP256 - -- ECP384 - -- Group24 - - - - - - - - - - - - text/plain - - - - - PfsGroup - - - - - - - - - Choices are: - -- PFS1 - -- PFS2 - -- PFS2048 - -- ECP256 - -- ECP384 - -- PFSMM - -- PFS24 - - - - - - - - - - - - text/plain - - - - - - L2tpPsk + Type @@ -4467,7 +2261,7 @@ The XML below is for Windows 10, version 2004. - The preshared key used for an L2TP connection + Inbox VPN protocols type. 
@@ -4478,12 +2272,3224 @@ The XML below is for Windows 10, version 2004. - text/plain + + + + Pptp + Pptp + + + L2tp + L2tp + + + Ikev2 + Ikev2 + + + Sstp + Sstp + + + + + + RetryTimeInHours + + + + + + + + Default 168, max 500000. + + + + + + + + + + + + + + + + + Authentication + + + + + Required node for native profile. It contains authentication information for the native VPN profile. + + + + + + + + + + + + + + + UserMethod + + + + + + + + This value can be one of the following: EAP or MSChapv2 (This is not supported for IKEv2). + + + + + + + + + + + + + + + EAP + EAP + + + MSChapv2 + MSChapv2: This is not supported for IKEv2 + + + + + + MachineMethod + + + + + + + + This is only supported in IKEv2. + + + + + + + + + + + + + + + Certificate + Certificate + + + + + + Eap + + + + + Required when the native profile specifies EAP authentication. EAP configuration XML. + + + + + + + + + + + + + + + Configuration + + + + + + + + HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see https://docs.microsoft.com/en-us/windows/client-management/mdm/eap-configuration. + + + + + + + + + + + + + + + + + + Type + + + + + + + + + Required node for EAP profiles. This specifies the EAP Type ID + 13 = EAP-TLS + 26 = Ms-Chapv2 + 27 = Peap + + + + + + + + + + + + + + + + + + + + Certificate + + + + + Reserved for future use. + + + + + + + + + + + + + + + Issuer + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + Eku + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + + + CryptographySuite + + + + + Properties of IPSec tunnels. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + AuthenticationTransformConstants + + + + + + + + Type of authentication transform constant. 
+ + + + + + + + + + + + + + + MD596 + MD596 + + + SHA196 + SHA196 + + + SHA256128 + SHA256128 + + + GCMAES128 + GCMAES128 + + + GCMAES192 + GCMAES192 + + + GCMAES256 + GCMAES256 + + + + + + CipherTransformConstants + + + + + + + + Type of Cipher transform constant. + + + + + + + + + + + + + + + DES + DES + + + DES3 + DES3 + + + AES128 + AES128 + + + AES192 + AES192 + + + AES256 + AES256 + + + GCMAES128 + GCMAES128 + + + GCMAES192 + GCMAES192 + + + GCMAES256 + GCMAES256 + + + + + + EncryptionMethod + + + + + + + + Type of encryption method. + + + + + + + + + + + + + + + DES + DES + + + DES3 + DES3 + + + AES128 + AES128 + + + AES192 + AES192 + + + AES256 + AES256 + + + AES_GCM_128 + AES_GCM_128 + + + AES_GCM_256 + AES_GCM_256 + + + + + + IntegrityCheckMethod + + + + + + + + Type of integrity check. + + + + + + + + + + + + + + + MD5 + MD5 + + + SHA196 + SHA196 + + + SHA256 + SHA256 + + + SHA384 + SHA384 + + + + + + DHGroup + + + + + + + + Group used for DH (Diffie-Hellman). + + + + + + + + + + + + + + + None + None + + + Group1 + Group1 + + + Group2 + Group2 + + + Group14 + Group14 + + + ECP256 + ECP256 + + + ECP384 + ECP384 + + + Group24 + Group24 + + + + + + PfsGroup + + + + + + + + Group used for PFS (Perfect Forward Secrecy). + + + + + + + + + + + + + + + None + None + + + PFS1 + PFS1 + + + PFS2 + PFS2 + + + PFS2048 + PFS2048 + + + ECP256 + ECP256 + + + ECP384 + ECP384 + + + PFSMM + PFSMM + + + PFS24 + PFS24 + + + + + + + L2tpPsk + + + + + + + + The preshared key used for an L2TP connection. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + DisableClassBasedDefaultRoute + + + + + + + + Specifies the class based default routes. 
For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8 + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + Enabled + + + true + Disabled + + + + + + PlumbIKEv2TSAsRoutes + + + + + + + + True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb traffic selectors as routes. + + + + + + + + + + + + + + 10.0.19041 + 1.3 + + + + + + NetworkOutageTime + + + + + + + + The amount of time in seconds the network is allowed to idle. 0 means no limit. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + [0-4294967295] + + + + + IPv4InterfaceMetric + + + + + + + + The metric for the IPv4 interface. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + [1-9999] + + + + + IPv6InterfaceMetric + + + + + + + + The metric for the IPv6 interface. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + [1-9999] + + + + + UseRasCredentials + + + + + + + + true + Determines whether the credential manager will save ras credentials after a connection. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + false + Ras Credentials are not saved. + + + true + Ras Credentials are saved. + + + + + + DataEncryption + + + + + + + + Require + Determines the level of data encryption required for the connection. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + None + No Data Encryption required. + + + Require + Data Encryption required. + + + Max + Maximum-strength Data Encryption required. + + + Optional + Perform encryption if possible. + + + + + + PrivateNetwork + + + + + + + + true + Determines whether the VPN connection is public or private. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + false + VPN connection is public. + + + true + VPN connection is private. + + + + + + DisableIKEv2Fragmentation + + + + + + + + false + Set to disable IKEv2 Fragmentation. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + true + IKEv2 Fragmentation will not be used. + + + false + IKEv2 Fragmentation is used as normal. 
+ + + + + + + + VPNv2 + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + + + + + + + + + + Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. + + + + + + + + + + ProfileName + + + + + + + + ^[^/]*$ + + + + + AppTriggerList + + + + + List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect. + + + + + + + + + + + + + + + + + + + + + + + A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. + + + + + + + + + + appTriggerRowId + + + + + A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. + + + + App + + + + + App Node under the Row Id. + + + + + + + + + + + + + + + Id + + + + + + + + App Identity. Specified, based on the Type Field. + + + + + + + + + + + + + + + + + + Type + + + + + Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. + + + + + + + + + + + + + + + + + + + RouteList + + + + + List of routes to be added to the Routing table for the VPN Interface. 
Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface. + + + + + + + + + + + + + + + + + + + + + + + A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. + + + + + + + + + + routeRowId + + + + + A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. + + + + Address + + + + + + + + Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix. + + + + + + + + + + + + + + + + + + PrefixSize + + + + + + + + The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface. + + + + + + + + + + + + + + [0-4294967295] + + + + + Metric + + + + + + + + The route's metric. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + ExclusionRoute + + + + + + + + false + A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + This route will direct traffic over the VPN. + + + true + This route will direct traffic over the physical interface. + + + + + + + + DomainNameInformationList + + + + + NRPT (Name Resolution Policy Table) Rules for the VPN Profile. + + + + + + + + + + + + + + + + + + + + + + + A sequential integer identifier for the Domain Name information. Sequencing must start at 0. + + + + + + + + + + dniRowId + + + + + A sequential integer identifier for the Domain Name information. Sequencing must start at 0. + + + + DomainName + + + + + + + + Used to indicate the namespace to which the policy applies. 
When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix. + + + + + + + + + + + + + + + + + + DomainNameType + + + + + Returns the namespace type. This value can be one of the following: FQDN - If the DomainName was not prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains. + + + + + + + + + + + + + + + + DnsServers + + + + + + + + Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. + + + + + + + + + + + + + + + + + + WebProxyServers + + + + + + + + Web Proxy Server IP address if you are redirecting traffic through your intranet. + + + + + + + + + + + + + + + + + + AutoTrigger + + + + + + + + false + Boolean to determine whether this domain name rule will trigger the VPN. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + This DomainName rule will not trigger the VPN. + + + true + This DomainName rule will trigger the VPN. + + + + + + Persistent + + + + + + + + false + A boolean value that specifies if the rule being added should persist even when the VPN is not connected. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + This DomainName rule will only be applied when VPN is connected. + + + true + This DomainName rule will always be present and applied. + + + + + + + + TrafficFilterList + + + + + A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed. 
+ + + + + + + + + + + + + + + + + + + + + + + A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. + + + + + + + + + + trafficFilterId + + + + + A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. + + + + App + + + + + Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface + + + + + + + + + + + + + + + Id + + + + + + + + App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB). + + + + + + + + + + + + + + + + + + Type + + + + + Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System. + + + + + + + + + + + + + + + + + Claims + + + + + + + + Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token. + + + + + + + + + + + + + + + + + + Protocol + + + + + + + + 0-255 number representing the ip protocol (TCP = 6, UDP = 17). + + + + + + + + + + + + + + [0-255] + + + + + LocalPortRanges + + + + + + + + Comma Separated list of ranges for eg. 100-120,200,300-320. + + + + + + + + + + LocalPortRanges + + + + + ^[\d]*$ + + + + + Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol + + [6,17] + + + + + + + + RemotePortRanges + + + + + + + + A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320. 
+ + + + + + + + + + + + + + ^[\d]*$ + + + + + Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol + + [6,17] + + + + + + + + LocalAddressRanges + + + + + + + + A list of comma separated values specifying local IP address ranges to allow. + + + + + + + + + + + + + + + + + + RemoteAddressRanges + + + + + + + + A list of comma separated values specifying remote IP address ranges to allow. + + + + + + + + + + + + + + + + + + RoutingPolicyType + + + + + + + + Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. + + + + + + + + + + + + + + + SplitTunnel + For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. + + + ForceTunnel + For this traffic rule all IP traffic must go through the VPN Interface only. + + + + + + Direction + + + + + + + + + Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default. + Inbound - The traffic filter allows traffic coming from external locations matching this rule. + + + + + + + + + + + + + + + 10.0.19041 + 1.3 + + + + + + + EdpModeId + + + + + + + + Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. + + + + + + + + + + + + + + + + + + RememberCredentials + + + + + + + + false + Boolean value (true or false) for caching credentials. + + + + + + + + + + + + + + + false + Do not cache credentials. + + + true + Credentials are cached whenever possible. 
+ + + + + + AlwaysOn + + + + + + + + false + An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects. + + + + + + + + + + + + + + + false + Always On is turned off. + + + true + Always On is turned on. + + + + + + AlwaysOnActive + + + + + + + + 1 + An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation. + + + + + + + + + + + + + + + 0 + Always On is inactive. + + + 1 + Always On is activated on provisioning. + + + + + + DeviceTunnel + + + + + + + + false + If turned on a device tunnel profile does four things. + First, it automatically becomes an always on profile. + Second, it does not require the presence or logging in of any user to the machine in order for it to connect. + Third, no other Device Tunnel profile maybe be present on the same machine. +A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + false + This is not a device tunnel profile. + + + true + This is a device tunnel profile. + + + + + + RegisterDNS + + + + + + + + false + Allows registration of the connection's address in DNS. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + false + Do not register the connection's address in DNS. + + + true + Register the connection's addresses in DNS. + + + + + + DnsSuffix + + + + + + + + Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. + + + + + + + + + + + + + + + + + + ByPassForLocal + + + + + + + + + False : Do not Bypass for Local traffic + True : ByPass VPN Interface for Local Traffic + + Optional. 
When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. + + + + + + + + + + + + + + + + + TrustedNetworkDetection + + + + + + + + Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. + + + + + + + + + + + + + + , + + + + + DisableAdvancedOptionsEditButton + + + + + + + + + Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info. + + + + + + + + + + + + + + + 10.0.22000 + 1.5 + + + + false + Advanced Options Edit Button is available. + + + true + Advanced Options Edit Button is unavailable. + + + + + + DisableDisconnectButton + + + + + + + + + Optional. When this setting is True, the Disconnect button will not be visible for connected profiles. + + + + + + + + + + + + + + + 10.0.22000 + 1.5 + + + + false + Disconnect Button is visible. + + + true + Disconnect Button is not visible. + + + + + + ProfileXML + + + + + + + + The XML schema for provisioning all the fields of a VPN. 
+ + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +]]> + + + + + Proxy + + + + + A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected. + + + + + + + + + + + + + + + Manual + + + + + Optional node containing the manual server settings. + + + + + + + + + + + + + + + Server + + + + + + + + Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80. + + + + + + + + + + + + + + + + + + + AutoConfigUrl + + + + + + + + Optional. Set a URL to automatically retrieve the proxy settings. + + + + + + + + + + + + + + + + + + + APNBinding + + + + + Reserved for future use. + + + + + + + + + + + + + + + ProviderId + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + AccessPointName + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + UserName + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + Password + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + IsCompressionEnabled + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + AuthenticationType + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + + DeviceCompliance + + + + + + Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN. + + + + + + + + + + + + + + 10.0.14393 + 1.1 + + + + Enabled + + + + + + + + Enables the Device Compliance flow from the client. 
If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + Sso + + + + + + Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance. + + + + + + + + + + + + + + + Enabled + + + + + + + + If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + IssuerHash + + + + + + + + Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + + + + + + + + + + + + Eku + + + + + + + + Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication. + + + + + + + + + + + + + + + + + + + + PluginProfile + + + + + + Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin. + + + + + + + + + + + + + + + ServerUrlList + + + + + + + + Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format. + + + + + + + + + + + + + + + + + + CustomConfiguration + + + + + + + + Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults. + + + + + + + + + + + + + + + + + + PluginPackageFamilyName + + + + + + + + Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app. 
+ + + + + + + + + + + + + + + + + + + NativeProfile + + + + + + Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP). + + + + + + + + + + + + + + + Servers + + + + + + + + Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. + + + + + + + + + + + + + + + + RoutingPolicyType + + + + + + + + Type of routing policy. + + + + + + + + + + + + + + + SplitTunnel + Traffic can go over any interface as determined by the networking stack. + + + ForceTunnel + All IP traffic must go over the VPN interface. + + + + + + NativeProtocolType + + + + + + + + Required for native profiles. Type of tunneling protocol used. + + + + + + + + + + + + + + + PPTP + PPTP + + + L2TP + L2TP + + + IKEv2 + IKEv2 + + + Automatic + Automatic + + + SSTP + SSTP + + + ProtocolList + ProtocolList + + + + + + ProtocolList + + + + + + + + + + + + + + + + + + 10.0.20207 + 1.4 + + + + NativeProtocolList + + + + + List of inbox VPN protocols in priority order. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + NativeProtocolRowId + + + + - DisableClassBasedDefaultRoute + Type 
@@ -4491,55 +5497,998 @@ The XML below is for Windows 10, version 2004. - - When false this VPN connection will plumb class based default routes. - i.e. - If the interface IP begins with 10, it assumes a class a IP - and pushes the route 10.0.0.0/8 - + Inbox VPN protocols type. - + - + - text/plain + + + + Pptp + Pptp + + + L2tp + L2tp + + + Ikev2 + Ikev2 + + + Sstp + Sstp + + - - PlumbIKEv2TSAsRoutes - - - - - - - - - True: Plumb traffic selectors as routes onto VPN interface - False: Do not plumb traffic selectors as routes - - - - - - - - - - - - text/plain - - - + + + RetryTimeInHours + + + + + + + + Default 168, max 500000. + + + + + + + + + + + + + + + + Authentication + + + + + Required node for native profile. It contains authentication information for the native VPN profile. + + + + + + + + + + + + + + + UserMethod + + + + + + + + Type of user authentication. + + + + + + + + + + + + + + + EAP + EAP + + + MSChapv2 + MSChapv2: This is not supported for IKEv2 + + + + + + MachineMethod + + + + + + + + This is only supported in IKEv2. + + + + + + + + + + + + + + + Certificate + Certificate + + + + + + Eap + + + + + Required when the native profile specifies EAP authentication. EAP configuration XML. + + + + + + + + + + + + + + + Configuration + + + + + + + + HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see https://docs.microsoft.com/en-us/windows/client-management/mdm/eap-configuration. + + + + + + + + + + + + + + + + + + Type + + + + + + + + + Required node for EAP profiles. This specifies the EAP Type ID + 13 = EAP-TLS + 26 = Ms-Chapv2 + 27 = Peap + + + + + + + + + + + + + + + + + + + + Certificate + + + + + Reserved for future use. + + + + + + + + + + + + + + + Issuer + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + Eku + + + + + + + + Reserved for future use. + + + + + + + + + + + + + + + + + + CryptographySuite + + + + + Properties of IPSec tunnels. 
+ + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + AuthenticationTransformConstants + + + + + + + + Type of authentication transform constant. + + + + + + + + + + + + + + + MD596 + MD596 + + + SHA196 + SHA196 + + + SHA256128 + SHA256128 + + + GCMAES128 + GCMAES128 + + + GCMAES192 + GCMAES192 + + + GCMAES256 + GCMAES256 + + + + + + CipherTransformConstants + + + + + + + + Type of Cipher transform constant. + + + + + + + + + + + + + + + DES + DES + + + DES3 + DES3 + + + AES128 + AES128 + + + AES192 + AES192 + + + AES256 + AES256 + + + GCMAES128 + GCMAES128 + + + GCMAES192 + GCMAES192 + + + GCMAES256 + GCMAES256 + + + + + + EncryptionMethod + + + + + + + + Type of encryption method. + + + + + + + + + + + + + + + DES + DES + + + DES3 + DES3 + + + AES128 + AES128 + + + AES192 + AES192 + + + AES256 + AES256 + + + AES_GCM_128 + AES_GCM_128 + + + AES_GCM_256 + AES_GCM_256 + + + + + + IntegrityCheckMethod + + + + + + + + Type of integrity check. + + + + + + + + + + + + + + + MD5 + MD5 + + + SHA196 + SHA196 + + + SHA256 + SHA256 + + + SHA384 + SHA384 + + + + + + DHGroup + + + + + + + + Group used for DH (Diffie-Hellman). + + + + + + + + + + + + + + + None + None + + + Group1 + Group1 + + + Group2 + Group2 + + + Group14 + Group14 + + + ECP256 + ECP256 + + + ECP384 + ECP384 + + + Group24 + Group24 + + + + + + PfsGroup + + + + + + + + Group used for PFS (Perfect Forward Secrecy). + + + + + + + + + + + + + + + None + None + + + PFS1 + PFS1 + + + PFS2 + PFS2 + + + PFS2048 + PFS2048 + + + ECP256 + ECP256 + + + ECP384 + ECP384 + + + PFSMM + PFSMM + + + PFS24 + PFS24 + + + + + + + L2tpPsk + + + + + + + + The preshared key used for an L2TP connection. + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + + + + DisableClassBasedDefaultRoute + + + + + + + + Specifies the class based default routes. 
For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8 + + + + + + + + + + + + + + 10.0.14393 + 1.2 + + + + false + Enabled + + + true + Disabled + + + + + + PlumbIKEv2TSAsRoutes + + + + + + + + True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb traffic selectors as routes. + + + + + + + + + + + + + + 10.0.19041 + 1.3 + + + + + + NetworkOutageTime + + + + + + + + The amount of time in seconds the network is allowed to idle. 0 means no limit. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + [0-4294967295] + + + + + IPv4InterfaceMetric + + + + + + + + The metric for the IPv4 interface. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + [1-9999] + + + + + IPv6InterfaceMetric + + + + + + + + The metric for the IPv6 interface. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + [1-9999] + + + + + UseRasCredentials + + + + + + + + true + Determines whether the credential manager will save ras credentials after a connection. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + false + Ras Credentials are not saved. + + + true + Ras Credentials are saved. + + + + + + DataEncryption + + + + + + + + Require + Determines the level of data encryption required for the connection. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + None + No Data Encryption required. + + + Require + Data Encryption required. + + + Max + Maximum-strength Data Encryption required. + + + Optional + Perform encryption if possible. + + + + + + PrivateNetwork + + + + + + + + true + Determines whether the VPN connection is public or private. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + false + VPN connection is public. + + + true + VPN connection is private. + + + + + + DisableIKEv2Fragmentation + + + + + + + + false + Set to disable IKEv2 Fragmentation. + + + + + + + + + + + + + + 10.0.22000 + 1.6 + + + + true + IKEv2 Fragmentation will not be used. + + + false + IKEv2 Fragmentation is used as normal. 
+ + + + + ``` + +## Related articles + +[VPNv2 configuration service provider reference](vpnv2-csp.md) diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md deleted file mode 100644 index bfca5ab7aa..0000000000 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ /dev/null 
@@ -1,447 +0,0 @@ ---- -title: ProfileXML XSD -description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/14/2020 ---- - -# ProfileXML XSD - -Here's the XSD for the ProfileXML node in the VPNv2 CSP and VpnManagementAgent::AddProfileFromXmlAsync for Windows 10 and some profile examples. - -## XSD for the VPN profile - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Native profile example - -```xml - - corp.contoso.com - true - false - corp.contoso.com - contoso.com - - - Helloworld.Com - - HelloServer - - - - - true - - true - This is my Eku - This is my issuer hash - - - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - - - - C:\windows\system32\ping.exe - - - - - hrsite.corporate.contoso.com - 1.2.3.4,5.6.7.8 - 5.5.5.5 - true - - - .corp.contoso.com - 10.10.10.10,20.20.20.20 - 100.100.100.100 - - - - - %ProgramFiles%\Internet Explorer\iexplore.exe - - 6 - 10,20-50,100-200 - 20-50,100-200,300 - 30.30.0.0/16,10.10.10.10-20.20.20.20 - ForceTunnel - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - 3.3.3.3/32,1.1.1.1-2.2.2.2 - - - - testServer.VPN.com - SplitTunnel - IKEv2 - true - - Eap - - - - - 25 - 0 - 0 - 0 - - - - 25 - - - true - - d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2 - d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74 - - true - false - - 13 - - - - true - - - - true - - d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2 - d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74 - - false - true - 
false - - - - - AAD Conditional Access - 1.3.6.1.4.1.311.87 - - - - - AAD Conditional Access - - - - - - - false - true - - true - false - - - - - - - - - - - -
    192.168.0.0
    - 24 -
    - -
    10.10.0.0
    - 16 -
    -
    -``` - -## Plug-in profile example - -```xml - - - true - false - corp.contoso.com - contoso.com,test.corp.contoso.com - false - false - - - Helloworld.Com - - HelloServer - - - - - - - - - - true - - - - - testserver1.contoso.com;testserver2.contoso..com - true - JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy - - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - - - - %ProgramFiles%\Internet Explorer\iexplore.exe - - - - - corp.contoso.com - 1.2.3.4,5.6.7.8 - 5.5.5.5 - false - - - corp.contoso.com - 10.10.10.10,20.20.20.20 - 100.100.100.100 - - - - - %ProgramFiles%\Internet Explorer\iexplore.exe - - 6 - 10,20-50,100-200 - 20-50,100-200,300 - 30.30.0.0/16,10.10.10.10-20.20.20.20 - - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - 3.3.3.3/32,1.1.1.1-2.2.2.2 - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - O:SYG:SYD:(A;;CC;;;AU) - - - - -
    192.168.0.0
    - 24 -
    - -
    10.10.0.0
    - 16 -
    -
    -```
-
-## Related topics
-
-[Configuration service provider reference](index.yml)
\ No newline at end of file
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index 0df64e0109..7bc7eec664 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -1,159 +1,783 @@ --- title: WiFi CSP -description: The WiFi configuration service provider (CSP) provides the functionality to add or delete Wi-Fi networks on a Windows device. -ms.reviewer: +description: Learn more about the WiFi CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/18/2019 +ms.topic: reference --- + + + # WiFi CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -> [!WARNING] -> Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - + + The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device. The configuration service provider accepts SyncML input and converts it to a network profile that is installed on the device. This profile enables the device to connect to the Wi-Fi network when it's in range. Programming considerations: -- If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider doesn't provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. 
Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it isn't supported in EAP-TLS. -- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it's stored on the device. -- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This condition requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping aren't supported. -- The \*name\_goes\_here*\\ must match \\ *name\_goes\_here*\\. -- For the WiFi CSP, you can't use the Replace command unless the node already exists. -- Using Proxyis in Windows 10 client editions (Home, Pro, Enterprise, and Education) will result in failure. +- If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider doesn't provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it isn't supported in EAP-TLS. +- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it's stored on the device. +- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This condition requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping aren't supported. 
+- The `name_goes_here\` must match `name_goes_here`. +- For the WiFi CSP, you can't use the Replace command unless the node already exists. +- Using ProxyPacUrl or ProxyWPAD in Windows 10 client editions (Home, Pro, Enterprise, and Education) will result in failure. + -The following example shows the WiFi configuration service provider in tree format. + +The following list shows the WiFi configuration service provider nodes: -```console -./Device/Vendor/MSFT -or -./User/Vendor/MSFT -WiFi ----Profile -------SSID ----------WlanXML ----------WiFiCost +- ./Device/Vendor/MSFT/WiFi + - [Profile](#deviceprofile) + - [{SSID}](#deviceprofilessid) + - [ProfileSource](#deviceprofilessidprofilesource) + - [Proxy](#deviceprofilessidproxy) + - [ProxyPacUrl](#deviceprofilessidproxypacurl) + - [ProxyWPAD](#deviceprofilessidproxywpad) + - [WiFiCost](#deviceprofilessidwificost) + - [WlanXml](#deviceprofilessidwlanxml) +- ./User/Vendor/MSFT/WiFi + - [Profile](#userprofile) + - [{SSID}](#userprofilessid) + - [ProfileSource](#userprofilessidprofilesource) + - [Proxy](#userprofilessidproxy) + - [ProxyPacUrl](#userprofilessidproxypacurl) + - [ProxyWPAD](#userprofilessidproxywpad) + - [WiFiCost](#userprofilessidwificost) + - [WlanXml](#userprofilessidwlanxml) + + + +## Device/Profile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/WiFi/Profile ``` + -The following list shows the characteristics and parameters. + + +Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network - for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. + -**Device or User profile** -For user profile, use `./User/Vendor/MSFT/Wifi` path and for device profile, use `./Device/Vendor/MSFT/Wifi` path. + + + -**Profile** -Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network – for example, the SSID, authentication and encryption methods and passphrase if there's WEP or WPA2 networks. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**\** -Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. The SSID is added when the WlanXML node is added. When the SSID node is deleted, then all the subnodes are also deleted. + + + -SSID is the name of network you're connecting to, while Profile name is the name of the Profile that contains the WiFi settings information. If the Profile name isn't set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, \./Vendor/MSFT/WiFi/Profile/<*MUST BE NAME OF PROFILE AS PER WIFI XML*>/WlanXml\. + -The supported operations are Add, Get, Delete, and Replace. 
+ +### Device/Profile/{SSID} -**WlanXML** -The XML that describes the network configuration and follows the [WLAN\_profile Schema](/windows/win32/nativewifi/wlan-profileschema-schema) on MSDN. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/WiFi/Profile/{SSID} +``` + -Value type is chr. + + +The Profile name of the Wi-Fi network. This is added when WlanXml node is added and deleted when WlanXml is deleted. + + + +Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. + +SSID is the name of network you're connecting to, while Profile name is the name of the Profile that contains the WiFi settings information. If the Profile name isn't set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, `./Vendor/MSFT/WiFi/Profile//WlanXml`. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### Device/Profile/{SSID}/ProfileSource + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/WiFi/Profile/{SSID}/ProfileSource +``` + + + + +Allows for defining which administrative entity is setting this Wi-Fi profile. This can currently be set to either 0=Enterprise or 1=Mobile Operator. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enterprise. | +| 1 | Mobile Operator. | + + + + + + + + + +#### Device/Profile/{SSID}/Proxy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/WiFi/Profile/{SSID}/Proxy +``` + + + + +Optional node. The format is url:port. Configuration of the network proxy (if any). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Profile/{SSID}/ProxyPacUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/WiFi/Profile/{SSID}/ProxyPacUrl +``` + + + + +Optional node. URL to the PAC file location. + + + + +> [!NOTE] +> Don't use. Using this configuration in Windows 10 client editions will result in failure. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Device/Profile/{SSID}/ProxyWPAD + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/WiFi/Profile/{SSID}/ProxyWPAD +``` + + + + +Optional node. The presence of the field enables WPAD for proxy lookup. + + + + +> [!NOTE] +> Don't use. Using this configuration in Windows 10 client editions will result in failure. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disable WPAD for proxy lookup. | +| true | Enable WPAD for proxy lookup. | + + + + + + + + + +#### Device/Profile/{SSID}/WiFiCost + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/WiFi/Profile/{SSID}/WiFiCost +``` + + + + +Optional node. If the policy is active selecting one of the values from the following list will set the cost of WLAN connection for the Wi-Fi profile. (1:Unrestricted - unlimited connection, 2: Fixed - capacity constraints up to a certain data limit, 3: Variable - costed on per byte basic) Default behavior: Unrestricted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Unrestricted - unlimited connection. | +| 2 | Fixed - capacity constraints up to a certain data limit. | +| 3 | Variable - paid on per byte basic. | + + + + + + + + + +#### Device/Profile/{SSID}/WlanXml + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/WiFi/Profile/{SSID}/WlanXml +``` + + + + +XML describing the network configuration and follows Windows WLAN_profile schema. +Link to schema: + + + + The profile XML must be escaped, as shown in the examples below. If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](/windows/win32/nativewifi/wpa2-personal-profile-sample). > [!NOTE] > If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](./eap-configuration.md). + -The supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -**Proxy** -Don't use. Using this configuration in Windows 10 client editions will result in failure. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + + -Optional. Specifies the configuration of the network proxy. A proxy server host and port can be specified per connection for Windows 10 Mobile. This proxy configuration is only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions will result in failure. + -The format is *host:port*, where host can be one of the following: + +## User/Profile -- A registered host name, such as server name, FQDN, or Single Label Name, such as myweb instead of myweb.contoso.com. -- IPV4 address -- IPv6/IPvFuture address. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -If it's an IPvFuture address, then it must be specified as an IP literal as "\[" (IP v6 address / IPvFuture ) "\]", such as "\[2441:4880:28:3:204:76ff:f43f:6eb\]:8080". + +```User +./User/Vendor/MSFT/WiFi/Profile +``` + -Supported operations are Get, Add, Delete, and Replace. ---> + + +Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network - for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. + -**DisableInternetConnectivityChecks** + + + -> [!Note] -> This node has been deprecated since Windows 10, version 1607. + +**Description framework properties**: -Added in Windows 10, version 1511. Optional. Disable the internet connectivity check for the profile. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Value type is chr. + + + -- True - internet connectivity check is disabled. -- False - internet connectivity check is enabled. + -Supported operations are Get, Add, Delete, and Replace. + +### User/Profile/{SSID} -**ProxyPacUrl** -Don't use. Using this configuration in Windows 10 client editions will result in failure. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + - +```User +./User/Vendor/MSFT/WiFi/Profile/{SSID} +``` + -Added in Windows 10, version 1607. Optional. Specifies the value of the URL to the Proxy auto-config (PAC) file location. This proxy configuration is only supported in Windows 10 Mobile. + + +The Profile name of the Wi-Fi network. This is added when WlanXml node is added and deleted when WlanXml is deleted. + -Value type is chr, e.g. http://www.contoso.com/wpad.dat. ---> + + +Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. -**ProxyWPAD** -Don't use. Using this configuration in Windows 10 client editions will result in failure. +SSID is the name of network you're connecting to, while Profile name is the name of the Profile that contains the WiFi settings information. If the Profile name isn't set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, `./Vendor/MSFT/WiFi/Profile//WlanXml`. + - +**Description framework properties**: -Added in Windows 10, version 1607. Optional. When set to true it enables Web Proxy Auto-Discovery Protocol (WPAD) for proxy lookup.This proxy configuration is only supported in Windows 10 Mobile. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + -Value type is bool. ---> + + + -**WiFiCost** -Added in Windows 10, version 1809. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behavior: Unrestricted. 
+ -Supported values: + +#### User/Profile/{SSID}/ProfileSource -- 1 - Unrestricted - unlimited connection -- 2 - Fixed - capacity constraints up to a certain data limit -- 3 - Variable - paid on per byte basic + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -Supported operations are Add, Get, Replace and Delete. Value type is integer. + +```User +./User/Vendor/MSFT/WiFi/Profile/{SSID}/ProfileSource +``` + + + +Allows for defining which administrative entity is setting this Wi-Fi profile. This can currently be set to either 0=Enterprise or 1=Mobile Operator. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enterprise. | +| 1 | Mobile Operator. | + + + + + + + + + +#### User/Profile/{SSID}/Proxy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/WiFi/Profile/{SSID}/Proxy +``` + + + + +Optional node. The format is url:port. Configuration of the network proxy (if any). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/Profile/{SSID}/ProxyPacUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/WiFi/Profile/{SSID}/ProxyPacUrl +``` + + + + +Optional node. URL to the PAC file location. + + + + +> [!NOTE] +> Don't use. Using this configuration in Windows 10 client editions will result in failure. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### User/Profile/{SSID}/ProxyWPAD + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/WiFi/Profile/{SSID}/ProxyWPAD +``` + + + + +Optional node. The presence of the field enables WPAD for proxy lookup. + + + + +> [!NOTE] +> Don't use. Using this configuration in Windows 10 client editions will result in failure. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disable WPAD for proxy lookup. | +| true | Enable WPAD for proxy lookup. | + + + + + + + + + +#### User/Profile/{SSID}/WiFiCost + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/WiFi/Profile/{SSID}/WiFiCost +``` + + + + +Optional node. If the policy is active selecting one of the values from the following list will set the cost of WLAN connection for the Wi-Fi profile. (1:Unrestricted - unlimited connection, 2: Fixed - capacity constraints up to a certain data limit, 3: Variable - costed on per byte basic) Default behavior: Unrestricted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Unrestricted - unlimited connection. | +| 2 | Fixed - capacity constraints up to a certain data limit. | +| 3 | Variable - paid on per byte basic. | + + + + + + + + + +#### User/Profile/{SSID}/WlanXml + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/WiFi/Profile/{SSID}/WlanXml +``` + + + + +XML describing the network configuration and follows Windows WLAN_profile schema. +Link to schema: + + + + +The profile XML must be escaped, as shown in the examples below. + +If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](/windows/win32/nativewifi/wpa2-personal-profile-sample). + +> [!NOTE] +> If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](./eap-configuration.md). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + ## Examples These XML examples show how to perform various tasks using OMA DM. ### Add a network -The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork,'. +The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork'. ```xml @@ -210,7 +834,7 @@ The following example shows the response. ### Remove a network -The following example shows how to remove a network with SSID ‘MyNetwork’ and no proxy. Removing all network authentication types is done in this same manner. +The following example shows how to remove a network with SSID 'MyNetwork' and no proxy. Removing all network authentication types is done in this same manner. ```xml 
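Review bot: The programming-considerations bullet that is now merged onto one line still contains `Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it isn't supported in EAP-TLS.`, which names EAP-TLS as both working and unsupported; the rewrite is the right place to resolve that, presumably by confirming which EAP method the first clause was meant to name and rewording it to something like `A self-signed server certificate works for PEAP-MSCHAPv2 but isn't supported for EAP-TLS.` once verified against product behavior. The WEP/WPA bullet keeps `include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it's stored on the device.` but says nothing about the key being cleartext in the SyncML payload and in whatever the MDM server retains, so a one-sentence caveat that the profile must be treated as a secret in transit and at rest on the management side would stop readers from assuming device-side encryption covers the whole path. The new per-node text also drops the `Don't use` warning from the Proxy node while keeping it on ProxyPacUrl and ProxyWPAD, and the bullet list was narrowed to those two nodes; if the host:port Proxy node is genuinely supported on desktop editions now, that is worth stating explicitly, and if not, the old warning should be restored.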
@@ -228,7 +852,7 @@ The following example shows how to remove a network with SSID ‘MyNetwork’ an ### Add a network and certification authority for a server certificate -The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetwork’ and root CA validation for server certificate. +The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork' and root CA validation for server certificate. ```xml @@ -247,7 +871,10 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetw ``` + -## Related topics + -[Configuration service provider reference](index.yml) +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index a6b9b70daf..c955abb2f5 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md 
@@ -1,37 +1,32 @@ --- title: WiFi DDF file -description: Learn about the OMA DM device description framework (DDF) for the WiFi configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the WiFi configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/28/2018 +ms.topic: reference --- + + # WiFi DDF file -> [!WARNING] -> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -The XML below is for Windows 10, version 1809 and later. +The following XML file contains the device description framework (DDF) for the WiFi configuration service provider. ```xml - -]> +]> 1.2 + + WiFi - ./Vendor/MSFT + ./User/Vendor/MSFT @@ -46,8 +41,13 @@ The XML below is for Windows 10, version 1809 and later. - com.microsoft/1.1/MDM/WiFi + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + Profile @@ -55,6 +55,7 @@ The XML below is for Windows 10, version 1809 and later. + Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network – for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. 
@@ -65,11 +66,12 @@ The XML below is for Windows 10, version 1809 and later. - + - + + @@ -77,7 +79,7 @@ The XML below is for Windows 10, version 1809 and later. - The Profile name of the Wi-Fi network. This is added when WlanXML node is added and deleted when Wlanxml is deleted. + The Profile name of the Wi-Fi network. This is added when WlanXml node is added and deleted when WlanXml is deleted. @@ -89,8 +91,12 @@ The XML below is for Windows 10, version 1809 and later. SSID - + + + + + WlanXml @@ -103,7 +109,7 @@ The XML below is for Windows 10, version 1809 and later. XML describing the network configuration and follows Windows WLAN_profile schema. - Link to schema: https://msdn.microsoft.com/library/windows/desktop/ms707341(v=vs.85).aspx + Link to schema: http://msdn.microsoft.com/en-us/library/windows/desktop/ms707341(v=vs.85).aspx 
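Review bot: The new side of the @@ -103 hunk downgrades the WLAN_profile schema link to plain `http://msdn.microsoft.com/en-us/library/windows/desktop/ms707341(v=vs.85).aspx`, while the line it removes already used `https://`; that is a regression rather than a correction. The same `http://` form is emitted again in the Device subtree added in the next hunk (@@ -115), so both copies need the same treatment. The DDF XML looks generated from the product's DDF source, so the durable fix is upstream, but the page should keep `Link to schema: https://msdn.microsoft.com/library/windows/desktop/ms707341(v=vs.85).aspx` until that lands.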
@@ -115,16 +121,480 @@ The XML below is for Windows 10, version 1809 and later. - text/plain + + + Proxy + + + + + + + + Optional node. The format is url:port. Configuration of the network proxy (if any). + + + + + + + + + + + + + + + + + + + + + ProxyPacUrl + + + + + + + + Optional node. URL to the PAC file location. + + + + + + + + + + + + + + + + + 10.0.14393 + 1.1 + + + + + + + ProxyWPAD + + + + + + + + Optional node. The presence of the field enables WPAD for proxy lookup. + + + + + + + + + + + + + + 10.0.14393 + 1.1 + + + + false + Disable WPAD for proxy lookup. + + + true + Enable WPAD for proxy lookop. + + + + + + WiFiCost + + + + + + + + 1 + Optional node. If the policy is active selecting one of the values from the following list will set the cost of WLAN connection for the Wi-Fi profile. (1:Unrestricted - unlimited connection, 2: Fixed - capacity constraints up to a certain data limit, 3: Variable - costed on per byte basic) Default behaviour: Unrestricted + + + + + + + + + + + + + + 10.0.17763 + 1.1 + + + + 1 + Unrestricted - unlimited connection. + + + 2 + Fixed - capacity constraints up to a certain data limit. + + + 3 + Variable - paid on per byte basic. + + + + + + ProfileSource + + + + + + 0 + Allows for defining which administrative entity is setting this Wi-Fi profile. This can currently be set to either 0=Enterprise or 1=Mobile Operator. + + + + + + + + + + + + + + 10.0.22621 + 1.1 + + + + 0 + Enterprise + + + 1 + Mobile Operator + + + + + + + + + WiFi + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Profile + + + + + Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. 
This network profile includes all the information required for the device to connect to that network – for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. + + + + + + + + + + + + + + + + + + + + + + + + The Profile name of the Wi-Fi network. This is added when WlanXml node is added and deleted when WlanXml is deleted. + + + + + + + + + + SSID + + + + + + + + + + WlanXml + + + + + + + + + XML describing the network configuration and follows Windows WLAN_profile schema. + Link to schema: http://msdn.microsoft.com/en-us/library/windows/desktop/ms707341(v=vs.85).aspx + + + + + + + + + + + + + + + + + Proxy + + + + + + + + Optional node. The format is url:port. Configuration of the network proxy (if any). + + + + + + + + + + + + + + + + + + + + + ProxyPacUrl + + + + + + + + Optional node. URL to the PAC file location. + + + + + + + + + + + + + + + + + 10.0.14393 + 1.1 + + + + + + + ProxyWPAD + + + + + + + + Optional node. The presence of the field enables WPAD for proxy lookup. + + + + + + + + + + + + + + 10.0.14393 + 1.1 + + + + false + Disable WPAD for proxy lookup. + + + true + Enable WPAD for proxy lookop. + + + + + + WiFiCost + + + + + + + + 1 + Optional node. If the policy is active selecting one of the values from the following list will set the cost of WLAN connection for the Wi-Fi profile. (1:Unrestricted - unlimited connection, 2: Fixed - capacity constraints up to a certain data limit, 3: Variable - costed on per byte basic) Default behaviour: Unrestricted + + + + + + + + + + + + + + 10.0.17763 + 1.1 + + + + 1 + Unrestricted - unlimited connection. + + + 2 + Fixed - capacity constraints up to a certain data limit. + + + 3 + Variable - paid on per byte basic. + + + + + + ProfileSource + + + + + + 0 + Allows for defining which administrative entity is setting this Wi-Fi profile. This can currently be set to either 0=Enterprise or 1=Mobile Operator. 
+ + + + + + + + + + + + + + 10.0.22621 + 1.1 + + + + 0 + Enterprise + + + 1 + Mobile Operator + + + + ``` -## Related topics +## Related articles -[WiFi configuration service provider](wifi-csp.md) +[WiFi configuration service provider reference](wifi-csp.md) diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index 917d96da7b..fc74d86711 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -40,6 +40,7 @@ WindowsAdvancedThreatProtection ----Configuration --------SampleSharing --------TelemetryReportingFrequency +--------AadDdeviceId ----Offboarding ----DeviceTagging --------Group 
@@ -48,34 +49,34 @@ WindowsAdvancedThreatProtection The following list describes the characteristics and parameters. -**./Device/Vendor/MSFT/WindowsAdvancedThreatProtection** +**./Device/Vendor/MSFT/WindowsAdvancedThreatProtection** The root node for the Windows Defender Advanced Threat Protection configuration service provider. Supported operation is Get. -**Onboarding** +**Onboarding** Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection. The data type is a string. Supported operations are Get and Replace. -**HealthState** +**HealthState** Node that represents the Windows Defender Advanced Threat Protection health state. -**HealthState/LastConnected** +**HealthState/LastConnected** Contains the timestamp of the last successful connection. Supported operation is Get. -**HealthState/SenseIsRunning** +**HealthState/SenseIsRunning** Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state. The default value is false. Supported operation is Get. -**HealthState/OnboardingState** +**HealthState/OnboardingState** Represents the onboarding state. Supported operation is Get. @@ -85,15 +86,15 @@ The following list shows the supported values: - 0 (default) – Not onboarded - 1 – Onboarded -**HealthState/OrgId** +**HealthState/OrgId** String that represents the OrgID. Supported operation is Get. -**Configuration** +**Configuration** Represents Windows Defender Advanced Threat Protection configuration. -**Configuration/SampleSharing** +**Configuration/SampleSharing** Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter. The following list shows the supported values: 
@@ -103,7 +104,7 @@ The following list shows the supported values: Supported operations are Get and Replace. -**Configuration/TelemetryReportingFrequency** +**Configuration/TelemetryReportingFrequency** Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency. The following list shows the supported values: @@ -113,26 +114,31 @@ The following list shows the supported values: Supported operations are Get and Replace. -**Offboarding** +**Configuration/AadDeviceId** +Returns or sets the Intune's reported known AadDeviceId for the machine + +Supported operations are Get and Replace. + +**Offboarding** Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection. The data type is a string. Supported operations are Get and Replace. -**DeviceTagging** +**DeviceTagging** Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging. Supported operation is Get. -**DeviceTagging/Group** +**DeviceTagging/Group** Added in Windows 10, version 1709. Device group identifiers. The data type is a string. Supported operations are Get and Replace. -**DeviceTagging/Criticality** +**DeviceTagging/Criticality** Added in Windows 10, version 1709. Asset criticality value. Supported values: - 0 - Normal @@ -217,6 +223,16 @@ Supported operations are Get and Replace. + + 7 + + + + ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/AadDeviceId + + + + 11 diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 32799b0ffd..a92d9f018f 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md 
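Review bot: The new `**Configuration/AadDeviceId**` entry in the @@ -113 hunk omits the two facts every sibling entry states: the release it was added in ("Added in Windows 10, version ...") and the data type ("The data type is a string."), and its one description sentence has no terminating period. I cannot tell the version or type from the hunk, so the fix needs the author's input; the description itself would read better as `Returns or sets the device's AadDeviceId as reported by Intune.` followed by `Added in Windows 10, version <VERSION-PLACEHOLDER>.` and the data-type sentence, presumably "string" given the other Configuration nodes, to be confirmed.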
@@ -1,382 +1,964 @@ --- title: WindowsDefenderApplicationGuard CSP -description: Configure the settings in Microsoft Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP). +description: Learn more about the WindowsDefenderApplicationGuard CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/02/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # WindowsDefenderApplicationGuard CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709. + -The following example shows the WindowsDefenderApplicationGuard configuration service provider in tree format. 
+ +The following list shows the WindowsDefenderApplicationGuard configuration service provider nodes: -```console -./Device/Vendor/MSFT -WindowsDefenderApplicationGuard -----Settings ---------AllowWindowsDefenderApplicationGuard ---------ClipboardFileType ---------ClipboardSettings ---------PrintingSettings ---------BlockNonEnterpriseContent ---------AllowPersistence ---------AllowVirtualGPU ---------SaveFilesToHost ---------CertificateThumbprints ---------AllowCameraMicrophoneRedirection -----Status -----PlatformStatus -----InstallWindowsDefenderApplicationGuard -----Audit ---------AuditApplicationGuard +- ./Device/Vendor/MSFT/WindowsDefenderApplicationGuard + - [Audit](#audit) + - [AuditApplicationGuard](#auditauditapplicationguard) + - [InstallWindowsDefenderApplicationGuard](#installwindowsdefenderapplicationguard) + - [PlatformStatus](#platformstatus) + - [Settings](#settings) + - [AllowCameraMicrophoneRedirection](#settingsallowcameramicrophoneredirection) + - [AllowPersistence](#settingsallowpersistence) + - [AllowVirtualGPU](#settingsallowvirtualgpu) + - [AllowWindowsDefenderApplicationGuard](#settingsallowwindowsdefenderapplicationguard) + - [BlockNonEnterpriseContent](#settingsblocknonenterprisecontent) + - [CertificateThumbprints](#settingscertificatethumbprints) + - [ClipboardFileType](#settingsclipboardfiletype) + - [ClipboardSettings](#settingsclipboardsettings) + - [PrintingSettings](#settingsprintingsettings) + - [SaveFilesToHost](#settingssavefilestohost) + - [Status](#status) + + + +## Audit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Audit ``` + -**./Device/Vendor/MSFT/WindowsDefenderApplicationGuard** -Root node. Supported operation is Get. + + +Interior node for Audit. + -**Settings** -Interior node. Supported operation is Get. + + + -**Settings/AllowWindowsDefenderApplicationGuard** -Turn on Microsoft Defender Application Guard in Enterprise Mode. + +**Description framework properties**: -Value type is integer. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported operations are Add, Get, Replace, and Delete. + + + -The following list shows the supported values: + -- 0 - Disable Microsoft Defender Application Guard. -- 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY. -- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY (added in Windows 10, version 2004). -- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments (added in Windows 10, version 2004). + +### Audit/AuditApplicationGuard -**Settings/ClipboardFileType** -Determines the type of content that can be copied from the host to Application Guard environment and vice versa. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -Value type is integer. + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Audit/AuditApplicationGuard +``` + -Supported operations are Add, Get, Replace, and Delete. + + +This policy setting allows you to decide whether auditing events can be collected from Application Guard. + -This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + + + -The following list shows the supported values: + +**Description framework properties**: -- 1 - Allow text copying. -- 2 - Allow image copying. -- 3 - Allow text and image copying. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -ADMX Info: + +**Allowed values**: -- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings* -- GP name: *AppHVSIClipboardFileType* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - +| Value | Description | +|:--|:--| +| 0 (Default) | Audit event logs aren't collected for Application Guard. | +| 1 | Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container. | + -**Settings/ClipboardSettings** -This policy setting allows you to decide how the clipboard behaves while in Application Guard. + +**Group policy mapping**: -Value type is integer. 
+| Name | Value | +|:--|:--| +| Name | AppHVSI_AuditApplicationGuardConfig | +| Friendly Name | Allow auditing events in Microsoft Defender Application Guard | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| Registry Value Name | AuditApplicationGuard | +| ADMX File Name | AppHVSI.admx | + -Supported operations are Add, Get, Replace, and Delete. + + + -This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + -The following list shows the supported values: + +## InstallWindowsDefenderApplicationGuard -- 0 (default) - Completely turns Off the clipboard functionality for the Application Guard. -- 1 - Turns On clipboard operation from an isolated session to the host. -- 2 - Turns On clipboard operation from the host to an isolated session. -- 3 - Turns On clipboard operation in both the directions. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -> [!IMPORTANT] -> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended. + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/InstallWindowsDefenderApplicationGuard +``` + - -ADMX Info: + + +Initiates remote installation of Application Guard feature. + -- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings* -- GP name: *AppHVSIClipboardSettings* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + + + -**Settings/PrintingSettings** -This policy setting allows you to decide how the print functionality behaves while in Application Guard. + +**Description framework properties**: -Value type is integer. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + -Supported operations are Add, Get, Replace, and Delete. + +**Allowed values**: -This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. +| Value | Description | +|:--|:--| +| Install | Will initiate feature install. | +| Uninstall | Will initiate feature uninstall. | + -The following list shows the supported values: + + + -- 0 (default) - Disables all print functionality. -- 1 - Enables only XPS printing. -- 2 - Enables only PDF printing. -- 3 - Enables both PDF and XPS printing. -- 4 - Enables only local printing. -- 5 - Enables both local and XPS printing. -- 6 - Enables both local and PDF printing. -- 7 - Enables local, PDF, and XPS printing. -- 8 - Enables only network printing. -- 9 - Enables both network and XPS printing. -- 10 - Enables both network and PDF printing. -- 11 - Enables network, PDF, and XPS printing. 
-- 12 - Enables both network and local printing. -- 13 - Enables network, local, and XPS printing. -- 14 - Enables network, local, and PDF printing. -- 15 - Enables all printing. + - -ADMX Info: + +## PlatformStatus -- GP Friendly name: *Configure Microsoft Defender Application Guard print settings* -- GP name: *AppHVSIPrintingSettings* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -**Settings/BlockNonEnterpriseContent** -This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/PlatformStatus +``` + -Value type is integer. + + +Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device. Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. Bit 1 - Set to 1 when the client machine is Hyper-V capable. Bit 2 - Reserved for Microsoft. Bit 3 - Set to 1 when Application Guard is installed on the client machine. Bit 4 - Reserved for Microsoft. Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. + -Supported operations are Add, Get, Replace, and Delete. + + + -This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +**Description framework properties**: -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge. -- 1 - Non-enterprise content embedded on enterprise sites is stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard. + + + -> [!NOTE] -> This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled. 
+ - -ADMX Info: + +## Settings -- GP Friendly name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer* -- GP name: *BlockNonEnterpriseContent* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -**Settings/AllowPersistence** + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings +``` + + + + +Interior Node for Settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Settings/AllowCameraMicrophoneRedirection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowCameraMicrophoneRedirection +``` + + + + +This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device's camera and microphone when these settings are enabled on the user's device. + +- If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the user's device. +- If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user's device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Microsoft Defender Application Guard cannot access the device’s camera and microphone. When the policy is not configured, it is the same as disabled (0). | +| 1 | Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AppHVSI_AllowCameraMicrophoneRedirectionConfig | +| Friendly Name | Allow camera and microphone access in Microsoft Defender Application Guard | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| Registry Value Name | AllowCameraMicrophoneRedirection | +| ADMX File Name | AppHVSI.admx | + + + + + + + + + +### Settings/AllowPersistence + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowPersistence +``` + + + + This policy setting allows you to decide whether data should persist across different sessions in Application Guard. + -Value type is integer. + + + -Supported operations are Add, Get, Replace, and Delete. + +**Description framework properties**: -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + -- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user sign out. -- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions. + +**Allowed values**: - -ADMX Info: +| Value | Description | +|:--|:--| +| 0 | Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off. | +| 1 | Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions. | + -- GP Friendly name: *Allow data persistence for Microsoft Defender Application Guard* -- GP name: *AllowPersistence* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + +**Group policy mapping**: -**Settings/AllowVirtualGPU** -Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics. 
+| Name | Value | +|:--|:--| +| Name | AppHVSI_AllowPersistence | +| Friendly Name | Allow data persistence for Microsoft Defender Application Guard | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| Registry Value Name | AllowPersistence | +| ADMX File Name | AppHVSI.admx | + -Value type is integer. + + + -Supported operations are Add, Get, Replace, and Delete. + -This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +### Settings/AllowVirtualGPU -If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowVirtualGPU +``` + -- 0 (default) - Can't access the vGPU and uses the CPU to support rendering graphics. When the policy isn't configured, it's the same as disabled (0). -- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This functionality can create a faster experience when working with graphics intense websites or watching video within the container. + + +This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics. If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. + + + > [!WARNING] > Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device. + - -ADMX Info: + +**Description framework properties**: -- GP Friendly name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard* -- GP name: *AllowVirtualGPU* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -**Settings/SaveFilesToHost** -Added in Windows 10, version 1803. 
This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files from container to the host operating system. This policy setting also enables users to elect files on the host operating system and upload it through Edge in the container. + +**Allowed values**: -Value type is integer. +| Value | Description | +|:--|:--| +| 0 (Default) | Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0). | +| 1 | Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container. | + -Supported operations are Add, Get, Replace, and Delete. + +**Group policy mapping**: -The following list shows the supported values: +| Name | Value | +|:--|:--| +| Name | AppHVSI_AllowVirtualGPU | +| Friendly Name | Allow hardware-accelerated rendering for Microsoft Defender Application Guard | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| Registry Value Name | AllowVirtualGPU | +| ADMX File Name | AppHVSI.admx | + -- 0 (default) - The user can't download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. When the policy isn't configured, it's the same as disabled (0). -- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system. 
+ + + - -ADMX Info: + -- GP Friendly name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard* -- GP name: *SaveFilesToHost* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + +### Settings/AllowWindowsDefenderApplicationGuard -**Settings/CertificateThumbprints** -Added in Windows 10, version 1809. This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -Value type is string. + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowWindowsDefenderApplicationGuard +``` + -Supported operations are Add, Get, Replace, and Delete. + + +Turn on Microsoft Defender Application Guard in Enterprise Mode. + -This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + + + -If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer. + +**Description framework properties**: -Here's an example: -b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924 +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + -If you disable or don’t configure this setting, certificates aren't shared with the Microsoft Defender Application Guard container. + +**Allowed values**: - -ADMX Info: +| Value | Description | +|:--|:--| +| 0 | Disable Microsoft Defender Application Guard. | +| 1 | Enable Microsoft Defender Application Guard for Microsoft Edge ONLY. | +| 2 | Enable Microsoft Defender Application Guard for isolated Windows environments ONLY. | +| 3 | Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments. 
| + -- GP Friendly name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device* -- GP name: *CertificateThumbprints* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowAppHVSI | +| Path | Windows Components > Microsoft Defender Application Guard | + + + + + + + + + +### Settings/BlockNonEnterpriseContent +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/BlockNonEnterpriseContent +``` + + + + +This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. + + + + +> [!NOTE] +> This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge. | +| 1 | Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AppHVSI_BlockNonEnterpriseContentConfig | +| Friendly Name | Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| Registry Value Name | BlockNonEnterpriseContent | +| ADMX File Name | AppHVSI.admx | + + + + + + + + + +### Settings/CertificateThumbprints + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/CertificateThumbprints +``` + + + + +This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container. + +- If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer. Here's an example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924. +- If you disable or don't configure this setting, certificates are not shared with the Microsoft Defender Application Guard container. + + + + > [!NOTE] > To enforce this policy, device restart or user logon/logoff is required. + -**Settings/AllowCameraMicrophoneRedirection** -Added in Windows 10, version 1809. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device. + +**Description framework properties**: -Value type is integer. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + -Supported operations are Add, Get, Replace, and Delete. + +**Group policy mapping**: -This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. 
+| Name | Value | +|:--|:--| +| Name | AppHVSI_CertificateThumbprints | +| Friendly Name | Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user’s device | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| ADMX File Name | AppHVSI.admx | + -If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the user’s device. + + + -If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user’s device. + -The following list shows the supported values: + +### Settings/ClipboardFileType -- 0 (default) - Microsoft Defender Application Guard can't access the device’s camera and microphone. When the policy isn't configured, it's the same as disabled (0). -- 1 - Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -> [!IMPORTANT] -> If you turn on this policy setting, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed. + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/ClipboardFileType +``` + - -ADMX Info: + + +Determines the type of content that can be copied from the host to Application Guard environment and vice versa. + -- GP Friendly name: *Allow camera and microphone access in Microsoft Defender Application Guard* -- GP name: *AllowCameraMicrophoneRedirection* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + + + -**Status** -Returns bitmask that indicates status of Application Guard installation for Microsoft Edge and prerequisites on the device. + +**Description framework properties**: -Value type is integer. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + -Supported operation is Get. + +**Allowed values**: -- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. -- Bit 1 - Set to 1 when the client machine is Hyper-V capable. -- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU. -- Bit 3 - Set to 1 when Application Guard is installed on the client machine. -- Bit 4 - Set to 1 when required Network Isolation Policies are configured. -- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. -- Bit 6 - Set to 1 when system reboot is required. +| Value | Description | +|:--|:--| +| 1 | Allow text copying. | +| 2 | Allow image copying. | +| 3 | Allow text and image copying. 
| + -**PlatformStatus** -Added in Windows 10, version 2004. Applies to Microsoft Office/Generic platform. Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device. + +**Group policy mapping**: -Value type is integer. +| Name | Value | +|:--|:--| +| Name | AppHVSI_ClipboardConfig | +| Friendly Name | Configure Microsoft Defender Application Guard clipboard settings | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| ADMX File Name | AppHVSI.admx | + -Supported operation is Get. + + + -- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. -- Bit 1 - Set to 1 when the client machine is Hyper-V capable. -- Bit 2 - Reserved for Microsoft. -- Bit 3 - Set to 1 when Application Guard is installed on the client machine. -- Bit 4 - Reserved for Microsoft. -- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. + -**InstallWindowsDefenderApplicationGuard** -Initiates remote installation of Application Guard feature. + +### Settings/ClipboardSettings -Supported operations are Get and Execute. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/ClipboardSettings +``` + -- Install - Will initiate feature install. -- Uninstall - Will initiate feature uninstall. + + +This policy setting allows you to decide how the clipboard behaves while in Application Guard. + -**Audit** -Interior node. Supported operation is Get. + + + -**Audit/AuditApplicationGuard** -This policy setting allows you to decide whether auditing events can be collected from Application Guard. + +**Description framework properties**: -Value type in integer. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -Supported operations are Add, Get, Replace, and Delete. + +**Allowed values**: -This policy setting is supported on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. +| Value | Description | +|:--|:--| +| 0 (Default) | Completely turns Off the clipboard functionality for the Application Guard. | +| 1 | Turns On clipboard operation from an isolated session to the host. | +| 2 | Turns On clipboard operation from the host to an isolated session. | +| 3 | Turns On clipboard operation in both the directions. | + -The following list shows the supported values: + +**Group policy mapping**: -- 0 (default) - Audit event logs aren't collected for Application Guard. -- 1 - Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container. 
+| Name | Value | +|:--|:--| +| Name | AppHVSI_ClipboardConfig | +| Friendly Name | Configure Microsoft Defender Application Guard clipboard settings | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| ADMX File Name | AppHVSI.admx | + - -ADMX Info: + + + -- GP Friendly name: *Allow auditing events in Microsoft Defender Application Guard* -- GP name: *AuditApplicationGuard* -- GP path: *Windows Components/Microsoft Defender Application Guard* -- GP ADMX file name: *AppHVSI.admx* - + -## Related topics + +### Settings/PrintingSettings -[Configuration service provider reference](index.yml) + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/PrintingSettings +``` + + + + +This policy setting allows you to decide how the print functionality behaves while in Application Guard. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disables all print functionality. | +| 1 | Enables only XPS printing. | +| 2 | Enables only PDF printing. | +| 3 | Enables both PDF and XPS printing. | +| 4 | Enables only local printing. | +| 5 | Enables both local and XPS printing. | +| 6 | Enables both local and PDF printing. | +| 7 | Enables local, PDF, and XPS printing. | +| 8 | Enables only network printing. | +| 9 | Enables both network and XPS printing. | +| 10 | Enables both network and PDF printing. | +| 11 | Enables network, PDF, and XPS printing. | +| 12 | Enables both network and local printing. | +| 13 | Enables network, local, and XPS printing. | +| 14 | Enables network, local, and PDF printing. | +| 15 | Enables all printing. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AppHVSI_PrintingConfig | +| Friendly Name | Configure Microsoft Defender Application Guard print settings | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| ADMX File Name | AppHVSI.admx | + + + + + + + + + +### Settings/SaveFilesToHost + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/SaveFilesToHost +``` + + + + +This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0). | +| 1 | Turns on the functionality to allow users to download files from Edge in the container to the host file system. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AppHVSI_SaveFilesToHost | +| Friendly Name | Allow files to download and save to the host operating system from Microsoft Defender Application Guard | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Application Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI | +| Registry Value Name | SaveFilesToHost | +| ADMX File Name | AppHVSI.admx | + + + + + + + + + +## Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Status +``` + + + + +Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. Bit 1 - Set to 1 when the client machine is Hyper-V capable. Bit 2 - Set to 1 when the client machine has a valid OS license and SKU. Bit 3 - Set to 1 when Application Guard installed on the client machine. Bit 4 - Set to 1 when required Network Isolation Policies are configured. Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. Bit 6 - Set to 1 when system reboot is required. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index 1c659fd2d1..67e900aa01 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md 
@@ -1,487 +1,660 @@ --- title: WindowsDefenderApplicationGuard DDF file -description: Learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP). +description: View the XML file containing the device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/10/2018 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + # WindowsDefenderApplicationGuard DDF file -> [!WARNING] -> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -This XML is for Windows 10, version 1809 and later. +The following XML file contains the device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider. ```xml -]> +]> 1.2 + + + + WindowsDefenderApplicationGuard + ./Device/Vendor/MSFT + + + + + Root Node + + + + + + + + + + + + + + 10.0.16299 + 1.1 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Settings + + + + + Interior Node for Settings + + + + + + + + + + + + + - WindowsDefenderApplicationGuard - ./Device/Vendor/MSFT + AllowWindowsDefenderApplicationGuard + + + + Turn on Microsoft Defender Application Guard in Enterprise Mode. 
- + - + - com.microsoft/1.3/MDM/WindowsDefenderApplicationGuard + + + + 0 + Disable Microsoft Defender Application Guard + + + 1 + Enable Microsoft Defender Application Guard for Microsoft Edge ONLY + + + 2 + Enable Microsoft Defender Application Guard for isolated Windows environments ONLY + + + 3 + Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments + + + - - Settings - - - - - - - - - - - - - - - - - - - AllowWindowsDefenderApplicationGuard - - - - - - - - - - - - - - - - - - text/plain - - - - - ClipboardFileType - - - - - - - - - - - - - - - - - - text/plain - - - - - ClipboardSettings - - - - - - - - - - - - - - - - - - text/plain - - - - - PrintingSettings - - - - - - - - - - - - - - - - - - text/plain - - - - - BlockNonEnterpriseContent - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPersistence - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowVirtualGPU - - - - - - - - - - - - - - - - - - text/plain - - - - - SaveFilesToHost - - - - - - - - - - - - - - - - - - text/plain - - - - - FileTrustCriteria - - - - - - - - - - - - - - - - - - text/plain - - - - - FileTrustOriginRemovableMedia - - - - - - - - - - - - - - - - - - text/plain - - - - - FileTrustOriginNetworkShare - - - - - - - - - - - - - - - - - - text/plain - - - - - FileTrustOriginMarkOfTheWeb - - - - - - - - - - - - - - - - - - text/plain - - - - - CertificateThumbprints - - - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCameraMicrophoneRedirection - - - - - - - - - - - - - - - - - - text/plain - - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - InstallWindowsDefenderApplicationGuard - - - - - - - - - - - - - - - - text/plain - - - - - Audit - - - - - - - - - - - - - - - - - - - AuditApplicationGuard - - - - - - - - - - - - - - - - - - text/plain - - - - + + ClipboardFileType + + + + + + + + Determines the type of content that can be copied from the host to Application Guard environment and 
vice versa. + + + + + + + + + + + + + + + 1 + Allow text copying. + + + 2 + Allow image copying. + + + 3 + Allow text and image copying. + + + + + + + ClipboardSettings + + + + + + + + 0 + This policy setting allows you to decide how the clipboard behaves while in Application Guard. + + + + + + + + + + + + + + + 0 + Completely turns Off the clipboard functionality for the Application Guard. + + + 1 + Turns On clipboard operation from an isolated session to the host. + + + 2 + Turns On clipboard operation from the host to an isolated session. + + + 3 + Turns On clipboard operation in both the directions. + + + + + + + PrintingSettings + + + + + + + + 0 + This policy setting allows you to decide how the print functionality behaves while in Application Guard. + + + + + + + + + + + + + + + 0 + Disables all print functionality. + + + 1 + Enables only XPS printing. + + + 2 + Enables only PDF printing. + + + 3 + Enables both PDF and XPS printing. + + + 4 + Enables only local printing. + + + 5 + Enables both local and XPS printing. + + + 6 + Enables both local and PDF printing. + + + 7 + Enables local, PDF, and XPS printing. + + + 8 + Enables only network printing. + + + 9 + Enables both network and XPS printing. + + + 10 + Enables both network and PDF printing. + + + 11 + Enables network, PDF, and XPS printing. + + + 12 + Enables both network and local printing. + + + 13 + Enables network, local, and XPS printing. + + + 14 + Enables network, local, and PDF printing. + + + 15 + Enables all printing. + + + + + + + BlockNonEnterpriseContent + + + + + + + + 0 + This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. + + + + + + + + + + + + + + + 0 + Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge. 
+ + + 1 + Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard. + + + + + + + + AllowPersistence + + + + + + + + This policy setting allows you to decide whether data should persist across different sessions in Application Guard. + + + + + + + + + + + + + + + 0 + Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off. + + + 1 + Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions. + + + + + + + AllowVirtualGPU + + + + + + + + 0 + This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics. If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. + + + + + + + + + + + + + + 10.0.17134 + 1.2 + + + + 0 + Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0). + + + 1 + Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container. 
+ + + + + + + SaveFilesToHost + + + + + + + + 0 + This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. + + + + + + + + + + + + + + 10.0.17134 + 1.2 + + + + 0 + The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0). + + + 1 + Turns on the functionality to allow users to download files from Edge in the container to the host file system. + + + + + + + CertificateThumbprints + + + + + + + + This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container. If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer. Here's an example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924. If you disable or don’t configure this setting, certificates are not shared with the Microsoft Defender Application Guard container. + + + + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + + + + + + AllowCameraMicrophoneRedirection + + + + + + + + 0 + This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device. If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the user’s device. If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user’s device. 
+ + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + 0 + Microsoft Defender Application Guard cannot access the device’s camera and microphone. When the policy is not configured, it is the same as disabled (0). + + + 1 + Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone. + + + + + + + + Status + + + + + Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. Bit 1 - Set to 1 when the client machine is Hyper-V capable. Bit 2 - Set to 1 when the client machine has a valid OS license and SKU. Bit 3 - Set to 1 when Application Guard installed on the client machine. Bit 4 - Set to 1 when required Network Isolation Policies are configured. Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. Bit 6 - Set to 1 when system reboot is required. + + + + + + + + + + + + + + + + PlatformStatus + + + + + Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device. Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. Bit 1 - Set to 1 when the client machine is Hyper-V capable. Bit 2 - Reserved for Microsoft. Bit 3 - Set to 1 when Application Guard is installed on the client machine. Bit 4 - Reserved for Microsoft. Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. + + + + + + + + + + + + + + 10.0.19041 + 1.4 + + + + + InstallWindowsDefenderApplicationGuard + + + + + + Initiates remote installation of Application Guard feature. + + + + + + + + + + + + + + + Install + Will initiate feature install. + + + Uninstall + Will initiate feature uninstall. 
+ + + + + + Audit + + + + + Interior node for Audit + + + + + + + + + + + + + + + AuditApplicationGuard + + + + + + + + 0 + This policy setting allows you to decide whether auditing events can be collected from Application Guard. + + + + + + + + + + + + + + + 0 + Audit event logs aren't collected for Application Guard. + + + 1 + Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container. + + + + + + + ``` -## Related topics +## Related articles -[WindowsDefenderApplicationGuard configuration service provider](windowsdefenderapplicationguard-csp.md) \ No newline at end of file +[WindowsDefenderApplicationGuard configuration service provider reference](windowsdefenderapplicationguard-csp.md) diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index 1b912a214a..da4d51d70b 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md 
@@ -1,226 +1,129 @@ --- title: WindowsLicensing CSP -description: Learn how the WindowsLicensing configuration service provider (CSP) is designed for licensing related management scenarios. -ms.reviewer: +description: Learn more about the WindowsLicensing CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/15/2018 +ms.topic: reference --- + + + # WindowsLicensing CSP -The table below shows the applicability of Windows: + + +The WindowsLicensing configuration service provider is designed for licensing related management scenarios. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +The following list shows the WindowsLicensing configuration service provider nodes: -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. 
+- ./Vendor/MSFT/WindowsLicensing + - [ChangeProductKey](#changeproductkey) + - [CheckApplicability](#checkapplicability) + - [DeviceLicensingService](#devicelicensingservice) + - [AcquireDeviceLicense](#devicelicensingserviceacquiredevicelicense) + - [DeviceLicensingLastError](#devicelicensingservicedevicelicensinglasterror) + - [DeviceLicensingLastErrorDescription](#devicelicensingservicedevicelicensinglasterrordescription) + - [DeviceLicensingStatus](#devicelicensingservicedevicelicensingstatus) + - [LicenseType](#devicelicensingservicelicensetype) + - [RemoveDeviceLicense](#devicelicensingserviceremovedevicelicense) + - [Edition](#edition) + - [LicenseKeyType](#licensekeytype) + - [SMode](#smode) + - [Status](#smodestatus) + - [SwitchFromSMode](#smodeswitchfromsmode) + - [SwitchingPolicy](#smodeswitchingpolicy) + - [Status](#status) + - [Subscriptions](#subscriptions) + - [{SubscriptionId}](#subscriptionssubscriptionid) + - [Name](#subscriptionssubscriptionidname) + - [Status](#subscriptionssubscriptionidstatus) + - [UpgradeEditionWithLicense](#upgradeeditionwithlicense) + - [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) + -The WindowsLicensing configuration service provider is designed for licensing related management scenarios. Currently the scope is limited to edition upgrades of Windows 10 client devices, such as Windows 10 Pro to Windows 10 Enterprise. In addition, this CSP provides the capability to activate or change the product key of Windows 10 client devices. + +## ChangeProductKey -The following example shows the WindowsLicensing configuration service provider in tree format. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -```console -./Vendor/MSFT -WindowsLicensing -----UpgradeEditionWithProductKey -----ChangeProductKey -----Edition -----Status -----LicenseKeyType -----CheckApplicability -----ChangeProductKey (Added in Windows 10, version 1703) -----Subscriptions (Added in Windows 10, version 1607) ---------SubscriptionId (Added in Windows 10, version 1607) -------------Status (Added in Windows 10, version 1607) -------------Name (Added in Windows 10, version 1607) -----SMode (Added in Windows 10, version 1809) ---------SwitchingPolicy (Added in Windows 10, version 1809) ---------SwitchFromSMode (Added in Windows 10, version 1809) ---------Status (Added in Windows 10, version 1809) + +```Device +./Vendor/MSFT/WindowsLicensing/ChangeProductKey ``` - -**./Device/Vendor/MSFT/WindowsLicensing** -This node is the root node for the WindowsLicensing configuration service provider. - -The supported operation is Get. - -**UpgradeEditionWithProductKey** -Enters a product key for an edition upgrade of Windows 10 desktop devices. - -> [!NOTE] -> This upgrade process requires a system restart. - -The date type is a chr. - -The supported operation is Exec. - -When a product key is pushed from an MDM server to a user's device, **changepk.exe** runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows 10 is available. The user can then restart their system manually or after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart. - -After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. - -> [!IMPORTANT] -> If another policy requires a system reboot that occurs when **changepk.exe** is running, the edition upgrade will fail. 
- -If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and **changepk.exe** runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart. - -After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. - -This node can also be used to activate or change a product key on a particular edition of Windows 10 desktop device by entering a product key. Activation or changing a product key doesn't require a reboot and is a silent process for the user. - -> [!IMPORTANT] -> The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. The product key is acquired from Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal. - -The following are valid edition upgrade paths when using this node through an MDM: - -- Windows 10/Windows 11 Enterprise to Windows 10/ Windows 11 Education -- Windows 10/Windows 11 Home to Windows 10/Windows 11 Education -- Windows 10/Windows 11 Pro to Windows 10/Windows 11 Education -- Windows 10/Windows 11 Pro to Windows 10/Windows 11 Enterprise - -Activation or changing a product key can be carried out on the following editions: - -- Windows 10/Windows 11 Education -- Windows 10/Windows 11 Enterprise -- Windows 10/Windows 11 Home -- Windows 10/Windows 11 Pro - -**Edition** -Returns a value that maps to the Windows 10 or Windows 11 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. 
- -The data type is an Int. - -The supported operation is Get. - -**Status** -Returns the status of an edition upgrade on Windows devices. The status corresponds to one of the following values: - -- 0 = Failed -- 1 = Pending -- 2 = In progress -- 3 = Completed -- 4 = Unknown - -The data type is an Int. - -The supported operation is Get. - - - -**LicenseKeyType** -Returns the parameter type used by Windows 10 or Windows 11 devices for an edition upgrade, activation, or product key change. - -- Windows 10 or Windows 11 client devices require a product key. - -The data type is a chr. - -The supported operation is Get. - -**CheckApplicability** -Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 or Windows 11 for desktop devices. - -The data type is a chr. - -The supported operation is Exec. - -**ChangeProductKey** -Added in Windows 10, version 1703. Installs a product key for Windows desktop devices. Doesn't reboot. - -The data type is a chr. - -The supported operation is Execute. - -**Subscriptions** -Added in Windows 10, version 1607. Node for subscriptions. - -**Subscriptions/SubscriptionId** -Added in Windows 10, version 1607. Node for subscription IDs. - -**Subscriptions/SubscriptionId/Status** -Added in Windows 10, version 1607. Returns the status of the subscription. - -The data type is an Int. - -The supported operation is Get. - -**Subscriptions/SubscriptionId/Name** -Added in Windows 10, version 1607. Returns the name of the subscription. - -The data type is a chr. - -The supported operation is Get. - -**SMode** -Interior node for managing S mode. - -**SMode/SwitchingPolicy** -Added in Windows 10, version 1809. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. 
For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete) - -Value type is integer. - -Supported operations are Add, Get, Replace, and Delete. - -Supported values: - -- 0 - No Restriction: The user is allowed to switch the device out of S mode. -- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. - -**SMode/SwitchFromSMode** -Added in Windows 10, version 1809. Switches a device out of S mode if possible. Doesn't reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute) - -Supported operation is Execute. - -**SMode/Status** -Added in Windows 10, version 1809. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example) - -Value type is integer. - -Supported operation is Get. - -Values: - -- Request fails with error code 404 - no SwitchFromSMode request has been made. -- 0 - The device successfully switched out of S mode. -- 1 - The device is processing the request to switch out of S mode. -- 3 - The device was already switched out of S mode. -- 4 - The device failed to switch out of S mode. - -## SyncML examples - -**CheckApplicability** + + + + +Installs a product key for Windows 10 desktop devices. Does not reboot. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + + + + + + +## CheckApplicability + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/CheckApplicability +``` + + + + +Returns TRUE if the entered product key can be used for an edition upgrade of Windows 10 desktop devices. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + + + + +**Example**: ```xml @@ -243,9 +146,328 @@ Values: ``` > [!NOTE] -> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. +> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the Data tag should be replaced with your product key. + -**Edition** + + + +## DeviceLicensingService + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/DeviceLicensingService +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### DeviceLicensingService/AcquireDeviceLicense + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/AcquireDeviceLicense +``` + + + + +Acquire and Refresh Device License. Does not reboot. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +### DeviceLicensingService/DeviceLicensingLastError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/DeviceLicensingLastError +``` + + + + +Returns the last error code of Refresh/Remove Device License operation. Value would be empty(0) in absence of error. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### DeviceLicensingService/DeviceLicensingLastErrorDescription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/DeviceLicensingLastErrorDescription +``` + + + + +Returns last error description from Device Licensing. Value would be empty, if error decription can not be evaluated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### DeviceLicensingService/DeviceLicensingStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/DeviceLicensingStatus +``` + + + + +Returns the status of Refresh/Remove Device License operation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### DeviceLicensingService/LicenseType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/LicenseType +``` + + + + +License Type: User Based Subscription or Device Based Subscription. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | User Based Subscription. | +| 1 | Device Based Subscription. | + + + + + + + + + +### DeviceLicensingService/RemoveDeviceLicense + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/RemoveDeviceLicense +``` + + + + +Remove Device License. Device would be ready for user based license after this operation. Does not reboot. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +## Edition + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Edition +``` + + + + +Returns a value that maps to the Windows 10 edition running on desktop or mobile devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + +**Example**: ```xml @@ -262,8 +484,46 @@ Values: ``` + -**LicenseKeyType** + + + +## LicenseKeyType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/LicenseKeyType +``` + + + + +Returns the parameter type used by Windows 10 devices for an edition upgrade. Windows 10 desktop devices require a product key for an edition upgrade. Windows 10 mobile devices require a license for an edition upgrade. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + +**Example**: ```xml @@ -280,76 +540,92 @@ Values: ``` + -**Status** + -```xml - - - - $CmdID$ - - - ./Device/Vendor/MSFT/WindowsLicensing/Status - - - - - - + +## SMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/SMode ``` + -**UpgradeEditionWithProductKey** + + +Interior node for managing S mode. + -```xml - - - - $CmdID$ - - - ./Device/Vendor/MSFT/WindowsLicensing/UpgradeEditionWithProductKey - - - chr - - XXXXX-XXXXX-XXXXX-XXXXX-XXXXX - - - - - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### SMode/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/SMode/Status ``` + -> [!NOTE] -> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. + + +Returns the status of the latest SwitchFromSMode or SwitchingPolicy set request. + - + +Possible values: -**UpgradeEditionWithLicense** +- Request fails with error code 404: no SwitchFromSMode request has been made. +- 0: The device successfully switched out of S mode. +- 1: The device is processing the request to switch out of S mode. +- 3: The device was already switched out of S mode. +- 4: The device failed to switch out of S mode. + -```xml - - - - $CmdID$ - - - ./Device/Vendor/MSFT/WindowsLicensing/UpgradeEditionWithLicense - - - chr - - YOUR XML ENCODED LICENSE GOES HERE - - - - - -``` ---> + +**Description framework properties**: -**Get S mode status** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + +**Example**: ```xml @@ -368,8 +644,46 @@ Values: ``` + -**Execute SwitchFromSMode** + + + +### SMode/SwitchFromSMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/SMode/SwitchFromSMode +``` + + + + +Switches a device out of S mode if possible. Does not reboot. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + +**Example**: ```xml @@ -393,97 +707,504 @@ Values: ``` + -**Add S mode SwitchingPolicy** + -```xml - - - - 4 - - - - ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy - - - - int - text/plain - - 1 - - - - - + +### SMode/SwitchingPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy ``` + -**Get S mode SwitchingPolicy** + + +Policy that determines whether a consumer can switch the device out of S mode. + + + + +This setting is only applicable to devices available in S mode. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | No Restriction: The user is allowed to switch the device out of S mode. | +| 1 | User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. | + + + + +**Examples**: + +- Add S Mode SwitchingPolicy + + ```xml + + + + 4 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + int + text/plain + + 1 + + + + + + ``` + +- Get S Mode Switching Policy + + ```xml + + + + 2 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + + + + + ``` + +- Replace S mode SwitchingPolicy + + ```xml + + + + 1 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + int + text/plain + + 1 + + + + + + ``` + +- Delete S mode SwitchingPolicy + + ```xml + + + + 3 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + + + + + ``` + + + + + +## Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Status +``` + + + + +Returns the status of an edition upgrade on Windows 10 desktop and mobile devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + +**Example**: ```xml - 2 - - - - ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy - - - + $CmdID$ + + + ./Device/Vendor/MSFT/WindowsLicensing/Status + + ``` + -**Replace S mode SwitchingPolicy** + + + +## Subscriptions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions +``` + + + + +Node for subscriptions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Subscriptions/{SubscriptionId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/{SubscriptionId} +``` + + + + +Node for subscription IDs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### Subscriptions/{SubscriptionId}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/{SubscriptionId}/Name +``` + + + + +Returns the name of the subscription. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Subscriptions/{SubscriptionId}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/{SubscriptionId}/Status +``` + + + + +Returns the status of the subscription. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## UpgradeEditionWithLicense + +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/UpgradeEditionWithLicense +``` + + + + +Provide a license for an edition upgrade of Windows 10 mobile devices. Does not require reboot. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | xml | +| Access Type | Exec | + + + + + + + + + +## UpgradeEditionWithProductKey + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/UpgradeEditionWithProductKey +``` + + + + +Enter a product key for an edition upgrade of Windows 10 desktop devices. Requires reboot. + + + + +When a product key is pushed from an MDM server to a user's device, `changepk.exe` runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows is available. The user can then restart their system manually or after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart. + +After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. + +> [!NOTE] +> If another policy requires a system reboot that occurs when `changepk.exe` is running, the edition upgrade will fail. + +If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and `changepk.exe` runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart. + +After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. + +This node can also be used to activate or change a product key on a particular edition of Windows 10 desktop device by entering a product key. Activation or changing a product key doesn't require a reboot and is a silent process for the user. + +> [!IMPORTANT] +> The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. 
The product key is acquired from Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal. + +The following are valid edition upgrade paths when using this node through an MDM: + +- Windows 10/11 Enterprise to Windows 10/11 Education +- Windows 10/11 Home to Windows 10/11 Education +- Windows 10/11 Pro to Windows 10/11 Education +- Windows 10/11 Pro to Windows 10/11 Enterprise + +Activation or changing a product key can be carried out on the following editions: + +- Windows 10/11 Education +- Windows 10/11 Enterprise +- Windows 10/11 Home +- Windows 10/11 Pro + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | +| Reboot Behavior | Automatic | + + + + +**Example**: ```xml - - 1 - - - - ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy - - - - int - text/plain - - 1 - - - + + $CmdID$ + + + ./Device/Vendor/MSFT/WindowsLicensing/UpgradeEditionWithProductKey + + + chr + + XXXXX-XXXXX-XXXXX-XXXXX-XXXXX + + + ``` -**Delete S mode SwitchingPolicy** +> [!NOTE] +> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the Data tag should be replaced with your product key. + -```xml - - - - 3 - - - - ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy - - - - - - - -``` + -## Related topics + + + -[Configuration service provider reference](index.yml) + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index 00f97205ee..ad27537130 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md 
@@ -1,44 +1,399 @@ --- title: WindowsLicensing DDF file -description: Learn about the OMA DM device description framework (DDF) for the WindowsLicensing configuration service provider (CSP). -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the WindowsLicensing configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/16/2017 +ms.topic: reference --- + + # WindowsLicensing DDF file -> [!WARNING] -> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic shows the OMA DM device description framework (DDF) for the **WindowsLicensing** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is for Windows 10, version 1809 and later. +The following XML file contains the device description framework (DDF) for the WindowsLicensing configuration service provider. ```xml -]> +]> 1.2 + + + + WindowsLicensing + ./Vendor/MSFT + + + + + This is the root node for the WindowsLicensing configuration service provider. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBF;0xCD; + + + + UpgradeEditionWithProductKey + + + + + Enter a product key for an edition upgrade of Windows 10 desktop devices. Requires reboot. + + + + + + + + + + + + + + + + + + Automatic + + + + ChangeProductKey + + + + + Installs a product key for Windows 10 desktop devices. Does not reboot. 
+ + + + + + + + + + + + + + + + + 10.0.15063 + 1.2 + + + + + + + Edition + + + + + Returns a value that maps to the Windows 10 edition running on desktop or mobile devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. + + + + + + + + + + + + + + + + + + + Status + + + + + Returns the status of an edition upgrade on Windows 10 desktop and mobile devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown + + + + + + + + + + + + + + + + + + + UpgradeEditionWithLicense + + + + + Provide a license for an edition upgrade of Windows 10 mobile devices. Does not require reboot. + + + + + + + + + + + + + + + + + + + + + + LicenseKeyType + + + + + Returns the parameter type used by Windows 10 devices for an edition upgrade. Windows 10 desktop devices require a product key for an edition upgrade. Windows 10 mobile devices require a license for an edition upgrade. + + + + + + + + + + + + + + + + + + + CheckApplicability + + + + + Returns TRUE if the entered product key can be used for an edition upgrade of Windows 10 desktop devices. + + + + + + + + + + + + + + + + + + + Subscriptions + + + + + Node for subscriptions. + + + + + + + + + + + + + + 10.0.14393 + 1.1 + + - WindowsLicensing - ./Vendor/MSFT + + + Node for subscription IDs. + + + + + + + SubscriptionId + + + + + + + + + Status + + + + + Returns the status of the subscription. + + + + + + + + + + + + + + + + Name + + + + + Returns the name of the subscription. + + + + + + + + + + + + + + + + + + SMode + + + + + Interior node for managing S mode. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + SwitchingPolicy + + + + + + + + Policy that determines whether a consumer can switch the device out of S mode + + + + + + + + + + + + + + + + + + 0 + No Restriction: The user is allowed to switch the device out of S mode. 
+ + + 1 + User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. + + + + + + SwitchFromSMode + + + + + Switches a device out of S mode if possible. Does not reboot. + + + 
@@ -46,309 +401,206 @@ The XML below is for Windows 10, version 1809 and later. - com.microsoft/1.3/MDM/WindowsLicensing + + + + + + + + + Status + + + + + Returns the status of the latest SwitchFromSMode or SwitchingPolicy set request. + + + + + + + + + + + + + + + + + + + + DeviceLicensingService + + + + + Insert Description Here + + + + + + + + + + + + + + 10.0.22621 + 1.4 + + + + LicenseType + + + + + + + + License Type: User Based Subscription or Device Based Subscription + + + + + + + + + + + + + + + 0 + User Based Subscription + + + 1 + Device Based Subscription + + + + + + DeviceLicensingStatus + + + + + Returns the status of Refresh/Remove Device License operation. + + + + + + + + + + + - - UpgradeEditionWithProductKey - - - - - Enter a product key for an edition upgrade of Windows 10 desktop devices. Requires reboot. - - - - - - - - - - - - - - text/plain - - - - - ChangeProductKey - - - - - Installs a product key for Windows 10 desktop devices. Does not reboot. - - - - - - - - - - - - - - text/plain - - - - - Edition - - - - - Returns a value that maps to the Windows 10 or Windows 11 edition running on devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - Returns the status of an edition upgrade on Windows 10 or Windows 11 client devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown - - - - - - - - - - - - - - text/plain - - - - - CheckApplicability - - - - - Returns TRUE if the entered product key can be used for an edition upgrade of Windows 10 desktop devices. 
- - - - - - - - - - - - - - text/plain - - - - - Subscriptions - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SubscriptionId - - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - Name - - - - - - - - - - - - - - - text/plain - - - - - - - SMode - - - - - - - - - - - - - - - - - - - SwitchingPolicy - - - - - - - - Policy that determines whether a consumer can switch the device out of S mode - - - - - - - - - - - - - - text/plain - - - - - SwitchFromSMode - - - - - Switches a device out of S mode if possible. Does not reboot. - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - Returns the status of the latest SwitchFromSMode or SwitchingPolicy set request. - - - - - - - - - - - - - - text/plain - - - - + + DeviceLicensingLastError + + + + + Returns the last error code of Refresh/Remove Device License operation. Value would be empty(0) in absence of error. + + + + + + + + + + + + + + + + DeviceLicensingLastErrorDescription + + + + + Returns last error description from Device Licensing. Value would be empty, if error decription can not be evaluated. + + + + + + + + + + + + + + + + AcquireDeviceLicense + + + + + Acquire and Refresh Device License. Does not reboot. + + + + + + + + + + + + + + + + RemoveDeviceLicense + + + + + Remove Device License. Device would be ready for user based license after this operation. Does not reboot. + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles -[WindowsLicensing configuration service provider](windowslicensing-csp.md) \ No newline at end of file +[WindowsLicensing configuration service provider reference](windowslicensing-csp.md) diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index ecbdc67678..b4cc4b0e26 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md 
@@ -1,70 +1,201 @@ --- title: WiredNetwork CSP -description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that don't have GP. Learn how it works. +description: Learn more about the WiredNetwork CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/28/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/27/2018 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # WiredNetwork CSP -The table below shows the applicability of Windows: + + +The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that don't have group policy to enable them to access corporate Internet over ethernet. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +The following list shows the WiredNetwork configuration service provider nodes: -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +- ./Device/Vendor/MSFT/WiredNetwork + - [EnableBlockPeriod](#deviceenableblockperiod) + - [LanXML](#devicelanxml) +- ./User/Vendor/MSFT/WiredNetwork + - [EnableBlockPeriod](#userenableblockperiod) + - [LanXML](#userlanxml) + -The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that don't have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, version 1809. + +## Device/EnableBlockPeriod -The following example shows the WiredNetwork configuration service provider in tree format. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/WiredNetwork/EnableBlockPeriod ``` -./User/Vendor/MSFT -WiredNetwork -----LanXML -----EnableBlockPeriod + + + +Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + -./Device/Vendor/MSFT -WiredNetwork -----LanXML -----EnableBlockPeriod + + + + +**Description framework properties**: -./User/Vendor/MSFT -./Device/Vendor/MSFT -WiredNetwork -----LanXML -----EnableBlockPeriod +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | + + + + + + + + + +## Device/LanXML + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/WiredNetwork/LanXML ``` -**./Device/Vendor/MSFT/WiredNetwork** -The root node for the wirednetwork configuration service provider. + -**LanXML** -Optional. XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/library/windows/desktop/aa816366(v=vs.85).aspx. + + +XML describing the wired network configuration and follows the LAN_profile schemas + -- Supported operations are Add, Get, Replace, and Delete. -- Value type is string. + + + -**EnableBlockPeriod** - Optional. Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + +**Description framework properties**: -- Supported operations are Add, Get, Replace, and Delete. -- Value type is integer. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## User/EnableBlockPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/WiredNetwork/EnableBlockPeriod +``` + + + + +Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | + + + + + + + + + +## User/LanXML + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/WiredNetwork/LanXML +``` + + + + +XML describing the wired network configuration and follows the LAN_profile schemas + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + +## Examples The following example shows how to add a wired network profile: + ```xml @@ -83,7 +214,10 @@ The following example shows how to add a wired network profile: ``` + -## Related topics + -[Configuration service provider reference](index.yml) \ No newline at end of file +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md index 95d8425592..42f5285262 100644 --- a/windows/client-management/mdm/wirednetwork-ddf-file.md +++ b/windows/client-management/mdm/wirednetwork-ddf-file.md 
@@ -1,173 +1,190 @@ --- title: WiredNetwork DDF file -description: This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. +description: View the XML file containing the device description framework (DDF) for the WiredNetwork configuration service provider. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/16/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/28/2018 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + # WiredNetwork DDF file - -This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. This CSP was added in Windows 10, version 1511. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the WiredNetwork configuration service provider. ```xml -]> +]> 1.2 - - WiredNetwork - ./User/Vendor/MSFT - - - - - - - - - - - - - - - - - - - LanXML - - - - - - - - XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/library/windows/desktop/aa816366(v=vs.85).aspx - - - - - - - - - - - text/plain - - - - - EnableBlockPeriod - - - - - - - - Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. 
- - - - - - - - - - - text/plain - - - - - - WiredNetwork - ./Device/Vendor/MSFT - - - - - - - - - - - - - - - - - - - LanXML - - - - - - - - XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/library/windows/desktop/aa816366(v=vs.85).aspx - - - - - - - - - - - text/plain - - - - - EnableBlockPeriod - - - - - - - - Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. - - - - - - - - - - - text/plain - - - - + + + + WiredNetwork + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.17763 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + LanXML + + + + + + + + XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx + + + + + + + + + + + + + + + + + + EnableBlockPeriod + + + + + + + + Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. 
+ + + + + + + + + + + + + + [0-4294967295] + + + + + + WiredNetwork + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.17763 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + LanXML + + + + + + + + XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx + + + + + + + + + + + + + + + + + + EnableBlockPeriod + + + + + + + + Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + + + + + + + + + + + + + + [0-4294967295] + + + + ``` -## Related topics +## Related articles -[WiredNetwork CSP](wirednetwork-csp.md) +[WiredNetwork configuration service provider reference](wirednetwork-csp.md) diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md index 93b93d3872..361556d8dd 100644 --- a/windows/client-management/mobile-device-enrollment.md +++ b/windows/client-management/mobile-device-enrollment.md @@ -1,7 +1,7 @@ --- title: Mobile device enrollment description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,7 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 08/11/2017 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Mobile device enrollment diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 475721a37f..8dab751eb2 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md 
@@ -9,7 +9,9 @@ author: vinaypamnani-msft ms.author: vinpa manager: aaroncz ms.reviewer: pmadrigal -ms.collection: highpri +ms.collection: + - highpri + - tier1 ms.date: 08/26/2022 --- @@ -120,13 +122,13 @@ For more information, visit [Install Quick Assist](https://support.microsoft.com Before installing Quick Assist, you'll need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5. -1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**. +1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**. 1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com). 1. Select **Manage** / **Settings** and turn on **Show offline apps**. 1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not. 1. Search for **Quick Assist** and select it from the Search results. 1. Choose the **Offline** license and select **Get the app** -1. In the Endpoint Manager admin center, choose **Sync**. +1. In the Intune admin center, choose **Sync**. 1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list. 1. Select it to view its properties. By default, the app won't be assigned to anyone or any devices, select the **Edit** link. 1. Assign the app to the required group of devices and choose **Review + save** to complete the application install. 
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index a90fd2bb19..cbdc9361aa 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -1,10 +1,7 @@ --- -title: Configure Windows 10 taskbar (Windows 10) +title: Configure Windows 10 taskbar description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. -keywords: [taskbar layout, pin apps] ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library author: lizgt2000 ms.author: lizlong ms.topic: article @@ -12,9 +9,12 @@ ms.localizationpriority: medium ms.date: 01/18/2018 ms.reviewer: manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure --- + # Configure Windows 10 taskbar Starting in Windows 10, version 1607, administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md index c40796bd2a..78ad0b03f2 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md @@ -2,6 +2,7 @@ title: Send feedback about Cortana at work back to Microsoft description: Learn how to send feedback to Microsoft about Cortana at work so you can provide more information to help diagnose reported issues. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
index ad09a7c543..399384fb32 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -2,6 +2,7 @@
 title: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
 description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings.
 ms.prod: windows-client
+ms.collection: tier3
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: aczechowski
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 39e709ad20..cd9bc813a9 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -4,6 +4,7 @@ ms.reviewer:
 manager: dougeby
 description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and for enterprise environments.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 90543d9202..0071761fd5 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -2,6 +2,7 @@
 title: Configure Cortana with Group Policy and MDM settings (Windows)
 description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index 71800954eb..0cf1df4390 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -2,6 +2,7 @@
 title: Sign into Azure AD, enable the wake word, and try a voice query
 description: A test scenario walking you through signing in and managing the notebook.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index d31430c312..4ba46b4d36 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -2,6 +2,7 @@
 title: Perform a quick search with Cortana at work (Windows)
 description: This scenario is a test scenario about how to perform a quick search with Cortana at work.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index 48b5bfd328..b2202a902d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -2,6 +2,7 @@
 title: Set a reminder for a location with Cortana at work (Windows)
 description: A test scenario about how to set a location-based reminder using Cortana at work.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index 0ce5972f23..fcad450ae3 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -2,6 +2,7 @@
 title: Use Cortana at work to find your upcoming meetings (Windows)
 description: A test scenario on how to use Cortana at work to find your upcoming meetings.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index 0111aba809..94c1edabe4 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -2,6 +2,7 @@
 title: Use Cortana to send email to a co-worker (Windows)
 description: A test scenario about how to use Cortana at work to send email to a co-worker.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index a6c2d4c3bb..54a1064afb 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -2,6 +2,7 @@
 title: Review a reminder suggested by Cortana (Windows)
 description: A test scenario on how to use Cortana with the Suggested reminders feature.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index e8caaf8cf3..a69e0078ff 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -2,6 +2,7 @@
 title: Help protect data with Cortana and WIP (Windows)
 description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index 19dce90d45..63c801e46b 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -2,6 +2,7 @@
 title: Cortana at work testing scenarios
 description: Suggested testing scenarios that you can use to test Cortana in your organization.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index 26f401808e..ec1abf4d96 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -2,6 +2,7 @@ title: Set up and test custom voice commands in Cortana for your organization (Windows) description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index 9f38750042..b089b30590 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md @@ -4,6 +4,7 @@ ms.reviewer: manager: dougeby description: Cortana includes powerful configuration options specifically to optimize unique small to medium-sized business and enterprise environments. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md index c3456c0ae6..76496df719 100644 --- a/windows/configuration/cortana-at-work/test-scenario-1.md +++ b/windows/configuration/cortana-at-work/test-scenario-1.md @@ -2,6 +2,7 @@ title: Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook description: A test scenario about how to sign in with your work or school account and use Cortana to manage the notebook. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-2.md b/windows/configuration/cortana-at-work/test-scenario-2.md index 2a7d33cdbf..c6a2efd05f 100644 --- a/windows/configuration/cortana-at-work/test-scenario-2.md 
+++ b/windows/configuration/cortana-at-work/test-scenario-2.md @@ -2,6 +2,7 @@ title: Test scenario 2 - Perform a quick search with Cortana at work description: A test scenario about how to perform a quick search with Cortana at work. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-3.md b/windows/configuration/cortana-at-work/test-scenario-3.md index 1724baee87..468c4060cc 100644 --- a/windows/configuration/cortana-at-work/test-scenario-3.md +++ b/windows/configuration/cortana-at-work/test-scenario-3.md @@ -2,6 +2,7 @@ title: Test scenario 3 - Set a reminder for a specific location using Cortana at work description: A test scenario about how to set up, review, and edit a reminder based on a location. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md index 8cad2a9dab..d1e98c4409 100644 --- a/windows/configuration/cortana-at-work/test-scenario-4.md +++ b/windows/configuration/cortana-at-work/test-scenario-4.md @@ -2,6 +2,7 @@ title: Use Cortana to find your upcoming meetings at work (Windows) description: A test scenario about how to use Cortana at work to find your upcoming meetings. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md index d3b93dd8a0..fcb33530cc 100644 --- a/windows/configuration/cortana-at-work/test-scenario-5.md +++ b/windows/configuration/cortana-at-work/test-scenario-5.md 
@@ -2,6 +2,7 @@ title: Use Cortana to send an email to co-worker (Windows) description: A test scenario on how to use Cortana at work to send email to a co-worker. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md index fbd5290713..1090b25b3f 100644 --- a/windows/configuration/cortana-at-work/test-scenario-6.md +++ b/windows/configuration/cortana-at-work/test-scenario-6.md @@ -2,6 +2,7 @@ title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email description: A test scenario about how to use Cortana with the Suggested reminders feature. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md index 701b2f4f58..5f71bbdcec 100644 --- a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md +++ b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md @@ -2,6 +2,7 @@ title: Testing scenarios using Cortana in your business or organization description: A list of suggested testing scenarios that you can use to test Cortana in your organization. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 77f7406fb8..edd95b2265 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md 
@@ -1,5 +1,5 @@ --- -title: Customize and export Start layout (Windows 10) +title: Customize and export Start layout description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout. ms.reviewer: manager: aaroncz @@ -9,20 +9,21 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 09/18/2018 -ms.collection: highpri +ms.collection: + - highpri + - tier1 ms.technology: itpro-configure --- # Customize and export Start layout - **Applies to** -- Windows 10 +- Windows 10 >**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout. +The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout. After you export the layout, decide whether you want to apply a *full* Start layout or a *partial* Start layout. @@ -31,7 +32,7 @@ When a full Start layout is applied, the users cannot pin, unpin, or uninstall a When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. >[!NOTE] ->Partial Start layout is only supported on Windows 10, version 1511 and later. +>Partial Start layout is only supported on Windows 10, version 1511 and later. 
@@ -49,7 +50,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a **To prepare a test computer** -1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display. +1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users' computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display. 2. Create a new user account that you will use to customize the Start layout. @@ -63,7 +64,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a To view all apps, click **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start. - - **Unpin apps** that you don’t want to display. To unpin an app, right-click the app, and then click **Unpin from Start**. + - **Unpin apps** that you don't want to display. To unpin an app, right-click the app, and then click **Unpin from Start**. - **Drag tiles** on Start to reorder or group apps. @@ -89,7 +90,7 @@ When you have the Start layout that you want your users to see, use the [Export- 2. On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command: - `Export-StartLayout –path .xml` + `Export-StartLayout -path .xml` On a device running Windows 10, version 1809 or higher, run the **Export-StartLayout** with the switch **-UseDesktopApplicationID**. For example: diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md index f043da3ecb..7ef410564c 100644 --- a/windows/configuration/customize-start-menu-layout-windows-11.md 
+++ b/windows/configuration/customize-start-menu-layout-windows-11.md @@ -7,7 +7,9 @@ ms.author: lizlong ms.reviewer: ericpapa ms.prod: windows-client ms.localizationpriority: medium -ms.collection: highpri +ms.collection: + - highpri + - tier1 ms.technology: itpro-configure ms.date: 01/10/2023 ms.topic: article @@ -130,7 +132,7 @@ This section shows you how to create a pinned list policy in Intune. There isn't To deploy this policy, the devices must be enrolled, and managed by your organization. For more information, see [What is device enrollment?](/mem/intune/enrollment/device-enrollment). -1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** > **Configuration profiles** > **Create profile**. 3. Enter the following properties: diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md index a630b2ac0b..a97023b5d9 100644 --- a/windows/configuration/customize-taskbar-windows-11.md +++ b/windows/configuration/customize-taskbar-windows-11.md @@ -1,5 +1,5 @@ --- -title: Configure and customize Windows 11 taskbar | Microsoft Docs +title: Configure and customize Windows 11 taskbar description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Intune. See what happens to the taskbar when the Windows OS client is installed or upgraded. manager: aaroncz ms.author: lizlong @@ -7,7 +7,9 @@ ms.reviewer: chataylo ms.prod: windows-client author: lizgt2000 ms.localizationpriority: medium -ms.collection: highpri +ms.collection: + - highpri + - tier1 ms.technology: itpro-configure ms.date: 12/31/2017 ms.topic: article 
@@ -27,7 +29,7 @@ For example, you can override the default set of apps with your own a set of pin To add apps you want pinned to the taskbar, you use an XML file. You can use an existing XML file, or create a new file. If you have an XML file that's used on Windows 10 devices, you can also use it on Windows 11 devices. You may have to update the App IDs. -This article shows you how to create the XML file, add apps to the XML, and deploy the XML file. +This article shows you how to create the XML file, add apps to the XML, and deploy the XML file. To learn how to customize the taskbar buttons, see [CSP policies to customize Windows 11 taskbar buttons](supported-csp-taskbar-windows.md#csp-policies-to-customize-windows-11-taskbar-buttons). ## Before you begin @@ -168,7 +170,7 @@ MDM providers can deploy policies to devices managed by the organization, includ Use the following steps to create an Intune policy that deploys your taskbar XML file: -1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** > **Configuration profiles** > **Create profile**. diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index baffd2a688..40b7d5daac 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -1,5 +1,5 @@ --- -title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10) +title: Customize Windows 10 Start and taskbar with group policy description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.reviewer: manager: aaroncz 
@@ -8,7 +8,9 @@ author: lizgt2000 ms.localizationpriority: medium ms.author: lizlong ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index ff5c66875f..ebd6bb9d28 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -55,7 +55,7 @@ Two features enable Start layout control: The following example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout: -1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** > **Configuration profiles** > **Create profile**. diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index 315f3afa7f..90a28bb7e6 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier2" + ], "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "itpro-configure", diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 2eda1c13b6..ee9ad89242 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md 
@@ -8,7 +8,9 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.prod: windows-client -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure ms.date: 12/31/2017 --- @@ -41,7 +43,7 @@ foreach ($app in $installedapps) $aumidList ``` -You can add the –user <username> or the –allusers parameters to the get-AppxPackage cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the –user or –allusers parameters. +You can add the `-user ` or the `-allusers` parameters to the **Get-AppxPackage** cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the `-user` or -`allusers` parameters. ## To find the AUMID by using File Explorer @@ -63,7 +65,7 @@ At a command prompt, type the following command: `reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"` -## Example +### Example to get AUMIDs of the installed apps for the specified user The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user. 
@@ -105,9 +107,46 @@ The following Windows PowerShell commands demonstrate how you can call the listA # Get a list of AUMIDs for the current account: listAumids -# Get a list of AUMIDs for an account named “CustomerAccount”: +# Get a list of AUMIDs for an account named "CustomerAccount": listAumids("CustomerAccount") # Get a list of AUMIDs for all accounts on the device: listAumids("allusers") ``` + +### Example to get the AUMID of any application in the Start menu + +The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start menu. + +```powershell +function Get-AppAUMID { +param ( +[string]$AppName +) +$Apps = (New-Object -ComObject Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() +if ($AppName){ + $Result = $Apps | Where-Object { $_.name -like "*$AppName*" } | Select-Object name,@{n="AUMID";e={$_.path}} + if ($Result){ + Return $Result + } + else {"Unable to locate {0}" -f $AppName} +} +else { + $Result = $Apps | Select-Object name,@{n="AUMID";e={$_.path}} + Return $Result +} +} +``` + +The following Windows PowerShell commands demonstrate how you can call the Get-AppAUMID function after you've created it. + +```powershell +# Get the AUMID for OneDrive +Get-AppAUMID -AppName OneDrive + +# Get the AUMID for Microsoft Word +Get-AppAUMID -AppName Word + +# List all apps and their AUMID in the Start menu +Get-AppAUMID +``` diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 48abdda3c1..f1159c1544 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md 
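Review bot: In the added Get-AppAUMID sample, `$AppName` is interpolated straight into a `-like` wildcard pattern (`"*$AppName*"`), so an app name containing `[`, `*` or `?` is parsed as pattern syntax instead of being matched literally; escape it first with `$Escaped = [WildcardPattern]::Escape($AppName)` and match on `"*$Escaped*"`. The not-found branch also writes the formatted `"Unable to locate {0}"` string to the output stream, so a caller that pipes or assigns the result receives a string rather than an empty result; `Write-Warning ("Unable to locate {0}" -f $AppName)` keeps the pipeline clean. The `shell:::{4234d49b-...}` namespace GUID is used without explanation; a one-line comment such as `# Enumerate the shell namespace that lists Start-menu apps (presumably the Applications folder — confirm)` would tell readers what is being enumerated, since the hunk itself does not name it.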
@@ -1,17 +1,16 @@ --- -title: Guidelines for choosing an app for assigned access (Windows 10/11) +title: Guidelines for choosing an app for assigned access description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. -keywords: [kiosk, lockdown, assigned access] ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library author: lizgt2000 ms.localizationpriority: medium ms.author: lizlong ms.topic: article ms.reviewer: sybruckm manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure ms.date: 12/31/2017 --- 
@@ -50,7 +49,7 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) -In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. +In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren't allowed to go to a competitor's website. >[!NOTE] >Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs. 
@@ -155,7 +154,7 @@ You can create your own web browser Windows app by using the WebView class. Lear ## Secure your information -Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access. +Avoid selecting Windows apps that may expose the information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access. ## App configuration diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index fe0ebfbafc..2891f614c0 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing title: Configure Windows client # < 60 chars -summary: Find out how to apply custom configurations to Windows 10 and Windows 11 devices. Windows 10 provides many features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars +summary: Find out how to apply custom configurations to Windows client devices. Windows provides many features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars metadata: title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. @@ -10,6 +10,7 @@ metadata: ms.prod: windows-client ms.collection: - highpri + - tier1 author: aczechowski ms.author: aaroncz manager: dougeby 
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 3724425208..d48592fdfc 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -1,6 +1,6 @@ --- -title: Set up a single-app kiosk on Windows 10/11 -description: A single-use device is easy to set up in Windows 10 and Windows 11 for desktop editions (Pro, Enterprise, and Education). +title: Set up a single-app kiosk on Windows +description: A single-use device is easy to set up in Windows Pro, Enterprise, and Education editions. ms.reviewer: sybruckm manager: aaroncz ms.author: lizlong @@ -8,7 +8,9 @@ ms.prod: windows-client author: lizgt2000 ms.localizationpriority: medium ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier1 ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 5e74a0ca9d..800e7781f6 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -9,7 +9,9 @@ manager: aaroncz ms.reviewer: sybruckm ms.localizationpriority: medium ms.topic: how-to -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.date: 12/31/2017 --- 
@@ -247,7 +249,7 @@ A few things to note here: - The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration. - Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout. - There are no apps pinned on the taskbar in the multi-app mode, and it's not supported to configure Taskbar layout using the `` tag in a layout modification XML as part of the assigned access configuration. -- The following example uses `DesktopApplicationLinkPath` to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). +- The following example uses `DesktopApplicationLinkPath` to pin the desktop app to start. When the desktop app doesn't have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start: @@ -284,7 +286,7 @@ The following example pins Groove Music, Movies & TV, Photos, Weather, Calculato ##### Taskbar -Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. +Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. The following example exposes the taskbar to the end user: 
@@ -607,7 +609,7 @@ Lock the Taskbar | Enabled Prevent users from adding or removing toolbars | Enabled Prevent users from resizing the taskbar | Enabled Remove frequent programs list from the Start Menu | Enabled -Remove ‘Map Network Drive’ and ‘Disconnect Network Drive’ | Enabled +Remove 'Map Network Drive' and 'Disconnect Network Drive' | Enabled Remove the Security and Maintenance icon | Enabled Turn off all balloon notifications | Enabled Turn off feature advertisement balloon notifications | Enabled @@ -615,7 +617,7 @@ Turn off toast notifications | Enabled Remove Task Manager | Enabled Remove Change Password option in Security Options UI | Enabled Remove Sign Out option in Security Options UI | Enabled -Remove All Programs list from the Start Menu | Enabled – Remove and disable setting +Remove All Programs list from the Start Menu | Enabled - Remove and disable setting Prevent access to drives from My Computer | Enabled - Restrict all drivers >[!NOTE] diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index c77e2f658e..8796ceac18 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -1,14 +1,16 @@ --- -title: Install Windows Configuration Designer (Windows 10/11) +title: Install Windows Configuration Designer description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. ms.prod: windows-client author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium -ms.reviewer: gkomatsu +ms.reviewer: kevinsheehan manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure ms.date: 12/31/2017 --- 
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 4f0004d334..a6fac6c279 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -1,14 +1,16 @@ --- -title: Provisioning packages overview on Windows 10/11 +title: Provisioning packages overview description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do. -ms.reviewer: gkomatsu +ms.reviewer: kevinsheehan manager: aaroncz ms.prod: windows-client author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index beda72c25c..41f4968fe9 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -10,7 +10,7 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: manager: aaroncz -ms.collection: +ms.collection: tier2 appliesto: - ✅ Windows 10 - ✅ Windows 11 diff --git a/windows/configuration/shared-devices-concepts.md b/windows/configuration/shared-devices-concepts.md index 19e203f23c..cabee079ab 100644 --- a/windows/configuration/shared-devices-concepts.md +++ b/windows/configuration/shared-devices-concepts.md @@ -10,7 +10,7 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: manager: aaroncz -ms.collection: +ms.collection: tier2 appliesto: - ✅ Windows 10 - ✅ Windows 11 diff --git a/windows/configuration/shared-pc-technical.md b/windows/configuration/shared-pc-technical.md index a84ff0f030..b0d626cff0 100644 
--- a/windows/configuration/shared-pc-technical.md +++ b/windows/configuration/shared-pc-technical.md @@ -10,7 +10,7 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: manager: aaroncz -ms.collection: +ms.collection: tier2 appliesto: - ✅ Windows 10 - ✅ Windows 11 diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 874a5657cc..7600808ed5 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -90,7 +90,7 @@ You can apply the customized Start layout with images for secondary tiles by usi In Microsoft Intune, you create a device restrictions policy to apply to device group. For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. -1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** > **Configuration profiles** > **Create profile**. 3. Enter the following properties: diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index 3ebc98f62f..9d33ff603e 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -1,5 +1,5 @@ --- -title: Configure access to Microsoft Store (Windows 10) +title: Configure access to Microsoft Store description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization. ms.reviewer: manager: aaroncz 
@@ -9,7 +9,9 @@ ms.author: lizlong ms.topic: conceptual ms.localizationpriority: medium ms.date: 11/29/2022 -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure --- diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md index b51d7becb9..a24ff5885a 100644 --- a/windows/configuration/supported-csp-taskbar-windows.md +++ b/windows/configuration/supported-csp-taskbar-windows.md 
@@ -18,53 +18,65 @@ ms.topic: article - Windows 11 -The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. - -This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start). +The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference). 
+## CSP policies to customize Windows 11 taskbar buttons + +- [Search/ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) + - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Search\Configures search on the taskbar` + - Local setting: Settings > Personalization > Taskbar > Search + +- [Start/HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton) + - Group policy: `Computer and User Configuration\Administrative Templates\Start Menu and Taskbar\Hide the TaskView button` + - Local setting: Settings > Personalization > Taskbar > Task view + +- [NewsAndInterests/AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests) + - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Widgets\Allow widgets` + - Local setting: Settings > Personalization > Taskbar > Widgets + +- [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#configurechaticonvisibilityonthetaskbar) + - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat\Configure the Chat icon setting` + - Local setting: Settings > Personalization > Taskbar > Chat + ## Existing CSP policies that Windows 11 taskbar supports -- [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) +- [Start/HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents` - Local setting: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar -- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar) +- 
[Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#nopinningtotaskbar) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar` - Local setting: None -- [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#experience-configurechaticonvisibilityonthetaskbar) - - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat` - - Local setting: Settings > Personalization > Taskbar > Chat - ## Existing CSP policies that Windows 11 doesn't support The following list includes some of the CSP policies that aren't supported on Windows 11: -- [TaskbarLockAll CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarlockall) +- [ADMX_Taskbar/TaskbarLockAll](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarlockall) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings` -- [TaskbarNoAddRemoveToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoaddremovetoolbar) +- [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoaddremovetoolbar) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars` -- [TaskbarNoDragToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnodragtoolbar) +- [ADMX_Taskbar/TaskbarNoDragToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnodragtoolbar) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars` -- [TaskbarNoRedock CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoredock) +- [ADMX_Taskbar/TaskbarNoRedock](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoredock) - Group policy: `User 
Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location` -- [TaskbarNoResize CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoresize) +- [ADMX_Taskbar/TaskbarNoResize](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoresize) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar` -- [NoToolbarsOnTaskbar CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notoolbarsontaskbar) +- [ADMX_StartMenu/NoToolbarsOnTaskbar](/windows/client-management/mdm/policy-csp-admx-startmenu#notoolbarsontaskbar) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar` -- [NoTaskGrouping CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notaskgrouping) +- [ADMX_StartMenu/NoTaskGrouping](/windows/client-management/mdm/policy-csp-admx-startmenu#notaskgrouping) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items` -- [HidePeopleBar CSP](/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar` - -- [QuickLaunchEnabled CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-quicklaunchenabled) +- [ADMX_StartMenu/QuickLaunchEnabled](/windows/client-management/mdm/policy-csp-admx-startmenu#quicklaunchenabled) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar` + +- [Start/HidePeopleBar](/windows/client-management/mdm/policy-csp-start#hidepeoplebar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar` 
diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
index b72c7c7f8d..852b3e4500 100644
--- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
@@ -3,6 +3,7 @@ title: Administering UE-V with Windows PowerShell and WMI
description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md
index ba28b638f1..b4bfc496ca 100644
--- a/windows/configuration/ue-v/uev-administering-uev.md
+++ b/windows/configuration/ue-v/uev-administering-uev.md
@@ -3,6 +3,7 @@ title: Administering UE-V
description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index e33519a625..a26af56567 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -3,6 +3,7 @@ title: Application Template Schema Reference for UE-V
description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
index 627c8b1414..d6cb847dc1 100644
--- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
+++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
@@ -3,6 +3,7 @@ title: Changing the Frequency of UE-V Scheduled Tasks
description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
index 9367276244..5942fc45be 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
@@ -3,6 +3,7 @@ title: Configuring UE-V with Group Policy Objects
description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
index 2f4dadd57a..60273009e8 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
@@ -3,6 +3,7 @@ title: Configuring UE-V with Microsoft Configuration Manager
description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Configuration Manager.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md
index f58d68f203..479a729676 100644
--- a/windows/configuration/ue-v/uev-deploy-required-features.md
+++ b/windows/configuration/ue-v/uev-deploy-required-features.md
@@ -3,6 +3,7 @@ title: Deploy required UE-V features
description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example, a network share that stores and retrieves user settings.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
index 901c9451d1..1d05d369d0 100644
--- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
+++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
@@ -3,6 +3,7 @@ title: Use UE-V with custom applications
description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md
index 8eb556d6e4..f1604d6359 100644
--- a/windows/configuration/ue-v/uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-for-windows.md
@@ -3,6 +3,7 @@ title: User Experience Virtualization for Windows 10, version 1607
description: Overview of User Experience Virtualization for Windows 10, version 1607
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 05/02/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md
index 825c7597c7..36ce63717c 100644
--- a/windows/configuration/ue-v/uev-getting-started.md
+++ b/windows/configuration/ue-v/uev-getting-started.md
@@ -3,6 +3,7 @@ title: Get Started with UE-V
description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 03/08/2018
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
index 9f62707fab..22bf076b54 100644
--- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
+++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
@@ -3,6 +3,7 @@ title: Manage Administrative Backup and Restore in UE-V
description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md
index 6f44c3f7ea..1e594846ab 100644
--- a/windows/configuration/ue-v/uev-manage-configurations.md
+++ b/windows/configuration/ue-v/uev-manage-configurations.md
@@ -3,6 +3,7 @@ title: Manage Configurations for UE-V
description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
index 1ec2b72325..04dae12024 100644
--- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
@@ -3,6 +3,7 @@ title: Managing UE-V Settings Location Templates Using Windows PowerShell and WM
description: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
index f6f4e14585..4d07a6a09a 100644
--- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
@@ -3,6 +3,7 @@ title: Manage UE-V Service and Packages with Windows PowerShell and WMI
description: Managing the UE-V service and packages with Windows PowerShell and WMI
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md
index 39539183ca..9c3cebd1a1 100644
--- a/windows/configuration/ue-v/uev-migrating-settings-packages.md
+++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md
@@ -3,6 +3,7 @@ title: Migrating UE-V settings packages
description: Learn to relocate User Experience Virtualization (UE-V) user settings packages either when you migrate to a new server or when you perform backups.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index 39acddadd3..5e13281dc1 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -3,6 +3,7 @@ title: Prepare a UE-V Deployment
description: Learn about the types of User Experience Virtualization (UE-V) deployment you can execute and what preparations you can make beforehand to be successful.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md
index b68e1eb3fe..47dfe6e7e7 100644
--- a/windows/configuration/ue-v/uev-release-notes-1607.md
+++ b/windows/configuration/ue-v/uev-release-notes-1607.md
@@ -3,6 +3,7 @@ title: User Experience Virtualization (UE-V) Release Notes
description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that isn't included in the UE-V documentation.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md
index 4029c2a043..a91444675f 100644
--- a/windows/configuration/ue-v/uev-security-considerations.md
+++ b/windows/configuration/ue-v/uev-security-considerations.md
@@ -3,6 +3,7 @@ title: Security Considerations for UE-V
description: Learn about accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V).
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md
index ddd0e4181c..7d1eeeccb0 100644
--- a/windows/configuration/ue-v/uev-sync-methods.md
+++ b/windows/configuration/ue-v/uev-sync-methods.md
@@ -3,6 +3,7 @@ title: Sync Methods for UE-V
description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users’ application and Windows settings with the settings storage location.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md
index 6ffa1e76ff..b9571cdf2a 100644
--- a/windows/configuration/ue-v/uev-sync-trigger-events.md
+++ b/windows/configuration/ue-v/uev-sync-trigger-events.md
@@ -3,6 +3,7 @@ title: Sync Trigger Events for UE-V
description: Learn how User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index 20bedf9737..7851418fe8 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -3,6 +3,7 @@ title: Synchronizing Microsoft Office with UE-V
description: Learn how User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md
index 1050b221b6..9d161c1889 100644
--- a/windows/configuration/ue-v/uev-technical-reference.md
+++ b/windows/configuration/ue-v/uev-technical-reference.md
@@ -3,6 +3,7 @@ title: Technical Reference for UE-V
description: Use this technical reference to learn about the various features of User Experience Virtualization (UE-V).
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md
index d5be7f7710..d2a350b63d 100644
--- a/windows/configuration/ue-v/uev-troubleshooting.md
+++ b/windows/configuration/ue-v/uev-troubleshooting.md
@@ -3,6 +3,7 @@ title: Troubleshooting UE-V
description: Use this technical reference to find resources for troubleshooting User Experience Virtualization (UE-V) for Windows 10.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
index 5f5127f7ea..78cfb2f9c0 100644
--- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
+++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
@@ -3,6 +3,7 @@ title: Upgrade to UE-V for Windows 10
description: Use these few adjustments to upgrade from User Experience Virtualization (UE-V) 2.x to the latest version of UE-V.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
index 951c1b4ff0..5d02d042ce 100644
--- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
+++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
@@ -3,6 +3,7 @@ title: Using UE-V with Application Virtualization applications
description: Learn how to use User Experience Virtualization (UE-V) with Microsoft Application Virtualization (App-V).
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
index facd3330f3..157f473f1f 100644
--- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
@@ -3,6 +3,7 @@ title: What's New in UE-V for Windows 10, version 1607
description: Learn about what's new in User Experience Virtualization (UE-V) for Windows 10, including new features and capabilities.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
index 0eaaa0f658..827c6ad3ff 100644
--- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
+++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
@@ -3,6 +3,7 @@ title: Working with Custom UE-V Templates and the UE-V Template Generator
description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator.
author: aczechowski
ms.prod: windows-client
+ms.collection: tier3
ms.date: 04/19/2017
ms.reviewer:
manager: dougeby
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index eec297b628..a3d8dd29c1 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -1,5 +1,5 @@
---
-title: Customize and manage the Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs
+title: Customize and manage the Windows 10 Start and taskbar layout
description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more.
ms.reviewer:
manager: aaroncz
@@ -9,7 +9,9 @@ ms.author: lizlong
ms.topic: article
ms.localizationpriority: medium
ms.date: 08/05/2021
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-configure
---
@@ -25,7 +27,7 @@ ms.technology: itpro-configure
>
> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
-Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default.
+Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default.
>[!NOTE]
>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
@@ -215,7 +217,7 @@ On Windows 10 version 1607 and later, the new taskbar layout for upgrades apply If your Start layout customization isn't applied as you expect, open the **Event Viewer**. Go to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**. Look for the following events: -- **Event 22**: The XML is malformed. The specified file isn’t valid XML. This event can happen if the file has extra spaces or unexpected characters. Or, if the file isn't saved in the UTF8 format. +- **Event 22**: The XML is malformed. The specified file isn't valid XML. This event can happen if the file has extra spaces or unexpected characters. Or, if the file isn't saved in the UTF8 format. - **Event 64**: The XML is valid, and has unexpected values. This event can happen when the configuration isn't understood, elements aren't in [the required order](start-layout-xml-desktop.md#required-order), or source isn't found, such as a missing or misspelled `.lnk`. ## Next steps diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md index e019375c50..1c23a9707e 100644 --- a/windows/configuration/windows-accessibility-for-ITPros.md +++ b/windows/configuration/windows-accessibility-for-ITPros.md @@ -8,8 +8,8 @@ author: lizgt2000 ms.reviewer: manager: aaroncz ms.localizationpriority: medium -ms.date: 09/20/2022 -ms.topic: reference +ms.topic: conceptual +ms.collection: tier1 appliesto: - ✅ Windows 10 - ✅ Windows 11 
@@ -59,7 +59,9 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy - [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
-- [Read in Braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.
+- [Read in braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.
+
+- Starting in Windows 11, version 22H2 with [KB5022913](https://support.microsoft.com/kb/5022913), the compatibility of braille displays has been expanded. Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience.
## Hearing
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index b9bfa40f0f..33bd24bcc8 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -1,5 +1,5 @@
---
-title: Configure Windows Spotlight on the lock screen (Windows 10)
+title: Configure Windows Spotlight on the lock screen
description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
ms.reviewer:
manager: aaroncz
@@ -9,7 +9,9 @@ ms.author: lizlong
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/30/2018
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-configure
---
@@ -23,7 +25,7 @@ ms.technology: itpro-configure
Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10.
-For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps.
+For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps.
>[!NOTE]
@@ -99,4 +101,4 @@ The recommendation for custom lock screen images that include text (such as a le
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
- 
+
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 4ac1a97b0f..4fc092c907 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -35,7 +35,7 @@ - name: Plan items: - name: Plan for Windows 11 - href: /windows/whats-new/windows-11-plan + href: /windows/whats-new/windows-11-plan?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Create a deployment plan href: update/create-deployment-plan.md - name: Define readiness criteria
@@ -65,12 +65,14 @@ href: /windows/whats-new/feature-lifecycle?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Deprecated features href: /windows/whats-new/deprecated-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json + - name: Resources for deprecated features + href: /windows/whats-new/deprecated-features-resources?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Removed features href: /windows/whats-new/removed-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Prepare items: - name: Prepare for Windows 11 - href: /windows/whats-new/windows-11-prepare + href: /windows/whats-new/windows-11-prepare?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Prepare to deploy Windows client updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure 
@@ -164,19 +166,30 @@
 href: update/waas-configure-wufb.md
 - name: Use Windows Update for Business and WSUS
 href: update/wufb-wsus.md
- - name: Windows Update for Business deployment service
- href: update/deployment-service-overview.md
- items:
- - name: Troubleshoot the Windows Update for Business deployment service
- href: update/deployment-service-troubleshoot.md
 - name: Enforcing compliance deadlines for updates
 href: update/wufb-compliancedeadlines.md
 - name: Integrate Windows Update for Business with management solutions
 href: update/waas-integrate-wufb.md
 - name: 'Walkthrough: use Group Policy to configure Windows Update for Business'
 href: update/waas-wufb-group-policy.md
- - name: 'Walkthrough: use Intune to configure Windows Update for Business'
+ - name: 'Walkupdatesthrough: use Intune to configure Windows Update for Business'
 href: update/deploy-updates-intune.md
+ - name: Windows Update for Business deployment service
+ items:
+ - name: Windows Update for Business deployment service overview
+ href: update/deployment-service-overview.md
+ - name: Prerequisites for Windows Update for Business deployment service
+ href: update/deployment-service-prerequisites.md
+ - name: Deploy updates with the deployment service
+ items:
+ - name: Deploy feature updates using Graph Explorer
+ href: update/deployment-service-feature-updates.md
+ - name: Deploy expedited updates using Graph Explorer
+ href: update/deployment-service-expedited-updates.md
+ - name: Deploy driver and firmware updates using Graph Explorer
+ href: update/deployment-service-drivers.md
+ - name: Troubleshoot Windows Update for Business deployment service
+ href: update/deployment-service-troubleshoot.md
 - name: Monitor
 items:
 - name: Windows Update for Business reports
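Review bot: The retitled entry `- name: 'Walkupdatesthrough: use Intune to configure Windows Update for Business'` introduces a typo into a user-visible TOC title; it replaces the previously correct `'Walkthrough: use Intune to configure Windows Update for Business'` and the node's href is unchanged, so the rename looks accidental. Restoring the original string keeps the entry parallel with the Group Policy walkthrough two entries above it. The rest of the hunk, which moves the deployment service node into its own subtree with overview, prerequisites, deploy and troubleshoot children, reads consistently with the pages it references.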
@@ -321,6 +334,8 @@
 href: update/windows-update-overview.md
 - name: Servicing stack updates
 href: update/servicing-stack-updates.md
+ - name: Update CSP policies
+ href: /windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
 - name: Additional Windows Update settings
 href: update/waas-wu-settings.md
 - name: Delivery Optimization reference
diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md
index 1d67fee4df..8a3e5bc940 100644
--- a/windows/deployment/add-store-apps-to-image.md
+++ b/windows/deployment/add-store-apps-to-image.md
@@ -5,10 +5,8 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.author: frankroj
-ms.reviewer:
 manager: aaroncz
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.date: 11/23/2022
 ms.technology: itpro-deploy
 ---
diff --git a/windows/deployment/breadcrumb/toc.yml b/windows/deployment/breadcrumb/toc.yml
index bbaa26132d..c7cea673bd 100644
--- a/windows/deployment/breadcrumb/toc.yml
+++ b/windows/deployment/breadcrumb/toc.yml
@@ -34,4 +34,15 @@ items:
 - name: Deployment
 tocHref: /mem/intune/protect/
 topicHref: /windows/deployment/
-
+
+- name: Learn
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Windows
+ tocHref: /windows/
+ topicHref: /windows/resources/
+ items:
+ - name: Deployment
+ tocHref: /windows/client-management/mdm
+ topicHref: /windows/deployment/
diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
index 3dbdf7eef2..f3f16802b4 100644
--- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
+++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
@@ -7,7 +7,6 @@ author: frankroj
 manager: aaroncz
 ms.author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.date: 11/23/2022
 ms.technology: itpro-deploy
 ---
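Review bot: In the added breadcrumb node in windows/deployment/breadcrumb/toc.yml, `tocHref: /windows/client-management/mdm` is the only tocHref in the hunk without a trailing slash, while `/mem/intune/protect/`, `/windows/` and `/` all carry one. If the breadcrumb matcher is prefix-based this still resolves, but for consistency with its siblings I would write `tocHref: /windows/client-management/mdm/`. This node appears to pair with the new `Update CSP policies` entry in windows/deployment/TOC.yml, which links into /windows/client-management/mdm/ with `bc=/windows/deployment/breadcrumb/toc.json`, so the two paths should agree exactly.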
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index f19a79ea47..7239ce998b 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -8,7 +8,7 @@ ms.prod: windows-client
 ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
 ms.topic: how-to
-ms.collection: highpri
+ms.collection: highpri, tier2
 appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index 6ec6b46d6c..b8025d4dc9 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -1,6 +1,5 @@
 ---
 title: Deploy Windows 10 with Microsoft 365
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 description: Learn about deploying Windows 10 with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
@@ -8,7 +7,6 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.date: 11/23/2022
 ms.technology: itpro-deploy
 ---
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index 309fe14ba0..5c8f6ce68d 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -7,8 +7,7 @@ ms.localizationpriority: medium
 ms.prod: windows-client
 author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-apr2020
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.date: 11/23/2022
 ms.technology: itpro-deploy
 ---
diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 23b36c4d59..94c3d4ad20 100644
--- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -1,14 +1,12 @@
 ---
 title: Add a Windows 10 operating system image using Configuration Manager
 description: Operating system images are typically the production image used for deployment throughout the organization.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-deploy
 ms.date: 10/27/2022
 ---
diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index feff4155ed..49a76b890d 100644
--- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -1,14 +1,12 @@
 ---
 title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
 description: Learn how to configure the Windows Preinstallation Environment (Windows PE) to include required network and storage drivers.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-deploy
 ms.date: 10/27/2022
 ---
diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index bc6f5f88b1..8c9f73f7e0 100644
--- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -1,14 +1,12 @@
 ---
 title: Create a custom Windows PE boot image with Configuration Manager (Windows 10)
 description: Learn how to create custom Windows Preinstallation Environment (Windows PE) boot images in Microsoft Configuration Manager.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-deploy
 ms.date: 10/27/2022
 ---
diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
index dc5fff054b..95074a8b3d 100644
--- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -1,7 +1,6 @@
 ---
 title: Create a task sequence with Configuration Manager (Windows 10)
 description: Create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index 7a7d509012..8c8f05cc7c 100644
--- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -1,8 +1,6 @@
 ---
 title: Create an app to deploy with Windows 10 using Configuration Manager
 description: Microsoft Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
-ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
index 6a0dd625b6..e3a76f89f8 100644
--- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -1,7 +1,6 @@
 ---
 title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10)
 description: In this article, you'll learn how to deploy Windows 10 using Microsoft Configuration Manager deployment packages and task sequences.
-ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index 581ec6010d..603cdd71f6 100644
--- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -1,14 +1,12 @@
 ---
 title: Finalize operating system configuration for Windows 10 deployment
 description: This article provides a walk-through to finalize the configuration of your Windows 10 operating deployment.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-deploy
 ms.date: 10/27/2022
 ---
diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index 2fa98b5ab7..2cbc8a589e 100644
--- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -1,7 +1,6 @@
 ---
 title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager
 description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index d87aff2989..2ea7c6d6a7 100644
--- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -1,14 +1,12 @@
 ---
 title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
 description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-deploy
 ms.date: 10/27/2022
 ---
diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index dd75747e26..f2a38e6125 100644
--- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -1,15 +1,12 @@
 ---
 title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
 description: In this article, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Configuration Manager.
-ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-deploy
 ms.date: 10/27/2022
 ---
diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
index db3236d549..9de18e31aa 100644
--- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
@@ -1,14 +1,12 @@
 ---
 title: Perform in-place upgrade to Windows 10 via Configuration Manager
 description: Learn how to perform an in-place upgrade to Windows 10 by automating the process with a Microsoft Configuration Manager task sequence.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-deploy
 ms.date: 10/27/2022
 ---
diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
index 80c99d9d57..1f8a403732 100644
--- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
@@ -1,7 +1,6 @@
 ---
 title: Assign applications using roles in MDT (Windows 10)
 description: This article will show you how to add applications to a role in the MDT database and then assign that role to a computer.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
index 043e8f7ab8..dbfe7666fd 100644
--- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
+++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
@@ -1,8 +1,6 @@
 ---
 title: Build a distributed environment for Windows 10 deployment (Windows 10)
 description: In this article, you'll learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations.
-ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
index eb84fdcd77..36f7e1544c 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
@@ -1,7 +1,6 @@
 ---
 title: Configure MDT deployment share rules (Windows 10)
 description: Learn how to configure the MDT rules engine to reach out to other resources for additional information instead of storing settings directly in the rules engine.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
index 19adc65b02..443854bdd5 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
@@ -1,7 +1,6 @@
 ---
 title: Configure MDT for UserExit scripts (Windows 10)
 description: In this article, you'll learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index cfb17a3eee..167059f1e7 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -1,8 +1,6 @@
 ---
 title: Configure MDT settings (Windows 10)
 description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization.
-ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index b26c222f91..7100f080ec 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -1,7 +1,6 @@
 ---
 title: Create a Windows 10 reference image (Windows 10)
 description: Creating a reference image is important because that image serves as the foundation for the devices in your organization.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index f92a6f30dc..8a735ec6c4 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -1,7 +1,6 @@
 ---
 title: Deploy a Windows 10 image using MDT (Windows 10)
 description: This article will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
@@ -9,8 +8,7 @@ ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
 ms.technology: itpro-deploy
-ms.collection:
- - highpri
+ms.collection: highpri, tier2
 ms.date: 11/28/2022
 ---
diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index 73c2d4b629..757c32ec36 100644
--- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -1,7 +1,6 @@
 ---
 title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10)
 description: This article will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
@@ -9,8 +8,7 @@ ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
 ms.technology: itpro-deploy
-ms.collection:
- - highpri
+ms.collection: highpri, tier2
 ms.date: 11/28/2022
 ---
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index e5eb7ae010..bf1a4099cc 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -1,7 +1,6 @@
 ---
 title: Prepare for deployment with MDT (Windows 10)
 description: This article will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
@@ -9,8 +8,7 @@ ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
 ms.technology: itpro-deploy
-ms.collection:
- - highpri
+ms.collection: highpri, tier2
 ms.date: 11/28/2022
 ---
diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
index b38d0d58a8..23267929fa 100644
--- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
@@ -1,7 +1,6 @@
 ---
 title: Refresh a Windows 7 computer with Windows 10 (Windows 10)
 description: This article will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
index b240a4f426..9983df7350 100644
--- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -1,8 +1,6 @@
 ---
 title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10)
 description: In this article, you'll learn how to replace a Windows 7 device with a Windows 10 device.
-ms.custom: seo-marvel-apr2020
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index b8460e77a7..e08bd4f051 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -1,6 +1,5 @@
 ---
 title: Set up MDT for BitLocker (Windows 10)
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 description: Learn how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT.
@@ -8,7 +7,6 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-mar2020
 ms.technology: itpro-deploy
 ms.date: 11/28/2022
 ---
diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
index b9a293d1de..8c40be4dcd 100644
--- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
+++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
@@ -1,7 +1,6 @@
 ---
 title: Simulate a Windows 10 deployment in a test environment (Windows 10)
 description: This article will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index 83c7037743..6c8c9c684a 100644
--- a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -1,7 +1,6 @@
 ---
 title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10)
 description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
index 141bdd8589..c8e060d3cb 100644
--- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
@@ -1,7 +1,6 @@
 ---
 title: Use Orchestrator runbooks with MDT (Windows 10)
 description: Learn how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index 61bd481d35..ddb614d625 100644
--- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -1,7 +1,6 @@
 ---
 title: Use MDT database to stage Windows 10 deployment info (Windows 10)
 description: Learn how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
index 02770d5644..1a264d2ee7 100644
--- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
@@ -1,7 +1,6 @@
 ---
 title: Use web services in MDT (Windows 10)
 description: Learn how to create a web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md
index 0a538f15f8..9276cbf7c4 100644
--- a/windows/deployment/deploy-windows-to-go.md
+++ b/windows/deployment/deploy-windows-to-go.md
@@ -1,14 +1,12 @@
 ---
 title: Deploy Windows To Go in your organization (Windows 10)
 description: Learn how to deploy Windows To Go in your organization through a wizard in the user interface and programatically with Windows PowerShell.
-ms.reviewer:
 manager: aaroncz
 author: frankroj
 ms.author: frankroj
 ms.prod: windows-client
 ms.technology: itpro-deploy
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.date: 11/23/2022
 ---
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index 6274640054..b72a595c2a 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -1,14 +1,12 @@
 ---
 title: Deploy Windows 10 (Windows 10)
 description: Learn about Windows 10 upgrade options for planning, testing, and managing your production deployment.
-ms.reviewer:
 manager: aaroncz
 author: frankroj
 ms.author: frankroj
 ms.prod: windows-client
 ms.localizationpriority: medium
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.date: 11/23/2022
 ms.technology: itpro-deploy
 ---
diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml
index 6c21a68819..0336d89ddb 100644
--- a/windows/deployment/do/TOC.yml
+++ b/windows/deployment/do/TOC.yml
@@ -25,6 +25,8 @@
 href: delivery-optimization-workflow.md
 - name: Using a proxy with Delivery Optimization
 href: delivery-optimization-proxy.md
+ - name: Testing Delivery Optimization
+ href: delivery-optimization-test.md
 - name: Microsoft Connected Cache
 items:
 - name: Microsoft Connected Cache overview
@@ -55,7 +57,7 @@
 items:
 - name: Frequently Asked Questions
 href: mcc-isp-faq.yml
- - name: Enhancing VM performance
+ - name: Enhancing cache performance
 href: mcc-isp-vm-performance.md
 - name: Support and troubleshooting
 href: mcc-isp-support.md
diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md
index 49b08e601c..9bdd82e8d5 100644
--- a/windows/deployment/do/delivery-optimization-endpoints.md
+++ b/windows/deployment/do/delivery-optimization-endpoints.md
@@ -9,7 +9,8 @@ ms.localizationpriority: medium
 author: cmknox
 ms.author: carmenf
 ms.reviewer: mstewart
-manager: naengler
+manager: aaroncz
+ms.collection: tier3
 ---
 # Delivery Optimization and Microsoft Connected Cache content type endpoints
diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md
index ef06dbd00a..bab58db796 100644
--- a/windows/deployment/do/delivery-optimization-proxy.md
+++ b/windows/deployment/do/delivery-optimization-proxy.md
@@ -1,14 +1,15 @@
 ---
 title: Using a proxy with Delivery Optimization
-manager: dansimp
+manager: aaroncz
 description: Settings to use with various proxy configurations to allow Delivery Optimization to work
 ms.prod: windows-client
-author: carmenf
+author: cmknox
 ms.localizationpriority: medium
 ms.author: carmenf
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 12/31/2017
+ms.collection: tier3
 ---
 # Using a proxy with Delivery Optimization
diff --git a/windows/deployment/do/delivery-optimization-test.md b/windows/deployment/do/delivery-optimization-test.md
index a7af3ce745..7ce46ef46c 100644
--- a/windows/deployment/do/delivery-optimization-test.md
+++ b/windows/deployment/do/delivery-optimization-test.md
@@ -1,5 +1,5 @@
 ---
-title: Testing Delivery Optimization 
+title: Testing Delivery Optimization
 description: Explanation of Delivery Optimization distributed cache and high-level design. Demonstrate how Delivery Optimization peer-to-peer works in different test scenarios.
 ms.date: 11/08/2022
 ms.prod: windows-client
@@ -9,7 +9,8 @@ ms.localizationpriority: medium
 author: cmknox
 ms.author: carmenf
 ms.reviewer: mstewart
-manager: naengler
+manager: aaroncz
+ms.collection: tier3
 ---
 # Testing Delivery Optimization
diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md
index 6d8accfe59..2c4b6f9158 100644
--- a/windows/deployment/do/delivery-optimization-workflow.md
+++ b/windows/deployment/do/delivery-optimization-workflow.md
@@ -1,14 +1,15 @@
 ---
 title: Delivery Optimization client-service communication explained
-manager: dougeby
+manager: aaroncz
 description: Details of how Delivery Optimization communicates with the server when content is requested to download.
 ms.prod: windows-client
-author: carmenf
+author: cmknox
 ms.localizationpriority: medium
 ms.author: carmenf
 ms.topic: article
 ms.technology: itpro-updates
 ms.date: 12/31/2017
+ms.collection: tier3
 ---
 # Delivery Optimization client-service communication explained
@@ -20,14 +21,13 @@ ms.date: 12/31/2017 ## Download request workflow -This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to determine all available locations to pull content from, as well as content verification. - +This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to verify the content and to determine all available locations to pull content from. 1. When a download starts, the Delivery Optimization client attempts to get its content metadata. This content metadata is a hash file containing the SHA-256 block-level hashes of each piece in the file (typically one piece = 1 MB). -2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to leverage peer-to-peer. +2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to use peer-to-peer. 3. When Delivery Optimization pulls a certain piece of the hash from another peer, it verifies the hash against the known hash in the content metadata file. 4. If a peer provides an invalid piece, that piece is discarded. When a peer sends multiple bad pieces, it's banned and will no longer be used as a source by the Delivery Optimization client performing the download. -5. 
If Delivery Optimization is unable to obtain the content metadata file, or if the verification of the hash file itself fails, the download will fall back to "simple mode” (pulling content only from an HTTP source) and peer-to-peer won't be allowed. +5. If Delivery Optimization is unable to obtain the content metadata file, or if the verification of the hash file itself fails, the download will fall back to "simple mode”. Simple mode will only pull content from the HTTP source and peer-to-peer won't be allowed. 6. Once downloading is complete, Delivery Optimization uses all retrieved pieces of the content to put the file together. At that point, the Delivery Optimization caller (for example, Windows Update) checks the entire file to verify the signature prior to installing it. ## Delivery Optimization service endpoint and data information @@ -35,8 +35,8 @@ This workflow allows Delivery Optimization to securely and efficiently deliver r |Endpoint hostname | Port|Name|Description|Data sent from the computer to the endpoint |--------------------------------------------|--------|---------------|-----------------------|------------------------| | geover-prod.do.dsp.mp.microsoft.com
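Review bot: Step 2 of the reworded download request workflow still says the metadata hash is obtained "via an SSL channel", while the endpoint table further down lists every service on port 443; "TLS (HTTPS)" is the accurate term today and ties the verification step to that table. Suggested wording: `...verified prior to any content being downloaded using a hash that is obtained over a TLS (HTTPS) channel from the Delivery Optimization service.` The same term would fit the second sentence of that step, which describes the same channel as the source of the peer-to-peer authorization decision.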
    geo-prod.do.dsp.mp.microsoft.com
    geo.prod.do.dsp.mp.microsoft.com
    geover.prod.do.dsp.mp.microsoft.com | 443 | Geo | Service used to identify the location of the device in order to direct it to the nearest data center. | **Profile**: The device type (for example, PC or Xbox)
    **doClientVersion**: The version of the DoSvc client
    **groupID**: Group the device belongs to (set with DownloadMode = '2' (Group download mode) + groupID group policy / MDM policies) | -| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services as well as device configs. | **countryCode**: The country the client is connected from
    **doClientVersion**: The version of the DoSvc client
    **Profile**: The device type (for example, PC or Xbox)
    **eId**: Client grouping Id
    **CacheHost**: Cache host id | -| cp\*.prod.do.dsp.mp.microsoft.com
    | 443 | Content Policy | Provides content specific policies as well as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
    **ContentId**: The content identifier
    **doClientVersion**: The version of the DoSvc client
    **countryCode**: The country the client is connected from
    **altCatalogId**: If ContentId isn't available, use the download URL instead
    **eId**: Client grouping Id
    **CacheHost**: Cache host id | -| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupId and external IP. | **Profile**: The device type (for example, PC or Xbox)
    **ContentId**: The content identifier
    **doClientVersion**: The version of the DoSvc client
    **partitionId**: Client partitioning hint
    **altCatalogId**: If ContentId isn't available, use the download URL instead
    **eId**: Client grouping Id | -| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
    **ContentId**: The content identifier
    **doClientVersion**: The version of the DoSvc client
    **altCatalogId**: If ContentId isn't available, use the download URL instead
    **PeerId**: Identity of the device running DO client
    **ReportedIp**: The internal / private IP Address
    **IsBackground**: Is the download interactive or background
    **Uploaded**: Total bytes uploaded to peers
    **Downloaded**: Total bytes downloaded from peers
    **DownloadedCdn**: Total bytes downloaded from CDN
    **Left**: Bytes left to download
    **Peers Wanted**: Total number of peers wanted
    **Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
    **Scope**: The Download mode
    **UploadedBPS**: The upload speed in bytes per second
    **DownloadBPS**: The download speed in Bytes per second
    **eId**: Client grouping Id | +| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services and device configs. | **countryCode**: The country the client is connected from
    **doClientVersion**: The version of the DoSvc client
    **Profile**: The device type (for example, PC or Xbox)
    **eId**: Client grouping ID
    **CacheHost**: Cache host ID | +| cp\*.prod.do.dsp.mp.microsoft.com
    | 443 | Content Policy | Provides content specific policies and as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
    **ContentId**: The content identifier
    **doClientVersion**: The version of the DoSvc client
    **countryCode**: The country the client is connected from
    **altCatalogID**: If ContentID isn't available, use the download URL instead
    **eID**: Client grouping ID
    **CacheHost**: Cache host ID | +| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupID and external IP. | **Profile**: The device type (for example, PC or Xbox)
    **ContentID**: The content identifier
    **doClientVersion**: The version of the DoSvc client
    **partitionID**: Client partitioning hint
    **altCatalogID**: If ContentID isn't available, use the download URL instead
    **eID**: Client grouping ID | +| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
    **ContentID**: The content identifier
    **doClientVersion**: The version of the DoSvc client
    **altCatalogID**: If ContentID isn't available, use the download URL instead
    **PeerID**: Identity of the device running DO client
    **ReportedIp**: The internal / private IP Address
    **IsBackground**: Is the download interactive or background
    **Uploaded**: Total bytes uploaded to peers
    **Downloaded**: Total bytes downloaded from peers
    **DownloadedCdn**: Total bytes downloaded from CDN
    **Left**: Bytes left to download
    **Peers Wanted**: Total number of peers wanted
    **Group ID**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
    **Scope**: The Download mode
    **UploadedBPS**: The upload speed in bytes per second
    **DownloadBPS**: The download speed in Bytes per second
    **eID**: Client grouping ID | | dl.delivery.mp.microsoft.com
    emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. | diff --git a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md index 5d80bf89fd..47fd869124 100644 --- a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md +++ b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md @@ -3,13 +3,12 @@ title: Don't Remove images under do/images/elixir_ux - used by Azure portal Diag manager: aaroncz description: Elixir images read me file ms.prod: windows-client -ms.mktglfcycl: deploy -audience: itpro author: nidos ms.author: nidos ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +robots: noindex --- # Read Me diff --git a/windows/deployment/do/images/mcc-isp-create-resource-fields.png b/windows/deployment/do/images/mcc-isp-create-resource-fields.png new file mode 100644 index 0000000000..f80f8e490a Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-create-resource-fields.png differ diff --git a/windows/deployment/do/images/mcc-isp-create-resource-validated.png b/windows/deployment/do/images/mcc-isp-create-resource-validated.png new file mode 100644 index 0000000000..cfa2901768 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-create-resource-validated.png differ diff --git a/windows/deployment/do/includes/get-azure-subscription.md b/windows/deployment/do/includes/get-azure-subscription.md index 114671fd5e..b0039d5c54 100644 --- a/windows/deployment/do/includes/get-azure-subscription.md +++ b/windows/deployment/do/includes/get-azure-subscription.md 
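Review bot: Two of the rewritten table rows carry wording errors: the Content Policy row now reads "Provides content specific policies and as content metadata URLs" (leftover from replacing "as well as"), and the Discovery row keeps "ensuing that clients are collocated" where "ensuring" is meant. Suggested: `Provides content specific policies and content metadata URLs.` and `ensuring that clients are collocated by factors, such as content, groupID and external IP.` The rewrite also changes only some of the bold field names to "ID" casing (`groupID`, `altCatalogID`, `eID`, `PeerID`) while `ReportedIp` and `DownloadedCdn` keep their old form; if these are the literal parameter names the client sends, renaming them in the table would misdescribe what actually leaves the device, so it is worth confirming the casing against the client before this lands.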
@@ -1,9 +1,10 @@ --- author: amymzhou ms.author: amyzhou -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.date: 10/18/2022 +ms.prod: windows-client +ms.technology: itpro-deploy ms.topic: include ms.localizationpriority: medium --- @@ -14,4 +15,4 @@ ms.localizationpriority: medium 1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. 1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. 1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name. -1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value. \ No newline at end of file +1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value. diff --git a/windows/deployment/do/includes/mcc-prerequisites.md b/windows/deployment/do/includes/mcc-prerequisites.md index f90bc995e6..d264cc0f93 100644 --- a/windows/deployment/do/includes/mcc-prerequisites.md +++ b/windows/deployment/do/includes/mcc-prerequisites.md @@ -1,9 +1,9 @@ --- author: amyzhou ms.author: amyzhou -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.prod: windows-client +ms.technology: itpro-deploy ms.topic: include ms.date: 11/09/2022 ms.localizationpriority: medium diff --git a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md index 5f75f6344a..0d11fcb79e 100644 --- a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md 
+++ b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md @@ -1,9 +1,9 @@ --- author: mestew ms.author: mstewart -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.prod: windows-client +ms.technology: itpro-deploy ms.topic: include ms.date: 04/06/2022 ms.localizationpriority: medium diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index 5cbe1535a0..7c057be789 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -9,8 +9,7 @@ metadata: ms.topic: landing-page ms.prod: windows-client ms.technology: itpro-updates - ms.collection: - - highpri + ms.collection: highpri, tier3 author: aczechowski ms.author: aaroncz manager: dougeby @@ -59,8 +58,7 @@ landingContent: - text: Optimize Windows 10 or later update delivery with Configuration Manager url: /mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization - text: Delivery Optimization settings in Microsoft Intune - url: /mem/intune/configuration/delivery-optimization-windows - + url: /mem/intune/configuration/delivery-optimization-windows # Card - title: Microsoft Connected Cache (MCC) for Enterprise and Education diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md index 11915236a8..7f45db43f3 100644 --- a/windows/deployment/do/mcc-enterprise-appendix.md +++ b/windows/deployment/do/mcc-enterprise-appendix.md @@ -8,11 +8,12 @@ ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Appendix -## Steps to obtain an Azure Subscription ID +## Steps to obtain an Azure subscription ID [!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] 
@@ -23,12 +24,20 @@ If you're not able to sign up for a Microsoft Azure subscription with the **Acco - [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). - [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up). -## Installing on VMWare +## Hardware specifications -We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMWare. To do so, there are a couple of additional configurations to be made: +Most customers choose to install their cache node on a Windows Server with a nested Hyper-V VM. If this isn't supported in your network, some customers have also opted to install their cache node using VMware. At this time, a Linux-only solution isn't available and Azure VMs don't support the standalone Microsoft Connected Cache. + +### Installing on VMware + +We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMware. To do so, there are a couple of additional configurations to be made: 1. Ensure that you're using ESX. In the VM settings, turn on the option **Expose hardware assisted virtualization to the guest OS**. -1. Using the HyperV Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**. +1. Using the Hyper-V Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**. 
+ +### Installing on Hyper-V + +To learn more about how to configure Intel and AMD processors to support nested virtualization, see [Run Hyper-V in a Virtual Machine with Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization). ## Diagnostics Script @@ -65,17 +74,17 @@ communication operations. The runtime performs several functions: For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). -## Routing local Windows Clients to an MCC +## Routing local Windows clients to an MCC ### Get the IP address of your MCC using ifconfig There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC. -#### Registry Key +#### Registry key You can either set your MCC IP address or FQDN using: -1. Registry Key (version 1709 and later): +1. Registry key (version 1709 and later): `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization`
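Review bot: The rewritten VMware step still tells readers to switch "Allow promiscuous mode", "Allow forged transmits" and "Allow MAC changes" to Yes without saying that these three options relax the virtual switch's security policy for every VM attached to it, not just the cache node. A one-line caveat after that step would help operators limit the scope, e.g. `> [!NOTE] > These settings weaken the virtual switch security policy; apply them to the port group used by the cache node VM rather than to the whole switch.` The new "Hardware specifications" section also states that Azure VMs don't support the standalone MCC, which duplicates the NOTE in the prerequisites page; keeping one canonical statement and linking to it would avoid the two drifting. The enclosing section continues outside the hunk.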
    "DOCacheHost"=" " @@ -86,7 +95,7 @@ You can either set your MCC IP address or FQDN using: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f ``` -1. MDM Path (version 1809 and later): +1. MDM path (version 1809 and later): `.Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost` @@ -95,7 +104,7 @@ You can either set your MCC IP address or FQDN using: :::image type="content" source="./images/ent-mcc-group-policy-hostname.png" alt-text="Screenshot of the Group Policy editor showing the Cache Server Hostname Group Policy setting." lightbox="./images/ent-mcc-group-policy-hostname.png"::: -**Verify Content using the DO Client** +## Verify content using the DO client To verify that the Delivery Optimization client can download content using MCC, you can use the following steps: diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md index c39e4b5a84..bd3460bab9 100644 --- a/windows/deployment/do/mcc-enterprise-deploy.md +++ b/windows/deployment/do/mcc-enterprise-deploy.md @@ -1,6 +1,6 @@ --- title: Deploying your cache node -manager: dougeby +manager: aaroncz description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node ms.prod: windows-client author: amymzhou @@ -8,6 +8,7 @@ ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Deploying your cache node 
@@ -31,18 +32,18 @@ To deploy MCC to your server: For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com) -### Provide Microsoft with the Azure Subscription ID +### Provide Microsoft with the Azure subscription ID As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. > [!IMPORTANT] > [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step. -For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id). +For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id). ### Create the MCC resource in Azure -The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. +The MCC Azure management portal is used to create and manage MCC nodes. An Azure subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you'll be given a link to the Azure portal where you can create the resource described below. 
@@ -221,7 +222,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p 1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub. - 1. You'll be shown a list of existing IoT Hubs in your Azure Subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"** + 1. You'll be shown a list of existing IoT Hubs in your Azure subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"** :::image type="content" source="./images/ent-mcc-script-select-hub.png" alt-text="Screenshot of the installer script running in PowerShell prompting you to select which IoT Hub to use." lightbox="./images/ent-mcc-script-select-hub.png"::: :::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png"::: @@ -235,7 +236,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p ## Verify proper functioning MCC server -#### Verify Client Side +#### Verify client side Connect to the EFLOW VM and check if MCC is properly running: 
@@ -305,21 +306,16 @@ sudo iotedge list :::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png"::: -If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager using the command: +If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager by using the command: ```bash sudo journalctl -u iotedge -f ``` -For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start. +This command will provide the current status of the starting, stopping of a container, or the container pull and start. :::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png"::: -Use this command to check the IoT Edge Journal - -```bash -sudo journalctl -u iotedge -f -``` > [!NOTE] > You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation. diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md index fac81254f0..f1a81788a0 100644 --- a/windows/deployment/do/mcc-enterprise-prerequisites.md +++ b/windows/deployment/do/mcc-enterprise-prerequisites.md @@ -1,6 +1,6 @@ --- title: Requirements for Microsoft Connected Cache (MCC) for Enterprise and Education -manager: dougeby +manager: aaroncz description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education. ms.prod: windows-client author: amymzhou 
@@ -8,6 +8,7 @@ ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Requirements of Microsoft Connected Cache for Enterprise and Education (early preview) @@ -24,13 +25,12 @@ ms.technology: itpro-updates Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/). The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions. - -2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. +1. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. > [!NOTE] > Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations. - **EFLOW Requires Hyper-V support** + **EFLOW requires Hyper-V support** - On Windows client, enable the Hyper-V feature - On Windows Server, install the Hyper-V role and create a default network switch 
@@ -44,6 +44,7 @@ ms.technology: itpro-updates VM networking: - An external virtual switch to support outbound and inbound network communication (created during the installation process) +1. **Content endpoints**: If you're using a proxy or firewall, certain endpoints must be allowed through in order for your MCC to cache and serve content. See [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md) for the list of required endpoints. ## Sizing recommendations diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md index 83882c952c..1a995a17cf 100644 --- a/windows/deployment/do/mcc-enterprise-update-uninstall.md +++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md @@ -1,6 +1,6 @@ --- title: Update or uninstall Microsoft Connected Cache for Enterprise and Education -manager: dougeby +manager: aaroncz description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education. ms.prod: windows-client author: amymzhou @@ -8,6 +8,7 @@ ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Update or uninstall Microsoft Connected Cache for Enterprise and Education diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md index 8d8bc76577..1ab223ec25 100644 --- a/windows/deployment/do/mcc-isp-cache-node-configuration.md +++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md @@ -8,6 +8,7 @@ ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Cache node configuration diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md index aa7180c750..7eecb4983c 100644 --- a/windows/deployment/do/mcc-isp-create-provision-deploy.md 
+++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md @@ -8,9 +8,10 @@ ms.author: nidos ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- -# Create, Configure, provision, and deploy the cache node in Azure portal +# Create, configure, provision, and deploy the cache node in Azure portal **Applies to** @@ -58,8 +59,8 @@ BGP (Border Gateway Protocol) routing is another method offered for client routi 1. Enter the max allowable egress that your hardware can support. -1. Under **Cache storage**, specify the location of the cache drives to store content along with the size of the cache drives in Gigabytes. -**Note:** Up to nine cache drives are supported. +1. Under **Cache storage**, specify the location of the cache drive folder to store content along with the size of the cache drives in Gigabytes. +**Note:** This is a **required** field. Up to nine cache drive folders are supported. 1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing). 
@@ -110,10 +111,10 @@ There are five IDs that the device provisioning script takes as input in order t 1. Copy and paste the script command line shown in the Azure portal. -1. Run the script in your server terminal for your cache node by . The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md). +1. Run the script in your server terminal for your cache node. The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md). > [!NOTE] - > The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to reprovision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script. + > The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to re-provision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script. ### General configuration fields 
@@ -127,12 +128,12 @@ There are five IDs that the device provisioning script takes as input in order t ### Storage fields > [!IMPORTANT] -> All cache drives must have read/write permissions set or the cache node will not function. -> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrive` +> All cache drives must have full read/write permissions set or the cache node will not function. +> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrivefolder` | Field Name | Expected Value| Description | |---|---|---| -| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: `/dev/folder/` Each cache drive should have read/write permissions configured. | +| **Cache drive folder** | File path string | Up to 9 drive folders accessible by the cache node can be configured for each cache node to configure cache storage. Enter the location of the folder in Ubuntu where the external physical drive is mounted. For example: `/dev/sda3/` Each cache drive should have read/write permissions configured. Ensure your disks are mounted and visit [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk) for more information.| | **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. | ### Client routing fields diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml index 74688ffae3..1d912e7b10 100644 --- a/windows/deployment/do/mcc-isp-faq.yml +++ b/windows/deployment/do/mcc-isp-faq.yml @@ -5,8 +5,7 @@ metadata: author: amymzhou ms.author: amymzhou manager: aaroncz - ms.collection: - - highpri + ms.collection: highpri, tier3 ms.topic: faq ms.date: 09/30/2022 ms.prod: windows-client 
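Review bot: The new example in the **Cache drive folder** row, `/dev/sda3/`, is a block device node rather than "the location of the folder in Ubuntu where the external physical drive is mounted" that the same sentence asks for, so readers may enter a device path the cache node cannot use as a directory. Reusing the placeholder already used in the IMPORTANT box above, `/path/to/cachedrivefolder`, keeps the example consistent with the instruction. Relatedly, the IMPORTANT box now says "full read/write permissions" and demonstrates `sudo chmod 777`, which makes the folder writable by every local account on the host; if the cache node runs under a dedicated account (not named on this page), documenting ownership or group permissions for that account, with 777 only as a fallback, would be the safer guidance. The table row repeats the "read/write permissions" requirement a third time; pointing it at the IMPORTANT box instead would keep a single place to update.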
@@ -69,8 +68,6 @@ sections: answer: We have already successfully onboarded ISPs in many countries around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers. - question: How does Microsoft Connected Cache populate its content? answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD. - - question: What do I do if I need more support and have more questions even after reading this FAQ page? - answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md). - question: What CDNs will Microsoft Connected Cache pull content from? answer: | Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time: 
@@ -82,3 +79,11 @@ sections: $ whois 13.107.4.50|grep "Organization:" Organization: Microsoft Corporation (MSFT) + - question: I'm a network service provider and have downstream transit customers. If one of my downstream transit customers onboards to Microsoft Connected Cache, how will it affect my traffic? + answer: If a downstream customer deploys a Microsoft Connected Cache node, the cache controller will prefer the downstream ASN when handling that ASN's traffic. + - question: I signed up for Microsoft Connected Cache, but I'm not receiving the verification email. What should I do? + answer: First, check that the email under the NOC role is correct in your PeeringDB page. If the email associated with NOC role is correct, search for an email from the sender "microsoft-noreply@microsoft.com" with the email subject - "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender "microsoft-noreply@microsoft.com". + - question: I have an active MCC, but I'm noticing I hit the message limit for my IoT Hub each day. Does this affect my MCC performance and should I be concerned? + answer: Even when the quota of 8k messages is hit, the MCC functionality won't be affected. Your client devices will continue to download content as normal. You'll also not be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. MCC will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your MCC and the daily quota was reached, your MCC might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the private preview and isn't an issue during public preview. 
+ - question: What do I do if I need more support and have more questions even after reading this FAQ page? + answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md). diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md index e53324e321..ca3e78f917 100644 --- a/windows/deployment/do/mcc-isp-signup.md +++ b/windows/deployment/do/mcc-isp-signup.md @@ -3,13 +3,12 @@ title: Operator sign up and service onboarding manager: aaroncz description: Service onboarding for Microsoft Connected Cache for ISP ms.prod: windows-client -ms.mktglfcycl: deploy -audience: itpro author: nidos ms.author: nidos ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Operator sign up and service onboarding for Microsoft Connected Cache 
@@ -24,21 +23,37 @@ This article details the process of signing up for Microsoft Connected Cache for ## Prerequisites Before you begin sign up, ensure you have the following components: -- **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You will need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, [visit this page](https://azure.microsoft.com/offers/ms-azr-0003p/). -- **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal. -- **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email. -- **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed Ubuntu 20.04 LTS. + +1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You'll need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, go to the [Pay-As-You-Go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/). + +1. **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal. + +1. **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email. + +1. **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed on Ubuntu 20.04 LTS. +1. **Configure cache drive**: Make sure that you have a data drive configured with full permissions on your server. You'll need to specify the location for this cache drive during the cache node configuration process. 
The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk). ## Resource creation and sign up process 1. Navigate to the [Azure portal](https://www.portal.azure.com). Select **Create a Resource**. Then, search for **Microsoft Connected Cache**. - :::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace."::: + :::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace." lightbox="./images/mcc-isp-search.png"::: -1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, enter a name for your cache resource. +1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, choose the subscription, resource group, and location of your cache node. Also, enter a name for your cache node. + + :::image type="content" source="./images/mcc-isp-create-resource-fields.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource creation step." lightbox="./images/mcc-isp-create-resource-fields.png"::: > [!IMPORTANT] > After your resource has been created, we need some information to verify your network operator status and approve you to host Microsoft Connected Cache nodes. Please ensure that your [Peering DB](https://www.peeringdb.com/) organization information is up to date as this information will be used for verification. The NOC contact email will be used to send verification information. + + After a few moments, you'll see a "Validation successful" message, indicating you can move onto the next step and select **Create**. 
+ + :::image type="content" source="./images/mcc-isp-create-resource-validated.png" alt-text="Screenshot of the Azure portal that shows a green validation successful message for the creation of the Microsoft Connected Cache resource." lightbox="./images/mcc-isp-create-resource-validated.png"::: + +1. The creation of the cache node may take a few minutes. After a successful creation, you'll see a **Deployment complete** page as below. Select **Go to resource**. + + :::image type="content" source="./images/mcc-isp-deployment-complete.png" alt-text="Screenshot of the Azure portal that shows a successful deployment for the creation of the Microsoft Connected Cache resource." lightbox="./images/mcc-isp-deployment-complete.png"::: + 1. Navigate to **Settings** > **Sign up**. Enter your organization ASN. Indicate whether you're a transit provider. If so, additionally, include any ASN(s) for downstream network operators that you may transit traffic for. :::image type="content" source="./images/mcc-isp-sign-up.png" alt-text="Screenshot of the sign up page in the Microsoft Connected Cache resource page in Azure portal." lightbox="./images/mcc-isp-sign-up.png"::: 
@@ -48,7 +63,10 @@ Before you begin sign up, ensure you have the following components: > [!NOTE] > Verification codes expire in 24 hours. You will need to generate a new code if it expires. - :::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png"::: + :::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png"::: + + > [!NOTE] + > **Can't find the verification email in your inbox?** Check that the email under the NOC role is correct in [Peering DB](https://www.peeringdb.com/). Search for an email from the sender **microsoft-noreply@microsoft.com** with the email subject: "Here’s your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender **microsoft-noreply@microsoft.com**. 1. Once verified, follow the instructions in [Create, provision, and deploy cache node](mcc-isp-create-provision-deploy.md) to create your cache node. 
@@ -57,37 +75,3 @@ Before you begin sign up, ensure you have the following components: During the sign-up process, Microsoft will provide you with a traffic estimation based on your ASN(s). We make estimations based on our predictions on historical data about Microsoft content download volume. We'll use these estimations to recommend hardware or VM configurations. You can review these recommendations within the Azure portal. We make these estimations based on the Microsoft content types that Microsoft Connected Cache serves. To learn more about the types of content that are supported, see [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md). --> - -### Cache performance - -To make sure you're maximizing the performance of your cache node, review the following information: - -#### OS requirements - -The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. - -#### NIC requirements - -- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration. -- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. - -#### Drive performance - -The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance. - -RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping. - -### Hardware configuration example - -There are many hardware configurations that suit Microsoft Connected Cache. 
As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps: - -**Dell PowerEdge R330** - -- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core -- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s -- 4 - Transcend SSD230s 1 TB SATA Drives -- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated) - -### Virtual machines - -Microsoft Connected Cache supports both physical and virtual machines as cache servers. If you're using a virtual machine as your server, refer to [VM performance](mcc-isp-vm-performance.md) for tips on how to improve your VM performance. \ No newline at end of file diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md index a10e0f5a63..5fb2e95dbe 100644 --- a/windows/deployment/do/mcc-isp-support.md +++ b/windows/deployment/do/mcc-isp-support.md @@ -3,12 +3,12 @@ title: Support and troubleshooting manager: aaroncz description: Troubleshooting issues for Microsoft Connected Cache for ISP ms.prod: windows-client -audience: itpro author: nidos ms.author: nidos ms.topic: reference ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Support and troubleshooting diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md index 2e74cc5a44..0b9a530e78 100644 --- a/windows/deployment/do/mcc-isp-update.md +++ b/windows/deployment/do/mcc-isp-update.md @@ -3,13 +3,12 @@ title: Update or uninstall your cache node manager: aaroncz description: How to update or uninstall your cache node ms.prod: windows-client -ms.mktglfcycl: deploy -audience: itpro author: amyzhou ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Update or uninstall your cache node 
diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md
index da0003c24f..ebe7e20158 100644
--- a/windows/deployment/do/mcc-isp-verify-cache-node.md
+++ b/windows/deployment/do/mcc-isp-verify-cache-node.md
@@ -2,20 +2,41 @@ title: Verify cache node functionality and monitor health and performance manager: aaroncz description: How to verify the functionality of a cache node -keywords: updates, downloads, network, bandwidth ms.prod: windows-client -audience: itpro author: amyzhou ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 ms.technology: itpro-updates +ms.collection: tier3 --- # Verify cache node functionality and monitor health and performance This article details how to verify that your cache node(s) are functioning properly and serving traffic. This article also details how to monitor your cache nodes. +## Verify cache node installation is complete + +Sign in to the Connected Cache server or use SSH. Run the following command from a terminal to see the running modules (containers): + +```bash +sudo iotedge list +``` + +:::image type="content" source="./images/mcc-isp-running-containers.png" alt-text="Screenshot of the terminal output of iotedge list command, showing the running containers." lightbox="./images/mcc-isp-running-containers.png"::: + +If it lists the **edgeAgent** and **edgeHub** containers, but doesn't include **MCC**, view the status of the IoT Edge security manager using the command: + +```bash +sudo iotedge system logs -- -f +``` + +For example, this command provides the current status of the starting and stopping of a container, or the container pull and start: + +:::image type="content" source="./images/mcc-isp-edge-journalctl.png" alt-text="Terminal output of journalctl command for iotedge." lightbox="./images/mcc-isp-edge-journalctl.png"::: + +You may need to wait up to 30 minutes for the cache node software to complete downloading and begin caching. + ## Verify functionality on Azure portal Sign into the [Azure portal](https://www.portal.azure.com) and navigate to the **Overview** page. Select the **Monitoring** tab to verify the functionality of your server(s) by validating the number of healthy nodes shown. 
If you see any **Unhealthy nodes**, select the **Diagnose and Solve** link to troubleshoot and resolve the issue. @@ -48,6 +69,14 @@ http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsup If the test fails, for more information, see the [FAQ](mcc-isp-faq.yml) article. +## Verify BGP routing configuration + +To verify your BGP routes are correctly configured for a cache node, navigate to **Settings > Cache nodes**. Select the cache node you wish to verify BGP routes for. + +Verify that under **Routing Information**, the state of **BGP routes received** is True. Verify the IP space is correct. Lastly, select **Download JSON** next to **Download BGP Routes** to view the BGP routes that your cache node is currently advertising. + +If **BGP routes received** is False, your **IP Space** is 0, or you're experiencing any BGP routing errors, ensure your **ASN** and **IP address** is entered correctly. + ## Monitor cache node health and performance Within Azure portal, there are many charts and graphs that are available to monitor cache node health and performance. diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md index 9316c9a5af..e56fc1ef3a 100644 --- a/windows/deployment/do/mcc-isp-vm-performance.md +++ b/windows/deployment/do/mcc-isp-vm-performance.md @@ -1,5 +1,5 @@ --- -title: Enhancing VM performance +title: Enhancing cache performance manager: aaroncz description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs ms.prod: windows-client 
@@ -8,13 +8,44 @@ ms.author: amyzhou ms.topic: reference ms.technology: itpro-updates ms.date: 12/31/2017 +ms.collection: tier3 --- -# Enhancing virtual machine performance +# Enhancing cache performance + +To make sure you're maximizing the performance of your cache node, review the following information: + +#### OS requirements + +The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. + +#### NIC requirements + +- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration. +- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. + +#### Drive performance + +The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance. + +RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping. + +### Hardware configuration example + +There are many hardware configurations that suit Microsoft Connected Cache. As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps: + +**Dell PowerEdge R330** + +- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core +- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s +- 4 - Transcend SSD230s 1 TB SATA Drives +- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated) + +## Enhancing virtual machine performance In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change two settings. -## Virtual machine settings +### Virtual machine settings Change the following settings to maximize the egress in virtual environments: 
@@ -27,7 +58,3 @@ Change the following settings to maximize the egress in virtual environments: Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment. 2. Enable high performance in the BIOS instead of energy savings. Microsoft has found this setting to also nearly double egress in a Microsoft Hyper-V deployment. - -## Next steps - -[Support and troubleshooting](mcc-isp-support.md) diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md index 34b12c0d9b..27de31c9b1 100644 --- a/windows/deployment/do/mcc-isp.md +++ b/windows/deployment/do/mcc-isp.md @@ -10,6 +10,7 @@ ms.reviewer: carmenf manager: aaroncz ms.topic: how-to ms.date: 05/20/2022 +ms.collection: tier3 --- # Microsoft Connected Cache for Internet Service Providers (early preview) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 0827ee5979..cb916610f0 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml @@ -8,8 +8,7 @@ metadata: ms.author: carmenf manager: dougeby ms.technology: itpro-updates - ms.collection: - - highpri + ms.collection: highpri, tier3 ms.topic: faq ms.date: 08/04/2022 title: Delivery Optimization Frequently Asked Questions diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 6564dcd26e..ad50cecaaa 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md 
@@ -1,16 +1,15 @@
 ---
 title: Delivery Optimization reference
-ms.reviewer:
-manager: dougeby
+manager: aaroncz
 description: This article provides a summary of references and descriptions for all of the Delivery Optimization settings.
 ms.prod: windows-client
-author: carmenf
+author: cmknox
 ms.localizationpriority: medium
 ms.author: carmenf
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-updates
 ms.date: 12/31/2017
+ms.collection: tier3
 ---
 
 # Delivery Optimization reference
@@ -20,59 +19,57 @@ ms.date: 12/31/2017 - Windows 10 - Windows 11 -> **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=103506). +> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678). -There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows client updates](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows client updates](waas-delivery-optimization-setup.md). +There are many configuration options you can set in Delivery Optimization to customize the content delivery experience specific to your environment needs. This topic summarizes those configurations for your reference. If you just need an overview of Delivery Optimization, see [What is Delivery Optimization](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows](waas-delivery-optimization-setup.md). ## Delivery Optimization options You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization. -You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**. 
+You'll find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**. In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**. -[//]: # (something about Intune UX--perhaps link to relevant Intune docs?) - ### Summary of Delivery Optimization settings -| Group Policy setting | MDM setting | Supported from version | -| --- | --- | --- | -| [Download mode](#download-mode) | DODownloadMode | 1511 | -| [Group ID](#group-id) | DOGroupID | 1511 | -| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | -| [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | -| [Max Cache Age](#max-cache-age) | DOMaxCacheAge | 1511 | -| [Max Cache Size](#max-cache-size) | DOMaxCacheSize | 1511 | -| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 | -| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | -| [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | -| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| -| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| -| [Max Upload 
Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (removed in Windows 10, version 2004) | -| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | -| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | -| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | -| [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | -| [MaxForegroundDownloadBandwidth](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | -| [MaxBackgroundDownloadBandwidth](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | -| [SetHoursToLimitBackgroundDownloadBandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | -| [SetHoursToLimitForegroundDownloadBandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | -| [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) |DORestrictPeerSelectionBy | 1803 | -| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | -| [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | -| [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | -| [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | -| [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | 
DelayCacheServerFallbackBackground | 1903 | -| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | -| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | -| [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | -| [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | +| Group Policy setting | MDM setting | Supported from version | Notes | +| --- | --- | --- | ------- | +| [Download mode](#download-mode) | DODownloadMode | 1511 | Default is set to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.| +| [Group ID](#group-id) | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't set, the GroupID will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | +| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't set, the Group will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | +| [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, consumer devices default to using 'Local discovery (DNS-SD)' and commercial devices default to using 'Subnet'. | +| [Minimum RAM (inclusive) allowed to use peer caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | Default value is 4 GB. 
| +| [Minimum disk size allowed to use peer caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | Default value is 32 GB. | +| [Max cache age](#max-cache-age) | DOMaxCacheAge | 1511 | Default value is 259,200 seconds (three days). | +| [Max cache size](#max-cache-size) | DOMaxCacheSize | 1511 | Default value is 20%. | +| [Absolute max cache size (in GBs)](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 | Default value is 10 GB.| +| [Modify cache drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | Default to the operating system drive through the %SYSTEMDRIVE% environment variable. | +| [Minimum peer caching content file size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | Default file size is 50 MB. | +| [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | Default value is 20 GB. | +| [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | Recommend setting this to 500 KB/s. Default value is 2500 KB/s. | +| [Enable peer caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | Default is to not allow peering while on VPN. | +| [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | Default is to not allow peering while on battery. | +| [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | Default is '0' which will dynamically adjust. | +| [Maximum background download bandwidth (percentage)](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | Default is '0' which will dynamically adjust. 
| +| [Maximum foreground download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. | +| [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. | +| [Set hours to limit background download bandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | Default isn't set. | +| [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default isn't set. | +| [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. | +| [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.| +| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. 
| +| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.| +| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | Default is it has no value. | +| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | Default is it has no value. | +| [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | +| [Percentage of maximum download bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | +| [Maximum upload bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (deprecated in Windows 10, version 2004) | Default is '0' (unlimited). | ### More detail on Delivery Optimization settings -[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group. +#### Locally cached updates -Delivery Optimization uses locally cached updates. 
In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the following settings to adjust the Delivery Optimization cache to suit your scenario: +Delivery Optimization uses locally cached updates to deliver contact via peers. The more content available in the cache, the more likely that peering can be used. In cases where devices have enough local storage and you'd like to cache more content. Likewise, if you have limited storage and would prefer to cache less, use the following settings to adjust the Delivery Optimization cache to suit your scenario: - [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use. - [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache. 
@@ -83,20 +80,35 @@ Delivery Optimization uses locally cached updates. In cases where devices have a
 All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services, but when local storage is sufficient and the network isn't strained or congested, administrators might choose to change it to obtain increased performance. You can set the minimum size of files to cache by adjusting [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size).
-Additional options available that control the impact Delivery Optimization has on your network include the following:
+#### Impact to network
-- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) control the download bandwidth used by Delivery Optimization.
-- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
-- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month.
-- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This setting adjusts the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network.
-- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the **maximum foreground download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth.
+More options available that control the impact Delivery Optimization has on your network include the following:
+
+- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. 
This setting adjusts the amount of data downloaded directly from HTTP sources, rather than other peers in the network.
+- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth*hat Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth.
 - [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the **maximum background download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth.
 - [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
 - [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
 - [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) restricts peer selection by the options you select.
 - [Select the source of Group IDs](#select-the-source-of-group-ids) restricts peer selection to a specific source.
-- [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P.
-- [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P. 
+
+#### Policies to prioritize the use of Peer-to-Peer and Cache Server sources
+
+When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to both MCC and peers in parallel. If the desired content can’t be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source which is the default behavior.
+
+##### Peer-to-peer delay fallback settings
+
+- [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.
+- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P.
+
+##### Microsoft Connected Cache (MCC) delay fallback settings
+
+- [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use a cache server.
+- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use a cache server.
+
+**If both peer-to-peer and MCC are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings.** This allows Delivery Optimization to discover peers first then recognize the fallback setting for the MCC cache server. 
+
+#### System resource usage
 Administrators can further customize scenarios where Delivery Optimization will be used with the following settings: 
@@ -107,28 +119,26 @@ Administrators can further customize scenarios where Delivery Optimization will
 ### Download mode
-Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. Additional technical details for these policies are available in [Policy CSP - Delivery Optimization](/windows/client-management/mdm/policy-csp-deliveryoptimization).
+Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. Other technical details for these policies are available in [Policy CSP - Delivery Optimization](/windows/client-management/mdm/policy-csp-deliveryoptimization).
 | Download mode option | Functionality when set |
 | --- | --- |
-| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. |
+| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source or a Microsoft Connected Cache server. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. |
 | LAN (**1 – Default**) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. 
These clients then try to connect to other peers on the same network by using their private subnet IP.|
 | Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
 | Internet (3) | Enable Internet peer sources for Delivery Optimization. |
-| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. |
-|Bypass (100) |Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **(0)** or **(99)**. |
+| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). 
Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable, or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience over HTTP from the download's original source or a Microsoft Connected Cache server, with no peer-to-peer caching. |
+| Bypass (100) | This option is deprecated starting in Windows 11. If you want to disable peer-to-peer functionality, it's best to set DownloadMode to (0). If your device doesn’t have internet access, set Download Mode to (99). Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You don't need to set this option if you're using Configuration Manager. |
 > [!NOTE]
-> Starting in Windows 11, the Bypass option of Download Mode is no longer used.
+> Starting in Windows 11, the Bypass option of Download Mode is deprecated.
 >
 > [!NOTE]
 > When you use Azure Active Directory tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices.
 ### Group ID
-By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. 
This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
-
-[//]: # (Configuration Manager boundary group option; GroupID Source policy)
+By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but don't fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
 >[!NOTE]
 >To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/) 
@@ -139,14 +149,14 @@ By default, peer sharing on clients using the Group download mode (option 2) is
 Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source, when using a GroupID policy. The options are:
-- 0 = not set
+- 0 = Not set
 - 1 = AD Site
 - 2 = Authenticated domain SID
 - 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID)
 - 4 = DNS Suffix
 - 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
-When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
+When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. 
If you set the value to anything other than 0-5, the policy is ignored.
 ### Minimum RAM (inclusive) allowed to use Peer Caching
@@ -165,7 +175,7 @@ In environments configured for Delivery Optimization, you might want to set an e
 ### Max Cache Size
-This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20**.
+This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**.
 ### Absolute Max Cache Size
@@ -173,7 +183,7 @@ This setting specifies the maximum number of gigabytes the Delivery Optimization
 ### Minimum Peer Caching Content File Size
-This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000. **The default file size is 50MB** to participate in peering.
+This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000. **The default file size is 50 MB** to participate in peering.
 ### Maximum Download Bandwidth 
@@ -184,11 +194,11 @@ This setting specifies the maximum download bandwidth that can be used across al
 ### Maximum Foreground Download Bandwidth
-Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set.
+Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers aren't throttled even when this policy is set.
 ### Maximum Background Download Bandwidth
-Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers are not throttled even when this policy is set.
+Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers aren't throttled even when this policy is set.
 ### Percentage of Maximum Download Bandwidth 
@@ -199,43 +209,45 @@ This setting specifies the maximum download bandwidth that Delivery Optimization
 ### Max Upload Bandwidth
-This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). **The default value is "0", or "unlimited"** which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
+This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). **The default value is "0" or "unlimited"** which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it doesn't cap the upload bandwidth rate at a set rate.
 ### Set Business Hours to Limit Background Download Bandwidth
-Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy is not set.**
+Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. 
**By default, this policy isn't set.**
 ### Set Business Hours to Limit Foreground Download Bandwidth
-Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy is not set.**
+Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy isn't set.**
 ### Select a method to restrict peer selection
-Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there is no peering between subnets. **The default value in Windows 11 is set to "Local Peer Discovery"**.
+Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there's no peering between subnets. **The default value in Windows 11 is set to "Local Peer Discovery"**.
 If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID).
 The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. 
This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**.
-### Delay background download from http (in secs)
+### Delay background download from HTTP (in secs)
-Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy is not set.**
+Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't set.**
-### Delay foreground download from http (in secs)
+### Delay foreground download from HTTP (in secs)
-Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy is not set.**
+Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't set.**
 ### Delay Foreground Download Cache Server Fallback (in secs)
-Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first). **By default, this policy is not set.**
+Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. 
If the 'Delay foreground download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
+
+By default this policy isn't set. So,
 ### Delay Background Download Cache Server Fallback (in secs)
-Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If you set the policy to delay background download from http, it will apply first (to allow downloads from peers first). **By default, this policy is not set.**
+Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If the 'Delay background download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
 ### Minimum Background QoS
-This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. The lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. **The default value is 500KB/s**
+This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from HTTP sources. The lower this value is, the more content will be sourced using peers on the network rather than HTTP sources. The higher this value, the more content is received from HTTP sources, versus peers on the local network. **The default value is 2500 KB/s.**
 ### Modify Cache Drive 
@@ -247,7 +259,7 @@ This setting specifies the total amount of data in gigabytes that a Delivery Opt
 ### Enable Peer Caching while the device connects via VPN
-This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering is not allowed.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering isn't allowed.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
 ### Allow uploads while the device is on battery while under set Battery level 
@@ -259,10 +271,10 @@ The device can download from peers while on battery regardless of this policy.
 ### Cache Server Hostname
-Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somrandomhost.com,10.10.1.7. **By default, this policy is empty.**
+Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.**
 >[!IMPORTANT]
-> Any value will signify that the policy is set. For example, an empty string ("") is not considered empty.
+> Any value will signify that the policy is set. For example, an empty string ("") isn't considered empty.
 ### Cache Server Hostname Source
diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md
index 8b49d9f487..9fa907d90e 100644
--- a/windows/deployment/do/waas-delivery-optimization-setup.md
+++ b/windows/deployment/do/waas-delivery-optimization-setup.md
@@ -1,7 +1,7 @@
 ---
 title: Set up Delivery Optimization
 description: In this article, learn how to set up Delivery Optimization.
-author: carmenf
+author: cmknox
 ms.author: carmenf
 ms.reviewer: mstewart
 manager: aaroncz
@@ -10,6 +10,7 @@ ms.technology: itpro-updates
 ms.localizationpriority: medium
 ms.topic: how-to
 ms.date: 12/19/2022
+ms.collection: tier3
 ---
 # Set up Delivery Optimization for Windows 
@@ -25,16 +26,19 @@ ms.date: 12/19/2022
 You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
-You will find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**.
+You'll find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**.
 Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/mem/intune/configuration/delivery-optimization-windows).
-**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
+**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) to its new maximum value of 5.
+
+## Allow service endpoints
+
+When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Delivery Optimization FAQ](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) for more information.
 ## Allow content endpoints
-When using a firewall, it is important that the content endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md).
-
+When using a firewall, it's important that the content endpoints are allowed and associated ports are open. 
For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md).
 ## Recommended Delivery Optimization settings 
@@ -57,13 +61,13 @@ Quick-reference table: | Use case | Policy | Recommended value | Reason | | --- | --- | --- | --- | | Hub & spoke topology | Download mode | 1 or 2 | Automatic grouping of peers to match your topology | -| Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Leverage peers-to-peer capability in more downloads | +| Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Use peers-to-peer capability in more downloads | | Large number of mobile devices | Allow uploads on battery power | 60% | Increase # of devices that can upload while limiting battery drain | -| Labs with AC-powered devices | Content Expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period | +| Labs with AC-powered devices | Content expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period | ### Hybrid WAN scenario -For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter. +For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when the GroupID or GroupIDSource policies aren't set, is the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. 
If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider other options for dynamically creating groups, for example by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) policy. To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. 
@@ -71,14 +75,14 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza ### Hub and spoke topology with boundary groups -The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across groups, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else. If you're not using Active Directory sites, you should set *RestrictPeerSelectionBy* policies to restrict the activity to the subnet or set a different source for Groups by using the GroupIDSrc parameter. See [Select a method to restrict peer selection](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection). +The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else since those will be used by default as the source for creation of Group IDs. If you're not using Active Directory sites, you should set a different source for Groups by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet. -To do this in Group Policy go to ****Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. 
+To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to **2**. > [!NOTE] -> For more information about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). +> For more information about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optimization for Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). ### Large number of mobile devices 
@@ -90,11 +94,11 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza ### Plentiful free space and large numbers of devices -Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB. +Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you've more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you've more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB. -To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you have more than 30 devices) or 1 (if you have more than 100 devices). +To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you've more than 30 devices) or 1 (if you've more than 100 devices). -To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). 
+To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you've more than 30 devices) or 1 (if you've more than 100 devices). ### Lab scenario 
@@ -104,18 +108,18 @@ To do this in Group Policy, go to **Computer Configuration\Administrative Templa To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMaxCacheAge](/windows/client-management/mdm/policy-csp-deliveryoptimization#domaxcacheage) to 7 or more (up to 30 days). +[Learn more](delivery-optimization-test.md) about Delivery Optimization testing scenarios. [!INCLUDE [Monitor Delivery Optimization](includes/waas-delivery-optimization-monitor.md)] +### Monitor with Windows Update for Business Delivery Optimization Report -### Monitor with Update Compliance +Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days. -Update Compliance provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. +:::image type="content" source="/windows/deployment/update/images/wufb-do-overview.png" alt-text="This screenshot shows the Windows Update for Business report, Delivery Optimization status in Update Compliance." lightbox="/windows/deployment/update/images/wufb-do-overview.png"::: -[[DO status](images/UC_workspace_DO_status.png)](images/UC_workspace_DO_status.png#lightbox) - -For details, see [Delivery Optimization in Update Compliance](../update/update-compliance-delivery-optimization.md). +For details, see [Windows Update for Business Delivery Optimization Report](../update/wufb-reports-overview.md). ## Troubleshooting 
@@ -135,17 +139,17 @@ If you don't see any bytes coming from peers the cause might be one of the follo Try these steps: 1. Start a download of an app that is larger than 50 MB from the Store (for example "Candy Crush Saga"). -2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and observe the [DownloadMode](waas-delivery-optimization-reference.md#download-mode) setting. For peering to work, DownloadMode should be 1, 2, or 3. -3. If DownloadMode is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**. +2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and observe the [DODownloadMode](waas-delivery-optimization-reference.md#download-mode) setting. For peering to work, download mode should be 1, 2, or 3. +3. If the download mode is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**. ### The cloud service doesn't see other peers on the network Try these steps: 1. Download the same app on two different devices on the same network, waiting 10 – 15 minutes between downloads. -2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices. +2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices. 3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be non-zero. -4. 
If the number of peers is zero and **[DownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices are not reporting the same public IP address, configure **[DownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[GroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this. +4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this. > [!NOTE] > Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. 
@@ -155,7 +159,7 @@ Try these steps: Try a Telnet test between two devices on the network to ensure they can connect using port 7680. Follow these steps: 1. Install Telnet by running `dism /online /Enable-Feature /FeatureName:TelnetClient` from an elevated command prompt. -2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success. +2. Run the test. For example, if you are on device with IP 192.168.8.12 and you're trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You'll either see a connection error or a blinking cursor like this /_. The blinking cursor means success. > [!NOTE] > You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection) instead of Telnet to run the test. diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 149bfe398d..0f88d16b68 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -1,15 +1,13 @@ --- title: What is Delivery Optimization? -manager: dougeby +manager: aaroncz description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11. ms.prod: windows-client -author: carmenf +author: cmknox ms.localizationpriority: medium ms.author: carmenf -ms.collection: - - highpri +ms.collection: tier3, highpri ms.topic: article -ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates ms.date: 12/31/2017 --- 
@@ -21,11 +19,13 @@ ms.date: 12/31/2017 - Windows 10 - Windows 11 -> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). +> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678). -Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Configuration Manager (when installation of Express Updates is enabled). +Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). 
You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is completely optional. -Access to the Delivery Optimization cloud services and the Internet, are both requirements for using the peer-to-peer functionality of Delivery Optimization. +To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will seamlessly fall back to the HTTP source to get the requested content. + +You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Microsoft Intune/Windows Update for Business, or Microsoft Configuration Manager (when installation of Express Updates is enabled). For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). @@ -60,7 +60,7 @@ The following table lists the minimum Windows 10 version that supports Delivery | MDM Agent | Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Xbox Game Pass (PC) | Windows 10 1809, Windows 11 | :heavy_check_mark: | | :heavy_check_mark: | | Windows Package Manager| Windows 10 1809, Windows 11 | :heavy_check_mark: | | | -| MSIX | Windows 10 2004, Windows 11 | :heavy_check_mark: | | | +| MSIX Installer| Windows 10 2004, Windows 11 | :heavy_check_mark: | | | #### Windows Server 
diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md
index bc0d6223b6..3f99fd1880 100644
--- a/windows/deployment/do/waas-microsoft-connected-cache.md
+++ b/windows/deployment/do/waas-microsoft-connected-cache.md
@@ -1,15 +1,15 @@
 ---
 title: Microsoft Connected Cache overview
-manager: dougeby
+manager: aaroncz
 description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution.
 ms.prod: windows-client
-author: carmenf
+author: cmknox
 ms.localizationpriority: medium
 ms.author: carmenf
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-updates
 ms.date: 12/31/2017
+ms.collection: tier3
 ---
 
 # Microsoft Connected Cache overview
@@ -20,13 +20,21 @@ ms.date: 12/31/2017 - Windows 11 > [!IMPORTANT] -> Microsoft Connected Cache is currently a preview feature. To view our early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Microsoft Connected Cache is currently a preview feature. To view our Microsoft Connected Cache for ISPs early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). -Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. +Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. Microsoft Connected Cache has two main offerings: 1) Microsoft Connected Cache for Internet Service Providers and 2) Microsoft Connected Cache for Enterprise and Education (early preview). Both products are created and managed in the cloud portal. + +## Microsoft Connected Cache for ISPs (preview) +Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. 
+ +## Microsoft Connected Cache for Enterprise and Education (early preview) +Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. -Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: +## IoT Edge + +Both of Microsoft Connected Cache product offerings use Azure IoT Edge. Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: 1. Installs and updates MCC on your edge device. 1. 
Maintains Azure IoT Edge security standards on your edge device. @@ -51,8 +59,6 @@ The following diagram displays and overview of how MCC functions: :::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png"::: - - ## Next steps - [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise-prerequisites.md) diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md index 5d39e69f91..c3d46c8e64 100644 --- a/windows/deployment/do/waas-optimize-windows-10-updates.md +++ b/windows/deployment/do/waas-optimize-windows-10-updates.md @@ -3,22 +3,21 @@ title: Optimize Windows update delivery description: Two methods of peer-to-peer content distribution are available, Delivery Optimization and BranchCache. ms.prod: windows-client ms.localizationpriority: medium -author: aaroncz -ms.author: aaroncz -ms.reviewer: -manager: dougeby +author: mestew +ms.author: mstewart +manager: aaroncz ms.topic: article ms.technology: itpro-updates ms.date: 12/31/2017 +ms.collection: tier3 --- # Optimize Windows update delivery - **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
@@ -30,7 +29,7 @@ Two methods of peer-to-peer content distribution are available. Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources and the time it takes for clients to retrieve the updates. -- [BranchCache](../update/waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. +- [BranchCache](../update/waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows operating systems, and in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. >[!NOTE] >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. 
@@ -47,7 +46,7 @@ Two methods of peer-to-peer content distribution are available. > [!NOTE] > Microsoft Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](/configmgr/core/plan-design/hierarchy/client-peer-cache). > -> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Configuration Manager](/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic). +> In addition to Client Peer Cache, similar functionality is available in the Windows Pre-installation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Configuration Manager](/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic). ## Express update delivery 
@@ -57,6 +56,7 @@ Windows client quality update downloads can be large because every package conta > Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business. ### How Microsoft supports Express + - **Express on Microsoft Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update. - **Express on WSUS Standalone** @@ -67,6 +67,7 @@ Windows client quality update downloads can be large because every package conta ### How Express download works For OS updates that support Express, there are two versions of the file payload stored on the service: + 1. **Full-file version** - essentially replacing the local versions of the update binaries. 2. **Express version** - containing the deltas needed to patch the existing binaries on the device. diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md index 3239c88eeb..87d135c896 100644 --- a/windows/deployment/do/whats-new-do.md +++ b/windows/deployment/do/whats-new-do.md @@ -1,15 +1,15 @@ --- title: What's new in Delivery Optimization -manager: dougeby +manager: aaroncz description: What's new in Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11. ms.prod: windows-client -author: carmenf +author: cmknox ms.localizationpriority: medium ms.author: carmenf ms.topic: article -ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates ms.date: 12/31/2017 +ms.collection: tier3 --- # What's new in Delivery Optimization diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index ad1f0f4c84..1387984499 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json 
@@ -34,6 +34,9 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "ms.collection": [
+ "tier2"
+ ],
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-M365-IT",
 "feedback_system": "GitHub",
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index 58bb72052d..5e9e859e17 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -9,8 +9,7 @@ metadata:
 ms.topic: landing-page
 ms.technology: itpro-apps
 ms.prod: windows-client
- ms.collection:
- - highpri
+ ms.collection: highpri, tier1
 author: frankroj
 ms.author: frankroj
 manager: aaroncz
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index eb154e5d93..4caffd0228 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -8,8 +8,7 @@ ms.date: 11/23/2022
 manager: aaroncz
 ms.localizationpriority: high
 ms.topic: article
-ms.custom: seo-marvel-apr2020
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-deploy
 ---
 
diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md
index 4a758fcbc4..07cf3c224a 100644
--- a/windows/deployment/planning/act-technical-reference.md
+++ b/windows/deployment/planning/act-technical-reference.md
@@ -1,7 +1,6 @@
 ---
 title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10)
 description: The Microsoft Application Compatibility Toolkit (ACT) helps you see if the apps and devices in your org are compatible with different versions of Windows.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md
index a66f84e71b..17ef12c6b3 100644
--- a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md
+++ b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md
@@ -1,7 +1,6 @@
 ---
 title: Applying Filters to Data in the SUA Tool (Windows 10)
 description: Learn how to apply filters to results from the Standard User Analyzer (SUA) tool while testing your application.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
index 1d00068f16..4e03a9e206 100644
--- a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
+++ b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
@@ -1,7 +1,6 @@
 ---
 title: Available Data Types and Operators in Compatibility Administrator (Windows 10)
 description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
index 64b214e0e5..07285db62e 100644
--- a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
+++ b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
@@ -1,7 +1,6 @@
 ---
 title: Best practice recommendations for Windows To Go (Windows 10)
 description: Learn about best practice recommendations for using Windows To Go, like using a USB 3.0 port with Windows to Go if it's available.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md
index 57500f6608..64ed4fae58 100644
--- a/windows/deployment/planning/compatibility-administrator-users-guide.md
+++ b/windows/deployment/planning/compatibility-administrator-users-guide.md
@@ -1,13 +1,11 @@
 ---
 title: Compatibility Administrator User's Guide (Windows 10)
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 description: The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows.
 ms.prod: windows-client
 author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-mar2020
 ms.technology: itpro-deploy
 ms.date: 10/28/2022
 ---
diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md
index e6aa979948..49fca85218 100644
--- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md
+++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md
@@ -1,6 +1,5 @@
 ---
 title: Compatibility Fix Database Management Strategies and Deployment (Windows 10)
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 description: Learn how to deploy your compatibility fixes into an application-installation package or through a centralized compatibility-fix database.
@@ -8,7 +7,6 @@ ms.prod: windows-client
 author: frankroj
 ms.date: 10/28/2022
 ms.topic: article
-ms.custom: seo-marvel-mar2020
 ms.technology: itpro-deploy
 ---
 
diff --git a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
index 36d1893c70..79207612a8 100644
--- a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
+++ b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
@@ -1,14 +1,12 @@
 ---
 title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, & Windows Vista
 description: Find compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 author: frankroj
 ms.date: 10/28/2022
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-deploy
 ---
diff --git a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
index 82a1bae472..18f1b3e14e 100644
--- a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
+++ b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
@@ -1,7 +1,6 @@
 ---
 title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windows 10)
 description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
index 01691fdc5d..80892aa2d5 100644
--- a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
+++ b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
@@ -1,7 +1,6 @@
 ---
 title: Create a Custom Compatibility Mode (Windows 10)
 description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
index 78bd540870..31f4cff7a1 100644
--- a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
+++ b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
@@ -1,7 +1,6 @@
 ---
 title: Create AppHelp Message in Compatibility Administrator (Windows 10)
 description: Create an AppHelp text message with Compatibility Administrator; a message that appears upon starting an app with major issues on the Windows® operating system.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
index 45096f66f5..e4cce0cd24 100644
--- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
@@ -1,13 +1,11 @@
 ---
 title: Deployment considerations for Windows To Go (Windows 10)
 description: Learn about deployment considerations for Windows To Go, such as the boot experience, deployment methods, and tools that you can use with Windows To Go.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-deploy
 ms.date: 10/28/2022
 ---
diff --git a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
index 6be90716a2..a6299026c3 100644
--- a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
+++ b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
@@ -1,13 +1,11 @@
 ---
 title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator
 description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-deploy
 ms.date: 10/28/2022
 ---
diff --git a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
index 8f65a9df75..a39866b132 100644
--- a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
+++ b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
@@ -1,7 +1,6 @@
 ---
 title: Fixing Applications by Using the SUA Tool (Windows 10)
 description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
index 4744b0559a..2cf46ee778 100644
--- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
+++ b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
@@ -1,7 +1,6 @@
 ---
 title: Install/Uninstall Custom Databases (Windows 10)
 description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
index 99aae19234..9c90b3ca24 100644
--- a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
+++ b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
@@ -1,7 +1,6 @@
 ---
 title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10)
 description: Learn why you should use compatibility fixes, and how to deploy and manage custom-compatibility fix databases.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
index a1328a53ce..5f5b94be3f 100644
--- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
+++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
@@ -1,13 +1,11 @@
 ---
 title: Prepare your organization for Windows To Go (Windows 10)
-description: Though Windows To Go is no longer being developed, you can find info here about the "what", "why", and "when" of deployment.
-ms.reviewer:
+description: Though Windows To Go is no longer being developed, you can find info here about the what, why, and when of deployment.
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-deploy
 ms.date: 10/28/2022
 ---
diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
index 05272344a0..826f2dfc4c 100644
--- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
@@ -1,7 +1,6 @@
 ---
 title: Searching for Fixed Applications in Compatibility Administrator (Windows 10)
 description: Compatibility Administrator can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
index 5d49ad0b11..4c0f2e2689 100644
--- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
@@ -1,7 +1,6 @@
 ---
 title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10)
 description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
index 6eeb930f19..b376163521 100644
--- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
@@ -1,7 +1,6 @@
 ---
 title: Security and data protection considerations for Windows To Go (Windows 10)
 description: Ensure that the data, content, and resources you work with in the Windows To Go workspace are protected and secure.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
index e08401cc6b..25850695fc 100644
--- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
+++ b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
@@ -1,7 +1,6 @@
 ---
 title: Showing Messages Generated by the SUA Tool (Windows 10)
 description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md
index 2da3a82f9e..4f53104c76 100644
--- a/windows/deployment/planning/sua-users-guide.md
+++ b/windows/deployment/planning/sua-users-guide.md
@@ -1,8 +1,6 @@
 ---
 title: SUA User's Guide (Windows 10)
 description: Learn how to use Standard User Analyzer (SUA). SUA can test your apps and monitor API calls to detect compatibility issues related to the Windows User Account Control (UAC) feature.
-ms.custom: seo-marvel-apr2020
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
index 4b809cd144..a2dff7087c 100644
--- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
+++ b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
@@ -1,7 +1,6 @@
 ---
 title: Tabs on the SUA Tool Interface (Windows 10)
 description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md
index 28f0233990..b2ff9f8850 100644
--- a/windows/deployment/planning/testing-your-application-mitigation-packages.md
+++ b/windows/deployment/planning/testing-your-application-mitigation-packages.md
@@ -1,7 +1,6 @@
 ---
 title: Testing Your Application Mitigation Packages (Windows 10)
 description: Learn how to test your application-mitigation packages, including how to report your information and how to resolve any outstanding issues.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
index fe304771ef..ee6976fca5 100644
--- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
+++ b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
@@ -1,7 +1,6 @@
 ---
 title: Understanding and Using Compatibility Fixes (Windows 10)
 description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
index 586884be61..cb156708b7 100644
--- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md
+++ b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
@@ -1,7 +1,6 @@
 ---
 title: Using the Compatibility Administrator Tool (Windows 10)
 description: This section provides information about using the Compatibility Administrator tool.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
index 9ce7891647..f6e1a6fbee 100644
--- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
+++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
@@ -1,7 +1,6 @@
 ---
 title: Using the Sdbinst.exe Command-Line Tool (Windows 10)
 description: Learn how to deploy customized database (.sdb) files using the Sdbinst.exe Command-Line Tool. Review a list of command-line options.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md
index 6e2479ed22..5b72bfbc4b 100644
--- a/windows/deployment/planning/using-the-sua-tool.md
+++ b/windows/deployment/planning/using-the-sua-tool.md
@@ -1,7 +1,6 @@
 ---
 title: Using the SUA Tool (Windows 10)
 description: The Standard User Analyzer (SUA) tool can test applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md
index 5ce139085f..ce121c5440 100644
--- a/windows/deployment/planning/using-the-sua-wizard.md
+++ b/windows/deployment/planning/using-the-sua-wizard.md
@@ -1,7 +1,6 @@
 ---
 title: Using the SUA wizard (Windows 10)
 description: The Standard User Analyzer (SUA) wizard, although it doesn't offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
index 88e06925c5..44cf622430 100644
--- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
+++ b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
@@ -1,7 +1,6 @@
 ---
 title: Viewing the Events Screen in Compatibility Administrator (Windows 10)
 description: You can use the Events screen to record and view activities in the Compatibility Administrator tool.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md
index 11fe1573d4..e444794da2 100644
--- a/windows/deployment/planning/windows-10-compatibility.md
+++ b/windows/deployment/planning/windows-10-compatibility.md
@@ -1,7 +1,6 @@
 ---
 title: Windows 10 compatibility (Windows 10)
 description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index 09dbb881a7..2a900b672d 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -1,7 +1,6 @@
 ---
 title: Windows 10 deployment considerations (Windows 10)
 description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index 26aff43d39..7341f4b302 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -1,7 +1,6 @@
 ---
 title: Windows 10 infrastructure requirements (Windows 10)
 description: Review the infrastructure requirements for deployment and management of Windows 10, prior to significant Windows 10 deployments within your organization.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
index 5465e73df5..f9b22c70d2 100644
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ b/windows/deployment/planning/windows-to-go-overview.md
@@ -1,15 +1,13 @@
 ---
 title: Windows To Go feature overview (Windows 10)
 description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that lets you create a workspace that can be booted from a USB-connected drive.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 author: frankroj
 ms.topic: article
 ms.technology: itpro-deploy
-ms.collection:
- - highpri
+ms.collection: highpri, tier2
 ms.date: 10/28/2022
 ---
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index 6263da1c9b..edf0aba102 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -7,7 +7,6 @@ manager: aaroncz
 author: frankroj
 ms.author: frankroj
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.date: 11/23/2022
 ms.technology: itpro-deploy
 ---
diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md
index d60d4df294..c73105ae1b 100644
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@@ -2,25 +2,12 @@
 title: How to check Windows release health
 description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
 ms.date: 08/16/2022
-ms.author: v-nishmi
-author: DocsPreview
-manager: jren
+ms.author: mstewart
+author: mestew
+manager: aaroncz
 ms.reviewer: mstewart
 ms.topic: how-to
 ms.prod: windows-client
-localization_priority: medium
-ms.custom:
- - Adm_O365
- - 'O365P_ServiceHealthModern'
- - 'O365M_ServiceHealthModern'
- - 'O365E_ViewStatusServices'
- - 'O365E_ServiceHealthModern'
- - 'seo-marvel-apr2020'
-search.appverid:
- - MET150
- - MOE150
- - BCS160
- - IWA160
 ms.technology: itpro-updates
 ---
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index bc649af09d..0f0a693609 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md 
@@ -110,32 +110,3 @@ During the broad deployment phase, you should focus on the following activities: - Deploy to all devices in the organization. - Work through any final unusual issues that weren't detected in your Limited ring. - - -## Ring deployment planning - -Previously, we have provided methods for analyzing your deployments, but these have been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We've combined many of these tasks, and more, into a single interface with Desktop Analytics. - - -[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Configuration Manager](/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to -make informed decisions about the readiness of your Windows devices. - -In Windows client deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Configuration Manager can help you assess app compatibility with the latest -feature update. You can create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions. - -> [!IMPORTANT] -> Desktop Analytics does not support preview (Windows Insider) builds; use Configuration Manager to deploy to your Preview ring. As noted previously, the Preview ring is a small group of devices represents your ecosystem very well in terms of app, driver, and hardware diversity. 
- -### Deployment plan options - -There are two ways to implement a ring deployment plan, depending on how you manage your devices: - -- If you're using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](/mem/configmgr/desktop-analytics/about-deployment-plans). -- If you're using Microsoft Intune, see [Create deployment plans directly in Intune](/mem/intune/fundamentals/planning-guide). - -For more about Desktop Analytics, see these articles: - -- [How to set up Desktop Analytics](/mem/configmgr/desktop-analytics/set-up) -- [Tutorial: Deploy Windows 10 to Pilot](/mem/configmgr/desktop-analytics/tutorial-windows10) -- [Desktop Analytics documentation](/mem/configmgr/desktop-analytics/overview) -- [Intune deployment planning, design, and implementation guide](/mem/intune/fundamentals/planning-guide) diff --git a/windows/deployment/update/deploy-updates-intune.md b/windows/deployment/update/deploy-updates-intune.md index d30f45fc12..5c884406fd 100644 --- a/windows/deployment/update/deploy-updates-intune.md +++ b/windows/deployment/update/deploy-updates-intune.md @@ -8,8 +8,7 @@ ms.author: mstewart manager: aaroncz ms.topic: article ms.technology: itpro-updates -ms.collection: - - highpri +ms.collection: highpri, tier2 ms.date: 12/31/2017 --- diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/update/deployment-service-drivers.md new file mode 100644 index 0000000000..d7608bf6f1 --- /dev/null +++ b/windows/deployment/update/deployment-service-drivers.md 
@@ -0,0 +1,335 @@
+---
+title: Deploy drivers and firmware updates with Windows Update for Business deployment service.
+description: Use Windows Update for Business deployment service to deploy driver and firmware updates.
+ms.prod: windows-client
+author: mestew
+ms.localizationpriority: medium
+ms.author: mstewart
+manager: aaroncz
+ms.topic: article
+ms.technology: itpro-updates
+ms.date: 02/14/2023
+---
+
+# Deploy drivers and firmware updates with Windows Update for Business deployment service
+
+***(Applies to: Windows 11 & Windows 10)***
+
+The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune).
+
+This article uses [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) to walk through the entire process of deploying a driver update to clients. In this article, you will:
+> [!div class="checklist"]
+>
+> - [Open Graph Explorer](#open-graph-explorer)
+> - [Run queries to identify devices](#run-queries-to-identify-devices)
+> - [Enroll devices](#enroll-devices)
+> - [Create a deployment audience and add audience members](#create-a-deployment-audience-and-add-audience-members)
+> - [Create an update policy](#create-an-update-policy)
+> - [Review applicable driver content](#review-applicable-driver-content)
+> - [Approve driver content for deployment](#approve-driver-content-for-deployment)
+> - [Revoke content approval](#revoke-content-approval)
+> - [Unenroll devices](#unenroll-devices)
+
+## Prerequisites
+
+All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met.
+
+### Permissions
+
+
+[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-graph-explorer-permissions.md)]
+
+## Open Graph Explorer
+
+
+[!INCLUDE [Graph Explorer sign in](./includes/wufb-deployment-graph-explorer.md)]
+
+## Run queries to identify devices
+
+
+[!INCLUDE [Graph Explorer device queries](./includes/wufb-deployment-find-device-name-graph-explorer.md)]
+
+## Enroll devices
+
+When you enroll devices into driver management, the deployment service becomes the authority for driver updates coming from Windows Update. Devices don't receive drivers or firmware from Windows Update until a deployment is manually created or they're added to a driver update policy with approvals.
+
+
+[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-enroll-device-graph-explorer.md)]
+
+## Create a deployment audience and add audience members
+
+
+[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-audience-graph-explorer.md)]
+
+Once a device has been enrolled and added to a deployment audience, the Windows Update for Business deployment service will start collecting scan results from Windows Update to build a catalog of applicable drivers to be browsed, approved, and scheduled for deployment.
+
+## Create an update policy
+
+Update policies define how content is deployed to a deployment audience. An [update policy](/graph/api/resources/windowsupdates-updatepolicy) ensures deployments to a deployment audience behave in a consistent manner without having to create and manage multiple individual deployments. When a content approval is added to the policy, it's deployed to the devices in the associated audiences. The deployment and monitoring settings are optional.
+
+> [!IMPORTANT]
+> Any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) configured for a [content approval](#approve-driver-content-for-deployment) will be combined with the existing update policy's deployment settings. If the content approval and update policy specify the same deployment setting, the setting from the content approval is used.
+
+
+### Create a policy and define the settings later
+
+To create a policy without any deployment settings, in the request body specify the **Audience ID** as `id`. In the following example, the **Audience ID** is `d39ad1ce-0123-4567-89ab-cdef01234567`, and the `id` given in the response is the **Policy ID**:
+
+ ```msgraph-interactive
+ POST https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies
+ content-type: application/json
+
+ {
+ "audience": {
+ "@odata.id": "d39ad1ce-0123-4567-89ab-cdef01234567"
+ }
+ }
+ ```
+
+Response returning the policy, without any additional settings specified, that has a **Policy ID** of `9011c330-1234-5678-9abc-def012345678`:
+
+```json
+HTTP/1.1 202 Accepted
+content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/updatePolicies/$entity",
+ "id": "9011c330-1234-5678-9abc-def012345678",
+ "createdDateTime": "2023-01-25T05:32:21.9721459Z",
+ "autoEnrollmentUpdateCategories": [],
+ "complianceChangeRules": [],
+ "deploymentSettings": {
+ "schedule": null,
+ "monitoring": null,
+ "contentApplicability": null,
+ "userExperience": null,
+ "expedite": null
+ }
+}
+```
+
+### Specify settings during policy creation
+
+To create a policy with additional settings, in the request body:
+ - Specify the **Audience ID** as `id`
+ - Define any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings).
+ - Add the `content-length` header to the request if a status code of 411 occurs. The value should be the length of the request body in bytes. For information on error codes, see [Microsoft Graph error responses and resource types](/graph/errors).
+
+ In the following driver update policy example, any deployments created by a content approval will start 7 days after approval for **Audience ID** `d39ad1ce-0123-4567-89ab-cdef01234567`:
+
+ ```msgraph-interactive
+ POST https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies
+ content-type: application/json
+
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.updatePolicy",
+ "audience": {
+ "@odata.id": "d39ad1ce-0123-4567-89ab-cdef01234567"
+ },
+ "complianceChanges": [
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.contentApproval"
+ }
+ ],
+ "complianceChangeRules": [
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.contentApprovalRule",
+ "contentFilter": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateFilter"
+ },
+ "durationBeforeDeploymentStart": "P7D"
+ }
+ ]
+ }
+ ```
+
+
+### Review and edit update policy settings
+
+To review the policy settings, run the following query using the **Policy ID**, for example `9011c330-1234-5678-9abc-def012345678`:
+
+ ```msgraph-interactive
+ GET https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678
+ ```
+
+To edit the policy settings, **PATCH** the policy using the **Policy ID**. Run the following **PATCH** to automatically approve driver content that's recommended by `Microsoft`for deployment for **Policy ID** `9011c330-1234-5678-9abc-def012345678`:
+
+``` msgraph-interactive
+PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678
+content-type: application/json
+
+{
+ "complianceChangeRules": [
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.contentApprovalRule",
+ "contentFilter": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateFilter"
+ }
+ }
+ ],
+ "deploymentSettings": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.deploymentSettings",
+ "contentApplicability": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.contentApplicabilitySettings",
+ "offerWhileRecommendedBy": ["microsoft"]
+ }
+ }
+}
+```
+
+
+## Review applicable driver content
+
+Once Windows Update for Business deployment service has scan results from devices, the applicability for driver and firmware updates can be displayed for a deployment audience. Each applicable update returns the following information:
+
+- An `id` for its [catalog entry](/graph/api/resources/windowsupdates-catalogentry)
+- The **Azure AD ID** of the devices it's applicable to
+- Information describing the update such as the name and version.
+
+To display [applicable content](/graph/api/resources/windowsupdates-applicablecontent), run a query using the **Audience ID**, for example `d39ad1ce-0123-4567-89ab-cdef01234567`:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/applicableContent
+```
+
+The following truncated response displays:
+ - An **Azure AD ID** of `01234567-89ab-cdef-0123-456789abcdef`
+ - The **Catalog ID** of `5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c`
+
+ ```json
+ "matchedDevices": [
+ {
+ "recommendedBy": [
+ "Microsoft"
+ ],
+ "deviceId": "01ea3c90-12f5-4093-a4c9-c1434657c976"
+ }
+ ],
+ "catalogEntry": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateCatalogEntry",
+ "id": "5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c",
+ "displayName": "Microsoft - Test - 1.0.0.1",
+ "deployableUntilDateTime": null,
+ "releaseDateTime": "0001-01-21T04:18:32Z",
+ "description": "Microsoft test driver update released in January 2021",
+ "driverClass": "OtherHardware",
+ "provider": "Microsoft",
+ "setupInformationFile": null,
+ "manufacturer": "Microsoft",
+ "version": "1.0.0.1",
+ "versionDateTime": "2021-01-11T02:43:14Z"
+ ```
+
+## Approve driver content for deployment
+
+Each driver update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). Approve content for drivers and firmware by adding a [content approval](/graph/api/resources/windowsupdates-contentapproval) for the catalog entry to an existing policy. Content approval is a [compliance change](/graph/api/resources/windowsupdates-compliancechange) for the policy.
+
+> [!IMPORTANT]
+> Any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) configured for the content approval will be combined with the existing [update policy's](#create-an-update-policy) deployment settings. If the content approval and update policy specify the same deployment setting, the setting from the content approval is used.
+
+Add a content approval to an existing policy, **Policy ID** `9011c330-1234-5678-9abc-def012345678` for the driver update with the **Catalog ID** `5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c`. Schedule the start date for February 14, 2023 at 1 AM UTC:
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges
+content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.windowsUpdates.contentApproval",
+ "content": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
+ "catalogEntry": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateCatalogEntry",
+ "id": "5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c"
+ }
+ },
+ "deploymentSettings": {
+ "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
+ "schedule": {
+ "startDateTime": "2023-02-14T01:00:00Z"
+ }
+ }
+}
+```
+
+The response for a content approval returns content and deployment settings along with an `id`, which is the **Compliance Change ID**. The **Compliance Change ID** is `c03911a7-9876-5432-10ab-cdef98765432` in the following truncated response:
+
+```json
+ "@odata.type": "#microsoft.graph.windowsUpdates.contentApproval",
+ "id": "c03911a7-9876-5432-10ab-cdef98765432",
+ "createdDateTime": "2023-02-02T17:54:39.173292Z",
+ "isRevoked": false,
+ "revokedDateTime": "0001-01-01T00:00:00Z",
+ "content": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
+ "catalogEntry": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateCatalogEntry",
+ "id": "5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c"
+ }
+ },
+ "deploymentSettings": {
+ "schedule": {
+ "startDateTime": "2023-02-14T01:00:00Z",
+```
+
+Review all of the compliance changes to a policy with the most recent changes listed in the response first. The following example returns the compliance changes for a policy with the **Policy ID** `9011c330-1234-5678-9abc-def012345678` and sorts by `createdDateTime` in descending order:
+
+ ```msgraph-interactive
+ GET https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges?orderby=createdDateTime desc
+ ```
+
+ > [!TIP]
+ > There should only be one **Compliance Change ID** per **Catalog ID** for a policy. If there are multiple **Compliance Change IDs** for the same **Catalog ID** then, most likely, there's multiple deployments for the same piece of content targeted to the same audience but with different deployment behaviors. To remove the duplicate, [delete the compliance change](/graph/api/windowsupdates-compliancechange-delete) with the duplicate **Catalog ID**. Deleting the compliance change will mark any deployments created by the approval as `archived`.
+
+To retrieve the deployment ID, use the [expand parameter](/graph/query-parameters#expand-parameter) to review the deployment information related the content approval. The following example displays the content approval and the deployment information for **Compliance Change ID** `c03911a7-9876-5432-10ab-cdef98765432` in update **Policy ID** `9011c330-1234-5678-9abc-def012345678`:
+
+ ```msgraph-interactive
+ GET https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432/$/microsoft.graph.windowsUpdates.contentApproval?$expand=deployments
+ ```
+
+### Edit deployment settings for a content approval
+
+Since content approval is a compliance change for the policy, when you [update a content approval](/graph/api/windowsupdates-contentapproval-update), you're editing the compliance change for the policy. The following example changes the `startDateTime` for the **Compliance Change ID** of `c03911a7-9876-5432-10ab-cdef98765432` in the update **Policy ID** `9011c330-1234-5678-9abc-def012345678` to February 28, 2023 at 5 AM UTC:
+
+```msgraph-interactive
+PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432
+content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.windowsUpdates.contentApproval",
+ "deploymentSettings": {
+ "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
+ "schedule": {
+ "startDateTime": "2023-02-28T05:00:00Z"
+ }
+ }
+}
+```
+
+## Revoke content approval
+
+Approval for content can be revoked by setting the `isRevoked` property of the [compliance change](/graph/api/resources/windowsupdates-compliancechange) to true. This setting can be changed while a deployment is in progress. However, revoking will only prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new [approval](#approve-driver-content-for-deployment) will need to be created.
+
+```msgraph-interactive
+PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432
+content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.windowsUpdates.contentApproval",
+ "isRevoked": true
+}
+```
+
+To display all deployments with the most recently created returned first, order deployments based on the `createdDateTime`:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/admin/windows/updates/deployments?orderby=createdDateTime desc
+```
+
+## Unenroll devices
+
+
+[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-graph-unenroll.md)]
+
+## Policy considerations for drivers
+
+
+[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)]
\ No newline at end of file
diff --git a/windows/deployment/update/deployment-service-expedited-updates.md b/windows/deployment/update/deployment-service-expedited-updates.md
new file mode 100644
index 0000000000..14b6fec38a
--- /dev/null
+++ b/windows/deployment/update/deployment-service-expedited-updates.md
@@ -0,0 +1,196 @@
+---
+title: Deploy expedited updates with Windows Update for Business deployment service
+description: Use Windows Update for Business deployment service to deploy expedited updates.
+ms.prod: windows-client
+author: mestew
+ms.localizationpriority: medium
+ms.author: mstewart
+manager: aaroncz
+ms.topic: article
+ms.technology: itpro-updates
+ms.date: 02/14/2023
+---
+
+# Deploy expedited updates with Windows Update for Business deployment service
+
+
+***(Applies to: Windows 11 & Windows 10)***
+
+In this article, you will:
+> [!div class="checklist"]
+>
+> * [Open Graph Explorer](#open-graph-explorer)
+> * [Run queries to identify test devices](#run-queries-to-identify-devices)
+> * [List catalog entries for expedited updates](#list-catalog-entries-for-expedited-updates)
+> * [Create a deployment](#create-a-deployment)
+> * [Add members to the deployment audience](#add-members-to-the-deployment-audience)
+> * [Delete a deployment](#delete-a-deployment)
+
+## Prerequisites
+
+All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met.
+
+### Permissions
+
+
+[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-graph-explorer-permissions.md)]
+
+## Open Graph Explorer
+
+
+[!INCLUDE [Graph Explorer sign in](./includes/wufb-deployment-graph-explorer.md)]
+
+## Run queries to identify devices
+
+
+[!INCLUDE [Graph Explorer device queries](./includes/wufb-deployment-find-device-name-graph-explorer.md)]
+
+## List catalog entries for expedited updates
+
+Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security updates that can be deployed as expedited updates by the deployment service. Using `$top=3` and ordering by `ReleaseDateTimeshows` displays the three most recent updates.
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=3
+```
+
+The following truncated response displays a **Catalog ID** of `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432` for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update:
+
+```json
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries",
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
+ "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432",
+ "displayName": "01/10/2023 - 2023.01 B Security Updates for Windows 10 and later",
+ "deployableUntilDateTime": null,
+ "releaseDateTime": "2023-01-10T00:00:00Z",
+ "isExpeditable": true,
+ "qualityUpdateClassification": "security"
+ },
+ ...
+ ]
+}
+```
+
+## Create a deployment
+
+When creating a deployment, there are [multiple options](/graph/api/resources/windowsupdates-deploymentsettings) available to define how the deployment behaves. The following example creates a deployment for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update with catalog entry ID `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432`, and defines the `expedite` and `userExperience` deployment options in the request body.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
+content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.windowsUpdates.deployment",
+ "content": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
+ "catalogEntry": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
+ "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432"
+ }
+ },
+ "settings": {
+ "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
+ "expedite": {
+ "isExpedited": true
+ },
+ "userExperience": {
+ "daysUntilForcedReboot": 2
+ }
+ }
+}
+```
+
+The request returns a 201 Created response code and a [deployment](/graph/api/resources/windowsupdates-deployment) object in the response body for the newly created deployment, which includes:
+
+- The **Deployment ID** `de910e12-3456-7890-abcd-ef1234567890` of the newly created deployment.
+- The **Audience ID** `d39ad1ce-0123-4567-89ab-cdef01234567` of the newly created deployment audience.
+
+```json
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments/$entity",
+ "id": "de910e12-3456-7890-abcd-ef1234567890",
+ "createdDateTime": "2023-02-09T22:55:04.8547517Z",
+ "lastModifiedDateTime": "2023-02-09T22:55:04.8547524Z",
+ "state": {
+ "effectiveValue": "offering",
+ "requestedValue": "none",
+ "reasons": []
+ },
+ "content": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
+ "catalogEntry@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/content/microsoft.graph.windowsUpdates.catalogContent/catalogEntry/$entity",
+ "catalogEntry": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
+ "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432",
+ "displayName": null,
+ "deployableUntilDateTime": null,
+ "releaseDateTime": "2023-01-10T00:00:00Z",
+ "isExpeditable": false,
+ "qualityUpdateClassification": "security"
+ }
+ },
+ "settings": {
+ "schedule": null,
+ "monitoring": null,
+ "contentApplicability": null,
+ "userExperience": {
+ "daysUntilForcedReboot": 2
+ },
+ "expedite": {
+ "isExpedited": true
+ }
+ },
+ "audience@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/audience/$entity",
+ "audience": {
+ "id": "d39ad1ce-0123-4567-89ab-cdef01234567",
+ "applicableContent": []
+ }
+}
+```
+
+## Add members to the deployment audience
+
+The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be expedited.
+
+The following example adds two devices to the deployment audience using the **Azure AD ID** for each device:
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
+content-type: application/json
+
+{
+ "addMembers": [
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
+ "id": "01234567-89ab-cdef-0123-456789abcdef"
+ },
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
+ "id": "01234567-89ab-cdef-0123-456789abcde0"
+ }
+ ]
+}
+```
+
+To verify the devices were added to the audience, run the following query using the **Audience ID** of `d39ad1ce-0123-4567-89ab-cdef01234567`:
+
+ ```msgraph-interactive
+ GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/members
+ ```
+
+## Delete a deployment
+
+To stop an expedited deployment, DELETE the deployment. Deleting the deployment will prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new approval will need to be created.
+
+
+The following example deletes the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
+
+```msgraph-interactive
+DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
+```
+
+
+
+[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)]
\ No newline at end of file
diff --git a/windows/deployment/update/deployment-service-feature-updates.md b/windows/deployment/update/deployment-service-feature-updates.md
new file mode 100644
index 0000000000..b1a289befa
--- /dev/null
+++ b/windows/deployment/update/deployment-service-feature-updates.md
@@ -0,0 +1,292 @@
+---
+title: Deploy feature updates with Windows Update for Business deployment service.
+description: Use Windows Update for Business deployment service to deploy feature updates.
+ms.prod: windows-client
+author: mestew
+ms.localizationpriority: medium
+ms.author: mstewart
+manager: aaroncz
+ms.topic: article
+ms.technology: itpro-updates
+ms.date: 02/14/2023
+---
+
+# Deploy feature updates with Windows Update for Business deployment service
+
+***(Applies to: Windows 11 & Windows 10)***
+
+The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune).
+
+This article uses [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) to walk through the entire process of deploying a feature update to clients. In this article, you will:
+
+In this article, you will:
+> [!div class="checklist"]
+> * [Open Graph Explorer](#open-graph-explorer)
+> * [Run queries to identify devices](#run-queries-to-identify-devices)
+> * [Enroll devices](#enroll-devices)
+> * [List catalog entries for feature updates](#list-catalog-entries-for-feature-updates)
+> * [Create a deployment](#create-a-deployment)
+> * [Add members to the deployment audience](#add-members-to-the-deployment-audience)
+> * [Pause a deployment](#pause-a-deployment)
+> * [Delete a deployment](#delete-a-deployment)
+> * [Unenroll devices](#unenroll-devices)
+
+
+## Prerequisites
+
+All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met.
+
+### Permissions
+
+
+[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-graph-explorer-permissions.md)]
+
+## Open Graph Explorer
+
+
+[!INCLUDE [Graph Explorer sign in](./includes/wufb-deployment-graph-explorer.md)]
+
+## Run queries to identify devices
+
+
+[!INCLUDE [Graph Explorer device queries](./includes/wufb-deployment-find-device-name-graph-explorer.md)]
+
+## Enroll devices
+
+When you enroll devices into feature update management, the deployment service becomes the authority for feature updates coming from Windows Update.
+As long as a device remains enrolled in feature update management through the deployment service, the device doesn't receive any other feature updates from Windows Update unless explicitly deployed using the deployment service. A device is offered the specified feature update if it hasn't already received the update. For example, if you deploy Windows 11 feature update version 22H2 to a device that's enrolled into feature update management and is currently on an older version of Windows 11, the device updates to version 22H2. If the device is already running version 22H2 or a later version, it stays on its current version.
+
+> [!TIP]
+> Windows Update for Business reports has a [workbook](wufb-reports-workbook.md#feature-updates-tab) that displays the current operating system version for devices. In the workbook, go to the **Feature updates** tab and in the **In Service feature update** tile, select the **View details** link to open the details flyout. The OS version and Azure AD ID of devices can easily be exported into a .csv file or opened in [Azure Monitor Logs](/azure/azure-monitor/logs/log-query-overview) to help when creating a deployment audience.
+
+
+[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-enroll-device-graph-explorer.md)]
+
+## List catalog entries for feature updates
+
+Each feature update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). The `id` returned is the **Catalog ID** and is used to create a deployment. Feature updates are deployable until they reach their support retirement dates. For more information, see the support lifecycle dates for [Windows 10](/lifecycle/products/windows-10-enterprise-and-education) and [Windows 11](/lifecycle/products/windows-11-enterprise-and-education) Enterprise and Education editions. The following query lists all deployable feature update catalog entries:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.featureUpdateCatalogEntry')
+```
+
+The following truncated response displays a **Catalog ID** of `d9049ddb-0ca8-4bc1-bd3c-41a456ef300f` for the Windows 11, version 22H2 feature update:
+
+```json
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries",
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry",
+ "id": "d9049ddb-0ca8-4bc1-bd3c-41a456ef300f",
+ "displayName": "Windows 11, version 22H2",
+ "deployableUntilDateTime": "2025-10-14T00:00:00Z",
+ "releaseDateTime": "2022-09-20T00:00:00Z",
+ "version": "Windows 11, version 22H2"
+ }
+ ]
+}
+```
+
+## Create a deployment
+
+When creating a deployment for a feature update, there are multiple options available to define how the deployment behaves. The deployment and monitoring settings are optional.
The following [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) are defined in the example request body for deploying the Windows 11, version 22H2 feature update (**Catalog ID** of `d9049ddb-0ca8-4bc1-bd3c-41a456ef300f`):
+
+- Deployment [start date](/graph/api/resources/windowsupdates-schedulesettings) of February 14, 2023 at 5 AM UTC
+- [Gradual rollout](/graph/api/resources/windowsupdates-gradualrolloutsettings) at a rate of 100 devices every three days
+- [Monitoring rule](/graph/api/resources/windowsupdates-monitoringrule) that will pause the deployment if five devices rollback the feature update
+- Default [safeguard hold](/graph/api/resources/windowsupdates-safeguardprofile) behavior of applying all applicable safeguards to devices in a deployment
+ - When safeguard holds aren't explicitly defined, the default safeguard hold behavior is applied automatically
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
+content-type: application/json
+
+{
+ "content": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
+ "catalogEntry": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry",
+ "id": "d9049ddb-0ca8-4bc1-bd3c-41a456ef300f"
+ }
+ },
+ "settings": {
+ "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
+ "schedule": {
+ "startDateTime": "2023-02-14T05:00:00Z",
+ "gradualRollout": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.rateDrivenRolloutSettings",
+ "durationBetweenOffers": "P3D",
+ "devicesPerOffer": "100"
+ }
+ },
+ "monitoring": {
+ "monitoringRules": [
+ {
+ "signal": "rollback",
+ "threshold": 5,
+ "action": "pauseDeployment"
+ }
+ ]
+ }
+ }
+}
+```
+
+The response body will contain:
+- The new **Deployment ID**, `de910e12-3456-7890-abcd-ef1234567890` in the example
+- The new **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567` in the example
+- Any settings defined in the deployment request body
+
+
```json
+ {
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments/$entity",
+ "id": "de910e12-3456-7890-abcd-ef1234567890",
+ "createdDateTime": "2023-02-07T19:21:15.425905Z",
+ "lastModifiedDateTime": "2023-02-07T19:21:15Z",
+ "state": {
+ "effectiveValue": "scheduled",
+ "requestedValue": "none",
+ "reasons": []
+ },
+ "content": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
+ "catalogEntry@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/content/microsoft.graph.windowsUpdates.catalogContent/catalogEntry/$entity",
+ "catalogEntry": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry",
+ "id": "d9049ddb-0ca8-4bc1-bd3c-41a456ef300f",
+ "displayName": "Windows 11, version 22H2",
+ "deployableUntilDateTime": "2025-10-14T00:00:00Z",
+ "releaseDateTime": "0001-01-01T00:00:00Z",
+ "version": "Windows 11, version 22H2"
+ }
+ },
+ "settings": {
+ "contentApplicability": null,
+ "userExperience": null,
+ "expedite": null,
+ "schedule": {
+ "startDateTime": "2023-02-14T05:00:00Z",
+ "gradualRollout": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.rateDrivenRolloutSettings",
+ "durationBetweenOffers": "P3D",
+ "devicesPerOffer": 100
+ }
+ },
+ "monitoring": {
+ "monitoringRules": [
+ {
+ "signal": "rollback",
+ "threshold": 5,
+ "action": "pauseDeployment"
+ }
+ ]
+ }
+ },
+ "audience@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/audience/$entity",
+ "audience": {
+ "id": "d39ad1ce-0123-4567-89ab-cdef01234567",
+ "applicableContent": []
+ }
+ }
+ ```
+
+### Edit a deployment
+
+To [update deployment](/graph/api/windowsupdates-deployment-update), PATCH the deployment resource by its **Deployment ID** and supply the updated settings in the request body.
The following example keeps the existing gradual rollout settings that were defined when creating the deployment but changes the deployment start date to February 28, 2023 at 5 AM UTC:
+
+```msgraph-interactive
+PATCH https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
+content-type: application/json
+
+{
+ "settings": {
+ "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
+ "schedule": {
+ "startDateTime": "2023-02-28T05:00:00Z",
+ "gradualRollout": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.rateDrivenRolloutSettings",
+ "durationBetweenOffers": "P3D",
+ "devicesPerOffer": "100"
+ }
+ }
+ }
+}
+
+```
+
+Verify the deployment settings for the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
+```
+
+## Add members to the deployment audience
+
+The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be offered.
+
+The following example adds three devices to the deployment audience using the **Azure AD ID** for each device:
+
+ ```msgraph-interactive
+ POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
+ content-type: application/json
+
+ {
+ "addMembers": [
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
+ "id": "01234567-89ab-cdef-0123-456789abcdef"
+ },
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
+ "id": "01234567-89ab-cdef-0123-456789abcde0"
+ },
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
+ "id": "01234567-89ab-cdef-0123-456789abcde1"
+ }
+ ]
+ }
+ ```
+
+To verify the devices were added to the audience, run the following query using the **Audience ID** of `d39ad1ce-0123-4567-89ab-cdef01234567`:
+
+ ```msgraph-interactive
+ GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/members
+ ```
+
+## Pause a deployment
+
+To pause a deployment, PATCH the deployment to have a `requestedValue` of `paused` for the [deploymentState](/graph/api/resources/windowsupdates-deploymentstate). To resume the deployment, use the value `none` and the state will either update to `offering` or `scheduled` if the deployment hasn't reached the start date yet.
+
+The following example pauses the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
+
+```msgraph-interactive
+
+PATCH https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
+content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.windowsUpdates.deployment",
+ "state": {
+ "@odata.type": "microsoft.graph.windowsUpdates.deploymentState",
+ "requestedValue": "paused"
+ }
+}
+```
+
+## Delete a deployment
+
+To remove the deployment completely, DELETE the deployment.
Deleting the deployment will prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new approval will need to be created.
+
+
+The following example deletes the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
+
+```msgraph-interactive
+DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
+```
+
+## Unenroll devices
+
+
+[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-graph-unenroll.md)]
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 3d655149d9..4b8e52781b 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -6,98 +6,67 @@ author: mestew ms.localizationpriority: medium ms.author: mstewart manager: aaroncz -ms.topic: article +ms.topic: overview ms.technology: itpro-updates ms.date: 12/31/2017 --- - - # Windows Update for Business deployment service -**Applies to** +***(Applies to: Windows 11 & Windows 10)*** -- Windows 10 -- Windows 11 +The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It's designed to work with your existing [Windows Update for Business](waas-manage-updates-wufb.md) policies and [Windows Update for Business reports](wufb-reports-overview.md). The deployment service provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update to managed devices. The service is privacy focused and backed by leading industry compliance certifications. -The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. It's designed to work in harmony with your existing Windows Update for Business policies. +Windows Update for Business product family has three elements: -The deployment service is designed for IT Pros who are looking for more control than is provided through deferral policies and deployment rings. It provides the following abilities: +- Client policy to govern update experiences and timing, which are available through Group Policy and CSPs +- [Windows Update for Business reports](wufb-reports-overview.md) to monitor update deployment +- Deployment service APIs to approve and schedule specific updates for deployment, which are available through the Microsoft Graph and associated SDKs (including PowerShell) -- You can schedule deployment of updates to start on a specific date (for example, deploy 20H2 to specified devices on March 14, 2021). 
-- You can stage deployments over a period of days or weeks by using rich expressions (for example, deploy 20H2 to 500 devices per day, beginning on March 14, 2021). -- You can bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization when emergencies arise. -- You can benefit from deployments with automatic piloting tailored to your unique device population to ensure coverage of hardware and software in your organization. -- You can use safeguards against likely update issues that have been identified by Microsoft machine-learning algorithms and automatically hold the deployment for any affected devices. +The deployment service complements existing Windows Update for Business capabilities, including existing device policies and the[Windows Update for Business reports workbook](wufb-reports-workbook.md). -The service is privacy focused and backed by leading industry compliance certifications. +:::image type="content" source="media/7512398-deployment-service-overview.png" alt-text="Diagram displaying the three elements that are parts of the Windows Update for Business family."::: -## How it works +## How the deployment service works -The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Windows Update for Businesss reports](wufb-reports-overview.md). +With most update management solutions, usually update policies are set on the client itself using either registry edits, Group Policy, or an MDM solution that leverages CSPs. This means that the end user experience and deployment settings for updates are ultimately determined by the individual device settings. However, with Windows Update for Business deployment service, the service is the central point of control for update deployment behavior. 
Because the deployment service is directly integrated with Windows Update, once the admin defines the deployment behavior, Windows Update is already aware of how device should be directed to install updates when the device scans. The deployment service creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an admin. -:::image type="content" source="media/wufbds-product-large.png" alt-text="Elements in following text."::: - -Windows Update for Business comprises three elements: -- Client policy to govern update experiences and timing – available through Group Policy and CSPs -- Deployment service APIs to approve and schedule specific updates – available through the Microsoft Graph and associated SDKs (including PowerShell) -- Windows Update for Business reports to monitor update deployment - -Unlike existing client policy, the deployment service doesn't interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro. - -:::image type="content" source="media/wufbds-interaction-small.png" alt-text="Process described in following text."::: Using the deployment service typically follows a common pattern: -1. IT Pro uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app or a more complete management solution such as Microsoft Intune. -2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service. +1. 
An admin uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app, or a more complete management solution such as Microsoft Intune. +2. The chosen management tool conveys your approval, scheduling, and device selection information to the deployment service. 3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates. -The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Intune. + :::image type="content" source="media/wufbds-interaction-small.png" alt-text="Diagram displaying "::: -## Prerequisites +The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as [Microsoft Intune](/mem/intune). -To work with the deployment service, devices must meet all these requirements: +## Capabilities of the Windows Update for Business deployment service -- Be running Windows 10, version 1709 or later (or Windows 11) -- Be joined to Azure Active Directory (AD) or Hybrid AD -- Have one of the following Windows 10 or Windows 11 editions installed: - - Pro - - Enterprise - - Education - - Pro Education - - Pro for Workstations +The deployment service is designed for IT Pros who are looking for more control than is provided through deferral policies and deployment rings. 
The service provides the following capabilities for updates: -Additionally, your organization must have one of the following subscriptions: -- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) -- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) -- Windows Virtual Desktop Access E3 or E5 -- Microsoft 365 Business Premium +- **Approval and scheduling**: Approve and schedule deployment of updates to start on a specific date + - *Example*: Deploy the Windows 11 22H2 feature update to specified devices on February 17, 2023. +- **Gradual rollout**: Stage deployments over a period of days or weeks by specifying gradual rollout settings + - *Example*: Deploy the Windows 11 22H2 feature update to 500 devices per day, beginning on February 17, 2023 +- **Expedite**: Bypass the configured Windows Update for Business policies to immediately deploy a security update across the organization +- **Safeguard holds**: Automatically holds the deployment for devices that may be impacted by an update issue identified by Microsoft machine-learning algorithms -## Getting started +Certain capabilities are available for specific update classifications: -To use the deployment service, you use a management tool built on the platform, script common actions using PowerShell, or build your own application. +|Capabilities | [Quality updates](deployment-service-expedited-updates.md) | [Feature updates](deployment-service-feature-updates.md) | [Drivers and firmware](deployment-service-drivers.md)| +|---|---|---|---| +|Approval and scheduling | | Yes | Yes | +|Gradual rollout | | Yes | | +|Expedite | Yes | | | +|Safeguard holds| | Yes | | -### Using Microsoft Intune - -Intune integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates). 
- -### Scripting common actions using PowerShell - -The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started). - -### Building your own application - -Microsoft Graph makes deployment service APIs available through. Get started with these learning paths: -- Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/) -- Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/) - -Once you're familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more. ## Deployment protections The deployment service protects deployments through a combination of rollout controls and machine-learning algorithms that monitor deployments and react to issues during the rollout. -### Schedule rollouts with automatic piloting +### Gradual rollout The deployment service allows any update to be deployed over a period of days or weeks. Once an update has been scheduled, the deployment service optimizes the deployment based on the scheduling parameters and unique attributes spanning the devices being updated. The service follows these steps: 
@@ -106,80 +75,45 @@ The deployment service allows any update to be deployed over a period of days or 3. Start deploying to earlier waves to build coverage of device attributes present in the population. 4. Continue deploying at a uniform rate until all waves are complete and all devices are updated. -This built-in piloting capability complements your existing ring structure and provides another support for reducing and managing risk during an update. Unlike tools such as Desktop Analytics, this capability is intended to operate within each ring. The deployment service doesn't provide a workflow for creating rings themselves. - -You should continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and other protections within each ring. +This built-in piloting capability complements your existing [deployment ring](waas-quick-start.md) structure and provides another support for reducing and managing risk during an update. This capability is intended to operate within each ring. The deployment service doesn't provide a workflow for creating rings themselves. Continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and other protections within each ring. ### Safeguard holds against likely and known issues -Microsoft uses [safeguard holds](/windows/deployment/update/safeguard-holds) to protect devices from encountering known quality or compatibility issues by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service extends these safeguard holds to also protect devices that Microsoft identifies as being at a higher risk of experiencing problems after an update (such as operating system rollbacks, app crashes, or graphics issues). The service temporarily holds the deployment for these devices while Microsoft investigates the likely issue. 
Safeguard holds apply to deployments by default, but you can opt out. - -To verify whether a device is affected by a safeguard hold, see [Am I affected by a safeguard hold?](/windows/deployment/update/safeguard-holds#am-i-affected-by-a-safeguard-hold) +Microsoft uses [safeguard holds](/windows/deployment/update/safeguard-holds) to protect devices from encountering known quality or compatibility issues by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service also extends safeguard holds to protect devices that Microsoft identifies as being at a higher risk of experiencing problems after an update (such as operating system rollbacks, app crashes, or graphics issues). The service temporarily holds the deployment for these devices while Microsoft investigates the likely issue. Safeguard holds apply to deployments by default, but you can opt out. To verify whether a device is affected by a safeguard hold, see [Am I affected by a safeguard hold?](/windows/deployment/update/safeguard-holds#am-i-affected-by-a-safeguard-hold). ### Monitoring deployments to detect rollback issues During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues. -### How to enable deployment protections +## Get started with the deployment service -Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your population, devices must share diagnostic data with Microsoft. +To use the deployment service, you use a management tool built on the platform like Microsoft Intune, script common actions using PowerShell, or build your own application. 
-#### Device prerequisites +To learn more about the deployment service and the deployment process, see: -- Diagnostic data is set to *Required* or *Optional*. -- The **AllowWUfBCloudProcessing** policy is set to **8**. +- [Prerequisites for Windows Update for Business deployment service](deployment-service-prerequisites.md) +- [Deploy feature updates using Graph Explorer](deployment-service-feature-updates.md) +- [Deploy expedited updates using Graph Explorer](deployment-service-expedited-updates.md) +- [Deploy driver and firmware updates using Graph Explorer](deployment-service-drivers.md) -#### Set the **AllowWUfBCloudProcessing** policy +### Scripting common actions using PowerShell -To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy or Group Policy. +The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started). -| Policy| Sets registry key under `HKLM\Software`| -|--|--| -| GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | `\Policies\Microsoft\Windows\DataCollection\AllowWUfBCloudProcessing` | -| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | `\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing` | +### Building your own application -Following is an example of setting the policy using Intune: +Microsoft Graph makes deployment service APIs available through. Get started with the resources below: -1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 
+- Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/) +- Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/) -2. Select **Devices** > **Configuration profiles** > **Create profile**. +- Windows Update for Business deployment service [sample driver deployment application](https://github.com/microsoftgraph/windowsupdates-webapplication-sample) on GitHub +- [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) -3. Select **Windows 10 and later** in **Platform**, select **Templates** in **Profile type**, select **Custom** in **Template name**, and then select **Create**. +### Use Microsoft Intune -4. In **Basics**, enter a meaningful name and a description for the policy, and then select **Next**. - -5. In **Configuration settings**, select **Add**, enter the following settings, select **Save**, and then select **Next**. - - Name: **AllowWUfBCloudProcessing** - - Description: Enter a description. - - OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing` - - Data type: **Integer** - - Value: **8** - -6. In **Assignments**, select the groups that will receive the profile, and then select **Next**. - -7. In **Review + create**, review your settings, and then select **Create**. - -8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: - - `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing` - -## Best practices -Follow these suggestions for the best results with the service. - -### Device onboarding - -- Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day). - -- Use the deployment service for feature update management without feature update deferral policy. 
If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors. - -### General - -Avoid using different channels to manage the same resources. If you use Microsoft Intune along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it. - - -## Next steps - -To learn more about the deployment service, try the following: +Microsoft Intune integrates with the deployment service to provide Windows client update management capabilities. For more information, see: - [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) -- [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) +- [Expedite Windows quality updates in Microsoft Intune](/mem/intune/protect/windows-10-expedite-updates) + diff --git a/windows/deployment/update/deployment-service-prerequisites.md b/windows/deployment/update/deployment-service-prerequisites.md new file mode 100644 index 0000000000..ad489103a6 --- /dev/null +++ b/windows/deployment/update/deployment-service-prerequisites.md 
@@ -0,0 +1,108 @@ +--- +title: Prerequisites for the Windows Update for Business deployment service +description: Prerequisites for using the Windows Update for Business deployment service. +ms.prod: windows-client +author: mestew +ms.localizationpriority: medium +ms.author: mstewart +manager: aaroncz +ms.topic: article +ms.technology: itpro-updates +ms.date: 02/14/2023 +--- + +# Windows Update for Business deployment service prerequisites + +***(Applies to: Windows 11 & Windows 10)*** + +Before you begin the process of deploying updates with Windows Update for Business deployment service, ensure you meet the prerequisites. + +## Azure and Azure Active Directory + +- An Azure subscription with [Azure Active Directory](/azure/active-directory/) +- Devices must be Azure Active Directory-joined and meet the below OSrequirements. + - Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid). + - Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business + +## Licensing + +Windows Update for Business deployment service requires users of the devices to have one of the following licenses: + +- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) +- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) +- Windows Virtual Desktop Access E3 or E5 +- Microsoft 365 Business Premium + +## Operating systems and editions + +- Windows 11 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions +- Windows 10 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions + +Windows Update for Business deployment service supports Windows client devices on the **General Availability Channel**. 
+ +### Windows operating system updates + +- Expediting updates requires the *Update Health Tools* on the clients. The tools are installed starting with [KB 4023057](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a). To confirm the presence of the Update Health Tools on a device: + - Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Add Remove Programs* for **Microsoft Update Health Tools**. + - As an Admin, run the following PowerShell script: `Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}` + +- For [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended + +## Diagnostic data requirements + +Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population and to [deploy driver updates](deployment-service-drivers.md), devices must share diagnostic data with Microsoft. For these features, at minimum, the deployment service requires devices to send [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) at the *Required* level (previously called *Basic*) for these features. 
+ +When you use [Windows Update for Business reports](wufb-reports-overview.md) in conjunction with the deployment service, using diagnostic data at the following levels allows device names to appear in reporting: + +- *Optional* level (previously *Full*) for Windows 11 devices +- *Enhanced* level for Windows 10 devices + +## Permissions + +- [Windows Update for Business deployment service](/graph/api/resources/adminwindowsupdates) operations require [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions) + - Some roles, such as the [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator), already have the permissions. + +> [!NOTE] +> Leveraging other parts of the Graph API might require additional permissions. For example, to display [device](/graph/api/resources/device) information, a minimum of [Device.Read.All](/graph/permissions-reference#device-permissions) permission is needed. + +## Required endpoints + +- Have access to the following endpoints: + +- [Windows Update endpoints](/windows/privacy/manage-windows-1809-endpoints#windows-update) + - *.prod.do.dsp.mp.microsoft.com + - *.windowsupdate.com + - *.dl.delivery.mp.microsoft.com + - *.update.microsoft.com + - *.delivery.mp.microsoft.com + - tsfe.trafficshaping.dsp.mp.microsoft.com +- Windows Update for Business deployment service endpoints + + - devicelistenerprod.microsoft.com + - login.windows.net + - payloadprod*.blob.core.windows.net + +- [Windows Push Notification Services](/windows/uwp/design/shell/tiles-and-notifications/firewall-allowlist-config): *(Recommended, but not required. 
Without this access, devices might not expedite updates until their next daily check for updates.)* + - *.notify.windows.com + + +## Limitations + + +[!INCLUDE [Windows Update for Business deployment service limitations](./includes/wufb-deployment-limitations.md)] + +## Policy considerations for drivers + + +[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)] + + +## General tips for the deployment service + +Follow these suggestions for the best results with the service: + +- Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day). + +- Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors. + +- Avoid using different channels to manage the same resources. If you use Microsoft Intune along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it. diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md index f584bbae71..f6be148c37 100644 --- a/windows/deployment/update/deployment-service-troubleshoot.md +++ b/windows/deployment/update/deployment-service-troubleshoot.md 
@@ -15,10 +15,7 @@ ms.date: 12/31/2017 # Troubleshoot the Windows Update for Business deployment service -**Applies to** - -- Windows 10 -- Windows 11 +***(Applies to: Windows 11 & Windows 10)*** This troubleshooting guide addresses the most common issues that IT administrators face when using the Windows Update for Business [deployment service](deployment-service-overview.md). For a general troubleshooting guide for Windows Update, see [Windows Update troubleshooting](/troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json). 
@@ -35,3 +32,30 @@ This troubleshooting guide addresses the most common issues that IT administrato - Check that the device is scanning the Windows Update service and not a different endpoint. If the device is scanning for updates from a WSUS endpoint, for example, it might receive different updates. To learn more about scanning for updates, see [Scanning updates](how-windows-update-works.md#scanning-updates). - **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is not successfully enrolled might receive different updates according to its feature update deferral period, for example. A device that is successfully enrolled will be represented by an Azure AD device resource with an update management enrollment for feature updates and have no Azure AD device registration errors. + +### The device installed a newer update then the expedited update I deployed + +There are some scenarios when a deployment to expedite an update results in the installation of a more recent update than specified in policy. This result occurs when the newer update includes and surpasses the specified update, and that newer update is available before a device checks in to install the update that's specified in the expedite update policy. + +Installing the most recent quality update reduces disruptions to the device and user while applying the benefits of the intended update. This avoids having to install multiple updates, which each might require separate reboots. + +A more recent update is deployed when the following conditions are met: + +- The device isn't targeted with a deferral policy that blocks installation of a more recent update. In this case, the most recently available update that isn't deferred is the update that might install. + +- During the process to expedite an update, the device runs a new scan that detects the newer update. 
This can occur due to the timing of: + - When the device restarts to complete installation + - When the device runs its daily scan + - When a new update becomes available + + When a scan identifies a newer update, Windows Update attempts to stop installation of the original update, cancel the restart, and then starts the download and installation of the more recent update. + +While expedite update deployments will override an update deferral for the update version that's specified, they don't override deferrals that are in place for any other update version. + + +[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)] + +## Policy considerations for drivers + + +[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)] diff --git a/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md new file mode 100644 index 0000000000..fda5f5a881 --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md 
@@ -0,0 +1,63 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + +A deployment audience is a collection of devices that you want to deploy updates to. The audience needs to be created first, then members are added to the audience. Use the following steps to create a deployment audience, add members, and verify it: + +1. To create a new audience, **POST** to the [deployment audience](/graph/api/resources/windowsupdates-deploymentaudience) resource with a request body of `{}`. + + ```msgraph-interactive + POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences + content-type: application/json + + {} + ``` + + The POST returns an HTTP status code of `201 Created` as a response with the following body, where `id` is the **Audience ID**: + + ```json + { + "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deploymentAudiences/$entity", + "id": "d39ad1ce-0123-4567-89ab-cdef01234567", + "reportingDeviceCount": 0, + "applicableContent": [] + } + ``` + + +1. Add devices, using their **Azure AD ID**, to the deployment audience so they become audience members. Specify the deployment **Audience ID** in the URL field and the devices to add in the request body. The `id` property specifies the **Azure AD ID** of the device. 
+ + ```msgraph-interactive + POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience + content-type: application/json + + { + "addMembers": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcdef" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde0" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde1" + } + ] + } + ``` + +1. To verify the devices were added to the audience, run the following query using the **Audience ID** of `d39ad1ce-0123-4567-89ab-cdef01234567`: + + ```msgraph-interactive + GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/members + ``` diff --git a/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md new file mode 100644 index 0000000000..d8c96ee718 --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md 
@@ -0,0 +1,45 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +It's possible for the service to receive content approval but the content doesn't get installed on the device because of a Group Policy, CSP, or registry setting on the device. In some cases, organizations specifically configure these policies to fit their current or future needs. For instance, organizations may want to review applicable driver content through the deployment service, but not allow installation. Configuring this sort of behavior can be useful, especially when transitioning management of driver updates due to changing organizational needs. The following list describes driver related update policies that can affect deployments through the deployment service: + +### Policies that exclude drivers from Windows Update for a device + +The following policies exclude drivers from Windows Update for a device: + +- **Locations of policies that exclude drivers**: + - **Group Policy**: `\Windows Components\Windows Update\Do not include drivers with Windows Updates` set to `enabled` + - **CSP**: [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#excludewudriversinqualityupdate) set to `1` + - **Registry**: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversFromQualityUpdates` set to `1` + - **Intune**: [**Windows Drivers** update setting](/mem/intune/protect/windows-update-settings#update-settings) for the update ring set to `Allow` + +**Behavior with the deployment service**: Devices with driver exclusion polices that are enrolled for **drivers** and added to an audience though the deployment service: + - Will display the applicable driver content in the deployment service + - Won't install drivers that are approved from the deployment service + - If drivers are deployed to a device that's blocking 
them, the deployment service displays the driver is being offered and reporting displays the install is pending. + +### Policies that define the source for driver updates + +The following policies define the source for driver updates as either Windows Update or Windows Server Update Service (WSUS): + +- **Locations of policies that define an update source**: + - **Group Policy**: `\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\Specify source service for specific classes of Windows Updates` set to `enabled` with the `Driver Updates` option set to `Windows Update` + - **CSP**: [SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourcefordriverupdates) set to `0` for Windows Update as the source + - **Registry**: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForDriverUpdates` set to `0`. Under `\AU`, `UseUpdateClassPolicySource` also needs to be set to `1` + - **Intune**: Not applicable. Intune deploys updates using Windows Update for Business. [Co-managed clients from Configuration Manager](/mem/configmgr/comanage/overview?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) with the workload for Windows Update policies set to Intune will also use Windows Update for Business. + +**Behavior with the deployment service**: Devices with these update source policies that are enrolled for **drivers** and added to an audience though the deployment service: + - Will display the applicable driver content in the deployment service + - Will install drivers that are approved from the deployment service + +> [!NOTE] +> When the scan source for drivers is set to WSUS, the deployment service doesn't get inventory events from devices. This means that the deployment service won't be able to report the applicability of a driver for the device. \ No newline at end of file 
diff --git a/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md new file mode 100644 index 0000000000..0ae067e62f --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md @@ -0,0 +1,45 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +You enroll devices based on the types of updates you want them to receive. Currently, you can enroll devices to receive feature updates (`feature`) or drivers (`driver`). You can enroll devices to receive updates from multiple update classifications. + +1. To enroll devices, POST to [updatableAssets](/graph/api/resources/windowsupdates-updatableasset) using [enrollAssets](/graph/api/windowsupdates-updatableasset-enrollassets). The following example enrolls three devices to receive driver updates: + 1. In Graph Explorer, select **POST** from the drop-down list for the HTTP verb. + 1. Enter the following request into the URL field:
    + `https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/enrollAssets` + 1. In the **Request body** tab, enter the following JSON, supplying the following information: + - **Azure AD Device ID** as `id` + - Either `feature` or `driver` for the updateCategory + + ```json + { + "updateCategory": "driver", + "assets": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcdef" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde0" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde1" + } + ] + } + ``` + + 1. Select the **Run query** button. The results will appear in the **Response** window. In this case, the HTTP status code of `202 Accepted`. + + :::image type="content" source="../media/7512398-deployment-enroll-asset-graph.png" alt-text="Screenshot of successfully enrolling assets through Graph Explorer." lightbox="../media/7512398-deployment-enroll-asset-graph.png" ::: diff --git a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md new file mode 100644 index 0000000000..b2f438598f --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md 
@@ -0,0 +1,54 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +Use the [device](/graph/api/resources/device) resource type to find clients to enroll into the deployment service. Change the query parameters to fit your specific needs. For more information, see [Use query parameters](/graph/query-parameters). + +- Displays the **AzureAD Device ID** and **Name** of all devices: + + ```msgraph-interactive + GET https://graph.microsoft.com/v1.0/devices?$select=deviceid,displayName + ``` + +- Displays the **AzureAD Device ID** and **Name** for devices that have a name starting with `Test`: + + ```msgraph-interactive + GET https://graph.microsoft.com/v1.0/devices?$filter=startswith(displayName,'Test')&$select=deviceid,displayName + ``` + + +### Add a request header for advanced queries + +For the next requests, set the **ConsistencyLevel** header to `eventual`. For more information about advanced query parameters, see [Advanced query capabilities on Azure AD directory objects](/graph/aad-advanced-queries). + +1. In Graph Explorer, select the **Request headers** tab. +1. For **Key** type in `ConsistencyLevel` and for **Value**, type `eventual`. +1. Select the **Add** button. When you're finished, remove the request header by selecting the trash can icon. 
+ + :::image type="content" source="../media/7512398-deployment-service-graph-modify-header.png" alt-text="Screenshot of the request headers tab in Graph Explorer" lightbox="../media/7512398-deployment-service-graph-modify-header.png"::: + +- Display the **Name** and **Operating system version** for the device that has `01234567-89ab-cdef-0123-456789abcdef` as the **AzureAD Device ID**: + + ```msgraph-interactive + GET https://graph.microsoft.com/v1.0/devices?$search="deviceid:01234567-89ab-cdef-0123-456789abcdef"&$select=displayName,operatingSystemVersion + ``` + +- To find devices that likely aren't virtual machines, filter for devices that don't have virtual machine listed as the model but do have a manufacturer listed. Display the **AzureAD Device ID**, **Name**, and **Operating system version** for each device: + + ```msgraph-interactive + GET https://graph.microsoft.com/v1.0/devices?$filter=model ne 'virtual machine' and NOT(manufacturer eq null)&$count=true&$select=deviceid,displayName,operatingSystemVersion + ``` + +> [!Tip] +> Requests using the [device](/graph/api/resources/device) resource type typically have both an `id` and a `deviceid`: +> - The `deviceid` is the **Azure AD Device ID** and will be used in this article. +> - Later in this article, this `deviceid` will be used as an `id` when you make certain requests such as adding a device to a deployment audience. +> - The `id` from the [device](/graph/api/resources/device) resource type is usually the Azure AD Object ID, which won't be used in this article. diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md new file mode 100644 index 0000000000..23bbb2b2d9 --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md 
@@ -0,0 +1,18 @@
+---
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+ms.technology: itpro-updates
+ms.prod: windows-client
+ms.topic: include
+ms.date: 02/14/2023
+ms.localizationpriority: medium
+---
+
+
+The following permissions are needed for the queries listed in this article:
+
+- [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions) for [Windows Update for Business deployment service](/graph/api/resources/adminwindowsupdates) operations.
+- At least [Device.Read.All](/graph/permissions-reference#device-permissions) permission to display [device](/graph/api/resources/device) information.
+
+Some roles, such as the [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator), already have these permissions.
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
new file mode 100644
index 0000000000..3b19cd934d
--- /dev/null
+++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
@@ -0,0 +1,34 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +For this article, you'll use Graph Explorer to make requests to the [Microsoft Graph APIs](/graph/api/resources/adminwindowsupdates) to retrieve, add, delete, and update data. Graph Explorer is a developer tool that lets you learn about Microsoft Graph APIs. For more information about using Graph Explorer, see [Get started with Graph Explorer](/graph/graph-explorer/graph-explorer-overview). + +> [!WARNING] +> +> - Requests listed in this article require signing in with a Microsoft 365 account. If needed, a free one month trial is available for [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium). +> - Using a test tenant to learn and verify the deployment process is highly recommended. Graph Explorer is intended to be a learning tool. Ensure you understand [granting consent](/graph/security-authorization) and the [consent type](/graph/api/resources/oauth2permissiongrant#properties) for Graph Explorer before proceeding. + +1. From a browser, go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and sign in using an Azure Active Directory (Azure AD) user account. +1. You may need to enable the [`WindowsUpdates.ReadWrite.All` permission](/graph/permissions-reference#windows-updates-permissions) to use the queries in this article. To enable the permission: + 1. Select the **Modify permissions** tab in Graph Explorer. + 1. In the permissions dialog box, select the **WindowsUpdates.ReadWrite.All** permission then select **Consent**. You may need to sign in again to grant consent. 
+ + :::image type="content" source="../media/7512398-wufbds-graph-modify-permission.png" alt-text="Screenshot of the modify permissions tab in Graph Explorer" lightbox="../media/7512398-wufbds-graph-modify-permission.png" ::: + +1. To make requests: + 1. Select either GET, POST, PUT, PATCH, or DELETE from the drop-down list for the HTTP method. + 1. Enter the request into the URL field. The version will populate automatically based on the URL. + 1. If you need to modify the request body, edit the **Request body** tab. + 1. Select the **Run query** button. The results will appear in the **Response** window. + + > [!TIP] + > When reviewing [Microsoft Graph documentation](/graph/), you may notice example requests usually list `content-type: application/json`. Specifying `content-type` typically isn't required for Graph Explorer, but you can add it to the request by selecting the **Headers** tab and adding the `content-type` to the **Request headers** field as the **Key** and `application/json` as the **Value**. diff --git a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md new file mode 100644 index 0000000000..f85f158a63 --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md 
@@ -0,0 +1,42 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +When a device no longer needs to be managed by the deployment service, unenroll it. Just like [enrolling a device](#enroll-devices), specify either `driver` or `feature` as the value for the `updateCategory`. The device will no longer receive updates from the deployment service for the specified update category. Depending on the device's configuration, it may start to receive updates from Windows Update. For instance, if a device is still enrolled for feature updates, but it's unenrolled from drivers: + +- Existing driver deployments from the service won't be offered to the device +- The device will continue to receive feature updates from the deployment service +- Drivers may start being installed from Windows Update depending on the device's configuration + +To unenroll a device, POST to [updatableAssets](/graph/api/resources/windowsupdates-updatableasset) using [unenrollAssets](/graph/api/windowsupdates-updatableasset-unenrollassets). In the request body, specify: +- **Azure AD Device ID** as `id` for the device +- Either `feature` or `driver` for the updateCategory + +The following example removes `driver` enrollment for two devices, `01234567-89ab-cdef-0123-456789abcdef` and `01234567-89ab-cdef-0123-456789abcde0`: + +```msgraph-interactive +POST https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/unenrollAssets +content-type: application/json + +{ + "updateCategory": "driver", + "assets": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcdef" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde0" + } + ] +} +``` 
diff --git a/windows/deployment/update/includes/wufb-deployment-limitations.md b/windows/deployment/update/includes/wufb-deployment-limitations.md
new file mode 100644
index 0000000000..34e70ba899
--- /dev/null
+++ b/windows/deployment/update/includes/wufb-deployment-limitations.md
@@ -0,0 +1,13 @@
+---
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+ms.technology: itpro-updates
+ms.prod: windows-client
+ms.topic: include
+ms.date: 02/14/2023
+ms.localizationpriority: medium
+---
+
+
+Windows Update for Business deployment service is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Windows Update for Business deployment service doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Windows Update for Business deployment service is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers.
diff --git a/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md b/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md
new file mode 100644
index 0000000000..4e0d5caaff
--- /dev/null
+++ b/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md
@@ -0,0 +1,21 @@
+---
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+ms.technology: itpro-updates
+ms.prod: windows-client
+ms.topic: include
+ms.date: 02/14/2023
+ms.localizationpriority: medium
+---
+
+## Log location for the Update Health Tools
+
+The Update Health Tools are used when you deploy expedited updates. In some cases, you may wish to review the logs for the Update Health Tools.
+
+**Log location**: `%ProgramFiles%\Microsoft Update Health Tools\Logs`
+
+- The logs are in `.etl` format.
+ - Microsoft offers [PerfView as a download on GitHub](https://github.com/Microsoft/perfview/blob/main/documentation/Downloading.md), which displays `.etl` files.
+
+For more information, see [Troubleshooting expedited updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/get-the-most-out-of-expedited-windows-quality-updates/ba-p/3659741).
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index 3dc65fd476..457b880be1 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -1,9 +1,9 @@
 ---
 author: mestew
 ms.author: mstewart
-manager: dougeby
-ms.prod: w10
-ms.collection: M365-modern-desktop
+manager: aaroncz
+ms.technology: itpro-updates
+ms.prod: windows-client
 ms.topic: include
 ms.date: 08/18/2022
 ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-reports-endpoints.md b/windows/deployment/update/includes/wufb-reports-endpoints.md
index 727f6eec4b..1975275322 100644
--- a/windows/deployment/update/includes/wufb-reports-endpoints.md
+++ b/windows/deployment/update/includes/wufb-reports-endpoints.md
@@ -1,9 +1,9 @@ --- author: mestew ms.author: mstewart -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client ms.topic: include ms.date: 04/06/2022 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md index 4a9b61242e..5bdb86a402 100644 --- a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md +++ b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md @@ -1,9 +1,9 @@ --- author: mestew ms.author: mstewart -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client ms.topic: include ms.date: 08/18/2022 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-reports-recommend.md b/windows/deployment/update/includes/wufb-reports-recommend.md index 94e46ac38f..37caa47a4d 100644 --- a/windows/deployment/update/includes/wufb-reports-recommend.md +++ b/windows/deployment/update/includes/wufb-reports-recommend.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.prod: w10 -ms.collection: M365-modern-desktop +ms.technology: itpro-updates +ms.prod: windows-client ms.topic: include ms.date: 12/05/2022 ms.localizationpriority: medium 
@@ -11,4 +11,5 @@ ms.localizationpriority: medium > [!Important] -> Update Compliance is [deprecated](/windows/whats-new/deprecated-features) and is no longer accepting new onboarding requests. Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). If you're currently using Update Compliance, you can continue to use it, but you can't change your `CommercialID`. Support for Update Compliance will end on March 31, 2023 when the service will be [retired](/windows/whats-new/feature-lifecycle#terminology). +> - Update Compliance is [deprecated](/windows/whats-new/deprecated-features) and is no longer accepting new onboarding requests. Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). If you're currently using Update Compliance, you can continue to use it, but you can't change your `CommercialID`. Support for Update Compliance will end on March 31, 2023 when the service will be [retired](/windows/whats-new/feature-lifecycle#terminology). +> - Changes have been made to the Windows diagnostic data processor configuration. For more information, see [Windows diagnostic data processor changes](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data). diff --git a/windows/deployment/update/includes/wufb-reports-script-error-codes.md b/windows/deployment/update/includes/wufb-reports-script-error-codes.md index 6d4248cbb0..5dc0512de0 100644 --- a/windows/deployment/update/includes/wufb-reports-script-error-codes.md +++ b/windows/deployment/update/includes/wufb-reports-script-error-codes.md @@ -1,9 +1,9 @@ --- author: mestew ms.author: mstewart -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client ms.topic: include ms.date: 08/18/2022 ms.localizationpriority: medium 
diff --git a/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md b/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md index 1b22ab60cd..5eab6c5de8 100644 --- a/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md +++ b/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md @@ -1,9 +1,9 @@ --- author: mestew ms.author: mstewart -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client ms.topic: include ms.date: 08/10/2022 ms.localizationpriority: medium diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index af27a5c840..135a23932a 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -76,6 +76,7 @@ This table shows the correct sequence for applying the various tasks to the file |Add Features on Demand | | | 20 | |Add Safe OS Dynamic Update | 6 | | | |Add Setup Dynamic Update | | | | 26 +|Add setup.exe from WinPE | | | | 27 |Add latest cumulative update | | 15 | 21 | |Clean up the image | 7 | 16 | 22 | |Add Optional Components | | | 23 | @@ -188,7 +189,7 @@ Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Pa # # update Windows Recovery Environment (WinRE) # -Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null +Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null Write-Output "$(Get-TS): Mounting WinRE" Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null 
@@ -299,7 +300,7 @@ Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim ### Update WinPE -This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media. +This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the \sources\setup.exe version from the installation media. If these binaries are not identical, Windows Setup will fail during installation. Finally, it cleans and exports Boot.wim, and copies it back to the new media. ```powershell # 
@@ -312,7 +313,7 @@ $WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" Foreach ($IMAGE in $WINPE_IMAGES) { # update WinPE - Write-Output "$(Get-TS): Mounting WinPE" + Write-Output "$(Get-TS): Mounting WinPE, image index $($IMAGE.ImageIndex)" Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null # Add servicing stack update (Step 9 from the table) @@ -415,6 +416,11 @@ Foreach ($IMAGE in $WINPE_IMAGES) { Write-Output "$(Get-TS): Performing image cleanup on WinPE" DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null + # If second image, save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder + if ($IMAGE.ImageIndex -eq "2") { + Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -ErrorAction stop | Out-Null + } + # Dismount Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null @@ -496,7 +502,7 @@ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop # Copy our updated recovery image from earlier into the main OS # Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file # into each edition to enable single instancing -Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null +Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -ErrorAction stop | Out-Null # Perform image cleanup Write-Output "$(Get-TS): Performing image cleanup on main OS" 
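Review bot: The new `if ($IMAGE.ImageIndex -eq "2")` guard compares an integer property against a string literal; PowerShell coerces it, but the intent reads better as `if ($IMAGE.ImageIndex -eq 2)`. More importantly, nothing records whether `setup.exe` was actually saved: on a `boot.wim` with a single image (the prose says "typically two") the working copy is never created, and the later unconditional copy from `$WORKING_PATH"\setup.exe"` aborts under `-ErrorAction stop` after the WinPE images have already been committed. Consider `if ($IMAGE.ImageIndex -eq 2 -and (Test-Path $WINPE_MOUNT"\sources\setup.exe"))` together with a `Write-Output "$(Get-TS): Saving setup.exe from WinPE image $($IMAGE.ImageIndex)"` line so the build log shows where the final binary came from. The enclosing `Foreach` starts in the earlier hunk and its closing brace is outside this one.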
@@ -526,7 +532,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc ### Update remaining media files -This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup.exe as needed, along with the latest compatibility database, and replacement component manifests. +This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe using the previously saved version from WinPE. ```powershell # @@ -536,6 +542,10 @@ This part of the script updates the Setup files. It simply copies the individual # Add Setup DU by copy the files from the package into the newMedia Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH" cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null + +# Copy setup.exe from boot.wim, saved earlier. +Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -ErrorAction stop | Out-Null + ``` ### Finish up diff --git a/windows/deployment/update/media/7512398-deployment-enroll-asset-graph.png b/windows/deployment/update/media/7512398-deployment-enroll-asset-graph.png new file mode 100644 index 0000000000..9d0310652a Binary files /dev/null and b/windows/deployment/update/media/7512398-deployment-enroll-asset-graph.png differ 
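Review bot: The final `Copy-Item` with `-Force` silently overwrites the `setup.exe` that the Setup Dynamic Update package was just expanded into `\sources`, and there is no check that the saved file exists or any log line saying the replacement happened. Since the prose now states the two binaries must be identical for Setup to succeed, this is the place to make that visible: guard with `if (Test-Path $WORKING_PATH"\setup.exe")`, emit `Write-Output "$(Get-TS): Replacing \sources\setup.exe with the copy saved from boot.wim"`, and, because this media is trusted at install time, consider logging `(Get-AuthenticodeSignature $MEDIA_NEW_PATH"\sources\setup.exe").Status` so an unsigned or tampered binary shows up in the build output rather than only as a later Setup failure.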
diff --git a/windows/deployment/update/media/7512398-deployment-service-graph-modify-header.png b/windows/deployment/update/media/7512398-deployment-service-graph-modify-header.png
new file mode 100644
index 0000000000..44fb8ee6ab
Binary files /dev/null and b/windows/deployment/update/media/7512398-deployment-service-graph-modify-header.png differ
diff --git a/windows/deployment/update/media/7512398-deployment-service-overview.png b/windows/deployment/update/media/7512398-deployment-service-overview.png
new file mode 100644
index 0000000000..2e2085fb27
Binary files /dev/null and b/windows/deployment/update/media/7512398-deployment-service-overview.png differ
diff --git a/windows/deployment/update/media/7512398-wufbds-graph-modify-permission.png b/windows/deployment/update/media/7512398-wufbds-graph-modify-permission.png
new file mode 100644
index 0000000000..cfa73d5175
Binary files /dev/null and b/windows/deployment/update/media/7512398-wufbds-graph-modify-permission.png differ
diff --git a/windows/deployment/update/media/7539531-wufb-reports-workbook-drivers.png b/windows/deployment/update/media/7539531-wufb-reports-workbook-drivers.png
new file mode 100644
index 0000000000..261418b6ce
Binary files /dev/null and b/windows/deployment/update/media/7539531-wufb-reports-workbook-drivers.png differ
diff --git a/windows/deployment/update/images/wufb-do-overview.png b/windows/deployment/update/media/wufb-do-overview.png
similarity index 100%
rename from windows/deployment/update/images/wufb-do-overview.png
rename to windows/deployment/update/media/wufb-do-overview.png
diff --git a/windows/deployment/update/media/wufbds-product-large.png b/windows/deployment/update/media/wufbds-product-large.png
deleted file mode 100644
index f74c499411..0000000000
Binary files a/windows/deployment/update/media/wufbds-product-large.png and /dev/null differ
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md index 4d7cf5c662..b25c48f947 100644 --- a/windows/deployment/update/plan-determine-app-readiness.md +++ b/windows/deployment/update/plan-determine-app-readiness.md @@ -63,15 +63,3 @@ There is more than one way to choose devices for app validation: - **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles. - **Manual selection**: Some internal groups like operations will have expertise to help choose devices manually based on specifications, usage, or records of past support problems. - **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices. - - -### Desktop Analytics - -Desktop Analytics can make all of the tasks discussed in this article significantly easier: - -- Creating and maintaining an application and device inventory -- Assign owners to applications for testing -- Automatically apply your app classifications (critical, important, not important) -- Automatically identify application compatibility risks and provide recommendations for reducing those risks - -For more information, see [What is Desktop Analytics?](/mem/configmgr/desktop-analytics/overview) diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md index 7d787fbeda..a6c241bac8 100644 --- a/windows/deployment/update/prepare-deploy-windows.md +++ b/windows/deployment/update/prepare-deploy-windows.md 
@@ -97,7 +97,7 @@ Enable update services on devices. Ensure that every device is running all the s - Windows Update - Windows Update Medic Service -You can check these services manually by using Services.msc, or by using PowerShell scripts, Desktop Analytics, or other methods. +You can check these services manually by using Services.msc, or by using PowerShell scripts, or other methods. ### Network configuration @@ -125,7 +125,7 @@ Set up [Delivery Optimization](../do/waas-delivery-optimization.md) for peer net ### Address unhealthy devices -In the course of surveying your device population, either with Desktop Analytics or by some other means, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems. +In the course of surveying your device population, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems. - **Low disk space:** Quality updates require a minimum of 2 GB to successfully install. Feature updates require between 8 GB and 15 GB depending upon the configuration. On Windows 10, version 1903 and later (and Windows 11) you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve the problem by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files: 
@@ -160,7 +160,7 @@ You can also create and run scripts to perform additional cleanup actions on dev net start msiserver ``` -- **Application and driver updates:** Out-of-date app or driver software can prevent devices from updating successfully. Desktop Analytics will help you identify drivers and applications that need attention. You can also check for known issues in order to take any appropriate action. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues. +- **Application and driver updates:** Out-of-date app or driver software can prevent devices from updating successfully. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues. - **Corruption:** In rare circumstances, a device that has repeated installation errors might be corrupted in a way that prevents the system from applying a new update. You might have to repair the Component-Based Store from another source. You can fix the problem with the [System File Checker](https://support.microsoft.com/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system). diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md index 7d3d501e00..7bb8cf8dca 100644 --- a/windows/deployment/update/safeguard-holds.md +++ b/windows/deployment/update/safeguard-holds.md @@ -8,8 +8,7 @@ ms.author: mstewart manager: aaroncz ms.topic: article ms.technology: itpro-updates -ms.collection: - - highpri +ms.collection: highpri, tier2 ms.date: 12/31/2017 --- diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index a74559df0f..a7a6c5b72e 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md 
@@ -6,8 +6,7 @@ author: mestew ms.localizationpriority: high ms.author: mstewart manager: aaroncz -ms.collection: - - highpri +ms.collection: highpri, tier2 ms.topic: article ms.technology: itpro-updates ms.date: 12/31/2017 diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index 14c94f5341..aab7607865 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -33,7 +33,7 @@ This article is specifically targeted at configuring devices enrolled to [Micros Take the following steps to create a configuration profile that will set required policies for Update Compliance: -1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices/Windows/Configuration profiles**. +1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices/Windows/Configuration profiles**. 1. On the **Configuration profiles** view, select **Create a profile**. 1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". 1. For **Template name**, select **Custom**, and then press **Create**. diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 2d8e1183db..2e2c5100e7 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md 
@@ -53,6 +53,7 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru [!INCLUDE [Update Compliance script error codes](./includes/wufb-reports-script-error-codes.md)] ## Verify device configuration - -[!INCLUDE [Endpoints for Update Compliance](./includes/wufb-reports-verify-device-configuration.md)]: + + +[!INCLUDE [Endpoints for Update Compliance](./includes/wufb-reports-verify-device-configuration.md)] diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 693f8b440d..a7272569b6 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -6,8 +6,7 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.localizationpriority: medium -ms.collection: - - highpri +ms.collection: highpri, tier2 ms.topic: article ms.date: 05/03/2022 ms.technology: itpro-updates @@ -56,7 +55,6 @@ Update Compliance is offered as an Azure Marketplace application that is linked 1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/). The solution was published by Microsoft and named **WaaSUpdateInsights**. 2. Select **Get it now**. 3. Choose an existing or configure a new Log Analytics Workspace, ensuring it is in a **Compatible Log Analytics region** from the following table. Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data. - - [Desktop Analytics](/sccm/desktop-analytics/overview) users should use the same workspace for Update Compliance. - [Azure Update Management](/azure/automation/automation-intro#update-management) users should use the same workspace for Update Compliance. 4. After your workspace is configured and selected, select **Create**. You'll receive a notification when the solution has been successfully created. 
@@ -125,9 +123,5 @@ Once you've added Update Compliance to a workspace in your Azure subscription, y After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. -### Update Compliance and Desktop Analytics - -If you use or plan to use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), you must use the same Log Analytics workspace for both solutions. - diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md index 72b284c0c6..c99c4f7dc8 100644 --- a/windows/deployment/update/update-compliance-privacy.md +++ b/windows/deployment/update/update-compliance-privacy.md @@ -17,6 +17,10 @@ ms.date: 12/31/2017 - Windows 10 - Windows 11 + +[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)] + + Update Compliance is fully committed to privacy, centering on these tenets: - **Transparency:** Windows client diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](/windows/configuration/diagnostic-data-viewer-overview) for details). 
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index a3f6cdf2a8..5de1f980ef 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: mstewart ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 02/28/2023 --- # Configure Windows Update for Business @@ -27,7 +27,7 @@ ms.date: 12/31/2017 > [!NOTE] > Windows Server _doesn't_ get feature updates from Windows Update, so only the quality update policies apply. This behavior doesn't apply to [Azure Stack hyperconverged infrastructure (HCI)](/azure-stack/hci/). -You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). +You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this article provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). > [!IMPORTANT] > Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). 
@@ -35,7 +35,7 @@ You can use Group Policy or your mobile device management (MDM) service to confi ## Start by grouping devices -By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. +By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups, which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. >[!TIP] >In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). 
@@ -68,7 +68,7 @@ Starting with Windows 10, version 1703, users can configure the branch readiness After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. -For example, a device on the General Availability Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October. +For example, a device on the General Availability Channel with `DeferFeatureUpdatesPeriodinDays=30` won't install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.

    @@ -86,7 +86,7 @@ For example, a device on the General Availability Channel with `DeferFeatureUpda ## Pause feature updates -You can also pause a device from receiving feature updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again. +You can also pause a device from receiving feature updates by a period of up to 35 days from when the value is set. After 35 days have passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again. Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. 
@@ -107,7 +107,7 @@ In cases where the pause policy is first applied after the configured start date You can check the date that feature updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: +The local group policy editor (GPEdit.msc) won't reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | @@ -119,7 +119,7 @@ The local group policy editor (GPEdit.msc) will not reflect whether the feature >If not configured by policy, individual users can pause feature updates by using **Settings > Update & security > Windows Update > Advanced options**. Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically: -- Any active restart notification are cleared or closed. +- Any active restart notifications are cleared or closed. - Any pending restarts are canceled. - Any pending update installations are canceled. - Any update installation running when pause is activated will attempt to roll back. 
@@ -164,7 +164,7 @@ In cases where the pause policy is first applied after the configured start date You can check the date that quality updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: +The local group policy editor (GPEdit.msc) won't reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | 
@@ -176,10 +176,10 @@ The local group policy editor (GPEdit.msc) will not reflect whether the quality >If not configured by policy, individual users can pause quality updates by using **Settings > Update & security > Windows Update > Advanced options**. Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically: -- Any active restart notification are cleared or closed +- Any active restart notifications are cleared or closed - Any pending restarts are canceled - Any pending update installations are canceled -- Any update installation running when pause is activated will attempt to rollback +- Any update installation running when pause is activated will attempt to roll back ## Configure when devices receive Windows Insider Preview builds @@ -201,7 +201,7 @@ The policy settings to **Select when feature updates are received** allows you t ## Exclude drivers from quality updates -Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to feature updates, where drivers might be dynamically installed to ensure the feature update process can complete. +Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy won't apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to feature updates, where drivers might be dynamically installed to ensure the feature update process can complete. **Policy settings to exclude drivers** @@ -210,6 +210,21 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving | GPO for Windows 10, version 1607 or later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | | MDM for Windows 10, version 1607 and later:
    ../Vendor/MSFT/Policy/Config/Update/
    **ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | +## Enable features introduced via servicing that are off by default + + +New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly. + +The features that are turned off by default from servicing updates will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them. + +**Policy settings to enable features introduced via servicing that are off by default** + +| Policy | Sets registry key under HKLM\Software | +| --- | --- | +| GPO for Windows 11, version 22H2 and later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | +| MDM for Windows 11, version 22H2 and later:
    ../Vendor/MSFT/Policy/Config/Update/
    **[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl | + + ## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later The following are quick-reference tables of the supported policy values for Windows Update for Business in Windows 10, version 1607 and later. @@ -218,26 +233,28 @@ The following are quick-reference tables of the supported policy values for Wind | GPO Key | Key type | Value | | --- | --- | --- | -| BranchReadinessLevel | REG_DWORD | 2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
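Review bot: The GPO row of the new **Policy settings to enable features introduced via servicing that are off by default** table maps the policy to `\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate`, which is the driver-exclusion key carried over from the table directly above it. The MDM row of the same table and the GPO summary table in the next hunk both name the value `AllowTemporaryEnterpriseFeatureControl`, so the cell should read `\Policies\Microsoft\Windows\WindowsUpdate\AllowTemporaryEnterpriseFeatureControl`. As written, an administrator verifying this policy in the registry would be pointed at the driver setting and could misjudge whether the temporary feature gate is actually applied on a device.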
    4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
    8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709)

    Other value or absent: receive all applicable updates | -| DeferQualityUpdates | REG_DWORD | 1: defer quality updates
    Other value or absent: don’t defer quality updates | -| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | -| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
    Other value or absent: don’t pause quality updates | -|DeferFeatureUpdates | REG_DWORD | 1: defer feature updates
    Other value or absent: don’t defer feature updates | -| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | -| PauseFeatureUpdatesStartTime | REG_DWORD |1: pause feature updates
    Other value or absent: don’t pause feature updates | -| ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
    Other value or absent: offer Windows Update drivers | +| AllowTemporaryEnterpriseFeatureControl

    *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.
    Other value or absent: Features that are shipped turned off by default will remain off | +| BranchReadinessLevel | REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast
    4: Systems take feature updates for the Windows Insider build - Slow
    8: Systems take feature updates for the Release Windows Insider build

    Other value or absent: Receive all applicable updates | +| DeferFeatureUpdates | REG_DWORD | 1: Defer feature updates
    Other value or absent: Don't defer feature updates | +| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days | +| DeferQualityUpdates | REG_DWORD | 1: Defer quality updates
    Other value or absent: Don't defer quality updates | +| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: Defer quality updates by given days | +| ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: Exclude Windows Update drivers
    Other value or absent: Offer Windows Update drivers | +| PauseFeatureUpdatesStartTime | REG_DWORD |1: Pause feature updates
    Other value or absent: Don't pause feature updates | +| PauseQualityUpdatesStartTime | REG_DWORD | 1: Pause quality updates
    Other value or absent: Don't pause quality updates | **MDM: HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\default\Update** | MDM Key | Key type | Value | | --- | --- | --- | -| BranchReadinessLevel | REG_DWORD |2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
    4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
    8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709)
    32: systems take feature updates from General Availability Channel
    Note: Other value or absent: receive all applicable updates | -| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | -| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
    Other value or absent: don’t pause quality updates | -| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | -| PauseFeatureUpdatesStartTime | REG_DWORD | 1: pause feature updates
    Other value or absent: don’t pause feature updates | -| ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
    Other value or absent: offer Windows Update drivers | +| AllowTemporaryEnterpriseFeatureControl

    *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.
    Other value or absent: Features that are shipped turned off by default will remain off | +| BranchReadinessLevel | REG_DWORD |2: Systems take feature updates for the Windows Insider build - Fast
    4: Systems take feature updates for the Windows Insider build - Slow
    8: Systems take feature updates for the Release Windows Insider build
    32: Systems take feature updates from General Availability Channel
    Note: Other value or absent: Receive all applicable updates | +| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days | +| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: Defer quality updates by given days | +| ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: Exclude Windows Update drivers
    Other value or absent: Offer Windows Update drivers | +| PauseFeatureUpdatesStartTime | REG_DWORD | 1: Pause feature updates
    Other value or absent: Don't pause feature updates | +| PauseQualityUpdatesStartTime | REG_DWORD | 1: Pause quality updates
    Other value or absent: Don't pause quality updates | ## Update devices to newer versions @@ -245,7 +262,7 @@ Due to the changes in Windows Update for Business, Windows 10, version 1607 uses ### How older version policies are respected on newer versions -When a device running a newer version sees an update available on Windows Update, the device first evaluates and executes the Windows Updates for Business policy keys for its current (newer) version. If these are not present, it then checks whether any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent. +When a device running a newer version sees an update available on Windows Update, the device first evaluates and executes the Windows Updates for Business policy keys for its current (newer) version. If these aren't present, it then checks whether any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent. ### Comparing keys in Windows 10, version 1607 to Windows 10, version 1703 diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 1257d066aa..231671f5d7 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: mstewart manager: aaroncz ms.topic: article -ms.collection: highpri +ms.collection: highpri, tier2 ms.technology: itpro-updates ms.date: 12/31/2017 --- diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index dfe5a33f26..2cd41a5831 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md 
@@ -7,7 +7,7 @@ author: mestew ms.localizationpriority: medium ms.author: mstewart ms.topic: article -ms.collection: highpri +ms.collection: highpri, tier2 ms.technology: itpro-updates ms.date: 12/31/2017 --- diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md index 84840a0222..641b7046a9 100644 --- a/windows/deployment/update/waas-morenews.md +++ b/windows/deployment/update/waas-morenews.md @@ -3,7 +3,6 @@ title: Windows as a service news & resources description: The latest news for Windows as a service with resources to help you learn more about them. ms.prod: windows-client ms.topic: article -ms.manager: elizapo author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index dd9bc872b4..184b4e1c7a 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: mstewart manager: aaroncz ms.topic: article -ms.collection: highpri +ms.collection: highpri, tier2 ms.technology: itpro-updates ms.date: 12/31/2017 --- 
@@ -41,11 +41,7 @@ Deploying Windows 10 and Windows 11 is simpler than with previous versions of Wi ### Application compatibility -Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. - - -For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](/mem/configmgr/desktop-analytics/ready-for-windows). - +Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. ## Servicing diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 4ff1d88197..ea9726a38e 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md 
@@ -7,8 +7,7 @@ ms.localizationpriority: medium ms.author: mstewart manager: aaroncz ms.topic: article -ms.collection: highpri -date: 09/22/2022 +ms.collection: highpri, tier2 ms.technology: itpro-updates ms.date: 12/31/2017 --- diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 6bcdbc9cde..af807a712a 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -7,8 +7,7 @@ author: mestew ms.author: mstewart manager: aaroncz ms.topic: article -ms.collection: highpri -date: 09/22/2022 +ms.collection: highpri, tier2 ms.technology: itpro-updates ms.date: 01/06/2023 --- diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md index 1d1bbb1115..fbbb54d9b6 100644 --- a/windows/deployment/update/waas-wufb-csp-mdm.md +++ b/windows/deployment/update/waas-wufb-csp-mdm.md @@ -1,6 +1,6 @@ --- title: Configure Windows Update for Business by using CSPs and MDM -description: Walk-through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM. +description: Walk through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM. ms.prod: windows-client author: mestew ms.localizationpriority: medium @@ -8,7 +8,7 @@ ms.author: mstewart manager: aaroncz ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 02/28/2023 --- # Walkthrough: Use CSPs and MDMs to configure Windows Update for Business @@ -16,8 +16,8 @@ ms.date: 12/31/2017 **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
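Review bot: The new front-matter description `Walk through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM.` drops the hyphen that made "walk-through" a noun, so the sentence no longer parses; the H1 below it already uses `Walkthrough`, so `Walkthrough demonstration of how to configure ...` (or simply `Walkthrough of how to configure ...`) keeps the two consistent. The same edit in waas-wufb-group-policy.md later in this diff produces `Walk through of how to configure ...`, which is missing its noun in the same way and should get the same correction.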
@@ -42,9 +42,9 @@ You can control when updates are applied, for example by deferring when an updat Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device. -To enable Microsoft Updates use [Update/AllwMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice). +To enable Microsoft Updates, use [Update/AllwMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice). -Drivers are automatically enabled because they are beneficial to device systems. We recommend that you allow the driver policy to allow drivers to updated on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#update-excludewudriversinqualityupdate). +Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to be updated on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#update-excludewudriversinqualityupdate). We also recommend that you allow Microsoft product updates as discussed previously. 
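Review bot: The rewritten line `To enable Microsoft Updates, use [Update/AllwMUUpdateService](...)` keeps the misspelled link text `AllwMUUpdateService` even though the line was touched and the anchor it points to is `#update-allowmuupdateservice`. Since readers search the Policy CSP reference by the displayed name, the visible text should be corrected to `Update/AllowMUUpdateService` in this pass.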
@@ -52,17 +52,17 @@ Drivers are automatically enabled because they are beneficial to device systems. #### I want to receive pre-release versions of the next feature update -1. Ensure that you are enrolled in the Windows Insider Program for Business. This is a completely free program available to commercial customers to aid them in their validation of feature updates before they are released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates. +1. Ensure that you're enrolled in the Windows Insider Program for Business. This is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates. 1. For any of test devices you want to install pre-release builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set this to **Enable preview builds**. 1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using pre-release builds for validation. -1. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you are testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. 
This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests. +1. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests. #### I want to manage which released feature update my devices receive -A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you will not receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify. +A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you won't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify. 
- To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays) - To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdatesstarttime) @@ -99,7 +99,7 @@ At this point, the IT administrator can set a policy to pause the update. In thi ![illustration of rings with pause quality update check box selected.](images/waas-wufb-pause.png) -Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again. +Now all devices are paused from updating for 35 days. When the pause is removed, they'll be offered the *next* quality update, which ideally won't have the same issue. If there's still an issue, the IT admin can pause updates again. @@ -156,7 +156,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window ![The notification users get for an impending restart prior to deadline.](images/wufb-update-deadline-warning.png) - - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur: + - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user receives this notification that the restart is about to occur: ![The notification users get for an impending restart 15 minutes prior to restart.](images/wufb-restart-imminent-warning.png) 
@@ -174,7 +174,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window There are additional settings that affect the notifications. -We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values: +We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values: **0** (default) – Use the default Windows Update notifications
    **1** – Turn off all notifications, excluding restart warnings
    @@ -194,4 +194,16 @@ When you disable this setting, users will see **Some settings are managed by you If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess). +#### I want to enable features introduced via servicing that are off by default + +(*Starting in Windows 11, version 22H2 or later*) +New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly. + +The features that are turned off by default from servicing updates will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them. + + You can enable these features by using [AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol). The following options are available: + +- **0** (default): Allowed. All features in the latest monthly cumulative update are enabled. + - When the policy is set to **0**, all features that are currently turned off will turn on when the device next reboots +- **1** - Not allowed. Features that are shipped turned off by default will remain off diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 286ed2119c..7c7b83dcd3 100644 
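Review bot: The option list at the end of this hunk gives `**0** (default): Allowed. All features in the latest monthly cumulative update are enabled.` and `**1** - Not allowed. Features that are shipped turned off by default will remain off`, which inverts what the rest of this commit documents: the GPO and MDM summary tables earlier in the diff state `1: Allowed. All features in the latest monthly cumulative update are enabled. Other value or absent: Features that are shipped turned off by default will remain off`, and the paragraph two lines above this list says these features are turned off by default. With 0 as the documented default, "Allowed" as the default would mean nothing is ever held off, so the two value lines appear swapped; they should read `- **0** (default): Not allowed. Features that are shipped turned off by default will remain off` and `- **1**: Allowed. All features in the latest monthly cumulative update are enabled`, with the sub-bullet about features turning on at the next reboot moved under the value 1 entry. This is worth confirming against the Policy CSP page the link targets before merging, because an administrator reading the inverted mapping would set the opposite of the intended state on managed devices. The leading space on `You can enable these features by using ...` also renders that paragraph as an indented continuation and should be removed.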
--- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -1,16 +1,15 @@ --- title: Configure Windows Update for Business via Group Policy -description: Walk-through demonstration of how to configure Windows Update for Business settings using Group Policy. +description: Walk through of how to configure Windows Update for Business settings using Group Policy. ms.prod: windows-client author: mestew ms.localizationpriority: medium ms.author: mstewart -ms.collection: - - highpri +ms.collection: highpri, tier2 manager: aaroncz ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 02/28/2023 --- # Walkthrough: Use Group Policy to configure Windows Update for Business @@ -25,7 +24,7 @@ ms.date: 12/31/2017 ## Overview -You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) for more information. +You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. For more information, see [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) for more information. An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path **Computer configuration > Administrative Templates > Windows Components > Windows Update**. 
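Review bot: The rewritten Overview sentence now reads `For more information, see [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) for more information.`, repeating the phrase at both ends of the sentence. Drop the trailing `for more information` so the line ends at the link.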
@@ -53,7 +52,7 @@ Follow these steps on a device running the Remote Server Administration Tools or 5. Right-click the **"Windows Update for Business - Group 1"** object, and then select **Edit**. -6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You are now ready to start assigning policies to this ring (group) of devices. +6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You're now ready to start assigning policies to this ring (group) of devices. ## Manage Windows Update offerings 
@@ -64,9 +63,9 @@ You can control when updates are applied, for example by deferring when an updat Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device. -To enable Microsoft Updates use the Group Policy Management Console go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** and select **Install updates for other Microsoft products**. +To enable Microsoft Updates, use the Group Policy Management Console go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** and select **Install updates for other Microsoft products**. -Drivers are automatically enabled because they are beneficial to device systems. We recommend that you allow the driver policy to allow drivers to update on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use the Group Policy Management Console to go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates** and enable the policy. +Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to update on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use the Group Policy Management Console to go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates** and enable the policy. 
We also recommend that you allow Microsoft product updates as discussed previously. @@ -74,7 +73,7 @@ Drivers are automatically enabled because they are beneficial to device systems. #### I want to receive pre-release versions of the next feature update -1. Ensure that you are enrolled in the Windows Insider Program for Business. This is a completely free program available to commercial customers to aid them in their validation of feature updates before they are released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates. +1. Ensure that you're enrolled in the Windows Insider Program for Business. This is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release and receive emails and content related to what is coming in the next updates. 2. Use Group Policy Management Console to go to: **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Manage preview builds** and set the policy to **Enable preview builds** for any of test devices you want to install pre-release builds. 
@@ -84,18 +83,18 @@ Drivers are automatically enabled because they are beneficial to device systems.
 #### I want to manage which released feature update my devices receive
-A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you will not receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
+A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you won't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
 - To defer or pause a feature update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and feature updates are Received**
 - Defer or pause a quality update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are Received**
 #### Example
-In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days.
+In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of 10 days.
 :::image type="content" alt-text="illustration of devices divided into three rings." source="images/waas-wufb-3-rings.png" lightbox="images/waas-wufb-3-rings.png":::
-When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
+When the quality update is released, it's offered to devices in the pilot ring the next time they scan for updates.
 ##### Five days later
 The devices in the fast ring are offered the quality update the next time they scan for updates.
@@ -103,11 +102,11 @@ The devices in the fast ring are offered the quality update the next time they s
 :::image type="content" alt-text="illustration of devices with fast ring deployed." source="images/waas-wufb-fast-ring.png" lightbox="images/waas-wufb-fast-ring.png":::
 ##### Ten days later
-Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
+Ten days after the quality update is released, it's offered to the devices in the slow ring the next time they scan for updates.
 :::image type="content" alt-text="illustration of devices with slow ring deployed." source="images/waas-wufb-slow-ring.png" lightbox="images/waas-wufb-slow-ring.png":::
-If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
+If no problems occur, all of the devices that scan for updates will be offered the quality update within 10 days of its release, in three waves.
 ##### What if a problem occurs with the update?
@@ -119,13 +118,13 @@ At this point, the IT administrator can set a policy to pause the update. In thi
 :::image type="content" alt-text="illustration of rings with pause quality update check box selected." source="images/waas-wufb-pause.png" lightbox="images/waas-wufb-pause.png":::
-Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.
+Now all devices are paused from updating for 35 days. When the pause is removed, they'll be offered the *next* quality update, which ideally won't have the same issue. If there's still an issue, the IT admin can pause updates again.
 #### I want to stay on a specific version
-If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version, use the **Select the target feature update version** setting instead of using the **Specify when Preview Builds and feature updates are received** setting for feature update deferrals. When you use this policy, specify the version that you want your devices to use. If you don't update this before the device reaches end of service, the device will automatically be updated once it is 60 days past end of service for its edition.
+If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version, use the **Select the target feature update version** setting instead of using the **Specify when Preview Builds and feature updates are received** setting for feature update deferrals. When you use this policy, specify the version that you want your devices to use. If you don't update this before the device reaches end of service, the device will automatically be updated once it's 60 days past end of service for its edition.
-When you set the target version policy, if you specify a feature update version that is older than your current version or set a value that isn't valid, the device will not receive any feature updates until the policy is updated. When you specify target version policy, feature update deferrals will not be in effect.
+When you set the target version policy, if you specify a feature update version that is older than your current version or set a value that isn't valid, the device won't receive any feature updates until the policy is updated. When you specify target version policy, feature update deferrals won't be in effect.
 ### Manage how users experience updates
@@ -135,7 +134,7 @@ We recommend that you allow to update automatically--this is the default behavio
 For more granular control, you can set the maximum period of active hours the user can set with **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify active hours range for auto restart**.
-It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates are not disabled and provides a better experience when users can set their own active hours. If you do want to set active hours, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Turn off auto-restart for updates during active hours**.
+It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates aren't disabled and provides a better experience when users can set their own active hours. If you do want to set active hours, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Turn off auto-restart for updates during active hours**.
 To update outside of the active hours, you don't need to set any additional settings: simply don't disable automatic restarts. For even more granular control, consider using automatic updates to schedule the install time, day, or week. To do this, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** and select **Auto download and schedule the install**. You can customize this setting to accommodate the time that you want the update to be installed for your devices.
@@ -145,7 +144,7 @@ When you set these policies, installation happens automatically at the specified
 We recommend that you use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline for automatic updates and restarts** for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart.
-This policies also offers an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
+This policy also offers an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
 These notifications are what the user sees depending on the settings you choose:
@@ -159,7 +158,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
 ![The notification users get for an impending restart prior to deadline.](images/wufb-update-deadline-warning.png)
- - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur:
+ - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user receives this notification that the restart is about to occur:
 ![The notification users get for an impending restart 15 minutes prior to restart.](images/wufb-restart-imminent-warning.png)
@@ -177,7 +176,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
 There are additional settings that affect the notifications.
-We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
+We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
 **0** (default) - Use the default Windows Update notifications
    **1** - Turn off all notifications, excluding restart warnings
    
@@ -192,9 +191,24 @@ Still more options are available in **Computer Configuration > Administrative Te
 #### I want to manage the update settings a user can access
-Every Windows device provides users with a variety of controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
+Every Windows device provides users with various controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
 Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to “Pause updates**. When you disable this setting, users will see **Some settings are managed by your organization** and the update pause settings are greyed out.
 If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows Update features**.
+
+#### I want to enable features introduced via servicing that are off by default
+
+(*Starting in Windows 11, version 22H2 or later*)
+
+New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
+
+The features that are turned off by default from servicing updates will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them.
+
+ You can enable these features by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > Enable features introduced via servicing that are off by default**. The following options are available:
+
+- **Enabled**: All features in the latest monthly cumulative update are enabled.
+ - When the policy is set to **Enabled**, all features that are currently turned off will turn on when the device next reboots
+- **Disabled** - Features that are shipped turned off by default will remain off
+- **Not configured** - Features that are shipped turned off by default will remain off
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
index 9ce2940f5d..078c5cb3e0 100644
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -2,7 +2,6 @@
 title: Windows as a service
 ms.prod: windows-client
 ms.topic: article
-ms.manager: dougeby
 author: mestew
 ms.author: mstewart
 description: Discover the latest news articles, videos, and podcasts about Windows as a service. Find resources for using Windows as a service within your organization.
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index d1fc86d90c..0f3dcb78bb 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -6,7 +6,7 @@ author: mestew
 ms.author: mstewart
 manager: aaroncz
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-updates
 ms.date: 12/31/2017
 ---
diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md
index 1f773ef7d8..6dbfd4ac46 100644
--- a/windows/deployment/update/wufb-reports-configuration-intune.md
+++ b/windows/deployment/update/wufb-reports-configuration-intune.md
@@ -32,7 +32,7 @@ Create a configuration profile that will set the required policies for Windows U
 ### Settings catalog
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**.
 1. On the **Configuration profiles** view, select **Create profile**.
 1. Select **Platform**="Windows 10 and later" and **Profile type**="Settings Catalog", and then select **Create**.
 1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
@@ -57,7 +57,7 @@ Create a configuration profile that will set the required policies for Windows U
 ### Custom OMA URI-based profile
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**.
 1. On the **Configuration profiles** view, select **Create profile**.
 1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
 1. For **Template name**, select **Custom**, and then select **Create**.
diff --git a/windows/deployment/update/wufb-reports-configuration-script.md b/windows/deployment/update/wufb-reports-configuration-script.md
index 784ab095bd..a521c8c546 100644
--- a/windows/deployment/update/wufb-reports-configuration-script.md
+++ b/windows/deployment/update/wufb-reports-configuration-script.md
@@ -7,7 +7,7 @@ author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
-ms.date: 11/15/2022
+ms.date: 02/10/2023
 ms.technology: itpro-updates
 ---
@@ -43,10 +43,6 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru
 1. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`.
 1. If there are issues, gather the logs and provide them to Microsoft Support.
-## Verify device configuration
-
-
-[!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-verify-device-configuration.md)]
 ## Script errors
diff --git a/windows/deployment/update/wufb-reports-help.md b/windows/deployment/update/wufb-reports-help.md
index 378595d1f7..a29bce0bb7 100644
--- a/windows/deployment/update/wufb-reports-help.md
+++ b/windows/deployment/update/wufb-reports-help.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
-ms.date: 11/15/2022
+ms.date: 02/10/2023
 ms.technology: itpro-updates
 ---
@@ -87,11 +87,6 @@ To share feedback about the Microsoft Learn platform, see [Microsoft Learn feedb
 Use the following troubleshooting tips to resolve the most common problems when using Windows Update for Business reports:
-### Verify client configuration
-
-
-[!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-verify-device-configuration.md)]
-
 ### Ensuring devices are configured correctly to send data
 The first step in troubleshooting Windows Update for Business reports is ensuring that devices are configured. Review [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md) for the settings. We recommend using the [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md) for troubleshooting and configuring devices.
diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md
index aa140f9778..13c5e19777 100644
--- a/windows/deployment/update/wufb-reports-overview.md
+++ b/windows/deployment/update/wufb-reports-overview.md
@@ -16,7 +16,7 @@ ms.technology: itpro-updates
 Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you:
-- Monitor security, quality, and feature updates for Windows 11 and Windows 10 devices
+- Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices
 - Report on devices with update compliance issues
 - Analyze and display your data in multiple ways
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index cbd081c2c7..ace317b4e1 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
-ms.date: 11/15/2022
+ms.date: 02/14/2023
 ms.technology: itpro-updates
 ---
@@ -23,6 +23,8 @@ Before you begin the process of adding Windows Update for Business reports to yo
 - Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
 - Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business reports.
 - The Log Analytics workspace must be in a [supported region](#log-analytics-regions)
+- Data in the **Driver update** tab of the [workbook](wufb-reports-workbook.md) is only available for devices that receive driver and firmware updates from the [Windows Update for Business deployment service](deployment-service-overview.md)
+
 ## Permissions
@@ -47,19 +49,26 @@ Windows Update for Business reports supports Windows client devices on the follo
 - General Availability Channel
 - Windows Update for Business reports *counts* Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them.
+### Windows operating system updates
+
+- For [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended
+
 ## Diagnostic data requirements
-At minimum, Windows Update for Business reports requires devices to send diagnostic data at the *Required* level (previously *Basic*). Some queries in Windows Update for Business reports require devices to send diagnostic data at the following levels:
+At minimum, Windows Update for Business reports requires devices to send diagnostic data at the *Required* level (previously *Basic*). For more information about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319).
-- *Optional* level (previously *Full*) for Windows 11 devices
+For some queries, such as Windows 11 eligibility reporting, Windows Update for Business reports requires devices to send diagnostic data at the following levels:
+
+- *Optional* level for Windows 11 devices (previously *Full*)
 - *Enhanced* level for Windows 10 devices
- > [!Note]
- > Device names don't appear in Windows Update for Business reports unless you individually opt-in devices by using policy. The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names:
- > - CSP: System/[AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata)
- > - Group Policy: **Allow device name to be sent in Windows diagnostic data** under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds**
+Device names don't appear in Windows Update for Business reports unless you individually opt-in devices by using a policy. The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names:
-For more information about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319).
+
+ - CSP: System/[AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata)
+ - Group Policy: **Allow device name to be sent in Windows diagnostic data** under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds**
+
+ Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. For more information about data handling and privacy for Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) and [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data).
 ## Data transmission requirements
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
index 6bd8442700..12318c9c53 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
@@ -20,6 +20,7 @@ Update Event that combines the latest client-based data with the latest service-
 |---|---|---|---|
 | **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Azure AD tenant to which the device belongs. |
 | **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A string corresponding to this device's Azure AD device ID |
+|**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID |
 | **ClientState** | [string](/azure/kusto/query/scalar-data-types/string) | `Installing` | Higher-level bucket of ClientSubstate. |
 | **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | Last-known state of this update relative to the device, from the client. |
 | **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Ranking of client substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together. |
@@ -29,9 +30,11 @@ Update Event that combines the latest client-based data with the latest service-
 | **FurthestClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadComplete` | Furthest clientSubstate |
 | **FurthestClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2400` | Ranking of furthest clientSubstate |
 | **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier |
+| **IsUpdateHealty** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | `1` | True: No issues preventing this device from updating to this update have been found. False: There is something that may prevent this device from updating. |
 | **OfferReceivedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device last reported entering OfferReceived, else empty. |
 | **RestartRequiredTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device first reported entering RebootRequired (or RebootPending), else empty. |
 | **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | A string corresponding to the Configuration Manager Client ID on the device. |
+| **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
 | **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this value would correspond to the full build (10.0.14393.385). |
 | **TargetBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `18363` | Integer of the Major portion of Build. |
 | **TargetKBNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `4524570` | KB Article. |
@@ -40,8 +43,10 @@ Update Event that combines the latest client-based data with the latest service-
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `DeviceUpdateEvent` | The EntityType |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), non-security (quality update) |
+| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
 | **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
+| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
 | **UpdateInstalledTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime when event transitioned to UpdateInstalled, else empty. |
+| **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
 | **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
 | **UpdateSource** | [string](/azure/kusto/query/scalar-data-types/string) | `UUP` | The source of the update such as UUP, MUv6, Media |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
index 78efd1d68b..e515e80e13 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
@@ -43,4 +43,4 @@ These alerts are activated as a result of an issue that is device-specific. It i
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this content is an upgrade (feature update), security (quality update), non-security (quality update) |
+| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this content is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
diff --git a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
index 87184d6464..8e8e34ea82 100644
--- a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
@@ -20,15 +20,33 @@ Update Event that comes directly from the service-side. The event has only servi
 |---|---|---|---|
 | **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
 | **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A GUID corresponding to the Azure AD tenant to which the device belongs. |
-| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
+|**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID |
+| **DeploymentApprovedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time of the update approval |
+| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) |`cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty.
|
+| **DeploymentName** | [string](/azure/kusto/query/scalar-data-types/string) |`My deployment` | Friendly name of the created deployment |
+| **DeploymentIsExpedited** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | `1` | Whether the content is being expedited |
+| **DeploymentRevokeTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time the update was revoked |
 | **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier |
 | **OfferReadyTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime of OfferReady transition. If empty, not yet been offered. |
+| **PolicyCreatedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time the policy was created |
+| **PolicyId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678` | The policy identifier targeting the update to this device |
+| **PolicyName** | [string](/azure/kusto/query/scalar-data-types/string) | `My policy` | Friendly name of the policy |
 | **ServiceState** | [string](/azure/kusto/query/scalar-data-types/string) | `Offering` | High-level state of update's status relative to device, service-side. |
 | **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | Low-level state of update's status relative to device, service-side. |
 | **ServiceSubstateTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time of last ServiceSubstate transition. |
+| **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
 | **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build for the content this event is tracking.
For Windows 10, this string corresponds to "10.0.Build.Revision" |
 | **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The version of content this DeviceUpdateEvent is tracking. For Windows 10 updates, this number would correspond to the year/month version format used, such as 1903. |
+| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678` | Azure AD tenant ID |
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Time the snapshot ran can also be the same as EventDateTimeUTC in some cases. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `ServiceUpdateEvent` | The EntityType |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update) |
+| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
+| **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
+| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
+| **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer.
|
+|**UpdateProvider** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Update provider of drivers and firmware |
+| **UpdateRecommendedTime** |[datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time when the update was recommended to the device |
+| **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
+|**UpdateVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `20.0.19.3` | Update version of drivers or firmware |
+| **UpdateVersionTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Update version date time stamp for drivers and firmware |
diff --git a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
index f00e02af9e..db70047ed0 100644
--- a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
@@ -42,8 +42,10 @@ Alert for both client and service updates. Contains information that needs atten
 | **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
 | **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. |
 | **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. |
+| **TenantId** |[string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. |
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update) |
+| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
 | **URL** | [string](/azure/kusto/query/scalar-data-types/string) | `aka.ms/errordetail32152` | An optional URL to get more in-depth information related to this alert. |
+| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md
index c6ddd21005..279be81249 100644
--- a/windows/deployment/update/wufb-reports-workbook.md
+++ b/windows/deployment/update/wufb-reports-workbook.md
@@ -15,14 +15,15 @@ ms.technology: itpro-updates
 ***(Applies to: Windows 11 & Windows 10)***
-[Windows Update for Business reports](wufb-reports-overview.md) presents information commonly needed by updates administrators in an easy-to-use format. Windows Update for Business reports uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into four tab sections:
+[Windows Update for Business reports](wufb-reports-overview.md) presents information commonly needed by updates administrators in an easy-to-use format. Windows Update for Business reports uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into tab sections:
 - [Summary](#summary-tab)
 - [Quality updates](#quality-updates-tab)
 - [Feature updates](#feature-updates-tab)
 - [Delivery Optimization](#bkmk_do)
+- [Driver updates](#driver-updates-tab)
-:::image type="content" source="media/33771278-wufb-reports-workbook-summary.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook with the three tabbed sections outlined in red." lightbox="media/33771278-wufb-reports-workbook-summary.png":::
+:::image type="content" source="media/33771278-wufb-reports-workbook-summary.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook. The three tabbed sections are outlined in red." lightbox="media/33771278-wufb-reports-workbook-summary.png":::
 ## Open the Windows Update for Business reports workbook
@@ -137,7 +138,40 @@ The **Device status** group for feature updates contains the following items:
 - **Device compliance status**: Table containing a list of devices getting a feature update and installation information including active alerts for the devices.
 - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
-## Delivery Optimization (preview tab)
+## Driver updates tab
+
+The **Driver update** tab provides information on driver and firmware update deployments from [Windows Update for Business deployment service](deployment-service-overview.md). Generalized data is at the top of the page in tiles. The data becomes more specific as you navigate lower in this tab. The top of the driver updates tab contains tiles with the following information:
+
+**Devices taking driver updates**: Count of devices that are installing driver and firmware updates.
+**Approved updates**: Count of approved driver updates
+**Total policies**: The total number of deployment polices for driver and firmware updates from [Windows Update for Business deployment service](deployment-service-overview.md)
+**Active alerts**: Count of active alerts for driver deployments
+
+Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 250 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
+
+:::image type="content" source="media/7539531-wufb-reports-workbook-drivers.png" alt-text="Screenshot of the update status tab for driver updates." lightbox="media/7539531-wufb-reports-workbook-drivers.png":::
+
+Just like the [**Quality updates**](#quality-updates-tab) and [**Feature updates**](#feature-updates-tab) tabs, the **Driver updates** tab is also subdivided into **Update status** and **Device status** groups below the tiles.
These different chart groups allow you to easily discover trends in compliance data.
+
+### Update status group for drivers
+
+The **Update status** group for driver updates contains the following items:
+
+- **Update states for all driver updates**: Chart containing the number of devices in a specific state, such as installing, for driver updates.
+- **Distribution of Driver Classes**: Chart containing the number of drivers in a specific class.
+- **Update alerts for all driver updates**: Chart containing the count of active errors and warnings for driver updates.
+
+The **Update deployment status** table displays information about deployed driver updates for your devices. Drill-in further by selecting a value from the **TotalDevices** column to display the status of a specific driver for a specific policy along with information about the installation status for each device.
+
+### Device status group for driver updates
+
+The **Device status** group for driver updates contains the following items:
+
+- **Device alerts**: Count of active device alerts for driver updates in each alert classification.
+- **Device compliance status**: Table containing a list of devices getting a driver update and installation information including active alerts for the devices.
+ - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
+
+## Delivery Optimization
 The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information.
@@ -154,7 +188,8 @@ The Delivery Optimization tab is further divided into the following groups:
 - **Content Distribution**: Includes charts showing percentage volumes and GB volumes by source by content types. All content types are linked to a table for deeper filtering by **ContentType**, **AzureADTenantId**, and **GroupID**.
 - **Efficiency By Group**: This view provides filters commonly used ways of grouping devices. The provided filters include: **GroupID**, **City**, **Country**, and **ISP**.
-:::image type="content" source="images/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="images/wufb-do-overview.png":::
+:::image type="content" source="media/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="media/wufb-do-overview.png":::
+
 ## Customize the workbook
diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md
index 7feb6b10b2..3196b89771 100644
--- a/windows/deployment/update/wufb-wsus.md
+++ b/windows/deployment/update/wufb-wsus.md
@@ -76,3 +76,7 @@ The policy can be configured using the following two methods:
 - [Update/SetPolicyDrivenUpdateSourceForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforfeature)
 - [Update/SetPolicyDrivenUpdateSourceForOtherUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforother)
 - [Update/SetPolicyDrivenUpdateSourceForQualityUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforquality)
+
+
+> [!NOTE]
+> Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be alterred.
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index 2e9259fece..60af41b984 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -3,12 +3,11 @@ title: Log files and resolving upgrade errors
 manager: aaroncz
 ms.author: frankroj
 description: Learn how to interpret and analyze the log files that are generated during the Windows 10 upgrade process.
-ms.custom: seo-marvel-apr2020
 ms.prod: windows-client
 author: frankroj
 ms.localizationpriority: medium
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-deploy
 ms.date: 10/28/2022
 ---
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 6db2339eda..62aa926553 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -3,12 +3,11 @@ title: SetupDiag
 manager: aaroncz
 ms.author: frankroj
 description: SetupDiag works by examining Windows Setup log files. This article shows how to use the SetupDiag tool to diagnose Windows Setup errors.
-ms.custom: seo-marvel-apr2020
 ms.prod: windows-client
 author: frankroj
 ms.localizationpriority: medium
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-deploy
 ms.date: 10/28/2022
 ---
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index 2f48ed28eb..5bd00dddf7 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -1,6 +1,5 @@
 ---
 title: Submit Windows 10 upgrade errors using Feedback Hub
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 description: Download the Feedback Hub app, and then submit Windows 10 upgrade errors for diagnosis using feedback hub.
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index 2fdbd0beea..a49e89b8ed 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -7,7 +7,7 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-deploy
 ms.date: 10/28/2022
 ---
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index eff1786ff2..7e8b1b574e 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -7,7 +7,7 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-deploy
 ms.date: 10/28/2022
 ---
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index ece3ab44a0..57c9590028 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -1,6 +1,5 @@
 ---
 title: Windows error reporting - Windows IT Pro
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 description: Learn how to review the events generated by Windows Error Reporting when something goes wrong during Windows 10 setup.
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index d197dc65f1..9d45ea81e3 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -1,7 +1,6 @@
 ---
 title: Windows Upgrade and Migration Considerations (Windows 10)
 description: Discover the Microsoft tools you can use to move files and settings between installations including special considerations for performing an upgrade or migration.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
index d9550203d8..b550aa4d52 100644
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
+++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
@@ -1,7 +1,6 @@
 ---
 title: User State Migration Tool (USMT) - Getting Started (Windows 10)
 description: Plan, collect, and prepare your source computer for migration using the User State Migration Tool (USMT).
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md
index 677f59ca0c..f8c2dded9b 100644
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@@ -1,7 +1,6 @@
 ---
 title: Migrate Application Settings (Windows 10)
 description: Learn how to author a custom migration .xml file that migrates the settings of an application that isn't migrated by default using MigApp.xml.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index 9059505be0..25d04bc4c2 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -1,7 +1,6 @@
 ---
 title: Migration Store Types Overview (Windows 10)
 description: Learn about the migration store types and how to determine which migration store type best suits your needs.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index 390cc4ad37..c4c1311fb0 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -1,7 +1,6 @@
 ---
 title: Offline Migration Reference (Windows 10)
 description: Offline migration enables the ScanState tool to run inside a different Windows OS than the Windows OS from which ScanState is gathering files and settings.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index 64fe549a96..d39b9bf79e 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -1,7 +1,6 @@
 ---
 title: Understanding Migration XML Files (Windows 10)
 description: Learn how to modify the behavior of a basic User State Migration Tool (USMT) 10.0 migration by using XML files.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index cebdc6bf49..d36ddbbc92 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -1,8 +1,6 @@
 ---
 title: USMT Best Practices (Windows 10)
 description: This article discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0.
-ms.custom: seo-marvel-apr2020
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md
index 72982b364a..ab33c29403 100644
--- a/windows/deployment/usmt/usmt-choose-migration-store-type.md
+++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md
@@ -1,7 +1,6 @@
 ---
 title: Choose a Migration Store Type (Windows 10)
 description: Learn how to choose a migration store type and estimate the amount of disk space needed for computers in your organization.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md
index d7332ed880..55cfe5e69c 100644
--- a/windows/deployment/usmt/usmt-command-line-syntax.md
+++ b/windows/deployment/usmt/usmt-command-line-syntax.md
@@ -1,7 +1,6 @@
 ---
 title: User State Migration Tool (USMT) Command-line Syntax (Windows 10)
 description: Learn about the User State Migration Tool (USMT) command-line syntax for using the ScanState tool, LoadState tool, and UsmtUtils tool.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index 4f68b4b46e..183565827a 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -1,7 +1,6 @@
 ---
 title: Common Migration Scenarios (Windows 10)
 description: See how the User State Migration Tool (USMT) 10.0 is used when planning hardware and/or operating system upgrades.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index 96846a8e88..a144f93cd4 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -1,7 +1,6 @@
 ---
 title: Config.xml File (Windows 10)
 description: Learn how the Config.xml file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the /genconfig option with the ScanState.exe tool.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index e12ed6ff62..b3c5c22025 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -1,7 +1,6 @@
 ---
 title: Conflicts and Precedence (Windows 10)
 description: In this article, learn how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index 88db104333..73cf61e887 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -1,7 +1,6 @@
 ---
 title: Custom XML Examples (Windows 10)
 description: Use custom XML examples to learn how to migrate an unsupported application, migrate files and registry keys, and migrate the My Videos folder.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md
index 9b4a91454c..7964757619 100644
--- a/windows/deployment/usmt/usmt-customize-xml-files.md
+++ b/windows/deployment/usmt/usmt-customize-xml-files.md
@@ -1,7 +1,6 @@
 ---
 title: Customize USMT XML Files (Windows 10)
 description: Learn how to customize USMT XML files. Also, learn about the migration XML files that are included with USMT.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
index ed6b5bc177..67138078a2 100644
--- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md
+++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
@@ -1,7 +1,6 @@
 ---
 title: Determine What to Migrate (Windows 10)
 description: Determine migration settings for standard or customized for the User State Migration Tool (USMT) 10.0.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
index 2e1ddfc773..e994e3640b 100644
--- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md
+++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
@@ -1,7 +1,6 @@
 ---
 title: Estimate Migration Store Size (Windows 10)
 description: Estimate the disk space requirement for a migration so that you can use User State Migration Tool (USMT).
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
index 0956d47d63..2b5db81c9d 100644
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
@@ -1,7 +1,6 @@
 ---
 title: Exclude Files and Settings (Windows 10)
 description: In this article, learn how to exclude files and settings when creating a custom .xml file and a Config.xml file.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
index b5b02016d8..0e973ffb4e 100644
--- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
@@ -1,7 +1,6 @@
 ---
 title: Extract Files from a Compressed USMT Migration Store (Windows 10)
 description: In this article, learn how to extract files from a compressed User State Migration Tool (USMT) migration store.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md
index 98148b856d..a7078f7b0b 100644
--- a/windows/deployment/usmt/usmt-general-conventions.md
+++ b/windows/deployment/usmt/usmt-general-conventions.md
@@ -1,7 +1,6 @@
 ---
 title: General Conventions (Windows 10)
 description: Learn about general XML guidelines and how to use XML helper functions in the XML Elements library to change migration behavior.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md
index b4790b2a5a..c11c83a8f3 100644
--- a/windows/deployment/usmt/usmt-hard-link-migration-store.md
+++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md
@@ -1,7 +1,6 @@
 ---
 title: Hard-Link Migration Store (Windows 10)
 description: Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md
index 23bb493204..751bdc54ee 100644
--- a/windows/deployment/usmt/usmt-how-it-works.md
+++ b/windows/deployment/usmt/usmt-how-it-works.md
@@ -1,7 +1,6 @@
 ---
 title: How USMT Works (Windows 10)
 description: Learn how USMT works and how it includes two tools that migrate settings and data - ScanState and LoadState.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md
index e234211ca1..0b38e19dbe 100644
--- a/windows/deployment/usmt/usmt-how-to.md
+++ b/windows/deployment/usmt/usmt-how-to.md
@@ -1,7 +1,6 @@
 ---
 title: User State Migration Tool (USMT) How-to articles (Windows 10)
 description: Reference the articles in this article to learn how to use User State Migration Tool (USMT) 10.0 to perform specific tasks.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md
index 24278e020b..101e8b5666 100644
--- a/windows/deployment/usmt/usmt-identify-application-settings.md
+++ b/windows/deployment/usmt/usmt-identify-application-settings.md
@@ -1,7 +1,6 @@
 ---
 title: Identify Applications Settings (Windows 10)
 description: Identify which applications and settings you want to migrate before using the User State Migration Tool (USMT).
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
index 01625d4d37..049a88b921 100644
--- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
+++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
@@ -1,7 +1,6 @@
 ---
 title: Identify File Types, Files, and Folders (Windows 10)
 description: Learn how to identify the file types, files, folders, and settings that you want to migrate when you're planning your migration.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
index 9b3d93da8e..6781531b60 100644
--- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md
+++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
@@ -1,7 +1,6 @@
 ---
 title: Identify Operating System Settings (Windows 10)
 description: Identify which system settings you want to migrate, then use the User State Migration Tool (USMT) to select settings and keep the default values for all others.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md
index 270b1902c3..40a4f58cb6 100644
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@@ -1,7 +1,6 @@
 ---
 title: Identify Users (Windows 10)
 description: Learn how to identify users you plan to migrate, and how to migrate local accounts and domain accounts.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md
index 7249c768be..8e5821354c 100644
--- a/windows/deployment/usmt/usmt-include-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-include-files-and-settings.md
@@ -1,7 +1,6 @@
 ---
 title: Include Files and Settings (Windows 10)
 description: Specify the migration .xml files you want, then use the User State Migration Tool (USMT) 10.0 to migrate the settings and components specified.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md
index b6238044f2..e5c04fe082 100644
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@@ -1,7 +1,6 @@
 ---
 title: LoadState Syntax (Windows 10)
 description: Learn about the syntax and usage of the command-line options available when you use the LoadState command.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md
index 06ccc91749..ad51352c37 100644
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@@ -1,7 +1,6 @@
 ---
 title: Log Files (Windows 10)
 description: Learn how to use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
index 7b8526be55..c19ee33c65 100644
--- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
+++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
@@ -1,7 +1,6 @@
 ---
 title: Migrate EFS Files and Certificates (Windows 10)
 description: Learn how to migrate Encrypting File System (EFS) certificates. Also, learn where to find information about how to identify file types, files, and folders.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md
index 518b93c468..d4ecef51aa 100644
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md
+++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md
@@ -1,7 +1,6 @@
 ---
 title: Migrate User Accounts (Windows 10)
 description: Learn how to migrate user accounts and how to specify which users to include and exclude by using the User options on the command line.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md
index 07c5b088c8..f136ae0f31 100644
--- a/windows/deployment/usmt/usmt-migration-store-encryption.md
+++ b/windows/deployment/usmt/usmt-migration-store-encryption.md
@@ -1,7 +1,6 @@ --- title: Migration Store Encryption (Windows 10) description: Learn how the User State Migration Tool (USMT) enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES). -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md index 7609e4e147..eb67085ba9 100644 --- a/windows/deployment/usmt/usmt-overview.md +++ b/windows/deployment/usmt/usmt-overview.md @@ -7,7 +7,7 @@ ms.prod: windows-client author: frankroj ms.date: 11/01/2022 ms.topic: article -ms.collection: highpri +ms.collection: highpri, tier2 ms.technology: itpro-deploy --- diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md index 6559990881..e7f255af34 100644 --- a/windows/deployment/usmt/usmt-plan-your-migration.md +++ b/windows/deployment/usmt/usmt-plan-your-migration.md @@ -1,7 +1,6 @@ --- title: Plan Your Migration (Windows 10) description: Learn how to your plan your migration carefully so your migration can proceed smoothly and so that you reduce the risk of migration failure. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md index 37172c925e..3239732839 100644 --- a/windows/deployment/usmt/usmt-recognized-environment-variables.md +++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md @@ -7,7 +7,7 @@ ms.prod: windows-client author: frankroj ms.date: 11/01/2022 ms.topic: article -ms.collection: highpri +ms.collection: highpri, tier2 ms.technology: itpro-deploy --- diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md index 9c2604adf1..fdf20145f0 100644 --- a/windows/deployment/usmt/usmt-reference.md 
+++ b/windows/deployment/usmt/usmt-reference.md
@@ -1,7 +1,6 @@
 ---
 title: User State Migration Toolkit (USMT) Reference (Windows 10)
 description: Use this User State Migration Toolkit (USMT) article to learn details about USMT, like operating system, hardware, and software requirements, and user prerequisites.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md
index d0f86bfc08..87a290ad93 100644
--- a/windows/deployment/usmt/usmt-requirements.md
+++ b/windows/deployment/usmt/usmt-requirements.md
@@ -1,7 +1,6 @@
 ---
 title: USMT Requirements (Windows 10)
 description: While the User State Migration Tool (USMT) doesn't have many requirements, these tips and tricks can help smooth the migration process.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
index 026a457ea7..8edfb43a05 100644
--- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
@@ -1,7 +1,6 @@
 ---
 title: Reroute Files and Settings (Windows 10)
 description: Learn how to create a custom .xml file and specify this file name on both the ScanState and LoadState command lines to reroute files and settings.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md
index ac1cc27168..63e2f70b4c 100644
--- a/windows/deployment/usmt/usmt-resources.md
+++ b/windows/deployment/usmt/usmt-resources.md
@@ -1,7 +1,6 @@
 ---
 title: USMT Resources (Windows 10)
 description: Learn about User State Migration Tool (USMT) online resources, including Microsoft Visual Studio and forums.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 14b65a281f..d8ee510c34 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -1,7 +1,6 @@ --- title: ScanState Syntax (Windows 10) description: The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md index 2504eabb75..b60e82e749 100644 --- a/windows/deployment/usmt/usmt-technical-reference.md +++ b/windows/deployment/usmt/usmt-technical-reference.md @@ -1,14 +1,12 @@ --- title: User State Migration Tool (USMT) Technical Reference (Windows 10) description: The User State Migration Tool (USMT) provides a highly customizable user-profile migration experience for IT professionals. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client author: frankroj ms.date: 11/01/2022 ms.topic: article -ms.custom: seo-marvel-apr2020 ms.technology: itpro-deploy --- diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md index a26c2a25cd..9b0981998d 100644 --- a/windows/deployment/usmt/usmt-test-your-migration.md +++ b/windows/deployment/usmt/usmt-test-your-migration.md @@ -1,7 +1,6 @@ --- title: Test Your Migration (Windows 10) description: Learn about testing your migration plan in a controlled laboratory setting before you deploy it to your entire organization. -ms.reviewer: manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md index 755df2c928..a1a2c43ef3 100644 --- a/windows/deployment/usmt/usmt-topics.md 
+++ b/windows/deployment/usmt/usmt-topics.md
@@ -1,7 +1,6 @@
 ---
 title: User State Migration Tool (USMT) Overview Topics (Windows 10)
 description: Learn about User State Migration Tool (USMT) overview articles that describe USMT as a highly customizable user-profile migration experience for IT professionals.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md
index ede8f237ec..05971e5afd 100644
--- a/windows/deployment/usmt/usmt-troubleshooting.md
+++ b/windows/deployment/usmt/usmt-troubleshooting.md
@@ -1,7 +1,6 @@
 ---
 title: User State Migration Tool (USMT) Troubleshooting (Windows 10)
 description: Learn about topics that address common User State Migration Tool (USMT) 10.0 issues and questions to help troubleshooting.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md
index cb67fc466b..2a174b6f13 100644
--- a/windows/deployment/usmt/usmt-utilities.md
+++ b/windows/deployment/usmt/usmt-utilities.md
@@ -1,7 +1,6 @@
 ---
 title: UsmtUtils Syntax (Windows 10)
 description: Learn about the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index be20a22816..b8a8f9f4dc 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -1,7 +1,6 @@
 ---
 title: What does USMT migrate (Windows 10)
 description: Learn how User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index 34115d72da..e669804e3e 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -1,7 +1,6 @@
 ---
 title: XML Elements Library (Windows 10)
 description: Learn about the XML elements and helper functions that you can employ to author migration .xml files to use with User State Migration Tool (USMT).
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md
index af25e49152..8d3f0e6ae2 100644
--- a/windows/deployment/usmt/usmt-xml-reference.md
+++ b/windows/deployment/usmt/usmt-xml-reference.md
@@ -1,7 +1,6 @@
 ---
 title: USMT XML Reference (Windows 10)
 description: Learn about working with and customizing the migration XML files using User State Migration Tool (USMT) XML Reference for Windows 10.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
index 60856e7a7e..f96e15394d 100644
--- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
@@ -1,7 +1,6 @@
 ---
 title: Verify the Condition of a Compressed Migration Store (Windows 10)
 description: Use these tips and tricks to verify the condition of a compressed migration store when using User State Migration Tool (USMT).
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md
index 156809cb6d..787fa3f640 100644
--- a/windows/deployment/usmt/xml-file-requirements.md
+++ b/windows/deployment/usmt/xml-file-requirements.md
@@ -1,7 +1,6 @@
 ---
 title: XML File Requirements (Windows 10)
 description: Learn about the XML file requirements for creating custom .xml files, like the file must be in UTF-8 and have a unique migration URL ID.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index cc4d7b7b90..0b6ed5832d 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -1,11 +1,9 @@
 ---
 title: Configure VDA for Windows subscription activation
 description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 author: frankroj
-ms.custom: seo-marvel-apr2020
 ms.prod: windows-client
 ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
index b00e515b54..956036f01b 100644
--- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
@@ -1,8 +1,7 @@ --- title: Activate by Proxy an Active Directory Forest (Windows 10) description: Learn how to use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md index dc8833d2f8..ce77d52b35 100644 --- a/windows/deployment/volume-activation/activate-forest-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-vamt.md @@ -1,8 +1,7 @@ --- title: Activate an Active Directory Forest Online (Windows 10) description: Use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest online. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 73f32edf78..2495b86782 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -1,8 +1,7 @@ --- title: Activate using Active Directory-based activation description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz author: frankroj ms.author: frankroj 
@@ -11,7 +10,7 @@ ms.technology: itpro-fundamentals ms.localizationpriority: medium ms.date: 11/07/2022 ms.topic: how-to -ms.collection: highpri +ms.collection: highpri, tier2 --- # Activate using Active Directory-based activation diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index c9d04453fb..72dd3657cf 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -1,8 +1,7 @@ --- title: Activate using Key Management Service (Windows 10) description: Learn how to use Key Management Service (KMS) to activate Windows. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client @@ -10,7 +9,7 @@ author: frankroj ms.localizationpriority: medium ms.date: 11/07/2022 ms.topic: article -ms.collection: highpri +ms.collection: highpri, tier2 ms.technology: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index 3166add837..f3d7c238f3 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md @@ -1,8 +1,7 @@ --- title: Activate clients running Windows 10 (Windows 10) description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client 
diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md index 48855f3afa..37122356a9 100644 --- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md +++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md @@ -1,8 +1,7 @@ --- title: Active Directory-Based Activation Overview (Windows 10) description: Enable your enterprise to activate its computers through a connection to their domain using Active Directory-Based Activation (ADBA). -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md index 53a1f70b1b..a57398003d 100644 --- a/windows/deployment/volume-activation/add-manage-products-vamt.md +++ b/windows/deployment/volume-activation/add-manage-products-vamt.md @@ -1,8 +1,7 @@ --- title: Add and Manage Products (Windows 10) description: Add client computers into the Volume Activation Management Tool (VAMT). After you add the computers, you can manage the products that are installed on your network. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md index 55297e1791..20e49eabe0 100644 --- a/windows/deployment/volume-activation/add-remove-computers-vamt.md +++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md 
@@ -1,8 +1,7 @@ --- title: Add and Remove Computers (Windows 10) description: The Discover products function on the Volume Activation Management Tool (VAMT) allows you to search the Active Directory domain or a general LDAP query. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md index 5fa51a1c12..229cb229b6 100644 --- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md +++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md @@ -1,8 +1,7 @@ --- title: Add and Remove a Product Key (Windows 10) description: Add a product key to the Volume Activation Management Tool (VAMT) database. Also, learn how to remove the key from the database. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index 0aa4fe2fb3..be88aa7204 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -1,8 +1,7 @@ --- title: Appendix Information sent to Microsoft during activation (Windows 10) description: Learn about the information sent to Microsoft during activation. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj author: frankroj diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index 189f8488ed..a2282b3152 100644 
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -1,8 +1,7 @@ --- title: Configure Client Computers (Windows 10) description: Learn how to configure client computers to enable the Volume Activation Management Tool (VAMT) to function correctly. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz author: frankroj ms.author: frankroj diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md index 63e839c6dd..378f187d4d 100644 --- a/windows/deployment/volume-activation/import-export-vamt-data.md +++ b/windows/deployment/volume-activation/import-export-vamt-data.md @@ -1,8 +1,7 @@ --- title: Import and export VAMT data description: Learn how to use the VAMT to import product-activation data from a file into SQL Server. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md index 833bc9a283..c2f7b56ef2 100644 --- a/windows/deployment/volume-activation/install-configure-vamt.md +++ b/windows/deployment/volume-activation/install-configure-vamt.md @@ -1,8 +1,7 @@ --- title: Install and Configure VAMT (Windows 10) description: Learn how to install and configure the Volume Activation Management Tool (VAMT), and learn where to find information about the process. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md index ed311b84f5..1788056d42 100644 --- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md 
+++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md @@ -1,8 +1,7 @@ --- title: Install a KMS Client Key (Windows 10) description: Learn to use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md index 00ea59707d..e98a27e5cd 100644 --- a/windows/deployment/volume-activation/install-product-key-vamt.md +++ b/windows/deployment/volume-activation/install-product-key-vamt.md @@ -1,8 +1,7 @@ --- title: Install a Product Key (Windows 10) description: Learn to use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK). -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 1ea051c4fe..c204b95d16 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -1,8 +1,7 @@ --- title: Install VAMT (Windows 10) description: Learn how to install Volume Activation Management Tool (VAMT) as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 1d5ba5f37c..ecd19f7dcc 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md 
@@ -1,8 +1,7 @@ --- title: Introduction to VAMT (Windows 10) description: VAMT enables administrators to automate and centrally manage the Windows, Microsoft Office, and select other Microsoft products volume and retail activation process. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/kms-activation-vamt.md b/windows/deployment/volume-activation/kms-activation-vamt.md index 348a87ba6b..5c00b19da0 100644 --- a/windows/deployment/volume-activation/kms-activation-vamt.md +++ b/windows/deployment/volume-activation/kms-activation-vamt.md @@ -1,8 +1,7 @@ --- title: Perform KMS Activation (Windows 10) description: The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/local-reactivation-vamt.md b/windows/deployment/volume-activation/local-reactivation-vamt.md index e189dd781a..51ac686f69 100644 --- a/windows/deployment/volume-activation/local-reactivation-vamt.md +++ b/windows/deployment/volume-activation/local-reactivation-vamt.md @@ -1,8 +1,7 @@ --- title: Perform Local Reactivation (Windows 10) description: An initially activated a computer using scenarios like MAK, retail, or CSLVK (KMS host), can be reactivated with Volume Activation Management Tool (VAMT). -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index 17dfa9af6d..92fe7a7905 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md 
@@ -1,8 +1,7 @@ --- title: Manage Activations (Windows 10) description: Learn how to manage activations and how to activate a client computer by using various activation methods. -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md index 2b9594e4f6..51995c11dc 100644 --- a/windows/deployment/volume-activation/manage-product-keys-vamt.md +++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md @@ -1,8 +1,7 @@ --- title: Manage Product Keys (Windows 10) description: In this article, learn how to add and remove a product key from the Volume Activation Management Tool (VAMT). -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md index d2499a44f3..174118be90 100644 --- a/windows/deployment/volume-activation/manage-vamt-data.md +++ b/windows/deployment/volume-activation/manage-vamt-data.md @@ -1,8 +1,7 @@ --- title: Manage VAMT Data (Windows 10) description: Learn how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT). -ms.reviewer: - - nganguly +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md index 7205e81894..87357dbe84 100644 --- a/windows/deployment/volume-activation/monitor-activation-client.md +++ b/windows/deployment/volume-activation/monitor-activation-client.md 
@@ -1,7 +1,6 @@
 ---
 title: Monitor activation (Windows 10)
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 description: Understand the most common methods to monitor the success of the activation process for a computer running Windows.
diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md
index f1dcda98ce..8ca7a4f5bd 100644
--- a/windows/deployment/volume-activation/online-activation-vamt.md
+++ b/windows/deployment/volume-activation/online-activation-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Perform Online Activation (Windows 10)
 description: Learn how to use the Volume Activation Management Tool (VAMT) to enable client products to be activated online.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index 97cdedeb4f..1cc96ae7ed 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -1,8 +1,7 @@
 ---
 title: Plan for volume activation (Windows 10)
 description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/proxy-activation-vamt.md b/windows/deployment/volume-activation/proxy-activation-vamt.md
index 2410bc8ba2..756957a315 100644
--- a/windows/deployment/volume-activation/proxy-activation-vamt.md
+++ b/windows/deployment/volume-activation/proxy-activation-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Perform Proxy Activation (Windows 10)
 description: Perform proxy activation by using the Volume Activation Management Tool (VAMT) to activate client computers that don't have Internet access.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md
index b8118e73e2..1da6d8b48a 100644
--- a/windows/deployment/volume-activation/remove-products-vamt.md
+++ b/windows/deployment/volume-activation/remove-products-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Remove Products (Windows 10)
 description: Learn how you must delete products from the product list view so you can remove products from the Volume Activation Management Tool (VAMT).
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
index 85a3fe5222..414c9569db 100644
--- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Scenario 3 KMS Client Activation (Windows 10)
 description: Learn how to use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs).
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
index c234aa5c7d..8040430270 100644
--- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Scenario 1 Online Activation (Windows 10)
 description: Achieve network access by deploying the Volume Activation Management Tool (VAMT) in a Core Network environment.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
index 223ef377b2..61b958307c 100644
--- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Scenario 2 Proxy Activation (Windows 10)
 description: Use the Volume Activation Management Tool (VAMT) to activate products that are installed on workgroup computers in an isolated lab environment.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md
index be82deed6b..3a5330083f 100644
--- a/windows/deployment/volume-activation/update-product-status-vamt.md
+++ b/windows/deployment/volume-activation/update-product-status-vamt.md
@@ -1,8 +1,7 @@
 ---
 title: Update Product Status (Windows 10)
 description: Learn how to use the Update license status function to add the products that are installed on the computers.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
index a381b30b76..d086a0d8ca 100644
--- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
+++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
@@ -1,8 +1,7 @@
 ---
 title: Use the Volume Activation Management Tool (Windows 10)
 description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to track and monitor several types of product keys.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
index e965f4be1c..7f990d6a31 100644
--- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
+++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
@@ -1,8 +1,7 @@
 ---
 title: Use VAMT in Windows PowerShell (Windows 10)
 description: Learn how to use Volume Activation Management Tool (VAMT) PowerShell cmdlets to perform the same functions as the Vamt.exe command-line tool.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md
index 4c29fd57a4..4b52470719 100644
--- a/windows/deployment/volume-activation/vamt-known-issues.md
+++ b/windows/deployment/volume-activation/vamt-known-issues.md
@@ -1,17 +1,13 @@
 ---
 title: VAMT known issues (Windows 10)
 description: Find out the current known issues with the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 author: frankroj
 ms.date: 11/07/2022
 ms.topic: article
-ms.custom:
- - CI 111496
- - CSSTroubleshooting
 ms.technology: itpro-fundamentals
 ---
diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md
index 47e54481c4..d66ce6f5a0 100644
--- a/windows/deployment/volume-activation/vamt-requirements.md
+++ b/windows/deployment/volume-activation/vamt-requirements.md
@@ -1,8 +1,7 @@
 ---
 title: VAMT Requirements (Windows 10)
 description: In this article, learn about the product key and system requierements for Volume Activation Management Tool (VAMT).
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md
index 2378579069..e085f009c8 100644
--- a/windows/deployment/volume-activation/vamt-step-by-step.md
+++ b/windows/deployment/volume-activation/vamt-step-by-step.md
@@ -1,8 +1,7 @@
 ---
 title: VAMT Step-by-Step Scenarios (Windows 10)
 description: Learn step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md
index 3f9a5a7264..6d157c6365 100644
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@@ -1,8 +1,7 @@
 ---
 title: VAMT technical reference
 description: The Volume Activation Management Tool (VAMT) enables network administrators to automate and centrally manage volume activation and retail activation.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
@@ -10,7 +9,6 @@ ms.technology: itpro-fundamentals
 author: frankroj
 ms.date: 11/07/2022
 ms.topic: overview
-ms.custom: seo-marvel-apr2020
 ---
 # Volume Activation Management Tool (VAMT) technical reference
diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md
index 3bc4621e7a..29dfd02ddc 100644
--- a/windows/deployment/volume-activation/volume-activation-windows-10.md
+++ b/windows/deployment/volume-activation/volume-activation-windows-10.md
@@ -1,8 +1,7 @@
 ---
 title: Volume Activation for Windows 10
 description: Learn how to use volume activation to deploy & activate Windows 10. Includes details for orgs that have used volume activation for earlier versions of Windows.
-ms.reviewer:
- - nganguly
+ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md
index 32807ff581..6849160ab4 100644
--- a/windows/deployment/wds-boot-support.md
+++ b/windows/deployment/wds-boot-support.md
@@ -7,7 +7,6 @@ author: frankroj
 ms.author: frankroj
 manager: aaroncz
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.date: 11/23/2022
 ms.technology: itpro-deploy
 ---
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index 677807d5c7..25168e8c14 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -1,7 +1,6 @@
 ---
 title: Windows 10 deployment process posters
 description: View and download Windows 10 deployment process flows for Microsoft Configuration Manager and Windows Autopilot.
-ms.reviewer:
 manager: aaroncz
 author: frankroj
 ms.author: frankroj
diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md
index fec86dadb3..3ee6b7d8a5 100644
--- a/windows/deployment/windows-10-deployment-tools-reference.md
+++ b/windows/deployment/windows-10-deployment-tools-reference.md
@@ -1,7 +1,6 @@
 ---
 title: Windows 10 deployment tools reference
 description: Learn about the tools available to deploy Windows 10, like Volume Activation Management Tool (VAMT) and User State Migration Tool (USMT).
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 author: frankroj
diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md
index e20b0e50ff..b4187d65df 100644
--- a/windows/deployment/windows-10-deployment-tools.md
+++ b/windows/deployment/windows-10-deployment-tools.md
@@ -1,7 +1,6 @@
 ---
 title: Windows 10 deployment tools
 description: Learn how to use Windows 10 deployment tools to successfully deploy Windows 10 to your organization.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 author: frankroj
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
index 66d08877b8..c57dd5bce0 100644
--- a/windows/deployment/windows-10-media.md
+++ b/windows/deployment/windows-10-media.md
@@ -4,7 +4,6 @@ description: Learn about volume license media in Windows 10, and channels such a
 ms.prod: windows-client
 ms.localizationpriority: medium
 ms.date: 11/23/2022
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 author: frankroj
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index 3741412fbb..61823c8faa 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -4,7 +4,6 @@ description: In this article, you'll learn how to deploy Windows 10 in a test la
 ms.prod: windows-client
 ms.localizationpriority: medium
 ms.date: 11/23/2022
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 author: frankroj
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 46c6a2b39c..87d0a1a2d5 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -4,7 +4,6 @@ description: Learn how to deploy Windows 10 in a test lab using Microsoft Config
 ms.prod: windows-client
 ms.technology: itpro-deploy
 ms.localizationpriority: medium
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 author: frankroj
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 0998486d71..40769fc671 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -1,7 +1,6 @@
 ---
 title: Configure a test lab to deploy Windows 10
 description: Learn about concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
-ms.reviewer:
 manager: aaroncz
 ms.author: frankroj
 author: frankroj
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index c34e8342eb..4430523e8a 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -7,10 +7,7 @@ ms.localizationpriority: medium
 author: frankroj
 ms.author: frankroj
 manager: aaroncz
-ms.collection:
- - highpri
-search.appverid:
- - MET150
+ms.collection: highpri, tier2
 ms.topic: conceptual
 ms.date: 11/23/2022
 appliesto:
@@ -40,7 +37,7 @@ This article covers the following information:
 For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
 > [!NOTE]
-> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f, from their device compliance policy using **Select Excluded Cloud Apps**.
+> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their device compliance policy using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
 ## Subscription activation for Enterprise
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index 5bc21c33d2..fa4844aef5 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -48,32 +48,32 @@
 href:
 items:
 - name: Windows quality updates
- href: operate/windows-autopatch-wqu-overview.md
+ href: operate/windows-autopatch-windows-quality-update-overview.md
 items:
- - name: Windows quality end user experience
- href: operate/windows-autopatch-wqu-end-user-exp.md
+ - name: Windows quality update end user experience
+ href: operate/windows-autopatch-windows-quality-update-end-user-exp.md
 - name: Windows quality update signals
- href: operate/windows-autopatch-wqu-signals.md
+ href: operate/windows-autopatch-windows-quality-update-signals.md
+ - name: Windows quality update communications
+ href: operate/windows-autopatch-windows-quality-update-communications.md
 - name: Windows quality update reports
- href: operate/windows-autopatch-wqu-reports-overview.md
+ href: operate/windows-autopatch-windows-quality-update-reports-overview.md
 items:
 - name: Summary dashboard
- href: operate/windows-autopatch-wqu-summary-dashboard.md
+ href: operate/windows-autopatch-windows-quality-update-summary-dashboard.md
 - name: All devices report
- href: operate/windows-autopatch-wqu-all-devices-report.md
+ href: operate/windows-autopatch-windows-quality-update-all-devices-report.md
 - name: All devices report—historical
- href: operate/windows-autopatch-wqu-all-devices-historical-report.md
+ href: operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
 - name: Eligible devices report—historical
- href: operate/windows-autopatch-wqu-eligible-devices-historical-report.md
+ href: operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
 - name: Ineligible devices report—historical
- href: operate/windows-autopatch-wqu-ineligible-devices-historical-report.md
+ href: operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
 - name: Windows feature updates
- href: operate/windows-autopatch-fu-overview.md
+ href: operate/windows-autopatch-windows-feature-update-overview.md
 items:
- - name: Windows feature end user experience
- href: operate/windows-autopatch-fu-end-user-exp.md
- - name: Windows quality and feature update communications
- href: operate/windows-autopatch-wqu-communications.md
+ - name: Windows feature update end user experience
+ href: operate/windows-autopatch-windows-feature-update-end-user-exp.md
 - name: Microsoft 365 Apps for enterprise
 href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
 - name: Microsoft Edge
@@ -95,7 +95,7 @@
 href:
 items:
 - name: Windows update policies
- href: operate/windows-autopatch-wqu-unsupported-policies.md
+ href: references/windows-autopatch-windows-update-unsupported-policies.md
 - name: Microsoft 365 Apps for enterprise update policies
 href: references/windows-autopatch-microsoft-365-policies.md
 - name: Changes made at tenant enrollment
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
index b01e97264d..4a3c6c4c86 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 # Add and verify admin contacts
@@ -17,7 +17,7 @@ msreviewer: hathind
 There are several ways that Windows Autopatch service communicates with customers. To streamline communication and ensure we're checking with the right people when you [submit a support request](../operate/windows-autopatch-support-request.md), you must provide a set of admin contacts when you onboard with Windows Autopatch.
 > [!IMPORTANT]
-> You might have already added these contacts in the Microsoft Endpoint Manager admin center during the [enrollment process](../prepare/windows-autopatch-enroll-tenant.md#step-4-enroll-your-tenant), or if you've [submitted a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md). However, take a moment to double-check that the contact list is accurate, since the Windows Autopatch Service Engineering Team must be able to reach them if a severe incident occurs.
+> You might have already added these contacts in the Microsoft Intune admin center during the [enrollment process](../prepare/windows-autopatch-enroll-tenant.md#step-4-enroll-your-tenant), or if you've [submitted a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md). However, take a moment to double-check that the contact list is accurate, since the Windows Autopatch Service Engineering Team must be able to reach them if a severe incident occurs.
 You must have an admin contact for each specified area of focus. The Windows Autopatch Service Engineering Team will contact these individuals for assistance with your support request. Admin contacts should be the best person or group that can answer questions and make decisions for different [areas of focus](#area-of-focus).
@@ -35,7 +35,7 @@ Your admin contacts will receive notifications about support request updates and
 **To add admin contacts:**
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Under **Tenant administration** in the **Windows Autopatch** section, select **Admin contacts**.
 1. Select **+Add**.
 1. Enter the contact details including name, email, phone number and preferred language. For a support ticket, the ticket's primary contact's preferred language will determine the language used for email communications.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
index d1e52e4ced..b6ead33041 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: andredm7
+ms.reviewer: andredm7
 ---
 # Device registration overview
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
index 340afa6233..076f04ca7b 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: andredm7
+ms.reviewer: andredm7
 ---
 # Post-device registration readiness checks (public preview)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 47e7d10902..fcc1e157cf 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -1,7 +1,7 @@
 ---
 title: Register your devices
 description: This article details how to register devices in Autopatch
-ms.date: 09/07/2022
+ms.date: 02/03/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: andredm7
+ms.reviewer: andredm7
 ---
 # Register your devices
@@ -20,8 +20,8 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev
 Windows Autopatch can take over software update management control of devices that meet software-based prerequisites as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads:
-- [Windows quality updates](../operate/windows-autopatch-wqu-overview.md)
-- [Windows feature updates](../operate/windows-autopatch-fu-overview.md)
+- [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md)
+- [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md)
 - [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
 - [Microsoft Edge updates](../operate/windows-autopatch-edge.md)
 - [Microsoft Teams updates](../operate/windows-autopatch-teams.md)
@@ -52,7 +52,7 @@ Azure AD groups synced up from:
 > It isn't recommended to sync Configuration Manager collections straight to the **Windows Autopatch Device Registration** Azure AD group. Use a different Azure AD group when syncing Configuration Manager collections to Azure AD groups then you can nest this or these groups into the **Windows Autopatch Device Registration** Azure AD group.
 > [!IMPORTANT]
-> The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups.
+> The **Windows Autopatch Device Registration** Azure AD group only supports **one level** of Azure AD nested groups.
 ### Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant
@@ -79,8 +79,12 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
 - Office Click-to-run
 - Last Intune device check in completed within the last 28 days.
 - Devices must have Serial Number, Model and Manufacturer.
- > [!NOTE]
- > Windows Autopatch doesn't support device emulators that don't generate Serial number, Model and Manufacturer. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** pre-requisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
+
+> [!NOTE]
+> Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
+
+> [!NOTE]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
 For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md).
@@ -111,12 +115,18 @@ A role defines the set of permissions granted to users assigned to that role. Yo
 - Azure AD Global Administrator
 - Intune Service Administrator
-- Modern Workplace Intune Administrator
 For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
-> [!NOTE]
-> The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Intune roles, and allows you to create and configure custom Intune roles.
+If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Azure AD groups created during the [tenant enrollment](../prepare/windows-autopatch-enroll-tenant.md) process:
+
+| Role | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions |
+| ----- | ----- | ----- | ----- | ----- | ----- |
+| Modern Workplace Roles - Service Administrator | Yes | Yes | Yes | Yes | Yes |
+| Modern Workplace Roles - Service Reader | No | Yes | Yes | Yes | No |
+
+> [!TIP]
+> If you're adding less-privileged user accounts into the **Modern Workplace Roles - Service Administrator** Azure AD group, it's recommended to add the same users as owners of the **Windows Autopatch Device Registration** Azure AD group. Owners of the **Windows Autopatch Device Registration** Azure AD group can add new devices as members of the group for registration purposes.

    For more information, see [assign an owner of member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group).

    ## Details about the device registration process 
@@ -129,12 +139,12 @@ For more information, see [Device registration overview](../deploy/windows-autop
 ## Steps to register devices
-Any device (either physical or virtual) that contains an Azure AD device ID, can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices must be registered with Windows Autopatch from the Windows 365 provisioning policy. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads).
+Any device (either physical or virtual) that contains an Azure AD device ID, can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices should be registered with Windows Autopatch from the Windows 365 provisioning policy. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads).
 Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID, these devices can be added into the **Windows Autopatch Device Registration** Azure group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group.
 **To register devices with Windows Autopatch:**
-1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** from the left navigation menu.
 3. Under the **Windows Autopatch** section, select **Devices**.
 4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens.
@@ -154,7 +164,7 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W
 **To register new Windows 365 Cloud PC devices with Windows Autopatch from the Windows 365 Provisioning Policy:**
-1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. In the left pane, select **Devices**.
 1. Navigate to Provisioning > **Windows 365**.
 1. Select Provisioning policies > **Create policy**.
diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml
index 1f245af013..2105efa402 100644
--- a/windows/deployment/windows-autopatch/index.yml
+++ b/windows/deployment/windows-autopatch/index.yml
@@ -14,8 +14,8 @@ metadata:
 ms.custom: intro-hub-or-landing
 ms.prod: windows-client
 ms.technology: itpro-updates
- ms.collection:
- - highpri
+ ms.collection: highpri, tier2
+
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
index 15b45c91d4..1792c44913 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: andredm7
+ms.reviewer: andredm7
 ---
 # Deregister a device
@@ -18,7 +18,7 @@ To avoid end-user disruption, device deregistration in Windows Autopatch only de
 
 **To deregister a device:**
 
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Windows Autopatch** in the left navigation menu.
 1. Select **Devices**.
 1. In either **Ready** or **Not ready** tab, select the device(s) you want to deregister.
@@ -42,7 +42,7 @@ You can hide unregistered devices you don't expect to be remediated anytime soon
 
 **To hide unregistered devices:**
 
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Windows Autopatch** in the left navigation menu.
 1. Select **Devices**.
 1. In the **Not ready** tab, select an unregistered device or a group of unregistered devices you want to hide then select **Status == All**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
index bc8fc2e428..c45d4d9c97 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Microsoft Edge
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
deleted file mode 100644
index 020359528b..0000000000
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: Windows feature updates
-description: This article explains how Windows feature updates are managed in Autopatch
-ms.date: 07/11/2022
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.topic: conceptual
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: dougeby
-msreviewer: hathind
----
-
-# Windows feature updates
-
-## Service level objective
-
-Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates.
-
-## Device eligibility
-
-For a device to be eligible for Windows feature updates as a part of Windows Autopatch it must meet the following criteria:
-
-| Criteria | Description |
-| ----- | ----- |
-| Activity | Devices must have at least six hours of usage, with at least two hours being continuous since the start of the update. |
-| Intune sync | Devices must have checked with Intune within the last five days. |
-| Storage space | Devices must have more than one GB (GigaBytes) of free storage space. |
-| Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. |
-| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). |
-| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). |
-| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). |
-| Group policy conflict | Devices must not have group policies deployed which would prevent device management. 
For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers). |
-
-## Windows feature update releases
-
-When the service decides to move to a new version of Windows, the following update schedule is indicative of the minimum amount of time between rings during a rollout.
-
-The final release schedule is communicated prior to release and may vary a little from the following schedule to account for business weeks or other scheduling considerations. For example, Autopatch may decide to release to the Fast Ring after 62 days instead of 60, if 60 days after the release start was a weekend.
-
-| Ring | Timeline |
-| ----- | ----- |
-| Test | Release start |
-| First | Release start + 30 days |
-| Fast | Release start + 60 days |
-| Broad | Release start + 90 days |
-
-:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline" lightbox="../media/windows-feature-release-process-timeline.png":::
-
-## New devices to Windows Autopatch
-
-If a device is enrolled and it's below Autopatch's currently targeted Windows feature update, that device will update to the service's target version within five days of meeting eligibility criteria.
-
-If a device is enrolled and it's on, or above the currently targeted Windows feature update, there won't be any change to that device.
-
-## Feature update configuration
-
-When releasing a feature update, there are two policies that are configured by the service to create the update schedule described in the previous section. You’ll see four of each of the following policies in your tenant, one for each ring:
-
-- **Modern Workplace DSS Policy**: This policy is used to control the target version of Windows.
-- **Modern Workplace Update Policy**: This policy is used to control deferrals and deadlines for feature and quality updates.
-
-| Ring | Target version (DSS) Policy | Feature update deferral | Feature update deadline | Feature update grace period |
-| ----- | ----- | ----- | ----- | ----- |
-| Test | 20H2 | 0 | 5 | 0 |
-| First | 20H2 | 0 | 5 | 2 |
-| Fast | 20H2 | 0 | 5 | 2 |
-| Broad | 20H2 | 0 | 5 | 2 |
-
-> [!NOTE]
-> Customers are not able to select a target version for their tenant.
-
-During a release, the service modifies the Modern Workplace DSS policy to change the target version for a specific ring in Intune. That change is deployed to devices and updates the devices prior to the update deadline.
-
-To understand how devices will react to the change in the Modern Workplace DSS policy, it's important to understand how deferral, deadline, and grace periods affect devices.
-
-| Policy | Description |
-| ----- | ----- |
-| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | The deferral policy determines how many days after a release the feature update is offered to a device. The service maximizes control over feature updates by creating individual DSS policies for each ring and modifying the ring's DSS policy to change the target update version. Therefore, the feature update deferral policy for all rings is set to zero days so that a change in the DSS policy is released as soon as possible. |
-| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. 
|
-| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. |
-
-> [!IMPORTANT]
-> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will render a device ineligible for management. Also, if any update related to group policy settings are detected, the device will also be ineligible for management.
-
-## Windows 11 testing
-
-To allow customers to test Windows 11 in their environment, there's a separate DSS policy that enables you to test Windows 11 before broadly adopting within your environment. When you add devices to the **Modern Workplace - Windows 11 Pre-Release Test Devices** group they'll update to Windows 11.
-
-> [!IMPORTANT]
-> This group is intended for testing purposes only and shouldn't be used to broadly update to Windows 11 in your environment.
-
-## Pausing and resuming a release
-
-You can pause or resume a Windows feature update from the Release management tab in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-## Rollback
-
-Windows Autopatch doesn't support the rollback of feature updates.
-
-## Incidents and outages
-
-If devices in your tenant don't meet the [service level objective](#service-level-objective) for Windows feature updates, Autopatch will raise an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring those devices onto the latest version of Windows.
-
-If you're experiencing other issues related to Windows feature updates, [submit a support request](../operate/windows-autopatch-support-request.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
index aa13524ff2..72d902e425 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Maintain the Windows Autopatch environment
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index ebe7cda8b7..a196916be3 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -1,15 +1,15 @@
 ---
 title: Microsoft 365 Apps for enterprise
-description: This article explains how Microsoft 365 Apps for enterprise updates are managed in Windows Autopatch
-ms.date: 08/08/2022
+description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates
+ms.date: 02/28/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
-ms.topic: conceptual
+ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Microsoft 365 Apps for enterprise
@@ -30,9 +30,9 @@ For a device to be eligible for Microsoft 365 Apps for enterprise updates (both
 
 ## Update release schedule
 
-All devices registered for Windows Autopatch will receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they'll receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and are pulled directly from the Office Content Delivery Network (CDN).
+All devices registered for Windows Autopatch will receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they'll receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and pulled directly from the Office Content Delivery Network (CDN).
 
-Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a seven day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update.
+Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. 
Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update downloads, there's a seven day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update.
 
 ## Deployment rings
 
@@ -40,21 +40,21 @@ Since the Office CDN determines when devices are offered updates, Windows Autopa ## End user experience -There are two parts of the end user experience that are configured by Windows Autopatch: +Windows Autopatch configures the following end user experiences: - Behavior during updates - Office client ### Behavior during updates -Updates can only be applied when Microsoft 365 Apps aren't running. Therefore, notifications usually appear because the user is working in a Microsoft 365 App, such as Microsoft Outlook, and hasn't closed it in several days. +Updates are only applied when Microsoft 365 Apps aren't running. Therefore, notifications usually appear because the user is working in a Microsoft 365 App, such as Microsoft Outlook, and hasn't closed it in several days. -Once the device has downloaded the update, users are given notifications leading up to the deadline. They'll receive the following message in the notification area in Windows, reminding them that updates are ready to be applied. +Once the device downloads the update, users are given notifications leading up to the deadline. They'll receive the following message in the notification area in Windows, reminding them to apply the updates. *Updates ready to be applied Updates are required by your system admin are blocked by one or more apps. Office will restart at mm/dd/yyyy h:mm AM/PM to apply updates.* -Alternatively, users can select **Update now** to apply the updates. The user is then prompted to close all open Office programs. After the updates are applied, the message disappears. +Alternatively, users can select **Update now** to apply the updates. Users are prompted to close all open Office programs. After the updates are applied, the message disappears. When the deadline arrives and the updates still aren't applied, users will: 
@@ -67,25 +67,62 @@ When the countdown reaches 00∶00, any open Office programs are closed, and the To ensure that users are receiving automatic updates, Windows Autopatch prevents the user from opting out of automatic updates. -## Update controls +## Microsoft 365 Apps for enterprise update controls If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might pause the update by forcing Microsoft 365 Apps to stay on a specific version. Windows Autopatch will either: -- Choose to stay on the previous version for rings that haven't received the update yet. +- Choose to stay on the previous version for devices that haven't received the update yet. - Force all devices to roll back to the previous version. > [!NOTE] -> Windows Autopatch doesn't currently allow customers to force their devices to stay on a previous version or rollback to a previous version. +> Windows Autopatch doesn't allow you to:
    • Pause or rollback an update in the Microsoft Intune admin center
    • Submit a request to the Windows Autopatch Service Engineering Team to pause or rollback an update
    • -Since quality updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview), we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise. +Updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). Therefore, we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise. + +## Allow or block Microsoft 365 App updates + +For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices. When the Microsoft 365 App update setting is set to **Block**, Windows Autopatch won't provide Microsoft 365 App updates on your behalf, and your organizations will have full control over these updates. For example, you can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). + +**To allow or block Microsoft 365 App updates:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Navigate to the **Devices** > **Release Management** > **Release settings**. +3. Go to the **Microsoft 365 apps updates** section. By default, the **Allow/Block** toggle is set to **Allow**. +4. Turn off the **Allow** toggle to opt out of Microsoft 365 App update policies. You'll see the notification: *Update in process. This setting will be unavailable until the update is complete.* +5. Once the update is complete, you’ll receive the notification: *This setting is updated.* + +> [!NOTE] +> If the notification: *This setting couldn’t be updated. Please try again or submit a support request.* appears, use the following steps:
      1. Refresh your page.
      2. Please repeat the same steps in To block Windows Autopatch Microsoft 365 apps updates.
      3. If the issue persists, [submit a support request](../operate/windows-autopatch-support-request.md).
      4. + +**To verify if the Microsoft 365 App update setting is set to Allow:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Navigate to **Devices** > **Configuration profiles** > **Profiles**. +3. The following **five** profiles should be discoverable from the list of profiles: + 1. Windows Autopatch - Office Configuration + 2. Windows Autopatch - Office Update Configuration [Test] + 3. Windows Autopatch - Office Update Configuration [First] + 4. Windows Autopatch - Office Update Configuration [Fast] + 5. Windows Autopatch - Office Update Configuration [Broad] + +**To verify if the Microsoft 365 App update setting is set to Block:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Navigate to **Devices** > **Configuration profiles** > **Profiles**. +3. The following **five** profiles should be removed from your list of profiles and no longer visible/active. Use the Search with the keywords “Office Configuration”. The result should return *0 profiles filtered*. + 1. Windows Autopatch - Office Configuration + 2. Windows Autopatch - Office Update Configuration [Test] + 3. Windows Autopatch - Office Update Configuration [First] + 4. Windows Autopatch - Office Update Configuration [Fast] + 5. Windows Autopatch - Office Update Configuration [Broad] ## Compatibility with Servicing Profiles [Servicing profiles](/deployoffice/admincenter/servicing-profile) is a feature in the [Microsoft 365 Apps admin center](https://config.office.com/) that provides controlled update management of monthly Office updates, including controls for user and device targeting, scheduling, rollback, and reporting. -A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. 
This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management.
+A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. The servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [software update workload](windows-autopatch-update-management.md#software-update-workloads), see the Device eligibility section of each respective software update workload.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
index 800f387276..c4a87a93ba 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Submit a support request
@@ -17,15 +17,13 @@ msreviewer: hathind
 > [!IMPORTANT]
 > Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with remediating issues.
 
-You can submit support tickets to Microsoft using the Windows Autopatch admin center. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
-
 ## Submit a new support request
 
 Support requests are triaged and responded to as they're received.
 
 **To submit a new support request:**
 
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu.
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu.
 1. In the **Windows Autopatch** section, select **Support requests**.
 1. In the **Support requests** section, select **+ New support request**.
 1. Enter your question(s) and/or a description of the problem.
@@ -59,7 +57,7 @@ You can see the summary status of all your support requests. At any time, you ca
 
 **To view all your active support requests:**
 
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
 1. In the **Windows Autopatch** section, select **Support request**.
 1. From this view, you can export the summary view or select any case to view the details.
 
@@ -69,7 +67,7 @@ You can edit support request details, for example, updating the primary case con
 
 **To edit support request details:**
 
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
 1. In the **Windows Autopatch** section, select **Support request**.
 1. In the **Support requests** section, use the search bar or filters to find the case you want to edit.
 1. Select the case to open the request's details.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
index 3a14dd0be0..b348eca592 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Microsoft Teams
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
index ec414612c4..73e870645b 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Unenroll your tenant
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
index 81dd91dbd5..3c850cf312 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: andredm7
+ms.reviewer: andredm7
 ---
 
 # Software update management
@@ -20,8 +20,8 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut
 
 | Software update workload | Description |
 | ----- | ----- |
-| Windows quality update | Windows Autopatch uses four deployment rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). |
-| Windows feature update | Windows Autopatch uses four deployment rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-fu-overview.md).
+| Windows quality update | Windows Autopatch uses four deployment rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md). |
+| Windows feature update | Windows Autopatch uses four deployment rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-windows-feature-update-overview.md).
 | Anti-virus definition | Updated with each scan. |
 | Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). |
 | Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). |
@@ -58,7 +58,6 @@ The Windows Autopatch deployment ring calculation happens during the [device reg - If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**. - If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**. - | Deployment ring | Default device balancing percentage | Description | | ----- | ----- | ----- | | Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
        • **0–500** devices: minimum **one** device.
        • **500–5000** devices: minimum **five** devices.
        • **5000+** devices: minimum **50** devices.
        Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | @@ -72,7 +71,7 @@ If you want to move separate devices to different deployment rings, after Window **To move devices in between deployment rings:** -1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane. +1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane. 2. In the **Windows Autopatch** section, select **Devices**. 3. In the **Ready** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify. 4. Select **Device actions** from the menu. @@ -84,7 +83,7 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad > [!NOTE] > You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.

        If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). -> [!WARNING] +> [!WARNING] > Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings. ## Automated deployment ring remediation functions @@ -92,7 +91,7 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: - Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or -- An issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). +- An issue occurred which prevented devices from getting a deployment ring assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). There are two automated deployment ring remediation functions: 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md
similarity index 87%
rename from windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
rename to windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md
index dec4bcff3a..011b6892d8 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Windows feature update end user experience
@@ -29,11 +29,11 @@ In this section we'll review what an end user would see in the following three s
 
 ### Typical update experience
 
-In this example, we'll be discussing a device in the First ring. The Autopatch service updates the First ring’s DSS policy to target the next version of Windows 30 days after the start of the release. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either:
+In this example, we'll be discussing a device in the First ring. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either:
 
-1. Restart immediately to install the updates
-1. Schedule the installation, or
-1. Snooze (the device will attempt to install outside of active hours.)
+1. Restart immediately to install the updates.
+2. Schedule the installation.
+3. Snooze (the device will attempt to install outside of active hours).
 
 In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
 
@@ -51,7 +51,16 @@ The deadline specified in the update policy is five days. Therefore, once this d
 
 In the following example, the user is on holiday and the device is offline beyond the feature update deadline. The user then returns to work and the device is turned back on.
 
-Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.
+The grace period to install the update and restart depends on the deployment ring the device is assigned to:
+
+| Deployment ring | Grace period (in days) |
+| ----- | ----- |
+| Test | Zero days |
+| First | Two days |
+| Fast | Two days |
+| Broad | Two days |
+
+The user will be notified of a pending installation and given options to choose from. Once the grace period has expired, the user is forced to restart with a 15-minute warning notification.
 
 :::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Windows feature update grace period" lightbox="../media/windows-feature-update-grace-period.png":::
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
new file mode 100644
index 0000000000..3c0f7c4a9b
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -0,0 +1,116 @@ +--- +title: Windows feature updates +description: This article explains how Windows feature updates are managed in Autopatch +ms.date: 02/17/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: andredm7 +--- + +# Windows feature updates + +Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation. + +Windows feature updates consist of: + +- Keeping Windows devices protected against behavioral issues. +- Providing new features to boost end-user productivity. + +Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date so you can focus on running your core businesses while Windows Autopatch runs update management on your behalf. + +## Enforcing a minimum Windows OS version + +Once devices are registered with Windows Autopatch, they’re assigned to deployment rings. Each of the four deployment rings have its Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service. + +The policies: + +- Contain the minimum Windows 10 version being currently serviced by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum OS version is **Windows 10 20H2**. +- Set a bare minimum Windows OS version required by the service once devices are registered with the service. 
+ +If a device is registered with Windows Autopatch, and the device is: + +- Below the service's currently targeted Windows feature update, that device will update to the service's target version when it meets the Windows OS upgrade eligibility criteria. +- On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades to that device. + +> [!IMPORTANT] +> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. 
+ +## Windows feature update policy configuration + +If your tenant is enrolled with Windows Autopatch, you can see the following policies created by the service in the Microsoft Intune portal: + +| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch – DSS Policy [Test] | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | 5/8/2023, 7:00PM | +| Windows Autopatch – DSS Policy [First] | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | 5/8/2023, 7:00PM | +| Windows Autopatch – DSS Policy [Fast] | Windows 10 20H2 | Make update available as soon as possible | 12/14/2022 | 12/21/2022 | 1 | 5/8/2023, 7:00PM | +| Windows Autopatch – DSS Policy [Broad] | Windows 10 20H2 | Make update available as soon as possible | 12/15/2022 | 12/29/2022 | 1 | 5/8/2023, 7:00PM | + +> [!IMPORTANT] +> If you’re ahead of the current minimum OS version enforced by Windows Autopatch in your organization, you can [edit Windows Autopatch’s default Windows feature update policy and select your desired targeted version](/mem/intune/protect/windows-10-feature-updates#create-and-assign-feature-updates-for-windows-10-and-later-policy). + +> [!NOTE] +> The four minimum Windows 10 OS version feature update policies were introduced in Windows Autopatch in the 2212 release milestone. Its creation automatically unassigns the previous four feature update policies targeting Windows 10 21H2 from all four Windows Autopatch deployment rings:

        • **Modern Workplace DSS Policy [Test]**
        • **Modern Workplace DSS Policy [First]**
        • **Modern Workplace DSS Policy [Fast]**
        • **Modern Workplace DSS Policy [Broad]**
        • Since the new Windows feature update policies that set the minimum Windows 10 OS version are already in place, the Modern Workplace DSS policies can be safely removed from your tenant.

          + +## Test Windows 11 feature updates + +You can test Windows 11 deployments by adding devices either through direct membership or by bulk importing them into the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group. There’s a separate Windows feature update policy (**Modern Workplace DSS Policy [Windows 11]**) targeted to this Azure AD group, and its configuration is set as follows: + +| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Modern Workplace DSS Policy [Windows 11] | Windows 11 22H2 | Make update available as soon as possible | N/A | N/A | N/A | 10/13/2025, 7:00PM | + +> [!IMPORTANT] +> Windows Autopatch neither applies its deployment ring distribution, nor configures the [Windows Update for Business gradual rollout settings](/mem/intune/protect/windows-update-rollout-options) in the **Modern Workplace DSS Policy [Windows 11]** policy.

          Once devices are added to the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group, the devices can be offered the Windows 11 22H2 feature update at the same time.

          + +## Manage Windows feature update deployments + +Windows Autopatch uses Microsoft Intune’s built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). + +Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35-day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it. + +## Release management + +> [!NOTE] +> To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration). + +### Pausing and resuming a release + +> [!CAUTION] +> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md). + +> [!IMPORTANT] +> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

          For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

          + +**To pause or resume a Windows feature update:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Select **Devices** from the left navigation menu. +3. Under the **Windows Autopatch** section, select **Release management**. +4. In the **Release management** blade, select either: **Pause** or **Resume**. +5. Select the update type you would like to pause or resume. +6. Select a reason from the dropdown menu. +7. Optional. Enter details about why you're pausing or resuming the selected update. +8. If you're resuming an update, you can select one or more deployment rings. +9. Select **Okay**. + +If you've paused an update, the specified release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite IT admin's pause. You must select **Resume** to resume the update. + +> [!NOTE] +> The **Service Pause** status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf. + +## Rollback + +Windows Autopatch doesn’t support the rollback of Windows feature updates. + +> [!CAUTION] +> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md). + +## Contact support + +If you’re experiencing issues related to Windows feature updates, you can [submit a support request](../operate/windows-autopatch-support-request.md). 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
similarity index 83%
rename from windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md
rename to windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
index 3808dd45a7..f48428da15 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
@@ -1,6 +1,6 @@
 ---
 title: All devices report—historical
-description: Provides a visual representation of the update status trend for all devices over the last 90 days.
+description: Provides a visual representation of the update status trend for all devices over the last 90 days.
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: adnich
+ms.reviewer: adnich
 ---
 
 # All devices report—historical
@@ -18,7 +18,7 @@ The historical All devices report provides a visual representation of the update
 
 **To view the historical All devices report:**
 
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **All devices report—historical**.
@@ -37,4 +37,4 @@ The following options are available:
 | Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
 | Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
 
-For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses).
+For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
similarity index 83%
rename from windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md
rename to windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
index 5536a42c04..a89b5943b8 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
@@ -1,6 +1,6 @@
 ---
 title: All devices report
-description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices.
+description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices.
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: adnich
+ms.reviewer: adnich
 ---
 
 # All devices report
@@ -18,7 +18,7 @@ The All devices report provides a per device view of the current update status f
 
 **To view the All devices report:**
 
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **All devices report**.
@@ -38,8 +38,8 @@ The following information is available in the All devices report:
 | Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device. |
 | Serial number | The current Intune recorded serial number for the device. |
 | Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. |
-| Update status | The current update status for the device (see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses)). |
-| Update sub status | The current update sub status for the device (see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses)) |
+| Update status | The current update status for the device (see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses)). |
+| Update sub status | The current update sub status for the device (see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses)) |
 | OS version | The current version of Windows installed on the device. |
 | OS revision | The current revision of Windows installed on the device. |
 | Intune last check in time | The last time the device checked in to Intune. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
similarity index 78%
rename from windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md
rename to windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
index e0b5a5f133..ddf26cae19 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
@@ -1,5 +1,5 @@
 ---
-title: Windows quality and feature update communications
+title: Windows quality update communications
 description: This article explains Windows quality update communications
 ms.date: 05/30/2022
 ms.prod: windows-client
@@ -9,10 +9,10 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
-# Windows quality and feature update communications
+# Windows quality update communications
 
 There are three categories of communication that are sent out during a Windows quality and feature update:
 
@@ -20,7 +20,11 @@ There are three categories of communication that are sent out during a Windows q
 - [Communications during release](#communications-during-release)
 - [Incident communications](#incident-communications)
 
-Communications are posted to Message center, Service health dashboard, and the Windows Autopatch messages section of the Microsoft Endpoint Manager admin center as appropriate for the type of communication.
+Communications are posted to, as appropriate for the type of communication, to the:
+
+- Message center
+- Service health dashboard
+- Windows Autopatch messages section of the Microsoft Intune admin center
 
 :::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline" lightbox="../media/update-communications.png":::
 
@@ -34,7 +38,7 @@ Communications are posted to Message center, Service health dashboard, and the W
 
 ## Communications during release
 
-The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information.
+The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information.
 
 There are some circumstances where Autopatch will need to change the release schedule based on new information.
 
@@ -42,4 +42,4 @@ For example, new threat intelligence may require us to expedite a release, or we
 
 ## Incident communications
 
-Despite the best intentions, every service should plan for failure and success. When there's an incident, timely and transparent communication is key to building and maintaining your trust. If insufficient numbers of devices have been updated to meet the service level objective, devices will experience an interruption to productivity and an incident will be raised. Microsoft will update the status of the incident at least once every 24 hours.
+Despite the best intentions, every service should plan for failure and success. When there's an incident, timely and transparent communication is key to building and maintaining your trust. If insufficient numbers of devices have been updated to meet the service level objective, devices will experience an interruption to productivity, and an incident will be raised. Microsoft will update the status of the incident at least once every 24 hours.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
similarity index 85%
rename from windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md
rename to windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
index 4e4e383213..f3d6012c50 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
@@ -1,6 +1,6 @@
 ---
 title: Eligible devices report—historical
-description: Provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days.
+description: Provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days.
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: adnich
+ms.reviewer: adnich
 ---
 
 # Eligible devices report—historical
@@ -18,7 +18,7 @@ The historical Eligible devices report provides a visual representation of the u
 
 **To view the historical Eligible devices report:**
 
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **Eligible devices report—historical**.
@@ -37,4 +37,4 @@ The following options are available:
 | Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
 | Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
 
-For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses).
+For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
similarity index 99%
rename from windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
rename to windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
index 9f8570c024..7772457c57 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 
 # Windows quality update end user experience
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
similarity index 87%
rename from windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md
rename to windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
index 733ee98e88..330088a5e0 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
@@ -1,6 +1,6 @@
 ---
 title: Ineligible devices report—historical
-description: Provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days.
+description: Provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days.
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: adnich
+ms.reviewer: adnich
 ---
 
 # Ineligible devices report—historical
@@ -21,7 +21,7 @@ The historical Ineligible devices report provides a visual representation of why
 
 **To view the historical Ineligible devices report:**
 
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **Ineligible devices report—historical**.
@@ -40,4 +40,4 @@ The following options are available:
 | Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
 | Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
 
-For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses).
+For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
similarity index 62%
rename from windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
rename to windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index fcf007a516..3c8809e691 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows quality updates
 description: This article explains how Windows quality updates are managed in Autopatch
-ms.date: 12/15/2022
+ms.date: 02/17/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: andredm7
 ---
 
 # Windows quality updates
@@ -30,8 +30,11 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut | Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. | | Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). | | Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). | -| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). | -| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers) | +| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-windows-update-unsupported-policies.md). | +| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-windows-update-unsupported-policies.md#group-policy-and-other-policy-managers) | + +> [!NOTE] +> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). 
The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions). ## Windows quality update releases @@ -54,6 +57,9 @@ Windows Autopatch configures these policies differently across deployment rings ## Release management +> [!NOTE] +> To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration). + In the Release management blade, you can: - Track the [Windows quality update schedule](#release-schedule) for devices in the [four deployment rings](windows-autopatch-update-management.md#windows-autopatch-deployment-rings). @@ -88,8 +94,8 @@ By default, the service expedites quality updates as needed. For those organizat **To turn off service-driven expedited quality updates:** -1. Go to **[Microsoft Endpoint Manager portal](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**. -2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited Quality Updates** setting. +1. Go to **[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**. +2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting. > [!NOTE] > Windows Autopatch doesn't allow customers to request expedited releases. 
@@ -100,7 +106,7 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
 **To view deployed Out of Band quality updates:**
-1. Go to [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
+1. Go to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
 2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates.
 > [!NOTE]
@@ -108,19 +114,36 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
 ### Pausing and resuming a release
-If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md), we may decide to pause that release.
+> [!CAUTION]
+> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
-In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Release management** > in the **Release schedule** tab, you can pause or resume a Windows quality update.
+The service-level pause of updates is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
-There are two statuses associated with paused quality updates, **Service Paused** and **Customer Paused**.
+If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-windows-quality-update-signals.md), we may decide to pause that release.
+
+> [!IMPORTANT]
+> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

          For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

          +
+**To pause or resume a Windows quality update:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Devices** from the left navigation menu.
+3. Under the **Windows Autopatch** section, select **Release management**.
+4. In the **Release management** blade, select either: **Pause** or **Resume**.
+5. Select the update type you would like to pause or resume.
+6. Select a reason from the dropdown menu.
+7. Optional. Enter details about why you're pausing or resuming the selected update.
+8. If you're resuming an update, you can select one or more deployment rings.
+9. Select **Okay**.
+
+The three following statuses are associated with paused quality updates:
 | Status | Description |
 | ----- | ------ |
-| Service Paused | If the Windows Autopatch service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. |
-| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. |
+| Service Pause | If the Windows Autopatch service has paused an update, the release will have the **Service Pause** status. You must [submit a support request](../operate/windows-autopatch-support-request.md) to resume the update. |
+| Customer Pause | If you've paused an update, the release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite an IT admin's pause. You must select **Resume** to resume the update. |
+| Customer & Service Pause | If you and Windows Autopatch have both paused an update, the release will have the **Customer & Service Pause** status.
If you resume the update, and the **Service Pause** status still remains, you must [submit a support request](../operate/windows-autopatch-support-request.md) for Windows Autopatch to resume the update deployment on your behalf. |
-## Incidents and outages
+## Remediating Ineligible and/or Not up to Date devices
-If devices in your tenant aren't meeting the [service level objective](../operate/windows-autopatch-wqu-overview.md#service-level-objective) for Windows quality updates, an incident will be raised, and the Windows Autopatch Service Engineering Team will work to bring the devices back into compliance.
-
-If you're experiencing other issues related to Windows quality updates, [submit a support request](../operate/windows-autopatch-support-request.md).
+To ensure your devices receive Windows quality updates, Windows Autopatch provides information on how you can remediate [Ineligible Devices (Customer Actions)](../operate/windows-autopatch-windows-quality-update-reports-overview.md#ineligible-devices-customer-action). In addition, the Windows Autopatch service may remediate [Not up to Date devices](../operate/windows-autopatch-windows-quality-update-reports-overview.md#not-up-to-date-microsoft-action) to bring them back into compliance.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md
similarity index 80%
rename from windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md
rename to windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md
index 2e61770efe..c55689a4ea 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md
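Review bot: The CAUTION note added at the top of this hunk links "Windows quality" to `windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release` and "Windows feature updates" to the in-page anchor `#pausing-and-resuming-a-release`, which looks like the two targets are swapped: the surrounding content (the "Windows quality update releases" heading in the first hunk, the paused quality update statuses table here) indicates this file is the quality update overview, so the first link resolves to the page itself and the second never leaves it. The file header for this section is outside this chunk, so that is inferred from content; if correct, the feature update link should point at the feature update article the FAQ hunk already uses, e.g. `[Windows feature updates](windows-autopatch-windows-feature-update-overview.md#pausing-and-resuming-a-release)`. Since the new Customer Pause row states the service can't overwrite an IT admin's pause, the procedure would also benefit from one sentence noting that a customer pause holds back the monthly security quality update for the selected rings until an explicit **Resume**.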
@@ -1,6 +1,6 @@
 ---
 title: Windows quality update reports
-description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch
+description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: adnich
+ms.reviewer: adnich
 ---
 # Windows quality update reports
@@ -26,8 +26,8 @@ The report types are organized into the following focus areas:
 | Focus area | Description |
 | ----- | ----- |
-| Operational detail |
          • [Summary dashboard](windows-autopatch-wqu-summary-dashboard.md): Provides the current update status summary for all devices.
          • [All devices report](windows-autopatch-wqu-all-devices-report.md): Provides the current update status of all devices at the device level.
          | -| Device trends |
          • [All devices report – historical](windows-autopatch-wqu-all-devices-historical-report.md): Provides the update status trend of all devices over the last 90 days.
          • [Eligible devices report – historical](windows-autopatch-wqu-eligible-devices-historical-report.md): Provides the update status trend of all eligible devices to receive quality updates over the last 90 days.
          • [Ineligible devices report – historical](windows-autopatch-wqu-ineligible-devices-historical-report.md): Provides a trending view of why ineligible devices haven’t received quality updates over the last 90 days.
          | +| Operational detail |
          • [Summary dashboard](windows-autopatch-windows-quality-update-summary-dashboard.md): Provides the current update status summary for all devices.
          • [All devices report](windows-autopatch-windows-quality-update-all-devices-report.md): Provides the current update status of all devices at the device level.
          | +| Device trends |
          • [All devices report – historical](windows-autopatch-windows-quality-update-all-devices-historical-report.md): Provides the update status trend of all devices over the last 90 days.
          • [Eligible devices report – historical](windows-autopatch-windows-quality-update-eligible-devices-historical-report.md): Provides the update status trend of all eligible devices to receive quality updates over the last 90 days.
          • [Ineligible devices report – historical](windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md): Provides a trending view of why ineligible devices haven’t received quality updates over the last 90 days.
          | ## Who can access the reports? 
@@ -57,16 +57,16 @@ Healthy devices are devices that meet all of the following prerequisites:
 - [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
 - [Prerequisites for device registration](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration)
-- [Windows quality update device eligibility](../operate/windows-autopatch-wqu-overview.md#device-eligibility)
+- [Windows quality update device eligibility](../operate/windows-autopatch-windows-quality-update-overview.md#device-eligibility)
 > [!NOTE]
 > Healthy devices will remain with the **In Progress** status for the 21-day service level objective period. Devices which are **Paused** are also considered healthy.
 | Sub status | Description |
 | ----- | ----- |
-| Up to Date | Devices are up to date with the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases). |
-| In Progress | Devices are currently installing the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases). |
-| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated Release Management pause. For more information, see [Pausing and resuming a release](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release). |
+| Up to Date | Devices are up to date with the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases). |
+| In Progress | Devices are currently installing the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases).
|
+| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated Release Management pause. For more information, see [Pausing and resuming a release](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). |
 ### Not Up to Date (Microsoft Action)
@@ -76,7 +76,7 @@ Not Up to Date means a device isn’t up to date when the:
 - Device is more than 21 days overdue from the last release.
 > [!NOTE]
-> Microsoft Action refers to the responsibility of the Windows Autopatch Service Engineering Team to carry out the appropriate action to resolve the reported device state. Windows Autopatch aims to keep at least [95% of eligible devices on the latest Windows quality update 21 days after release](../operate/windows-autopatch-wqu-overview.md#service-level-objective).
+> Microsoft Action refers to the responsibility of the Windows Autopatch Service Engineering Team to carry out the appropriate action to resolve the reported device state. Windows Autopatch aims to keep at least [95% of eligible devices on the latest Windows quality update 21 days after release](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
 | Sub status | Description |
 | ----- | ----- |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
similarity index 86%
rename from windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
rename to windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
index 2a4c33b67a..492e76ed01 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
@@ -1,7 +1,7 @@
 ---
 title: Windows quality update signals
 description: This article explains the Windows quality update signals
-ms.date: 05/30/2022
+ms.date: 01/24/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 # Windows quality update signals
@@ -24,7 +24,7 @@ Before being released to the Test ring, Windows Autopatch reviews several data s
 | Pre-release signal | Description |
 | ----- | ----- |
-| Windows Payload Review | The contents of the B release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-wqu-communications.md#communications-during-release) will be sent out. |
+| Windows Payload Review | The contents of the B release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-windows-quality-update-communications.md#communications-during-release) will be sent out. |
 | C-Release Review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous C release to understand potential risks in the B release. |
 | C-Release Review - Social Signals | Windows Autopatch monitors social signals to better understand potential risks associated with the B release. |
@@ -56,6 +56,4 @@ Autopatch monitors the following reliability signals:
 | Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. |
 | Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. |
-When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch can to detect regressions, which are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers.
-
-Once your tenant reaches 500 devices, Windows Autopatch starts generating recommendations specific to your devices. Based on this information, the service starts developing insights specific to your tenant allowing a customized response to what's happening in your environment.
+When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch can detect regressions that are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
similarity index 85%
rename from windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md
rename to windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
index 735136be22..95dd437451 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
@@ -1,6 +1,6 @@
 ---
 title: Summary dashboard
-description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
+description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: adnich
+ms.reviewer: adnich
 ---
 # Summary dashboard
@@ -18,7 +18,7 @@ The Summary dashboard provides a summary view of the current update status for a
 **To view the current update status for all your enrolled devices:**
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 :::image type="content" source="../media/windows-autopatch-summary-dashboard.png" alt-text="Summary dashboard" lightbox="../media/windows-autopatch-summary-dashboard.png":::
@@ -32,7 +32,7 @@ The following information is available in the Summary dashboard:
 | Column name | Description |
 | ----- | ----- |
-| Windows quality update status | The device update state. For more information, see [Windows quality update status](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses). |
+| Windows quality update status | The device update state. For more information, see [Windows quality update status](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses). |
 | Devices | The number of devices showing as applicable for the state. |
 ## Report options
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index e51bf1f82a..c323dd4908 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.prod: windows-client ms.topic: faq - ms.date: 08/26/2022 + ms.date: 02/28/2023 audience: itpro ms.localizationpriority: medium manager: dougeby @@ -37,7 +37,7 @@ sections: Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. - question: What if I enrolled into Windows Autopatch using the promo code? Will I still have access to the service? answer: | - Yes. For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There is no additional action you have to take to continue using Windows Autopatch. + Yes. For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There's no additional action you have to take to continue using Windows Autopatch. - name: Requirements questions: - question: What are the prerequisites for Windows Autopatch? 
@@ -70,14 +70,14 @@ sections: No, Windows 365 Enterprise Cloud PC's support all features of Windows Autopatch. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices). - question: Do my Cloud PCs appear any differently in the Windows Autopatch admin center? answer: | - Cloud PC displays the model as the license type you have provisioned. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). + Cloud PC displays the model as the license type you've provisioned. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). - question: Can I run Autopatch on my Windows 365 Business Workloads? answer: | No. Autopatch is only available on enterprise workloads. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). - question: Can you change the policies and configurations created by Windows Autopatch? answer: | No. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. For more information about policies and configurations, see [Changes made at tenant enrollment](/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant). - - name: Update Management + - name: Update management questions: - question: What systems does Windows Autopatch update? answer: | 
@@ -92,23 +92,26 @@ sections: - question: What happens if there's an issue with an update? answer: | Autopatch relies on the following capabilities to help resolve update issues: - - Pausing and resuming: If Windows Autopatch detects an issue with a Windows quality release, we may decide that it's necessary to pause that release. Once the issue is resolved, the release will be resumed. For more information, see [Pausing and resuming a Windows quality release](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release). - - Rollback: If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might force all devices to roll back to the previous version. For more information, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-controls). + - Pausing and resuming: If Windows Autopatch detects an issue with a Windows quality release, we may decide that it's necessary to pause that release. Once the issue is resolved, the release will be resumed. For more information, see [Pausing and resuming a Windows quality release](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). + - Rollback: If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might force all devices to roll back to the previous version. For more information, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls). + - question: Can I permanently pause a Windows feature update deployment? + answer: | + Yes. Windows Autopatch provides a [permanent pause of either a feature update deployment](../operate/windows-autopatch-windows-feature-update-overview.md#pausing-and-resuming-a-release). 
- question: Will Windows quality updates be released more quickly after vulnerabilities are identified, or what is the regular cadence of updates? answer: | - For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-wqu-overview.md#expedited-releases). For normal updates Autopatch uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring. + For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases). For normal updates Autopatch, uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring. - question: Can customers configure when to move to the next ring or is it controlled by Windows Autopatch? answer: | The decision of when to move to the next ring is handled by Windows Autopatch; it isn't customer configurable. - question: Can you customize the scheduling of an update rollout to only install on certain days and times? answer: | - No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. + No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-windows-quality-update-end-user-exp.md#servicing-window) to prevent users from updating during business hours. - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership? answer: | Windows Autopatch doesn't support managing update deployment ring membership using your Azure AD groups. 
For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring? answer: | - The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. + The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) would roll out more rapidly. - name: Support questions: - question: What support is available for customers who need help with onboarding to Windows Autopatch? diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md index 8ed02530ce..9698a98009 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md @@ -9,9 +9,8 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind -ms.collection: - - highpri +ms.collection: highpri, tier2 +ms.reviewer: hathind --- # What is Windows Autopatch? 
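Review bot: The rewritten zero-day answer in this hunk still links "regular release cadence" to `../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases`, the old filename that every other link in the hunk (including the cadence answer two questions later) replaces with `../operate/windows-autopatch-windows-quality-update-overview.md`; the line should read `[regular release cadence](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases)`. The same edit moved the comma to the wrong place: `For normal updates Autopatch, uses a` should be `For normal updates, Autopatch uses a`. The new permanent-pause answer, `a [permanent pause of either a feature update deployment]`, has an "either" with no second option; `a [permanent pause of a feature update deployment]` reads cleanly.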
@@ -37,8 +36,8 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
 | Management area | Service level objective |
 | ----- | ----- |
-| [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) | Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. |
-| [Windows feature updates](../operate/windows-autopatch-fu-overview.md) | Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates. |
+| [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) | Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. |
+| [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md) | Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates. |
 | [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC). |
 | [Microsoft Edge](../operate/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
 | [Microsoft Teams](../operate/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
@@ -64,7 +63,7 @@ Microsoft remains committed to the security of your data and the [accessibility]
 | Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:
          • [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
          • [Configure your network](../prepare/windows-autopatch-configure-network.md)
          • [Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)
          • [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)
          | | Deploy | Once you've enrolled your tenant, this section instructs you to:
          • [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
          • [Register your devices](../deploy/windows-autopatch-register-devices.md)
          | | Operate | This section includes the following information about your day-to-day life with the service:
          • [Update management](../operate/windows-autopatch-update-management.md)
          • [Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)
          • [Submit a support request](../operate/windows-autopatch-support-request.md)
          • [Deregister a device](../operate/windows-autopatch-deregister-devices.md)
          -| References | This section includes the following articles:
          • [Windows update policies](../operate/windows-autopatch-wqu-unsupported-policies.md)
          • [Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)
          • [Privacy](../references/windows-autopatch-privacy.md)
          • [Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)
          | +| References | This section includes the following articles:
          • [Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)
          • [Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)
          • [Privacy](../references/windows-autopatch-privacy.md)
          • [Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)
          |
 ### Have feedback or would like to start a discussion?
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
index ec8c9d7ece..99cec5d626 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
@@ -1,7 +1,7 @@
 ---
 title: Roles and responsibilities
 description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
-ms.date: 12/12/2022
+ms.date: 02/28/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 # Roles and responsibilities
@@ -28,7 +28,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | [Review the service data platform and privacy compliance details](../references/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: | | Ensure device [prerequisites](../prepare/windows-autopatch-prerequisites.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: | | Ensure [infrastructure and environment prerequisites](../prepare/windows-autopatch-configure-network.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: | -| Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | +| Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | | [Configure required network endpoints](../prepare/windows-autopatch-configure-network.md#required-microsoft-product-endpoints) | :heavy_check_mark: | :x: | | [Fix issues identified by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) | :heavy_check_mark: | :x: | | [Enroll tenant into the Windows Autopatch service](../prepare/windows-autopatch-enroll-tenant.md) | :heavy_check_mark: | :x: | 
@@ -38,10 +38,12 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | Task | Your responsibility | Windows Autopatch | | ----- | :-----: | :-----: | -| [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) in Microsoft Endpoint Manager | :heavy_check_mark: | :x: | +| [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) in Microsoft Intune | :heavy_check_mark: | :x: | | [Deploy and configure Windows Autopatch service configuration](../references/windows-autopatch-changes-to-tenant.md) | :x: | :heavy_check_mark: | -| Educate users on the Windows Autopatch end user update experience
          • [Windows quality update end user experience](../operate/windows-autopatch-wqu-end-user-exp.md)
          • [Windows feature update end user experience](../operate/windows-autopatch-fu-end-user-exp.md)
          • [Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)
          • [Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)
          | :heavy_check_mark: | :x: | -| Remove your devices from existing unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | +| Educate users on the Windows Autopatch end user update experience
          • [Windows quality update end user experience](../operate/windows-autopatch-windows-quality-update-end-user-exp.md)
          • [Windows feature update end user experience](../operate/windows-autopatch-windows-feature-update-end-user-exp.md)
          • [Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)
          • [Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)
          | :heavy_check_mark: | :x: | +| Remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | +| [Turn on or off expedited Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) | :heavy_check_mark: | :x: | +| [Allow or block Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates) | :heavy_check_mark: | :x: | | [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices) | :heavy_check_mark: | :x: | | [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-ready-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: | | [Automatically assign devices to First, Fast & Broad deployment rings at device registration](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :x: | :heavy_check_mark: | 
@@ -56,34 +58,34 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | Task | Your responsibility | Windows Autopatch | | ----- | :-----: | :-----: | -| [Maintain contacts in the Microsoft Endpoint Manager admin center](../deploy/windows-autopatch-admin-contacts.md) | :heavy_check_mark: | :x: | +| [Maintain contacts in the Microsoft Intune admin center](../deploy/windows-autopatch-admin-contacts.md) | :heavy_check_mark: | :x: | | [Maintain and manage the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :x: | :heavy_check_mark: | | [Maintain customer configuration to align with the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :heavy_check_mark: | :x: | | [Run on-going checks to ensure devices are only present in one deployment ring](../operate/windows-autopatch-update-management.md#automated-deployment-ring-remediation-functions) | :x: | :heavy_check_mark: | | [Maintain the Test deployment ring membership](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :heavy_check_mark: | :x: | -| Monitor [Windows update signals](../operate/windows-autopatch-wqu-signals.md) for safe update release | :x: | :heavy_check_mark: | -| Test specific [business update scenarios](../operate/windows-autopatch-wqu-signals.md) | :heavy_check_mark: | :x: | -| [Define and implement release schedule](../operate/windows-autopatch-wqu-overview.md) | :x: | :heavy_check_mark: | -| Communicate the update [release schedule](../operate/windows-autopatch-wqu-communications.md) | :x: | :heavy_check_mark: | -| Release updates (as scheduled)
          • [Windows quality updates](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases)
          • [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-release-schedule)
          • [Microsoft Edge](../operate/windows-autopatch-edge.md#update-release-schedule)
          • [Microsoft Teams](../operate/windows-autopatch-teams.md#update-release-schedule)
            • | :x: | :heavy_check_mark: | -| [Release updates (expedited)](../operate/windows-autopatch-wqu-overview.md#expedited-releases) | :x: | :heavy_check_mark: | +| Monitor [Windows update signals](../operate/windows-autopatch-windows-quality-update-signals.md) for safe update release | :x: | :heavy_check_mark: | +| Test specific [business update scenarios](../operate/windows-autopatch-windows-quality-update-signals.md) | :heavy_check_mark: | :x: | +| [Define and implement release schedule](../operate/windows-autopatch-windows-quality-update-overview.md) | :x: | :heavy_check_mark: | +| Communicate the update [release schedule](../operate/windows-autopatch-windows-quality-update-communications.md) | :x: | :heavy_check_mark: | +| Release updates (as scheduled)
              • [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases)
              • [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-release-schedule)
              • [Microsoft Edge](../operate/windows-autopatch-edge.md#update-release-schedule)
              • [Microsoft Teams](../operate/windows-autopatch-teams.md#update-release-schedule)
                • | :x: | :heavy_check_mark: | +| [Release updates (expedited)](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) | :x: | :heavy_check_mark: | | [Deploy updates to devices](../operate/windows-autopatch-update-management.md) | :x: | :heavy_check_mark: | -| Monitor [Windows quality](../operate/windows-autopatch-wqu-overview.md) or [feature updates](../operate/windows-autopatch-fu-overview.md) through the release cycle | :x: | :heavy_check_mark: | -| Review [update reports](../operate/windows-autopatch-wqu-reports-overview.md) | :heavy_check_mark: | :x: | -| [Pause updates (Windows Autopatch initiated)](../operate/windows-autopatch-wqu-signals.md) | :x: | :heavy_check_mark: | -| [Pause updates (initiated by you)](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release) | :heavy_check_mark: | :x: | +| Monitor [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md) or [feature updates](../operate/windows-autopatch-windows-feature-update-overview.md) through the release cycle | :x: | :heavy_check_mark: | +| Review [update reports](../operate/windows-autopatch-windows-quality-update-reports-overview.md) | :heavy_check_mark: | :x: | +| [Pause updates (Windows Autopatch initiated)](../operate/windows-autopatch-windows-quality-update-signals.md) | :x: | :heavy_check_mark: | +| [Pause updates (initiated by you)](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) | :heavy_check_mark: | :x: | | Run [on-going post-registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | :x: | :heavy_check_mark: | | [Remediate devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: | -| Resolve any conflicting and unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) 
and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | -| [Investigate devices that aren't up to date within the service level objective (Microsoft action)](../operate/windows-autopatch-wqu-reports-overview.md#not-up-to-date-microsoft-action) | :x: | :heavy_check_mark: | -| [Investigate and remediate devices that are marked as ineligible (Customer action)](../operate/windows-autopatch-wqu-reports-overview.md#ineligible-devices-customer-action) | :heavy_check_mark: | :x: | +| Resolve any conflicting and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | +| [Investigate devices that aren't up to date within the service level objective (Microsoft action)](../operate/windows-autopatch-windows-quality-update-reports-overview.md#not-up-to-date-microsoft-action) | :x: | :heavy_check_mark: | +| [Investigate and remediate devices that are marked as ineligible (Customer action)](../operate/windows-autopatch-windows-quality-update-reports-overview.md#ineligible-devices-customer-action) | :heavy_check_mark: | :x: | | [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: | | [Deregister devices](../operate/windows-autopatch-deregister-devices.md) | :heavy_check_mark: | :x: | | [Register a device that was previously deregistered (upon customers request)](../operate/windows-autopatch-deregister-devices.md#excluded-devices) | :x: | :heavy_check_mark: | | [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: | | [Remove Windows Autopatch data from the service and deregister 
devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: | | [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: | -| Review and respond to Message Center and Service Health Dashboard notifications
                  • [Windows quality and feature update communications](../operate/windows-autopatch-wqu-communications.md)
                  • [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
                  | :heavy_check_mark: | :x: | +| Review and respond to Message Center and Service Health Dashboard notifications
                  • [Windows quality update communications](../operate/windows-autopatch-windows-quality-update-communications.md)
                  • [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
                  | :heavy_check_mark: | :x: | | [Highlight Windows Autopatch Tenant management alerts that require customer action](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) | :x: | :heavy_check_mark: | | [Review and respond to Windows Autopatch Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) | :heavy_check_mark: | :x: | | [Raise and respond to support requests](../operate/windows-autopatch-support-request.md) | :heavy_check_mark: | :x: | diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md index a1c0a63417..e223d515a4 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +ms.reviewer: hathind --- # Configure your network diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md index b091a73a97..7e202554d2 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +ms.reviewer: hathind --- # Enroll your tenant 
@@ -19,7 +19,7 @@ Before you enroll in Windows Autopatch, there are settings, and other parameters > [!IMPORTANT] > You must be a Global Administrator to enroll your tenant. -The Readiness assessment tool, accessed in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch. +The Readiness assessment tool, accessed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch. ## Step 1: Review all prerequisites @@ -37,7 +37,7 @@ The Readiness assessment tool checks the settings in [Microsoft Intune](#microso > [!IMPORTANT] > You must be a Global Administrator to run the Readiness assessment tool. -1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. In the left pane, select Tenant administration and then navigate to Windows Autopatch > **Tenant enrollment**. > [!IMPORTANT] @@ -109,7 +109,7 @@ Windows Autopatch retains the data associated with these checks for 12 months af **To delete the data we collect:** -1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Navigate to Windows Autopatch > **Tenant enrollment**. 3. Select **Delete all data**. 
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md index c36be7a98b..c36d207090 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md @@ -9,12 +9,12 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +ms.reviewer: hathind --- # Submit a tenant enrollment support request -If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team. +If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. > [!NOTE] > After you've successfully enrolled your tenant, this feature will no longer be accessible. You must [submit a support request through the Tenant administration menu](../operate/windows-autopatch-support-request.md). @@ -35,6 +35,6 @@ If you have a question about the case, the best way to get in touch is to reply **To view all your active tenant enrollment support requests:** -1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu. +1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu. 1. In the **Windows Autopatch** section, select **Tenant Enrollment**. 1. Select the **Support history** tab. You can view the list of all support cases, or select an individual case to view the details. 
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index 8e9d0f1a63..0c4b7973da 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +ms.reviewer: hathind --- # Fix issues found by the Readiness assessment tool @@ -35,7 +35,7 @@ For each check, the tool will report one of four possible results: ## Microsoft Intune settings -You can access Intune settings at the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +You can access Intune settings at the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). ### Unlicensed admins @@ -45,13 +45,13 @@ This setting must be turned on to avoid a "lack of permissions" error when we in | ----- | ----- | | Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.

                  For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). | -### Deployment rings for Windows 10 or later +### Windows 10 and later update rings -Your "Windows 10 deployment ring" policy in Intune must not target any Windows Autopatch devices. +Your "Windows 10 and later update ring" policy in Intune must not target any Windows Autopatch devices. | Result | Meaning | | ----- | ----- | -| Not ready | You have an "update ring" policy that targets all devices, all users, or both.

                  To resolve, change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.

                  For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

                  | +| Not ready | You have an "update ring" policy that targets all devices, all users, or both.

                  To resolve, change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.

                  For more information, see [Manage Windows 10 and later software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

                  | | Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch.

                  You can continue with enrollment. However, you must resolve the advisory prior to deploying your first device. To resolve the advisory, see [Maintain the Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md).

                  | ## Azure Active Directory settings diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index 5ff4c62390..8d449d67e8 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,7 +1,7 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 09/16/2022 +ms.date: 02/17/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +ms.reviewer: hathind --- # Prerequisites 
@@ -44,12 +44,15 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b | [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 | | [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 | -The following Windows OS 10 editions, 1809 builds and architecture are supported in Windows Autopatch: +The following Windows OS 10 editions, 1809+ builds and architecture are supported in Windows Autopatch: - Windows 10 (1809+)/11 Pro - Windows 10 (1809+)/11 Enterprise - Windows 10 (1809+)/11 Pro for Workstations +> [!NOTE] +> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions). + ## Configuration Manager co-management requirements Windows Autopatch fully supports co-management. The following co-management requirements apply: diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index 10fa706030..fed0830f19 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md 
@@ -1,7 +1,7 @@ --- title: Changes made at tenant enrollment description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch -ms.date: 12/01/2022 +ms.date: 01/24/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: reference @@ -9,12 +9,12 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +ms.reviewer: hathind --- # Changes made at tenant enrollment -The following configuration details are provided as information to help you understand the changes made to your tenant when enrolling into the Windows Autopatch service. +The following configuration details explain the changes made to your tenant when enrolling into the Windows Autopatch service. > [!IMPORTANT] > The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. @@ -27,17 +27,19 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr | Enterprise application name | Usage | Permissions | | ----- | ------ | ----- | -| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. |
                  • DeviceManagementApps.ReadWrite.All
                  • DeviceManagementConfiguration.ReadWrite.All
                  • DeviceManagementManagedDevices.PriviligedOperation.All
                  • DeviceManagementManagedDevices.ReadWrite.All
                  • DeviceManagementRBAC.ReadWrite.All
                  • DeviceManagementServiceConfig.ReadWrite.All
                  • Directory.Read.All
                  • Group.Create
                  • Policy.Read.All
                  • WindowsUpdates.Read.Write.All
                  | +| Modern Workplace Management | The Modern Workplace Management application:
                  • Manages the service
                  • Publishes baseline configuration updates
                  • Maintains overall service health
                  |
                  • DeviceManagementApps.ReadWrite.All
                  • DeviceManagementConfiguration.ReadWrite.All
                  • DeviceManagementManagedDevices.PriviligedOperation.All
                  • DeviceManagementManagedDevices.ReadWrite.All
                  • DeviceManagementRBAC.ReadWrite.All
                  • DeviceManagementServiceConfig.ReadWrite.All
                  • Directory.Read.All
                  • Group.Create
                  • Policy.Read.All
                  • WindowsUpdates.ReadWrite.All
                  | ### Service principal -Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is: +Windows Autopatch will create a service principal in your tenant to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is: - Modern Workplace Customer APIs ## Azure Active Directory groups -Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices and management of the service by our [first party enterprise applications](#windows-autopatch-enterprise-applications). +Windows Autopatch will create the required Azure Active Directory groups to operate the service. + +The following groups target Windows Autopatch configurations to devices and management of the service by our [first party enterprise applications](#windows-autopatch-enterprise-applications). | Group name | Description | | ----- | ----- | 
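Review bot: The rewritten Modern Workplace Management row still lists `DeviceManagementManagedDevices.PriviligedOperation.All`, while the same row corrects `WindowsUpdates.Read.Write.All` to `WindowsUpdates.ReadWrite.All`; the Microsoft Graph permission is spelled `DeviceManagementManagedDevices.PrivilegedOperations.All`, so an admin auditing the enterprise application's consented permissions against this table will not find a match for the misspelled name. The new description also drops the old row's statement that this is a first-party application with elevated privileges, which is the one sentence that tells a reader why this permission list warrants scrutiny during enrollment review; consider keeping a short form of it, e.g. `| Modern Workplace Management | This first-party enterprise application has elevated privileges. The application:`. Both points concern the same table row within this hunk.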
@@ -56,13 +58,11 @@ Windows Autopatch will create Azure Active Directory groups that are required to - Windows Autopatch - Set MDM to Win Over GPO - Windows Autopatch - Data Collection -- Windows Autopatch-Window Update Detection Frequency | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  | [MDM Wins Over GP](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) | The MDM policy is used and the GP policy is blocked | -| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  |
                  1. [Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinchangenotification)
                  2. [Configure Telemetry Opt In Settings Ux](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux)
                  3. [Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
                  4. [Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
                  5. [Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
                  6. [Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
                  |
                  1. Enable telemetry change notifications
                  2. Enable Telemetry opt-in Settings
                  3. Full
                  4. Enabled
                  5. Enabled
                  6. Enabled
                  | -| Windows Autopatch - Windows Update Detection Frequency | Sets Windows update detection frequency

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  | [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 | +| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  | [MDM Wins Over GP](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) |
                  • MDM policy is used
                  • GP policy is blocked
                  | +| Windows Autopatch - Data Collection | Windows Autopatch and Telemetry settings processes diagnostic data from the Windows device.

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  |
                  1. [Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinchangenotification)
                  2. [Configure Telemetry Opt In Settings UX](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux)
                  3. [Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
                  4. [Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
                  5. [Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
                  6. [Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
                  |
                  1. Enable telemetry change notifications
                  2. Enable Telemetry opt-in Settings
                  3. Full
                  4. Enabled
                  5. Enabled
                  6. Enabled
                  | ## Deployment rings for Windows 10 and later @@ -78,21 +78,21 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast Ring

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Fast
                  |
                  • QualityUpdatesDeferralPeriodInDays
                  • FeatureUpdatesDeferralPeriodInDays
                  • FeatureUpdatesRollbackWindowInDays
                  • BusinessReadyUpdatesOnly
                  • AutomaticUpdateMode
                  • InstallTime
                  • DeadlineForFeatureUpdatesInDays
                  • DeadlineForQualityUpdatesInDays
                  • DeadlineGracePeriodInDays
                  • PostponeRebootUntilAfterDeadline
                  • DriversExcluded
                  |
                  • 6
                  • 0
                  • 30
                  • All
                  • WindowsDefault
                  • 3
                  • 5
                  • 2
                  • 2
                  • False
                  • False
                  • | | Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad Ring

                    Assigned to:

                    • Modern Workplace Devices-Windows Autopatch-Broad
                    |
                    • QualityUpdatesDeferralPeriodInDays
                    • FeatureUpdatesDeferralPeriodInDays
                    • FeatureUpdatesRollbackWindowInDays
                    • BusinessReadyUpdatesOnly
                    • AutomaticUpdateMode
                    • InstallTime
                    • DeadlineForFeatureUpdatesInDays
                    • DeadlineForQualityUpdatesInDays
                    • DeadlineGracePeriodInDays
                    • PostponeRebootUntilAfterDeadline
                    • DriversExcluded
                    |
                    • 9
                    • 0
                    • 30
                    • All
                    • WindowsDefault
                    • 3
                    • 5
                    • 5
                    • 2
                    • False
                    • False
                    • | -## Feature update policies +## Windows feature update policies -- Modern Workplace DSS Policy [Test] -- Modern Workplace DSS Policy [First] -- Modern Workplace DSS Policy [Fast] -- Modern Workplace DSS Policy [Broad] +- Windows Autopatch - DSS Policy [Test] +- Windows Autopatch - DSS Policy [First] +- Windows Autopatch - DSS Policy [Fast] +- Windows Autopatch - DSS Policy [Broad] - Modern Workplace DSS Policy [Windows 11] | Policy name | Policy description | Value | | ----- | ----- | ----- | -| Modern Workplace DSS Policy [Test] | DSS policy for Test device group | Assigned to:
                      • Modern Workplace Devices-Windows Autopatch-Test

                      Exclude from:
                      • Modern Workplace - Windows 11 Pre-Release Test Devices
                      | -| Modern Workplace DSS Policy [First] | DSS policy for First device group | Assigned to:
                      • Modern Workplace Devices-Windows Autopatch-First
                      • Modern Workplace - Windows 11 Pre-Release Test Devices
                      • | -| Modern Workplace DSS Policy [Fast] | DSS policy for Fast device group | Assigned to:
                        • Modern Workplace Devices-Windows Autopatch-Fast

                        Exclude from:
                        • Modern Workplace - Windows 11 Pre-Release Test Devices
                        | -| Modern Workplace DSS Policy [Broad] | DSS policy for Broad device group | Assigned to:
                        • Modern Workplace Devices-Windows Autopatch-Broad

                        Exclude from:
                        • Modern Workplace - Windows 11 Pre-Release Test Devices
                        | -| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:
                        • Modern Workplace - Windows 11 Pre-Release Test Devices
                        | +| Windows Autopatch - DSS Policy [Test] | DSS policy for Test device group | Assigned to:
                        • Modern Workplace Devices-Windows Autopatch-Test

                        Exclude from:
                        • Modern Workplace - Windows 11 Pre-Release Test Devices
                        | +| Windows Autopatch - DSS Policy [First] | DSS policy for First device group | Assigned to:
                        • Modern Workplace Devices-Windows Autopatch-First
                        • Modern Workplace - Windows 11 Pre-Release Test Devices
                        • | +| Windows Autopatch - DSS Policy [Fast] | DSS policy for Fast device group | Assigned to:
                          • Modern Workplace Devices-Windows Autopatch-Fast

                          Exclude from:
                          • Modern Workplace - Windows 11 Pre-Release Test Devices
                          | +| Windows Autopatch - Policy [Broad] | DSS policy for Broad device group | Assigned to:
                          • Modern Workplace Devices-Windows Autopatch-Broad

                          Exclude from:
                          • Modern Workplace - Windows 11 Pre-Release Test Devices
                          | +| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:
                          • Modern Workplace - Windows 11 Pre-Release Test Devices
                          | ## Microsoft Office update policies @@ -105,10 +105,10 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | | Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.

                          Assigned to:

                          1. Modern Workplace Devices-Windows Autopatch-Test
                          2. Modern Workplace Devices-Windows Autopatch-First
                          3. Modern Workplace Devices-Windows Autopatch-Fast
                          4. Modern Workplace Devices-Windows Autopatch-Broad
                          |
                          1. Enable Automatic Updates
                          2. Hide option to enable or disable updates
                          3. Update Channel
                          4. Channel Name (Device)
                          5. Hide Update Notifications
                          6. Update Path
                          |
                          1. Enabled
                          2. Enabled
                          3. Enabled
                          4. Monthly Enterprise Channel
                          5. Disabled
                          6. Enabled
                          | -| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

                          Assigned to:

                          1. Modern Workplace Devices-Windows Autopatch-Test
                          |
                          1. Delay downloading and installing updates for Office
                          2. Update Deadline
                          |
                          1. Enabled;Days(Device) == 0 days
                          2. Enabled;Update Deadline(Device) == 7 days
                          | -| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

                          Assigned to:

                          1. Modern Workplace Devices-Windows Autopatch-First
                          |
                          1. Delay downloading and installing updates for Office
                          2. Update Deadline
                          |
                          1. Enabled;Days(Device) == 0 days
                          2. Enabled;Update Deadline(Device) == 7 days
                          | -| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

                          Assigned to:

                          1. Modern Workplace Devices-Windows Autopatch-Fast
                          |
                          1. Delay downloading and installing updates for Office
                          2. Update Deadline
                          |
                          1. Enabled;Days(Device) == 3 days
                          2. Enabled;Update Deadline(Device) == 7 days
                          | -| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
                          Assigned to:
                          1. Modern Workplace Devices-Windows Autopatch-Broad
                          2. |
                            1. Delay downloading and installing updates for Office
                            2. Update Deadline
                            |
                            1. Enabled;Days(Device) == 7 days
                            2. Enabled;Update Deadline(Device) == 7 days
                            | +| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

                            Assigned to:

                            1. Modern Workplace Devices-Windows Autopatch-Test
                            |
                            1. Delay downloading and installing updates for Office
                            2. Update Deadline
                            |
                            1. Enabled; `Days(Device) == 0 days`
                            2. Enabled; `Update Deadline(Device) == 7 days`
                            | +| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

                            Assigned to:

                            1. Modern Workplace Devices-Windows Autopatch-First
                            |
                            1. Delay downloading and installing updates for Office
                            2. Update Deadline
                            |
                            1. Enabled; `Days(Device) == 0 days`
                            2. Enabled; `Update Deadline(Device) == 7 days`
                            | +| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

                            Assigned to:

                            1. Modern Workplace Devices-Windows Autopatch-Fast
                            |
                            1. Delay downloading and installing updates for Office
                            2. Update Deadline
                            |
                            1. Enabled; `Days(Device) == 3 days`
                            2. Enabled; `Update Deadline(Device) == 7 days`
                            | +| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
                            Assigned to:
                            1. Modern Workplace Devices-Windows Autopatch-Broad
                            2. |
                              1. Delay downloading and installing updates for Office
                              2. Update Deadline
                              |
                              1. Enabled; `Days(Device) == 7 days`
                              2. Enabled; `Update Deadline(Device) == 7 days`
                              | ## Microsoft Edge update policies diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md index 85965b7535..47d7aa1795 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +ms.reviewer: hathind --- # Microsoft 365 Apps for enterprise update policies diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md index 60f5f47988..869de01cce 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md @@ -1,7 +1,7 @@ --- title: Privacy -description: This article provides details about the data platform and privacy compliance for Autopatch -ms.date: 11/08/2022 +description: This article provides details about the data platform and privacy compliance for Autopatch +ms.date: 02/02/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: reference @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +ms.reviewer: hathind --- # Privacy 
@@ -25,7 +25,7 @@ The sources include Azure Active Directory (Azure AD), Microsoft Intune, and Mic | Data source | Purpose | | ------ | ------ | | [Microsoft Windows 10/11 Enterprise](/windows/windows-10/) | Management of device setup experience, managing connections to other services, and operational support for IT pros. | -| [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) | Uses Windows 10 Enterprise diagnostic data to provide additional information on Windows 10/11 update. | +| [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) | Uses Windows 10/11 Enterprise diagnostic data to provide additional information on Windows 10/11 update. | | [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) | Device management and to keep your data secure. The following endpoint management data sources are used:
                              • [Microsoft Azure Active Directory](/azure/active-directory/): Authentication and identification of all user accounts.
                              • [Microsoft Intune](/mem/intune/): Distributing device configurations, device management and application management.
                              | [Windows Autopatch](https://go.microsoft.com/fwlink/?linkid=2109431) | Data provided by the customer or generated by the service during running of the service. | | [Microsoft 365 Apps for enterprise](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans)| Management of Microsoft 365 Apps. | 
@@ -53,13 +53,18 @@ Windows Autopatch Service Engineering Team is in the United States, India and Ro Windows Autopatch uses [Windows 10/11 Enhanced diagnostic data](/windows/privacy/windows-diagnostic-data) to keep Windows secure, up to date, fix problems, and make product improvements. -The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Windows Autopatch and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) about the Windows 10 diagnostic data setting and data collection. +The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Windows Autopatch and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) about the Windows 10/11 diagnostic data setting and data collection. The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. The diagnostic level will change to **Optional**, but Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection). -Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. 
Windows Autopatch doesn't process and store customers' data such as chat and browser history, voice, text, or speech data. +Windows Autopatch only processes and stores system-level data from Windows 10/11 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' data such as chat and browser history, voice, text, or speech data. -For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement. +For more information about the diagnostic data collection of Microsoft Windows 10/11, see the [Where we store and process data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement. + +For more information about how Windows diagnostic data is used, see: + +- [Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration) +- [Features that require Windows diagnostic data](/mem/intune/protect/data-enable-windows-data) ## Tenant access diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md similarity index 91% rename from windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md rename to windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md index 09842260a5..4047120921 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md 
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: adnich
+ms.reviewer: adnich
 ---
 # Windows update policies
@@ -26,10 +26,10 @@ The following policies contain settings which apply to both Windows quality and
 | ----- | ----- | ----- | ----- | ----- |
 | Microsoft product updates | Allow | Allow | Allow | Allow |
 | Windows drivers | Allow | Allow | Allow | Allow |
-| Quality update deferral period | 0 | 1 | 6 | 9 |
-| Feature update deferral period | 0 | 0 | 0 | 0 |
+| Windows quality update deferral period | 0 | 1 | 6 | 9 |
+| Windows feature update deferral period | 0 | 0 | 0 | 0 |
 | Upgrade Windows 10 to latest Windows 11 release | No | No | No | No |
-| Set feature update uninstall period | 30 days | 30 days | 30 days | 30 days |
+| Set Windows feature update uninstall period | 30 days | 30 days | 30 days | 30 days |
 | Servicing channel | General availability | General availability | General availability | General availability |
 ### Windows 10 and later user experience settings
@@ -41,8 +41,8 @@ The following policies contain settings which apply to both Windows quality and
 | Option to pause updates | Disable | Disable | Disable | Disable |
 | Option to check for Windows updates | Default | Default | Default | Default |
 | Change notification update level | Default | Default | Default | Default |
-| Deadline for feature updates | 5 | 5 | 5 | 5 |
-| Deadline for quality updates | 0 | 2 | 2 | 5 |
+| Deadline for Windows feature updates | 5 | 5 | 5 | 5 |
+| Deadline for Windows quality updates | 0 | 2 | 2 | 5 |
 | Grace period | 0 | 2 | 2 | 2 |
 | Auto-restart before deadline | Yes | Yes | Yes | Yes |
@@ -53,24 +53,24 @@ The following policies contain settings which apply to both Windows quality and | Included groups | Modern Workplace Devices–Windows Autopatch-Test | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad | | Excluded groups | None | None | None | None | -## Feature update policies +## Windows feature update policies -The service deploys policies using Microsoft Intune to control how feature updates are deployed to devices. +The service deploys policies using Microsoft Intune to control how Windows feature updates are deployed to devices. -### Feature updates for Windows 10 and later +### Windows feature updates for Windows 10 and later These policies control the minimum target version of Windows which a device is meant to accept. Throughout the rest of the article, you will see these policies referred to as DSS policies. After onboarding there will be four of these policies in your tenant with the following naming convention: **Modern Workplace DSS Policy [ring name]** -#### Feature update deployment settings +#### Windows feature update deployment settings | Setting name | Test | First | Fast | Broad | | ----- | ----- | ----- | ----- | ----- | | Name | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | | Rollout options | Immediate start | Immediate start | Immediate start | Immediate start | -#### Feature update policy assignments +#### Windows feature update policy assignments | Setting name | Test | First | Fast | Broad | | ----- | ----- | ----- | ----- | ----- | diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md index 5e36572e92..93303c80c3 100644 
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 # What's new 2022
@@ -24,12 +24,12 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
 | Article | Description |
 | ----- | ----- |
-| [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) | Added information about:
                              • Turning off service-driven expedited quality update releases
                                • [MC482178](https://admin.microsoft.com/adminportal/home#/MessageCenter)
                              • Viewing deployed out of band releases
                                • [MC484915](https://admin.microsoft.com/adminportal/home#/MessageCenter)
                              | +| [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) | Added information about:
                              • Turning off service-driven expedited quality update releases
                                • [MC482178](https://admin.microsoft.com/adminportal/home#/MessageCenter)
                              • Viewing deployed out of band releases
                                • [MC484915](https://admin.microsoft.com/adminportal/home#/MessageCenter)
                              | | [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md) | Added Roles and responsibilities article | | [Prerequisites](../prepare/windows-autopatch-prerequisites.md) | Added more licenses to the More about licenses section
                              • [MC452168](https://admin.microsoft.com/adminportal/home#/MessageCenter) |
-| [Unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md) | Updated to include other policy managers in the Group policy section |
+| [Unsupported policies](../references/windows-autopatch-windows-update-unsupported-policies.md) | Updated to include other policy managers in the Group policy section |
 | [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated the Device configuration, Microsoft Office and Edge policies |
-| [Windows quality update reports](../operate/windows-autopatch-wqu-reports-overview.md) | Added Windows quality update reports |
+| [Windows quality update reports](../operate/windows-autopatch-windows-quality-update-reports-overview.md) | Added Windows quality update reports |
 ### December service release
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index bb56fa10e7..6cea21afbf 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
 ---
 title: What's new 2023
 description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 01/09/2023
+ms.date: 03/03/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: whats-new
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+ms.reviewer: hathind
 ---
 # What's new 2023
@@ -18,17 +18,42 @@ This article lists new and updated feature releases, and service releases, with Minor corrections such as typos, style, or formatting issues aren't listed. +## February 2023 + +### February feature releases or updates + +| Article | Description | +| ----- | ----- | +| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Added [Allow or block Microsoft 365 App updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates) section | +| [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md#) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-feature-update-overview.md#enforcing-a-minimum-windows-os-version) | +| [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-quality-update-overview.md#device-eligibility) | +| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) | +| [Prerequisites](../prepare/windows-autopatch-prerequisites.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) | +| [Privacy](../references/windows-autopatch-privacy.md) | Added additional resources to the [Microsoft Windows 10/11 diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data) section | +| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] | +| [Register your 
devices](../deploy/windows-autopatch-register-devices.md) |
                                • Updated the [Built-in roles required for registration](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration) section
                                • Added more information about assigning less-privileged user accounts
                                | + +### February service release + +| Message center post number | Description | +| ----- | ----- | +| [MC521882](https://admin.microsoft.com/adminportal/home#/MessageCenter) | February 2023 Windows Autopatch baseline configuration update | +| [MC517330](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Ability to opt out of Microsoft 365 App updates | +| [MC517327](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned service maintenance downtime for European Union (EU) Windows Autopatch customers enrolled before November 8, 2022 | + ## January 2023 ### January feature releases or updates | Article | Description | | ----- | ----- | -| [Submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment. | +| [Windows feature update](../operate/windows-autopatch-windows-feature-update-overview.md) | Updated Windows feature update information | +| [Submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment | | [Submit a support request](../operate/windows-autopatch-support-request.md) | Added Premier and Unified support options section | ### January service release | Message center post number | Description | | ----- | ----- | +| [MC500889](https://admin.microsoft.com/adminportal/home#/MessageCenter) | January 2023 Windows Autopatch baseline configuration update | | [MC494386](https://admin.microsoft.com/adminportal/home#/MessageCenter) | January 2023 (2023.01 B) Windows quality update deployment | 
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 7e8bbc7ba7..4ca53207b6 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -7,8 +7,7 @@ ms.technology: itpro-deploy ms.localizationpriority: medium author: frankroj ms.author: frankroj -ms.collection: - - highpri +ms.collection: highpri, tier2 ms.topic: tutorial ms.date: 10/28/2022 --- @@ -400,7 +399,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B ### Autopilot registration using Intune -1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**. +1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**. ![Intune device import.](images/enroll1.png) @@ -456,7 +455,7 @@ Pick one: The Autopilot deployment profile wizard asks for a device group, so you must create one first. To create a device group: -1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**. +1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**. 2. In the **Group** pane: 1. For **Group type**, choose **Security**. 
@@ -605,7 +604,7 @@ To use the device (or VM) for other purposes after completion of this lab, you n ### Delete (deregister) Autopilot device -You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), then go to **Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu. +You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), then go to **Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu. > [!div class="mx-imgBorder"] > ![Delete device step 1.](images/delete-device1.png) diff --git a/windows/deployment/windows-autopilot/index.yml b/windows/deployment/windows-autopilot/index.yml index 567e5d62a8..82cba08343 100644 --- a/windows/deployment/windows-autopilot/index.yml +++ b/windows/deployment/windows-autopilot/index.yml @@ -9,8 +9,7 @@ metadata: ms.topic: landing-page ms.prod: windows-client ms.technology: itpro-deploy - ms.collection: - - highpri + ms.collection: highpri, tier1 author: frankroj ms.author: frankroj manager: aaroncz diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index f1b885b970..c1b07ce9d8 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier1" + ], "audience": "ITPro", "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", diff --git a/windows/hub/index.yml b/windows/hub/index.yml index aa9a8e5a92..34186301e4 100644 --- a/windows/hub/index.yml 
+++ b/windows/hub/index.yml @@ -233,9 +233,9 @@ additionalContent: url: /mem/endpoint-manager-overview - text: What is Microsoft Intune? url: /mem/intune/fundamentals/what-is-intune - - text: Microsoft Endpoint Manager simplifies upgrades to Windows 11 + - text: Microsoft Intune services simplify upgrades to Windows 11 url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/endpoint-manager-simplifies-upgrades-to-windows-11/ba-p/2771886 - - text: Understanding readiness for Windows 11 with Microsoft Endpoint Manager + - text: Understanding readiness for Windows 11 with Microsoft Intune services url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/understanding-readiness-for-windows-11-with-microsoft-endpoint/ba-p/2770866 - text: Microsoft endpoint management blog url: https://aka.ms/memblog diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index c7c58e1c97..0e92139786 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 12/13/2018 ms.topic: how-to --- @@ -179,4 +180,4 @@ When resetting the size of your data history to a lower value, be sure to turn o ## Related Links - [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer) -- [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer/?) \ No newline at end of file +- [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer/?) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index ad82dd742d..d94dfccb33 100644 
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -7,6 +7,7 @@ localizationpriority: medium author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 03/27/2017 ms.topic: reference --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 08d84ce2f3..e5c6bbb3a2 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -7,6 +7,7 @@ localizationpriority: medium author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 03/27/2017 ms.topic: reference --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 82c0da11c8..dc1df5efdf 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -7,6 +7,7 @@ localizationpriority: medium author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 03/27/2017 ms.topic: reference --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index f49ab2e417..b0975595c9 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -7,6 +7,7 @@ localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 03/27/2017 ms.topic: reference --- 
@@ -2163,7 +2164,7 @@ The following fields are available: - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID - **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment. -- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier 
@@ -5029,12 +5030,27 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic This event sends details collected for a specific application on the source device. The data collected with this event is used to keep Windows performing properly. +The following fields are available: - -### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync - -This event indicates the beginning of a series of AppHealthStaticAdd events. The data collected with this event is used to keep Windows performing properly. - +- **AhaVersion** The binary version of the App Health Analyzer tool. +- **ApplicationErrors** The count of application errors from the event log. +- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). +- **device_level** Various JRE/JAVA versions installed on a particular device. +- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. +- **Jar** Flag to determine if an app has a Java JAR file dependency. +- **Jre** Flag to determine if an app has JRE framework dependency. +- **Jre_version** JRE versions an app has declared framework dependency for. +- **Name** Name of the application. +- **NonDPIAware** Flag to determine if an app is non-DPI aware. +- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. +- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. +- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. +- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. +- **VB6** Flag to determine if an app is based on VB6 framework. +- **VB6v2** Additional flag to determine if an app is based on VB6 framework. +- **Version** Version of the application. +- **VersionCheck** Flag to determine if an app has a static dependency on OS version. 
+- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 0511791230..c1efb0d547 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -7,6 +7,7 @@ localizationpriority: medium author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 03/27/2017 ms.topic: reference --- diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 3c972e9333..01ea346024 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 06/04/2020 ms.topic: conceptual --- diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 669941fd55..247eab8256 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 03/11/2016 ms.collection: highpri ms.topic: conceptual --- diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index 122f0717a3..ea7edc20e5 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md 
@@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 01/09/2018 ms.collection: highpri ms.topic: how-to --- @@ -172,4 +173,4 @@ The **Review problem reports** tool opens, showing you your Windows Error Report - Restart the *DiagTrack* service, through the Services tab in task manager, and open Diagnostic Data Viewer. -**Background:** Some of the diagnostic data collected from the new Microsoft Edge is sent using a Protocol Buffers (protobuf) to reduce network bandwidth and to improve data transfer efficiency. Diagnostic Data Viewer has a decoding capability to translate this protobuf format into human readable text. Due to a bug, sometimes the decoder fails to translate these protobuf messages and hence some of the New Microsoft Edge diagnostic data will appear as a blob of encoded text. \ No newline at end of file +**Background:** Some of the diagnostic data collected from the new Microsoft Edge is sent using a Protocol Buffers (protobuf) to reduce network bandwidth and to improve data transfer efficiency. Diagnostic Data Viewer has a decoding capability to translate this protobuf format into human readable text. Due to a bug, sometimes the decoder fails to translate these protobuf messages and hence some of the New Microsoft Edge diagnostic data will appear as a blob of encoded text. diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md index 01d4412ac3..4810a1dd57 100644 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 10/12/2017 ms.topic: reference --- 
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index f111d92f7a..fb53b23a7e 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 06/28/2021 ms.collection: highpri ms.topic: reference --- diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index d3e9576785..5494398cf6 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 05/15/2019 ms.topic: conceptual --- diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index f1c14f475f..f83a2778dc 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 03/07/2016 ms.collection: highpri ms.topic: conceptual --- diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index 9de85e40cf..37ab742b30 100644 --- a/windows/privacy/manage-windows-11-endpoints.md 
+++ b/windows/privacy/manage-windows-11-endpoints.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 01/18/2018 ms.topic: reference --- diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index 0bd15bbb50..4f20129c27 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 01/18/2018 ms.topic: reference --- @@ -495,4 +496,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links - [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) -- [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file +- [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index 20e9fec7fb..d83acf0faf 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 01/18/2018 ms.topic: reference --- # Manage connection endpoints for Windows 10 Enterprise, version 1903 diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md index bfbd385697..71a9674bfc 100644 --- a/windows/privacy/manage-windows-1909-endpoints.md +++ b/windows/privacy/manage-windows-1909-endpoints.md 
@@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 01/18/2018 ms.topic: reference --- # Manage connection endpoints for Windows 10 Enterprise, version 1909 diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index a95f038a8d..9e492fa5e4 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 01/18/2018 ms.topic: reference --- # Manage connection endpoints for Windows 10 Enterprise, version 2004 diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index c292c6f1ed..dbce1a6460 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 01/18/2018 ms.topic: reference --- diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index 0e47b473b6..9292ba3890 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 01/18/2018 ms.topic: reference --- diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md index 49eb5a3b58..423e60aac0 100644 --- a/windows/privacy/manage-windows-21h2-endpoints.md +++ b/windows/privacy/manage-windows-21h2-endpoints.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 01/18/2018 ms.topic: reference --- 
diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md index 1665c4605a..76b11fdfd5 100644 --- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md +++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md @@ -8,6 +8,7 @@ localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 08/26/2022 ms.topic: reference --- @@ -35,10 +36,6 @@ You can learn more about Windows functional and diagnostic data through these ar - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - - - - ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount @@ -1286,7 +1283,6 @@ The following fields are available: - **objectInstanceId** Object identity which is unique within the device scope. - **objectType** Indicates the object type that the event applies to. - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. - ## Component-based servicing events 
@@ -1714,6 +1710,18 @@ The following fields are available: ## Holographic events +### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicSpaceCreated + +This event indicates the state of Windows holographic scene. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **IsForCompositor** True/False to indicate whether the holographic space is for compositor process. +- **Source** An enumeration indicating the source of the log. +- **WindowInstanceId** Unique value for each window instance. + + ### Microsoft.Windows.Shell.HolographicFirstRun.AppActivated This event indicates Windows Mixed Reality Portal app activation state. This event also used to count WMR device. The data collected with this event is used to keep Windows performing properly. 
@@ -2195,6 +2203,33 @@ The following fields are available: - **resultCode** HR result of the cancellation. +## Other events + +### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered + +This event sends data indicating the start of augmented reality application experience. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **SessionID** Unique value for each attempt. +- **TargetAsId** The sequence number for the process. +- **windowInstanceId** Unique value for each window instance. + + +### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Leave + +This event sends data indicating the end of augmented reality application experience. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **EventHistory** Unique number of event history. +- **ExternalComponentState** State of external component. +- **LastEvent** Unique number of last event. +- **SessionID** Unique value for each attempt. +- **TargetAsId** The sequence number for the process. +- **windowInstanceId** Unique value for each window instance. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted 
@@ -2404,6 +2439,22 @@ The following fields are available: ## Update events +### Update360Telemetry.FellBackToDownloadingAllPackageFiles + +This event indicates whether a failure occurred during Missing File List generation and is applicable to Quality Update downloads. + +The following fields are available: + +- **ErrorCode** Error code returned during Missing File List generation. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique ID for each flight. +- **Package** Name of the package for which Missing File List generation failed and we fell back to downloading all package files. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). +- **UpdateId** Unique ID for each Update. + + ### Update360Telemetry.UpdateAgentDownloadRequest This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -3322,6 +3373,29 @@ The following fields are available: This event is derived event results for the LaunchPageDuration scenario. + +### Microsoft.Windows.Update.WUClient.DownloadPaused + +This event is fired when the Download stage is paused. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **CallerName** Name of application making the Windows Update request. Used to identify context of request. +- **ClassificationId** Classification identifier of the update content. +- **DownloadPriority** Indicates the priority of the download activity. +- **EventType** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc. +- **FlightId** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **HandlerInfo** Blob of Handler related information. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **Props** Commit Props {MergedUpdate} +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc). +- **UpdateId** Identifier associated with the specific piece of content. +- **UusVersion** The version of the Update Undocked Stack. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. 
@@ -3374,4 +3448,4 @@ The following fields are available: - **ScenarioSupported** Whether the updated scenario that was passed in was supported. - **SessionId** The UpdateAgent “SessionId” value. - **UpdateId** Unique identifier for the Update. -- **WuId** Unique identifier for the Windows Update client. +- **WuId** Unique identifier for the Windows Update client. \ No newline at end of file diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index 3deb6ead41..2c8573d89d 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -7,6 +7,7 @@ localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 05/28/2020 ms.collection: highpri ms.topic: reference --- @@ -1915,7 +1916,11 @@ Fires at the beginning and end of the HVCI auto-enablement process in sysprep. The following fields are available: -- **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure. +- **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure. + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciAlreadyEnabled + +Fires when HVCI is already enabled so no need to continue auto-enablement. ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed @@ -2159,6 +2164,7 @@ The following fields are available: - **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. - **xid** A list of base10-encoded XBOX User IDs. + ## Common data fields ### Ms.Device.DeviceInventoryChange 
@@ -2173,6 +2179,7 @@ The following fields are available: - **objectType** Indicates the object type that the event applies to. - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + ## Component-based servicing events ### CbsServicingProvider.CbsCapabilityEnumeration @@ -3031,6 +3038,18 @@ The following fields are available: - **Version** The version number of the program. +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents what drivers an application installs. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component +- **ProgramIds** The unique program identifier the driver is associated with + + ### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. The data collected with this event is used to keep Windows performing properly. @@ -3419,12 +3438,6 @@ This event sends details collected for a specific application on the source devi -### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync - -This event indicates the beginning of a series of AppHealthStaticAdd events. The data collected with this event is used to keep Windows performing properly. - - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd This event provides basic information about active memory slots on the device. 
@@ -3757,6 +3770,17 @@ The following fields are available: ## Migration events +### Microsoft.Windows.MigrationCore.MigObjectCountDLSys + +This event is used to indicate object count for system paths during different phases of Windows feature update. + +The following fields are available: + +- **migDiagSession->CString** Indicates the phase of the update. +- **objectCount** Number of files being tracked for the corresponding phase of the update. +- **sfInfo.Name** This indicates well know folder location path (Ex: PUBLIC_downloads etc.) + + ### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios. 
@@ -6142,6 +6166,26 @@ The following fields are available: - **updateId** Unique identifier for each update. +### Microsoft.Windows.Update.NotificationUx.RebootScheduled + +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows secure and up-to-date by indicating when a reboot is scheduled by the system or a user for a security, quality, or feature update. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. +- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. +- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). +- **rebootState** The current state of the restart. +- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler. +- **revisionNumber** Revision number of the update that is getting installed with this restart. +- **scheduledRebootTime** Time of the scheduled restart. +- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. +- **updateId** ID of the update that is getting installed with this restart. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.Client.BizCriticalStoreAppInstallResult This event returns the result after installing a business critical store application. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -6230,7 +6274,6 @@ The following fields are available: - **uptimeMinutes** Duration USO for up for in the current boot session. - **wilActivity** Wil Activity related information. - ### Microsoft.Windows.Update.WUClientExt.UUSLoadModuleFailed This is the UUSLoadModule failed event and is used to track the failure of loading an undocked component. The data collected with this event is used to help keep Windows up to date and secure. 
@@ -6344,6 +6387,27 @@ The following fields are available: - **WuId** Unique ID for the Windows Update client. +### Mitigation360Telemetry.MitigationCustom.CryptcatsvcRebuild + +This event sends data specific to the CryptcatsvcRebuild mitigation used for OS Updates. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightId** The unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationNeeded** Information on whether the mitigation was needed. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **ServiceDisabled** Information on whether the service was disabled. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Update. +- **WuId** Unique ID for the Windows Update client. + + ### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -6467,7 +6531,7 @@ The following fields are available:
 - **TargetUserFreeSpace** The target user free space that was passed into the reserve manager to determine reserve sizing post upgrade.
 - **UpdateScratchFinalUsedSpace** The used space in the scratch reserve.
 - **UpdateScratchInitialUsedSpace** The utilization of the scratch reserve after initialization.
-- **UpdateScratchReserveFinalSize** The utilization of the scratch reserve after initialization.
+- **UpdateScratchReserveFinalSize** The final size of the scratch reserve.
 - **UpdateScratchReserveInitialSize** The size of the scratch reserve after initialization.
@@ -6510,8 +6574,6 @@ The following fields are available:
 This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. The data collected with this event is used to help keep Windows secure and up to date.
-
-
 ### Microsoft.Windows.UpdateReserveManager.TurnOffReserves
 This event is sent when the Update Reserve Manager turns off reserve functionality for certain operations. The data collected with this event is used to help keep Windows secure and up to date.
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index 1fba0d455b..a001e395da 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -7,6 +7,7 @@ localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 05/28/2020
 ms.collection: highpri
 ms.topic: reference
 ---
@@ -1226,8 +1227,8 @@ The following fields are available:
 - **CpuStepping** Cpu stepping.
 - **CpuVendor** Cpu vendor.
 - **PlatformId** CPU platform identifier.
-- **ProcessorName** OEM processor name.
-- **ProductName** OEM product name.
+- **ProcessorName** The name of the processor.
+- **ProductName** The name of the product.
 - **SysReqOverride** Appraiser decision about system requirements override.
@@ -2473,6 +2474,7 @@ The following fields are available:
 - **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure.
+
 ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed
 Fires when driver scanning fails to get results.
@@ -3112,6 +3114,290 @@ The following fields are available:
 ## Direct to update events
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure
+
+This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** ID of the campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run
+- **ClientID** Client ID being run
+- **CoordinatorVersion** Coordinator version of DTU
+- **CV** Correlation vector
+- **hResult** HRESULT of the failure
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess
+
+This event indicates that the Coordinator Cleanup call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run
+- **ClientID** Client ID being run
+- **CoordinatorVersion** Coordinator version of DTU
+- **CV** Correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess
+
+This event indicates that the Coordinator Commit call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess
+
+This event indicates that the Coordinator Download call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess
+
+This event indicates that the Coordinator Initialize call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure
+
+This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack
+
+This event indicates that the Coordinator's progress callback has been called. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **DeployPhase** Current Deploy Phase.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator WaitForRebootUi call.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess
+
+This event indicates that the Coordinator WaitForRebootUi call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run
+- **ClientID** Client ID being run
+- **CoordinatorVersion** Coordinator version of DTU
+- **CV** Correlation vector
+- **CV_new** New correlation vector
+- **hResult** HRESULT of the failure
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess
+
+This event indicates that the Handler CheckApplicability call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ApplicabilityResult** The result code indicating whether the update is applicable.
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **CV_new** New correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckIfCoordinatorMinApplicableVersion call. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run
+- **ClientID** Client ID being run
+- **CoordinatorVersion** Coordinator version of DTU
+- **CV** Correlation vector
+- **hResult** HRESULT of the failure
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess
+
+This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **CV_new** New correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess
+
+This event indicates that the Handler Commit call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.run
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **CV_new** New correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabAlreadyDownloaded
+
+This event indicates that the Handler Download and Extract cab returned a value indicating that the cab has already been downloaded. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run
+- **ClientID** Client ID being run
+- **CoordinatorVersion** Coordinator version of DTU
+- **CV** Correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure
+
+This event indicates that the Handler Download and Extract cab call failed. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed.
+- **hResult** HRESULT of the failure.
+
+
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess
 This event indicates that the Handler Download and Extract cab call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
@@ -3124,6 +3410,193 @@ The following fields are available:
 - **CV** Correlation vector.
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess
+
+This event indicates that the Handler Download call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess
+
+This event indicates that the Handler Initialize call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess
+
+This event indicates that the Coordinator Install call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** The ID of the campaigning being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** The HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess
+
+This event indicates that the Handler WaitForRebootUi call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CampaignID** ID of the campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUNotificationUXEnteringState
+
+This event indicates that DTUNotificationUX has started processing a workflow state. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **CampaignID** The ID of the campaign being run.
+- **ClientID** The ID of the client being run.
+- **CoordinatorVersion** The coordinator version of Direct To Update.
+- **CV** Correlation vector.
+- **State** State of the workflow.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUNotificationUXEvaluationError
+
+This event indicates that Applicability DLL failed on a test. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **CampaignID** The ID of the campaign being run.
+- **ClientID** The ID of the client being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **FailedTest** The enumeration code of the test that failed.
+- **HRESULT** An error (if any) that occurred.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUNotificationUXExitingState
+
+This event indicates that DTUNotificationUX has stopped processing a workflow state. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **CampaignID** The ID of the campaign being run.
+- **ClientID** The ID of the client being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **HRESULT** Error (if any) that occurred.
+- **NextState** Next workflow state we will enter.
+- **State** The state of the workflow.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUNotificationUXFinalAcceptDialogDisplayed
+
+This event indicates that the Final Accept dialog has been shown. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **CampaignID** The ID of the campaign being run.
+- **ClientID** The ID of the client being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **EnterpriseAttribution** If true, the user is told that the enterprise managed the reboot.
+- **HRESULT** Error (if any) that occurred.
+- **UserResponse** The enumeration code indicating the user response to a dialog.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUNotificationUXFirstAcceptDialogDisplayed
+
+This event indicates that the First Accept dialog has been shown. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **CampaignID** The ID of the campaign being run.
+- **ClientID** The ID of the client being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **EnterpriseAttribution** If true, the user is told that the enterprise managed the reboot.
+- **HRESULT** Error (if any) that occurred.
+- **UserResponse** Enumeration code indicating the user response to a dialog.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUNotificationUXLaunch
+
+This event indicates that DTUNotificationUX has launched. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **CampaignID** The ID of the campaign being run.
+- **ClientID** The ID of the client being run.
+- **CommandLine** Command line passed to DTUNotificationUX.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+
+
 ## DISM events
 ### Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU
@@ -3726,6 +4199,35 @@ The following fields are available:
 - **devinv** The file version of the Device inventory component.
+### Microsoft.Windows.Inventory.Core.FileSigningInfoAdd
+
+This event enumerates the signatures of files, either driver packages or application executables. For driver packages, this data is collected on demand via Telecommand to limit it only to unrecognized driver packages, saving time for the client and space on the server. For applications, this data is collected for up to 10 random executables on a system. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **CatalogSigners** Signers from catalog. Each signer starts with Chain.
+- **DigestAlgorithm** The pseudonymizing (hashing) algorithm used when the file or package was signed.
+- **DriverPackageStrongName** Optional. Available only if FileSigningInfo is collected on a driver package.
+- **EmbeddedSigners** Embedded signers. Each signer starts with Chain.
+- **FileName** The file name of the file whose signatures are listed.
+- **FileType** Either exe or sys, depending on if a driver package or application executable.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Thumbprint** Comma separated hash of the leaf node of each signer. Semicolon is used to separate CatalogSigners from EmbeddedSigners. There will always be a trailing comma.
+
+
+### Microsoft.Windows.Inventory.Core.FileSigningInfoStartSync
+
+The FileSigningInfoStartSync event indicates that a new set of FileSigningInfoAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
 ### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatHealthRecordAdd
 This event sends basic metadata about ACPI PHAT Health Record structure on the machine. The data collected with this event is used to help keep Windows up to date.
@@ -4214,12 +4716,6 @@ This event sends details collected for a specific application on the source devi
-### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
-
-This event indicates the beginning of a series of AppHealthStaticAdd events. The data collected with this event is used to keep Windows performing properly.
-
-
-
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd
 This event provides basic information about active memory slots on the device.
@@ -4570,12 +5066,12 @@ The following fields are available:
 - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
 - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
 - **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply.
-- **appPingEventDownloadMetricsCdnAzureRefOriginShield** Provides a unique reference string that identifies a request served by Azure Front Door. It's used to search access logs and is critical for troubleshooting. E.g. Ref A: E172B39D19774147B0EFCC8E3E823D9D Ref B: BL2EDGE0215 Ref C: 2021-05-11T22:25:48Z
-- **appPingEventDownloadMetricsCdnCache** Corresponds to the result, whether the proxy has served the result from cache (HIT for yes, and MISS for no) E.g. HIT from proxy.domain.tld, MISS from proxy.local
+- **appPingEventDownloadMetricsCdnAzureRefOriginShield** Provides a unique reference string that identifies a request served by Azure Front Door. It's used to search access logs and is critical for troubleshooting. For example, Ref A: E172B39D19774147B0EFCC8E3E823D9D Ref B: BL2EDGE0215 Ref C: 2021-05-11T22:25:48Z.
+- **appPingEventDownloadMetricsCdnCache** Corresponds to the result, whether the proxy has served the result from cache (HIT for yes, and MISS for no) For example, HIT from proxy.domain.tld, MISS from proxy.local.
 - **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US.
 - **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2.
-- **appPingEventDownloadMetricsCdnMSEdgeRef** Used to help correlate client-to-AFD (Azure Front Door) conversations. E.g. Ref A: E2476A9592DF426A934098C0C2EAD3AB Ref B: DM2EDGE0307 Ref C: 2022-01-13T22:08:31Z
-- **appPingEventDownloadMetricsCdnP3P** Electronic privacy statement: CAO = collects contact-and-other, PSA = for pseudo-analysis, OUR = data received by us only. Helps identify the existence of transparent intermediaries (proxies) that can create noise in legitimate error detection. E.g. CP=\"CAO PSA OUR\"
+- **appPingEventDownloadMetricsCdnMSEdgeRef** Used to help correlate client-to-AFD (Azure Front Door) conversations. For example, Ref A: E2476A9592DF426A934098C0C2EAD3AB Ref B: DM2EDGE0307 Ref C: 2022-01-13T22:08:31Z.
+- **appPingEventDownloadMetricsCdnP3P** Electronic privacy statement: CAO = collects contact-and-other, PSA = for pseudo-analysis, OUR = data received by us only. Helps identify the existence of transparent intermediaries (proxies) that can create noise in legitimate error detection. For example, CP=\"CAO PSA OUR\".
 - **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
 - **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
 - **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
@@ -6364,7 +6860,7 @@ The following fields are available:
 - **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is managed by Configuration Manager.
 - **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is managed by Configuration Manager.
 - **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is managed by Windows Update for Business.
-- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device ismanaged by Windows Update for Business.
+- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is managed by Windows Update for Business.
 - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is.
 - **UnifiedInstallerPlatformType** The enum indicating the type of platform detected.
 - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU.
@@ -8281,7 +8777,7 @@ The following fields are available:
 - **seekerUpdateIdList** The list of “seeker” update identifiers.
 - **seekerUpdateList** The list of “seeker” updates.
 - **services** The list of services that were called during update.
-- **wilActivity** The activity results.
+- **wilActivity** The activity results.
 ### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
@@ -8736,6 +9232,16 @@ The following fields are available:
 - **ResultId** The final result of the interaction campaign.
+### Microsoft.Windows.WindowsUpdate.RUXIM.ICSDownloadAndExtractCabResult
+
+This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) attempted DownloadAndExtractCab.
+
+The following fields are available:
+
+- **failureReason** The failure reason returned by DownloadAndExtractCab.
+- **hrResult** Error encountered (if any) during download and extract CAB step.
+
+
 ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign
 This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly.
@@ -8783,6 +9289,27 @@ This event is sent when RUXIM begins checking with OneSettings to retrieve any U
+### Microsoft.Windows.WindowsUpdate.RUXIM.IHBeginPresentation
+
+This event is generated when RUXIM is about to present an interaction campaign to the user. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **InteractionCampaignID** GUID identifying interaction campaign being presented.
+
+
+### Microsoft.Windows.WindowsUpdate.RUXIM.IHEndPresentation
+
+This event is generated when Interaction Handler completes presenting an interaction campaign to the user. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **hrPresentation** Error, if any, occurring during the presentation.
+- **InteractionCampaignID** GUID identifying the interaction campaign being presented.
+- **ResultId** Result generated by the presentation.
+- **WasCompleted** True if the interaction campaign is now considered complete.
+
+
 ### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent
 This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly.
@@ -8832,7 +9359,7 @@ The following fields are available:
 - **PresentationCount** Number of times the interaction campaign has been presented.
 - **ResultId** The result ID currently recorded for the interaction campaign.
 - **StateCreationTime** Time the state was created.
-- **StateModificationTime** Time the state was last modified.
+- **StateModificationTime** Time the state was last modified.
 - **ThrottlingRoll** Randomly generated throttling roll for the interaction campaign.
@@ -9022,7 +9549,7 @@ The following fields are available: - **TargetUserFreeSpace** The target user free space that was passed into the reserve manager to determine reserve sizing post upgrade. - **UpdateScratchFinalUsedSpace** The used space in the scratch reserve. - **UpdateScratchInitialUsedSpace** The utilization of the scratch reserve after initialization. -- **UpdateScratchReserveFinalSize** The utilization of the scratch reserve after initialization. +- **UpdateScratchReserveFinalSize** The final size of the scratch reserve. - **UpdateScratchReserveInitialSize** The size of the scratch reserve after initialization. @@ -9183,4 +9710,4 @@ The following fields are available: - **videoResolution** Video resolution to use. - **virtualMachineName** VM name. - **waitForClientConnection** True if we should wait for client connection. -- **wp81NetworkStackDisabled** WP 8.1 networking stack disabled. +- **wp81NetworkStackDisabled** WP 8.1 networking stack disabled. \ No newline at end of file diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 0dc8c28071..c981c76fa6 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 05/20/2019 ms.topic: conceptual --- 
@@ -251,4 +252,4 @@ An administrator can configure privacy-related settings, such as choosing to onl * [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) * [Privacy at Microsoft](https://privacy.microsoft.com/privacy-report) * [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md) -* [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/) \ No newline at end of file +* [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/) diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md index 480e474f63..7b46179c9d 100644 --- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 12/17/2020 ms.topic: reference --- # Windows 11 connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md index f4777d4afa..164bc33b67 100644 --- a/windows/privacy/windows-diagnostic-data-1703.md +++ b/windows/privacy/windows-diagnostic-data-1703.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 03/31/2017 ms.topic: reference --- diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index 04381116ab..63ed56d1a2 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 03/31/2017 ms.collection: highpri ms.topic: reference --- 
diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md index 692ea4127b..85910f867e 100644 --- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 06/29/2018 ms.topic: reference --- # Windows 10, version 1809, connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index cffad0f0e4..544fdaf06d 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 06/29/2018 ms.topic: reference --- diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md index 364bbda151..6ff9f92fef 100644 --- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 07/20/2020 ms.topic: reference --- # Windows 10, version 1909, connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md index 72c2c99868..095cbad7b5 100644 --- a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md 
@@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 05/11/2020 ms.topic: reference --- # Windows 10, version 2004, connection endpoints for non-Enterprise editions @@ -195,4 +196,3 @@ The following methodology was used to derive the network endpoints: |www.microsoft.com|HTTP|Connected User Experiences and Telemetry, Microsoft Data Management service |www.msftconnecttest.com|HTTP|Network Connection (NCSI) |www.office.com|HTTPS|Microsoft Office - diff --git a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md index a909428902..7980832e2b 100644 --- a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 12/17/2020 ms.topic: reference --- # Windows 10, version 20H2, connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md index 379e4110bc..d168f6790d 100644 --- a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.date: 12/17/2020 ms.topic: reference --- # Windows 10, version 21H1, connection endpoints for non-Enterprise editions diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 26288c8351..d2d1fa36bd 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml 
@@ -310,7 +310,7 @@ href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md - name: Passwordless items: - - name: Windows Hello for Business + - name: Windows Hello for Business ⇒ href: identity-protection/hello-for-business/index.yml - name: FIDO 2 security keys href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key?context=/windows/security/context/context @@ -328,8 +328,6 @@ href: identity-protection/credential-guard/credential-guard-requirements.md - name: Manage Credential Guard href: identity-protection/credential-guard/credential-guard-manage.md - - name: Hardware readiness tool - href: identity-protection/credential-guard/dg-readiness-tool.md - name: Credential Guard protection limits href: identity-protection/credential-guard/credential-guard-protection-limits.md - name: Considerations when using Credential Guard 
@@ -387,19 +385,19 @@ href: identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md - name: Smart Card Events href: identity-protection/smart-cards/smart-card-events.md - - name: Virtual Smart Cards + - name: Virtual smart cards href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md items: - - name: Understanding and Evaluating Virtual Smart Cards + - name: Understand and evaluate virtual smart cards href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md items: - - name: "Get Started with Virtual Smart Cards: Walkthrough Guide" + - name: Get started with virtual smart cards href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md - - name: Use Virtual Smart Cards + - name: Use virtual smart cards href: identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md - - name: Deploy Virtual Smart Cards + - name: Deploy virtual smart cards href: identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md - - name: Evaluate Virtual Smart Card Security + - name: Evaluate virtual smart card security href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md - name: Tpmvscmgr href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 27db0f26ae..6d99441988 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -23,7 +23,7 @@ Windows 11 includes the cloud services that are listed in the following table:
                                Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

                                To learn more, see [Mobile device management](/windows/client-management/mdm/). | -| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

                                The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

                                To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| +| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

                                The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

                                To learn more, see [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts).| | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

                                The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

                                If there's a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

                                With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

                                To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | diff --git a/windows/security/cryptography-certificate-mgmt.md b/windows/security/cryptography-certificate-mgmt.md index 768b1e3c3f..2edd15d942 100644 --- a/windows/security/cryptography-certificate-mgmt.md +++ b/windows/security/cryptography-certificate-mgmt.md @@ -1,7 +1,6 @@ --- title: Cryptography and Certificate Management description: Get an overview of cryptography and certificate management in Windows -search.appverid: MET150 author: paolomatarazzo ms.author: paoloma manager: aaroncz @@ -9,9 +8,6 @@ ms.topic: conceptual ms.date: 09/07/2021 ms.prod: windows-client ms.technology: itpro-security -ms.localizationpriority: medium -ms.collection: -ms.custom: ms.reviewer: skhadeer, raverma --- diff --git a/windows/security/docfx.json b/windows/security/docfx.json index bb2804df03..0310c13313 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier2" + ], "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.localizationpriority": "medium", 
@@ -65,15 +68,28 @@ }, "fileMetadata": { "author":{ - "identity-protection/**/*.md": "paolomatarazzo" + "identity-protection/**/*.md": "paolomatarazzo", + "threat-protection/windows-firewall/**/*.md": "aczechowski" }, "ms.author":{ - "identity-protection/**/*.md": "paoloma" + "identity-protection/**/*.md": "paoloma", + "threat-protection/windows-firewall/*.md": "aaroncz" }, "ms.reviewer":{ "identity-protection/hello-for-business/*.md": "erikdau", "identity-protection/credential-guard/*.md": "zwhittington", - "identity-protection/access-control/*.md": "sulahiri" + "identity-protection/access-control/*.md": "sulahiri", + "threat-protection/windows-firewall/*.md": "paoloma" + }, + "ms.collection":{ + "identity-protection/hello-for-business/*.md": "tier1", + "information-protection/bitlocker/*.md": "tier1", + "information-protection/personal-data-encryption/*.md": "tier1", + "information-protection/pluton/*.md": "tier1", + "information-protection/tpm/*.md": "tier1", + "threat-protection/auditing/*.md": "tier3", + "threat-protection/windows-defender-application-control/*.md": "tier3", + "threat-protection/windows-firewall/*.md": "tier3" } }, "template": [], diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md index 262ed05694..781c1f164d 100644 --- a/windows/security/encryption-data-protection.md +++ b/windows/security/encryption-data-protection.md @@ -1,7 +1,6 @@ --- title: Encryption and data protection in Windows description: Get an overview encryption and data protection in Windows 11 and Windows 10 -search.appverid: MET150 author: frankroj ms.author: frankroj manager: aaroncz @@ -9,9 +8,6 @@ ms.topic: overview ms.date: 09/22/2022 ms.prod: windows-client ms.technology: itpro-security -ms.localizationpriority: medium -ms.collection: -ms.custom: ms.reviewer: rafals --- 
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index 0f1ca8d5c4..4ddce5cb4e 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md @@ -29,14 +29,14 @@ Object owners generally grant permissions to security groups rather than to indi This content set contains: -- [Dynamic Access Control Overview](dynamic-access-control.md) -- [Security identifiers](security-identifiers.md) -- [Security Principals](security-principals.md) +- [Dynamic Access Control Overview](/windows-server/identity/solution-guides/dynamic-access-control-overview) +- [Security identifiers](/windows-server/identity/ad-ds/manage/understand-security-identifiers) +- [Security Principals](/windows-server/identity/ad-ds/manage/understand-security-principals) - [Local Accounts](local-accounts.md) - - [Active Directory Accounts](active-directory-accounts.md) - - [Microsoft Accounts](microsoft-accounts.md) - - [Service Accounts](service-accounts.md) - - [Active Directory Security Groups](active-directory-security-groups.md) + - [Active Directory Accounts](/windows-server/identity/ad-ds/manage/understand-default-user-accounts) + - [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts) + - [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts) + - [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups) ## Practical applications 
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif deleted file mode 100644 index fb60cd5599..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png deleted file mode 100644 index 93e5e8e098..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png deleted file mode 100644 index 7aad6b6a7b..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png deleted file mode 100644 index 2b6c1394b9..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png deleted file mode 100644 index 65508e5cf4..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png and /dev/null differ 
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png deleted file mode 100644 index 4653a66f29..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png deleted file mode 100644 index b4e379a357..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png deleted file mode 100644 index c725fd4f55..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png deleted file mode 100644 index 999303a2d6..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png deleted file mode 100644 index b80fc69397..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png and /dev/null differ 
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png deleted file mode 100644 index 412f425ccf..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png deleted file mode 100644 index b80fc69397..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png deleted file mode 100644 index b2f6d3e1e2..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png deleted file mode 100644 index 8dda5403cf..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png deleted file mode 100644 index e96b26abe1..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png and /dev/null differ 
diff --git a/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif b/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif deleted file mode 100644 index d8a4d99dd2..0000000000 Binary files a/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/corpnet.gif b/windows/security/identity-protection/access-control/images/corpnet.gif deleted file mode 100644 index f76182ee25..0000000000 Binary files a/windows/security/identity-protection/access-control/images/corpnet.gif and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png deleted file mode 100644 index e70fa02c92..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png deleted file mode 100644 index 085993f92c..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png deleted file mode 100644 index 282cdb729d..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png and /dev/null differ 
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png deleted file mode 100644 index 89fc916400..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png deleted file mode 100644 index d8d5af1336..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png deleted file mode 100644 index ba3f15f597..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png deleted file mode 100644 index 2d44e29e1b..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png deleted file mode 100644 index 89136d1ba0..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png and /dev/null differ 
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png deleted file mode 100644 index f2d3a7596b..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg b/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg deleted file mode 100644 index cd7d341065..0000000000 Binary files a/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg and /dev/null differ diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 5a35d2853f..f6baab162b 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -4,6 +4,7 @@ description: Learn how to secure and manage access to the resources on a standal ms.date: 12/05/2022 ms.collection: - highpri + - tier2 ms.topic: article appliesto: - ✅ Windows 10 and later diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index 5714236fec..bde6066c0c 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md 
@@ -1,7 +1,7 @@ --- title: Considerations when using Windows Defender Credential Guard -description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows. -ms.date: 08/31/2017 +description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard. +ms.date: 01/06/2023 ms.topic: article appliesto: - ✅ Windows 10 and later 
@@ -10,58 +10,72 @@ appliesto: # Considerations when using Windows Defender Credential Guard -Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. +It's recommended that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards. -Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, aren't supported. +## Wi-fi and VPN considerations -## Wi-fi and VPN Considerations +When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.\ +If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1. -When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use. If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. +For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based connections (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (such as PEAP-TLS or EAP-TLS). 
-## Kerberos Considerations +## Kerberos considerations -When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead. +When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\ +Use constrained or resource-based Kerberos delegation instead. -## 3rd Party Security Support Providers Considerations +## Third party Security Support Providers considerations -Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package) on MSDN. +Some third party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. 
Any use of undocumented APIs within custom SSPs and APs aren't supported.\ +It's recommended that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. -## Upgrade Considerations +For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package). -As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard. +## Upgrade considerations -### Saved Windows Credentials Protected +As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, new releases of Windows with Windows Defender Credential Guard running may affect scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. -Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. 
Generic credentials such as user names and passwords that you use to log on to websites aren't protected since the applications require your cleartext password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. +Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard. + +## Saved Windows credentials protected + +Domain credentials that are stored in *Credential Manager* are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: + +- Windows credentials +- Certificate-based credentials +- Generic credentials + +Generic credentials, such as user names and passwords that you use to sign in websites, aren't protected since the applications require your clear-text password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: -* Windows credentials saved by Remote Desktop Client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed." -* Applications that extract Windows credentials fail. -* When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you can't restore those credentials. +- Windows credentials saved by the Remote Desktop client can't be sent to a remote host. 
Attempts to use saved Windows credentials fail, displaying the error message *Logon attempt failed.* +- Applications that extract Windows credentials fail +- When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do so before you enable Windows Defender Credential Guard. Otherwise, you can't restore those credentials -## Clearing TPM Considerations +## Clearing TPM considerations -Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost. +Virtualization-based Security (VBS) uses the TPM to protect its key. When the TPM is cleared, the TPM protected key used to encrypt VBS secrets is lost. >[!WARNING] -> Clearing the TPM results in loss of protected data for all features that use VBS to protect data.
                                -> When a TPM is cleared ALL features, which use VBS to protect data can no longer decrypt their protected data. +> Clearing the TPM results in loss of protected data for all features that use VBS to protect data. +> +> When a TPM is cleared, **all** features that use VBS to protect data can no longer decrypt their protected data. -As a result Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected data is lost forever. +As a result, Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected data is lost forever. >[!NOTE] -> Credential Guard obtains the key during initialization. So the data loss will only impact persistent data and occur after the next system startup. +> Credential Guard obtains the key during initialization. The data loss will only impact persistent data and occur after the next system startup. ### Windows credentials saved to Credential Manager Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. -### Domain-joined device’s automatically provisioned public key +### Domain-joined device's automatically provisioned public key -Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). 
+Active Directory domain-joined devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). -Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). +Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless other policies are deployed, there shouldn't be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). 
For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). @@ -70,29 +84,22 @@ Also if any access control checks including authentication policies require devi On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible. >[!IMPORTANT] -> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
                                -Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost. +> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior. +Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost. If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following. Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller: -|Credential Type | Windows version | Behavior +|Credential Type | Behavior |---|---|---| -| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. | -| Password | Windows 10 v1709 or later | If the user signed in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. -| Password | Windows 10 v1703 | If the user signed in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected. -| Password | Windows 10 v1607 or earlier | Existing user DPAPI protected data is unusable. User DPAPI is able to protect new data. +| Certificate (smart card or Windows Hello for Business) | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. | +| Password | If the user signed in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. | Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted. 
#### Impact of DPAPI failures on Windows Information Protection -When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed. +When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed. -**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). - - -## See also - -- [What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security) +**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). \ No newline at end of file 
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index e4eb399ed3..a4f523f78b 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -1,9 +1,10 @@
 ---
 title: Manage Windows Defender Credential Guard (Windows)
-description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools.
+description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy or the registry.
 ms.date: 11/23/2022
 ms.collection:
 - highpri
+ - tier2
 ms.topic: article
 appliesto:
 - ✅ Windows 10 and later
@@ -38,7 +39,7 @@ Windows Defender Credential Guard will be enabled by default when a PC meets the ## Enable Windows Defender Credential Guard -Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. +Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy) or the [registry](#enable-windows-defender-credential-guard-by-using-the-registry). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. > [!NOTE] @@ -66,7 +67,7 @@ To enforce processing of the group policy, you can run `gpupdate /force`. ### Enable Windows Defender Credential Guard by using Microsoft Intune -1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices**. +1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices**. 1. Select **Configuration Profiles**. 
@@ -151,19 +152,6 @@ To enable, use the Control Panel or the Deployment Image Servicing and Managemen > [!NOTE] > You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting. -### Enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool - -You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). - -```cmd -DG_Readiness_Tool.ps1 -Enable -AutoReboot -``` - -> [!IMPORTANT] -> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. -> -> This is a known issue. - ### Review Windows Defender Credential Guard performance #### Is Windows Defender Credential Guard running? 
@@ -178,17 +166,6 @@ You can view System Information to check that Windows Defender Credential Guard :::image type="content" source="images/credguard-msinfo32.png" alt-text="The 'Virtualization-based security Services Running' entry lists Credential Guard in System Information (msinfo32.exe)."::: -You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). - -```cmd -DG_Readiness_Tool_v3.6.ps1 -Ready -``` - -> [!IMPORTANT] -> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. -> -> This is a known issue. - > [!NOTE] > For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md deleted file mode 100644 index 86b9533f7a..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ /dev/null 
@@ -1,636 +0,0 @@ ---- -title: Windows Defender Credential Guard protection limits & mitigations (Windows) -description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use. -ms.topic: article -ms.date: 08/17/2017 -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later ---- - -# Windows Defender Credential Guard protection limits and mitigations - -Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) -in the Deep Dive into Windows Defender Credential Guard video series. - -Some ways to store credentials are not protected by Windows Defender Credential Guard, including: - -- Software that manages credentials outside of Windows feature protection -- Local accounts and Microsoft Accounts -- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. -- Key loggers -- Physical attacks -- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. -- Third-party security packages -- Digest and CredSSP credentials - - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. -- Supplied credentials for NTLM authentication are not protected. 
If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.- -- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host. -- Windows logon cached password verifiers (commonly called "cached credentials") -do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available. - -## Additional mitigations - -Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust. - -### Restricting domain users to specific domain-joined devices - -Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. 
If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. - -#### Kerberos armoring - -Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. - -**To enable Kerberos armoring for restricting domain users to specific domain-joined devices** - -- Users need to be in domains that are running Windows Server 2012 R2 or higher -- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. -- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. - -#### Protecting domain-joined device secrets - -Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. 
Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. - -Domain-joined device certificate authentication has the following requirements: -- Devices' accounts are in Windows Server 2012 domain functional level or higher. -- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: - - KDC EKU present - - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension -- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. -- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. - -##### Deploying domain-joined device certificates - -To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates. - -For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template. - -**Creating a new certificate template** - -1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.** -1. Right-click **Workstation Authentication**, and then click **Duplicate Template**. -1. Right-click the new template, and then click **Properties**. -1. On the **Extensions** tab, click **Application Policies**, and then click **Edit**. -1. Click **Client Authentication**, and then click **Remove**. -1. Add the ID-PKInit-KPClientAuth EKU. 
Click **Add**, click **New**, and then specify the following values: - - Name: Kerberos Client Auth - - Object Identifier: 1.3.6.1.5.2.3.4 -1. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**. -1. Under **Issuance Policies**, click**High Assurance**. -1. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. - -Then on the devices that are running Windows Defender Credential Guard, enroll the devices using the certificate you just created. - -**Enrolling devices in a certificate** - -Run the following command: -```powershell -CertReq -EnrollCredGuardCert MachineAuthentication -``` - -> [!NOTE] -> You must restart the device after enrolling the machine authentication certificate. - -##### How a certificate issuance policy can be used for access control - -Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897(v=ws.10)) on TechNet. - -**To see the issuance policies available** - -- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.\ -From a Windows PowerShell command prompt, run the following command: - - ```powershell - .\get-IssuancePolicy.ps1 –LinkedToGroup:All - ``` - -**To link an issuance policy to a universal security group** - -- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. 
- From a Windows PowerShell command prompt, run the following command: - - ```powershell - .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" - ``` - -#### Restricting user sign-on - -So we now have completed the following: - -- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on -- Mapped that policy to a universal security group or claim -- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. - -Authentication policies have the following requirements: -- User accounts are in a Windows Server 2012 domain functional level or higher domain. - -**Creating an authentication policy restricting users to the specific universal security group** - -1. Open Active Directory Administrative Center. -2. Click **Authentication**, click **New**, and then click **Authentication Policy**. -3. In the **Display name** box, enter a name for this authentication policy. -4. Under the **Accounts** heading, click **Add**. -5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**. -6. Under the **User Sign On** heading, click the **Edit** button. -7. Click **Add a condition**. -8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. -9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**. -10. Click **OK** to close the **Edit Access Control Conditions** box. -11. Click **OK** to create the authentication policy. -12. 
Close Active Directory Administrative Center. - -> [!NOTE] -> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. - -##### Discovering authentication failures due to authentication policies - -To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. - -To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486813(v=ws.11)). - - - - -### Appendix: Scripts - - -Here is a list of scripts mentioned in this topic. - -#### Get the available issuance policies on the certificate authority - -Save this script file as get-IssuancePolicy.ps1. - -```powershell -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$Identity, -$LinkedToGroup -) -####################################### -## Strings definitions ## -####################################### -Data getIP_strings { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted. -help2 = Usage: -help3 = The following parameter is mandatory: -help4 = -LinkedToGroup: -help5 = "yes" will return only Issuance Policies that are linked to groups. 
Checks that the linked Issuance Policies are linked to valid groups. -help6 = "no" will return only Issuance Policies that are not currently linked to any group. -help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. -help8 = The following parameter is optional: -help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. -help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. -help11 = Examples: -errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" -ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". -ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". -ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. 
The group has the following members: -LinkedIPs = The following Issuance Policies are linked to groups: -displayName = displayName : {0} -Name = Name : {0} -dn = distinguishedName : {0} - InfoName = Linked Group Name: {0} - InfoDN = Linked Group DN: {0} -NonLinkedIPs = The following Issuance Policies are NOT linked to groups: -'@ -} -##Import-LocalizedData getIP_strings -import-module ActiveDirectory -####################################### -## Help ## -####################################### -function Display-Help { - "" - $getIP_strings.help1 - "" -$getIP_strings.help2 -"" -$getIP_strings.help3 -" " + $getIP_strings.help4 -" " + $getIP_strings.help5 - " " + $getIP_strings.help6 - " " + $getIP_strings.help7 -"" -$getIP_strings.help8 - " " + $getIP_strings.help9 - "" - $getIP_strings.help10 -"" -"" -$getIP_strings.help11 - " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" - " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" - " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" -"" -} -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -$configNCDN = [String]$root.configurationNamingContext -if ( !($Identity) -and !($LinkedToGroup) ) { -display-Help -break -} -if ($Identity) { - $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * - if ($OIDs -eq $null) { -$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity -write-host $errormsg -ForegroundColor Red - } - foreach ($OID in $OIDs) { - if ($OID."msDS-OIDToGroupLink") { -# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. 
- $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $groupName = $group.Name -# Analyze the group - if ($group.groupCategory -ne "Security") { -$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - } - } - return $OIDs - break -} -if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" - $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*****************************************************" - write-host $getIP_strings.LinkedIPs - write-host "*****************************************************" - write-host "" - if ($LinkedOIDs -ne $null){ - foreach ($OID in $LinkedOIDs) { -# Display basic information about the Issuance Policies - "" - $getIP_strings.displayName -f $OID.displayName - $getIP_strings.Name -f $OID.Name - $getIP_strings.dn -f $OID.distinguishedName -# Get the linked group. 
- $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $getIP_strings.InfoName -f $group.Name - $getIP_strings.InfoDN -f $groupDN -# Analyze the group - $OIDName = $OID.displayName - $groupName = $group.Name - if ($group.groupCategory -ne "Security") { - $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - write-host "" - } - }else{ -write-host "There are no issuance policies that are mapped to a group" - } - if ($LinkedToGroup -eq "yes") { - return $LinkedOIDs - break - } -} -if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" - $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*********************************************************" - write-host $getIP_strings.NonLinkedIPs - write-host "*********************************************************" - write-host "" - if ($NonLinkedOIDs -ne $null) { - foreach ($OID in $NonLinkedOIDs) { -# Display basic information about the Issuance Policies -write-host "" -$getIP_strings.displayName -f $OID.displayName -$getIP_strings.Name -f $OID.Name -$getIP_strings.dn -f $OID.distinguishedName -write-host "" - } - }else{ -write-host "There are no issuance policies which are not mapped to groups" - } - if ($LinkedToGroup -eq "no") { - return $NonLinkedOIDs - break - } -} -``` -> [!NOTE] -> If you're having trouble running this script, try 
replacing the single quote after the ConvertFrom-StringData parameter. - -#### Link an issuance policy to a group - -Save the script file as set-IssuancePolicyToGroupLink.ps1. - -```powershell -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$IssuancePolicyName, -$groupOU, -$groupName -) -####################################### -## Strings definitions ## -####################################### -Data ErrorMsg { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. -help2 = Usage: -help3 = The following parameters are required: -help4 = -IssuancePolicyName: -help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. -help6 = The following parameter is optional: -help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. -help8 = Examples: -help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. -help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. -MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" -NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". -IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} -MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". -confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. 
Do you want to create it? -OUCreationSuccess = Organizational Unit "{0}" successfully created. -OUcreationError = Error: Organizational Unit "{0}" could not be created. -OUFoundSuccess = Organizational Unit "{0}" was successfully found. -multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". -confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? -groupCreationSuccess = Univeral Security group "{0}" successfully created. -groupCreationError = Error: Univeral Security group "{0}" could not be created. -GroupFound = Group "{0}" was successfully found. -confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? -UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. -UnlinkError = Removing the link failed. -UnlinkExit = Exiting without removing the link from the issuance policy to the group. -IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. -ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". -ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". -ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: -ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"? -LinkSuccess = The certificate issuance policy was successfully linked to the specified group. -LinkError = The certificate issuance policy could not be linked to the specified group. 
-ExitNoLinkReplacement = Exiting without setting the new link. -'@ -} -# import-localizeddata ErrorMsg -function Display-Help { -"" -write-host $ErrorMsg.help1 -"" -write-host $ErrorMsg.help2 -"" -write-host $ErrorMsg.help3 -write-host "`t" $ErrorMsg.help4 -write-host "`t" $ErrorMsg.help5 -"" -write-host $ErrorMsg.help6 -write-host "`t" $ErrorMsg.help7 -"" -"" -write-host $ErrorMsg.help8 -"" -write-host $ErrorMsg.help9 -".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " -"" -write-host $ErrorMsg.help10 -'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' -"" -} -# Assumption: The group to which the Issuance Policy is going -# to be linked is (or is going to be created) in -# the domain the user running this script is a member of. -import-module ActiveDirectory -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -if ( !($IssuancePolicyName) ) { -display-Help -break -} -####################################### -## Find the OID object ## -## (aka Issuance Policy) ## -####################################### -$searchBase = [String]$root.configurationnamingcontext -$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * -if ($OID -eq $null) { -$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($OID.GetType().IsArray) { -$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -else { -$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName -write-host $tmp -ForeGroundColor Green -} -####################################### -## Find the container of the group ## -####################################### -if ($groupOU -eq 
$null) { -# default to the Users container -$groupContainer = $domain.UsersContainer -} -else { -$searchBase = [string]$domain.DistinguishedName -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -if ($groupContainer.count -gt 1) { -$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase -write-host $tmp -ForegroundColor Red -break; -} -elseif ($groupContainer -eq $null) { -$tmp = $ErrorMsg.confirmOUcreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName -if ($?){ -$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU -write-host $tmp -ForegroundColor Green -} -else{ -$tmp = $ErrorMsg.OUCreationError -f $groupOU -write-host $tmp -ForeGroundColor Red -break; -} -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name -write-host $tmp -ForegroundColor Green -} -} -####################################### -## Find the group ## -####################################### -if (($groupName -ne $null) -and ($groupName -ne "")){ -##$searchBase = [String]$groupContainer.DistinguishedName -$searchBase = $groupContainer -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -if ($group -ne $null -and $group.gettype().isarray) { -$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($group -eq $null) { -$tmp = $ErrorMsg.confirmGroupCreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice 
-eq "yes") ) { -new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" -if ($?){ -$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName -write-host $tmp -ForegroundColor Green -}else{ -$tmp = $ErrorMsg.groupCreationError -f $groupName -write-host $tmp -ForeGroundColor Red -break -} -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.GroupFound -f $group.Name -write-host $tmp -ForegroundColor Green -} -} -else { -##### -## If the group is not specified, we should remove the link if any exists -##### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" -if ($?) 
{ -$tmp = $ErrorMsg.UnlinkSuccess -write-host $tmp -ForeGroundColor Green -}else{ -$tmp = $ErrorMsg.UnlinkError -write-host $tmp -ForeGroundColor Red -} -} -else { -$tmp = $ErrorMsg.UnlinkExit -write-host $tmp -break -} -} -else { -$tmp = $ErrorMsg.IPNotLinked -write-host $tmp -ForeGroundColor Yellow -} -break; -} -####################################### -## Verify that the group is ## -## Universal, Security, and ## -## has no members ## -####################################### -if ($group.GroupScope -ne "Universal") { -$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -if ($group.GroupCategory -ne "Security") { -$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -$members = Get-ADGroupMember -Identity $group -if ($members -ne $null) { -$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red} -break; -} -####################################### -## We have verified everything. We ## -## can create the link from the ## -## Issuance Policy to the group. ## -####################################### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName -write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Replace $tmp -if ($?) 
{ -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} else { -$tmp = $Errormsg.ExitNoLinkReplacement -write-host $tmp -break -} -} -else { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Add $tmp -if ($?) { -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} -``` - -> [!NOTE] -> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. - -## See also - -**Deep Dive into Windows Defender Credential Guard: Related videos** - -[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md deleted file mode 100644 index 5051ce94cd..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ /dev/null @@ -1,494 +0,0 @@ ---- -title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows) -description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows. -ms.date: 11/22/2022 -ms.topic: reference -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later ---- - -# Windows Defender Credential Guard: scripts for certificate authority issuance policies - -Expand each section to see the PowerShell scripts: - -
                                -
                                -Get the available issuance policies on the certificate authority - -Save this script file as get-IssuancePolicy.ps1. - -```powershell -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$Identity, -$LinkedToGroup -) -####################################### -## Strings definitions ## -####################################### -Data getIP_strings { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted. -help2 = Usage: -help3 = The following parameter is mandatory: -help4 = -LinkedToGroup: -help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. -help6 = "no" will return only Issuance Policies that are not currently linked to any group. -help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. -help8 = The following parameter is optional: -help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. -help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. -help11 = Examples: -errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" -ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". -ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". -ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. 
The group has the following members: -LinkedIPs = The following Issuance Policies are linked to groups: -displayName = displayName : {0} -Name = Name : {0} -dn = distinguishedName : {0} - InfoName = Linked Group Name: {0} - InfoDN = Linked Group DN: {0} -NonLinkedIPs = The following Issuance Policies are NOT linked to groups: -'@ -} -##Import-LocalizedData getIP_strings -import-module ActiveDirectory -####################################### -## Help ## -####################################### -function Display-Help { - "" - $getIP_strings.help1 - "" -$getIP_strings.help2 -"" -$getIP_strings.help3 -" " + $getIP_strings.help4 -" " + $getIP_strings.help5 - " " + $getIP_strings.help6 - " " + $getIP_strings.help7 -"" -$getIP_strings.help8 - " " + $getIP_strings.help9 - "" - $getIP_strings.help10 -"" -"" -$getIP_strings.help11 - " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" - " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" - " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" -"" -} -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -$configNCDN = [String]$root.configurationNamingContext -if ( !($Identity) -and !($LinkedToGroup) ) { -display-Help -break -} -if ($Identity) { - $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * - if ($OIDs -eq $null) { -$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity -write-host $errormsg -ForegroundColor Red - } - foreach ($OID in $OIDs) { - if ($OID."msDS-OIDToGroupLink") { -# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. 
- $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $groupName = $group.Name -# Analyze the group - if ($group.groupCategory -ne "Security") { -$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - } - } - return $OIDs - break -} -if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" - $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*****************************************************" - write-host $getIP_strings.LinkedIPs - write-host "*****************************************************" - write-host "" - if ($LinkedOIDs -ne $null){ - foreach ($OID in $LinkedOIDs) { -# Display basic information about the Issuance Policies - "" - $getIP_strings.displayName -f $OID.displayName - $getIP_strings.Name -f $OID.Name - $getIP_strings.dn -f $OID.distinguishedName -# Get the linked group. 
- $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $getIP_strings.InfoName -f $group.Name - $getIP_strings.InfoDN -f $groupDN -# Analyze the group - $OIDName = $OID.displayName - $groupName = $group.Name - if ($group.groupCategory -ne "Security") { - $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - write-host "" - } - }else{ -write-host "There are no issuance policies that are mapped to a group" - } - if ($LinkedToGroup -eq "yes") { - return $LinkedOIDs - break - } -} -if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" - $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*********************************************************" - write-host $getIP_strings.NonLinkedIPs - write-host "*********************************************************" - write-host "" - if ($NonLinkedOIDs -ne $null) { - foreach ($OID in $NonLinkedOIDs) { -# Display basic information about the Issuance Policies -write-host "" -$getIP_strings.displayName -f $OID.displayName -$getIP_strings.Name -f $OID.Name -$getIP_strings.dn -f $OID.distinguishedName -write-host "" - } - }else{ -write-host "There are no issuance policies which are not mapped to groups" - } - if ($LinkedToGroup -eq "no") { - return $NonLinkedOIDs - break - } -} -``` -> [!NOTE] -> If you're having trouble running this script, try 
replacing the single quote after the ConvertFrom-StringData parameter. - -
                                - -
                                -
                                -Link an issuance policy to a group - -Save the script file as set-IssuancePolicyToGroupLink.ps1. - -```powershell -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$IssuancePolicyName, -$groupOU, -$groupName -) -####################################### -## Strings definitions ## -####################################### -Data ErrorMsg { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. -help2 = Usage: -help3 = The following parameters are required: -help4 = -IssuancePolicyName: -help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. -help6 = The following parameter is optional: -help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. -help8 = Examples: -help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. -help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. -MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" -NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". -IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} -MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". -confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it? 
-OUCreationSuccess = Organizational Unit "{0}" successfully created. -OUcreationError = Error: Organizational Unit "{0}" could not be created. -OUFoundSuccess = Organizational Unit "{0}" was successfully found. -multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". -confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? -groupCreationSuccess = Univeral Security group "{0}" successfully created. -groupCreationError = Error: Univeral Security group "{0}" could not be created. -GroupFound = Group "{0}" was successfully found. -confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? -UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. -UnlinkError = Removing the link failed. -UnlinkExit = Exiting without removing the link from the issuance policy to the group. -IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. -ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". -ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". -ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: -ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"? -LinkSuccess = The certificate issuance policy was successfully linked to the specified group. -LinkError = The certificate issuance policy could not be linked to the specified group. -ExitNoLinkReplacement = Exiting without setting the new link. 
-'@ -} -# import-localizeddata ErrorMsg -function Display-Help { -"" -write-host $ErrorMsg.help1 -"" -write-host $ErrorMsg.help2 -"" -write-host $ErrorMsg.help3 -write-host "`t" $ErrorMsg.help4 -write-host "`t" $ErrorMsg.help5 -"" -write-host $ErrorMsg.help6 -write-host "`t" $ErrorMsg.help7 -"" -"" -write-host $ErrorMsg.help8 -"" -write-host $ErrorMsg.help9 -".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " -"" -write-host $ErrorMsg.help10 -'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' -"" -} -# Assumption: The group to which the Issuance Policy is going -# to be linked is (or is going to be created) in -# the domain the user running this script is a member of. -import-module ActiveDirectory -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -if ( !($IssuancePolicyName) ) { -display-Help -break -} -####################################### -## Find the OID object ## -## (aka Issuance Policy) ## -####################################### -$searchBase = [String]$root.configurationnamingcontext -$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * -if ($OID -eq $null) { -$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($OID.GetType().IsArray) { -$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -else { -$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName -write-host $tmp -ForeGroundColor Green -} -####################################### -## Find the container of the group ## -####################################### -if ($groupOU -eq $null) { -# default to the Users container -$groupContainer = 
$domain.UsersContainer -} -else { -$searchBase = [string]$domain.DistinguishedName -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -if ($groupContainer.count -gt 1) { -$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase -write-host $tmp -ForegroundColor Red -break; -} -elseif ($groupContainer -eq $null) { -$tmp = $ErrorMsg.confirmOUcreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName -if ($?){ -$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU -write-host $tmp -ForegroundColor Green -} -else{ -$tmp = $ErrorMsg.OUCreationError -f $groupOU -write-host $tmp -ForeGroundColor Red -break; -} -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name -write-host $tmp -ForegroundColor Green -} -} -####################################### -## Find the group ## -####################################### -if (($groupName -ne $null) -and ($groupName -ne "")){ -##$searchBase = [String]$groupContainer.DistinguishedName -$searchBase = $groupContainer -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -if ($group -ne $null -and $group.gettype().isarray) { -$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($group -eq $null) { -$tmp = $ErrorMsg.confirmGroupCreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -new-adgroup -samAccountName $groupName -path 
$groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" -if ($?){ -$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName -write-host $tmp -ForegroundColor Green -}else{ -$tmp = $ErrorMsg.groupCreationError -f $groupName -write-host $tmp -ForeGroundColor Red -break -} -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.GroupFound -f $group.Name -write-host $tmp -ForegroundColor Green -} -} -else { -##### -## If the group is not specified, we should remove the link if any exists -##### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" -if ($?) { -$tmp = $ErrorMsg.UnlinkSuccess -write-host $tmp -ForeGroundColor Green -}else{ -$tmp = $ErrorMsg.UnlinkError -write-host $tmp -ForeGroundColor Red -} -} -else { -$tmp = $ErrorMsg.UnlinkExit -write-host $tmp -break -} -} -else { -$tmp = $ErrorMsg.IPNotLinked -write-host $tmp -ForeGroundColor Yellow -} -break; -} -####################################### -## Verify that the group is ## -## Universal, Security, and ## -## has no members ## -####################################### -if ($group.GroupScope -ne "Universal") { -$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -if ($group.GroupCategory -ne "Security") { -$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -$members = Get-ADGroupMember -Identity $group -if ($members -ne $null) { -$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -foreach ($member in 
$members) {write-host " $member.name" -ForeGroundColor Red} -break; -} -####################################### -## We have verified everything. We ## -## can create the link from the ## -## Issuance Policy to the group. ## -####################################### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName -write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Replace $tmp -if ($?) { -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} else { -$tmp = $Errormsg.ExitNoLinkReplacement -write-host $tmp -break -} -} -else { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Add $tmp -if ($?) { -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} -``` - -> [!NOTE] -> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. - -
                                diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md index 6548d02f17..0ab05c22ab 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard.md +++ b/windows/security/identity-protection/credential-guard/credential-guard.md @@ -5,6 +5,7 @@ ms.date: 11/22/2022 ms.topic: article ms.collection: - highpri + - tier2 appliesto: - ✅ Windows 10 and later - ✅ Windows Server 2016 and later diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md deleted file mode 100644 index d834db9710..0000000000 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ /dev/null 
@@ -1,1381 +0,0 @@
----
-title: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
-description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script
-ms.date: 11/22/2022
-ms.topic: reference
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
----
-
-# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
-
-```powershell
-# Script to find out if a machine is Device Guard compliant.
-# The script requires a driver verifier present on the system.
-
-param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier)
-
-Set-StrictMode -Version Latest
-
-$path = "C:\DGLogs\"
-$LogFile = $path + "DeviceGuardCheckLog.txt"
-
-$CompatibleModules = New-Object System.Text.StringBuilder
-$FailingModules = New-Object System.Text.StringBuilder
-$FailingExecuteWriteCheck = New-Object System.Text.StringBuilder
-
-$DGVerifyCrit = New-Object System.Text.StringBuilder
-$DGVerifyWarn = New-Object System.Text.StringBuilder
-$DGVerifySuccess = New-Object System.Text.StringBuilder
-
-
-$Sys32Path = "$env:windir\system32"
-$DriverPath = "$env:windir\system32\drivers"
-
-#generated by certutil -encode
-$SIPolicy_Encoded = "BQAAAA43RKLJRAZMtVH2AW5WMHbk9wcuTBkgTbfJb0SmxaI0BACNkAgAAAAAAAAA
-HQAAAAIAAAAAAAAAAAAKAEAAAAAMAAAAAQorBgEEAYI3CgMGDAAAAAEKKwYBBAGC
-NwoDBQwAAAABCisGAQQBgjc9BAEMAAAAAQorBgEEAYI3PQUBDAAAAAEKKwYBBAGC
-NwoDFQwAAAABCisGAQQBgjdMAwEMAAAAAQorBgEEAYI3TAUBDAAAAAEKKwYBBAGC
-N0wLAQEAAAAGAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-AQAAAAYAAAABAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA
-BgAAAAEAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAGAAAA
-AQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAUAAAABAAAA
-AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAABAAAAAEAAAABAAAA
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAGAAAAAQAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAYAAAABAAAAAgAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAABAAAABgAAAAEAAAADAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAEAAAAGAAAAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAQAAAAUAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAABAAAADgAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAEAAAAOAAAAAQAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AQAAAA4AAAABAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA -DgAAAAEAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAOAAAA -AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAA4AAAABAAAA -AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAADgAAAAEAAAADAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAOAAAAAQAAAAEAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQAAAABAAAAAQAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAPye3j3MoJGGstO/m3OKIFDLGlVN -otyttV8/cu4XchN4AQAAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AQAAAAYAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA -DgAAAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAHAAAA -AQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAoAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAKAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAABAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAQAAAAYAAAABAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAABAAAABwAAAAEAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAABAAAAFAAAAIMAAAAAAAAADIAAAAsAAAAAAAAAAAAAAAEAAAAAAAAA -AgAAAAAAAAADAAAAAAAAAAQAAAAAAAAABQAAAAAAAAALAAAAAAAAAAwAAAAAAAAA -DQAAAAAAAAAOAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAMAAAAAAAAAAyAAAASAAAABgAAAAAAAAAHAAAAAAAAAAgAAAAAAAAA -CQAAAAAAAAAKAAAAAAAAABMAAAAAAAAADwAAAAAAAAAQAAAAAAAAABEAAAAAAAAA -EgAAAAAAAAAUAAAAAAAAABUAAAAAAAAAGgAAAAAAAAAbAAAAAAAAABwAAAAAAAAA -FgAAAAAAAAAXAAAAAAAAABkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAgAAABQAAABQAG8AbABpAGMAeQBJAG4AZgBvAAAAAAAWAAAA 
-SQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAQAAABJAGQAAAAAAAMAAAAMAAAA -MAAzADEAMAAxADcAAAAAABQAAABQAG8AbABpAGMAeQBJAG4AZgBvAAAAAAAWAAAA -SQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAgAAABOAGEAbQBlAAAAAAADAAAA -JgAAAEQAZQBmAGEAdQBsAHQAVwBpAG4AZABvAHcAcwBBAHUAZABpAHQAAAAAAAAA -AwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAA -BQAAAAYAAAA=" - -$HSTITest_Encoded = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADxXZfstTz5v7U8+b+1PPm/2GH4vrc8+b+8RGq/ojz5v9hh+r63PPm/2GH9vr48+b+1PPi/qjz5v9hh+b60PPm/2GHwvrc8+b/YYfu+tDz5v1JpY2i1PPm/AAAAAAAAAABQRQAAZIYFAGt3EVgAAAAAAAAAAPAAIiALAg4AABIAAAAaAAAAAAAAkBsAAAAQAAAAAACAAQAAAAAQAAAAAgAACgAAAAoAAAAKAAAAAAAAAABwAAAABAAAxcwAAAMAYEEAAAQAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAEDkAAGQAAAB0OQAABAEAAAAAAAAAAAAAAFAAACABAAAAAAAAAAAAAABgAAAYAAAAwDUAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQMAAA0AAAAAAAAAAAAAAA4DAAAEgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAMURAAAAEAAAABIAAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAB4DwAAADAAAAAQAAAAFgAAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAwAUAAABAAAAAAgAAACYAAAAAAAAAAAAAAAAAAEAAAMAucGRhdGEAACABAAAAUAAAAAIAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAYAAAAAGAAAAACAAAAKgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAABIiVwkCFVWV0FWQVdIi+xIg+wwM/9IjUU4TIv5iX1ISI1NSIl9QEUzyYl9OEyNRUBIiUQkIDPS6AwJAACL2D1XAAeAD4WrAAAAi0VASGnYDCIAAP8V/yAAAI13CEyLw0iLyIvW/xX2IAAATIvwSIXAdQe7DgAHgOtxi104/xXWIAAARIvDi9ZIi8j/FdAgAABIi/BIhcB1B7sOAAeA6x5IjUU4TIvOTI1FQEiJRCQgSYvWSI1NSOiNCAAAi9j/FZUgAABNi8Yz0kiLyP8VlyAAAEiF9nQU/xV8IAAATIvGM9JIi8j/FX4gAAA5fUhAD5THQYk/i8NIi1wkYEiDxDBBX0FeX15dw8zMzMzMzMzMzOkzCAAAzMzMzMzMzEiJXCQYSIl0JCBXSIHscAEAAEiLBbsuAABIM8RIiYQkYAEAAA8QBRkhAACL8kiL+TPSSI1MJGBBuPQAAADzD39EJFDo6g4AAEiDZCQwAEiNTCRQg2QkQABFM8nHRCQogAAAALoAAABAx0QkIAMAAABFjUEB/xWSHwAASIvYSIP4/3RGQbkCAAAARTPAM9JIi8j/FX0fAACD+P90HkiDZCQgAEyNTCRARIvGSIvXSIvL/xVmHwAAhcB1Bv8VPB8AAEiLy/8VYx8AAEiLjCRgAQAASDPM6AsLAABMjZwkcAEAAEmLWyBJi3MoSYvjX8PMzMzMzMxIg+woM9JMi8lIhcl0Hrr///9/M8BEi8I4AXQJSP/BSYPoAXXzTYXAdSEz0rhXAAeAM8mFwEgPScp4C41RAUmLyejG/v//SIPEKMNJK9Dr4czMzMzMzMzMSIlcJAhIiXQkEFdIg+wgQYvZSYv4SIvy6Iv///+L00iLz+iN/v//SIvOSItcJDBIi3QkOEiDxCBf6Wr////MzMzMzMyJVCQQSIPsKAkRSI0Nsx8AAOhO////ugQAAABIjUwkOOhL/v//SI0NqB8AAOgz////SIPEKMPMzMzMzMxAVVNWV0FUQVVBVkFXSI1sJOFIgeyYAAAASIsF6CwAAEgzxEiJRQ9FM/ZIiVXnM9JIiU3vRIl1p0GL3kiJXbdJi8BIiUXXTYvpRIl1r0GL/kSJdfdFi+ZIiVX7RYv+SIlVA0yJdc9IhckPhBEFAABIhcAPhAgFAABNhckPhP8EAABBgzkBdBHHRaeAAAAAvwJAAIDp7QQAAEiNDQkfAADohP7//0WLfQREiX2/SWnfDCIAAP8Vtx0AAEyLw7oIAAAASIvI/xWuHQAATIvgSIXAdShIjQ3vHgAA6Er+////FUwdAAAPt/iBzwAAB4CFwA9O+EmL3umLBAAASI0N9x4AAOgi/v//RIl1s0WF/w+EiwIAAEmNXQhIiV3HSY20JAwCAABIjQ32HgAA6Pn9//+LQwiJhvT9//+FwHktPbsAAMB1EUiNDe4eAADo2f3//+kaAgAASI0N/R4AAOjI/f//g02nQOkFAgAAixtJA92DOwN0Gw+6bacIugEAAABIjY78/f//6Dv+///p4AEAAEyNhgD+//+6BAAAAEmLwEiNSwgPEAFIjYmAAAAADxEASI2AgAAAAA8QSZAPEUiQDxBBoA8RQKAPEEmwDxFIsA8QQcAPEUDADxBJ0A8RSNAPEEHgDxFA4A8QSfAPEUjwSIPqAXWuQbkAAgAASI0VgB4AAEiNDYEeAADodP3//4uLCAIAALoAEAAAQYv+TI0ES0iBwQwCAABMA8FIi85MK8ZIjYL+7/9/SIXAdBdBD7cECGaFwHQNZokBSIPBAkiD6gF13UiF0nUJSIPpAr96AAeAZkSJMUiNFSYeAABIjQ0nHgAAQbkAIAAATIvG6AH9//9MjXMEQYsOjUH/g/gDD4fDAAAA/0SN90iNFQMeAACJjvj9//9BuQQAAABIjQ34HQAATYvG6Mj8//9BiwaDfIX3AXZESI2O/P3//7oEAAAA6PH8//9Biw6D6QF0JYPpAXQag+kBdA+
D+QEPhaIAAACDTacI63eDTacE63GDTacC62uDTacB62WD+AF1YIuDCAIAAEyNRa9BuQQAAACJRa9IjRWTHQAASI0NrB0AAOhP/P//RTP2RDl1r3UOD7ptpwlBjVYI6TX+//9IjYMMAgAASIlFz+sZD7ptpwlIjY78/f//ugIAAADoWfz//0Uz9otFs0iBxgwiAABIg0XHDP/AiUWzQTvHcxdIi13H6ZP9//+/BUAAgEiLXbfp5wEAAEQ5dad0DkiNDU0dAADoePv//+vji12v/xW1GgAARIvDuggAAABIi8j/FawaAABIiUW3SIvYSIXAdRZIjQ1JHQAA6ET7//+/FwAA0OmXAQAASI0NYx0AAOgu+///i0WvRI2wBgEAAEaNNHBEiXWzRYX/D4TFAAAASY1cJAhJjXUISI0N+xsAAOj++v//gXv4uwAAwHUOSI0N/hsAAOjp+v//63xEOXYEcxS6EAAAAA+6bacJSIvL6Gv7///rYosOSQPNi4EIAgAAO0WvdAe6CAAAAOvaRTPATI0MQUyNFAhEOUWvdjpMi3W3Qw+2jBAMAgAA99FDhIwIDAIAAHQID7ptpwmDCyBDioQIDAIAAEMIBDBB/8BEO0Wvcs5Ei3WzSIPGDEiBwwwiAABJg+8BD4VM////RIt9v0iLXbdFM/ZEOXWndBFIjQ0OHAAA6Dn6///pkQAAAEGL9kQ5da8PhoQAAABMi3W3TIttz0iNDYgcAADoE/r//4vGTI1Fq0G5AQAAAEiNFZgcAABCigwwSo0cKCILiE2rSI0NlBwAAOg/+v//QbkBAAAASI0VkhwAAEyLw0iNDZgcAADoI/r//4oDOEWrdBBIjQ2dHAAA6Lj5//+DTacg/8Y7da9yjuly+///v1cAB4BIjQ2sHAAA6Jf5//9BuQQAAABMjUWnSI0VphwAAEiNDa8cAADo0vn//02F5HRdTIt150iLdddNhfZ0NEQ5PnIvSI0NnBwAAOhX+f//QYvHSYvUTGnADCIAAEmLzuh0BwAASI0NmxwAAOg2+f//6wW/VwAHgESJPv8VbhgAAE2LxDPSSIvI/xVwGAAASIXbdBT/FVUYAABMi8Mz0kiLyP8VVxgAAEiLRe9IhcB0BYtNp4kIi8dIi00PSDPM6NMDAABIgcSYAAAAQV9BXkFdQVxfXltdw8zMzMzMzMxIi8RIiVgISIloEEiJcBhXQVZBV0iD7DCDYNgATYvxSYv4TI1I2EiL8kyL+UUzwDPSuaYAAAD/FWwYAACL2D0EAADAdAkPuusc6dkAAACDfCQgFHMKuwVAAIDpyAAAAItcJCD/FacXAABEi8O6CAAAAEiLyP8VnhcAAEiL6EiFwHUKuw4AB4DpmwAAAESLRCQgRTPJSIvQuaYAAAD/FQYYAACL2IXAeQYPuusc6zdIjQ2TGwAA6A74//+LVCQgSIvN6A73//9IjQ2LGwAA6Pb3//9Mi81Mi8dIi9ZJi8/ovfj//4vYSIt8JHCLdCQgSIX/dBk5N3IVTYX2dBBEi8ZIi9VJi87o8AUAAOsFu1cAB4CJN/8V9xYAAEyLxTPSSIvI/xX5FgAASItsJFiLw0iLXCRQSIt0JGBIg8QwQV9BXl/DzMzMzMzMSIlcJAhXSIPsIIP6AXU8SI0VmhcAAEiNDYsXAADoaAMAAIXAdAczwOmjAAAASI0VbBcAAEiNDV0XAADoVgMAAP8FKiUAAOmAAAAAhdJ1fDkVUyUAAHRtSIsNGiUAAOgxAgAASIsNFiUAAEiL+OgiAgAASI1Y+OsXSIsL6BQCAABIhcB0Bv8VBRcAAEiD6whIO99z5IM9DSUAAAR2FP8VJRYAAEyLxzPSSIvI/xUnFgAA6O4BAABIiQXDJAAASIkFtCQAAIMlpSQAAAC4AQAAAEiLXCQwSIPEIF/DzMzMzMzMzMzMzMzMzMzMzMzMzMzMSIlcJAhIiXQkEFdIg+wgSYv4i9pIi/GD+gF1BeijAQAATIvHi9NIi85
Ii1wkMEiLdCQ4SIPEIF/pBwAAAMzMzMzMzMxMiUQkGIlUJBBIiUwkCFNWV0iB7JAAAACL+kiL8cdEJCABAAAAhdJ1EzkVDSQAAHULM9uJXCQg6d8AAACNQv+D+AF3MkyLhCTAAAAA6Hv+//+L2IlEJCDrFTPbiVwkIIu8JLgAAABIi7QksAAAAIXbD4SlAAAATIuEJMAAAACL10iLzujoAQAAi9iJRCQg6xUz24lcJCCLvCS4AAAASIu0JLAAAACD/wF1SIXbdURFM8Az0kiLzui1AQAA6xOLvCS4AAAASIu0JLAAAACLXCQgRTPAM9JIi87o7/3//+sTi7wkuAAAAEiLtCSwAAAAi1wkIIX/dAWD/wN1IEyLhCTAAAAAi9dIi87ov/3//4vYiUQkIOsGM9uJXCQgi8NIgcSQAAAAX15bw8zMzMzMzMzMzMxmZg8fhAAAAAAASDsN6SIAAHUQSMHBEGb3wf//dQHDSMHJEOmSAQAAzMzMzMzMSP8ltRQAAMzMzMzMzMzMzDPJSP8lmxQAAMzMzMzMzMxIiVwkIFVIi+xIg+wgSINlGABIuzKi3y2ZKwAASIsFiSIAAEg7ww+FjwAAAEiNTRj/FU4UAABIi0UYSIlFEP8VABQAAIvASDFFEP8V/BMAAIvASDFFEP8VIBQAAIvASMHgGEgxRRD/FRAUAACLwEiNTRBIM0UQSDPBSI1NIEiJRRD/FeUTAACLRSBIuf///////wAASMHgIEgzRSBIM0UQSCPBSLkzot8tmSsAAEg7w0gPRMFIiQXxIQAASItcJEhI99BIiQXqIQAASIPEIF3DzMzMzMzM/yXYEgAAzMzMzMzM/yXEEgAAzMzMzMzMzMxIg+wog/oBdQb/FTUTAAC4AQAAAEiDxCjDzMzMzMzMzMzMzMzMzMzMzMzMzMIAAMzMzMzMzMzMzEBTSIPsIEiL2TPJ/xWTEgAASIvL/xWCEgAA/xUUEwAASIvIugkEAMBIg8QgW0j/JfgSAADMzMzMzMzMzMzMzMzMzMzMSIlMJAhIgeyIAAAASI0NHSIAAP8VLxMAAEiLBQgjAABIiUQkSEUzwEiNVCRQSItMJEj/FSATAABIiUQkQEiDfCRAAHRCSMdEJDgAAAAASI1EJFhIiUQkMEiNRCRgSIlEJChIjQXHIQAASIlEJCBMi0wkQEyLRCRISItUJFAzyf8VyxIAAOsjSIsFOiIAAEiLAEiJBZAiAABIiwUpIgAASIPACEiJBR4iAABIiwV3IgAASIkF6CAAAEiLhCSQAAAASIkF6SEAAMcFvyAAAAkEAMDHBbkgAAABAAAAxwXDIAAAAwAAALgIAAAASGvAAEiNDbsgAABIxwQBAgAAALgIAAAASGvAAUiNDaMgAABIixUsIAAASIkUAbgIAAAASGvAAkiNDYggAABIixUZIAAASIkUAbgIAAAASGvAAEiLDf0fAABIiUwEaLgIAAAASGvAAUiLDfAfAABIiUwEaEiNDdwPAADoU/7//0iBxIgAAADDzMzMzMzMzMzMzMzMzMzMzMzMzMzM/yWUEAAAzMzMzMzM/yWQEAAAzMzMzMzM/yWMEAAAzMzMzMzMzMxIg+woTYtBOEiLykmL0egRAAAAuAEAAABIg8Qow8zMzMzMzMxAU0WLGEiL2kGD4/hMi8lB9gAETIvRdBNBi0AITWNQBPfYTAPRSGPITCPRSWPDSosUEEiLQxCLSAhIA0sI9kEDD3QMD7ZBA4Pg8EiYTAPITDPKSYvJW+kl/P//zMzMzMzMzMzMzMxmZg8fhAAAAAAA/+DMzMzMzMxAVUiD7CBIi+pIiU04SIsBixCJVSRIiU1AM8BIg8QgXcPMQFVIg+wgSIvqSIlNSEiLAYsQiVUoSIlNUDPASIPEIF3DzEBVSIPsIEiL6kiJTVhIiwGLEIlVLEiJTWAzwEiDxCBdw8xAVUiD7CBIi+pIiU1oSIsBixCJVTBIiU1wM8BIg8QgXcPMQFVIg+w
gSIvqSIlNeEiLAYsQiVU0SImNgAAAADPASIPEIF3DzEBVSIPsIEiL6kiDxCBdw8wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBAAIABAAAA8EAAgAEAAADQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAgAEAAAAAAAAAAAAAAAAAAAAAAAAAKDIAgAEAAAAwMgCAAQAAAFgyAIABAAAABQAAAAAAAAAANQEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAeD4AAAAAAABkPwAAAAAAAG4/AAAAAAAAAAAAAAAAAADOOwAAAAAAAMA7AAAAAAAAAAAAAAAAAAAQPQAAAAAAACw9AAAAAAAA6j4AAAAAAAAAAAAAAAAAAPo+AAAAAAAA2D4AAAAAAADMPgAAAAAAAAAAAAAAAAAACD8AAAAAAAAAAAAAAAAAAFI8AAAAAAAAFj8AAAAAAABGPAAAAAAAAAAAAAAAAAAA9DwAAAAAAAAAAAAAAAAAAJ48AAAAAAAAtDwAAAAAAABePQAAAAAAAEo9AAAAAAAAAAAAAAAAAACEPAAAAAAAAAAAAAAAAAAA5DwAAAAAAADKPAAAAAAAAAAAAAAAAAAAZDwAAAAAAAB0PAAAAAAAAAAAAAAAAAAAsD4AAAAAAAD6OwAAAAAAACg8AAAAAAAADjwAAAAAAAAAAAAAAAAAAHAeAIABAAAAACEAgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQAAAgEQAAkBsAAHAeAADAHgAAAAAAAC5caHN0aXRyYWNlLmxvZwAgUHJvdmlkZXJFcnJvcjoAOlByb3ZpZGVyRXJyb3IgAERldGVybWluaW5nIENvdW50LiAAAAAAAAAAAAAAAAAAICEhISBFcnJvciBidWZmZXIgZmFpbGVkIGFsbG9jYXRpb24gISEhIAAAAAAAAAAARGV0ZXJtaW5lIFNlY3VyaXR5RmVhdHVyZXNTaXplLiAAAAAAAAAAAExvb3AuLi4gAAAAAAAAAAAAAAAAAAAAACBVbnN1cHBvcnRlZCBBSVAgaWdub3JlZCAAAAAAAAAAICEhISBVRUZJIFByb3RvY29sIEVycm9yIERldGVjdGVkICEhISAAADpJRCAAAAAAIElEOgAAAAA6RVJST1IgACBFUlJPUjoAOlJPTEUgAAAgUk9MRToAAAAAAAAAAAAAOnNlY3VyaXR5RmVhdHVyZXNTaXplIAAAAAAAAAAAAAAgc2VjdXJpdHlGZWF0dXJlc1NpemU6AAAAAAAAAAAAACAhISEgRXJyb3IgZGV0ZWN0ZWQsIGJhaWxpbmcgb3V0ICEhISAAAAAAAAAAAAAAAFZlcmlmaWVkIGJ1ZmZlciBhbGxvY2F0aW9uIGZhaWxlZC4AAAAAAAAAAAAAAAAAAExvb3Bpbmcgb24gcHJvdmlkZXJzIHRvIGFjY3VtdWxhdGUgaW1wbGVtZW50ZWQgYW5kIHZlcmlmaWVkLgAAAABDb21wYXJpbmcgcmVxdWlyZWQgYnl0ZSB0byB2ZXJpZmllZC4uLgAAOlZFUklGSUVEIAAAAAAAACBWRVJJRklFRDoAAAAAAAA6UkVRVUlSRUQgAAAAAAAAIFJFUVVJUkVEOgAAAAAAAAAAAAAAAAAAISEhIHZlcmlmaWVkIGJ5dGUgZG9lcyBub3QgbWF0Y2ggcmVxdWlyZWQgISEhAAAAQ0xFQU5VUCAAAAAAAAAAADpPVkVSQUxMAAAAAAAAAABPVkVSQUxMOgAAAAAAAAAAUHJvdmlkZXIgRXJyb3JzIGN
vcHkgc3RhcnQAAAAAAABQcm92aWRlciBFcnJvcnMgY29weSBlbmQAAAAAAAAAAEJMT0IgU3RhcnQ6AAAAAAA6QkxPQiBFbmQgIAAAAAAAAAAAAGt3EVgAAAAAAgAAACUAAAD4NQAA+BsAAAAAAABrdxFYAAAAAA0AAACgAQAAIDYAACAcAABSU0RT1J4Ttoijw0G4zY0uYG3g7wEAAABIc3RpVGVzdC5wZGIAAAAAR0NUTAAQAADwEAAALnRleHQkbW4AAAAA8CAAABIAAAAudGV4dCRtbiQwMAACIQAAwwAAAC50ZXh0JHgAADAAAOAAAAAucmRhdGEkYnJjAADgMAAASAEAAC5pZGF0YSQ1AAAAACgyAAAQAAAALjAwY2ZnAAA4MgAACAAAAC5DUlQkWENBAAAAAEAyAAAIAAAALkNSVCRYQ1oAAAAASDIAAAgAAAAuQ1JUJFhJQQAAAABQMgAACAAAAC5DUlQkWElaAAAAAFgyAAAYAAAALmNmZ3VhcmQAAAAAcDIAAIgDAAAucmRhdGEAAPg1AADIAQAALnJkYXRhJHp6emRiZwAAAMA3AABQAQAALnhkYXRhAAAQOQAAZAAAAC5lZGF0YQAAdDkAAPAAAAAuaWRhdGEkMgAAAABkOgAAFAAAAC5pZGF0YSQzAAAAAHg6AABIAQAALmlkYXRhJDQAAAAAwDsAALgDAAAuaWRhdGEkNgAAAAAAQAAAEAAAAC5kYXRhAAAAEEAAALAFAAAuYnNzAAAAAABQAAAgAQAALnBkYXRhAAABEwgAEzQMABNSDPAK4AhwB2AGUBkkBwASZDMAEjQyABIBLgALcAAAbCAAAGABAAABBAEABEIAAAEPBgAPZAcADzQGAA8yC3ABCAEACEIAABknCgAZARMADfAL4AnQB8AFcARgAzACUGwgAACIAAAAARgKABhkDAAYVAsAGDQKABhSFPAS4BBwGRgFABgBEgARcBBgDzAAAEYgAAAGAAAAGBwAAC0cAAAIIQAALRwAAEocAABkHAAAKiEAAGQcAACCHAAAkRwAAEwhAACRHAAApBwAALMcAABuIQAAsxwAAM8cAADpHAAAkCEAAOkcAAD5GwAA7xwAALUhAAAAAAAAAQYCAAYyAlABCgQACjQGAAoyBnAAAAAAAQAAAAENBAANNAkADTIGUAEGAgAGMgIwAQwCAAwBEQABAAAAAQIBAAIwAAAAAAAAAAAAAAAAAAAAAAAAd24RWAAAAABMOQAAAQAAAAIAAAACAAAAODkAAEA5AABIOQAAEBAAACARAABZOQAAYzkAAAAAAQBIU1RJVEVTVC5kbGwAUXVlcnlIU1RJAFF1ZXJ5SFNUSWRldGFpbHMAmDoAAAAAAAAAAAAA2jsAAAAxAACYOwAAAAAAAAAAAAA8PAAAADIAAAA7AAAAAAAAAAAAAHI9AABoMQAAgDsAAAAAAAAAAAAAkj0AAOgxAABYOwAAAAAAAAAAAACyPQAAwDEAADA7AAAAAAAAAAAAANY9AACYMQAAaDsAAAAAAAAAAAAAAD4AANAxAAAgOwAAAAAAAAAAAAAkPgAAiDEAALA6AAAAAAAAAAAAAE4+AAAYMQAAeDoAAAAAAAAAAAAAkD4AAOAwAADQOgAAAAAAAAAAAAAiPwAAODEAAPA6AAAAAAAAAAAAAEI/AABYMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4PgAAAAAAAGQ/AAAAAAAAbj8AAAAAAAAAAAAAAAAAAM47AAAAAAAAwDsAAAAAAAAAAAAAAAAAABA9AAAAAAAALD0AAAAAAADqPgAAAAAAAAAAAAAAAAAA+j4AAAAAAADYPgAAAAAAAMw+AAAAAAAAAAAAAAAAAAAIPwAAAAAAAAAAAAAAAAAAUjwAAAAAAAAWPwAAAAAAAEY8AAAAAAAAAAAAAAAAAAD0PAAAAAAAAAAAAAAAAAAAnjwAAAAAAAC0PAAAAAAAAF49AAAAAAAASj0AAAA
AAAAAAAAAAAAAAIQ8AAAAAAAAAAAAAAAAAADkPAAAAAAAAMo8AAAAAAAAAAAAAAAAAABkPAAAAAAAAHQ8AAAAAAAAAAAAAAAAAACwPgAAAAAAAPo7AAAAAAAAKDwAAAAAAAAOPAAAAAAAAAAAAAAAAAAABwBfaW5pdHRlcm1fZQAGAF9pbml0dGVybQBhcGktbXMtd2luLWNvcmUtY3J0LWwyLTEtMC5kbGwAANACUnRsQ2FwdHVyZUNvbnRleHQAjQRSdGxMb29rdXBGdW5jdGlvbkVudHJ5AAC3BVJ0bFZpcnR1YWxVbndpbmQAAG50ZGxsLmRsbAAGAEhlYXBGcmVlAAAAAEdldFByb2Nlc3NIZWFwAAAEAEVuY29kZVBvaW50ZXIAAQBEZWNvZGVQb2ludGVyAAAAUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIADQBHZXRDdXJyZW50UHJvY2Vzc0lkABEAR2V0Q3VycmVudFRocmVhZElkAAAUAEdldFN5c3RlbVRpbWVBc0ZpbGVUaW1lABgAR2V0VGlja0NvdW50AAABAERpc2FibGVUaHJlYWRMaWJyYXJ5Q2FsbHMAEQBVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAAA8AU2V0VW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAAwAR2V0Q3VycmVudFByb2Nlc3MATQBUZXJtaW5hdGVQcm9jZXNzAABhcGktbXMtd2luLWNvcmUtaGVhcC1sMS0yLTAuZGxsAGFwaS1tcy13aW4tY29yZS11dGlsLWwxLTEtMC5kbGwAYXBpLW1zLXdpbi1jb3JlLXByb2ZpbGUtbDEtMS0wLmRsbAAAYXBpLW1zLXdpbi1jb3JlLXByb2Nlc3N0aHJlYWRzLWwxLTEtMi5kbGwAYXBpLW1zLXdpbi1jb3JlLXN5c2luZm8tbDEtMi0xLmRsbAAAYXBpLW1zLXdpbi1jb3JlLWxpYnJhcnlsb2FkZXItbDEtMi0wLmRsbAAAYXBpLW1zLXdpbi1jb3JlLWVycm9yaGFuZGxpbmctbDEtMS0xLmRsbAAAAABfX0Nfc3BlY2lmaWNfaGFuZGxlcgAAYXBpLW1zLXdpbi1jb3JlLWNydC1sMS0xLTAuZGxsAADbAU50UXVlcnlTeXN0ZW1JbmZvcm1hdGlvbgAAWQBXcml0ZUZpbGUAUwBTZXRGaWxlUG9pbnRlcgAABQBHZXRMYXN0RXJyb3IAAAUAQ3JlYXRlRmlsZUEAAABDbG9zZUhhbmRsZQACAEhlYXBBbGxvYwBhcGktbXMtd2luLWNvcmUtZmlsZS1sMS0yLTEuZGxsAGFwaS1tcy13aW4tY29yZS1oYW5kbGUtbDEtMS0wLmRsbAAzAG1lbWNweQAANwBtZW1zZXQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyot8tmSsAAM1dINJm1P//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQAAAXEQAAwDcAACwRAAAaEgAA1DcAACASAABwEgAA8DcAAHgSAAC2EgAA+DcAALwSAADyEgAACDgAAPgSAABRGQAAEDgAAFgZAACaGgAAMDgAAKAaAAB7GwAAyDgAAJAbAADNGwAA+DcAANQbAAD8HAAASDgAABAdAAAuHQAA2DgAAFQdAAAkHgAA3DgAAEQeAABdHgAA8DcAAHweAACwHgAA6DgAAMAeAAAxIAAA8DgAAGwgAACJIAAA8DcAAJAgAADrIAAA/DgAAAAhAAACIQAA+DgAAAghAAAqIQAAwDgAACohAABMIQAAwDgAAEwhAABuIQAAwDgAAG4hAACQIQAAwDgAAJAhAAC1IQAAwDgAALUhAADFIQAAwDgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAABgAAAAAoAigaKCAoIigkKAoojCiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" - -function Log($message) -{ - $message | Out-File $LogFile -Append -Force -} - -function LogAndConsole($message) -{ - Write-Host $message - Log $message -} - -function LogAndConsoleWarning($message) -{ - Write-Host $message -foregroundcolor "Yellow" - Log $message -} - -function LogAndConsoleSuccess($message) -{ - Write-Host $message 
-foregroundcolor "Green" - Log $message -} - -function LogAndConsoleError($message) -{ - Write-Host $message -foregroundcolor "Red" - Log $message -} - -function IsExempted([System.IO.FileInfo] $item) -{ - $cert = (Get-AuthenticodeSignature $item.FullName).SignerCertificate - if($cert.ToString().Contains("CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US")) - { - Log $item.FullName + "MS Exempted" - return 1 - } - else - { - Log $item.FullName + "Not-exempted" - Log $cert.ToString() - return 0 - } -} - -function CheckExemption($_ModName) -{ - $mod1 = Get-ChildItem $Sys32Path $_ModName - $mod2 = Get-ChildItem $DriverPath $_ModName - if($mod1) - { - Log "NonDriver module" + $mod1.FullName - return IsExempted($mod1) - } - elseif($mod2) - { - Log "Driver Module" + $mod2.FullName - return IsExempted($mod2) - } - -} - -function CheckFailedDriver($_ModName, $CIStats) -{ - Log "Module: " $_ModName.Trim() - if(CheckExemption($_ModName.Trim()) - eq 1) - { - $CompatibleModules.AppendLine("Windows Signed: " + $_ModName.Trim()) | Out-Null - return - } - $index = $CIStats.IndexOf("execute pool type count:".ToLower()) - if($index -eq -1) - { - return - } - $_tempStr = $CIStats.Substring($index) - $Result = "PASS" - $separator = "`r`n","" - $option = [System.StringSplitOptions]::RemoveEmptyEntries - $stats = $_tempStr.Split($separator,$option) - Log $stats.Count - - $FailingStat = "" - foreach( $stat in $stats) - { - $_t =$stat.Split(":") - if($_t.Count -eq 2 -and $_t[1].trim() -ne "0") - { - $Result = "FAIL" - $FailingStat = $stat - break - } - } - if($Result.Contains("PASS")) - { - $CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null - } - elseif($FailingStat.Trim().Contains("execute-write")) - { - $FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null - } - else - { - $FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null - } - 
Log "Result: " $Result
-}
-
-function ListCIStats($_ModName, $str1)
-{
- $i1 = $str1.IndexOf("Code Integrity Statistics:".ToLower())
- if($i1 -eq -1 )
- {
- Log "String := " $str1
- Log "Warning! CI Stats are missing for " $_ModName
- return
- }
- $temp_str1 = $str1.Substring($i1)
- $CIStats = $temp_str1.Substring(0).Trim()
-
- CheckFailedDriver $_ModName $CIStats
-}
-
-function ListDrivers($str)
-{
- $_tempStr= $str
-
- $separator = "module:",""
- $option = [System.StringSplitOptions]::RemoveEmptyEntries
- $index1 = $_tempStr.IndexOf("MODULE:".ToLower())
- if($index1 -lt 0)
- {
- return
- }
- $_tempStr = $_tempStr.Substring($Index1)
- $_SplitStr = $_tempStr.Split($separator,$option)
-
-
- Log $_SplitStr.Count
- LogAndConsole "Verifying each module please wait ... "
- foreach($ModuleDetail in $_Splitstr)
- {
- #LogAndConsole $Module
- $Index2 = $ModuleDetail.IndexOf("(")
- if($Index2 -eq -1)
- {
- "Skipping .."
- continue
- }
- $ModName = $ModuleDetail.Substring(0,$Index2-1)
- Log "Driver: " $ModName
- Log "Processing module: " $ModName
- ListCIStats $ModName $ModuleDetail
- }
-
- $DriverScanCompletedMessage = "Completed scan.
List of Compatible Modules can be found at " + $LogFile
- LogAndConsole $DriverScanCompletedMessage
-
- if($FailingModules.Length -gt 0 -or $FailingExecuteWriteCheck.Length -gt 0 )
- {
- $WarningMessage = "Incompatible HVCI Kernel Driver Modules found"
- if($HLK)
- {
- LogAndConsoleError $WarningMessage
- }
- else
- {
- LogAndConsoleWarning $WarningMessage
- }
-
- LogAndConsoleError $FailingExecuteWriteCheck.ToString()
- if($HLK)
- {
- LogAndConsoleError $FailingModules.ToString()
- }
- else
- {
- LogAndConsoleWarning $FailingModules.ToString()
- }
- if($FailingModules.Length -ne 0 -or $FailingExecuteWriteCheck.Length -ne 0 )
- {
- if($HLK)
- {
- $DGVerifyCrit.AppendLine($WarningMessage) | Out-Null
- }
- else
- {
- $DGVerifyWarn.AppendLine($WarningMessage) | Out-Null
- }
- }
- }
- else
- {
- LogAndConsoleSuccess "No Incompatible Drivers found"
- }
-}
-
-function ListSummary()
-{
- if($DGVerifyCrit.Length -ne 0 )
- {
- LogAndConsoleError "Machine is not Device Guard / Credential Guard compatible because of the following:"
- LogAndConsoleError $DGVerifyCrit.ToString()
- LogAndConsoleWarning $DGVerifyWarn.ToString()
- if(!$HVCI -and !$DG)
- {
- ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 0 /f '
- }
- if(!$CG)
- {
- ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 0 /f '
- ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 0 /f '
- }
-
- }
- elseif ($DGVerifyWarn.Length -ne 0 )
- {
- LogAndConsoleSuccess "Device Guard / Credential Guard can be enabled on this machine.`n"
- LogAndConsoleWarning "The following additional qualifications, if present, can enhance the security of Device Guard / Credential Guard on this system:"
- LogAndConsoleWarning $DGVerifyWarn.ToString()
- if(!$HVCI -and !$DG)
- {
- ExecuteCommandAndLog 'REG ADD
"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 1 /f '
- }
- if(!$CG)
- {
- ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 1 /f '
- ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 1 /f '
- }
- }
- else
- {
- LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n"
- if(!$HVCI -and !$DG)
- {
- ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 2 /f '
- }
- if(!$CG)
- {
- ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 2 /f '
- ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 2 /f '
- }
- }
-}
-
-
-function Instantiate-Kernel32 {
- try
- {
- Add-Type -TypeDefinition @"
- using System;
- using System.Diagnostics;
- using System.Runtime.InteropServices;
-
- public static class Kernel32
- {
- [DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)]
- public static extern IntPtr LoadLibrary(
- [MarshalAs(UnmanagedType.LPStr)]string lpFileName);
-
- [DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]
- public static extern IntPtr GetProcAddress(
- IntPtr hModule,
- string procName);
- }
-
-"@
- }
- catch
- {
- Log $_.Exception.Message
- LogAndConsole "Instantiate-Kernel32 failed"
- }
-}
-
-function Instantiate-HSTI {
- try
- {
- Add-Type -TypeDefinition @"
- using System;
- using System.Diagnostics;
- using System.Runtime.InteropServices;
- using System.Net;
-
- public static class HstiTest3
- {
- [DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
- public static extern int QueryHSTIdetails(
- ref HstiOverallError pHstiOverallError,
- [In, Out]
HstiProviderErrorDuple[] pHstiProviderErrors,
- ref uint pHstiProviderErrorsCount,
- byte[] hstiPlatformSecurityBlob,
- ref uint pHstiPlatformSecurityBlobBytes);
-
- [DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
- public static extern int QueryHSTI(ref bool Pass);
-
- [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
- public struct HstiProviderErrorDuple
- {
- internal uint protocolError;
- internal uint role;
- internal HstiProviderErrors providerError;
- [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)]
- internal string ID;
- [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 4096)]
- internal string ErrorString;
- }
-
- [FlagsAttribute]
- public enum HstiProviderErrors : int
- {
- None = 0x00000000,
- VersionMismatch = 0x00000001,
- RoleUnknown = 0x00000002,
- RoleDuplicated = 0x00000004,
- SecurityFeatureSizeMismatch = 0x00000008,
- SizeTooSmall = 0x00000010,
- VerifiedMoreThanImplemented = 0x00000020,
- VerifiedNotMatchImplemented = 0x00000040
- }
-
- [FlagsAttribute]
- public enum HstiOverallError : int
- {
- None = 0x00000000,
- RoleTooManyPlatformReference = 0x00000001,
- RoleTooManyIbv = 0x00000002,
- RoleTooManyOem = 0x00000004,
- RoleTooManyOdm = 0x00000008,
- RoleMissingPlatformReference = 0x00000010,
- VerifiedIncomplete = 0x00000020,
- ProtocolErrors = 0x00000040,
- BlobVersionMismatch = 0x00000080,
- PlatformSecurityVersionMismatch = 0x00000100,
- ProviderError = 0x00000200
- }
-
- }
-"@
-
- $LibHandle = [Kernel32]::LoadLibrary("C:\Windows\System32\hstitest.dll")
- $FuncHandle = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTIdetails")
- $FuncHandle2 = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTI")
-
- if ([System.IntPtr]::Size -eq 8)
- {
- #assuming 64 bit
- Log "`nKernel32::LoadLibrary 64bit --> 0x$("{0:X16}" -f $LibHandle.ToInt64())"
- Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())"
- }
- else
- {
- return
- }
- $overallError = New-Object HstiTest3+HstiOverallError
-
$providerErrorDupleCount = New-Object int
- $blobByteSize = New-Object int
- $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize)
-
- [byte[]]$blob = New-Object byte[] $blobByteSize
- [HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount
- $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize)
- $string = $null
- $blob | foreach { $string = $string + $_.ToString("X2")+"," }
-
- $hstiStatus = New-Object bool
- $hr = [HstiTest3]::QueryHSTI([ref] $hstiStatus)
-
- LogAndConsole "HSTI Duple Count: $providerErrorDupleCount"
- LogAndConsole "HSTI Blob size: $blobByteSize"
- LogAndConsole "String: $string"
- LogAndConsole "HSTIStatus: $hstiStatus"
- if(($blobByteSize -gt 512) -and ($providerErrorDupleCount -gt 0) -and $hstiStatus)
- {
- LogAndConsoleSuccess "HSTI validation successful"
- }
- elseif(($providerErrorDupleCount -eq 0) -or ($blobByteSize -le 512))
- {
- LogAndConsoleWarning "HSTI is absent"
- $DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null
- }
- else
- {
- $ErrorMessage = "HSTI validation failed"
- if($HLK)
- {
- LogAndConsoleError $ErrorMessage
- $DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null
- }
- else
- {
- LogAndConsoleWarning $ErrorMessage
- $DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null
- }
- }
-
- }
- catch
- {
- LogAndConsoleError $_.Exception.Message
- LogAndConsoleError "Instantiate-HSTI failed"
- }
-}
-
-
-function CheckDGRunning($_val)
-{
- $DGObj = Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard
- for($i=0; $i -lt $DGObj.SecurityServicesRunning.length; $i++)
- {
- if($DGObj.SecurityServicesRunning[$i] -eq $_val)
- {
- return 1
- }
-
- }
- return 0
-}
-
-function CheckDGFeatures($_val)
-{
- $DGObj = Get-CimInstance -classname Win32_DeviceGuard -namespace
root\Microsoft\Windows\DeviceGuard
- Log "DG_obj $DG_obj"
- Log "DG_obj.AvailableSecurityProperties.length $DG_obj.AvailableSecurityProperties.length"
- for($i=0; $i -lt $DGObj.AvailableSecurityProperties.length; $i++)
- {
- if($DGObj.AvailableSecurityProperties[$i] -eq $_val)
- {
- return 1
- }
-
- }
- return 0
-}
-
-function PrintConfigCIDetails($_ConfigCIState)
-{
- $_ConfigCIRunning = "Config-CI is enabled and running."
- $_ConfigCIDisabled = "Config-CI is not running."
- $_ConfigCIMode = "Not Enabled"
- switch ($_ConfigCIState)
- {
- 0 { $_ConfigCIMode = "Not Enabled" }
- 1 { $_ConfigCIMode = "Audit mode" }
- 2 { $_ConfigCIMode = "Enforced mode" }
- default { $_ConfigCIMode = "Not Enabled" }
- }
-
- if($_ConfigCIState -ge 1)
- {
- LogAndConsoleSuccess "$_ConfigCIRunning ($_ConfigCIMode)"
- }
- else
- {
- LogAndConsoleWarning "$_ConfigCIDisabled ($_ConfigCIMode)"
- }
-}
-
-function PrintHVCIDetails($_HVCIState)
-{
- $_HvciRunning = "HVCI is enabled and running."
- $_HvciDisabled = "HVCI is not running."
-
- if($_HVCIState)
- {
- LogAndConsoleSuccess $_HvciRunning
- }
- else
- {
- LogAndConsoleWarning $_HvciDisabled
- }
-}
-
-function PrintCGDetails ($_CGState)
-{
- $_CGRunning = "Credential-Guard is enabled and running."
- $_CGDisabled = "Credential-Guard is not running."
-
- if($_CGState)
- {
- LogAndConsoleSuccess $_CGRunning
- }
- else
- {
- LogAndConsoleWarning $_CGDisabled
- }
-}
-
-if(![IO.Directory]::Exists($path))
-{
- New-Item -ItemType directory -Path $path
-}
-else
-{
- #Do Nothing!!
-} - -function IsRedstone -{ - $_osVersion = [environment]::OSVersion.Version - Log $_osVersion - #Check if build Major is Windows 10 - if($_osVersion.Major -lt 10) - { - return 0 - } - #Check if the build is post Threshold2 (1511 release) => Redstone - if($_osVersion.Build -gt 10586) - { - return 1 - } - #default return False - return 0 -} - -function ExecuteCommandAndLog($_cmd) -{ - try - { - Log "Executing: $_cmd" - $CmdOutput = Invoke-Expression $_cmd | Out-String - Log "Output: $CmdOutput" - } - catch - { - Log "Exception while exectuing $_cmd" - Log $_.Exception.Message - } - - -} - -function PrintRebootWarning -{ - LogAndConsoleWarning "Please reboot the machine, for settings to be applied." -} - -function AutoRebootHelper -{ - if($AutoReboot) - { - LogAndConsole "PC will restart in 30 seconds" - ExecuteCommandAndLog 'shutdown /r /t 30' - } - else - { - PrintRebootWarning - } - -} - -function VerifierReset -{ - $verifier_state = verifier /query | Out-String - if(!$verifier_state.ToString().Contains("No drivers are currently verified.")) - { - ExecuteCommandAndLog 'verifier.exe /reset' - } - AutoRebootHelper -} - -function PrintHardwareReq -{ - LogAndConsole "###########################################################################" - LogAndConsole "OS and Hardware requirements for enabling Device Guard and Credential Guard" - LogAndConsole " 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education and Enterprise IoT" - LogAndConsole " 2. Hardware: Recent hardware that supports virtualization extension with SLAT" - LogAndConsole "To learn more please visit: https://aka.ms/dgwhcr" - LogAndConsole "########################################################################### `n" -} - -function CheckDriverCompat -{ - $_HVCIState = CheckDGRunning(2) - if($_HVCIState) - { - LogAndConsoleWarning "HVCI is already enabled on this machine, driver compat list might not be complete." 
- LogAndConsoleWarning "Please disable HVCI and run the script again..." - } - $verifier_state = verifier /query | Out-String - if($verifier_state.ToString().Contains("No drivers are currently verified.")) - { - LogAndConsole "Enabling Driver verifier" - verifier.exe /flags 0x02000000 /all /bootmode oneboot /log.code_integrity - - LogAndConsole "Enabling Driver Verifier and Rebooting system" - Log $verifier_state - LogAndConsole "Please re-execute this script after reboot...." - if($AutoReboot) - { - LogAndConsole "PC will restart in 30 seconds" - ExecuteCommandAndLog 'shutdown /r /t 30' - } - else - { - LogAndConsole "Please reboot manually and run the script again...." - } - exit - } - else - { - LogAndConsole "Driver verifier already enabled" - Log $verifier_state - ListDrivers($verifier_state.Trim().ToLowerInvariant()) - } -} -function IsDomainController -{ - $_isDC = 0 - $CompConfig = Get-WmiObject Win32_ComputerSystem - foreach ($ObjItem in $CompConfig) - { - $Role = $ObjItem.DomainRole - Log "Role=$Role" - Switch ($Role) - { - 0 { Log "Standalone Workstation" } - 1 { Log "Member Workstation" } - 2 { Log "Standalone Server" } - 3 { Log "Member Server" } - 4 - { - Log "Backup Domain Controller" - $_isDC=1 - break - } - 5 - { - Log "Primary Domain Controller" - $_isDC=1 - break - } - default { Log "Unknown Domain Role" } - } - } - return $_isDC -} - -function CheckOSSKU -{ - $osname = $((Get-ComputerInfo).WindowsProductName).ToLower() - $_SKUSupported = 0 - Log "OSNAME:$osname" - $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server") - $HLKAllowed = @("windows 10 pro") - foreach ($SKUent in $SKUarray) - { - if($osname.ToString().Contains($SKUent.ToLower())) - { - $_SKUSupported = 1 - break - } - } - - # For running HLK tests only, professional SKU's are marked as supported. 
- if($HLK) - { - if($osname.ToString().Contains($HLKAllowed.ToLower())) - { - $_SKUSupported = 1 - } - } - $_isDomainController = IsDomainController - if($_SKUSupported) - { - LogAndConsoleSuccess "This PC edition is Supported for DeviceGuard"; - if(($_isDomainController -eq 1) -and !$HVCI -and !$DG) - { - LogAndConsoleError "This PC is configured as a Domain Controller, Credential Guard is not supported on DC." - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleError "This PC edition is Unsupported for Device Guard" - $DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 0 /f ' - } -} - -function CheckOSArchitecture -{ - $OSArch = $(Get-WmiObject win32_operatingsystem).OSArchitecture.ToLower() - Log $OSArch - if($OSArch -match ("^64\-?\s?bit")) - { - LogAndConsoleSuccess "64 bit architecture" - } - elseif($OSArch -match ("^32\-?\s?bit")) - { - LogAndConsoleError "32 bit architecture" - $DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null - } - else - { - LogAndConsoleError "Unknown architecture" - $DGVerifyCrit.AppendLine("Unknown OS, OS Architecture failure.") | Out-Null - } -} - -function CheckSecureBootState -{ - try { - $_secureBoot = Confirm-SecureBootUEFI - } - catch - { - $_secureBoot = $false - } - Log $_secureBoot - if($_secureBoot) - { - LogAndConsoleSuccess "Secure Boot is present" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureBoot" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleError "Secure Boot is absent / not enabled." - LogAndConsoleError "If Secure Boot is supported on the system, enable Secure Boot in the BIOS and run the script again." 
- ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureBoot" /t REG_DWORD /d 0 /f ' - $DGVerifyCrit.AppendLine("Secure boot validation failed.") | Out-Null - } -} - -function CheckVirtualization -{ - $_vmmExtension = $(Get-WMIObject -Class Win32_processor).VMMonitorModeExtensions - $_vmFirmwareExtension = $(Get-WMIObject -Class Win32_processor).VirtualizationFirmwareEnabled - $_vmHyperVPresent = (Get-CimInstance -Class Win32_ComputerSystem).HypervisorPresent - Log "VMMonitorModeExtensions $_vmmExtension" - Log "VirtualizationFirmwareEnabled $_vmFirmwareExtension" - Log "HyperVisorPresent $_vmHyperVPresent" - - #success if either processor supports and enabled or if hyper-v is present - if(($_vmmExtension -and $_vmFirmwareExtension) -or $_vmHyperVPresent ) - { - LogAndConsoleSuccess "Virtualization firmware check passed" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "Virtualization" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleError "Virtualization firmware check failed." - LogAndConsoleError "If Virtualization extensions are supported on the system, enable hardware virtualization (Intel Virtualization Technology, Intel VT-x, Virtualization Extensions, or similar) in the BIOS and run the script again." - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "Virtualization" /t REG_DWORD /d 0 /f ' - $DGVerifyCrit.AppendLine("Virtualization firmware check failed.") | Out-Null - } -} - -function CheckTPM -{ - $TPMLockout = $(get-tpm).LockoutCount - - if($TPMLockout) - { - - if($TPMLockout.ToString().Contains("Not Supported for TPM 1.2")) - { - if($HLK) - { - LogAndConsoleSuccess "TPM 1.2 is present." - } - else - { - $WarningMsg = "TPM 1.2 is Present. TPM 2.0 is Preferred." 
- LogAndConsoleWarning $WarningMsg - $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null - } - } - else - { - LogAndConsoleSuccess "TPM 2.0 is present." - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "TPM" /t REG_DWORD /d 2 /f ' - } - else - { - $WarningMsg = "TPM is absent or not ready for use" - if($HLK) - { - LogAndConsoleError $WarningMsg - $DGVerifyCrit.AppendLine($WarningMsg) | Out-Null - } - else - { - LogAndConsoleWarning $WarningMsg - $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "TPM" /t REG_DWORD /d 0 /f ' - } -} - -function CheckSecureMOR -{ - $isSecureMOR = CheckDGFeatures(4) - Log "isSecureMOR= $isSecureMOR " - if($isSecureMOR -eq 1) - { - LogAndConsoleSuccess "Secure MOR is available" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureMOR" /t REG_DWORD /d 2 /f ' - } - else - { - $WarningMsg = "Secure MOR is absent" - if($HLK) - { - LogAndConsoleError $WarningMsg - $DGVerifyCrit.AppendLine($WarningMsg) | Out-Null - } - else - { - LogAndConsoleWarning $WarningMsg - $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureMOR" /t REG_DWORD /d 0 /f ' - } -} - -function CheckNXProtection -{ - $isNXProtected = CheckDGFeatures(5) - Log "isNXProtected= $isNXProtected " - if($isNXProtected -eq 1) - { - LogAndConsoleSuccess "NX Protector is available" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "UEFINX" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleWarning "NX Protector is absent" - $DGVerifyWarn.AppendLine("NX Protector is absent") | Out-Null - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "UEFINX" /t REG_DWORD /d 0 /f ' - } 
-} - -function CheckSMMProtection -{ - $isSMMMitigated = CheckDGFeatures(6) - Log "isSMMMitigated= $isSMMMitigated " - if($isSMMMitigated -eq 1) - { - LogAndConsoleSuccess "SMM Mitigation is available" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SMMProtections" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleWarning "SMM Mitigation is absent" - $DGVerifyWarn.AppendLine("SMM Mitigation is absent") | Out-Null - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SMMProtections" /t REG_DWORD /d 0 /f ' - } -} - -function CheckHSTI -{ - LogAndConsole "Copying HSTITest.dll" - try - { - $HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded) - [System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded) - - } - catch - { - LogAndConsole $_.Exception.Message - LogAndConsole "Copying and loading HSTITest.dll failed" - } - - Instantiate-Kernel32 - Instantiate-HSTI -} - -function PrintToolVersion -{ - LogAndConsole "" - LogAndConsole "###########################################################################" - LogAndConsole "" - LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard." - LogAndConsole "" - LogAndConsole "###########################################################################" - LogAndConsole "" - -} - -PrintToolVersion - -if(!($Ready) -and !($Capable) -and !($Enable) -and !($Disable) -and !($Clear) -and !($ResetVerifier)) -{ - #Print Usage if none of the options are specified - LogAndConsoleWarning "How to read the output:" - LogAndConsoleWarning "" - LogAndConsoleWarning " 1. Red Errors: Basic things are missing that will prevent enabling and using DG/CG" - LogAndConsoleWarning " 2. Yellow Warnings: This device can be used to enable and use DG/CG, but `n additional security benefits will be absent. 
To learn more please go through: https://aka.ms/dgwhcr" - LogAndConsoleWarning " 3. Green Messages: This device is fully compliant with DG/CG requirements`n" - - LogAndConsoleWarning "###########################################################################" - LogAndConsoleWarning "" - LogAndConsoleWarning "Hardware requirements for enabling Device Guard and Credential Guard" - LogAndConsoleWarning " 1. Hardware: Recent hardware that supports virtualization extension with SLAT" - LogAndConsoleWarning "" - LogAndConsoleWarning "########################################################################### `n" - - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -[Capable/Ready/Enable/Disable/Clear] -[DG/CG/HVCI] -[AutoReboot] -Path" - LogAndConsoleWarning "Log file with details is found here: C:\DGLogs `n" - - LogAndConsoleWarning "To Enable DG/CG. If you have a custom SIPolicy.p7b then use the -Path parameter else the hardcoded default policy is used" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path `n" - - LogAndConsoleWarning "To Enable only HVCI" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable -HVCI `n" - - LogAndConsoleWarning "To Enable only CG" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable -CG `n" - - LogAndConsoleWarning "To Verify if DG/CG is enabled" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Ready `n" - - LogAndConsoleWarning "To Disable DG/CG." 
- LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Disable `n" - - LogAndConsoleWarning "To Verify if DG/CG is disabled" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Ready `n" - - LogAndConsoleWarning "To Verify if this device is DG/CG Capable" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Capable`n" - - LogAndConsoleWarning "To Verify if this device is HVCI Capable" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Capable -HVCI`n" - - LogAndConsoleWarning "To Auto reboot with each option" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -[Capable/Enable/Disable] -AutoReboot`n" - LogAndConsoleWarning "###########################################################################" - LogAndConsoleWarning "" - LogAndConsoleWarning "When the Readiness Tool with '-capable' is run the following RegKey values are set:" - LogAndConsoleWarning "" - LogAndConsoleWarning "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities" - LogAndConsoleWarning "CG_Capable" - LogAndConsoleWarning "DG_Capable" - LogAndConsoleWarning "HVCI_Capable" - LogAndConsoleWarning "" - LogAndConsoleWarning "Value 0 = not possible to enable DG/CG/HVCI on this device" - LogAndConsoleWarning "Value 1 = not fully compatible but has sufficient firmware/hardware/software features to enable DG/CG/HVCI" - LogAndConsoleWarning "Value 2 = fully compatible for DG/CG/HVCI" - LogAndConsoleWarning "" - LogAndConsoleWarning "########################################################################### `n" -} - -$user = [Security.Principal.WindowsIdentity]::GetCurrent(); -$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) - -if(!$TestForAdmin) -{ - LogAndConsoleError "This script requires local administrator privileges. Please execute this script as a local administrator." 
- exit -} - -$isRunningOnVM = (Get-WmiObject win32_computersystem).model -if($isRunningOnVM.Contains("Virtual")) -{ - LogAndConsoleWarning "Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization." -} - - -<# Check the DG status if enabled or disabled, meaning if the device is ready or not #> -if($Ready) -{ - PrintHardwareReq - - $DGRunning = $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning - $_ConfigCIState = $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard).CodeIntegrityPolicyEnforcementStatus - Log "Current DGRunning = $DGRunning, ConfigCI= $_ConfigCIState" - $_HVCIState = CheckDGRunning(2) - $_CGState = CheckDGRunning(1) - - if($HVCI) - { - Log "_HVCIState: $_HVCIState" - PrintHVCIDetails $_HVCIState - } - elseif($CG) - { - Log "_CGState: $_CGState" - PrintCGDetails $_CGState - - if($_CGState) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f' - } - else - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 0 /f' - } - } - elseif($DG) - { - Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" - - PrintHVCIDetails $_HVCIState - PrintConfigCIDetails $_ConfigCIState - - if($_ConfigCIState -and $_HVCIState) - { - LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running." - - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f' - } - else - { - LogAndConsoleWarning "Not all services are running." 
- - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f' - } - } - else - { - Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" - - PrintCGDetails $_CGState - PrintHVCIDetails $_HVCIState - PrintConfigCIDetails $_ConfigCIState - - if(($DGRunning.Length -ge 2) -and ($_CGState) -and ($_HVCIState) -and ($_ConfigCIState -ge 1)) - { - LogAndConsoleSuccess "HVCI, Credential Guard, and Config CI are enabled and running." - } - else - { - LogAndConsoleWarning "Not all services are running." - } - } -} - -<# Enable and Disable #> -if($Enable) -{ - PrintHardwareReq - - LogAndConsole "Enabling Device Guard and Credential Guard" - LogAndConsole "Setting RegKeys to enable DG/CG" - - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f' - #Only SecureBoot is required as part of RequirePlatformSecurityFeatures - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f' - - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f' - } - else - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f' - } - - if(!$HVCI -and !$DG) - { - # value is 2 for both Th2 and RS1 - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 2 /f' - } - if(!$CG) - { - if(!$_isRedstone) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f' - } - else - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD 
/d 1 /f' - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f' - } - } - - try - { - if(!$HVCI -and !$CG) - { - if(!$SIPolicyPath) - { - Log "Writing Decoded SIPolicy.p7b" - $SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded) - [System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded) - } - else - { - LogAndConsole "Copying user provided SIpolicy.p7b" - $CmdOutput = Copy-Item $SIPolicyPath "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" | Out-String - Log $CmdOutput - } - } - } - catch - { - LogAndConsole "Writing SIPolicy.p7b file failed" - } - - LogAndConsole "Enabling Hyper-V and IOMMU" - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately" - #Enable/Disable IOMMU separately - ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart' - } - $CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String - if(!$CmdOutput.Contains("The operation completed successfully.")) - { - $CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Online /All /NoRestart | Out-String - } - - Log $CmdOutput - if($CmdOutput.Contains("The operation completed successfully.")) - { - LogAndConsoleSuccess "Enabling Hyper-V and IOMMU successful" - #Reg key for HLK validation of DISM.EXE step - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HyperVEnabled" /t REG_DWORD /d 1 /f' - } - else - { - LogAndConsoleWarning "Enabling Hyper-V failed please check the log file" - #Reg key for HLK validation of DISM.EXE step - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HyperVEnabled" /t REG_DWORD /d 0 /f' - } - AutoRebootHelper -} - -if($Disable) -{ - LogAndConsole "Disabling Device 
Guard and Credential Guard" - LogAndConsole "Deleting RegKeys to disable DG/CG" - - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f' - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f' - - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f' - } - else - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f' - } - - if(!$CG) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f' - if($_isRedstone) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /f' - } - } - - if(!$HVCI -and !$DG) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /f' - } - - if(!$HVCI -and !$CG) - { - ExecuteCommandAndLog 'del "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"' - } - - if(!$HVCI -and !$DG -and !$CG) - { - LogAndConsole "Disabling Hyper-V and IOMMU" - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately" - #Enable/Disable IOMMU separately - ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart' - } - $CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String - if(!$CmdOutput.Contains("The operation completed successfully.")) - { - $CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Online /NoRestart | Out-String - } - Log $CmdOutput - if($CmdOutput.Contains("The operation completed successfully.")) - { - LogAndConsoleSuccess "Disabling Hyper-V and IOMMU successful" - } - else - { - 
LogAndConsoleWarning "Disabling Hyper-V failed please check the log file" - } - - #set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS - #these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always - #this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS - $FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random - Log "FreeDrive=$FreeDrive" - ExecuteCommandAndLog 'mountvol $FreeDrive /s' - $CmdOutput = Copy-Item "$env:windir\System32\SecConfig.efi" $FreeDrive\EFI\Microsoft\Boot\SecConfig.efi -Force | Out-String - LogAndConsole $CmdOutput - ExecuteCommandAndLog 'bcdedit /create "{0cb3b571-2f2e-4343-a879-d86a476d7215}" /d DGOptOut /application osloader' - ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" path \EFI\Microsoft\Boot\SecConfig.efi' - ExecuteCommandAndLog 'bcdedit /set "{bootmgr}" bootsequence "{0cb3b571-2f2e-4343-a879-d86a476d7215}"' - ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" loadoptions DISABLE-LSA-ISO,DISABLE-VBS' - ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" device partition=$FreeDrive' - ExecuteCommandAndLog 'mountvol $FreeDrive /d' - #steps complete - - } - AutoRebootHelper -} - -if($Clear) -{ - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities" /f' - VerifierReset -} - -if($ResetVerifier) -{ - VerifierReset -} - -<# Is machine Device Guard / Cred Guard Capable and Verify #> -if($Capable) -{ - PrintHardwareReq - - LogAndConsole "Checking if the device is DG/CG Capable" - - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - LogAndConsoleWarning "Capable is currently fully supported in Redstone only.." 
- } - $_StepCount = 1 - if(!$CG) - { - LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== " - $_StepCount++ - CheckDriverCompat - } - - LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== " - $_StepCount++ - CheckSecureBootState - - if(!$HVCI -and !$DG -and !$CG) - { - #check only if sub-options are absent - LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== " - $_StepCount++ - CheckHSTI - } - - LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== " - $_StepCount++ - CheckOSArchitecture - - LogAndConsole " ====================== Step $_StepCount Supported OS SKU ====================== " - $_StepCount++ - CheckOSSKU - - LogAndConsole " ====================== Step $_StepCount Virtualization Firmware ====================== " - $_StepCount++ - CheckVirtualization - - if(!$HVCI -and !$DG) - { - LogAndConsole " ====================== Step $_StepCount TPM version ====================== " - $_StepCount++ - CheckTPM - - LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== " - $_StepCount++ - CheckSecureMOR - } - - LogAndConsole " ====================== Step $_StepCount NX Protector ====================== " - $_StepCount++ - CheckNXProtection - - LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== " - $_StepCount++ - CheckSMMProtection - - LogAndConsole " ====================== End Check ====================== " - - LogAndConsole " ====================== Summary ====================== " - ListSummary - LogAndConsole "To learn more about required hardware and software please visit: https://aka.ms/dgwhcr" -} - - -# SIG # Begin signature block -## REPLACE -# SIG # End signature block - -``` 
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 33c5c76b9f..3e62a517a6 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -10,7 +10,7 @@ ms.topic: article
 Windows Hello for Business supports the use of a single credential (PIN and biometrics) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
-Windows Hello for Business can be configured with multi-factor device unlock, by extending Windows Hello with trusted signals. Administrators can configure devices to request a combination of factors and trusted signals to unlock theim.
+Windows Hello for Business can be configured with multi-factor device unlock, by extending Windows Hello with trusted signals. Administrators can configure devices to request a combination of factors and trusted signals to unlock them.
 Which organizations can take advantage of Multi-factor unlock? Those who:
@@ -65,7 +65,7 @@ For example, if you include the PIN and fingerprint credential providers in both
 The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device.
 ### Rule element
-You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0.
+You represent signal rules in XML. Each signal rule has a starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0.
 **Example**
 ```xml
@@ -267,7 +267,7 @@ This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, 10.10.0.1 10.10.0.2 corp.contoso.com - + ```
@@ -280,12 +280,12 @@ This example configures an IpConfig signal type using a dnsSuffix element and a
 ```xml - - corp.contoso.com - + + corp.contoso.com + , - + ```
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index 004083bb85..fa405ca079 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -8,7 +8,7 @@ ms.topic: article
 ---
 # Cloud-only deployment
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-cloud.md)]
+[!INCLUDE [hello-hybrid-key-trust](./includes/hello-cloud.md)]
 ## Introduction
@@ -47,9 +47,9 @@ We recommend that you disable or manage Windows Hello for Business provisioning
 ### Disable Windows Hello for Business using Intune Enrollment policy
-The following method explains how to disable Windows Hello for Business enrollment without Intune.
+The following method explains how to disable Windows Hello for Business enrollment using Intune.
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens.
 3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
index b7b06e3193..299c09d7f0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
+++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
@@ -37,5 +37,5 @@ Suppose instead that you sign in on **Device B** and change your password for yo
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index c9bc5a12f3..e6a01bb2b8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -89,4 +89,4 @@ To use Iris authentication, you’ll need a [HoloLens 2 device](/hololens/). All
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index d258d207f7..c765eb789e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -1,6 +1,6 @@
 ---
-title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust
-description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business certificate trust model.
+title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust model
+description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business on-premises certificate trust model.
 ms.date: 12/12/2022
 appliesto:
 - ✅ Windows 10 and later
@@ -9,7 +9,7 @@ ms.topic: tutorial
 ---
 # Prepare and deploy Active Directory Federation Services - on-premises certificate trust
-[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
 Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises certificate trust deployment model uses AD FS for *certificate enrollment* and *device registration*.
@@ -179,11 +179,11 @@ Sign-in the AD FS server with *domain administrator* equivalent credentials.
 Open a **Windows PowerShell** prompt and type the following command:
- ```PowerShell
- Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication
+```PowerShell
+Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication
 ```
- >[!NOTE]
- > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates.
+>[!NOTE]
+> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates.
 It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
 ### Enrollment agent certificate enrollment
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 870fc37596..5d92d9dcb7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -3,6 +3,7 @@ title: Configure Windows Hello for Business Policy settings in an on-premises ce
 description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
 ms.collection:
 - highpri
+ - tier1
 ms.date: 12/12/2022
 appliesto:
 - ✅ Windows 10 and later
@@ -11,7 +12,7 @@ ms.topic: tutorial
 ---
 # Configure Windows Hello for Business group policy settings - on-premises certificate Trust
-[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
 On-premises certificate-based deployments of Windows Hello for Business need three Group Policy settings:
 - Enable Windows Hello for Business
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index bac1a4e528..629e59b1e2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -9,7 +9,7 @@ ms.topic: tutorial
 ---
 # Validate Active Directory prerequisites - on-premises certificate trust
-[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
 The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index e5c4b9a2a4..c7c5b09a61 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -10,7 +10,7 @@ ms.topic: tutorial
 # Validate and deploy multi-factor authentication - on-premises certificate trust
-[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
 Windows Hello for Business requires users perform multi-factor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
@@ -20,9 +20,9 @@ Windows Hello for Business requires users perform multi-factor authentication (M
 > [!IMPORTANT]
 > As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
-For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
+For information about third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). To create a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method).
-Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
+Follow the integration and deployment guide for the authentication provider you plan to integrate to AD FS. 
Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies, see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
 > [!div class="nextstepaction"]
 > [Next: configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index f543372332..27f2375bae 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
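Review bot: The rewritten sentence reads `the authentication provider you plan to integrate to AD FS`; the idiomatic preposition is `integrate with AD FS`, so `Follow the integration and deployment guide for the authentication provider you plan to integrate with AD FS.` reads better. The rest of the rewording (splitting the long sentence and adding the missing final period) is fine as is.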
@@ -9,261 +9,27 @@ ms.topic: tutorial --- # Configure and validate the Public Key Infrastructure - on-premises certificate trust -[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] +[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)] Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. -## Deploy an enterprise certification authority +[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)] -This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role. +## Configure the enterprise PKI -### Lab-based PKI +[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)] -The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**. +[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)] -Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed. +[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)] ->[!NOTE] ->Never install a certification authority on a domain controller in a production environment. +[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)] -1. Open an elevated Windows PowerShell prompt -1. 
Use the following command to install the Active Directory Certificate Services role. - ```PowerShell - Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools - ``` -3. Use the following command to configure the CA using a basic certification authority configuration - ```PowerShell - Install-AdcsCertificationAuthority - ``` +[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)] -## Configure a PKI +[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)] -If you have an existing PKI, review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your PKI using the information from your design session. - -Expand the following sections to configure the PKI for Windows Hello for Business. - -
                                -
                                -Configure domain controller certificates - -Clients must trust the domain controllers, and to it each domain controller must have a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the *enterprise certification authority*. - -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise CA is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates don't include the *KDC Authentication* object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the *Kerberos Authentication* certificate template. - -By default, the Active Directory CA provides and publishes the *Kerberos Authentication* certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the *Kerberos Authentication* certificate template as a *baseline* to create an updated domain controller certificate template. - -Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Right-click **Certificate Templates > Manage** -1. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and select **Duplicate Template** -1. 
On the **Compatibility** tab: - - Clear the **Show resulting changes** check box - - Select **Windows Server 2016** from the **Certification Authority** list - - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list -1. On the **General** tab - - Type *Domain Controller Authentication (Kerberos)* in Template display name - - Adjust the validity and renewal period to meet your enterprise's needs - > [!NOTE] - > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. -1. On the **Subject Name** tab: - - Select the **Build from this Active Directory information** button if it isn't already selected - - Select **None** from the **Subject name format** list - - Select **DNS name** from the **Include this information in alternate subject** list - - Clear all other items -1. On the **Cryptography** tab: - - select **Key Storage Provider** from the **Provider Category** list - - Select **RSA** from the **Algorithm name** list - - Type *2048* in the **Minimum key size** text box - - Select **SHA256** from the **Request hash** list -1. Select **OK** -1. Close the console - -
                                - -
                                -
                                -Supersede existing domain controller certificates - -The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called *domain controller certificate*. Later releases of Windows Server provided a new certificate template called *domain controller authentication certificate*. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the *KDC Authentication* extension. - -The *Kerberos Authentication* certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.\ -The *autoenrollment* feature allows you to replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the *Kerberos Authentication* certificate template. - -Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Right-click **Certificate Templates > Manage** -1. In the **Certificate Template Console**, right-click the *Domain Controller Authentication (Kerberos)* (or the name of the certificate template you created in the previous section) template in the details pane and select **Properties** -1. Select the **Superseded Templates** tab. Select **Add** -1. From the **Add Superseded Template** dialog, select the *Domain Controller* certificate template and select **OK > Add** -1. From the **Add Superseded Template** dialog, select the *Domain Controller Authentication* certificate template and select **OK** -1. From the **Add Superseded Template** dialog, select the *Kerberos Authentication* certificate template and select **OK** -1. 
Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab -1. Select **OK** and close the **Certificate Templates** console - -The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates isn't active until the certificate template is published to one or more certificate authorities. - -
                                - -
                                -
                                -Configure an internal web server certificate template - -Windows clients use the https protocol when communicating with Active Directory Federation Services (AD FS). To meet this need, you must issue a server authentication certificate to all the nodes in the AD FS farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running theAD FS can request the certificate. - -Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Right-click **Certificate Templates** and select **Manage** -1. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and select **Duplicate Template** -1. On the **Compatibility** tab: - - Clear the **Show resulting changes** check box - - Select **Windows Server 2016** from the **Certification Authority** list - - Select **Windows 10 / Windows Server 2016** from the **Certificate recipient** list -1. On the **General** tab: - - Type *Internal Web Server* in **Template display name** - - Adjust the validity and renewal period to meet your enterprise's needs - > [!NOTE] - > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. -1. On the **Request Handling** tab, select **Allow private key to be exported** -1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected -1. On the **Security** tab: - - Select **Add** - - Type **Domain Computers** in the **Enter the object names to select** box - - Select **OK** - - Select the **Allow** check box next to the **Enroll** permission -1. 
On the **Cryptography** tab: - - Select **Key Storage Provider** from the **Provider Category** list - - Select **RSA** from the **Algorithm name** list - - Type *2048* in the **Minimum key size** text box - - Select **SHA256** from the **Request hash** list - - Select **OK** -1. Close the console - -
                                - -
                                -
                                -Configure a certificate registration authority template - -A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. The Windows Hello for Business on-premises certificate-based deployment uses AD FS as the CRA. - -The CRA enrolls for an *enrollment agent* certificate. Once the CRA verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the CA. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The CA only issues a certificate for that template if the registration authority signs the certificate request. - -Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Right-click **Certificate Templates** and select **Manage** -1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template** -1. On the **Compatibility** tab: - - Clear the **Show resulting changes** check box - - Select **Windows Server 2016** from the **Certification Authority** list. - - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list -1. On the **General** tab: - - Type *WHFB Enrollment Agent* in **Template display name** - - Adjust the validity and renewal period to meet your enterprise's needs -1. 
On the **Subject** tab, select the **Supply in the request** button if it is not already selected - - > [!NOTE] - > Group Managed Service Accounts (GMSA) do not support the *Build from this Active Directory information* option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with *Supply in the request* to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. - -1. On the **Cryptography** tab: - - Select **Key Storage Provider** from the **Provider Category** list - - Select **RSA** from the **Algorithm name** list - - Type *2048* in the **Minimum key size** text box - - Select **SHA256** from the **Request hash** list -1. On the **Security** tab, select **Add** -1. Select **Object Types** and select the **Service Accounts** check box. Select **OK** -1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK** -1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section: - - In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission - - Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared - - Select **OK** -1. Close the console - -
                                - -
                                -
                                -Configure a Windows Hello for Business authentication certificate template - -During Windows Hello for Business provisioning, Windows clients request an authentication certificate from AD FS, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. - -Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Right-click **Certificate Templates** and select **Manage** -1. Right-click the **Smartcard Logon** template and choose **Duplicate Template** -1. On the **Compatibility** tab: - - Clear the **Show resulting changes** check box - - Select **Windows Server 2016** from the **Certification Authority** list - - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list -1. On the **General** tab: - - Type *WHFB Authentication* in **Template display name** - - Adjust the validity and renewal period to meet your enterprise's needs - > [!NOTE] - > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. -1. On the **Cryptography** tab - - Select **Key Storage Provider** from the **Provider Category** list - - Select **RSA** from the **Algorithm name** list - - Type *2048* in the **Minimum key size** text box - - Select **SHA256** from the **Request hash** list -1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon** -1. On the **Issuance Requirements** tab, - - Select the **This number of authorized signatures** check box. Type *1* in the text box - - Select **Application policy** from the **Policy type required in signature** - - Select **Certificate Request Agent** from in the **Application policy** list - - Select the **Valid existing certificate** option -1. 
On the **Subject** tab, - - Select the **Build from this Active Directory information** button - - Select **Fully distinguished name** from the **Subject name format** list - - Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** -1. On the **Request Handling** tab, select the **Renew with same key** check box -1. On the **Security** tab, select **Add**. Type *Window Hello for Business Users* in the **Enter the object names to select** text box and select **OK** -1. Select the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section: - - Select the **Allow** check box for the **Enroll** permission - - Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared - - Select **OK** -1. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template -1. 
Select on the **Apply** to save changes and close the console - -#### Mark the template as the Windows Hello Sign-in template - -Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials - -Open an elevated command prompt end execute the following command - -```cmd -certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY -``` - ->[!NOTE] ->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace *WHFBAuthentication* in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on your certification authority. - - -
                                - -
                                -
                                -Unpublish Superseded Certificate Templates - -The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. - -The newly created *domain controller authentication* certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. - -Sign in to the CA or management workstation with *Enterprise Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Expand the parent node from the navigation pane > **Certificate Templates** -1. Right-click the *Domain Controller* certificate template and select **Delete**. Select **Yes** on the **Disable certificate templates** window -1. Repeat step 3 for the *Domain Controller Authentication* and *Kerberos Authentication* certificate templates - -
                                - -
                                -
                                -Publish certificate templates to the CA +### Publish certificate templates to the CA A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. @@ -278,71 +44,13 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation 1. Close the console -
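Review bot: The include label `dc-certificate-template-supersede` does not match its file name `includes/dc-certificate-supersede.md`, unlike every other include in this hunk, which makes it hard to confirm the right snippet is pulled in; align the two, e.g. `[!INCLUDE [dc-certificate-supersede](includes/dc-certificate-supersede.md)]`. The hunk also removes two items whose survival in the new includes can't be confirmed from this diff: the note "Never install a certification authority on a domain controller in a production environment" from the lab-PKI section, and the "Mark the template as the Windows Hello Sign-in template" step (`certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`) that the page presented as part of the authentication-template procedure; presumably they now live in lab-based-pki-deploy.md and auth-certificate-template.md respectively, but that should be verified before merge since losing either silently weakens the guidance. The first include uses `./includes/` while the rest use `includes/`; pick one form.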
                                +## Configure and deploy certificates to domain controllers -### Configure automatic certificate enrollment for the domain controllers - -Domain controllers automatically request a certificate from the *Domain controller certificate* template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates, create and configure a Group Policy Object (GPO) for automatic certificate enrollment, linking the Group Policy object to the *Domain Controllers* Organizational Unit (OU). - -1. Open the **Group Policy Management Console** (gpmc.msc) -1. Expand the domain and select the **Group Policy Object** node in the navigation pane -1. Right-click **Group Policy object** and select **New** -1. Type *Domain Controller Auto Certificate Enrollment* in the name box and select **OK** -1. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and select **Edit** -1. In the navigation pane, expand **Policies** under **Computer Configuration** -1. Expand **Windows Settings > Security Settings > Public Key Policies** -1. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties** -1. Select **Enabled** from the **Configuration Model** list -1. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box -1. Select the **Update certificates that use certificate templates** check box -1. Select **OK** -1. Close the **Group Policy Management Editor** - -### Deploy the domain controller auto certificate enrollment GPO - -Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials. - -1. Start the **Group Policy Management Console** (gpmc.msc) -1. 
In the navigation pane, expand the domain and expand the node with the Active Directory domain name. Right-click the **Domain Controllers** organizational unit and select **Link an existing GPO…**
-1. In the **Select GPO** dialog box, select *Domain Controller Auto Certificate Enrollment* or the name of the domain controller certificate enrollment Group Policy object you previously created
-1. Select **OK**
+[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
 ## Validate the configuration
-Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase.
-You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred.
-### Use the event logs
-Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials.
-1. Using the Event Viewer, navigate to the **Application and Services > Microsoft > Windows > CertificateServices-Lifecycles-System** event log
-1. Look for an event indicating a new certificate enrollment (autoenrollment):
- - The details of the event include the certificate template on which the certificate was issued
- - The name of the certificate template used to issue the certificate should match the certificate template name included in the event
- - The certificate thumbprint and EKUs for the certificate are also included in the event
- - The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template
-Certificates superseded by your new domain controller certificate generate an archive event in the event log. 
The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
-### Certificate Manager
-You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates don't appear in Certificate Manager.
-### Certutil.exe
-You can use `certutil.exe` command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil.exe -q -store my` to view locally enrolled certificates.
-To view detailed information about each certificate in the store, use `certutil.exe -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates.
-### Troubleshooting
-Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate.exe /force`.
-Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq.exe -autoenroll -q` from an elevated command prompt.
-Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions.
+[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
 > [!div class="nextstepaction"]
 > [Next: prepare and deploy AD FS >](hello-cert-trust-adfs.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
index d19452cbd8..0775ea4e9d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -9,7 +9,7 @@ ms.topic: tutorial
 ---
 # Deployment guide overview - on-premises certificate trust
-[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+[!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
 Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment:
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 64b6af4819..22f170e86e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -55,7 +55,7 @@ Following are the various deployment guides and models included in this topic: - [On Premises Key Trust Deployment](hello-deployment-key-trust.md) - [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) -For Windows Hello for Business hybrid [certificate trust prerequisites](hello-hybrid-cert-trust-prereqs.md#directory-synchronization) and [key trust prerequisites](hello-hybrid-key-trust-prereqs.md#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments. +For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments. ## Provisioning 
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index 34d860c531..6104c34401 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md @@ -9,7 +9,7 @@ ms.topic: tutorial --- # Deployment guide overview - on-premises key trust -[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] +[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)] Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment:: diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 5fe62506a6..8896bacc2b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -3,6 +3,7 @@ title: Deploy certificates for remote desktop sign-in description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials. ms.collection: - ContentEngagementFY23 + - tier1 ms.topic: article ms.date: 11/15/2022 appliesto: 
@@ -12,9 +13,9 @@ appliesto: # Deploy certificates for remote desktop (RDP) sign-in This document describes Windows Hello for Business functionalities or scenarios that apply to: -- **Deployment type:** [!INCLUDE [hybrid](../../includes/hello-deployment-hybrid.md)] -- **Trust type:** [!INCLUDE [cloud-kerberos](../../includes/hello-trust-cloud-kerberos.md)], [!INCLUDE [key](../../includes/hello-trust-key.md)] -- **Join type:** [!INCLUDE [hello-join-aadj](../../includes/hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](../../includes/hello-join-hybrid.md)] +- **Deployment type:** [!INCLUDE [hybrid](./includes/hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [cloud-kerberos](./includes/hello-trust-cloud-kerberos.md)], [!INCLUDE [key](./includes/hello-trust-key.md)] +- **Join type:** [!INCLUDE [hello-join-aadj](./includes/hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](./includes/hello-join-hybrid.md)] --- Windows Hello for Business supports using a certificate as the supplied credential, when establishing a remote desktop connection to another Windows device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: @@ -30,11 +31,7 @@ Windows Hello for Business supports using a certificate as the supplied credenti To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template*, and then deploy certificates based on that template. -Expand the following sections to learn more about the process. - -
                                -
                                -Create a Windows Hello for Business certificate template +### Create a Windows Hello for Business certificate template Follow these steps to create a certificate template: @@ -81,11 +78,7 @@ Follow these steps to create a certificate template: 1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list 1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service** -
                                - -
                                -
                                -Request a certificate +### Request a certificate 1. Sign in to a client that is hybrid Azure AD joined, ensuring that the client has line of sight to a domain controller and the issuing CA 1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc` @@ -95,8 +88,6 @@ Follow these steps to create a certificate template: 1. Under *Request Certificates*, select the check-box for the certificate template you created in the previous section (*WHfB Certificate Authentication*) and then select **Enroll** 1. After a successful certificate request, select **Finish** on the Certificate Installation Results screen -
                                - ## Deploy certificates via Intune > [!NOTE] @@ -111,13 +102,11 @@ Next, you should deploy the root CA certificate (and any other intermediate cert Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device. -
                                -
                                -Create a policy in Intune +### Create a policy in Intune This section describes how to configure a SCEP policy in Intune. Similar steps can be followed to configure a PKCS policy. -1. Go to the Microsoft Endpoint Manager admin center +1. Go to the Microsoft Intune admin center 1. Select **Devices > Configuration profiles > Create profile** 1. Select **Platform > Windows 10 and later** and **Profile type > Templates > SCEP Certificate** 1. Select **Create** @@ -147,11 +136,8 @@ This section describes how to configure a SCEP policy in Intune. Similar steps c For more information how to configure SCEP policies, see [Configure SCEP certificate profiles in Intune][MEM-3]. To configure PKCS policies, see [Configure and use PKCS certificate with Intune][MEM-4]. -
                                +### Request a certificate for Intune clients -
                                -
                                -Request a certificate Once the Intune policy is created, targeted clients will request a certificate during their next policy refresh cycle. To validate that the certificate is present in the user store, follow these steps: 1. Sign in to a client targeted by the Intune policy @@ -159,8 +145,6 @@ Once the Intune policy is created, targeted clients will request a certificate d 1. In the left pane of the MMC, expand **Personal** and select **Certificates** 1. In the right-hand pane of the MMC, check for the new certificate -
                                - ## Use third-party certification authorities If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune][MEM-6]. diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md deleted file mode 100644 index 484985c43d..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -title: Event ID 300 - Windows Hello successfully created (Windows) -description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). -ms.date: 07/27/2017 -appliesto: -- ✅ Windows 10 and later -ms.topic: article ---- - -# Event ID 300 - Windows Hello successfully created - -This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. - -## Event details - -| **Product:** | Windows 10 or Windows 11 operating system | -|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Log:** | Event Viewer > Applications and Service Logs\Microsoft\Windows\User Device Registration\Admin | -| **ID:** | 300 | -| **Source:** | Microsoft Azure Device Registration Service | -| **Version:** | 10 or 11 | -| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da.
                                Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} | - -## Resolve - -This is a normal condition. No further action is required. - -## Related topics - -- [Windows Hello for Business](hello-identity-verification.md) -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](/troubleshoot/windows-client/user-profiles-and-logon/windows-hello-errors-during-pin-creation-in-windows-10) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 7d673787ba..fd1630c12b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -1,220 +1,103 @@ ### YamlMime:FAQ metadata: title: Windows Hello for Business Frequently Asked Questions (FAQ) - description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business. - keywords: identity, PIN, biometric, Hello, passport - ms.prod: windows-client - ms.technology: itpro-security - ms.sitesec: library - ms.pagetype: security, mobile - audience: ITPro + description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business. author: paolomatarazzo ms.author: paoloma - manager: aaroncz - ms.reviewer: prsriva ms.collection: - highpri + - tier1 ms.topic: faq - localizationpriority: medium - ms.date: 11/11/2022 + ms.date: 01/06/2023 appliesto: - ✅ Windows 10 and later -title: Windows Hello for Business Frequently Asked Questions (FAQ) -summary: | +title: Common questions about Windows Hello for Business +summary: Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Hello for Business. sections: - - name: Ignored + + - name: Concepts questions: - - - question: What is Windows Hello for Business cloud Kerberos trust? + - question: What's the difference between Windows Hello and Windows Hello for Business? answer: | - Windows Hello for Business *cloud Kerberos trust* is a **trust model** that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. 
For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust). - - - - question: What about virtual smart cards? - answer: | - Windows Hello for Business is the modern, two-factor credential for Windows. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows deployments use Windows Hello for Business. - - - question: What about convenience PIN? - answer: | - While *convenience PIN* provides a convenient way to sign in to Windows, it stills uses a password for authentication. Customers using *convenience PINs* should move to **Windows Hello for Business**. New Windows deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business. - - - question: Can I use Windows Hello for Business key trust and RDP? - answer: | - Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. - - - - question: Can I deploy Windows Hello for Business by using Microsoft Configuration Manager? 
- answer: | - Windows Hello for Business deployments using Configuration Manager should follow the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](/configmgr/protect/deploy-use/windows-hello-for-business-settings). - - - question: Can I deploy Windows Hello for Business by using Microsoft Intune? - answer: | - Windows Hello for Business deployments using Intune allow for a great deal of flexibility in deployment. For more information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). - - - question: How many users can enroll for Windows Hello for Business on a single Windows 10 computer? - answer: | - The maximum number of supported enrollments on a single Windows 10 computer is 10. This lets 10 users each enroll their face and up to 10 fingerprints. For devices with more than 10 users, we strongly encourage the use of FIDO2 security keys. - - - question: Can I use Windows Hello for Business credentials in private browser mode or "incognito" mode? - answer: | - Windows Hello for Business credentials need access to device state, which is not available in private browser mode or incognito mode. Hence it can't be used in private browser or Incognito mode. - + Windows Hello represents the biometric framework provided in Windows. Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate. 
- question: How can a PIN be more secure than a password? answer: | When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature. - + - question: How does Windows Hello for Business authentication work? + answer: | + When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. + These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. 
It's important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn't require explicit validation through a user gesture, and the key material isn't exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure an application to require re-authentication anytime a specific operation is performed, even though the same account and PIN or gesture were already used to unlock the device. + For more information about the different authentication flows used by Windows Hello for Business, see [Windows Hello for Business and Authentication](hello-how-it-works-authentication.md). + - question: What happens after a user registers a PIN during the Windows Hello for Business enrollment process? + answer: | + Windows Hello generates a new public-private key pair on the device. The TPM generates and protects this private key; if the device doesn't have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the *protector key*. It's associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. **Each unique gesture generates a unique protector key**. The protector key securely wraps the *authentication key*. 
The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary (for example, when using the PIN reset service). In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. + At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means the user is able to securely sign in to the device with the PIN and thus be able to establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using the PIN, and then registers the new biometric, after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures. - question: What's a container? - answer: | - In the context of Windows Hello for Business, it's shorthand for a logical grouping of key material or data. Windows Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. + answer: | + In the context of Windows Hello for Business, a container is a logical grouping of *key material* or data. Windows Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. 
The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. - Note that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials of Windows Hello stores, are protected without the creation of actual containers or folders. + + > [!NOTE] + > There are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials that Windows Hello stores, are protected without the creation of actual containers or folders. + The container contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. Each logical container holds one or more sets of keys.\ :::image type="content" source="images/passport-fig3-logicalcontainer.png" alt-text="logical container with set of keys"::: - - question: How do I delete a Windows Hello for Business container on a device? - answer: | - You can effectively disable Windows Hello for Business by launching `certutil.exe -deleteHelloContainer` on the end device under a user account, and then restarting the device. - - - question: How does Windows Hello for Business work with Azure AD registered devices? + Containers can contain several types of key material: + - An authentication key, which is always an asymmetric public-private key pair. This key pair is generated during registration. It must be unlocked each time it's accessed, by using either the user's PIN or a biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. 
When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. + - The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP key). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: + - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as VPN solutions, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. + - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don't have or need a PKI. 
+ - question: How are keys protected? answer: | - A user will be prompted to set up a Windows Hello for Business key on an Azure AD registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using their existing gestures. - - If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. - - It's possible to Azure AD register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business. - - For more information, please read [Azure AD registered devices](/azure/active-directory/devices/concept-azure-ad-register). - - - question: I have Windows Server 2016 domain controller(s), so why is the Key Admins group missing? + Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There's a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Business implementation takes advantage of onboard TPM hardware to generate and protect keys. Administrators can choose to allow key operations in software, but it's recommended the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. 
The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means the user will have to use MFA to reauthenticate to the IDP before the IDP allows re-registration). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. + - question: How does PIN caching work with Windows Hello for Business? answer: | - The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server can't translate the security identifier (SID) to a name. To resolve this issue, transfer the PDC emulator domain role to a domain controller running Windows Server 2016. - - - question: Can I use a convenience PIN with Azure Active Directory? - answer: | - It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. However, convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users. - - - question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera? - answer: | - Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). 
However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors). - - - question: Can I use an external Windows Hello compatible camera or other Windows Hello compatible accessory when my laptop lid is closed or docked? - answer: | - Some laptops and tablets with keyboards that close may not use an external Windows Hello compatible camera or other Windows Hello compatible accessory when the computer is docked with the lid closed. The issue has been addressed in Windows 11, version 22H2. - - - question: Why does authentication fail immediately after provisioning hybrid key trust? - answer: | - In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle. - - - question: What is the password-less strategy? - answer: | - Watch Principal Program Manager Karanbir Singh's **Microsoft's guide for going password-less** Ignite 2017 presentation. + Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key. 
- [Microsoft's password-less strategy](hello-videos.md#microsofts-passwordless-strategy) + Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN. - - question: What is the user experience for Windows Hello for Business? + The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. Windows 10 doesn't provide any Group Policy settings to adjust this caching. + - question: Where is Windows Hello biometrics data stored? answer: | - The user experience for Windows Hello for Business occurs after the user signs in, after you deploy Windows Hello for Business policy settings to your environment. - - - question: What happens when a user forgets their PIN? + When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. 
For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). + - question: What is the format used to store Windows Hello biometrics data on the device? answer: | - If the user can sign in with a password, they can reset their PIN by selecting the "I forgot my PIN" link in Settings. Beginning with Windows 10 1709, users can reset their PIN above the lock screen by selecting the "I forgot my PIN" link on the PIN credential provider. - - For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). - - - question: What URLs do I need to allow for a hybrid deployment? + Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (like face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it's stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash. + - question: Who has access on Windows Hello biometrics data? 
answer: | - Communicating with Azure Active Directory uses the following URLs: - - enterpriseregistration.windows.net - - login.microsoftonline.com - - login.windows.net - - account.live.com - - accountalt.azureedge.net - - secure.aadcdn.microsoftonline-p.com - - If your environment uses Microsoft Intune, you will also need these other URLs: - - enrollment.manage.microsoft.com - - portal.manage.microsoft.com - + Since Windows Hello biometrics data is stored in encrypted format, no user, or any process other than Windows Hello has access to it. - question: What's the difference between non-destructive and destructive PIN reset? answer: | Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 version 1903 and later and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md). Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 version 1903 and later can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. 
For hybrid Azure Active Directory joined devices, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. - - - question: | - Which is better or more secure, key trust or certificate trust? - answer: | - The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The differences between the two trust types are: - - Required domain controllers - - Issuing end entity certificates - - The **key trust** model authenticates to Active Directory by using a raw key. Windows Server 2016 domain controllers enable this authentication. Key trust authenticate doesn't require an enterprise issued certificate, therefore you don't need to issue certificates to users (domain controller certificates are still needed). - - The **certificate trust** model authenticates to Active Directory by using a certificate. Because this authentication uses a certificate, domain controllers running previous versions of Windows Server can authenticate the user. Therefore, you need to issue certificates to users, but you don't need Windows Server 2016 domain controllers. The certificate used in certificate trust uses the TPM-protected private key to request a certificate from your enterprise's issuing certificate authority. - - - question: Do I need Windows Server 2016 domain controllers? - answer: | - There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you've deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment. - - - question: What attributes are synchronized by Azure AD Connect with Windows Hello for Business? 
- answer: | - Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes. - - - question: Is Windows Hello for Business multi-factor authentication? - answer: | - Windows Hello for Business is two-factor authentication based on the observed authentication factors of: something you have, something you know, and something that's part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". - - - question: Where is Windows Hello biometrics data stored? - answer: | - When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. 
Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). - - - question: What is the format used to store Windows Hello biometrics data on the device? - answer: | - Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (like face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it’s stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash. - - - question: Who has access on Windows Hello biometrics data? - answer: | - Since Windows Hello biometrics data is stored in encrypted format, no user, or any process other than Windows Hello has access to it. - - question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication? answer: | - Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method, like a pin. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start** > **Settings** > **Accounts** > **Sign-in** options. 
Or just select on **Go to Sign-in options**. To enroll into Windows Hello, user can go to **Start** > **Settings** > **Accounts** > **Sign-in** options, select the Windows Hello method that they want to set up, and then select **Set up**. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can by policy request users to enroll into Windows Hello during autopilot or during initial setup of the device. Admins can disallow users to enroll into biometrics via Windows hello for business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users. - + Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method, like a PIN. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start > Settings > Accounts > Sign-in** options. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can request users to enroll into Windows Hello during Autopilot or during the initial setup of the device. Admins can disallow users to enroll into biometrics via Windows Hello for Business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users. - question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication? 
answer: | - To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start** > **Settings** > **Accounts** > **Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will unenroll the user from Windows Hello biometrics auth and will also delete the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/en-us/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy). - - - question: What about any diagnostic data coming out when WHFB is enabled? + To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start > Settings > Accounts > Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will u-enroll the user from Windows Hello biometrics authentication and will also delete the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy). + + - name: Management and operations + questions: + - question: Can I deploy and manage Windows Hello for Business using Microsoft Intune? answer: | - To help us keep things working properly, to help detect and prevent fraud, and to continue improving Windows Hello, we collect diagnostic data about how people use Windows Hello. For example, data about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product. 
The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). - - - question: What are the biometric requirements for Windows Hello for Business? + Yes, hybrid and cloud-only Windows Hello for Business deployments can use Microsoft Intune. For more information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). + - question: Can I deploy and manage Windows Hello for Business by using Microsoft Configuration Manager? answer: | - Read [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information. + Starting in Configuration Manager, version 2203, Windows Hello for Business deployments using Configuration Manager are no longer supported. + - question: How do I delete a Windows Hello for Business container on a device? + answer: | + You can effectively disable Windows Hello for Business by launching `certutil.exe -deleteHelloContainer` on the end device under a user account, and then restarting the device. + - question: What happens when a user forgets their PIN? + answer: | + If the user can sign in with a password, they can reset their PIN by selecting the *I forgot my PIN* link in the Settings app. Users can reset also their PIN from the lock screen by selecting the *I forgot my PIN* link on the PIN credential provider. - - question: Can I use both a PIN and biometrics to unlock my device? - answer: | - Starting in Windows 10, version 1709, you can use multi-factor unlock to require users to provide an extra factor to unlock their device. 
Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md). - - - question: Can I wear a mask to enroll or unlock using Windows Hello face authentication? - answer: | - Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this article further. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, consider unenrolling from face authentication and only using PIN or fingerprint. - - - question: What's the difference between Windows Hello and Windows Hello for Business? - answer: | - Windows Hello represents the biometric framework provided in Windows 10. Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate. - - - question: Why can't I enroll biometrics for my local, built-in administrator? - answer: | - Windows 10 doesn't allow the local administrator to enroll biometric gestures (face or fingerprint). - - - question: I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model? - answer: | - No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory. 
- + For on-premises deployments, devices must be connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid deployments can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). - question: Does Windows Hello for Business prevent the use of simple PINs? answer: | Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. The algorithm counts the number of steps required to reach the next digit, overflowing at 10 ('zero'). 
@@ -230,33 +113,37 @@ sections: - The PIN 1872 doesn't have a constant delta (7,9,5), so it's allowed This check prevents repeating numbers, sequential numbers, and simple patterns. It always results in a list of 100 disallowed PINs (independent of the PIN length). This algorithm doesn't apply to alphanumeric PINs. - - - question: How does PIN caching work with Windows Hello for Business? + - question: Which diagnostic data is collected when Windows Hello for Business is enabled? answer: | - Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key. - - Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN. - - The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. Windows 10 doesn't provide any Group Policy settings to adjust this caching. - + To help Microsoft keep things working properly, to help detecting and preventing fraud, and to continue improving Windows Hello, diagnostic data about how people use Windows Hello is collected. 
For example: + - Data about whether people sign in with their face, iris, fingerprint, or PIN + - The number of times they use it + - Whether it works or not + All this is valuable information that helps Microsoft building a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). - question: Can I disable the PIN while using Windows Hello for Business? answer: | No. The movement away from passwords is accomplished by gradually reducing the use of the password. In situations where you can't authenticate by using biometrics, you need a fallback mechanism that isn't a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics. - - - question: How are keys protected? + - question: What is Event ID 300? answer: | - Wherever possible, Windows Hello for Business takes advantage of Trusted Platform Module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business don't require a TPM. Administrators can choose to allow key operations in software. - - Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against various known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will need to reset the PIN (which means they'll need to use MFA to reauthenticate to the IDP before the IDP allows them to re-register). - + This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). 
Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. This is a normal condition and no further action is required.
+
+ - name: Design and planning
+ questions:
- question: Can Windows Hello for Business work in air-gapped environments?
answer: |
Yes. You can use the on-premises Windows Hello for Business deployment and combine it with a third-party MFA provider that doesn't require internet connectivity to achieve an air-gapped Windows Hello for Business deployment.
-
- - question: Can I use third-party authentication providers with Windows Hello for Business?
+ - question: How many users can enroll for Windows Hello for Business on a single Windows device?
answer: |
- Yes, if you're using federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
-
+ The maximum number of supported enrollments on a single device is 10. This lets 10 users each enroll their face and up to 10 fingerprints. For devices with more than 10 users, or for users that sign-in to many devices (for example, a support technician), it's recommended the use of FIDO2 security keys.
+ - question: I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model?
+ answer: |
+ No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory.
+ - question: What attributes are synchronized by Azure AD Connect with Windows Hello for Business?
+ answer: |
+ Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes.
+ - question: Can I use third-party MFA providers with Windows Hello for Business?
+ answer: |
+ Yes, if you're using federated hybrid deployment, you can use any third-party that provides an AD FS MFA adapter. A list of third-party MFA adapters can be found [here](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
- question: Does Windows Hello for Business work with third-party federation servers?
answer: |
Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience.

                                
@@ -267,12 +154,100 @@ sections:
| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and log in hints. |
| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](/openspecs/windows_protocols/ms-oapxbc/2f7d8875-0383-4058-956d-2fb216b44706) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (the OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. |
| [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](/openspecs/windows_protocols/ms-oidce/718379cf-8bc1-487e-962d-208aeb8e70ee) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define other claims to carry information about the user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define more provider meta-data that enables the discovery of the issuer of access tokens and gives additional information about provider capabilities. |
-
- - question: Does Windows Hello for Business work with Mac and Linux clients?
+ - question: Can I enroll local Windows accounts in Windows Hello for Business?
answer: |
- Windows Hello for Business is a feature of Windows 10. At this time, Microsoft isn't developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
- Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft isn't developing clients for other platforms.
-
+ Windows Hello for Business is not designed to work with local accounts.
+ - question: What are the biometric requirements for Windows Hello for Business?
+ answer: |
+ Read [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information.
+ - question: Can I wear a mask to enroll or unlock using Windows Hello face authentication?
+ answer: |
+ Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this article further. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, consider un-enrolling from face authentication and only using PIN or fingerprint.
+ - question: How does Windows Hello for Business work with Azure AD registered devices?
+ answer: |
+ A user will be prompted to set up a Windows Hello for Business key on an Azure AD registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures.
+
+ If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
+
+ It's possible to Azure AD register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business.
+
+ For more information, please read [Azure AD registered devices](/azure/active-directory/devices/concept-azure-ad-register).
+ - question: Does Windows Hello for Business work with non-Windows operating systems?
+ answer: |
+ Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft isn't developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
- question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients?
- answer: |
+ answer: |
No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD DS.
+ - question: Is Windows Hello for Business considered multi-factor authentication?
+ answer: |
+ Windows Hello for Business is two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
+
+ > [!NOTE]
+ > The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
+ - question: Which is a better or more secure for of authentication, key or certificate?
+ answer: |
+ Both types of authentication provide the same security; one is not more secure than the other.
+ The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types is the issuance of end-entity certificates:
+ - The *key trust* model authenticates to Active Directory by using a raw key. Key trust doesn't require an enterprise-issued certificate, therefore you don't need to issue certificates to users (domain controller certificates are still needed)
+ - The *certificate trust* model authenticates to Active Directory by using a certificate. Therefore, you need to issue certificates to users. The certificate used in certificate trust uses the TPM-protected private key to request a certificate from your enterprise's issuing CA
+ - question: What is convenience PIN?
+ answer: |
+ *Convenience PIN* provides a simpler way to sign in to Windows than passwords, but it still uses a password for authentication. When the correct convenience PIN is provided to Windows, the password information is loaded from its cache and authenticates the user. Organizations using convenience PINs should move to **Windows Hello for Business**. New Windows deployments should deploy Windows Hello for Business and not convenience PINs.
+ - question: Can I use a convenience PIN with Azure Active Directory?
+ answer: |
+ No. While it's possible to set a convenience PIN on Azure AD joined and hybrid Azure AD joined devices, convenience PIN isn't supported for Azure AD user accounts (including synchronized identities).
Convenience PIN is only supported for on-premises Active Directory users and local account users.
+ - question: What about virtual smart cards?
+ answer: |
+ Windows Hello for Business is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business.
+ - question: What URLs do I need to allow for a hybrid deployment?
+ answer: |
+ For a list of required URLs, see [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#microsoft-365-common-and-office-online).
+
+ If your environment uses Microsoft Intune, see [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints).
+
+ - name: Features
+ questions:
+ - question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera?
+ answer: |
+ Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors).
+ - question: Can I use an external Windows Hello compatible camera or other Windows Hello compatible accessory when my laptop lid is closed or docked?
+ answer: |
+ Some laptops and tablets with keyboards that close may not use an external Windows Hello compatible camera or other Windows Hello compatible accessory when the computer is docked with the lid closed. The issue has been addressed in Windows 11, version 22H2.
+ - question: Can I use Windows Hello for Business credentials in private browser mode or "incognito" mode?
+ answer: |
+ Windows Hello for Business credentials need access to device state, which is not available in private browser mode or incognito mode. Hence it can't be used in private browser or Incognito mode.
+ - question: Can I use both a PIN and biometrics to unlock my device?
+ answer: |
+ You can use *multi-factor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md).
+
+ - name: Cloud Kerberos trust
+ questions:
+ - question: What is Windows Hello for Business cloud Kerberos trust?
+ answer: |
+ Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
+ - question: Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
+ answer: |
+ This feature doesn't work in a pure on-premises AD domain services environment.
+ - question: Does Windows Hello for Business cloud Kerberos trust work in a Windows sign-in with RODC present in the hybrid environment?
+ answer: |
+ Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud Kerberos trust will work.
+ - question: Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
+ answer: |
+ Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller when:
+ - a user signs-in for the first time or unlocks with Windows Hello for Business after provisioning
+ - attempting to access on-premises resources secured by Active Directory
+ - question: Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
+ answer: |
+ Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [remote credential guard][/windows/security/identity-protection/remote-credential-guard] or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose.
+ - question: Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust?
+ answer: |
+ No, only the number necessary to handle the load from all cloud Kerberos trust devices.
+
+ - name: Key trust
+ questions:
+ - question: Why does authentication fail immediately after provisioning hybrid key trust?
+ answer: |
+ In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller.
+ This sync is handled by Azure AD Connect and will occur during a normal sync cycle.
+ - question: Can I use Windows Hello for Business key trust and RDP?
+ answer: |
+ Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
deleted file mode 100644
index a96e6d66b5..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Conditional Access
-description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory.
-ms.date: 09/09/2019
-appliesto:
-- ✅ Windows 10 and later
-ms.topic: article
----
-
-# Conditional access
-
-**Requirements:**
-
-* Azure Active Directory
-* Hybrid Windows Hello for Business deployment
-
-In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, applications, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and 3rd party SaaS applications, IT professionals are faced with two opposing goals:
-
-* Empower the end users to be productive wherever and whenever
-* Protect the corporate assets at any time
-
-To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access.
-
-> [!NOTE]
-> For more details about the way Windows Hello for Business interacts with Azure AD Multi-Factor Authentication and Conditional Access, see [this article](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032).
-
-Read [Conditional access in Azure Active Directory](/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access.
-
-## Related topics
-
-* [Windows Hello for Business](hello-identity-verification.md)
-* [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-* [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-* [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-* [Windows Hello and password changes](hello-and-password-changes.md)
-* [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-* [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-* [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
index adfbe58657..d6d35b189a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@@ -76,5 +76,5 @@ The computer is ready for dual enrollment. Sign in as the privileged user first
 * [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 * [Windows Hello and password changes](hello-and-password-changes.md)
 * [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-* [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+* [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 * [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index 6bae92fc12..9f461f9697 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -55,5 +55,5 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw
 * [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 * [Windows Hello and password changes](hello-and-password-changes.md)
 * [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-* [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+* [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 * [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index e1aa2e7acb..7b1fdf338f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -3,6 +3,7 @@ title: Pin Reset description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN. ms.collection: - highpri + - tier1 ms.date: 07/29/2022 appliesto: - ✅ Windows 10 and later @@ -128,7 +129,7 @@ Before you can remotely reset PINs, your devices must be configured to enable PI You can configure Windows devices to use the **Microsoft PIN Reset Service** using Microsoft Intune. -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** > **Configuration profiles** > **Create profile**. 1. Enter the following properties: - **Platform**: Select **Windows 10 and later**. @@ -150,7 +151,7 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi >[!NOTE] > You can also configure PIN recovery from the **Endpoint security** blade: -> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +> 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). > 1. Select **Endpoint security** > **Account protection** > **Create Policy**. #### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) 
@@ -231,7 +232,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au ### Configure Web Sign-in Allowed URLs using Microsoft Intune -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) 1. Select **Devices** > **Configuration profiles** > **Create profile** 1. Enter the following properties: - **Platform**: Select **Windows 10 and later** @@ -265,5 +266,5 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 2281821bdc..2f1c460668 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -5,6 +5,8 @@ ms.date: 02/24/2021 appliesto: - ✅ Windows 10 and later ms.topic: article +ms.collection: + - tier1 --- # Remote Desktop 
@@ -56,5 +58,5 @@ Users appreciate convenience of biometrics and administrators value the security - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 7bec9c2543..b3765851fa 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -101,7 +101,7 @@ In Windows 10 and Windows 11, cloud experience host is an application used while ### More information on cloud experience host -[Windows Hello for Business and device registration](./hello-how-it-works-device-registration.md) +[Windows Hello for Business and device registration](/azure/active-directory/devices/device-registration-how-it-works) ## Cloud Kerberos trust diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 9f3670151c..40e094e6c7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md 
@@ -52,5 +52,5 @@ For more information read [how authentication works](hello-how-it-works-authenti
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
deleted file mode 100644
index a53b5977d6..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ /dev/null
@@ -1,336 +0,0 @@ ---- -title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business -description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them. -ms.date: 01/14/2021 -appliesto: -- ✅ Windows 10 and later -ms.topic: article ---- -# Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business - -[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)] - -## Prerequisites - -Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices don't have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices. - -- Azure Active Directory Connect synchronization -- Device Registration -- Certificate Revocation List (CRL) Distribution Point (CDP) -- 2016 Domain Controllers -- Domain Controller certificate -- Network infrastructure in place to reach your on-premises domain controller. If the machines are external, you can use any VPN solution. - -### Azure Active Directory Connect synchronization -Azure AD join, and hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you're using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect). 
- -If you upgraded your Active Directory schema to the Windows Server 2016 schema after installing Azure AD Connect, run Azure AD Connect and run **Refresh directory schema** from the list of tasks. -![Azure AD Connect Schema Refresh.](images/aadj/aadconnectschema.png) - -### Azure Active Directory Device Registration -A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user can't provision Windows Hello for Business unless the device from which they're trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](/azure/active-directory/devices/overview). - -You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory. -![dsregcmd output.](images/aadj/dsregcmd.png) - -### CRL Distribution Point (CDP) - -Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list. During certificate validation, Windows consults the CRL distribution point within the certificate to get a list of revoked certificates. Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid. - -![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png) - -The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. The value in the URL begins with **ldap**. Using Active Directory for domain joined devices provides a highly available CRL distribution point. 
However, Azure Active Directory-joined devices and users on Azure Active Directory-joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the certificate revocation list. The authentication becomes a circular problem. The user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated. - -To resolve this issue, the CRL distribution point must be a location that is accessible by Azure Active Directory-joined devices that doesn't require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS). - -If your CRL distribution point doesn't list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points. - -> [!NOTE] -> If your CA has published both the Base and the Delta CRL, please make sure you have included publishing the Delta CRL in the HTTP path. Include web server to fetch the Delta CRL by allowing double escaping in the (IIS) web server. - -### Windows Server 2016 Domain Controllers - -If you're interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We're glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. 
- -If you're interested in configuring your environment to use the Windows Hello for Business certificate rather than key, then you're the right place. The same certificate configuration on the domain controllers is needed, whether you're using Windows Server 2016 domain controllers or domain controllers running earlier versions of Windows Server. You can ignore the Windows Server 2016 domain controller requirement. - -### Domain Controller Certificates - -Certificate authorities write CRL distribution points in certificates as they're issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point. The domain controller certificate is one the critical components of Azure AD-joined devices authenticating to Active Directory - -#### Why does Windows need to validate the domain controller certificate? - -Windows Hello for Business enforces the strict KDC validation security feature when authenticating from an Azure AD joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on an Azure AD joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met: - -- The domain controller has the private key for the certificate provided. -- The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. -- Use the **Kerberos Authentication certificate template** instead of any other older template. -- The domain controller's certificate has the **KDC Authentication** enhanced key usage (EKU). -- The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain. -- The domain controller's certificate's signature hash algorithm is **sha256**. 
-- The domain controller's certificate's public key is **RSA (2048 Bits)**. - -Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the **KDC Authentication** EKU. If you're adding Azure AD-joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the **KDC Authentication** EKU. If you need to update your domain controller certificate to include the **KDC Authentication** EKU, follow the instructions in [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md) - -> [!Tip] -> If you are using Windows Server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing or re-issuing the certificate. - -## Configuring a CRL Distribution Point for an issuing certificate authority - -Use this set of procedures to update your certificate authority that issues your domain controller certificates to include an http-based CRL distribution point. 
- -Steps you'll perform include: - -- [Configure Internet Information Services to host CRL distribution point](#configure-internet-information-services-to-host-crl-distribution-point) -- [Prepare a file share to host the certificate revocation list](#prepare-a-file-share-to-host-the-certificate-revocation-list) -- [Configure the new CRL distribution point and Publishing location in the issuing certificate authority](#configure-the-new-crl-distribution-point-and-publishing-location-in-the-issuing-certificate-authority) -- [Publish CRL](#publish-a-new-crl) -- [Reissue domain controller certificates](#reissue-domain-controller-certificates) - - -### Configure Internet Information Services to host CRL distribution point - -You need to host your new certificate revocation list of a web server so Azure AD-joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps are just one and may be useful for admins unfamiliar with adding a new CRL distribution point. - -> [!IMPORTANT] -> Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http. - -#### Installing the Web Server - -1. Sign-in to your server as a local administrator and start **Server Manager** if it didn't start during your sign in. -2. Select the **Local Server** node in the navigation pane. Select **Manage** and select **Add Roles and Features**. -3. In the **Add Role and Features Wizard**, select **Server Selection**. Verify the selected server is the local server. Select **Server Roles**. Select the check box next to **Web Server (IIS)**. -4. Select **Next** through the remaining options in the wizard, accepting the defaults, and install the Web Server role. - -#### Configure the Web Server - -1. From **Windows Administrative Tools**, Open **Internet Information Services (IIS) Manager**. -2. 
Expand the navigation pane to show **Default Web Site**. Select and then right-click **Default Web site** and select **Add Virtual Directory...**. -3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**. For physical path, type or browse for the physical file location where you'll host the certificate revocation list. For this example, the path **c:\cdp** is used. Select **OK**. - ![Add Virtual Directory.](images/aadj/iis-add-virtual-directory.png) - > [!NOTE] - > Make note of this path as you will use it later to configure share and file permissions. - -4. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Directory Browsing** in the content pane. Select **Enable** in the details pane. -5. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Configuration Editor**. -6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**. - ![IIS Configuration Editor requestFiltering.](images/aadj/iis-config-editor-requestFiltering.png) - In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**. Select **Apply** in the actions pane. - ![IIS Configuration Editor double escaping.](images/aadj/iis-config-editor-allowDoubleEscaping.png) -7. Close **Internet Information Services (IIS) Manager**. - -#### Create a DNS resource record for the CRL distribution point URL - -1. On your DNS server or from an administrative workstation, open **DNS Manager** from **Administrative Tools**. -2. Expand **Forward Lookup Zones** to show the DNS zone for your domain. Right-click your domain name in the navigation pane and select **New Host (A or AAAA)...**. -3. In the **New Host** dialog box, type **crl** in **Name**. Type the IP address of the web server you configured in **IP Address**. Select **Add Host**. Select **OK** to close the **DNS** dialog box. Select **Done**. -![Create DNS host record.](images/aadj/dns-new-host-dialog.png) -4. 
Close the **DNS Manager**. - -### Prepare a file share to host the certificate revocation list - -These procedures configure NTFS and share permissions on the web server to allow the certificate authority to automatically publish the certificate revocation list. - -#### Configure the CDP file share - -1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). -2. Right-click the **cdp** folder and select **Properties**. Select the **Sharing** tab. Select **Advanced Sharing**. -3. Select **Share this folder**. Type **cdp$** in **Share name**. Select **Permissions**. -![cdp sharing.](images/aadj/cdp-sharing.png) -4. In the **Permissions for cdp$** dialog box, select **Add**. -5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, select **Object Types**. In the **Object Types** dialog box, select **Computers**, and then select **OK**. -7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then select **Check Names**. Select **OK**. -8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Select **OK**. -![CDP Share Permissions.](images/aadj/cdp-share-permissions.png) -9. In the **Advanced Sharing** dialog box, select **OK**. - -> [!Tip] -> Make sure that users can access **\\\Server FQDN\sharename**. - -#### Disable Caching -1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). -2. Right-click the **cdp** folder and select **Properties**. Select the **Sharing** tab. Select **Advanced Sharing**. -3. Select **Caching**. 
Select **No files or programs from the shared folder are available offline**. -![CDP disable caching.](images/aadj/cdp-disable-caching.png) -4. Select **OK**. - -#### Configure NTFS permission for the CDP folder - -1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). -2. Right-click the **cdp** folder and select **Properties**. Select the **Security** tab. -3. On the **Security** tab, select Edit. -5. In the **Permissions for cdp** dialog box, select **Add**. -![CDP NTFS Permissions.](images/aadj/cdp-ntfs-permissions.png) -6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, select **Object Types**. In the **Object Types** dialog box, select **Computers**. Select **OK**. -7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then select **Check Names**. Select **OK**. -8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Select **OK**. -9. Select **Close** in the **cdp Properties** dialog box. - - -### Configure the new CRL distribution point and Publishing location in the issuing certificate authority - -The web server is ready to host the CRL distribution point. Now, configure the issuing certificate authority to publish the CRL at the new location and to include the new CRL distribution point - - -#### Configure the CRL distribution Point -1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**. -2. In the navigation pane, right-click the name of the certificate authority and select **Properties** -3. Select **Extensions**. 
On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list. -4. On the **Extensions** tab, select **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, `` or `` (don't forget the trailing forward slash). - ![CDP New Location dialog box.](images/aadj/cdp-extension-new-location.png) -5. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. -6. Type **.crl** at the end of the text in **Location**. Select **OK**. -7. Select the CDP you just created. - ![CDP complete http.](images/aadj/cdp-extension-complete-http.png) -8. Select **Include in CRLs. Clients use this to find Delta CRL locations**. -9. Select **Include in the CDP extension of issued certificates**. -10. Select **Apply** save your selections. Select **No** when ask to restart the service. - -> [!NOTE] -> Optionally, you can remove unused CRL distribution points and publishing locations. - -#### Configure the CRL publishing location - -1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**. -2. In the navigation pane, right-click the name of the certificate authority and select **Properties** -3. Select **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list. -4. On the **Extensions** tab, select **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (don't forget the trailing backwards slash). -5. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. -6. 
Type **.crl** at the end of the text in **Location**. Select **OK**. -7. Select the CDP you just created.
                                - ![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png) -8. Select **Publish CRLs to this location**. -9. Select **Publish Delta CRLs to this location**. -10. Select **Apply** save your selections. Select **Yes** when ask to restart the service. Select **OK** to close the properties dialog box. - -### Publish a new CRL - -1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**. -2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and select **Publish** -![Publish a New CRL.](images/aadj/publish-new-crl.png) -3. In the **Publish CRL** dialog box, select **New CRL** and select **OK**. - -#### Validate CDP Publishing - -Validate your new CRL distribution point is working. - -1. Open a web browser. Navigate to `http://crl.[yourdomain].com/cdp`. You should see two files created from publishing your new CRL. - ![Validate the new CRL.](images/aadj/validate-cdp-using-browser.png) - -### Reissue domain controller certificates - -With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate doesn't have the updated CRL distribution point. - -1. Sign-in a domain controller using administrative credentials. -2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer. -3. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. -![Certificate Manager Personal store.](images/aadj/certlm-personal-store.png) -4. Right-click the selected certificate. Hover over **All Tasks** and then select **Renew Certificate with New Key...**. In the **Certificate Enrollment** wizard, select **Next**. 
-![Renew with New key.](images/aadj/certlm-renew-with-new-key.png) -5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available. Select **Enroll**. -6. After the enrollment completes, select **Finish** to close the wizard. -7. Repeat this procedure on all your domain controllers. - -> [!NOTE] -> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](./hello-deployment-guide.md) to learn how to deploy automatic certificate enrollment for domain controllers. - -> [!IMPORTANT] -> If you are not using automatic certificate enrollment, create a calendar reminder to alert you two months before the certificate expiration date. Send the reminder to multiple people in the organization to ensure more than one or two people know when these certificates expire. - -#### Validate CDP in the new certificate - -1. Sign-in a domain controller using administrative credentials. -2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer. -3. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. -4. Select the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**. -5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK**.
-![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png)
-
-## Configure and Assign a Trusted Certificate Device Configuration Profile
-
-Your domain controllers have new certificates that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD-joined devices. When you deploy the enterprise root certificates to the device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD-joined devices don't trust domain controller certificates and authentication fails.
-
-Steps you'll perform include:
-- [Export Enterprise Root certificate](#export-enterprise-root-certificate)
-- [Create and Assign a Trust Certificate Device Configuration Profile](#create-and-assign-a-trust-certificate-device-configuration-profile)
-
-### Export Enterprise Root certificate
-
-1. Sign-in a domain controller using administrative credentials.
-2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
-3. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
-4. Select the **Certification Path** tab. In the **Certification path** view, select the topmost node and select **View Certificate**.
-![Certificate Path.](images/aadj/certlm-cert-path-tab.png)
-5. In the new **Certificate** dialog box, select the **Details** tab. Select **Copy to File**.
-![Details tab and copy to file.](images/aadj/certlm-root-cert-details-tab.png)
-6. In the **Certificate Export Wizard**, select **Next**.
-7. On the **Export File Format** page of the wizard, select **Next**.
-8. On the **File to Export** page in the wizard, type the name and location of the root certificate and select **Next**. Select **Finish** and then select **OK** to close the success dialog box.
-![Export root certificate.](images/aadj/certlm-export-root-certificate.png)
-9. Select **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**.
-
-### Create and Assign a Trust Certificate Device Configuration Profile
-
-A **Trusted Certificate** device configuration profile is how you deploy trusted certificates to Azure AD-joined devices.
-
-1. Sign-in to the [Microsoft Azure portal](https://portal.azure.com) and select **Microsoft Intune**.
-2. Select **Device configuration**. In the **Device Configuration** blade, select **Create profile**.
-![Intune Create Profile.](images/aadj/intune-create-device-config-profile.png)
-3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Select **Configure**.
-4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Select **OK**. Select **Create**.
-![Intune Trusted Certificate Profile.](images/aadj/intune-create-trusted-certificate-profile.png)
-5. In the **Enterprise Root Certificate** blade, select **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Select **Save**.
-![Intune Profile assignment.](images/aadj/intune-device-config-enterprise-root-assignment.png)
-6. Sign out of the Microsoft Azure portal.
-> [!NOTE]
-> After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same.
-
-## Configure Windows Hello for Business Device Enrollment
-
-Sign-in a workstation with access equivalent to a _domain user_.
-
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Devices**.
-3. Choose **Enroll devices**.
-4. Select **Windows enrollment**.
-5. Under **Windows enrollment**, select **Windows Hello for Business**.
- ![Create Windows Hello for Business Policy.](images/aadj/MEM.png)
-6. Select **Enabled** from the **Configure Windows Hello for Business** list.
-7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and doesn't allow fall back to software-based keys.
-8. Enter the desired **Minimum PIN length** and **Maximum PIN length**.
- > [!IMPORTANT]
- > The default minimum PIN length for Windows Hello for Business on Windows 10 and Windows 11 is six. Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to six.
-
-9. Select the appropriate configuration for the following settings:
- * **Lowercase letters in PIN**
- * **Uppercase letters in PIN**
- * **Special characters in PIN**
- * **PIN expiration (days)**
- * **Remember PIN history**
-
- > [!NOTE]
- > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
-
-10. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**.
-11. Select **No** to **Allow phone sign-in**. This feature has been deprecated.
-12. Choose **Save**.
-13. Sign out of the Microsoft Endpoint Manager admin center.
-
-> [!IMPORTANT]
-> For more details about the actual experience after everything has been configured, please see [Windows Hello for Business and Authentication](./hello-how-it-works-authentication.md).
-
-> [!NOTE]
-> For access issues in the context of VPN, make sure to check the resolution and workaround described in [Workaround for user security context and access control](/troubleshoot/windows-client/group-policy/group-membership-changes-not-updating-over-some-vpn-connections#workarounds).
-
-## Section Review
-> [!div class="checklist"]
-> * Configure Internet Information Services to host CRL distribution point
-> * Prepare a file share to host the certificate revocation list
-> * Configure the new CRL distribution point in the issuing certificate authority
-> * Publish CRL
-> * Reissue domain controller certificates
-> * Export Enterprise Root certificate
-> * Create and Assign a Trust Certificate Device Configuration Profile
-> * Configure Windows Hello for Business Device Enrollment
-
-If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index e8e87a1d23..fbed200f77 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -4,17 +4,17 @@ description: If you want to use certificates for on-premises single-sign on for
 ms.date: 08/19/2018
 appliesto:
 - ✅ Windows 10 and later
-ms.topic: article
+ms.topic: how-to
 ---
 # Using Certificates for AADJ On-premises Single-sign On
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-aad.md)]
+[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cert-trust-aad.md)]
 If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices.
 > [!IMPORTANT]
-> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue.
+> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso) before you continue.
 Steps you'll perform include:
@@ -848,7 +848,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 Sign-in a workstation with access equivalent to a _domain user_.
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices**, and then select **Configuration Profiles**.
@@ -901,7 +901,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 Sign-in a workstation with access equivalent to a _domain user_.
-1. Sign-in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign-in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices**, and then select **Configuration Profiles**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index 1acc6aa213..d0aa2590f7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -1,37 +1,255 @@
 ---
-title: Azure AD Join Single Sign-on Deployment
-description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business.
-ms.date: 08/19/2018
+title: Configure single sign-on (SSO) for Azure AD joined devices
+description: Learn how to configure single sign-on to on-premises resources for Azure AD-joined devices, using Windows Hello for Business.
+ms.date: 12/30/2022
 appliesto:
 - ✅ Windows 10 and later
 ms.topic: article
 ---
-# Azure AD Join Single Sign-on Deployment
+# Configure single sign-on for Azure AD joined devices
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)]
+[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-keycert-trust-aad.md)]
-Windows Hello for Business combined with Azure Active Directory-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory-joined devices using Windows Hello for Business, using a key or a certificate.
+Windows Hello for Business combined with Azure AD-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Azure AD-joined devices using Windows Hello for Business, using a key or a certificate.
-## Key vs. Certificate
+> [!NOTE]
+> These steps are not needed when using the cloud Kerberos trust model.
-Enterprises can use either a key or a certificate to provide single-sign on for on-premises resources. Both types of authentication provide the same security; one is not more secure than the other.
+## Prerequisites
-When using a key, the on-premises environment needs an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+Unlike hybrid Azure AD-joined devices, Azure AD-joined devices don't have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices:
-When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a certificate requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD-joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector.
+> [!div class="checklist"]
+> - Certificate Revocation List (CRL) Distribution Point
+> - Domain controller certificates
+> - Network infrastructure in place to reach the on-premises domain controllers. If the machines are external, you can use any VPN solution
-To deploy single sign-on for Azure AD-joined devices using keys, read and follow [Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md).
-To deploy single sign-on for Azure AD-joined devices using certificates, read and follow [Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for Azure Active Directory-joined On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).
+### CRL Distribution Point (CDP)
-## Related topics
+Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a *certificate revocation list* (CRL).\
+During certificate validation, Windows compares the current certificate with information in the CRL to determine if the certificate is valid.
-- [Windows Hello for Business](hello-identity-verification.md)
-- [How Windows Hello for Business works](hello-how-it-works.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png)
+The preceding domain controller certificate shows a *CRL distribution point* (CDP) in Active Directory. The value in the URL begins with *ldap*. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure AD joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the CRL. The authentication becomes a circular problem: the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated.
+To resolve this issue, the CRL distribution point must be a location accessible by Azure AD joined devices that doesn't require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
+
+If your CRL distribution point doesn't list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first, in the list of distribution points.
+
+> [!NOTE]
+> If your CA has published both the *Base* and the *Delta CRL*, make sure to publish the *Delta CRL* in the HTTP path. Include web server to fetch the *Delta CRL* by allowing **double escaping** in the (IIS) web server.
+
+### Domain controller certificates
+
+Certificate authorities write CDP information in certificates as they're issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CDP. The domain controller certificate is one the critical components of Azure AD-joined devices authenticating to Active Directory.
+
+#### Why does Windows need to validate the domain controller certificate?
+
+Windows Hello for Business enforces the strict KDC validation security feature when authenticating from an Azure AD joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on an Azure AD joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met:
+
+- The domain controller has the private key for the certificate provided
+- The root CA that issued the domain controller's certificate is in the device's *Trusted Root Certificate Authorities*
+- Use the *Kerberos Authentication certificate template* instead of any other older template
+- The domain controller's certificate has the *KDC Authentication* extended key usage (EKU)
+- The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain
+- The domain controller's certificate's signature hash algorithm is **sha256**
+- The domain controller's certificate's public key is **RSA (2048 Bits)**
+
+Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the *KDC Authentication* EKU. If you're adding Azure AD-joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the *KDC Authentication* EKU.
+
+## Configure a CRL distribution point for an issuing CA
+
+Use this set of procedures to update the CA that issues domain controller certificates to include an http-based CRL distribution point.
+
+### Configure Internet Information Services to host CRL distribution point
+
+You need to host your new certificate revocation list on a web server so Azure AD-joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps are just one and may be useful for admins unfamiliar with adding a new CRL distribution point.
+
+> [!IMPORTANT]
+> Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http.
+
+### Install the web server
+
+1. Sign-in to your server as a local administrator and start **Server Manager** if it didn't start during your sign in
+1. Select the **Local Server** node in the navigation pane. Select **Manage** and select **Add Roles and Features**
+1. In the **Add Role and Features Wizard**, select **Server Selection**. Verify the selected server is the local server. Select **Server Roles**. Select the check box next to **Web Server (IIS)**
+1. Select **Next** through the remaining options in the wizard, accepting the defaults, and install the Web Server role
+
+### Configure the web server
+
+1. From **Windows Administrative Tools**, Open **Internet Information Services (IIS) Manager**
+1. Expand the navigation pane to show **Default Web Site**. Select and then right-click **Default Web site** and select **Add Virtual Directory...**
+1. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**. For physical path, type or browse for the physical file location where you'll host the certificate revocation list. For this example, the path `c:\cdp` is used. Select **OK**
+ ![Add Virtual Directory.](images/aadj/iis-add-virtual-directory.png)
+ > [!NOTE]
+ > Make note of this path as you will use it later to configure share and file permissions.
+
+1. Select **CDP** under **Default Web Site** in the navigation pane. Open **Directory Browsing** in the content pane. Select **Enable** in the details pane
+1. Select **CDP** under **Default Web Site** in the navigation pane. Open **Configuration Editor**
+1. In the **Section** list, navigate to **system.webServer/security/requestFiltering**
+ ![IIS Configuration Editor requestFiltering.](images/aadj/iis-config-editor-requestFiltering.png)
+1. In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**. Select **Apply** in the actions pane
+ ![IIS Configuration Editor double escaping.](images/aadj/iis-config-editor-allowDoubleEscaping.png)
+1. Close **Internet Information Services (IIS) Manager**
+
+### Create a DNS resource record for the CRL distribution point URL
+
+1. On your DNS server or from an administrative workstation, open **DNS Manager** from **Administrative Tools**
+1. Expand **Forward Lookup Zones** to show the DNS zone for your domain. Right-click your domain name in the navigation pane and select **New Host (A or AAAA)...**
+1. In the **New Host** dialog box, type **crl** in **Name**. Type the IP address of the web server you configured in **IP Address**. Select **Add Host**. Select **OK** to close the **DNS** dialog box. Select **Done**
+ ![Create DNS host record.](images/aadj/dns-new-host-dialog.png)
+1. Close the **DNS Manager**
+
+### Prepare a file share to host the certificate revocation list
+
+These procedures configure NTFS and share permissions on the web server to allow the certificate authority to automatically publish the certificate revocation list.
+
+### Configure the CDP file share
+
+1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server)
+1. Right-click the **cdp** folder and select **Properties**. Select the **Sharing** tab. Select **Advanced Sharing**
+1. Select **Share this folder**. Type **cdp$** in **Share name**. Select **Permissions**
+ ![cdp sharing.](images/aadj/cdp-sharing.png)
+1. In the **Permissions for cdp$** dialog box, select **Add**
+1. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, select **Object Types**. In the **Object Types** dialog box, select **Computers**, and then select **OK**
+1. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then select **Check Names**. Select **OK**
+1. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Select **OK**
+ ![CDP Share Permissions.](images/aadj/cdp-share-permissions.png)
+1. In the **Advanced Sharing** dialog box, select **OK**
+
+> [!Tip]
+> Make sure that users can access **\\\Server FQDN\sharename**.
+
+### Disable Caching
+1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server)
+1. Right-click the **cdp** folder and select **Properties**. Select the **Sharing** tab. Select **Advanced Sharing**
+1. Select **Caching**. Select **No files or programs from the shared folder are available offline**
+ ![CDP disable caching.](images/aadj/cdp-disable-caching.png)
+1. Select **OK**
+
+### Configure NTFS permission for the CDP folder
+
+1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server)
+1. Right-click the **cdp** folder and select **Properties**. Select the **Security** tab
+1. On the **Security** tab, select Edit
+1. In the **Permissions for cdp** dialog box, select **Add**
+ ![CDP NTFS Permissions.](images/aadj/cdp-ntfs-permissions.png)
+1. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, select **Object Types**. In the **Object Types** dialog box, select **Computers**. Select **OK**
+1. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then select **Check Names**. Select **OK**
+1. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Select **OK**
+1. Select **Close** in the **cdp Properties** dialog box
+
+### Configure the new CDP and publishing location in the issuing CA
+
+The web server is ready to host the CRL distribution point. Now, configure the issuing certificate authority to publish the CRL at the new location and to include the new CRL distribution point.
+
+#### Configure the CRL distribution Point
+
+1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certification Authority** console from **Administrative Tools**
+1. In the navigation pane, right-click the name of the certificate authority and select **Properties**
+1. Select **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list
+1. On the **Extensions** tab, select **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, `` or `` (don't forget the trailing forward slash)
+ ![CDP New Location dialog box.](images/aadj/cdp-extension-new-location.png)
+1. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**
+1. Type **.crl** at the end of the text in **Location**. Select **OK**
+1. Select the CDP you just created
+ ![CDP complete http.](images/aadj/cdp-extension-complete-http.png)
+1. Select **Include in CRLs. Clients use this to find Delta CRL locations**
+1. Select **Include in the CDP extension of issued certificates**
+1. Select **Apply** save your selections. Select **No** when ask to restart the service
+
+> [!NOTE]
+> Optionally, you can remove unused CRL distribution points and publishing locations.
+
+#### Configure the CRL publishing location
+
+1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**
+1. In the navigation pane, right-click the name of the certificate authority and select **Properties**
+1. Select **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list
+1. On the **Extensions** tab, select **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (don't forget the trailing backwards slash)
+1. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**
+1. Type **.crl** at the end of the text in **Location**. Select **OK**
+1. Select the CDP you just created
+ ![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png)
+1. Select **Publish CRLs to this location**
+1. Select **Publish Delta CRLs to this location**
+1. Select **Apply** save your selections. Select **Yes** when ask to restart the service. Select **OK** to close the properties dialog box
+
+#### Publish a new CRL
+
+1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**
+1. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and select **Publish**
+ ![Publish a New CRL.](images/aadj/publish-new-crl.png)
+1. In the **Publish CRL** dialog box, select **New CRL** and select **OK**
+
+#### Validate CDP Publishing
+
+Validate the new CRL distribution point is working.
+
+1. Open a web browser. Navigate to `http://crl.[yourdomain].com/cdp`. You should see two files created from publishing the new CRL
+ ![Validate the new CRL.](images/aadj/validate-cdp-using-browser.png)
+
+#### Reissue domain controller certificates
+
+With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate doesn't have the updated CRL distribution point.
+
+1. Sign-in a domain controller using administrative credentials
+1. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer
+1. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, select the existing domain controller certificate that includes **KDC Authentication** in the list of **Intended Purposes**
+ ![Certificate Manager Personal store.](images/aadj/certlm-personal-store.png)
+1. Right-click the selected certificate. Hover over **All Tasks** and then select **Renew Certificate with New Key...**. In the **Certificate Enrollment** wizard, select **Next**
+ ![Renew with New key.](images/aadj/certlm-renew-with-new-key.png)
+1. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available. Select **Enroll**
+1. After the enrollment completes, select **Finish** to close the wizard
+1. Repeat this procedure on all your domain controllers
+
+> [!NOTE]
+> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](./hello-deployment-guide.md) to learn how to deploy automatic certificate enrollment for domain controllers.
+
+> [!IMPORTANT]
+> If you are not using automatic certificate enrollment, create a calendar reminder to alert you two months before the certificate expiration date. Send the reminder to multiple people in the organization to ensure more than one or two people know when these certificates expire.
+
+#### Validate CDP in the new certificate
+
+1. Sign-in a domain controller using administrative credentials
+1. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer
+1. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**
+1. Select the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**
+1. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK**
+ ![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png)
+
+## Deploy the root CA certificate to Azure AD-joined devices
+
+The domain controllers have a certificate that includes the new CRL distribution point. Next, you need the enterprise root certificate so you can deploy it to Azure AD-joined devices. When you deploy the enterprise root certificates to a device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD-joined devices don't trust domain controller certificates and authentication fails.
+
+### Export the enterprise root certificate
+
+1. Sign-in a domain controller using administrative credentials
+1. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer
+1. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**
+1. Select the **Certification Path** tab. In the **Certification path** view, select the topmost node and select **View Certificate**
+ ![Certificate Path.](images/aadj/certlm-cert-path-tab.png)
+1. In the new **Certificate** dialog box, select the **Details** tab. Select **Copy to File**
+ ![Details tab and copy to file.](images/aadj/certlm-root-cert-details-tab.png)
+1. In the **Certificate Export Wizard**, select **Next**
+1. On the **Export File Format** page of the wizard, select **Next**
+1. On the **File to Export** page in the wizard, type the name and location of the root certificate and select **Next**. Select **Finish** and then select **OK** to close the success dialog box
+ ![Export root certificate.](images/aadj/certlm-export-root-certificate.png)
+1. Select **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**
+
+### Deploy the certificate via Intune
+
+To configure devices with Microsoft Intune, use a custom policy:
+
+1. Go to the Microsoft Intune admin center
+1. Select **Devices > Configuration profiles > Create profile**
+1. Select **Platform > Windows 8.1 and later** and **Profile type > Trusted certificate**
+1. Select **Create**
+1. In **Configuration settings**, select the folder icon and browse for the enterprise root certificate file. Once the file is selected, select **Open** to upload it to Intune
+1. Under **Destination store** dropdown, select **Computer certificate store - Root**
+1. Select **Next**
+1. Under **Assignment**, select a security group that contains as members the devices or users that you want to configure > **Next**
+1. Review the policy configuration and select **Create**
+
+If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). Otherwise, you can sign in to an Azure AD joined device with Windows Hello for Business and test SSO to an on-premises resource.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
deleted file mode 100644
index 234f257566..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
+++ /dev/null
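Review bot: The CDP location step under *Configure the CRL distribution Point* has lost its concrete values on the new side: the sentence ending in `(don't forget the trailing forward slash)` shows two empty code spans where example URLs belong, and `Select **\** from the **Variable** list and select **Insert**` is repeated three times (and again under *Configure the CRL publishing location*) without naming any variable, so a reader cannot reproduce the step. Angle-bracketed placeholders are the likely casualty, possibly stripped by this page's rendering rather than by the commit; if the markdown source also lacks them, restore the example URL and the CA variable names (presumably `<CaName>`, `<CRLNameSuffix>` and `<DeltaCRLAllowed>`, which together with the `.crl` suffix added in the following step form the published file name). On a separate least-privilege point, the share and NTFS steps grant the CA computer account **Full control** on the `cdp` folder, while publishing CRL files only needs write/modify access; unless CA publishing is known to require more, a short `> [!NOTE]` stating that *Modify* is sufficient would keep the web server's exposure smaller.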
@@ -1,138 +0,0 @@ ---- -title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business) -description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on. -ms.date: 4/30/2021 -appliesto: -- ✅ Windows 10 and later -ms.topic: article ---- -# Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation - -[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] - -Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies - -- [Active Directory](#active-directory) -- [Public Key Infrastructure](#public-key-infrastructure) -- [Azure Active Directory](#azure-active-directory) -- [Multifactor Authentication Services](#multifactor-authentication-services) - -New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) section to prepare your Windows Hello for Business deployment by configuring Azure device registration. - -The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. This document expects you have Active Directory deployed using Windows Server 2008 R2 or later domain controllers. 
- -## Active Directory ## - -Production environments should follow Active Directory best practices regarding the number and placement of domain controllers to ensure adequate authentication throughout the organization. - -Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal. - -### Section Review - -> [!div class="checklist"] -> * Minimum Windows Server 2008 R2 domain controllers -> * Minimum Windows Server 2008 R2 domain and forest functional level -> * Functional networking, name resolution, and Active Directory replication - -## Public Key Infrastructure - -Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. - -This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. 
- -For more details about configuring a Windows enterprise public key infrastructure and installing Active Directory Certificate Services, see [Follow the Windows Hello for Business hybrid key trust deployment guide](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki#follow-the-windows-hello-for-business-hybrid-key-trust-deployment-guide) and [Install the Certification Authority](/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority). - -> [!NOTE] -> Never install a certificate authority on a domain controller in a production environment. - -### Lab-based public key infrastructure - -The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. - -Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. - -1. Open an elevated Windows PowerShell prompt. -2. Use the following command to install the Active Directory Certificate Services role. - ```PowerShell - Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools - ``` - -3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. - ```PowerShell - Install-AdcsCertificationAuthority - ``` - -### Configure a Production Public Key Infrastructure - -If you do have an existing public key infrastructure, please review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your public key infrastructure using the information from your design session. 
- -### Section Review ### - -> [!div class="checklist"] -> * Minimum Windows Server 2012 Certificate Authority. -> * Enterprise Certificate Authority. -> * Functioning public key infrastructure. - -## Azure Active Directory ## -You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities. - -The next step of the deployment is to follow the [Creating an Azure AD tenant](/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization. - -### Section Review - -> [!div class="checklist"] -> * Review the different ways to establish an Azure Active Directory tenant. -> * Create an Azure Active Directory Tenant. -> * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary. - -## Multifactor Authentication Services -Windows Hello for Business uses multi-factor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multi-factor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA - -Review the [What is Azure AD Multi-Factor Authentication](/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. - -### Azure AD Multi-Factor Authentication (MFA) Cloud ### -> [!IMPORTANT] -> As long as your users have licenses that include Azure AD Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: -> * Azure AD Multi-Factor Authentication -> * Azure Active Directory Premium -> * Enterprise Mobility + Security -> -> If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section. 
- -#### Azure MFA Provider #### -If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant. - -#### Configure Azure MFA Settings #### -Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure AD Multi-Factor Authentication settings](/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. - -#### Azure MFA User States #### -After you have completed configuring your Azure MFA settings, you want to review configure [User States](/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. - -### Azure MFA via ADFS 2016 ### -Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section - -### Section Review - -> [!div class="checklist"] - -> * Review the overview and uses of Azure AD Multi-Factor Authentication Authentication. -> * Review your Azure Active Directory subscription for Azure AD Multi-Factor Authentication. -> * Create an Azure AD Multi-Factor Authentication Provider, if necessary. -> * Configure Azure AD Multi-Factor Authentication features and settings. -> * Understand the different User States and their effect on Azure AD Multi-Factor Authentication. 
-> * Consider using Azure AD Multi-Factor Authentication or a third-party multifactor authentication provider with Windows Server 2016 Active Directory Federation Services, if necessary. - -> [!div class="nextstepaction"] -> [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) - -

                                - -
                                -
-## Follow the Windows Hello for Business hybrid certificate trust deployment guide
-1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-3. New Installation Baseline (*You are here*)
-4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
deleted file mode 100644
index 997dbea6e9..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ /dev/null
@@ -1,553 +0,0 @@ ---- -title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business -description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business) -ms.date: 4/30/2021 -appliesto: -- ✅ Windows 10 and later -ms.topic: article ---- -# Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business - -[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)] - -Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. - -> [!IMPORTANT] -> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. - ->[!TIP] ->Refer to the [Tutorial: Configure hybrid Azure Active Directory join for federated domains](/azure/active-directory/devices/hybrid-azuread-join-federated-domains) to learn more about setting up Azure Active Directory Connect for a simplified join flow for Azure AD device registration. - -Use this three-phased approach for configuring device registration. - -1. [Configure devices to register in Azure](#configure-hybrid-azure-ad-join) -2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization) -3. 
[Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices) - -> [!NOTE] -> Before proceeding, you should familiarize yourself with device registration concepts such as: -> -> - Azure AD registered devices -> - Azure AD-joined devices -> - Hybrid Azure AD-joined devices -> -> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction) - ->[!IMPORTANT] -> To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594). - -## Configure Hybrid Azure AD join - -To support hybrid Windows Hello for Business, configure hybrid Azure AD join. - -Follow the guidance on [How to configure hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment. - -If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps: - -- Configure Azure AD Connect to sync the user's on-premises UPN to the `onPremisesUserPrincipalName attribute` in Azure AD. -- Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD. - -You can learn more about this scenario by reading [Review on-premises UPN support for Hybrid Azure Ad join](/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join). 
- -> [!NOTE] -> Windows Hello for Business Hybrid key trust is not supported, if your users' on-premises domain cannot be added as a verified domain in Azure AD. - -## Configure Active Directory to support Azure device synchronization - -Azure Active Directory is now configured for device registration. Next, you need to configure the on-premises Active Directory to support synchronizing hybrid Azure AD-joined devices. Begin with upgrading the Active Directory Schema - -### Upgrading Active Directory to the Windows Server 2016 or later Schema - -To use Windows Hello for Business with Hybrid Azure AD-joined devices, you must first upgrade your Active Directory schema to Windows Server 2016 or later. - -> [!IMPORTANT] -> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 or later Schema** (this section). - -#### Identify the schema role domain controller - -To locate the schema master role holder, open and command prompt and type: - -```Netdom query fsmo | findstr -i schema``` - -![Netdom example output.](images/hello-cmd-netdom.png) - -The command should return the name of the domain controller where you need to run adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. - -#### Updating the Schema - -Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. - -Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. 
- -Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials. - -1. Open an elevated command prompt. -2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. -3. To update the schema, type ```adprep /forestprep```. -4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. -5. Close the Command Prompt and sign out. - -> [!NOTE] -> If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured. - -### Setup Active Directory Federation Services - -If you're new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service. -Review the [AD FS Design guide](/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service. - -Once you have your AD FS design ready, review [Deploying a Federation Server farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment. -> [!IMPORTANT] -> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures. - -The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). 
If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) - -#### ADFS Web Proxy ### - -Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network. -Use the [Setting of a Federation Proxy](/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment. - -### Deploy Azure AD Connect - -Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771). - -When you're ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**. - -### Create AD objects for AD FS Device Authentication - -If your AD FS farm isn't already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. 
-![Device Registration: AD FS](images/hybridct/device1.png) - -> [!NOTE] -> The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. - -1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. - ![Device Registration: Overview](images/hybridct/device2.png) -2. On your AD FS primary server, ensure you're logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: - `Import-module activedirectory` - `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName ""` -3. On the pop-up window, click **Yes**. - - > [!NOTE] - > If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" - - ![Device Registration: Domain](images/hybridct/device3.png) - The above PSH creates the following objects: - - - RegisteredDevices container under the AD domain partition - - Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration - - Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration - - ![Device Registration: Tests](images/hybridct/device4.png)
                                -4. Once this is done, you'll see a successful completion message. - - ![Device Registration: Completion](images/hybridct/device5.png) - -### Create Service Connection Point (SCP) in Active Directory -If you plan to use Windows domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS - -1. Open Windows PowerShell and execute the following: - - `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"` - - > [!NOTE] - > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep - - ![Device Registration AdPrep](images/hybridct/device6.png) -2. Provide your Azure AD global administrator credentials - - `PS C:>$aadAdminCred = Get-Credential` - - ![Device Registration: Credential](images/hybridct/device7.png) -3. Run the following PowerShell command - - `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred` - - Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. - -The above commands enable Windows clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS. - -### Prepare AD for Device Write Back -To ensure AD DS objects and containers are in the correct state for write back of devices from Azure AD, do the following. - -1. 
Open Windows PowerShell and execute the following: - - `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name]` - - Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format - -The above command creates the following objects for device write back to AD DS, if they don't exist already, and allows access to the specified AD connector account name - -- RegisteredDevices container in the AD domain partition -- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration - -### Enable Device Write Back in Azure AD Connect - -If you haven't done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets - -## Configure AD FS to use Azure registered devices - -### Configure issuance of claims - -In a federated Azure AD configuration, devices rely on Active Directory Federation Services (AD FS) or a third party on-premises federation service to authenticate to Azure AD. Devices authenticate to get an access token to register against the Azure Active Directory Device Registration Service (Azure DRS). - -Windows current devices authenticate using Integrated Windows Authentication to an active WS-Trust endpoint (either 1.3 or 2005 versions) hosted by the on-premises federation service. 
- -When you're using AD FS, you need to enable the following WS-Trust endpoints: -`/adfs/services/trust/2005/windowstransport` -`/adfs/services/trust/13/windowstransport` -`/adfs/services/trust/2005/usernamemixed` -`/adfs/services/trust/13/usernamemixed` -`/adfs/services/trust/2005/certificatemixed` -`/adfs/services/trust/13/certificatemixed` - -> [!WARNING] -> Both **adfs/services/trust/2005/windowstransport** and **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust Windows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**. - -> [!NOTE] ->If you don’t have AD FS as your on-premises federation service, follow the instructions from your vendor to make sure they support WS-Trust 1.3 or 2005 endpoints and that these are published through the Metadata Exchange file (MEX). - -The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information that is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises. 
- -- `http://schemas.microsoft.com/ws/2012/01/accounttype` -- `http://schemas.microsoft.com/identity/claims/onpremobjectguid` -- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid` - -If you've more than one verified domain name, you need to provide the following claim for computers: - -- `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid` - -If you're already issuing an ImmutableID claim (for example, alternate sign in ID) you need to provide one corresponding claim for computers: - -- `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID` - -In the following sections, you find information about: - -- The values each claim should have -- How a definition would look like in AD FS - -The definition helps you to verify whether the values are present or if you need to create them. - -> [!NOTE] -> If you don't use AD FS for your on-premises federation server, follow your vendor's instructions to create the appropriate configuration to issue these claims. - -#### Issue account type claim - -**`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this: - -```powershell - - @RuleName = "Issue account type for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "DJ" - ); -``` - -#### Issue objectGUID of the computer account on-premises - -**`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. 
In AD FS, you can add an issuance transform rule that looks like this: - -```powershell - - @RuleName = "Issue object GUID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), - query = ";objectguid;{0}", - param = c2.Value - ); -``` - -#### Issue objectSID of the computer account on-premises - -**`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: - -```powershell - - @RuleName = "Issue objectSID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue(claim = c2); -``` - -#### Issue issuerID for computer when multiple verified domain names in Azure AD - -**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or third party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. 
computer authentication is added. - -```powershell - - @RuleName = "Issue account type with the value User when it is not a computer" - - NOT EXISTS( - [ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "DJ" - ] - ) - => add( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "User" - ); - - @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" - c1:[ - Type == "http://schemas.xmlsoap.org/claims/UPN" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "User" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = regexreplace( - c1.Value, - ".+@(?.+)", - "http://${domain}/adfs/services/trust/" - ) - ); - - @RuleName = "Issue issuerID for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = "http:///adfs/services/trust/" - ); -``` - -In the claim above, - -- `$` is the AD FS service URL -- `` is a placeholder you need to replace with one of your verified domain names in Azure AD - -For more information about verified domain names, see [Add a custom domain name to Azure Active Directory](/azure/active-directory/active-directory-add-domain). -To get a list of your verified company domains, you can use the [Get-MsolDomain](/powershell/module/msonline/get-msoldomain?view=azureadps-1.0&preserve-view=true) cmdlet. - -#### Issue ImmutableID for computer when one for users exist (for example, alternate login ID is set) - -**`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. 
In AD FS, you can create an issuance transform rule as follows: - -```powershell - - @RuleName = "Issue ImmutableID for computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), - query = ";objectguid;{0}", - param = c2.Value - ); -``` - -#### Helper script to create the AD FS issuance transform rules - -The following script helps you with the creation of the issuance transform rules described above. - -```powershell - - $multipleVerifiedDomainNames = $false - $immutableIDAlreadyIssuedforUsers = $false - $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains - - $rule1 = '@RuleName = "Issue account type for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "DJ" - );' - - $rule2 = '@RuleName = "Issue object GUID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), - query = ";objectguid;{0}", - param = c2.Value - );' - - $rule3 = '@RuleName = "Issue objectSID for 
domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue(claim = c2);' - - $rule4 = '' - if ($multipleVerifiedDomainNames -eq $true) { - $rule4 = '@RuleName = "Issue account type with the value User when it is not a computer" - NOT EXISTS( - [ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "DJ" - ] - ) - => add( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "User" - ); - - @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" - c1:[ - Type == "http://schemas.xmlsoap.org/claims/UPN" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "User" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = regexreplace( - c1.Value, - ".+@(?.+)", - "http://${domain}/adfs/services/trust/" - ) - ); - - @RuleName = "Issue issuerID for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/" - );' - } - - $rule5 = '' - if ($immutableIDAlreadyIssuedforUsers -eq $true) { - $rule5 = '@RuleName = "Issue ImmutableID for computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF 
AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), - query = ";objectguid;{0}", - param = c2.Value - );' - } - - $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules - - $updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5 - - $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules - - Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString -``` - -#### Remarks - -- This script appends the rules to the existing rules. Don't run the script twice because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again. - -- If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here's an example for this rule: - - ```Claims Rule Language - c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] - => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); - ``` - -- If you've already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**. 
- -#### Configure Device Authentication in AD FS - -Using an elevated PowerShell command window, configure AD FS policy by executing the following command - -`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod SignedToken` - -#### Check your configuration - -For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work - -- object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain> - - read access to the AD FS service account - - read/write access to the Azure AD Connect sync AD connector account -- Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> -- Container Device Registration Service DKM under the above container - - ![Device Registration: Container](images/hybridct/device8.png) - -- object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - - read/write access to the specified AD connector account name on the new object -- object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> -- object of type msDS-DeviceRegistrationService in the above container - -> [!div class="nextstepaction"] -> [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) - -
                                -
                                - -## Follow the Windows Hello for Business hybrid certificate trust deployment guide - -1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. Configure Azure Device Registration (*You are here*) -5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
deleted file mode 100644
index 56e0d50918..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ /dev/null
@@ -1,157 +0,0 @@ ---- -title: Hybrid Azure AD joined Windows Hello for Business Prerequisites -description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust. -ms.date: 4/30/2021 -appliesto: -- ✅ Windows 10 and later -ms.topic: article ---- -# Hybrid Azure AD joined Windows Hello for Business Prerequisites - -[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] - -Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. - -The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: - -- [Directories](#directories) -- [Public Key Infrastructure](#public-key-infrastructure) -- [Directory Synchronization](#directory-synchronization) -- [Federation](#federation) -- [Multifactor Authentication](#multifactor-authentication) -- [Device Registration](#device-registration) - -## Directories ## - -Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain controller, domain functional level, and forest functional level for Windows Hello for Business deployment is Windows Server 2008 R2. - -A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. 
Other deployments, such as the hybrid key-trust deployment, may not require Azure Active Directory premium subscription. - -Windows Hello for Business can be deployed in any environment with Windows Server 2012 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory or later schema. - -Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. - -### Section Review ### - -> [!div class="checklist"] -> * Active Directory Domain Functional Level -> * Active Directory Forest Functional Level -> * Domain Controller version -> * Windows Server 2016 or later Schema -> * Azure Active Directory subscription -> * Correct subscription for desired features and outcomes - -
                                - -## Public Key Infrastructure ## - -The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows devices to trust the domain controller. - -Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AD FS) as a certificate registration authority. - -The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. - -### Section Review - -> [!div class="checklist"] -> * Windows Server 2012 Issuing Certificate Authority -> * Windows Server 2016 Active Directory Federation Services - -
                                - -## Directory Synchronization ## - -The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. - -Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema). - -> [!NOTE] -> User accounts enrolling for Windows Hello for Business in a Hybrid Certificate Trust scenario must have a UPN matching a verified domain name in Azure AD. For more details, see [Troubleshoot Post-Join issues](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-post-join-issues). - -> [!NOTE] -> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. - -### Section Review - -> [!div class="checklist"] -> * Azure Active Directory Connect directory synchronization -> * [Upgrade from DirSync](/azure/active-directory/connect/active-directory-aadconnect-dirsync-upgrade-get-started) -> * [Upgrade from Azure AD Sync](/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version) - -
                                - -## Federation ## - -Windows Hello for Business hybrid certificate trust requires Active Directory being federated with Azure Active Directory and needs Windows Server 2016 Active Directory Federation Services or newer. Windows Hello for Business hybrid certificate trust doesn’t support Managed Azure Active Directory using Pass-through authentication or password hash sync. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices. - -The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) - -### Section Review ### - -> [!div class="checklist"] -> * Windows Server 2016 Active Directory Federation Services -> * Minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) - -
                                - -## Multifactor Authentication ## - -Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication. - -Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service, or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. - -### Section Review - -> [!div class="checklist"] -> * Azure MFA Service -> * Windows Server 2016 AD FS and Azure -> * Windows Server 2016 AD FS and third party MFA Adapter - -
                                - -## Device Registration ## - -Organizations wanting to deploy hybrid certificate trust need their domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. - -Hybrid certificate trust deployments need the device write back feature. Authentication to the Windows Server 2016 Active Directory Federation Services needs both the user and the computer to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the computer and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device writeback, which is an Azure Active Directory premium feature. - -> [!NOTE] -> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory, and therefore the device writeback is used to update the msDS-KeyCredentialLink on the computer object. - -## Provisioning - -You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. - - -### Section Checklist ### - -> [!div class="checklist"] -> * Azure Active Directory Device writeback -> * Azure Active Directory Premium subscription - -
                                - -### Next Steps ### -Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**. - -If your environment is already federated, but does not include Azure device registration, choose **Configure Azure Device Registration**. - -If your environment is already federated and supports Azure device registration, choose **Configure Windows Hello for Business settings**. - -> [!div class="op_single_selector"] -> - [New Installation Baseline](hello-hybrid-cert-new-install.md) -> - [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -> - [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) - -

                                - -
                                - -## Follow the Windows Hello for Business hybrid certificate trust deployment guide - -1. [Overview](hello-hybrid-cert-trust.md) -2. Prerequisites (*You are here*) -3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md
new file mode 100644
index 0000000000..788cd8af15
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md
@@ -0,0 +1,82 @@ +--- +title: Configure and validate the Public Key Infrastructure in an hybrid certificate trust model +description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model. +ms.date: 01/03/2023 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: tutorial +--- +# Configure and validate the Public Key Infrastructure - hybrid certificate trust + +[!INCLUDE [hello-hybrid-cert-trust](./includes/hello-hybrid-cert-trust.md)] + +Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers. + +Hybrid certificate trust deployments issue users a sign-in certificate, enabling them to authenticate to Active Directory using Windows Hello for Business credentials. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates. + +[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)] + +## Configure the enterprise PKI + +[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)] + +> [!NOTE] +> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for hybrid Azure AD-joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD-joined devices. + +> [!IMPORTANT] +> For Azure AD joined devices to authenticate to on-premises resources, ensure to: +> - Install the root CA certificate in the device's trusted root certificate store. 
See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune +> - Publish your certificate revocation list to a location that is available to Azure AD-joined devices, such as a web-based URL + +[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)] + +[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)] + +[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)] + +[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)] + +### Publish the certificate templates to the CA + +A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. + +Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials. + +1. Open the **Certification Authority** management console +1. Expand the parent node from the navigation pane +1. Select **Certificate Templates** in the navigation pane +1. Right-click the **Certificate Templates** node. Select **New > Certificate Template to issue** +1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *WHFB Enrollment Agent* and *WHFB Authentication* templates you created in the previous steps > select **OK** +1. Close the console + +> [!IMPORTANT] +> If you plan to deploy **Azure AD joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md). 
+ -## Configure and deploy certificates to domain controllers - -[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)] - -## Validate the configuration - -[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)] - -## Section review and next steps - -Before moving to the next section, ensure the following steps are complete: - -> [!div class="checklist"] -> - Configure domain controller certificates -> - Supersede existing domain controller certificates -> - Unpublish superseded certificate templates -> - Configure an enrollment agent certificate template -> - Configure an authentication certificate template -> - Publish the certificate templates to the CA -> - Deploy certificates to the domain controllers -> - Validate the domain controllers configuration - -> [!div class="nextstepaction"] -> [Next: configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md) - - -[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
index caf8cfe867..b8a7d72fe0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@@ -1,45 +1,132 @@ --- -title: Hybrid Certificate Trust Deployment (Windows Hello for Business) -description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. -ms.date: 09/08/2017 +title: Windows Hello for Business hybrid certificate trust deployment +description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario. +ms.date: 12/28/2022 appliesto: - ✅ Windows 10 and later -ms.topic: article +- ✅ Windows Server 2016 and later +ms.topic: how-to --- -# Hybrid Azure AD joined Certificate Trust Deployment -[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] +# Hybrid certificate trust deployment -Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. +[!INCLUDE [hello-hybrid-cert-trust](./includes/hello-hybrid-cert-trust.md)] -It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). +Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources. 
-This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment. +This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario. -## New Deployment Baseline +> [!IMPORTANT] +> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md). -The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. +It is recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. -This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. 
+## Prerequisites +The following prerequisites must be met for a hybrid certificate trust deployment: -## Federated Baseline +> [!div class="checklist"] +> * Directories and directory synchronization +> * Federated authentication to Azure AD +> * Device registration +> * Public Key Infrastructure +> * Multi-factor authentication +> * Device management -The federated baseline helps organizations that have completed their federation with Azure Active Directory and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. +### Directories and directory synchronization -Regardless of the baseline you choose, your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. +Hybrid Windows Hello for Business needs two directories: + +- An on-premises Active Directory +- An Azure Active Directory tenant with an Azure AD Premium subscription + +The two directories must be synchronized with [Azure AD Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Azure AD. +The hybrid-certificate trust deployment needs an *Azure Active Directory Premium* subscription because it uses the device write-back synchronization feature. + +> [!NOTE] +> Windows Hello for Business hybrid certificate trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Azure AD. + +> [!IMPORTANT] +> Windows Hello for Business is tied between a user and a device. 
Both the user and device object must be synchronized between Azure Active Directory and Active Directory. + +### Federated authentication to Azure AD + +Windows Hello for Business hybrid certificate trust doesn't support Azure AD *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\ +Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Azure Active Directory using AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices. + +If you're new to AD FS and federation services: + +- Review [key AD FS concepts][SER-3] prior to deploying the AD FS farm +- Review the [AD FS design guide][SER-4] to design and plan your federation service + +Once you have your AD FS design ready: + +- Review [deploying a federation server farm][SER-2] to configure AD FS in your environment + +The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). + +### Device registration + +Windows devices must be registered in Azure AD. Devices can be registered in Azure AD using either *Azure AD join* or *hybrid Azure AD join*.\ +For *hybrid Azure AD joined* devices, review the guidance on the [plan your hybrid Azure Active Directory join implementation][AZ-8] page. + +Hybrid certificate trust deployments need the device write back feature. Authentication to AD FS needs both the user and the computer to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the computer and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back. + +> [!NOTE] +> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. 
Device write-back is used to update the msDS-KeyCredentialLink attribute on the computer object. + +Refer to the [configure hybrid Azure Active Directory join for federated domains][AZ-10] guide to learn more about setting up Azure AD Connect Sync to support Azure AD device registration. +For a manual configuration of your AD FS farm to support device registration, review the [Configure AD FS for Azure AD device registration][AZ-11] guide. + +### Public Key Infrastructure + +An enterprise public key infrastructure (PKI) is required as *trust anchor* for authentication. Domain controllers require a certificate for Windows clients to trust them.\ +The enterprise PKI and a certificate registration authority (CRA) are required to issue authentication certificates to users. Hybrid certificate trust deployment uses AD FS as a CRA. + +During Windows Hello for Business provisioning, users receive a sign-in certificate through the CRA. + +### Multi-factor authentication + +The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\ +Hybrid deployments can use: + +- [Azure AD Multi-Factor Authentication][AZ-2] +- A multi-factor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS + +For more information how to configure Azure AD Multi-Factor Authentication, see [Configure Azure AD Multi-Factor Authentication settings][AZ-3].\ +For more information how to configure AD FS to provide multi-factor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1]. + +### Device management + +To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy. 
+ +## Next steps + +Once the prerequisites are met, deploying Windows Hello for Business with a hybrid key trust model consists of the following steps: + +> [!div class="checklist"] +> * Configure and validate the PKI +> * Configure AD FS +> * Configure Windows Hello for Business settings +> * Provision Windows Hello for Business on Windows clients +> * Configure single sign-on (SSO) for Azure AD joined devices > [!div class="nextstepaction"] -> [Prerequisites](hello-hybrid-cert-trust-prereqs.md) +> [Next: configure and validate the Public Key Infrastructure >](hello-hybrid-cert-trust-validate-pki.md) -

                                + +[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis +[AZ-2]: /azure/multi-factor-authentication/multi-factor-authentication +[AZ-3]: /azure/multi-factor-authentication/multi-factor-authentication-whats-next +[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd +[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler +[AZ-6]: /azure/active-directory/hybrid/whatis-phs +[AZ-7]: /azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication +[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan +[AZ-9]: /azure/active-directory/devices/hybrid-azuread-join-federated-domains +[AZ-10]: /azure/active-directory/devices/howto-hybrid-azure-ad-join#federated-domains +[AZ-11]: /azure/active-directory/devices/hybrid-azuread-join-manual -
                                - -## Follow the Windows Hello for Business hybrid certificate trust deployment guide - -1. Overview (*You are here*) -2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. [Device Registration](hello-hybrid-cert-trust-devreg.md) -5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
\ No newline at end of file
+[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
+[SER-2]: /windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm
+[SER-3]: /windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts
+[SER-4]: /windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index fa4284edd5..a1a88d6f2e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -1,43 +1,173 @@
 ---
-title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business)
-description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business.
-ms.date: 4/30/2021
+title: Windows Hello for Business hybrid certificate trust clients configuration and enrollment
+description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario.
+ms.date: 01/03/2023
 appliesto:
 - ✅ Windows 10 and later
-ms.topic: article
+ms.topic: tutorial
 ---
-# Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+# Configure and provision Windows Hello for Business - hybrid certificate trust
-## Provisioning
+[!INCLUDE [hello-hybrid-certificate-trust](./includes/hello-hybrid-cert-trust.md)]
-The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
+## Policy Configuration
-![Event358 from User Device Registration log showing Windows Hello for Business prerequisite check result.](images/Event358.png)
+After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
-The first thing to validate is the computer has processed device registration. 
You can view this from the User device registration logs where the check **Device is Azure Active Directory-joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
+#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
-Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**.
+> [!IMPORTANT]
+> The information in this section applies to hybrid Azure AD joined devices only.
-![Setup a PIN Provisioning.](images/setupapin.png)
+For hybrid Azure AD joined devices, you can use group policies to configure Windows Hello for Business.
+It is suggested to create a security group (for example, *Windows Hello for Business Users*) to make it easy to deploy Windows Hello for Business in phases. You assign the **Group Policy** and **Certificate template permissions** to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate.
-The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
-
-![MFA prompt during provisioning.](images/mfa.png)
+### Enable Windows Hello for Business group policy setting
-After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment. 
+The *Enable Windows Hello for Business* group policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to **enabled**.\
+You can configure the *Enable Windows Hello for Business* setting for computer or users:
-![Create a PIN during provisioning.](images/createPin.png)
+- Deploying this policy setting to computers (or group of computers) results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment
+- Deploying this policy setting to a user (or group of users), results in only that user attempting a Windows Hello for Business enrollment
-The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment.
+If both user and computer policy settings are deployed, the user policy setting has precedence.
-- A successful single factor authentication (username and password at sign-in)
-- A device that has successfully completed device registration
-- A fresh, successful multi-factor authentication
-- A validated PIN that meets the PIN complexity requirements
+### Use certificate for on-premises authentication group policy setting
-The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. Azure Active Directory Connect synchronizes the user's key to the on-premises Active Directory.
+The *Use certificate for on-premises authentication* group policy setting determines if the deployment uses the *key-trust* or *certificate trust* authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. 
If you do not configure this policy setting, Windows considers the deployment to use key-trust authentication.
+
+### Enable automatic enrollment of certificates group policy setting
+
+Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business *authentication certificate* template.
+
+The process requires no user interaction, provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires.
+
+### Enable and configure Windows Hello for Business
+
+Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+1. Expand the domain and select the **Group Policy Object** node in the navigation pane
+1. Right-click **Group Policy object** and select **New**
+1. Type *Enable Windows Hello for Business* in the name box and select **OK**
+1. In the content pane, right-click the **Enable Windows Hello for Business** group policy object and select **Edit**
+1. In the navigation pane, expand **Policies** under **User Configuration**
+1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**
+1. In the content pane, open **Use Windows Hello for Business**. Select **Enable > OK**
+1. Open **Use certificate for on-premises authentication**. Select **Enable > OK**
+1. Expand **Windows Settings > Security Settings > Public Key Policies**
+1. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**
+1. Select **Enabled** from the **Configuration Model** list
+1. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check boxes
+1. Select the **Update certificates that use certificate templates** check box
+1. 
Select **OK**
+1. Close the **Group Policy Management Editor**
+
+> [!NOTE]
+> Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*.
+>
+> For more information about these policies, see [Group Policy settings for Windows Hello for Business](hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business).
+
+### Configure security for GPO
+
+The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout.
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+1. Expand the domain and select the **Group Policy Object** node in the navigation pane
+1. Open the **Enable Windows Hello for Business** GPO
+1. In the **Security Filtering** section of the content pane, select **Add**. Type the name of the security group you previously created (for example, *Windows Hello for Business Users*) and select **OK**
+1. Select the **Delegation** tab. Select **Authenticated Users > Advanced**
+1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK**
+
+### Deploy the Windows Hello for Business Group Policy object
+
+The application of Group Policy object uses security group filtering. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all users. The security group filtering ensures that only the members of the *Windows Hello for Business Users* global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+1. 
In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO**
+1. In the **Select GPO** dialog box, select *Enable Windows Hello for Business* or the name of the Windows Hello for Business Group Policy object you previously created and select **OK**
+
+### Add members to the targeted group
+
+Users (or devices) must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding members to the *Windows Hello for Business Users* group. Users and groups who aren't members of this group won't attempt to enroll for Windows Hello for Business.
+
+#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
+
+## Configure Windows Hello for Business using Microsoft Intune
+
+> [!IMPORTANT]
+> The information in this section applies to Azure AD joined devices managed by Intune. Before proceeding, ensure that you completed the steps described in:
+> - [Configure single sign-on for Azure AD joined devices](hello-hybrid-aadj-sso.md)
+> - [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md)
+
+For Azure AD joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
+
+There are different ways to enable and configure Windows Hello for Business in Intune:
+
+- Using a policy applied at the tenant level. The tenant policy:
+ - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune
+ - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
+- A device configuration policy that is applied *after* device enrollment. 
Any changes to the policy will be applied to the devices during regular policy refresh intervals. Chose from the following policy types:
+ - [Settings catalog][MEM-1]
+ - [Security baselines][MEM-2]
+ - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
+ - [Account protection policy][MEM-5]
+ - [Identity protection policy template][MEM-6]
+
+### Verify the tenant-wide policy
+
+To check the Windows Hello for Business policy applied at enrollment time:
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** > **Windows** > **Windows Enrollment**
+1. Select **Windows Hello for Business**
+1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
+
+:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
+
+If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
+
+### Enable and configure Windows Hello for Business
+
+To configure Windows Hello for Business using an *account protection* policy:
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Endpoint security** > **Account protection**
+1. Select **+ Create Policy**
+1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection**
+1. Select **Create**
+1. Specify a **Name** and, optionally, a **Description** > **Next**
+1. 
Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available
+ - These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes**
+ - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business)
+1. Under *Enable to certificate for on-premises resources*, select **Disabled** and multiple policies become available
+1. Select **Next**
+1. Optionally, add *scope tags* > **Next**
+1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
+1. Review the policy configuration and select **Create**
+
+:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-cert-enable.png":::
+
+---
+
+## Enroll in Windows Hello for Business
+
+The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.
+
+You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\
+This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
+
+### PIN Setup
+
+This is the process that occurs after a user signs in, to enroll in Windows Hello for Business:
+
+1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**
+1. 
The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
+1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
+1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Azure AD Connect synchronizes the user's key to Active Directory
+
+:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
 > [!IMPORTANT]
 > The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). 
@@ -48,25 +178,23 @@ The remainder of the provisioning includes Windows Hello for Business requesting
 >
 > [!NOTE]
 > Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers.
-
+
 After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment.
-
+
 The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
 > [!NOTE]
 > In order for AD FS to verify the key used in the certificate request, it needs to be able to access the ```https://enterpriseregistration.windows.net``` endpoint.
-The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center.
+The certificate authority validates the certificate was signed by the registration authority. 
On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center.
-

                                 +
+[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
+[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler
-
                                 -
-## Follow the Windows Hello for Business hybrid certificate trust deployment guide
-
-1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
-4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-5. [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings-policy.md)
-6. Sign-in and Provision (*You are here*)
+[MEM-1]: /mem/intune/configuration/settings-catalog
+[MEM-2]: /mem/intune/protect/security-baselines
+[MEM-3]: /mem/intune/configuration/custom-settings-configure
+[MEM-4]: /windows/client-management/mdm/passportforwork-csp
+[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy
+[MEM-6]: /mem/intune/protect/identity-protection-configure
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
deleted file mode 100644
index 748cc46a44..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD)
-description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business
-ms.date: 4/30/2021
-appliesto:
-- ✅ Windows 10 and later
-ms.topic: article
----
-# Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory
-
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
-
-The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema.
-
-### Creating Security Groups
-
-Windows Hello for Business uses several security groups to simplify the deployment and management.
-
-> [!Important]
-> If your environment has one or more Windows Server 2016 domain controllers in the domain to which you are deploying Windows Hello for Business, then skip the **Create the KeyCredentials Admins Security Group**. Domains that include Windows Server 2016 domain controllers use the KeyAdmins group, which is created during the installation of the first Windows Server 2016 domain controller.
-
-#### Create the KeyCredential Admins Security Group
-
-Azure Active Directory Connect synchronizes the public key on the user object created during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the Azure AD Connect service can add and remove keys as part of its normal workflow.
-
-Sign-in a domain controller or management workstation with *Domain Admin* equivalent credentials.
-
-1. Open **Active Directory Users and Computers**.
-2. Click **View** and click **Advance Features**.
-3. Expand the domain node from the navigation pane.
-4. Right-click the **Users** container. Click **New**. Click **Group**.
-5. Type **KeyCredential Admins** in the **Group Name** text box.
-6. Click **OK**. 
-
-#### Create the Windows Hello for Business Users Security Group
-
-The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate.
-
-Sign-in a domain controller or management workstation with *Domain Admin* equivalent credentials.
-
-1. Open **Active Directory Users and Computers**.
-2. Click **View** and click **Advanced Features**.
-3. Expand the domain node from the navigation pane.
-4. Right-click the **Users** container. Click **New**. Click **Group**.
-5. Type **Windows Hello for Business Users** in the **Group Name** text box.
-6. Click **OK**.
-
-### Section Review
-
-> [!div class="checklist"]
-> * Create the KeyCredential Admins Security group (optional)
-> * Create the Windows Hello for Business Users group
->
-> [!div class="step-by-step"]
-> [< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md)
-> [Configure Azure AD Connect >](hello-hybrid-cert-whfb-settings-dir-sync.md)
- 

                                 -
-
                                 -
-## Follow the Windows Hello for Business hybrid certificate trust deployment guide
-1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
-4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-5. Configure Windows Hello for Business settings: Active Directory (*You are here*)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 83988357c9..9d45b8bed7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -1,90 +1,80 @@
 ---
-title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS)
-description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business
-ms.date: 4/30/2021
+title: Configure Active Directory Federation Services in a hybrid certificate trust model
+description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business hybrid certificate trust model.
+ms.date: 01/03/2023
 appliesto:
 - ✅ Windows 10 and later
-ms.topic: article
+- ✅ Windows Server 2016 and later
+ms.topic: tutorial
 ---
-# Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services
+# Configure Active Directory Federation Services - hybrid certificate trust
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cert-trust.md)]
-## Federation Services
-
-The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
-
-The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.
+The Windows Hello for Business certificate-based deployments use AD FS as the certificate registration authority (CRA).
+The CRA is responsible for issuing and revoking certificates to users. 
Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.\
+The CRA enrolls for an *enrollment agent certificate*, and the Windows Hello for Business *authentication certificate template* is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.
 > [!NOTE]
-> In order for AD FS to verify user certificate requests for Windows Hello for Business, it needs to be able to access the ```https://enterpriseregistration.windows.net``` endpoint.
+> In order for AD FS to verify user certificate requests for Windows Hello for Business, it needs to be able to access the `https://enterpriseregistration.windows.net` endpoint.
-### Configure the Registration Authority
+## Configure the certificate registration authority
-Sign-in the AD FS server with *Domain Admin* equivalent credentials.
+Sign-in the AD FS server with *domain administrator* equivalent credentials.
-1. Open a **Windows PowerShell** prompt.
-2. Enter the following command:
+Open a **Windows PowerShell** prompt and type the following command:
- ```PowerShell
- Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true
- ```
+```PowerShell
+Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true
+```
- >[!NOTE]
- > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates. 
It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
+>[!NOTE]
+> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
-### Group Memberships for the AD FS Service Account
+## Enrollment agent certificate enrollment
-The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.
+AD FS performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
+
+Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. 
+
+### Group Memberships for the AD FS service account
+
+The AD FS service account must be member of the security group targeted by the authentication certificate template auto-enrollment (e.g. *Window Hello for Business Users*). The security group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.
 > [!TIP]
 > The adfssvc account is the AD FS service account.
 Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
-1. Open **Active Directory Users and Computers**.
-2. Click the **Users** container in the navigation pane.
-3. Right-click **Windows Hello for Business Users** group.
-4. Click the **Members** tab and click **Add**.
-5. In the **Enter the object names to select** text box, type **adfssvc** or substitute the name of the AD FS service account in your AD FS deployment. Click **OK**.
-6. Click **OK** to return to **Active Directory Users and Computers**.
-7. Restart the AD FS server.
+1. Open **Active Directory Users and Computers**
+1. Search for the security group targeted by the authentication certificate template auto-enrollment (e.g. *Window Hello for Business Users*)
+1. Select the **Members** tab and select **Add**
+1. In the **Enter the object names to select** text box, type **adfssvc** or substitute the name of the AD FS service account in your AD FS deployment > **OK**
+1. Select **OK** to return to **Active Directory Users and Computers**
+1. Restart the AD FS server
-> [!NOTE]
-> For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
+> [!NOTE]
+> For AD FS 2019 in a hybrid certificate trust model, a PRT issue exists. 
You may encounter this error in the AD FS Admin event logs: *Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'*. To remediate this error:
 >
-> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions".
-> 2. Right click "Scope Descriptions" and select "Add Scope Description".
-> 3. Under name type "ugs" and Click Apply > OK.
-> 4. Launch PowerShell as an administrator.
-> 5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b":
+> 1. Launch AD FS management console and browse to **Services > Scope Descriptions**
+> 1. Right click **Scope Descriptions** and select **Add Scope Description**
+> 1. Under name type `ugs` and select **Apply > OK**
+> 1. Launch PowerShell as an administrator
+> 1. Obtain the *ObjectIdentifier* of the application permission with the `ClientRoleIdentifier` parameter equal to `38aa3b87-a06d-4817-b275-7a316988d93b`:
 > ```PowerShell
 > (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
 > ```
-> 6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`.
-> 7. Restart the AD FS service.
-> 8. On the client: Restart the client. User should be prompted to provision Windows Hello for Business.
+> 1. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`.
+> 1. Restart the AD FS service
+> 1. On the client: Restart the client. User should be prompted to provision Windows Hello for Business
-### Section Review
+## Section review and next steps
+
+Before moving to the next section, ensure the following steps are complete:
 > [!div class="checklist"]
-> * Configure the registration authority.
-> * Update group memberships for the AD FS service account. 
->
->
-> [!div class="step-by-step"]
-> [< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md)
-> [Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md)
-
-

                                - -
                                - -## Follow the Windows Hello for Business hybrid certificate trust deployment guide
-1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
-4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-5. Configure Windows Hello for Business settings: AD FS (*You are here*)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
+> - Configure the certificate registration authority
+> - Update group memberships for the AD FS service account
+> [!div class="nextstepaction"]
+> [Next: configure policy settings >](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
deleted file mode 100644
index 5002843385..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch
-description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business
-ms.date: 4/30/2021
-appliesto:
-- ✅ Windows 10 and later
-ms.topic: article
----
-
-# Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization
-
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
-
-## Directory Synchronization
-
-In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
-
-The key-trust model needs Windows Server 2016 domain controllers, which configure the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.
-
-> [!IMPORTANT]
-> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. In this case, you should use the pre-created group KeyAdmins in step 3 of the "Group Memberships for the Azure AD Connect Service Account" section of this article.
-
-### Configure Permissions for Key Synchronization
-
-Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
-
-1. Open **Active Directory Users and Computers**.
-2. Right-click your domain name from the navigation pane and click **Properties**.
-3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu).
-4. Click **Advanced**. Click **Add**. Click **Select a principal**.
-5. The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**.
-6. In the **Applies to** list box, select **Descendant User objects**.
-7. 
Using the scroll bar, scroll to the bottom of the page and click **Clear all**.
-8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCredentialLink**.
-9. Click **OK** three times to complete the task.
-
-
-### Group Memberships for the Azure AD Connect Service Account
-
-The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory.
-
-Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
-
-1. Open **Active Directory Users and Computers**.
-2. Click the **Users** container in the navigation pane.
-3. Right-click either the **KeyAdmins** or **KeyCredential Admins** in the details pane and click **Properties**.
-4. Click the **Members** tab and click **Add**
-5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**.
-6. Click **OK** to return to **Active Directory Users and Computers**.
-
-> [!NOTE]
-> If your AD forest has multiple domains, make sure you add the ADConnect sync service account (ie. MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest.
-
-> [!NOTE]
-> Transfer the PDC emulator FSMO role to a domain controller running Windows Server 2016 (or later) to be able to search the Key Admins and Enterprise Key Admins groups (domain controllers running previous versions of Windows Server cannot translate the security identifier to a name for these groups).
-
-### Section Review
-
-> [!div class="checklist"]
-> * Configure Permissions for Key Synchronization
-> * Configure group membership for Azure AD Connect
->
-> [!div class="step-by-step"]
-> [< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
-> [Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md)
-
-

                                - -
                                - -## Follow the Windows Hello for Business hybrid certificate trust deployment guide
-1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
-4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-5. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
deleted file mode 100644
index 2b43ffad0a..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ /dev/null
@@ -1,289 +0,0 @@ ---- -title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI) -description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business -ms.date: 4/30/2021 -appliesto: -- ✅ Windows 10 and later -ms.topic: article ---- - -# Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure - -[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] - -Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer. - -All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates. - -## Certificate Templates - -This section has you configure certificate templates on your Windows Server 2012 (or later) Active Directory Certificate Services issuing certificate authority. - -### Domain Controller certificate template - -Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain - namely the enterprise certificate authority. 
- -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD-joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD-joined devices. The steps below to *Create a Domain Controller Authentication (Kerberos) Certificate Template* and *Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template* to include the **KDC Authentication** OID in the domain controller certificate may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD-joined devices to your environment in the future. - -By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template as a baseline to create an updated domain controller certificate template. - -#### Create a Domain Controller Authentication (Kerberos) Certificate Template - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. - -1. Open the **Certification Authority** management console. - -2. 
Right-click **Certificate Templates** and click **Manage**. - -3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. - -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certificate Recipient** list. - -5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. - - > [!NOTE] - > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. - -6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. - -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. - -8. Close the console. - -#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template - -Many domain controllers may have an existing domain controller certificate. Active Directory Certificate Services provides a default certificate template for domain controllers--the Domain Controller certificate template. Later releases provided a new certificate template--the Domain Controller Authentication certificate template. 
These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension. - -The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers (2008 or later). - -The auto-enrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate based on the Kerberos Authentication certificate template. - -Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. - -1. Open the **Certification Authority** management console. - -2. Right-click **Certificate Templates** and click **Manage**. - -3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. - -4. Click the **Superseded Templates** tab. Click **Add**. - -5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. - -6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. - -7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template, and click **OK**. - -8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. - -9. Click **OK** and close the **Certificate Templates** console. 
- -The certificate template is configured to supersede all the certificate templates listed in the superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. - -> [!NOTE] -> A domain controller's certificate must chain to a certificate in the NTAuth store in Active Directory. By default, online "Enterprise" Active Directory Certificate Authority certificates are added to the NTAuth store at installation time. If you are using a third-party CA, this is not done by default. If the domain controller certificate does not chain to a trusted CA in the NTAuth store, user authentication will fail. -> You can view an AD forest's NTAuth store (NTAuthCertificates) using PKIVIEW.MSC from an ADCS CA. Open PKIView.msc, then click the Action menu -> Manage AD Containers. - -### Enrollment Agent certificate template - -Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request, or when the service first starts. - -Approximately 60 days prior to the enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew and expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. - -> [!IMPORTANT] -> Follow the procedures below based on the AD FS service account used in your environment. - -#### Creating an Enrollment Agent certificate for Group Managed Service Accounts - -Sign-in to a certificate authority or management workstation with _Domain Admin_ equivalent credentials. - -1. 
Open the **Certification Authority Management** console. - -2. Right-click **Certificate Templates** and click **Manage**. - -3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. - -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list. - -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. - -6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. - - > [!NOTE] - > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the _Build from this Active Directory information_ option, which will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with _Supply in the request_ to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. - -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. - -8. On the **Security** tab, click **Add**. - -9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. - -10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. - -11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. 
Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. - -12. Close the console. - -#### Creating an Enrollment Agent certificate for typical Service Accounts - -Sign-in to a certificate authority or management workstation with *Domain Admin* equivalent credentials. - -1. Open the **Certification Authority** management console. - -2. Right-click **Certificate Templates** and click **Manage**. - -3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent (Offline request)** template in the details pane and click **Duplicate Template**. - -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list. - -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. - -6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. - -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. - -8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. - -9. 
Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. - -10. Close the console. - -### Creating Windows Hello for Business authentication certificate template - -During Windows Hello for Business provisioning, a Windows client requests an authentication certificate from the Active Directory Federation Service, which requests an authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You set the name of the certificate template when configuring it. - -Sign-in to a certificate authority or management workstation with _Domain Admin equivalent_ credentials. - -1. Open the **Certification Authority** management console. - -2. Right-click **Certificate Templates** and click **Manage**. - -3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. - -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list. - -5. On the **General** tab, type **WHFB Authentication** or your choice of template name in **Template display name**. Note the short template name for later use with CertUtil. Adjust the validity and renewal period to meet your enterprise's needs. - - > [!NOTE] - > If you use different template names, you'll need to remember and substitute these names in the relevant portions of the deployment. - -6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. 
Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. - -7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. - -8. On the **Issuance Requirements** tab, select the **This number of authorized signatures** check box. Type **1** in the text box. - - Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. - -9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. - -10. On the **Request Handling** tab, select the **Renew with same key** check box. - -11. On the **Security** tab, click **Add**. Type **Windows Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. - -12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. - -13. 
If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. - -14. Click on the **Apply** to save changes and close the console. - -#### Mark the template as the Windows Hello Sign-in template - -Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. - -1. Open an elevated command prompt. - -2. Run `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` - -If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example: - -```console -CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication - -Old Value: -msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888) -CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) -CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 -TEMPLATE_SERVER_VER_WINBLUE< [!NOTE] -> If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. 
-
-## Publish Templates
-
-### Publish Certificate Templates to a Certificate Authority
-
-The certificate authority only issues certificates for certificate templates which are published by that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
-
-#### Publish Certificate Templates to the Certificate Authority
-
-Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
-
-1. Open the **Certification Authority** management console.
-
-2. Expand the parent node from the navigation pane.
-
-3. Click **Certificate Templates** in the navigation pane.
-
-4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**.
-
-5. In the **Enable Certificates Templates** window, Ctrl-select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
-
-6. Close the console.
-
-#### Unpublish Superseded Certificate Templates
-
-The certificate authority only issues certificates based on published certificate templates. For defense-in-depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes any pre-published certificate templates from the role installation and any superseded certificate templates.
-
-The newly-created Kerberos authentication-based Domain Controller certificate template supersedes any previous domain controller certificate templates. Therefore, you should unpublish these certificate templates from all issuing certificate authorities.
-
-Sign-in to each certificate authority, or a management workstation with _Enterprise Admin_ equivalent credentials.
-
-1. Open the **Certification Authority** management console.
-
-2. Expand the parent node from the navigation pane.
-
-3. Click **Certificate Templates** in the navigation pane.
-
-4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window.
-
-5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
-
-### Section Review
-
-> [!div class="checklist"]
-> * Domain Controller certificate template
-> * Configure superseded domain controller certificate templates
-> * Enrollment Agent certificate template
-> * Windows Hello for Business Authentication certificate template
-> * Mark the certificate template as Windows Hello for Business sign-in template
-> * Publish Certificate templates to certificate authorities
-> * Unpublish superseded certificate templates
->
-> [!div class="step-by-step"]
-> [< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md)
-> [Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md)
-
-

                                - -
                                - -
-## Follow the Windows Hello for Business hybrid certificate trust deployment guide
-
-1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
-4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-5. Configure Windows Hello for Business settings: PKI (*You are here*)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
deleted file mode 100644
index ad8ff6984f..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
+++ /dev/null
@@ -1,192 +0,0 @@
----
-title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy
-description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business
-ms.date: 4/30/2021
-appliesto:
-- ✅ Windows 10 and later
-ms.topic: article
----
-# Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
-
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)]
-
-## Policy Configuration
-
-You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
-Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
-
-Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.
-
-Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate.
-
-Domain joined clients of hybrid certificate-based deployments of Windows Hello for Business needs three Group Policy settings:
-
-- Enable Windows Hello for Business
-- Use certificate for on-premises authentication
-- Enable automatic enrollment of certificates
-
-### Configure Domain Controllers for Automatic Certificate Enrollment
-
-Domain controllers automatically request a certificate from the *Domain Controller* certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates.
-
-To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU.
-
-#### Create a Domain Controller Automatic Certificate Enrollment Group Policy object
-
-Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
-
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Right-click **Group Policy object** and select **New**
-4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**.
-5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**.
-6. In the navigation pane, expand **Policies** under **Computer Configuration**.
-7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
-8. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**.
-9. Select **Enabled** from the **Configuration Model** list.
-10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
-11. 
Select the **Update certificates that use certificate templates** check box.
-12. Click **OK**. Close the **Group Policy Management Editor**.
-
-#### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object
-
-Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
-
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO**
-3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
-
-### Windows Hello for Business Group Policy
-
-The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
-
-#### Enable Windows Hello for Business
-
-The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
-
-You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
-
-#### Use certificate for on-premises authentication
-
-The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests.
-
-You can configure this Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence.
-
-#### Enable automatic enrollment of certificates
-
-Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates.
-
-The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires.
-
-#### Create the Windows Hello for Business Group Policy object
-
-The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed.
-
-Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
-
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Right-click **Group Policy object** and select **New**.
-4. Type *Enable Windows Hello for Business* in the name box and click **OK**.
-5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-6. In the navigation pane, expand **Policies** under **User Configuration**.
-7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
-8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
-9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**.
-
-#### Configure Automatic Certificate Enrollment
-
-1. Start the **Group Policy Management Console** (gpmc.msc).
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-4. In the navigation pane, expand **Policies** under **User Configuration**.
-5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**.
-6. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**.
-7. Select **Enabled** from the **Configuration Model** list.
-8. 
Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
-9. Select the **Update certificates that use certificate templates** check box.
-10. Click **OK**. Close the **Group Policy Management Editor**.
-
-#### Configure Security in the Windows Hello for Business Group Policy object
-
-The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Double-click the **Enable Windows Hello for Business** Group Policy object.
-4. In the **Security Filtering** section of the content pane, click **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**.
-5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**.
-6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**.
-
-#### Deploy the Windows Hello for Business Group Policy object
-
-The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. 
In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO**
-3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**.
-
-Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object.
-
-## Other Related Group Policy settings
-
-### Windows Hello for Business
-
-There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings.
-
-#### Use a hardware security device
-
-The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential.
-
-You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
-
-Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
-
-#### Use biometrics
-
-Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security.
-
-The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint.
-
-### PIN Complexity
-
-PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
-
-Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management.
You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
-* Require digits
-* Require lowercase letters
-* Maximum PIN length
-* Minimum PIN length
-* Expiration
-* History
-* Require special characters
-* Require uppercase letters
-
-Starting with Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor.
-
-## Add users to the Windows Hello for Business Users group
-
-Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business.
-
-### Section Review
-> [!div class="checklist"]
-> * Configure domain controllers for automatic certificate enrollment.
-> * Create Windows Hello for Business Group Policy object.
-> * Enable the Use Windows Hello for Business policy setting.
-> * Enable the Use certificate for on-premises authentication policy setting.
-> * Enable user automatic certificate enrollment.
-> * Add users or groups to the Windows Hello for Business group
->
->
-> [!div class="nextstepaction"]
-> [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
-
-

                                - -
                                - -
-## Follow the Windows Hello for Business hybrid certificate trust deployment guide
-1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
-4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-5. Configure Windows Hello for Business policy settings (*You are here*)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
deleted file mode 100644
index 360f679614..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business)
-description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment.
-ms.date: 4/30/2021
-appliesto:
-- ✅ Windows 10 and later
-ms.topic: article
----
-# Configure Hybrid Azure AD joined Windows Hello for Business
-
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
-
-Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model.
-> [!IMPORTANT]
-> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.
-
-The configuration for Windows Hello for Business is grouped in four categories. These categories are:
-
-- [Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
-- [Public Key Infrastructure](hello-hybrid-cert-whfb-settings-pki.md)
-- [Active Directory Federation Services](hello-hybrid-cert-whfb-settings-adfs.md)
-- [Group Policy](hello-hybrid-cert-whfb-settings-policy.md)
-
-For the most efficient deployment, configure these technologies in order beginning with the Active Directory configuration
-
-> [!div class="step-by-step"]
-> [Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md)
-
-

                                - -
                                - -
-## Follow the Windows Hello for Business hybrid certificate trust deployment guide
-1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
-4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-5. Configure Windows Hello for Business settings (*You are here*)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
new file mode 100644
index 0000000000..0f6b8ab112
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
@@ -0,0 +1,218 @@
+---
+title: Windows Hello for Business cloud Kerberos trust clients configuration and enrollment
+description: Learn how to configure devices and enroll them in Windows Hello for Business in a cloud Kerberos trust scenario.
+ms.date: 02/24/2023
+appliesto:
+- ✅ Windows 10, version 21H2 and later
+ms.topic: tutorial
+---
+# Configure and provision Windows Hello for Business - cloud Kerberos trust
+
+[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cloudkerb-trust.md)]
+
+## Deployment steps
+
+Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
+
+1. Set up Azure AD Kerberos.
+1. Configure a Windows Hello for Business policy and deploy it to the devices.
+
+### Deploy Azure AD Kerberos
+
+If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section.
+
+If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD][AZ-2] documentation. This page includes information on how to install and use the Azure AD Kerberos PowerShell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust.
+
+### Configure Windows Hello for Business policy
+
+After setting up the Azure AD Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
+
+#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
+
+For devices managed by Intune, you can use Intune policies to configure Windows Hello for Business.
+
+There are different ways to enable and configure Windows Hello for Business in Intune:
+
+- When the device is enrolled in Intune, a tenant-wide policy is applied to the device. This policy is applied at enrollment time only, and any changes to its configuration won't apply to devices already enrolled in Intune. For this reason, this policy is usually disabled, and Windows Hello for Business can be enabled using a policy targeted to a security group.
+- After the device is enrolled in Intune, you can apply a device configuration policy. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
+ - [Settings catalog][MEM-7]
+ - [Security baselines][MEM-2]
+ - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
+ - [Account protection policy][MEM-5]
+ - [Identity protection policy template][MEM-6]
+
+### Verify the tenant-wide policy
+
+To check the Windows Hello for Business policy applied at enrollment time:
+
+1. Sign in to the Microsoft Intune admin center.
+1. Select **Devices** > **Windows** > **Windows Enrollment**.
+1. Select **Windows Hello for Business**.
+1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured.
+
+:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." border="true" lightbox="images/whfb-intune-disable.png":::
+
+If the tenant-wide policy is enabled and configured to your needs, you can skip to [Configure cloud Kerberos trust policy](#configure-the-cloud-kerberos-trust-policy). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
+
+### Enable Windows Hello for Business
+
+To configure Windows Hello for Business using an account protection policy:
+
+1. Sign in to the Microsoft Intune admin center.
+1. Select **Endpoint security** > **Account protection**.
+1. Select **+ Create Policy**.
+1. For **Platform**, select **Windows 10 and later** and for **Profile** select **Account protection**.
+1. Select **Create**.
+1. Specify a **Name** and, optionally, a **Description** > **Next**.
+1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available.
+ - These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**.
+ - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business).
+1. Under **Enable to certificate for on-premises resources**, select **Disabled** and multiple policies become available.
+1. Select **Next**.
+1. Optionally, add **scope tags** and select **Next**.
+1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**.
+1. Review the policy configuration and select **Create**.
+
+> [!TIP]
+> If you want to enforce the use of digits for your Windows Hello for Business PIN, use the settings catalog and choose **Digits** or **Digits (User)** instead of using the Account protection template.
+
+:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="This image shows the enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png":::
+
+Assign the policy to a security group that contains as members the devices or users that you want to configure.
+
+### Configure the cloud Kerberos trust policy
+
+The cloud Kerberos trust policy can be configured using a custom template, and it's configured separately from enabling Windows Hello for Business.
+
+To configure the cloud Kerberos trust policy:
+
+1. Sign in to the Microsoft Intune admin center.
+1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**.
+1. For Profile Type, select **Templates** and select the **Custom** Template.
+1. Name the profile with a familiar name, for example, "Windows Hello for Business cloud Kerberos trust".
+1. In Configuration Settings, add a new configuration with the following settings:
+
+ - Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
+ - Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
+ - OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\*`/Policies/UseCloudTrustForOnPremAuth`**
+ - Data type: **Boolean**
+ - Value: **True**
+
+ > [!IMPORTANT]
+ > *Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID.
+
+ :::image type="content" alt-text ="Intune custom-device configuration policy creation" source="./images/hello-cloud-trust-intune.png" lightbox="./images/hello-cloud-trust-intune-large.png":::
+
+1. Assign the policy to a security group that contains as members the devices or users that you want to configure.
+
+#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
+
+Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
+
+The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled.
+
+You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
+
+Cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
+
+> [!NOTE]
+> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources).
+
+#### Update administrative templates
+
+You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files.
+
+You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1].
+
+#### Create the Windows Hello for Business group policy object
+
+You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO).
+
+1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory.
+1. Edit the Group Policy object from Step 1.
+1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
+1. Select **Use Windows Hello for Business** > **Enable** > **OK**.
+1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK**.
+1. Optional, but recommended: select **Use a hardware security device** > **Enable** > **OK**.
+
+---
+
+> [!IMPORTANT]
+> If the **Use certificate for on-premises authentication** policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured** or **disabled**.
+
+## Provision Windows Hello for Business
+
+The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy.
+
+You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\
+This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
+
+:::image type="content" alt-text="Cloud Kerberos trust prerequisite check in the user device registration log" source="./images/cloud-trust-prereq-check.png" lightbox="./images/cloud-trust-prereq-check.png":::
+
+The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined.
+
+> [!NOTE]
+> The cloud Kerberos trust prerequisite check isn't done on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory.
+
+### PIN Setup
+
+After a user signs in, this is the process that occurs to enroll in Windows Hello for Business:
+
+1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**.
+1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
+1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device.
+
+:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
+
+### Sign-in
+
+Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
+
+## Migrate from key trust deployment model to cloud Kerberos trust
+
+If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps:
+
+1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos).
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
+1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business.
+
+> [!NOTE]
+> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
+>
+> Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails.
+
+## Migrate from certificate trust deployment model to cloud Kerberos trust
+
+> [!IMPORTANT]
+> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust.
+
+If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps:
+
+1. Disable the certificate trust policy.
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
+1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context.
+1. Sign out and sign back in.
+1. Provision Windows Hello for Business using a method of your choice.
+
+> [!NOTE]
+> For hybrid Azure AD joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
+
+## Frequently Asked Questions
+
+For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](hello-faq.yml#cloud-kerberos-trust).
+
+
+
+[AZ-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module
+[AZ-3]: /azure/active-directory/fundamentals/active-directory-how-to-find-tenant
+[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
+
+[MEM-1]: /mem/intune/protect/identity-protection-windows-settings
+[MEM-2]: /mem/intune/protect/security-baselines
+[MEM-3]: /mem/intune/configuration/custom-settings-configure
+[MEM-4]: /windows/client-management/mdm/passportforwork-csp
+[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy
+[MEM-6]: /mem/intune/protect/identity-protection-configure
+[MEM-7]: /mem/intune/configuration/settings-catalog
+
+[TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
index ebcff732f3..d3f07a3668 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@@ -1,25 +1,25 @@ --- -title: Windows Hello for Business Cloud Kerberos trust deployment +title: Windows Hello for Business cloud Kerberos trust deployment description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario. -ms.date: 11/1/2022 +ms.date: 02/24/2023 appliesto: - ✅ Windows 10, version 21H2 and later -ms.topic: article +ms.topic: tutorial --- # Cloud Kerberos trust deployment -[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cloudkerb-trust.md)] +[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cloudkerb-trust.md)] -Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a cloud Kerberos trust scenario. +Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in a *cloud Kerberos trust* scenario. ## Introduction to cloud Kerberos trust -The goal of **Windows Hello for Business cloud Kerberos trust** is to bring the simplified deployment experience of [*passwordless security key sign-in*][AZ-1] to Windows Hello for Business, and it can be used for new or existing Windows Hello for Business deployments. +The goal of Windows Hello for Business cloud Kerberos trust is to bring the simplified deployment experience of [*passwordless security key sign-in*][AZ-1] to Windows Hello for Business, and it can be used for new or existing Windows Hello for Business deployments. 
-*Windows Hello for Business cloud Kerberos trust* uses **Azure AD Kerberos**, which enables a simpler deployment when compared to the *key trust model*: +Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which enables a simpler deployment when compared to the *key trust model*: - No need to deploy a public key infrastructure (PKI) or to change an existing PKI -- No need to synchronize public keys between Azure AD and Active Directory for users to access on-premises resources. This means that there isn't delay between the user's WHFB provisioning and being able to authenticate to Active Directory +- No need to synchronize public keys between Azure AD and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory - [Passwordless security key sign-in][AZ-1] can be deployed with minimal extra setup > [!NOTE] 
@@ -27,14 +27,12 @@ The goal of **Windows Hello for Business cloud Kerberos trust** is to bring the ## Azure AD Kerberos and cloud Kerberos trust authentication -*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.\ -For *Azure AD joined devices* to have single sign-on (SSO) to on-premises resources protected by Active Directory, they must trust and validate the DC certificates. For this to happen, a certificate revocation list (CRL) must be published to an endpoint accessible by the Azure AD joined devices. +*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust. -*Cloud Kerberos trust* uses *Azure AD Kerberos*, which doesn't require any of the above PKI to request TGTs. +Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\ +With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization. -With *Azure AD Kerberos*, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers. 
- -When *Azure AD Kerberos* is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object: +When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object: - Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers - Is only used by Azure AD to generate TGTs for the Active Directory domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object @@ -45,7 +43,7 @@ For more information about how Azure AD Kerberos enables access to on-premises r For more information about how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust). > [!IMPORTANT] -> When implementing the *hybrid cloud Kerberos trust* deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. +> When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. ## Prerequisites 
@@ -71,208 +69,23 @@ The following scenarios aren't supported using Windows Hello for Business cloud > > To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object `CN=AzureADKerberos,OU=Domain Controllers,`. -## Deployment steps +## Next steps -Deploying *Windows Hello for Business cloud Kerberos trust* consists of two steps: +Once the prerequisites are met, deploying Windows Hello for Business with a cloud Kerberos trust model consists of the following steps: -1. Set up *Azure AD Kerberos* -1. Configure a Windows Hello for Business policy and deploy it to the devices +> [!div class="checklist"] +> * Deploy Azure AD Kerberos +> * Configure Windows Hello for Business settings +> * Provision Windows Hello for Business on Windows clients -### Deploy Azure AD Kerberos +> [!div class="nextstepaction"] +> [Next: configure and provision Windows Hello for Business >](hello-hybrid-cloud-kerberos-trust-provision.md) -If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section. - -If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD][AZ-2] documentation. This page includes information on how to install and use the Azure AD Kerberos PowerShell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust. - -### Configure Windows Hello for Business policy - -After setting up the *Azure AD Kerberos object*, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. 
Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). - -#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) - -Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices. - -The cloud Kerberos trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business. - -### Enable Windows Hello for Business - -If you already enabled Windows Hello for Business, you can skip to **configure the cloud Kerberos trust policy**. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy. - -You can also follow these steps to create a device configuration policy instead of using the device enrollment policy: - -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. -1. For Platform, select **Windows 10 and later**. -1. For Profile Type, select **Templates** and select the **Identity Protection** Template. -1. Name the profile with a familiar name. For example, "Windows Hello for Business". -1. In **Configurations settings**, set the **Configure Windows Hello for Business** option to **Enable**. -1. After setting Configure Windows Hello for Business to Enable, multiple policy options become available. These policies are optional to configure. 
More information on these policies is available in our documentation on managing [Windows Hello for Business in your organization](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business). We recommend setting **Use a Trusted Platform Module (TPM)** to **Enable**. - - [![Intune custom device configuration policy creation](./images/hello-intune-enable.png)](./images/hello-intune-enable-large.png#lightbox) - -Assign the policy to a security group that contains as members the devices or users that you want to configure. - -Windows Hello for Business settings are also available in the settings catalog. For more information, see [Use the settings catalog to configure settings on Windows and macOS devices - preview](/mem/intune/configuration/settings-catalog). - -### Configure cloud Kerberos trust policy - -To configure the *cloud Kerberos trust* policy, follow the steps below: - -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. -1. For Profile Type, select **Templates** and select the **Custom** Template. -1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust". -1. In Configuration Settings, add a new configuration with the following settings: - - | Setting | - |--------| - |
                                • Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
                                • Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
                                • OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\*`/Policies/UseCloudTrustForOnPremAuth`**
                                • Data type: **Boolean**
                                • Value: **True**
                                | - - >[!IMPORTANT] - >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID. - - [![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox) - -Assign the policy to a security group that contains as members the devices or users that you want to configure. - -#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) - -Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business. - -The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled. - -You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. - -cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration. - -> [!NOTE] -> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. 
For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP][WIN-1]. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources). - -#### Update administrative templates - -You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files. - -You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1]. - -#### Create the Windows Hello for Business group policy object - -You can configure Windows devices to enable *Windows Hello for Business cloud Kerberos trust* using a Group Policy Object (GPO). - -1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory -1. Edit the Group Policy object from Step 1 -1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business** -1. Select **Use Windows Hello for Business** > **Enable** > **OK** -1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK** -1. *Optional, but recommended*: select **Use a hardware security device** > **Enable** > **OK** - ---- - -> [!IMPORTANT] -> If the *Use certificate for on-premises authentication* policy is enabled, *certificate trust* will take precedence over *cloud Kerberos trust*. 
Ensure that the machines that you want to enable *cloud Kerberos trust* have this policy *not configured* or *disabled*. - -## Provision Windows Hello for Business - -The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy. - -You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\ -This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4]. - - ![Cloud Kerberos trust prerequisite check in the user device registration log](./images/cloud-trust-prereq-check.png) - -The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined. - -> [!NOTE] -> The cloud Kerberos trust prerequisite check isn't done on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory. - -### PIN Setup - -This is the process that occurs after a user signs in, to enroll in Windows Hello for Business: - -1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK** -1. 
The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry -1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device - -:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business."::: - -### Sign-in - -Once a user has set up a PIN with *cloud Kerberos trust*, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity. - -## Migrate from key trust deployment model to cloud Kerberos trust - -If you deployed Windows Hello for Business using the *key trust model*, and want to migrate to the *cloud Kerberos trust model*, follow these steps: - -1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos) -1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) -1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business - -> [!NOTE] -> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. -> -> Without line of sight to a DC, even when the client is configured to use *cloud Kerberos trust*, the system will fall back to *key trust* if *cloud Kerberos trust* login fails. 
- -## Migrate from certificate trust deployment model to cloud Kerberos trust - -> [!IMPORTANT] -> There is no *direct* migration path from *certificate trust* deployment to *cloud Kerberos trust* deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust. - -If you deployed Windows Hello for Business using the *certificate trust model*, and want to use the *cloud Kerberos trust model*, you must redeploy Windows Hello for Business by following these steps: - -1. Disable the certificate trust policy -1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) -1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context -1. Sign out and sign back in -1. Provision Windows Hello for Business using a method of your choice - -> [!NOTE] -> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. - -## Troubleshooting - -If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the *Windows Feedback Hub* app by following these steps: - -1. Open **Feedback Hub**, and make sure that you're signed in -1. Submit feedback by selecting the following categories: - - Category: Security and Privacy - - Subcategory: Windows Hello PIN - -## Frequently Asked Questions - -### Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment? - -This feature doesn't work in a pure on-premises AD domain services environment. - -### Does Windows Hello for Business cloud Kerberos trust work in a Windows sign-in with RODC present in the hybrid environment? - -Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud Kerberos trust will work. 
- -### Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust? - -Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller when: - -- a user signs-in for the first time or unlocks with Windows Hello for Business after provisioning. -- attempting to access on-premises resources secured by Active Directory. - -### Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust? - -Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [remote credential guard][WIN-2] or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose. - -### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust? - -No, only the number necessary to handle the load from all cloud Kerberos trust devices. 
-
----
+
 [AZ-1]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises
-[AZ-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module
-[AZ-3]: /azure/active-directory/fundamentals/active-directory-how-to-find-tenant
-[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
 [SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services
-[TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store
-[MEM-1]: /mem/intune/protect/identity-protection-windows-settings
-[WIN-1]: /windows/client-management/mdm/passportforwork-csp
-[WIN-2]: /windows/security/identity-protection/remote-credential-guard
 [SUP-1]: https://support.microsoft.com/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e
-[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f
+[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
deleted file mode 100644
index 32f0d91fc6..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ /dev/null
@@ -1,144 +0,0 @@ ---- -title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation -description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations. -ms.date: 4/30/2021 -appliesto: -- ✅ Windows 10 and later -ms.topic: article ---- -# Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation - -[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] - -Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies - -- [Active Directory](#active-directory) -- [Public Key Infrastructure](#public-key-infrastructure) -- [Azure Active Directory](#azure-active-directory) -- [Multifactor Authentication Services](#multifactor-authentication-services) - -New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) section to prepare your Windows Hello for Business deployment by configuring directory synchronization. - -The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. - -## Active Directory -This document expects you have Active Directory deployed with an _adequate_ number of Windows Server 2016 or later domain controllers for each site. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. 
- -> [!NOTE] ->There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. - -Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal. - -### Section Review - -> [!div class="checklist"] -> * An adequate number of Windows Server 2016 domain controllers -> * Minimum Windows Server 2008 R2 domain and forest functional level -> * Functional networking, name resolution, and Active Directory replication - -## Public Key Infrastructure - -Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. - -This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. - -### Lab-based public key infrastructure - -The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. - -Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. - ->[!NOTE] ->Never install a certificate authority on a domain controller in a production environment. - -1. Open an elevated Windows PowerShell prompt. -2. 
Use the following command to install the Active Directory Certificate Services role. - ```PowerShell - add-windowsfeature adcs-cert-authority -IncludeManagementTools - ``` - -3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. - ```PowerShell - Install-AdcsCertificationAuthority - ``` - -## Configure a Production Public Key Infrastructure - -If you do not have an existing public key infrastructure, please review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your public key infrastructure using the information from your design session. - -> [!IMPORTANT] -> For Azure AD joined device to authenticate to and use on-premises resources, ensure you: -> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store. -> * Publish your certificate revocation list to a location that is available to Azure AD-joined devices, such as a web-based URL. - -### Section Review - -> [!div class="checklist"] -> * Minimum Windows Server 2012 Certificate Authority. -> * Enterprise Certificate Authority. -> * Functioning public key infrastructure. -> * Root certificate authority certificate (Azure AD Joined devices). -> * Highly available certificate revocation list (Azure AD Joined devices). - -## Azure Active Directory -You've prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities. 
- -The next step of the deployment is to follow the [Creating an Azure AD tenant](/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization. - -### Section Review - -> [!div class="checklist"] -> * Review the different ways to establish an Azure Active Directory tenant. -> * Create an Azure Active Directory Tenant. -> * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary. - -## Multifactor Authentication Services -Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA or a third-party MFA adapter - -Review the [What is Azure AD Multi-Factor Authentication](/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. - -### Azure AD Multi-Factor Authentication (MFA) Cloud - -> [!IMPORTANT] -> As long as your users have licenses that include Azure AD Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: -> * Azure AD Multi-Factor Authentication -> * Azure Active Directory Premium -> * Enterprise Mobility + Security -> -> If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section. - - -#### Configure Azure MFA Settings -Review the [Configure Azure AD Multi-Factor Authentication settings](/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. 
- -#### Azure MFA User States -After you have completed configuring your Azure MFA settings, you want to review [How to require two-step verification for a user](/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. - -### Azure MFA via ADFS -Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section. - -### Section Review - -> [!div class="checklist"] -> * Review the overview and uses of Azure AD Multi-Factor Authentication. -> * Review your Azure Active Directory subscription for Azure AD Multi-Factor Authentication. -> * Create an Azure AD Multi-Factor Authentication Provider, if necessary. -> * Configure Azure AD Multi-Factor Authentication features and settings. -> * Understand the different User States and their effect on Azure AD Multi-Factor Authentication. -> * Consider using Azure AD Multi-Factor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary. - -> [!div class="nextstepaction"] -> [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) - -

                                - -
-
-## Follow the Windows Hello for Business hybrid key trust deployment guide
-1. [Overview](hello-hybrid-key-trust.md)
-2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
-3. New Installation Baseline (*You are here*)
-4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
-5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
-6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
deleted file mode 100644
index e6d1d3275c..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
-description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business)
-ms.date: 05/04/2022
-appliesto:
-- ✅ Windows 10 and later
-ms.topic: article
----
-# Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
-
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
-
-You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication.
-
-> [!NOTE]
-> Before proceeding, you should familiarize yourself with device registration concepts such as:
-> * Azure AD registered devices
-> * Azure AD-joined devices
-> * Hybrid Azure AD-joined devices
->
-> You can learn about this and more by reading [What is a device identity](/azure/active-directory/devices/overview)
-
-## Configure Hybrid Azure AD join
-
-Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
-
-Follow the guidance on the [How to configure hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment.
-
-If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps:
-
-- Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD.
-- Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD.
-
-You can learn more about this scenario by reading [Review on-premises UPN support for Hybrid Azure Ad join](/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join).
-
-> [!NOTE]
-> Windows Hello for Business Hybrid key trust is not supported if your users' on-premises domain cannot be added as a verified domain in Azure AD.
-
-## Follow the Windows Hello for Business hybrid key trust deployment guide
-
-1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-3. [New installation baseline](hello-hybrid-key-new-install.md)
-4. [Configure directory synchronization](hello-hybrid-key-trust-dirsync.md)
-5. Configure Azure Device Registration (*you're here*)
-6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-7. [Sign-in and provision](hello-hybrid-key-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
deleted file mode 100644
index 18df532ca9..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business
-description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business)
-ms.date: 4/30/2021
-appliesto:
-- ✅ Windows 10 and later
-ms.topic: article
----
-# Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business
-
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
-
-You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises.
-
-## Deploy Azure AD Connect
-
-Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771).
-
-> [!NOTE]
-> If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured.
-
-
                                - -If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps: -- Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD. -- Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD. - -> [!NOTE] -> Windows Hello for Business Hybrid key trust is not supported if your users' on-premises domain cannot be added as a verified domain in Azure AD. - -
-
-## Follow the Windows Hello for Business hybrid key trust deployment guide
-
-1. [Overview](hello-hybrid-key-trust.md)
-2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-key-new-install.md)
-4. Configure Directory Synchronization (*You are here*)
-5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
-6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
deleted file mode 100644
index 17e3fe7e61..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ /dev/null
@@ -1,159 +0,0 @@ ---- -title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business) -description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process. -ms.date: 4/30/2021 -appliesto: -- ✅ Windows 10 and later -ms.topic: article ---- -# Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites - -[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] - -Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. - -The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: - -- [Directories](#directories) -- [Public Key Infrastructure](#public-key-infrastructure) -- [Directory Synchronization](#directory-synchronization) -- [Federation](#federation-with-azure) -- [Multifactor authentication](#multifactor-authentication) -- [Device Registration](#device-registration) - -## Directories - -Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. - -A hybrid Windows Hello for Business deployment requires Azure Active Directory. The hybrid key trust deployment does not need a premium Azure Active Directory subscription. - -You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. 
-If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. -Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. - -> [!NOTE] ->There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. - -Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. - -### Section Review - -> [!div class="checklist"] -> * Active Directory Domain Functional Level -> * Active Directory Forest Functional Level -> * Domain Controller version -> * Azure Active Directory subscription -> * Correct subscription for desired features and outcomes - -
                                - -## Public Key Infrastructure - -The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows devices to trust the domain controller. - -Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object. - -The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](/troubleshoot/windows-server/windows-security/requirements-domain-controller). - -- The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder. -- Optionally, the certificate Subject section could contain the directory path of the server object (the distinguished name). -- The certificate Key Usage section must contain Digital Signature and Key Encipherment. -- Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. -- The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5). -- The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. 
-- The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template. -- The domain controller certificate must be installed in the local computer's certificate store. See [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](./hello-hybrid-key-whfb-settings-pki.md) for details. - - -> [!IMPORTANT] -> For Azure AD joined device to authenticate to and use on-premises resources, ensure you: -> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store. -> * Publish your certificate revocation list to a location that is available to Azure AD-joined devices, such as a web-based url. - -### Section Review -> [!div class="checklist"] -> * Windows Server 2012 Issuing Certificate Authority - -
                                - -## Directory Synchronization - -The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. - -Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. - -### Section Review - -> [!div class="checklist"] -> * Azure Active Directory Connect directory synchronization -> * [Upgrade from DirSync](/azure/active-directory/connect/active-directory-aadconnect-dirsync-upgrade-get-started) -> * [Upgrade from Azure AD Sync](/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version) - -
                                - -## Federation with Azure - -You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](/azure/active-directory/hybrid/whatis-phs) or [Azure Active Directory Pass-through-Authentication](/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. - -> [!div class="checklist"] -> * Non-federated environments -> * Federated environments - -
                                - -## Multifactor Authentication - -Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. - -Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS. - -### Section Review - -> [!div class="checklist"] -> * Azure MFA Service -> * Windows Server 2016 AD FS and Azure (optional, if federated) -> * Windows Server 2016 AD FS and third party MFA Adapter (optional, if federated) - -
                                - -## Device Registration - -Organizations wanting to deploy hybrid key trust need their domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. - -## Provisioning - -You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. - -### Section Checklist - -> [!div class="checklist"] -> * Device Registration with Azure Device Registration - -
                                - -### Next Steps - -Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**. - -For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Synchronization**. - -For federated and non-federated environments, start with **Configure Windows Hello for Business settings**. - -> [!div class="op_single_selector"] -> - [New Installation Baseline](hello-hybrid-key-new-install.md) -> - [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) -> - [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) - -

                                - -
                                - -## Follow the Windows Hello for Business hybrid key trust deployment guide - -1. [Overview](hello-hybrid-key-trust.md) -2. Prerequisites (*You are here*) -3. [New Installation Baseline](hello-hybrid-key-new-install.md) -4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) -5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) -6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md new file mode 100644 index 0000000000..73c27e5835 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md 
@@ -0,0 +1,167 @@ +--- +title: Windows Hello for Business hybrid key trust clients configuration and enrollment +description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario. +ms.date: 01/03/2023 +appliesto: +- ✅ Windows 10 and later +ms.topic: tutorial +--- + +# Configure and enroll in Windows Hello for Business - hybrid key trust + +[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-key-trust.md)] + +After the prerequisites are met and the PKI configuration is validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). + +#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) + +## Configure Windows Hello for Business using Microsoft Intune + +For Azure AD joined devices and hybrid Azure AD joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business. + +There are different ways to enable and configure Windows Hello for Business in Intune: + +- Using a policy applied at the tenant level. The tenant policy: + - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune + - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group +- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. 
There are different policy types to choose from: + - [Settings catalog][MEM-1] + - [Security baselines][MEM-2] + - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4] + - [Account protection policy][MEM-5] + - [Identity protection policy template][MEM-6] + +### Verify the tenant-wide policy + +To check the Windows Hello for Business policy applied at enrollment time: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** > **Windows** > **Windows Enrollment** +1. Select **Windows Hello for Business** +1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured + +:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png"::: + +If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy. + +### Enable and configure Windows Hello for Business + +To configure Windows Hello for Business using an *account protection* policy: + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Endpoint security** > **Account protection** +1. Select **+ Create Policy** +1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection** +1. Select **Create** +1. Specify a **Name** and, optionally, a **Description** > **Next** +1. 
Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available + - These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes** + - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business) +1. Select **Next** +1. Optionally, add *scope tags* > **Next** +1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** +1. Review the policy configuration and select **Create** + +:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png"::: + +#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) + +## Configure Windows Hello for Business using group policies + +For hybrid Azure AD joined devices, you can use group policies to configure Windows Hello for Business. +It's suggested to create a security group (for example, *Windows Hello for Business Users*) to make it easy to deploy Windows Hello for Business in phases. You assign **Group Policy permissions** to this group to simplify the deployment by adding the users to the group. + +The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory + +> [!NOTE] +> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. 
For more information about policy conflicts, see [Policy conflicts from multiple policy sources](./hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources) + +### Enable Windows Hello for Business group policy setting + +The *Enable Windows Hello for Business* group policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to **enabled**.\ +You can configure the *Enable Windows Hello for Business* setting for computer or users: + +- Deploying this policy setting to computers (or group of computers) results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment +- Deploying this policy setting to a user (or group of users), results in only that user attempting a Windows Hello for Business enrollment + +If both user and computer policy settings are deployed, the user policy setting has precedence. + +### Enable and configure Windows Hello for Business + +Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials. + +1. Start the **Group Policy Management Console** (gpmc.msc) +1. Expand the domain and select the **Group Policy Object** node in the navigation pane +1. Right-click **Group Policy object** and select **New** +1. Type *Enable Windows Hello for Business* in the name box and select **OK** +1. In the content pane, right-click the **Enable Windows Hello for Business** group policy object and select **Edit** +1. In the navigation pane, expand **Policies** under **User Configuration** +1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business** +1. In the content pane, open **Use Windows Hello for Business**. Select **Enable > OK** +1. Close the **Group Policy Management Editor** + +> [!NOTE] +> Windows Hello for Business can be configured using different policies. 
These policies are optional to configure, but it's recommended to enable *Use a hardware security device*. +> +> For more information about these policies, see [Group Policy settings for Windows Hello for Business](hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business). + +### Configure security for GPO + +The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. + +1. Start the **Group Policy Management Console** (gpmc.msc) +1. Expand the domain and select the **Group Policy Object** node in the navigation pane +1. Open the **Enable Windows Hello for Business** GPO +1. In the **Security Filtering** section of the content pane, select **Add**. Type the name of the security group you previously created (for example, *Windows Hello for Business Users*) and select **OK** +1. Select the **Delegation** tab. Select **Authenticated Users > Advanced** +1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK** + +### Deploy the Windows Hello for Business Group Policy object + +The application of Group Policy object uses security group filtering. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all users. The security group filtering ensures that only the members of the *Windows Hello for Business Users* global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business. + +1. Start the **Group Policy Management Console** (gpmc.msc) +1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO** +1. 
In the **Select GPO** dialog box, select *Enable Windows Hello for Business* or the name of the Windows Hello for Business Group Policy object you previously created and select **OK** + +### Add members to the targeted group + +Users (or devices) must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding members to the *Windows Hello for Business Users* group. Users and groups who aren't members of this group won't attempt to enroll for Windows Hello for Business. + +--- + +## Enroll in Windows Hello for Business + +The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass. + +You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\ +This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4]. + +:::image type="content" source="images/Event358.png" alt-text="Details about event ID 358 showing that the device is ready to enroll in Windows Hello for Business." border="false" lightbox="images/Event358.png"::: + +### PIN Setup + +The following process occurs after a user signs in, to enroll in Windows Hello for Business: + +1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK** +1. The enrollment flow proceeds to the multi-factor authentication phase. The process informs the user that there's an MFA contact attempt, using the configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. 
A failed or timeout MFA results in an error and asks the user to retry +1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device +1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Azure AD Connect synchronizes the user's key to Active Directory + +:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business."::: + +> [!IMPORTANT] +> The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. +> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. +> Read [Azure AD Connect sync: Scheduler][AZ-5] to view and adjust the **synchronization cycle** for your organization. 
+ + +[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd +[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler + +[MEM-1]: /mem/intune/configuration/settings-catalog +[MEM-2]: /mem/intune/protect/security-baselines +[MEM-3]: /mem/intune/configuration/custom-settings-configure +[MEM-4]: /windows/client-management/mdm/passportforwork-csp +[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy +[MEM-6]: /mem/intune/protect/identity-protection-configure \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md new file mode 100644 index 0000000000..19c9df7d89 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md 
@@ -0,0 +1,102 @@
+---
+title: Configure and validate the Public Key Infrastructure in an hybrid key trust model
+description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in an hybrid key trust model.
+ms.date: 01/03/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
+ms.topic: tutorial
+---
+# Configure and validate the Public Key Infrastructure - hybrid key trust
+
+[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-key-trust.md)]
+
+Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
+
+Key trust deployments do not need client-issued certificates for on-premises authentication. Active Directory user accounts are configured for public key mapping by *Azure AD Connect Sync*, which synchronizes the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink`).
+
+A Windows Server-based PKI or a third-party Enterprise certification authority can be used. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA][SERV-1].
+
+## Deploy an enterprise certification authority
+
+This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role.\
+If you don't have an existing PKI, review [Certification Authority Guidance][PREV-1] to properly design your infrastructure.
Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy][PREV-2] for instructions on how to configure your PKI using the information from your design session.
+
+### Lab-based PKI
+
+The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**.
+
+Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed.
+
+>[!NOTE]
+>Never install a certification authority on a domain controller in a production environment.
+
+1. Open an elevated Windows PowerShell prompt
+1. Use the following command to install the Active Directory Certificate Services role.
+ ```PowerShell
+ Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
+ ```
+1. Use the following command to configure the CA using a basic certification authority configuration
+ ```PowerShell
+ Install-AdcsCertificationAuthority
+ ```
+
+## Configure the enterprise PKI
+
+[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
+
+> [!NOTE]
+> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for hybrid Azure AD-joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD-joined devices.
+
+> [!IMPORTANT]
+> For Azure AD joined devices to authenticate to on-premises resources, ensure to:
+> - Install the root CA certificate in the device's trusted root certificate store.
See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
+> - Publish your certificate revocation list to a location that is available to Azure AD-joined devices, such as a web-based URL
+
+[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
+
+[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
+
+### Publish the certificate template to the CA
+
+A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
+
+Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Expand the parent node from the navigation pane
+1. Select **Certificate Templates** in the navigation pane
+1. Right-click the **Certificate Templates** node. Select **New > Certificate Template to issue**
+1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)* template you created in the previous steps > select **OK**
+1. Close the console
+
+> [!IMPORTANT]
+> If you plan to deploy **Azure AD joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).
+
+## Configure and deploy certificates to domain controllers
+
+[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
+
+## Validate the configuration
+
+[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
+
+## Section review and next steps
+
+Before moving to the next section, ensure the following steps are complete:
+
+> [!div class="checklist"]
+> - Configure domain controller certificates
+> - Supersede existing domain controller certificates
+> - Unpublish superseded certificate templates
+> - Publish the certificate template to the CA
+> - Deploy certificates to the domain controllers
+> - Validate the domain controllers configuration
+
+> [!div class="nextstepaction"]
+> [Next: configure and provision Windows Hello for Business >](hello-hybrid-key-trust-provision.md)
+
+
+[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
+[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)
+[PREV-2]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index 9ab687ded9..042fe747a8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -1,40 +1,102 @@
 ---
-title: Hybrid Key Trust Deployment (Windows Hello for Business)
-description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 08/20/2018
+title: Windows Hello for Business hybrid key trust deployment
+description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario.
+ms.date: 12/28/2022
 appliesto:
 - ✅ Windows 10 and later
-ms.topic: article
+- ✅ Windows Server 2016 and later
+ms.topic: how-to
 ---
-# Hybrid Azure AD joined Key Trust Deployment
+# Hybrid key trust deployment
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-key-trust.md)]
-Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
+Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
-It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
+This deployment guide describes how to deploy Windows Hello for Business in a hybrid key trust scenario.
-This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment.
+> [!IMPORTANT]
+> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md).
-## New Deployment Baseline ##
+It is recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
-The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
+## Prerequisites
-This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in.
+The following prerequisites must be met for a hybrid key trust deployment:
-Your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.
+> [!div class="checklist"]
+> * Directories and directory synchronization
+> * Authentication to Azure AD
+> * Device registration
+> * Public Key Infrastructure
+> * Multi-factor authentication
+> * Device management
+
+### Directories and directory synchronization
+
+Hybrid Windows Hello for Business needs two directories:
+
+- An on-premises Active Directory
+- An Azure Active Directory tenant
+
+The two directories must be synchronized with [Azure AD Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Azure AD.\
+During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Azure AD. *Azure AD Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory.
+
+> [!NOTE]
+> Windows Hello for Business hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Azure AD.
+
+### Authentication to Azure AD
+
+Authentication to Azure AD can be configured with or without federation:
+
+- [Password hash synchronization][AZ-6] or [Azure Active Directory pass-through-authentication][AZ-7] is required for non-federated environments
+- Active Directory Federation Services (AD FS) or a third-party federation service is required for federated environments
+
+### Device registration
+
+The Windows devices must be registered in Azure AD. Devices can be registered in Azure AD using either *Azure AD join* or *hybrid Azure AD join*.\
+For *hybrid Azure AD joined* devices, review the guidance on the [Plan your hybrid Azure Active Directory join implementation][AZ-8] page.
+
+### Public Key Infrastructure
+
+An enterprise PKI is required as *trust anchor* for authentication. Domain controllers require a certificate for Windows clients to trust them.
+
+### Multi-factor authentication
+
+The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\
+Hybrid deployments can use:
+
+- [Azure AD Multi-Factor Authentication][AZ-2]
+- A multi-factor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS
+
+For more information how to configure Azure AD Multi-Factor Authentication, see [Configure Azure AD Multi-Factor Authentication settings][AZ-3].\
+For more information how to configure AD FS to provide multi-factor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
+
+### Device management
+
+To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy.
+
+## Next steps
+
+Once the prerequisites are met, deploying Windows Hello for Business with a hybrid key trust model consists of the following steps:
+
+> [!div class="checklist"]
+> * Configure and validate the PKI
+> * Configure Windows Hello for Business settings
+> * Provision Windows Hello for Business on Windows clients
+> * Configure single sign-on (SSO) for Azure AD joined devices
 > [!div class="nextstepaction"]
-> [Prerequisites](hello-hybrid-key-trust-prereqs.md)
+> [Next: configure and validate the Public Key Infrastructure >](hello-hybrid-key-trust-validate-pki.md)
-

                                + +[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis +[AZ-2]: /azure/multi-factor-authentication/multi-factor-authentication +[AZ-3]: /azure/multi-factor-authentication/multi-factor-authentication-whats-next +[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd +[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler +[AZ-6]: /azure/active-directory/hybrid/whatis-phs +[AZ-7]: /azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication +[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan -## Follow the Windows Hello for Business hybrid key trust deployment guide - -1. Overview (*You are here*) -2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-key-new-install.md) -4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) -5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) -6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md deleted file mode 100644 index b5c704fb93..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ /dev/null 
@@ -1,59 +0,0 @@
----
-title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business)
-description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide.
-ms.date: 4/30/2021
-appliesto:
-- ✅ Windows 10 and later
-ms.topic: article
----
-# Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning
-
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
-
-## Provisioning
-
-The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
-
-![Event358.](images/Event358-2.png)
-
-The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is Azure Active Directory-joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
-
-Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**.
-
-![Setup a PIN Provisioning.](images/setupapin.png)
-
-The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
-
-![MFA prompt during provisioning.](images/mfa.png)
-
-After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment.
-
-![Create a PIN during provisioning.](images/createPin.png)
-
-The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment.
-
-- A successful single factor authentication (username and password at sign-in)
-- A device that has successfully completed device registration
-- A fresh, successful multi-factor authentication
-- A validated PIN that meets the PIN complexity requirements
-
-The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Azure AD Connect synchronizes the user's key to Active Directory.
-
-> [!IMPORTANT]
-> The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval.
-> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
-> Read [Azure AD Connect sync: Scheduler](/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
-
-

                                - -
                                - -## Follow the Windows Hello for Business hybrid key trust deployment guide - -1. [Overview](hello-hybrid-key-trust.md) -2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-key-new-install.md) -4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) -5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) -6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -7. Sign-in and Provision(*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md deleted file mode 100644 index cb30af909d..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ /dev/null 
@@ -1,53 +0,0 @@
----
-title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD)
-description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD)
-ms.date: 4/30/2021
-appliesto:
-- ✅ Windows 10 and later
-ms.topic: article
----
-# Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory
-
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)]
-
-Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users.
-
-### Creating Security Groups
-
-Windows Hello for Business uses a security group to simplify the deployment and management.
-
-#### Create the Windows Hello for Business Users Security Group
-
-The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate.
-
-Sign-in a domain controller or management workstation with *Domain Admin* equivalent credentials.
-
-1. Open **Active Directory Users and Computers**.
-2. Click **View** and click **Advanced Features**.
-3. Expand the domain node from the navigation pane.
-4. Right-click the **Users** container. Click **New**. Click **Group**.
-5. Type **Windows Hello for Business Users** in the **Group Name** text box.
-6. Click **OK**.
-
-### Section Review
-
-> [!div class="checklist"]
-> * Create the Windows Hello for Business Users group
->
-> [!div class="step-by-step"]
-> [< Configure Windows Hello for Business](hello-hybrid-key-whfb-settings.md)
-> [Configure Azure AD Connect >](hello-hybrid-key-whfb-settings-dir-sync.md)
-

                                - -
                                - -## Follow the Windows Hello for Business hybrid key trust deployment guide - -1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-key-new-install.md) -4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) -5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) -6. Configure Windows Hello for Business settings: Active Directory (*You are here*) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md deleted file mode 100644 index f19aab257d..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ /dev/null 
@@ -1,54 +0,0 @@
----
-title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization
-description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization
-ms.date: 4/30/2021
-appliesto:
-- ✅ Windows 10 and later
-ms.topic: article
----
-# Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization
-
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
-
-## Directory Synchronization
-
-In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure AD. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
-
-### Group Memberships for the Azure AD Connect Service Account
->[!IMPORTANT]
-> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. For more detail see [Configure Hybrid Windows Hello for Business: Directory Synchronization](./hello-hybrid-cert-whfb-settings-dir-sync.md).
-
-The KeyAdmins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory.
-
-Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
-
-1. Open **Active Directory Users and Computers**.
-2. Click the **Users** container in the navigation pane.
-3. Right-click **Key Admins** in the details pane and click **Properties**.
-4. Click the **Members** tab and click **Add**
-5. In the **Enter the object names to select** text box, type the name of the service account used as an AD DS Connector account and click **OK**.
-6. Click **OK** to return to **Active Directory Users and Computers**.
-
-> [!NOTE]
-> If your Active Directory forest has multiple domains, your ADConnect accounts need to be members of the **Enterprise Key Admins** group. This membership is needed to write the keys to other domain users.
-
-### Section Review
-
-> [!div class="checklist"]
-> * Configure group membership for Azure AD Connect
-
-> [!div class="step-by-step"]
-> [< Configure Active Directory](hello-hybrid-key-whfb-settings-ad.md)
-> [Configure PKI >](hello-hybrid-key-whfb-settings-pki.md)
-
                                - -## Follow the Windows Hello for Business hybrid key trust deployment guide - -1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-key-new-install.md) -4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) -5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) -6. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md deleted file mode 100644 index 9e36481b2a..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ /dev/null 
@@ -1,128 +0,0 @@ ---- -title: Configure Hybrid Azure AD joined key trust Windows Hello for Business -description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI) -ms.date: 04/30/2021 -appliesto: -- ✅ Windows 10 and later -ms.topic: article ---- -# Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure - -[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] - -Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. - -All deployments use enterprise issued certificates for domain controllers as a root of trust. - -## Certificate Templates - -This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority. - -### Domain Controller certificate template - -Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain - namely the enterprise certificate authority. - -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD-joined devices. 
The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD-joined devices. The steps below to update the domain controller certificate to include the **KDC Authentication** OID may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD-joined devices to your environment in the future. - -By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template a baseline to create an updated domain controller certificate template. - -#### Create a Domain Controller Authentication (Kerberos) Certificate Template - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certificate Recipient** list. -5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. - > [!NOTE] - > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. -6. 
On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. -8. Close the console. - ->[!NOTE] ->Don't confuse the **Request hash** algorithm with the hash argorithm of the certificate. - -#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template - -Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension. - -The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). - -The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. - -Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. - -1. 
Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. -4. Click the **Superseded Templates** tab. Click **Add**. -5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. -6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. -7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. -8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. -9. Click **OK** and close the **Certificate Templates** console. - -The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. - -> [!NOTE] -> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail. 
->To see all certificates in the NTAuth store, use the following command: -> -> `Certutil -viewstore -enterprise NTAuth` - -### Publish Certificate Templates to a Certificate Authority - -The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. - -Sign-in to the certificate authority or management workstations with _enterprise administrator_ equivalent credentials. - -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. -5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. -6. If you published the **Domain Controller Authentication (Kerberos)** certificate template, then you should unpublish the certificate templates you included in the superseded templates list. - - To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. -7. Close the console. - -### Unpublish Superseded Certificate Templates - -The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. 
This includes the pre-published certificate template from the role installation and any superseded certificate templates. - -The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. - -Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. -5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. - -### Section Review - -> [!div class="checklist"] -> * Domain Controller certificate template -> * Configure superseded domain controller certificate templates -> * Publish Certificate templates to certificate authorities -> * Unpublish superseded certificate templates -> s -> [!div class="step-by-step"] -> [< Configure Azure AD Connect](hello-hybrid-key-whfb-settings-dir-sync.md) -> [Configure policy settings >](hello-hybrid-key-whfb-settings-policy.md) - -

                                - -
                                - -## Follow the Windows Hello for Business hybrid key trust deployment guide - -1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-key-new-install.md) -4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) -5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) -6. Configure Windows Hello for Business settings: PKI (*You are here*) -7. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md deleted file mode 100644 index 333f505d95..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ /dev/null 
@@ -1,169 +0,0 @@
----
-title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
-description: Configuring Hybrid key trust Windows Hello for Business - Group Policy
-ms.date: 4/30/2021
-appliesto:
-- ✅ Windows 10 and later
-ms.topic: article
----
-# Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy
-
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)]
-
-## Policy Configuration
-
-You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
-Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
-
-Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.
-
-Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate.
-
-Hybrid Azure AD-joined devices need one Group Policy setting:
-* Enable Windows Hello for Business
-
-### Configure Domain Controllers for Automatic Certificate Enrollment
-
-Domain controllers automatically request a certificate from the *Domain Controller* certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates.
-
-To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU.
-
-#### Create a Domain Controller Automatic Certificate Enrollment Group Policy object
-
-Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
-
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Right-click **Group Policy object** and select **New**
-4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**.
-5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**.
-6. In the navigation pane, expand **Policies** under **Computer Configuration**.
-7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
-8. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**.
-9. Select **Enabled** from the **Configuration Model** list.
-10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
-11. Select the **Update certificates that use certificate templates** check box.
-12. Click **OK**. Close the **Group Policy Management Editor**.
-
-#### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object
-
-Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
-
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO�**
-3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
-
->[!IMPORTANT]
->If you don't find options in GPO, you have to load the [PolicyDefinitions folder](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
-
-### Windows Hello for Business Group Policy
-
-The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
-
-> [!NOTE]
-> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp).
For more details about policy conflicts, see [Policy conflicts from multiple policy sources](./hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
-
-#### Enable Windows Hello for Business
-
-The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
-
-You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
-
-#### Create the Windows Hello for Business Group Policy object
-
-The Group Policy object contains the policy setting needed to trigger Windows Hello for Business provisioning.
-
-Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
-
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Right-click **Group Policy object** and select **New**.
-4. Type *Enable Windows Hello for Business* in the name box and click **OK**.
-5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-6. In the navigation pane, expand **Policies** under **User Configuration**.
-7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
-8. 
In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**.
-
-#### Configure Security in the Windows Hello for Business Group Policy object
-
-The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Double-click the **Enable Windows Hello for Business** Group Policy object.
-4. In the **Security Filtering** section of the content pane, click **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**.
-5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**.
-6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**.
-
-#### Deploy the Windows Hello for Business Group Policy object
-
-The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. 
In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO**
-3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**.
-
-Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object.
-
-## Other Related Group Policy settings
-
-### Windows Hello for Business
-
-There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings.
-
-#### Use a hardware security device
-
-The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential.
-
-You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
-
-Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Some organizations may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
-
-#### Use biometrics
-
-Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security.
-
-The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows doesn't provide the ability to set granular policies that enable you to disable specific modalities of biometrics, such as allowing facial recognition but disallowing fingerprint recognition.
-
-### PIN Complexity
-
-PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
-
->[!IMPORTANT]
-> Starting from Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor.
-
-Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
-* Require digits
-* Require lowercase letters
-* Maximum PIN length
-* Minimum PIN length
-* Expiration
-* History
-* Require special characters
-* Require uppercase letters
-
-## Add users to the Windows Hello for Business Users group
-
-Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business.
-
-### Section Review
-> [!div class="checklist"]
-> * Configure domain controllers for automatic certificate enrollment.
-> * Create Windows Hello for Business Group Policy object.
-> * Enable the Use Windows Hello for Business policy setting.
-> * Add users or groups to the Windows Hello for Business group
->
->
-> [!div class="nextstepaction"]
-> [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
-
-

                                - -
                                -
-
-## Follow the Windows Hello for Business hybrid key trust deployment guide
-1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-key-new-install.md)
-4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
-5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
-6. Configure Windows Hello for Business policy settings (*You are here*)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
deleted file mode 100644
index 5e24b6de2c..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings
-description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration.
-ms.date: 4/30/2021
-appliesto:
-- ✅ Windows 10 and later
-ms.topic: article
----
-# Configure Hybrid Azure AD joined Windows Hello for Business key trust settings
-
-[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
-
-You are ready to configure your hybrid Azure AD joined key trust environment for Windows Hello for Business.
-
-> [!IMPORTANT]
-> Ensure your environment meets all the [prerequisites](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment.
-
-The configuration for Windows Hello for Business is grouped in four categories. These categories are:
-* [Active Directory](hello-hybrid-key-whfb-settings-ad.md)
-* [Azure AD Connect](hello-hybrid-key-whfb-settings-dir-sync.md)
-* [Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md)
-* [Group Policy](hello-hybrid-key-whfb-settings-policy.md)
-
-For the most efficient deployment, configure these technologies in order beginning with the Active Directory configuration
-
-> [!div class="step-by-step"]
-> [Configure Active Directory >](hello-hybrid-key-whfb-settings-ad.md)
-
-## Follow the Windows Hello for Business hybrid key trust deployment guide
-
-1. [Overview](hello-hybrid-key-trust.md)
-2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-key-new-install.md)
-4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
-5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
-6. 
Configure Windows Hello for Business settings (*You are here*) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index e1ed3396b6..518283865d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -3,6 +3,7 @@ title: Windows Hello for Business Deployment Prerequisite Overview description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models ms.collection: - highpri +- tier1 ms.date: 12/13/2022 appliesto: - ✅ Windows 10 and later diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index b08abdb82d..b0cf1c66b8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -9,7 +9,7 @@ ms.topic: tutorial --- # Prepare and deploy Active Directory Federation Services - on-premises key trust -[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] +[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)] Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises key trust deployment model uses AD FS for *key registration* and *device registration*. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 03e7dbfe38..d9446b6eec 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -9,7 +9,7 @@ ms.topic: tutorial --- # Configure Windows Hello for Business group policy settings - on-premises key trust -[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] +[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)] On-premises key trust deployments of Windows Hello for Business need one Group Policy setting: *Enable Windows Hello for Business*. The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index e53e1d194f..07673151d3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -9,7 +9,7 @@ ms.topic: tutorial --- # Validate Active Directory prerequisites - on-premises key trust -[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] +[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)] Key trust deployments need an adequate number of domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md) and the [Planning an adequate number of Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 6088986d1e..65f12b5274 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -10,7 +10,7 @@ ms.topic: tutorial # Validate and deploy multi-factor authentication - on-premises key trust -[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] +[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)] Windows Hello for Business requires users perform multi-factor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option: diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index dac396577a..96505087ec 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md 
@@ -9,161 +9,23 @@ ms.topic: tutorial --- # Configure and validate the Public Key Infrastructure - on-premises key trust -[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] +[!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)] Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. -## Deploy an enterprise certification authority +[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)] -This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role. +## Configure the enterprise PKI -### Lab-based PKI +[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)] -The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**. +[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)] -Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed. +[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)] ->[!NOTE] ->Never install a certification authority on a domain controller in a production environment. +[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)] -1. Open an elevated Windows PowerShell prompt -1. Use the following command to install the Active Directory Certificate Services role. - ```PowerShell - Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools - ``` -3. 
Use the following command to configure the CA using a basic certification authority configuration - ```PowerShell - Install-AdcsCertificationAuthority - ``` - -## Configure a PKI - -If you have an existing PKI, review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your PKI using the information from your design session. - -Expand the following sections to configure the PKI for Windows Hello for Business. - -
                                -
                                -Configure domain controller certificates - -Clients must trust the domain controllers, and to it each domain controller must have a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the *enterprise certification authority*. - -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise CA is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates don't include the *KDC Authentication* object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the *Kerberos Authentication* certificate template. - -By default, the Active Directory CA provides and publishes the *Kerberos Authentication* certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the *Kerberos Authentication* certificate template as a *baseline* to create an updated domain controller certificate template. - -Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Right-click **Certificate Templates > Manage** -1. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and select **Duplicate Template** -1. 
On the **Compatibility** tab: - - Clear the **Show resulting changes** check box - - Select **Windows Server 2016** from the **Certification Authority** list - - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list -1. On the **General** tab - - Type *Domain Controller Authentication (Kerberos)* in Template display name - - Adjust the validity and renewal period to meet your enterprise's needs - > [!NOTE] - > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. -1. On the **Subject Name** tab: - - Select the **Build from this Active Directory information** button if it isn't already selected - - Select **None** from the **Subject name format** list - - Select **DNS name** from the **Include this information in alternate subject** list - - Clear all other items -1. On the **Cryptography** tab: - - select **Key Storage Provider** from the **Provider Category** list - - Select **RSA** from the **Algorithm name** list - - Type *2048* in the **Minimum key size** text box - - Select **SHA256** from the **Request hash** list -1. Select **OK** -1. Close the console - -
                                - - -
                                -
                                -Supersede existing domain controller certificates - -The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called *domain controller certificate*. Later releases of Windows Server provided a new certificate template called *domain controller authentication certificate*. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the *KDC Authentication* extension. - -The *Kerberos Authentication* certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.\ -The *autoenrollment* feature allows you to replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the *Kerberos Authentication* certificate template. - -Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Right-click **Certificate Templates > Manage** -1. In the **Certificate Template Console**, right-click the *Domain Controller Authentication (Kerberos)* (or the name of the certificate template you created in the previous section) template in the details pane and select **Properties** -1. Select the **Superseded Templates** tab. Select **Add** -1. From the **Add Superseded Template** dialog, select the *Domain Controller* certificate template and select **OK > Add** -1. From the **Add Superseded Template** dialog, select the *Domain Controller Authentication* certificate template and select **OK** -1. From the **Add Superseded Template** dialog, select the *Kerberos Authentication* certificate template and select **OK** -1. 
Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab -1. Select **OK** and close the **Certificate Templates** console - -The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates isn't active until the certificate template is published to one or more certificate authorities. - -
                                - -
                                -
                                -Configure an internal web server certificate template - -Windows clients use the https protocol when communicating with Active Directory Federation Services (AD FS). To meet this need, you must issue a server authentication certificate to all the nodes in the AD FS farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running theAD FS can request the certificate. - -Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Right-click **Certificate Templates** and select **Manage** -1. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and select **Duplicate Template** -1. On the **Compatibility** tab: - - Clear the **Show resulting changes** check box - - Select **Windows Server 2016** from the **Certification Authority** list - - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list -1. On the **General** tab: - - Type *Internal Web Server* in **Template display name** - - Adjust the validity and renewal period to meet your enterprise's needs - > [!NOTE] - > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. -1. On the **Request Handling** tab, select **Allow private key to be exported** -1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected -1. On the **Security** tab: - - Select **Add** - - Type **Domain Computers** in the **Enter the object names to select** box - - Select **OK** - - Select the **Allow** check box next to the **Enroll** permission -1. 
On the **Cryptography** tab: - - Select **Key Storage Provider** from the **Provider Category** list - - Select **RSA** from the **Algorithm name** list - - Type *2048* in the **Minimum key size** text box - - Select **SHA256** from the **Request hash** list - - Select **OK** -1. Close the console - -
                                - -
                                -
                                -Unpublish Superseded Certificate Templates - -The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. - -The newly created *domain controller authentication* certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. - -Sign in to the CA or management workstation with *Enterprise Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Expand the parent node from the navigation pane > **Certificate Templates** -1. Right-click the *Domain Controller* certificate template and select **Delete**. Select **Yes** on the **Disable certificate templates** window -1. Repeat step 3 for the *Domain Controller Authentication* and *Kerberos Authentication* certificate templates - -
                                - -
                                -
                                -Publish certificate templates to the CA +### Publish certificate templates to the CA A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. @@ -178,71 +40,13 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation 1. Close the console -
                                +## Configure and deploy certificates to domain controllers -### Configure automatic certificate enrollment for the domain controllers - -Domain controllers automatically request a certificate from the *Domain controller certificate* template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates, create and configure a Group Policy Object (GPO) for automatic certificate enrollment, linking the Group Policy object to the *Domain Controllers* Organizational Unit (OU). - -1. Open the **Group Policy Management Console** (gpmc.msc) -1. Expand the domain and select the **Group Policy Object** node in the navigation pane -1. Right-click **Group Policy object** and select **New** -1. Type *Domain Controller Auto Certificate Enrollment* in the name box and select **OK** -1. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and select **Edit** -1. In the navigation pane, expand **Policies** under **Computer Configuration** -1. Expand **Windows Settings > Security Settings > Public Key Policies** -1. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties** -1. Select **Enabled** from the **Configuration Model** list -1. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box -1. Select the **Update certificates that use certificate templates** check box -1. Select **OK** -1. Close the **Group Policy Management Editor** - -### Deploy the domain controller auto certificate enrollment GPO - -Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials. - -1. Start the **Group Policy Management Console** (gpmc.msc) -1. 
In the navigation pane, expand the domain and expand the node with the Active Directory domain name. Right-click the **Domain Controllers** organizational unit and select **Link an existing GPO…** -1. In the **Select GPO** dialog box, select *Domain Controller Auto Certificate Enrollment* or the name of the domain controller certificate enrollment Group Policy object you previously created -1. Select **OK** +[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)] ## Validate the configuration -Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. - -You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. - -### Use the event logs - -Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials. - -1. Using the Event Viewer, navigate to the **Application and Services > Microsoft > Windows > CertificateServices-Lifecycles-System** event log -1. Look for an event indicating a new certificate enrollment (autoenrollment): - - The details of the event include the certificate template on which the certificate was issued - - The name of the certificate template used to issue the certificate should match the certificate template name included in the event - - The certificate thumbprint and EKUs for the certificate are also included in the event - - The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template - -Certificates superseded by your new domain controller certificate generate an archive event in the event log. 
The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. - -### Certificate Manager - -You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates don't appear in Certificate Manager. - -### Certutil.exe - -You can use `certutil.exe` command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil.exe -q -store my` to view locally enrolled certificates. - -To view detailed information about each certificate in the store, use `certutil.exe -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. - -### Troubleshooting - -Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate.exe /force`. - -Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq.exe -autoenroll -q` from an elevated command prompt. - -Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions. +[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)] > [!div class="nextstepaction"] > [Next: prepare and deploy AD FS >](hello-key-trust-adfs.md) \ No newline at end of file 
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index a548960eab..e666aa4beb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -3,6 +3,7 @@ title: Manage Windows Hello in your organization (Windows) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. ms.collection: - highpri + - tier1 ms.date: 2/15/2022 appliesto: - ✅ Windows 10 and later @@ -131,28 +132,4 @@ All PIN complexity policies are grouped separately from feature enablement and a >- MinimumPINLength - 8 >- Digits - 1 >- LowercaseLetters - 1 ->- SpecialCharacters - 1 - - +>- SpecialCharacters - 1 \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 48c16385f3..d6e6de308d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -3,6 +3,7 @@ title: Windows Hello for Business Overview (Windows) description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11. ms.collection: - highpri + - tier1 ms.topic: conceptual appliesto: - ✅ Windows 10 and later 
@@ -110,5 +111,5 @@ Windows Hello for Business with a key, including cloud Kerberos trust, doesn't s
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index c3c5912b26..f3e0b27534 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -87,7 +87,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut
 The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
-The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](./hello-hybrid-cert-trust-prereqs.md#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
+The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
 > [!NOTE]
 > RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. 
RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 69e4a380e5..1d36c9e14c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -16,6 +16,8 @@ Although the organization may require users to change their Active Directory or
 People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
 ## On devices owned by the organization
 When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**.
@@ -40,9 +42,7 @@ People can go to **Settings** > **Accounts** > **Work or school**, select
 If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
-![sign in to windows, apps, and services using fingerprint or face.](images/hellosettings.png)
-
-
+:::image type="content" alt-text="This screenshot shows account sign-in options to windows, apps, and services using fingerprint or face." source="images/hellosettings.png":::
 ## Related topics 
@@ -52,6 +52,6 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 89fe8f84ce..6b65c109d3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -3,6 +3,7 @@ title: Why a PIN is better than an online password (Windows)
 description: Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password.
 ms.collection:
 - highpri
+ - tier1
 ms.date: 10/23/2017
 appliesto:
 - ✅ Windows 10 and later
@@ -81,5 +82,5 @@ If you only had a biometric sign-in configured and, for any reason, were unable
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) 
diff --git a/windows/security/identity-protection/hello-for-business/images/SetupAPin.png b/windows/security/identity-protection/hello-for-business/images/SetupAPin.png
deleted file mode 100644
index 50029cc00e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/SetupAPin.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png b/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png
deleted file mode 100644
index 2a5658b1a9..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png
deleted file mode 100644
index 88aaf424f0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png
deleted file mode 100644
index 3d547d05fc..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png b/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png
deleted file mode 100644
index d98d871f21..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/dsregcmd.png b/windows/security/identity-protection/hello-for-business/images/aadj/dsregcmd.png
deleted file mode 100644
index cacbcf0737..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/dsregcmd.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png
deleted file mode 100644
index caacf8a566..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png
deleted file mode 100644
index 226f85eeb0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png
deleted file mode 100644
index 067c109808..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png
deleted file mode 100644
index f2c38239f3..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png
deleted file mode 100644
index 74cea5f0b5..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png
deleted file mode 100644
index e95fd1b9ba..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png
deleted file mode 100644
index c973e43aec..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png
deleted file mode 100644
index 70aaa2db9d..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png
deleted file mode 100644
index eadf1eb285..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png
deleted file mode 100644
index 56cced034f..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png
deleted file mode 100644
index e4e4555942..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png
deleted file mode 100644
index 390bfecafd..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png
deleted file mode 100644
index a136973f04..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png
deleted file mode 100644
index c78baecd49..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png
deleted file mode 100644
index 96fe45bbcf..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png
deleted file mode 100644
index 004d3a3f25..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png
deleted file mode 100644
index 9d66d330fd..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png
deleted file mode 100644
index dea61f116e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png
deleted file mode 100644
index 831e12fe59..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png
deleted file mode 100644
index 21f4159d80..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png
deleted file mode 100644
index 49c4dee983..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png
deleted file mode 100644
index c2a4f36704..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png
deleted file mode 100644
index 0ec08ecbc0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png
deleted file mode 100644
index 46db47b6f0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/createPin.png b/windows/security/identity-protection/hello-for-business/images/createPin.png
deleted file mode 100644
index 91e079feca..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/createPin.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/dsregcmd.png b/windows/security/identity-protection/hello-for-business/images/dsregcmd.png
deleted file mode 100644
index 85bc6491cf..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/dsregcmd.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/event358-2.png b/windows/security/identity-protection/hello-for-business/images/event358-2.png
deleted file mode 100644
index 53fd554323..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/event358-2.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/event358.png b/windows/security/identity-protection/hello-for-business/images/event358.png
index 70376c35a1..f95e6130e6 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/event358.png and b/windows/security/identity-protection/hello-for-business/images/event358.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png b/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png
deleted file mode 100644
index 7f0be5249d..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-intune-enable-large.png b/windows/security/identity-protection/hello-for-business/images/hello-intune-enable-large.png
deleted file mode 100644
index ef99144042..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-intune-enable-large.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-intune-enable.png b/windows/security/identity-protection/hello-for-business/images/hello-intune-enable.png
deleted file mode 100644
index edcbe0ec34..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-intune-enable.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png
deleted file mode 100644
index 72c94fb321..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png
deleted file mode 100644
index 64f85b1f54..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png
deleted file mode 100644
index 6894047f98..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png
deleted file mode 100644
index 3167588d7b..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_filter.png b/windows/security/identity-protection/hello-for-business/images/hello_filter.png
deleted file mode 100644
index 611bbfad70..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_filter.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_gear.png b/windows/security/identity-protection/hello-for-business/images/hello_gear.png
deleted file mode 100644
index b74cf682ac..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_gear.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_lock.png b/windows/security/identity-protection/hello-for-business/images/hello_lock.png
deleted file mode 100644
index 5643cecec0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_lock.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_users.png b/windows/security/identity-protection/hello-for-business/images/hello_users.png
deleted file mode 100644
index c6750396dd..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_users.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png
deleted file mode 100644
index 8b003013f0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png
deleted file mode 100644
index 44bbc4a572..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png
deleted file mode 100644
index df7973e2ca..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png
deleted file mode 100644
index eb3458bf76..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png
deleted file mode 100644
index 6011b3c66e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png
deleted file mode 100644
index ac1752b75b..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png
deleted file mode 100644
index 2835e56049..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png
deleted file mode 100644
index 4874ca4516..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png
deleted file mode 100644
index c6572cbd5a..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png deleted file mode 100644 index 3a72066a31..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png deleted file mode 100644 index c3754b5389..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png deleted file mode 100644 index 97db24c262..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png deleted file mode 100644 index 80f9d53d2c..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png deleted file mode 100644 index 97ad2a1bfb..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/mfa.png b/windows/security/identity-protection/hello-for-business/images/mfa.png deleted file mode 100644 index b7086b9b79..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/mfa.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png deleted file mode 100644 index 174cf0a790..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png deleted file mode 100644 index 028f06544c..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png deleted file mode 100644 index 322a4fcbdc..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-intune-account-protection-cert-enable.png b/windows/security/identity-protection/hello-for-business/images/whfb-intune-account-protection-cert-enable.png new file mode 100644 index 0000000000..ec2ba07684 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/whfb-intune-account-protection-cert-enable.png differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-intune-account-protection-enable.png b/windows/security/identity-protection/hello-for-business/images/whfb-intune-account-protection-enable.png new file mode 100644 index 0000000000..b5ff9bbb58 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/whfb-intune-account-protection-enable.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-intune-disable.png b/windows/security/identity-protection/hello-for-business/images/whfb-intune-disable.png new file mode 100644 index 0000000000..97177965e3 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/whfb-intune-disable.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-intune-reset-pin.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-intune-reset-pin.jpg deleted file mode 100644 index 0eae3a4546..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-intune-reset-pin.jpg and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png b/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png deleted file mode 100644 index f86101b1e8..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg deleted file mode 100644 index d9acfd8170..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg deleted file mode 100644 index 21d37405a7..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/includes/auth-certificate-template.md b/windows/security/identity-protection/hello-for-business/includes/auth-certificate-template.md new file mode 100644 index 0000000000..c3f30f246e --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/auth-certificate-template.md 
@@ -0,0 +1,83 @@ +--- +ms.date: 12/28/2022 +ms.topic: include +--- + +### Configure a Windows Hello for Business authentication certificate template + +During Windows Hello for Business provisioning, Windows clients request an authentication certificate from AD FS, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. Right-click the **Smartcard Logon** template and choose **Duplicate Template** +1. On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list + - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list +1. On the **General** tab: + - Type *WHFB Authentication* in **Template display name** + - Adjust the validity and renewal period to meet your enterprise's needs + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. +1. On the **Cryptography** tab + - Select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list +1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon** +1. On the **Issuance Requirements** tab, + - Select the **This number of authorized signatures** check box. 
Type *1* in the text box + - Select **Application policy** from the **Policy type required in signature** + - Select **Certificate Request Agent** from in the **Application policy** list + - Select the **Valid existing certificate** option +1. On the **Subject** tab, + - Select the **Build from this Active Directory information** button + - Select **Fully distinguished name** from the **Subject name format** list + - Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** +1. On the **Request Handling** tab, select the **Renew with same key** check box +1. On the **Security** tab, select **Add**. Target an Active Directory security group that contains the users that you want to enroll in Windows Hello for Business. For example, if you have a group called *Window Hello for Business Users*, type it in the **Enter the object names to select** text box and select **OK** +1. Select the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section: + - Select the **Allow** check box for the **Enroll** permission + - Excluding the group above (for example, *Window Hello for Business Users*), clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes aren't already cleared + - Select **OK** +1. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they'll be superseded by this template for the users that have Enroll permission for this template +1. 
Select on the **Apply** to save changes and close the console + +#### Mark the template as the Windows Hello Sign-in template + +Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials + +Open an elevated command prompt end execute the following command + +```cmd +certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY +``` + +If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the `CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` parameter. Example: + +```cmd +CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication + +Old Value: +msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888) +CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) +CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 +TEMPLATE_SERVER_VER_WINBLUE<[!NOTE] +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace `WHFBAuthentication` in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the `Get-CATemplate` ADCS Administration Windows PowerShell cmdlet on your certification authority. + + \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md new file mode 100644 index 0000000000..6059c8bb03 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md 
@@ -0,0 +1,32 @@
+---
+ms.date: 12/28/2022
+ms.topic: include
+---
+
+### Configure automatic certificate enrollment for the domain controllers
+
+Domain controllers automatically request a certificate from the *Domain controller certificate* template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. For domain controllers to automatically enroll and renew of certificates, configure a GPO for automatic certificate enrollment, and link it to the *Domain Controllers* OU.
+
+1. Open the **Group Policy Management Console** (gpmc.msc)
+1. Expand the domain and select the **Group Policy Object** node in the navigation pane
+1. Right-click **Group Policy object** and select **New**
+1. Type *Domain Controller Auto Certificate Enrollment* in the name box and select **OK**
+1. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and select **Edit**
+1. In the navigation pane, expand **Policies** under **Computer Configuration**
+1. Expand **Windows Settings > Security Settings > Public Key Policies**
+1. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**
+1. Select **Enabled** from the **Configuration Model** list
+1. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box
+1. Select the **Update certificates that use certificate templates** check box
+1. Select **OK**
+1. Close the **Group Policy Management Editor**
+
+### Deploy the domain controller auto certificate enrollment GPO
+
+Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials.
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+1. In the navigation pane, expand the domain and expand the node with the Active Directory domain name.
Right-click the **Domain Controllers** organizational unit and select **Link an existing GPO…**
+1. In the **Select GPO** dialog box, select *Domain Controller Auto Certificate Enrollment* or the name of the domain controller certificate enrollment Group Policy object you previously created
+1. Select **OK**
+
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md
new file mode 100644
index 0000000000..20f8012d88
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-supersede.md
@@ -0,0 +1,33 @@
+---
+ms.date: 12/28/2022
+ms.topic: include
+---
+
+### Supersede existing domain controller certificates
+
+The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called *domain controller certificate*. Later releases of Windows Server provided a new certificate template called *domain controller authentication certificate*. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the *KDC Authentication* extension.
+
+The *Kerberos Authentication* certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.\
+The *autoenrollment* feature allows you to replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the *Kerberos Authentication* certificate template.
+
+Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Right-click **Certificate Templates > Manage**
+1. In the **Certificate Template Console**, right-click the *Domain Controller Authentication (Kerberos)* (or the name of the certificate template you created in the previous section) template in the details pane and select **Properties**
+1. Select the **Superseded Templates** tab. Select **Add**
+1. From the **Add Superseded Template** dialog, select the *Domain Controller* certificate template and select **OK > Add**
+1. From the **Add Superseded Template** dialog, select the *Domain Controller Authentication* certificate template and select **OK**
+1.
From the **Add Superseded Template** dialog, select the *Kerberos Authentication* certificate template and select **OK**
+1. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab
+1. Select **OK** and close the **Certificate Templates** console
+
+The certificate template is configured to supersede all the certificate templates provided in the *superseded templates* list.\
+However, the certificate template and the superseding of certificate templates isn't active until the template is published to one or more certificate authorities.
+
+> [!NOTE]
+> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
+>To see all certificates in the NTAuth store, use the following command:
+>
+> `Certutil -viewstore -enterprise NTAuth`
+
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md
new file mode 100644
index 0000000000..1fff52b89c
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-template.md
@@ -0,0 +1,51 @@
+---
+ms.date: 12/28/2022
+ms.topic: include
+---
+
+### Configure domain controller certificates
+
+Clients must trust the domain controllers, and the best way to enable the trust is to ensure that each domain controller has a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the *enterprise certification authority*.
+
+Domain controllers automatically request a *domain controller certificate* (if published) when they discover an enterprise CA is added to Active Directory. The certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates don't include the *KDC Authentication* object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the *Kerberos Authentication* certificate template.
+
+By default, the Active Directory CA provides and publishes the *Kerberos Authentication* certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the *Kerberos Authentication* certificate template as a *baseline* to create an updated domain controller certificate template.
+
+> [!IMPORTANT]
+> The certificates issued to the domain controllers must meet the following requirements:
+> - The *Certificate Revocation List (CRL) distribution point* extension must point to a valid CRL, or an *Authority Information Access (AIA)* extension that points to an Online Certificate Status Protocol (OCSP) responder
+> - Optionally, the certificate *Subject* section could contain the directory path of the server object (the distinguished name)
+> - The certificate *Key Usage* section must contain *Digital Signature* and *Key Encipherment*
+> - Optionally, the certificate *Basic Constraints* section should contain: `[Subject Type=End Entity, Path Length Constraint=None]`
+> - The certificate *extended key usage* section must contain Client Authentication (`1.3.6.1.5.5.7.3.2`), Server Authentication (`1.3.6.1.5.5.7.3.1`), and KDC Authentication (`1.3.6.1.5.2.3.5`)
+> - The certificate *Subject Alternative Name* section must contain the Domain Name System (DNS) name
+> - The certificate template must have an extension that has the value `DomainController`, encoded as a [BMPstring](/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template
+> - The domain controller certificate must be installed in the local computer's certificate store
+
+Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Right-click **Certificate Templates > Manage**
+1. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and select **Duplicate Template**
+1.
On the **Compatibility** tab:
+ - Clear the **Show resulting changes** check box
+ - Select **Windows Server 2016** from the **Certification Authority** list
+ - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
+1. On the **General** tab
+ - Type *Domain Controller Authentication (Kerberos)* in Template display name
+ - Adjust the validity and renewal period to meet your enterprise's needs
+ > [!NOTE]
+ > If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
+1. On the **Subject Name** tab:
+ - Select the **Build from this Active Directory information** button if it isn't already selected
+ - Select **None** from the **Subject name format** list
+ - Select **DNS name** from the **Include this information in alternate subject** list
+ - Clear all other items
+1. On the **Cryptography** tab:
+ - Select **Key Storage Provider** from the **Provider Category** list
+ - Select **RSA** from the **Algorithm name** list
+ - Type *2048* in the **Minimum key size** text box
+ - Select **SHA256** from the **Request hash** list
+1. Select **OK**
+1. Close the console
+
diff --git a/windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md
new file mode 100644
index 0000000000..5f8e4a5a88
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/dc-certificate-validate.md
@@ -0,0 +1,39 @@
+---
+ms.date: 12/28/2022
+ms.topic: include
+---
+
+Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful deployment is to validate phases of work prior to moving to the next phase.
+
+Confirm your domain controllers enroll the correct certificates and not any superseded certificate templates. Check that each domain controller completed the certificate autoenrollment.
+
+### Use the event logs
+
+Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials.
+
+1. Using the Event Viewer, navigate to the **Application and Services > Microsoft > Windows > CertificateServices-Lifecycles-System** event log
+1. Look for an event indicating a new certificate enrollment (autoenrollment):
+ - The details of the event include the certificate template on which the certificate was issued
+ - The name of the certificate template used to issue the certificate should match the certificate template name included in the event
+ - The certificate thumbprint and EKUs for the certificate are also included in the event
+ - The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template
+
+Certificates superseded by your new domain controller certificate generate an archive event in the event log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
+
+### Certificate Manager
+
+You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates don't appear in Certificate Manager.
+
+### Certutil.exe
+
+You can use `certutil.exe` command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil.exe -q -store my` to view locally enrolled certificates.
+
+To view detailed information about each certificate in the store, use `certutil.exe -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates.
+
+### Troubleshooting
+
+Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate.exe /force`.
+
+Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq.exe -autoenroll -q` from an elevated command prompt.
+
+Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions.
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/enrollment-agent-certificate-template.md b/windows/security/identity-protection/hello-for-business/includes/enrollment-agent-certificate-template.md
new file mode 100644
index 0000000000..0304c108d2
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/enrollment-agent-certificate-template.md
@@ -0,0 +1,79 @@ +--- +ms.date: 01/03/2022 +ms.topic: include +--- + +### Configure an enrollment agent certificate template + +A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. Windows Hello for Business certificate trust deployments use AD FS as the CRA. + +The CRA enrolls for an *enrollment agent certificate*. Once the CRA verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the CA. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The CA only issues a certificate for that template if the registration authority signs the certificate request. + +> [!IMPORTANT] +> Follow the procedures below based on the AD FS service account used in your environment. + +#### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA) + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template** +1. On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list. + - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list +1. 
On the **General** tab: + - Type *WHFB Enrollment Agent* in **Template display name** + - Adjust the validity and renewal period to meet your enterprise's needs +1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected + + > [!NOTE] + > Group Managed Service Accounts (GMSA) do not support the *Build from this Active Directory information* option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with *Supply in the request* to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + +1. On the **Cryptography** tab: + - Select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list +1. On the **Security** tab, select **Add** +1. Select **Object Types** and select the **Service Accounts** check box. Select **OK** +1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK** +1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section: + - In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission + - Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list + - Select **OK** +1. Close the console + +#### Create an enrollment agent certificate for a standard service account + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. 
In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template** +1. On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list. + - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list +1. On the **General** tab: + - Type *WHFB Enrollment Agent* in **Template display name** + - Adjust the validity and renewal period to meet your enterprise's needs +1. On the **Subject** tab: + - Select the **Build from this Active Directory information** button + - Select **Fully distinguished name** from the **Subject name format** + - Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** +1. On the **Cryptography** tab: + - Select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list +1. On the **Security** tab, select **Add** +1. Select **Object Types** and select the **Service Accounts** check box. Select **OK** +1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK** +1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section: + - In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission + - Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list + - Select **OK** +1. Close the console + 
diff --git a/windows/security/includes/hello-cloud.md b/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md similarity index 84% rename from windows/security/includes/hello-cloud.md rename to windows/security/identity-protection/hello-for-business/includes/hello-cloud.md index 1c41485f11..4724b9d6da 100644 --- a/windows/security/includes/hello-cloud.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-cloud.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md new file mode 100644 index 0000000000..a9b2685f07 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md @@ -0,0 +1,6 @@ +--- +ms.date: 12/08/2022 +ms.topic: include +--- + +[cloud :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#cloud-deployment "For organizations using Azure AD-only identities. Device management is usually done via Intune/MDM") \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md new file mode 100644 index 0000000000..b6ba025722 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md 
@@ -0,0 +1,6 @@ +--- +ms.date: 12/08/2022 +ms.topic: include +--- + +[hybrid :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Azure AD. Device management is usually done via Group Policy or Intune/MDM") \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md new file mode 100644 index 0000000000..5426da4561 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md @@ -0,0 +1,6 @@ +--- +ms.date: 12/08/2022 +ms.topic: include +--- + +[on-premises :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Azure AD. Device management is usually done via Group Policy") \ No newline at end of file diff --git a/windows/security/includes/hello-hybrid-cert-trust-aad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-aad.md similarity index 87% rename from windows/security/includes/hello-hybrid-cert-trust-aad.md rename to windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-aad.md index 57c03e95a3..955f819fbf 100644 --- a/windows/security/includes/hello-hybrid-cert-trust-aad.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-aad.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- 
diff --git a/windows/security/includes/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust.md similarity index 89% rename from windows/security/includes/hello-hybrid-cert-trust.md rename to windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust.md index d6ca6e8f5d..81e14489f5 100644 --- a/windows/security/includes/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/includes/hello-hybrid-cloudkerb-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md similarity index 89% rename from windows/security/includes/hello-hybrid-cloudkerb-trust.md rename to windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md index 61346cd80e..302cbee601 100644 --- a/windows/security/includes/hello-hybrid-cloudkerb-trust.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cloudkerb-trust.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/includes/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md similarity index 88% rename from windows/security/includes/hello-hybrid-key-trust.md rename to windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md index d9feebc213..72a7d5634b 100644 --- a/windows/security/includes/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- 
diff --git a/windows/security/includes/hello-hybrid-keycert-trust-aad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md similarity index 89% rename from windows/security/includes/hello-hybrid-keycert-trust-aad.md rename to windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md index 4c073f0897..40496f1006 100644 --- a/windows/security/includes/hello-hybrid-keycert-trust-aad.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-keycert-trust-aad.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/includes/hello-intro.md b/windows/security/identity-protection/hello-for-business/includes/hello-intro.md similarity index 60% rename from windows/security/includes/hello-intro.md rename to windows/security/identity-protection/hello-for-business/includes/hello-intro.md index 46d97c93e6..b89d23afb8 100644 --- a/windows/security/includes/hello-intro.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-intro.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md new file mode 100644 index 0000000000..82f5f99a23 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md 
@@ -0,0 +1,6 @@ +--- +ms.date: 12/08/2022 +ms.topic: include +--- + +[Azure AD join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Azure AD joined do not have any dependencies on Active Directory. Only local users accounts and Azure AD users can sign in to these devices") \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md new file mode 100644 index 0000000000..d7cd002e30 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/hello-join-domain.md @@ -0,0 +1,6 @@ +--- +ms.date: 12/08/2022 +ms.topic: include +--- + +[domain join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md "Devices that are domain joined do not have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices") \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md new file mode 100644 index 0000000000..ba8b5df65a --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md 
@@ -0,0 +1,6 @@ +--- +ms.date: 12/08/2022 +ms.topic: include +--- + +[hybrid Azure AD join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are hybrid Azure AD joined don't have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Azure AD will have single-sign on to both Active Directory and Azure AD-protected resources") \ No newline at end of file diff --git a/windows/security/includes/hello-on-premises-cert-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-cert-trust.md similarity index 88% rename from windows/security/includes/hello-on-premises-cert-trust.md rename to windows/security/identity-protection/hello-for-business/includes/hello-on-premises-cert-trust.md index b106b5b8c8..06ab63397f 100644 --- a/windows/security/includes/hello-on-premises-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-cert-trust.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/includes/hello-on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md similarity index 87% rename from windows/security/includes/hello-on-premises-key-trust.md rename to windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md index f290b0d975..ef66939cb2 100644 --- a/windows/security/includes/hello-on-premises-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/includes/hello-on-premises-key-trust.md @@ -1,6 +1,4 @@ --- -author: paolomatarazzo -ms.author: paoloma ms.date: 12/08/2022 ms.topic: include --- 
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-trust-certificate.md b/windows/security/identity-protection/hello-for-business/includes/hello-trust-certificate.md new file mode 100644 index 0000000000..3b89d756cf --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/hello-trust-certificate.md @@ -0,0 +1,6 @@ +--- +ms.date: 12/08/2022 +ms.topic: include +--- + +[certificate trust :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers") \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md new file mode 100644 index 0000000000..fa465e241c --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/hello-trust-cloud-kerberos.md @@ -0,0 +1,6 @@ +--- +ms.date: 12/08/2022 +ms.topic: include +--- + +[cloud Kerberos trust :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication") \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md b/windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md new file mode 100644 index 0000000000..3e4bdecccc --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/hello-trust-key.md 
@@ -0,0 +1,6 @@ +--- +ms.date: 12/08/2022 +ms.topic: include +--- + +[key trust :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers") \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/includes/lab-based-pki-deploy.md b/windows/security/identity-protection/hello-for-business/includes/lab-based-pki-deploy.md new file mode 100644 index 0000000000..5cc0341b05 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/lab-based-pki-deploy.md 
@@ -0,0 +1,32 @@ +--- +ms.date: 01/03/2023 +ms.topic: include +--- + +## Deploy an enterprise certification authority + +This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role.\ +If you don't have an existing PKI, review [Certification Authority Guidance][PREV-1] to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy][PREV-2] for instructions on how to configure your PKI using the information from your design session. + +### Lab-based PKI + +The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**. + +Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed. + +>[!NOTE] +>Never install a certification authority on a domain controller in a production environment. + +1. Open an elevated Windows PowerShell prompt +1. Use the following command to install the Active Directory Certificate Services role. + ```PowerShell + Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools + ``` +3. Use the following command to configure the CA using a basic certification authority configuration + ```PowerShell + Install-AdcsCertificationAuthority + ``` + + +[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11) +[PREV-2]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md b/windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md new file mode 100644 index 0000000000..5d8b4c3d0a --- /dev/null 
+++ b/windows/security/identity-protection/hello-for-business/includes/unpublish-superseded-templates.md @@ -0,0 +1,18 @@ +--- +ms.date: 12/28/2022 +ms.topic: include +--- + +### Unpublish Superseded Certificate Templates + +The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue, including the pre-published templates from the role installation and any superseded templates. + +The newly created *domain controller authentication* certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. + +Sign in to the CA or management workstation with *Enterprise Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Expand the parent node from the navigation pane > **Certificate Templates** +1. Right-click the *Domain Controller* certificate template and select **Delete**. Select **Yes** on the **Disable certificate templates** window +1. Repeat step 3 for the *Domain Controller Authentication* and *Kerberos Authentication* certificate templates + diff --git a/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md b/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md new file mode 100644 index 0000000000..601e29153a --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/web-server-certificate-template.md 
@@ -0,0 +1,38 @@ +--- +ms.date: 01/23/2023 +ms.topic: include +--- + +### Configure an internal web server certificate template + +Windows clients communicate with AD FS via HTTPS. To meet this need, a *server authentication* certificate must be issued to all the nodes in the AD FS farm. On-premises deployments can use a *server authentication* certificate issued by the enterprise PKI. A *server authentication* certificate template must be configured, so the AD FS nodes can request a certificate. + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and select **Duplicate Template** +1. On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list + - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list +1. On the **General** tab: + - Type *Internal Web Server* in **Template display name** + - Adjust the validity and renewal period to meet your enterprise's needs + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. +1. On the **Request Handling** tab, select **Allow private key to be exported** +1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected +1. On the **Security** tab: + - Select **Add** + - Type **Domain Computers** in the **Enter the object names to select** box + - Select **OK** + - Select the **Allow** check box next to the **Enroll** permission +1. 
On the **Cryptography** tab: + - Select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list + - Select **OK** +1. Close the console + diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml index 0c6b760604..75e29c597a 100644 --- a/windows/security/identity-protection/hello-for-business/index.yml +++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -16,6 +16,7 @@ metadata: ms.date: 01/22/2021 ms.collection: - highpri + - tier1 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md deleted file mode 100644 index 1987c05d33..0000000000 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ /dev/null 
@@ -1,102 +0,0 @@ ---- -title: How Windows Hello for Business works (Windows) -description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business. -ms.date: 10/16/2017 -appliesto: -- ✅ Windows 10 and later -ms.topic: article ---- -# How Windows Hello for Business works in Windows devices - -Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. - -## Register a new user or device - -A goal of device registration is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Windows Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Windows Hello as registration. - -> [!NOTE] ->This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure Active Directory (Azure AD); that configuration information is in [Manage Windows Hello for Business in your organization](../hello-manage-in-organization.md). Organizational configuration must be completed before users can begin to register. - - The registration process works like this: - -1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 or Windows 11 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it. -2. 
To sign in using that account, the user has to enter the existing credentials for it. The identity provider (IDP) that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. -3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately - -The PIN chosen is associated with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are: - -- A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. That triggers a second authentication factor from the IDP side (if required); after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN. -- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 or Windows 11 device the user has not previously signed in to. -- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 and Windows 11 device the user has not previously signed in to. - -When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and protects this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. 
This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. Each unique gesture generates a unique protector key. The protector key securely wraps the authentication key. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. - -At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely sign in to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures. - -## What’s a container? - -You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 or Windows 11 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. 
- -The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. - -It’s important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Windows Hello stores are protected without the creation of actual containers or folders. - -The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. - -![Each logical container holds one or more sets of keys.](../images/passport-fig3-logicalcontainer.png) - -Containers can contain several types of key material: - -- An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. -- Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked. -- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP key). IDP keys are stored in the container. 
For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: - - - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831498(v=ws.11)). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. - - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI. - -## How keys are protected - -Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. 
There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. - -Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. - - -## Authentication - -When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. 
When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. - -These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Microsoft Store to require reauthentication anytime a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. - -For example, the authentication process for Azure Active Directory works like this: - -1. The client sends an empty authentication request to the IDP. (This is merely for the handshake process.) -2. The IDP returns a challenge, known as a nonce. -3. The device signs the nonce with the appropriate private key. -4. The device returns the original nonce, the signed nonce, and the ID of the key used to sign the nonce. -5. The IDP fetches the public key that the key ID specified, uses it to verify the signature on the nonce, and verifies that the nonce the device returned matches the original. -6. 
If all the checks in step 5 succeed, the IDP returns two data items: a symmetric key, which is encrypted with the device’s public key, and a security token, which is encrypted with the symmetric key. -7. The device uses its private key to decrypt the symmetric key, and then uses that symmetric key to decrypt the token. -8. The device makes a normal authentication request for the original resource, presenting the token from the IDP as its proof of authentication. - -When the IDP validates the signature, it is verifying that the request came from the specified user and device. The private key specific to the device signs the nonce, which allows the IDP to determine the identity of the requesting user and device so that it can apply policies for content access based on user, device type, or both together. For example, an IDP could allow access to one set of resources only from mobile devices and a different set from desktop devices. - - -## The infrastructure - -Windows Hello depends on having compatible IDPs available to it. As of this writing, that means you have four deployment possibilities: - -- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to users. You can use NDES to register devices directly, or Microsoft Intune where it’s available to manage mobile device participation in Windows Hello. -- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs. 
The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required. -- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document. - - -## Related topics - -- [Windows Hello for Business](../hello-identity-verification.md) -- [Manage Windows Hello for Business in your organization](../hello-manage-in-organization.md) -- [Why a PIN is better than a password](../hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](../hello-prepare-people-to-use.md) -- [Windows Hello and password changes](../hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](../hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](../hello-event-300.md) -- [Windows Hello biometrics in the enterprise](../hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index fb4c92826f..77c3a38b65 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml 
@@ -26,71 +26,47 @@
 - name: Hybrid deployments
 items:
 - name: Cloud Kerberos trust deployment
- href: hello-hybrid-cloud-kerberos-trust.md
+ items:
+ - name: Overview
+ href: hello-hybrid-cloud-kerberos-trust.md
+ displayName: cloud Kerberos trust
+ - name: Configure and provision Windows Hello for Business
+ href: hello-hybrid-cloud-kerberos-trust-provision.md
+ displayName: cloud Kerberos trust
 - name: Key trust deployment
 items:
 - name: Overview
 href: hello-hybrid-key-trust.md
- - name: Prerequisites
- href: hello-hybrid-key-trust-prereqs.md
- - name: New installation baseline
- href: hello-hybrid-key-new-install.md
- - name: Configure directory synchronization
- href: hello-hybrid-key-trust-dirsync.md
- - name: Configure Azure AD device registration
- href: hello-hybrid-key-trust-devreg.md
- - name: Configure Windows Hello for Business settings
- items:
- - name: Overview
- href: hello-hybrid-key-whfb-settings.md
- - name: Configure Active Directory
- href: hello-hybrid-key-whfb-settings-ad.md
- - name: Configure Azure AD Connect Sync
- href: hello-hybrid-key-whfb-settings-dir-sync.md
- - name: Configure PKI
- href: hello-hybrid-key-whfb-settings-pki.md
- - name: Configure Group Policy settings
- href: hello-hybrid-key-whfb-settings-policy.md
- - name: Sign-in and provision Windows Hello for Business
- href: hello-hybrid-key-whfb-provision.md
- - name: On-premises SSO for Azure AD joined devices
+ displayName: key trust
+ - name: Configure and validate the PKI
+ href: hello-hybrid-key-trust-validate-pki.md
+ displayName: key trust
+ - name: Configure and provision Windows Hello for Business
+ href: hello-hybrid-key-trust-provision.md
+ displayName: key trust
+ - name: Configure SSO for Azure AD joined devices
 href: hello-hybrid-aadj-sso.md
- - name: Configure Azure AD joined devices for on-premises SSO
- href: hello-hybrid-aadj-sso-base.md
+ displayName: key trust
 - name: Certificate trust deployment
 items:
 - name: Overview
 href: hello-hybrid-cert-trust.md
- - 
name: Prerequisites
- href: hello-hybrid-cert-trust-prereqs.md
- - name: New installation baseline
- href: hello-hybrid-cert-new-install.md
- - name: Configure Azure AD device registration
- href: hello-hybrid-cert-trust-devreg.md
- - name: Configure Windows Hello for Business settings
- items:
- - name: Overview
- href: hello-hybrid-cert-whfb-settings.md
- - name: Configure Active Directory
- href: hello-hybrid-cert-whfb-settings-ad.md
- - name: Configure Azure AD Connect Sync
- href: hello-hybrid-cert-whfb-settings-dir-sync.md
- - name: Configure PKI
- href: hello-hybrid-cert-whfb-settings-pki.md
- - name: Configure AD FS
- href: hello-hybrid-cert-whfb-settings-adfs.md
- - name: Configure Group Policy settings
- href: hello-hybrid-cert-whfb-settings-policy.md
- - name: Sign-in and provision Windows Hello for Business
+ displayName: certificate trust
+ - name: Configure and validate the PKI
+ href: hello-hybrid-cert-trust-validate-pki.md
+ displayName: certificate trust
+ - name: Configure AD FS
+ href: hello-hybrid-cert-whfb-settings-adfs.md
+ displayName: certificate trust
+ - name: Configure and provision Windows Hello for Business
 href: hello-hybrid-cert-whfb-provision.md
- - name: On-premises SSO for Azure AD joined devices
+ displayName: certificate trust
+ - name: Configure SSO for Azure AD joined devices
 href: hello-hybrid-aadj-sso.md
- - name: Configure Azure AD joined devices for on-premises SSO
- href: hello-hybrid-aadj-sso-base.md
- - name: Using certificates for on-premises SSO
+ displayName: certificate trust
+ - name: Deploy certificates to Azure AD joined devices
 href: hello-hybrid-aadj-sso-cert.md
- - name: Planning for Domain Controller load
- href: hello-adequate-domain-controllers.md
+ displayName: certificate trust
 - name: On-premises deployments
 items:
 - name: Key trust deployment
@@ -99,7 +75,7 @@
 href: hello-deployment-key-trust.md
 - name: Validate Active Directory prerequisites
 href: hello-key-trust-validate-ad-prereq.md
- - name: Configure and validate Public Key Infrastructure (PKI)
+ - name: Configure and validate the PKI
 href: hello-key-trust-validate-pki.md
 - name: Prepare and deploy Active Directory Federation Services (AD FS)
 href: hello-key-trust-adfs.md
@@ -121,8 +97,8 @@
 href: hello-cert-trust-validate-deploy-mfa.md
 - name: Configure Windows Hello for Business policy settings
 href: hello-cert-trust-policy-settings.md
- - name: Planning for Domain Controller load
- href: hello-adequate-domain-controllers.md
+ - name: Planning for Domain Controller load
+ href: hello-adequate-domain-controllers.md
 - name: Deploy certificates for remote desktop (RDP) sign-in
 href: hello-deployment-rdp-certs.md
 - name: How-to Guides
@@ -131,10 +107,10 @@
 href: hello-prepare-people-to-use.md
 - name: Manage Windows Hello for Business in your organization
 href: hello-manage-in-organization.md
+ - name: Windows Hello and password changes
+ href: hello-and-password-changes.md
 - name: Windows Hello for Business features
 items:
- - name: Conditional access
- href: hello-feature-conditional-access.md
 - name: PIN Reset
 href: hello-feature-pin-reset.md
 - name: Dual Enrollment
@@ -151,10 +127,6 @@
 href: hello-deployment-issues.md
 - name: Errors during PIN creation
 href: hello-errors-during-pin-creation.md
- - name: Event ID 300 - Windows Hello successfully created
- href: hello-event-300.md
- - name: Windows Hello and password changes
- href: hello-and-password-changes.md
 - name: Reference
 items:
 - name: How Windows Hello for Business provisioning works
diff --git a/windows/security/identity-protection/images/application-guard-and-system-guard.png b/windows/security/identity-protection/images/application-guard-and-system-guard.png
deleted file mode 100644
index b4b883db90..0000000000
Binary files a/windows/security/identity-protection/images/application-guard-and-system-guard.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/remote-credential-guard.png b/windows/security/identity-protection/images/remote-credential-guard.png
deleted file mode 100644
index d8e3598dc9..0000000000
Binary files a/windows/security/identity-protection/images/remote-credential-guard.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/traditional-windows-software-stack.png b/windows/security/identity-protection/images/traditional-windows-software-stack.png
deleted file mode 100644
index 0da610c368..0000000000
Binary files a/windows/security/identity-protection/images/traditional-windows-software-stack.png and /dev/null differ
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index c42735cfe2..dc71f52903 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -16,7 +16,9 @@ ms.technology: itpro-security
 # Identity and access management
-Learn more about identity and access management technologies in Windows 10 and Windows 11.
+Learn more about identity and access management technologies in Windows.
+
+[!INCLUDE [virtual-smart-card-deprecation-notice](../includes/virtual-smart-card-deprecation-notice.md)]
 | Section | Description |
 |-|-|
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index e094da893b..63c2e03d67 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -7,6 +7,7 @@ ms.author: paoloma
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier2
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 01/12/2018
@@ -51,12 +52,12 @@ Use the following table to compare different Remote Desktop connection security | Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode | |--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server | +| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server | | **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

                                For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). | | **Helps prevent**                    |      N/A          |
                                • Pass-the-Hash
                                • Use of a credential after disconnection
                                |
                                • Pass-the-Hash
                                • Use of domain identity during connection
                                | | **Credentials supported from the remote desktop client device** |
                                • Signed on credentials
                                • Supplied credentials
                                • Saved credentials
                                |
                                • Signed on credentials only |
                                  • Signed on credentials
                                  • Supplied credentials
                                  • Saved credentials
                                  | | **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. | -| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host’s identity**. | +| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host's identity**. | | **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account | | **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol | 
@@ -71,7 +72,7 @@ and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/c
 ## Remote Desktop connections and helpdesk support scenarios
-For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user’s resources for a limited time (a few hours) after the session disconnects.
+For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects.
 Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf).
@@ -90,7 +91,7 @@ The Remote Desktop client device:
 - Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine.
-- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host.
+- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host.
 - Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
@@ -100,7 +101,7 @@ The Remote Desktop remote host:
 - Must be running at least Windows 10, version 1607 or Windows Server 2016.
 - Must allow Restricted Admin connections.
-- Must allow the client’s domain user to access Remote Desktop connections.
+- Must allow the client's domain user to access Remote Desktop connections.
 - Must allow delegation of non-exportable credentials.
 There are no hardware requirements for Windows Defender Remote Credential Guard.
@@ -128,7 +129,7 @@ You must enable Restricted Admin or Windows Defender Remote Credential Guard on
 - Add a new DWORD value named **DisableRestrictedAdmin**.
- - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard.
+ - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0.
 3. Close Registry Editor.
@@ -156,6 +157,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C > [!NOTE] > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. + > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard. - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic. @@ -181,7 +183,7 @@ mstsc.exe /remoteGuard ## Considerations when using Windows Defender Remote Credential Guard -- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you’re trying to access a file server from a remote host that requires a device claim, access will be denied. +- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied. - Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory. @@ -189,4 +191,4 @@ mstsc.exe /remoteGuard - No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own. -- The server and client must authenticate using Kerberos. \ No newline at end of file +- The server and client must authenticate using Kerberos. 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index dfcc5f5c94..4d2926242d 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -66,7 +66,7 @@ When a smart card is inserted, the following steps are performed. Although versions of Windows earlier than Windows Vista include support for smart cards, the types of certificates that smart cards can contain are limited. The limitations are: -- Each certificate must have a user principal name (UPN) and the smart card sign-in object identifier (also known as OID) in the enhanced key usage (EKU) attribute field. There is a Group Policy setting, Allow ECC certificates to be used for logon and authentication, to make the EKU optional. +- Each certificate must have a user principal name (UPN) and the smart card sign-in object identifier (also known as OID) in the extended key usage (EKU) attribute field. There is a Group Policy setting, Allow ECC certificates to be used for logon and authentication, to make the EKU optional. - Each certificate must be stored in the AT\_KEYEXCHANGE portion of the default CryptoAPI container, and non-default CryptoAPI containers are not supported. @@ -190,7 +190,7 @@ The smart card certificate has specific format requirements when it is used with | CRL distribution point location | Not required | The location must be specified, online, and available, for example:
                                  \[1\]CRL Distribution Point
                                  Distribution Point Name:
                                  Full Name:
                                  URL=`` | | Key usage | Digital signature | Digital signature | | Basic constraints | Not required | \[Subject Type=End Entity, Path Length Constraint=None\] (Optional) | -| Enhanced key usage (EKU) | The smart card sign-in object identifier is not required.

                                  **Note**  If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | - Client Authentication (1.3.6.1.5.5.7.3.2)
                                  The client authentication object identifier is required only if a certificate is used for SSL authentication.

                                  - Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2) | +| extended key usage (EKU) | The smart card sign-in object identifier is not required.

                                  **Note**  If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | - Client Authentication (1.3.6.1.5.5.7.3.2)
                                  The client authentication object identifier is required only if a certificate is used for SSL authentication.

                                  - Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2) | | Subject alternative name | E-mail ID is not required for smart card sign-in. | Other Name: Principal Name=(UPN), for example:
                                  UPN=user1@contoso.com
                                  The UPN OtherName object identifier is 1.3.6.1.4.1.311.20.2.3.
                                  The UPN OtherName value must be an ASN1-encoded UTF8 string. | | Subject | Not required | Distinguished name of user. This field is a mandatory extension, but the population of this field is optional. | | Key exchange (AT\_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.) | Not required | diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index 3c1b301625..10b6bda518 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -8,6 +8,7 @@ ms.reviewer: ardenw manager: aaroncz ms.collection: - highpri + - tier2 ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index a14fa3345b..26f06f48c2 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md 
@@ -93,10 +93,10 @@ The following table lists the default values for these GPO settings. Variations ### Allow certificates with no extended key usage certificate attribute -You can use this policy setting to allow certificates without an enhanced key usage (EKU) set to be used for sign-in. +You can use this policy setting to allow certificates without an extended key usage (EKU) set to be used for sign-in. > [!NOTE] -> Enhanced key usage certificate attribute is also known as extended key usage. +> extended key usage certificate attribute is also known as extended key usage. > > In versions of Windows before Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md index 9ba3ee5da6..d5912c3e8d 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md @@ -1,20 +1,12 @@ --- title: Smart Card Technical Reference (Windows) description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma ms.reviewer: ardenw -manager: aaroncz ms.topic: article -ms.localizationpriority: medium ms.date: 09/24/2021 -appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later ms.technology: itpro-security --- 
@@ -44,7 +36,9 @@ Smart cards provide: Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. -**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. For information about virtual smart card technology, see [Virtual Smart Card Overview](../virtual-smart-cards/virtual-smart-card-overview.md). +**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. + +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] ## In this technical reference diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index a968914652..8037f68045 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -3,6 +3,7 @@ title: How User Account Control works (Windows) description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. ms.collection: - highpri + - tier2 ms.topic: article ms.localizationpriority: medium ms.date: 09/23/2021 
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index f3c8c14d4e..979a7ae1f1 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -3,6 +3,7 @@ title: User Account Control Group Policy and registry key settings (Windows) description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. ms.collection: - highpri + - tier2 ms.topic: article ms.date: 04/19/2017 appliesto: diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index 35851d61af..93502be3e3 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md @@ -3,6 +3,7 @@ title: User Account Control (Windows) description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. ms.collection: - highpri + - tier2 ms.topic: article ms.date: 09/24/2011 appliesto: diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index a29f378683..63ac28b3e9 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md 
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md 
@@ -1,30 +1,24 @@ --- -title: Deploy Virtual Smart Cards (Windows 10) -description: This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 -appliesto: - - ✅ Windows 10 - - ✅ Windows Server 2016 -ms.technology: itpro-security +title: Deploy Virtual Smart Cards +description: Learn about what to consider when deploying a virtual smart card authentication solution +ms.topic: conceptual +ms.date: 02/22/2023 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Deploy Virtual Smart Cards -Applies To: Windows 10, Windows Server 2016 +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] -This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution. +This article discusses the factors to consider when you deploy a virtual smart card authentication solution. Traditional identity devices, such as physical smart cards, follow a predictable lifecycle in any deployment, as shown in the following diagram. ![Diagram of physical smart card lifecycle.](images/vsc-physical-smart-card-lifecycle.png) -Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. 
For example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally, you’ll retire devices when they exceed their intended lifetime or when employees leave the company. +A device manufacturer creates physical devices, and then an organization purchase and deploy them. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the *administrator key*, *Personal Identification Number (PIN)*, *PIN Unlock Key (PUK)*, and its physical appearance. During the device provisioning phase, the required certificates are installed, such as a sign-in certificate. After you provision the device, it's ready for use. You'll maintain the device, for example you may replace cards when they're lost or stolen, or reset PINs when users forget them. Finally, you'll retire devices when they exceed their intended lifetime or when employees leave the company. This topic contains information about the following phases in a virtual smart card lifecycle: 
@@ -44,94 +38,90 @@ The TPM Provisioning Wizard, which is launched from the **TPM Management Console When you create virtual smart cards, consider the following actions in the TPM: -- **Enable and Activate**: TPMs are built in to many industry ready computers, but they often are not enabled and activated by default. In some cases, the TPM must be enabled and activated through the BIOS. For more information, see Initialize and Configure Ownership of the TPM. +- **Enable and Activate**: TPMs are built into many devices. In some cases, the TPM must be enabled and activated through the BIOS +- **Take ownership**: When you provision the TPM, you set an owner password for managing the TPM in the future, and you establish the *storage root key*. To provide anti-hammering protection for virtual smart cards, the user or a domain administrator must be able to reset the TPM owner password. For corporate use of TPM virtual smart cards, the domain administrator should restrict access to the TPM owner password by storing it in Active Directory, and not in the local registry. When TPM ownership is set, you must clear and reinitialize the TPM +- **Manage**: You can manage ownership of a virtual smart card by changing the owner password, and you can manage anti-hammering logic by resetting the lockout time -- **Take ownership**: When you provision the TPM, you set an owner password for managing the TPM in the future, and you establish the storage root key. To provide anti-hammering protection for virtual smart cards, the user or a domain administrator must be able to reset the TPM owner password. - For corporate use of TPM virtual smart cards, we recommend that the corporate domain administrator restrict access to the TPM owner password by storing it in Active Directory, not in the local registry. When TPM ownership is set in Windows Vista, the TPM needs to be cleared and reinitialized. For more information, see Trusted Platform Module Technology Overview. 
- -- **Manage**: You can manage ownership of a virtual smart card by changing the owner password, and you can manage anti-hammering logic by resetting the lockout time. For more information, see Manage TPM Lockout. - -A TPM might operate in reduced functionality mode. This could occur, for example, if the operating system cannot determine if the owner password is available to the user. In those cases, the TPM can be used to create a virtual smart card, but it is strongly recommended to bring the TPM to a fully ready state so that any unexpected circumstances will not leave the user blocked from using the computer. +A TPM might operate in reduced functionality mode, which may occur if the operating system can't determine if the owner password is available to the user. During reduce functionality mode, you can use the TPM to create a virtual smart card, but it's preferable to bring the TPM to a fully ready state so that any unexpected circumstances won't leave the user blocked from using the device. Those smart card deployment management tools that require a status check of a TPM before attempting to create a TPM virtual smart card can do so using the TPM WMI interface. -Depending on the setup of the computer that is designated for installing TPM virtual smart cards, it might be necessary to provision the TPM before continuing with the virtual smart card deployment. For more information about provisioning, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md). +Depending on the setup of the device designated for installing TPM virtual smart cards, it may be necessary to provision the TPM before continuing with the virtual smart card deployment. For more information about provisioning, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md). For more information about managing TPMs by using built-in tools, see Trusted Platform Module Services Group Policy Settings. 
### Creation -A TPM virtual smart card simulates a physical smart card, and it uses the TPM to provide the same functionality as physical smart card hardware. A virtual smart card appears within the operating system as a physical smart card that is always inserted. Supported versions of the Windows operating system present a virtual smart card reader and virtual smart card to applications with the same interface as physical smart cards, but messages to and from the virtual smart card are translated to TPM commands. This process ensures the integrity of the virtual smart card through the three properties of smart card security: +A TPM virtual smart card simulates a physical smart card, using the TPM to provide the same functionality as physical smart card hardware.\ +A virtual smart card appears within the operating system as a physical smart card that is always inserted. Windows presents a *virtual smart card reader* and a *virtual smart card* to applications using the same interface as physical smart cards. The messages to and from the virtual smart card are translated to TPM commands, ensuring the integrity of the virtual smart card through the three properties of smart card security: -- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it cannot be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user cannot reverse engineer an identical TPM or install the same TPM on a different computer. +- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer. 
For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). -- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. +- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, which is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. -- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout. - For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). +- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for some time instead of blocking the card. This is also known as lockout. + For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). -There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using Tpmvscmgr.exe to create cards individually on users’ computers. 
Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee’s possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer. +There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using `tpmvscmgr.exe` to create cards individually on users' computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee's possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer. For information about the TPM Virtual Smart Card command-line tool, see [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md). ### Personalization -During virtual smart card personalization, the values for the administrator key, PIN, and PUK are assigned. As with a physical card, knowing the administrator key is important for resetting the PIN or for deleting the card in the future. (If a PUK is set, the administrator key can no longer be used to reset the PIN.) +During virtual smart card personalization, the values for the administrator key, PIN, and PUK are assigned. 
As with a physical card, knowing the administrator key is important for resetting the PIN or for deleting the card in the future. (If you set a PUK, you can't use the administrator key to reset the PIN.) -Because the administrator key is critical to the security of the card, it is important to consider the deployment environment and decide on the proper administrator key setting strategy. Options for these strategies include: +Because the administrator key is critical to the security of the card, it's important to consider the deployment environment and decide on the proper administrator key setting strategy. Options for these strategies include: -- **Uniform**: Administrator keys for all the virtual smart cards that are deployed in the organization are the same. Although this makes the maintenance infrastructure easy (only one key needs to be stored), it is highly insecure. This strategy might be sufficient for very small organizations, but if the administrator key is compromised, all virtual smart cards that use this key must be reissued. +- **Uniform**: Administrator keys for all the virtual smart cards deployed in the organization are the same. Although using the same key makes the maintenance infrastructure easy (only one key needs to be stored), it's highly insecure. This strategy might be sufficient for small organizations, but if the administrator key is compromised, all virtual smart cards that use the key must be reissued. -- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they are not recorded. This is a valid option if the deployment administrators do not require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This could also be a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary. 
+- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they aren't recorded. This is a valid option if the deployment administrators don't require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This is a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary. -- **Random, stored**: Administrator keys are assigned randomly and stored in a central location. Each card’s security is independent of the others. This is secure on a large scale unless the administrator key database is compromised. +- **Random, stored**: you assign the administrator keys randomly, storing them in a central location. Each card's security is independent of the others. This is a secure strategy on a large scale, unless the administrator key database is compromised. -- **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it does not need to be stored. The security of this method relies on the security of the secret used. +- **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it doesn't need to be stored. The security of this method relies on the security of the secret used. -Although the PUK and the administrator key methodologies provide unlocking and resetting functionality, they do so in different ways. The PUK is a PIN that is simply entered on the computer to enable a user PIN reset. 
+Although the PUK and the administrator key methodologies provide unlocking and resetting functionality, they do so in different ways. The PUK is a PIN that is entered on the computer to enable a user PIN reset. -The administrator key methodology takes a challenge-response approach. The card provides a set of random data after users verify their identity to the deployment administrator. The administrator then encrypts the data with the administrator key and gives the encrypted data back to the user. If the encrypted data matches that produced by the card during verification, the card will allow PIN reset. Because the administrator key is never accessible by anyone other than the deployment administrator, it cannot be intercepted or recorded by any other party (including employees). This provides significant security benefits beyond using a PUK, an important consideration during the personalization process. +The administrator key methodology takes a challenge-response approach. The card provides a set of random data after users verify their identity to the deployment administrator. The administrator then encrypts the data with the administrator key and gives the encrypted data back to the user. If the encrypted data matches that produced by the card during verification, the card will allow PIN reset. Because the administrator key is never accessible by anyone other than the deployment administrator, it can't be intercepted or recorded by any other party (including employees). This provides significant security benefits beyond using a PUK, an important consideration during the personalization process. -TPM virtual smart cards can be personalized on an individual basis when they are created with the Tpmvscmgr command-line tool. Or organizations can purchase a management solution that can incorporate personalization into an automated routine. An additional advantage of such a solution is the automated creation of administrator keys. 
Tpmvscmgr.exe allows users to create their own administrator keys, which can be detrimental to the security of the virtual smart cards. +TPM virtual smart cards can be personalized on an individual basis when they're created with the Tpmvscmgr command-line tool. Or organizations can purchase a management solution that can incorporate personalization into an automated routine. Another advantage of such a solution is the automated creation of administrator keys. Tpmvscmgr.exe allows users to create their own administrator keys, which can be detrimental to the security of the virtual smart cards. ## Provision virtual smart cards -Provisioning is the process of loading specific credentials onto a TPM virtual smart card. These credentials consist of certificates that are created to give users access to a specific service, such as domain sign in. A maximum of 30 certificates is allowed on each virtual smart card. As with physical smart cards, several decisions must be made regarding the provisioning strategy, based on the environment of the deployment and the desired level of security. +Provisioning is the process of loading specific credentials onto a TPM virtual smart card. These credentials consist of certificates that are created to give users access to a specific service, such as domain sign-in. A maximum of 30 certificates is allowed on each virtual smart card. As with physical smart cards, several decisions must be made regarding the provisioning strategy, based on the environment of the deployment and the desired level of security. -A high-assurance level of secure provisioning requires absolute certainty about the identity of the individual who is receiving the certificate. Therefore, one method of high-assurance provisioning is utilizing previously provisioned strong credentials, such as a physical smart card, to validate identity during provisioning. 
In-person proofing at enrollment stations is another option, because an individual can easily and securely prove his or her identity with a passport or driver’s license, although this can become infeasible on a larger scale. To achieve a similar level of assurance, a large organization can implement an “enroll-on-behalf-of” strategy, in which employees are enrolled with their credentials by a superior who can personally verify their identities. This creates a chain of trust that ensures individuals are checked in person against their proposed identities, but without the administrative strain of provisioning all virtual smart cards from a single central enrollment station. +A high-assurance level of secure provisioning requires absolute certainty about the identity of the individual who is receiving the certificate. Therefore, one method of high-assurance provisioning is utilizing previously provisioned strong credentials, such as a physical smart card, to validate identity during provisioning. In-person proofing at enrollment stations is another option, because an individual can easily and securely prove his or her identity with a passport or driver's license, although this can become infeasible on a larger scale. To achieve a similar level of assurance, a large organization can implement an "enroll-on-behalf-of" strategy, in which employees are enrolled with their credentials by a superior who can personally verify their identities. This creates a chain of trust that ensures individuals are checked in person against their proposed identities, but without the administrative strain of provisioning all virtual smart cards from a single central enrollment station. -For deployments in which a high-assurance level is not a primary concern, you can use self-service solutions. These can include using an online portal to obtain credentials or simply enrolling for certificates by using Certificate Manager, depending on the deployment. 
Consider that virtual smart card authentication is only as strong as the method of provisioning. For example, if weak domain credentials (such as a password alone) are used to request the authentication certificate, virtual smart card authentication will be equivalent to using only the password, and the benefits of two-factor authentication are lost. +For deployments in which a high-assurance level isn't a primary concern, you can use self-service solutions. These can include using an online portal to obtain credentials or simply enrolling for certificates by using Certificate Manager, depending on the deployment. Consider that virtual smart card authentication is only as strong as the method of provisioning. For example, if weak domain credentials (such as a password alone) are used to request the authentication certificate, virtual smart card authentication will be equivalent to using only the password, and the benefits of two-factor authentication are lost. For information about using Certificate Manager to configure virtual smart cards, see [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md). -High-assurance and self-service solutions approach virtual smart card provisioning by assuming that the user’s computer has been issued prior to the virtual smart card deployment, but this is not always the case. If virtual smart cards are being deployed with new computers, they can be created, personalized, and provisioned on the computer before the user has contact with that computer. +High-assurance and self-service solutions approach virtual smart card provisioning by assuming that the user's computer has been issued prior to the virtual smart card deployment, but this isn't always the case. If virtual smart cards are being deployed with new computers, they can be created, personalized, and provisioned on the computer before the user has contact with that computer. 
In this situation, provisioning becomes relatively simple, but identity checks must be put in place to ensure that the recipient of the computer is the individual who was expected during provisioning. This can be accomplished by requiring the employee to set the initial PIN under the supervision of the deployment administrator or manager. -When you are provisioning your computers, you should also consider the longevity of credentials that are supplied for virtual smart cards. This choice must be based on the risk threshold of the organization. Although longer lived credentials are more convenient, they are also more likely to become compromised during their lifetime. To decide on the appropriate lifetime for credentials, the deployment strategy must take into account the vulnerability of their cryptography (how long it could take to crack the credentials), and the likelihood of attack. +When you're provisioning your computers, you should also consider the longevity of credentials that are supplied for virtual smart cards. This choice must be based on the risk threshold of the organization. Although longer lived credentials are more convenient, they're also more likely to become compromised during their lifetime. To decide on the appropriate lifetime for credentials, the deployment strategy must take into account the vulnerability of their cryptography (how long it could take to crack the credentials), and the likelihood of attack. -If a virtual smart card is compromised, administrators should be able to revoke the associated credentials, like they would with a lost or stolen laptop. This requires a record of which credentials match which user and computer, which is functionality that does not exist natively in Windows. Deployment administrators might want to consider add-on solutions to maintain such a record. +For compromised virtual smart cards, administrators should be able to revoke the associated credentials, like they would with a lost or stolen laptop. 
Revoking credentials requires a record of which credentials match which user and device, but the functionality doesn't natively exist in Windows. Deployment administrators might want to consider add-on solutions to maintain a record. ### Virtual smart cards on consumer devices used for corporate access -There are techniques that allow employees to provision virtual smart cards and enroll for certificates that can be used to authenticate the users. This is useful when employees attempt to access corporate resources from devices that are not joined to the corporate domain. Those devices can be further defined to not allow users to download and run applications from sources other than the Windows Store (for example, devices running Windows RT). +There are techniques that allow employees to provision virtual smart cards and enroll for certificates that can be used to authenticate the users. This is useful when employees attempt to access corporate resources from devices that aren't joined to the corporate domain. Those devices can be further defined to not allow users to download and run applications from sources other than the Microsoft Store. -You can use APIs that were introduced in Windows Server 2012 R2 and Windows 8.1 to build Windows Store apps that you can use to manage the full lifecycle of virtual smart cards. For more information, see [Create and delete virtual smart cards programmatically](virtual-smart-card-use-virtual-smart-cards.md#create-and-delete-virtual-smart-cards-programmatically). +You can use APIs to build Microsoft Store apps that you can use to manage the full lifecycle of virtual smart cards. For more information, see [Create and delete virtual smart cards programmatically](virtual-smart-card-use-virtual-smart-cards.md#create-and-delete-virtual-smart-cards-programmatically). #### TPM ownerAuth in the registry -When a device or computer is not joined to a domain, the TPM ownerAuth is stored in the registry under HKEY\_LOCAL\_MACHINE. 
This exposes some threats. Most of the threat vectors are protected by BitLocker, but threats that are not protected include: +When a device or computer isn't joined to a domain, the TPM ownerAuth is stored in the registry under HKEY\_LOCAL\_MACHINE. This exposes some threats. Most of the threat vectors are protected by BitLocker, but threats that aren't protected include: - A malicious user possesses a device that has an active local sign-in session before the device locks. The malicious user could attempt a brute-force attack on the virtual smart card PIN, and then access the corporate secrets. - A malicious user possesses a device that has an active virtual private network (VPN) session. The device is then compromised. -The proposed mitigation for the previous scenarios is to use Exchange ActiveSync (EAS) policies to reduce the automatic lockout time from five minutes to 30 seconds of inactivity. Policies for automatic lockout can be set while provisioning virtual smart cards. If an organization wants more security, they can also configure a setting to remove the ownerAuth from the local device. +The proposed mitigation for the previous scenarios is to use Exchange ActiveSync (EAS) policies to reduce the automatic lockout time from five minutes to 30 seconds of inactivity. You can set policies for automatic lockout while provisioning virtual smart cards. If an organization wants more security, they can also configure a setting to remove the ownerAuth from the local device. -For configuration information about the TPM ownerAuth registry key, see the Group Policy setting Configure the level of TPM owner authorization information available to the operating system. - - +For configuration information about the TPM ownerAuth registry key, see the Group Policy setting **Configure the level of TPM owner authorization information** available to the operating system. 
For information about EAS policies, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). @@ -139,12 +129,10 @@ For information about EAS policies, see [Exchange ActiveSync Policy Engine Overv The following table describes the important differences between managed and unmanaged virtual smart cards that exist on consumer devices: - - -| Operation | [Managed and unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#managed-and-unmanaged-cards) | [Unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#unmanaged-cards) | -|-----------------------------------------|--------------|----| -| Reset PIN when the user forgets the PIN | Yes | No, the card has to be deleted and created again. | -| Allow user to change the PIN | Yes | No, the card has to be deleted and created again. | +| Operation | [Managed and unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#managed-and-unmanaged-cards) | [Unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#unmanaged-cards) | +|---|---|---| +| Reset PIN when the user forgets the PIN | Yes | No. Delete and recreate the card. | +| Allow user to change the PIN | Yes | No. Delete and recreate the card. | ## Managed cards 
@@ -152,7 +140,7 @@ A managed virtual smart card can be serviced by the IT administrator or another ### Managed card creation -A user can create blank virtual smart card by using the Tpmvscmgr command-line tool, which is a built-in tool that is run with administrative credentials through an elevated command prompt. This virtual smart card needs to be created with well-known parameters (such as default values), and it should be left unformatted (specifically, the **/generate** option should not be specified). +A user can create blank virtual smart card by using the *Tpmvscmgr* command-line tool, which is a built-in tool executed with administrative credentials through an elevated command prompt. The virtual smart card must be created with well-known parameters (such as default values), and it should be left unformatted (specifically, the **/generate** option shouldn't be specified). The following command creates a virtual smart card that can later be managed by a smart card management tool launched from another computer (as explained in the next section): 
@@ -162,7 +150,7 @@ Alternatively, instead of using a default administrator key, a user can enter an `tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey PROMPT /PIN PROMPT` -In either case, the card management system needs to be aware of the initial administrator key that is used so that it can take ownership of the virtual smart card and change the administrator key to a value that is only accessible through the card management tool operated by the IT administrator. For example, when the default value is used, the administrator key is set to: +In either case, the card management system needs to be aware of the initial administrator key. The requirement is so that the card management system can take ownership of the virtual smart card and change the administrator key to a value that is only accessible through the card management tool operated by the IT administrator. For example, when you use the default, the administrator key is set to: `10203040506070801020304050607080102030405060708` 
@@ -180,7 +168,7 @@ Similar to physical smart cards, virtual smart cards require certificate enrollm #### Certificate issuance -Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card does not need to be installed on the client computer if it is installed on the remote computer. This is made possible by smart card redirection functionality that was introduced in Windows Server 2003, which ensures that smart cards that are connected to the client computer are available for use during a remote session. +Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card doesn't need to be installed on the client computer if it's installed on the remote computer. This is made possible by smart card redirection functionality that was introduced in Windows Server 2003, which ensures that smart cards that are connected to the client computer are available for use during a remote session. Alternatively, without establishing a remote desktop connection, users can enroll for certificates from the Certificate Management console (certmgr.msc) on a client computer. Users can also create a request and submit it to a server from within a custom certificate enrollment application (for example, a registration authority) that has controlled access to the certification authority (CA). 
This requires specific enterprise configuration and deployments for Certificate Enrollment Policies (CEP) and Certificate Enrollment Services (CES). 
@@ -188,11 +176,11 @@ Alternatively, without establishing a remote desktop connection, users can enrol You can renew certificates through remote desktop connections, certificate enrollment policies, or certificate enrollment services. Renewal requirements could be different from the initial issuance requirements, based on the renewal policy. -Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked is not easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate is not available. +Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked isn't easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available. ## Unmanaged cards -Unmanaged virtual smart cards are not serviceable by an IT administrator. Unmanaged cards might be suitable if an organzation does not have an elaborate smart card deployment management tool and using remote desktop connections to manage the card is not desirable. Because unmanaged cards are not serviceable by the IT administrator, when a user needs help with a virtual smart card (for example, resetting or unlocking a PIN), the only option available to the user is to delete the card and create it again. 
This results in loss of the user’s credentials and he or she must re-enroll. +Unmanaged virtual smart cards aren't serviceable by an IT administrator. Unmanaged cards might be suitable if an organization doesn't have an elaborate smart card deployment management tool and using remote desktop connections to manage the card isn't desirable. Because unmanaged cards aren't serviceable by the IT administrator, when a user needs help with a virtual smart card (for example, resetting or unlocking a PIN), the only option available to the user is to delete the card and create it again. This results in loss of the user's credentials and he or she must re-enroll. ### Unmanaged card creation 
@@ -220,9 +208,9 @@ Another option is to have the user access an enrollment portal that is available #### Signing the request with another certificate -You can provide users with a short-term certificate through a Personal Information Exchange (.pfx) file. You can generate the .pfx file by initiating a request from a domain-joined computer. Additional policy constraints can be enforced on the .pfx file to assert the identity of the user. +You can provide users with a short-term certificate through a Personal Information Exchange (.pfx) file. You can generate the .pfx file by initiating a request from a domain-joined computer. You can enforce other policy constraints on the .pfx file to assert the identity of the user. -The user can import the certificate into the **MY** store (which is the user’s certificate store). And your organization can present the user with a script that can be used to sign the request for the short-term certificate and to request a virtual smart card. +The user can import the certificate into the **MY** store (which is the user's certificate store). And your organization can present the user with a script that can be used to sign the request for the short-term certificate and to request a virtual smart card. For deployments that require users to use a physical smart card to sign the certificate request, you can use the procedure: 
@@ -234,50 +222,38 @@ For deployments that require users to use a physical smart card to sign the cert #### Using one-time password for enrollment -Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools. +Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued, is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools. #### Certificate lifecycle management Certificate renewal can be done from the same tools that are used for the initial certificate enrollment. Certificate enrollment policies and certificate enrollment services can also be used to perform automatic renewal. -Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked is not easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate is not available. +Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. 
When information about the certificate to be revoked isn't easy to determine, all certificates issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available. ## Maintain virtual smart cards Maintenance is a significant portion of the virtual smart card lifecycle and one of the most important considerations from a management perspective. After virtual smart cards are created, personalized, and provisioned, they can be used for convenient two-factor authentication. Deployment administrators must be aware of several common administrative scenarios, which can be approached by using a purchased virtual smart card solution or on a case-by-case basis with in-house methods. -**Renewal**: Renewing virtual smart card credentials is a regular task that is necessary to preserve the security of a virtual smart card deployment. Renewal is the result of a signed request from a user who specifies the key pair desired for the new credentials. Depending on user’s choice or deployment specification, the user can request credentials with the same key pair as previously used, or choose a newly generated key pair. +**Renewal**: Renewing virtual smart card credentials is a regular task that is necessary to preserve the security of a virtual smart card deployment. Renewal is the result of a signed request from a user who specifies the key pair desired for the new credentials. Depending on user's choice or deployment specification, the user can request credentials with the same key pair as previously used, or choose a newly generated key pair. When renewing with a previously used key, no extra steps are required because a strong certificate with this key was issued during the initial provisioning. 
However, when the user requests a new key pair, you must take the same steps that were used during provisioning to assure the strength of the credentials. Renewal with new keys should occur periodically to counter sophisticated long-term attempts by malicious users to infiltrate the system. When new keys are assigned, you must ensure that the new keys are being used by the expected individuals on the same virtual smart cards. -**Resetting PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user’s identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify. The entire card should be reissued. +**Resetting PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user's identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify. 
The entire card should be reissued. **Lockout reset**: A frequent precursor to resetting a PIN is the necessity of resetting the TPM lockout time because the TPM anti-hammering logic will be engaged with multiple PIN entry failures for a virtual smart card. This is currently device specific. -**Retiring cards**: The final aspect of virtual smart card management is retiring cards when they are no longer needed. When an employee leaves the company, it is desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal. +**Retiring cards**: The final aspect of virtual smart card management is retiring cards when they're no longer needed. When an employee leaves the company, it's desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal. -The card should be reissued if the same computer is used by other employees without reinstalling the operating system. Reusing the former card can allow the former employee to change the PIN after leaving the organization, and then hijack certificates that belong to the new user to obtain unauthorized domain access. However, if the employee takes the virtual smart card-enabled computer, it is only necessary to revoke the certificates that are stored on the virtual smart card. +The card should be reissued if the same computer is used by other employees without reinstalling the operating system. Reusing the former card can allow the former employee to change the PIN after leaving the organization, and then hijack certificates that belong to the new user to obtain unauthorized domain access. However, if the employee takes the virtual smart card-enabled computer, it's only necessary to revoke the certificates that are stored on the virtual smart card. 
### Emergency preparedness #### Card reissuance -The most common scenario in an organization is reissuing virtual smart cards, which can be necessary if the operating system is reinstalled or if the virtual smart card is compromised in some manner. Reissuance is essentially the recreation of the card, which involves establishing a new PIN and administrator key and provisioning a new set of associated certificates. This is an immediate necessity when a card is compromised, for example, if the virtual smart card-protected computer is exposed to an adversary who might have access to the correct PIN. Reissuance is the most secure response to an unknown exposure of a card’s privacy. Additionally, reissuance is necessary after an operating system is reinstalled because the virtual smart card device profile is removed with all other user data when the operating system is reinstalled. +The most common scenario in an organization is reissuing virtual smart cards, which can be necessary if the operating system is reinstalled or if the virtual smart card is compromised in some manner. Reissuance is essentially the recreation of the card, which involves establishing a new PIN and administrator key and provisioning a new set of associated certificates. This is an immediate necessity when a card is compromised, for example, if the virtual smart card-protected computer is exposed to an adversary who might have access to the correct PIN. Reissuance is the most secure response to an unknown exposure of a card's privacy. Additionally, reissuance is necessary after an operating system is reinstalled because the virtual smart card device profile is removed with all other user data when the operating system is reinstalled. #### Blocked virtual smart card -The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. 
A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card and change the PIN. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire. +The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card and change the PIN. Unlocking the virtual smart card doesn't reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire. For more information about setting the Allow Integrated Unblock policy, see [Allow Integrated Unblock screen to be displayed at the time of logon](../smart-cards/smart-card-group-policy-and-registry-settings.md#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon). 
- -## See also - -[Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md) - -[Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md) - -[Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) - -[Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md) - -[Tpmvscmgr](virtual-smart-card-tpmvscmgr.md) \ No newline at end of file diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md index c2913cb244..b2afb7673e 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md 
@@ -1,65 +1,55 @@
 ---
-title: Evaluate Virtual Smart Card Security (Windows 10)
-description: This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+title: Evaluate Virtual Smart Card Security
+description: Learn about the security characteristics and considerations when deploying TPM virtual smart cards.
+ms.topic: conceptual
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
 ---
 # Evaluate Virtual Smart Card Security
-This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
+In this article, you'll learn about security characteristics and considerations when deploying TPM virtual smart cards.
 ## Virtual smart card non-exportability details
-A crucial aspect of TPM virtual smart cards is their ability to securely store and use secret data, specifically that the secured data is non-exportable. Data can be accessed and used within the virtual smart card system, but it is meaningless outside of its intended environment. In TPM virtual smart cards, security is ensured with a secure key hierarchy, which includes several chains of encryption. This originates with the TPM storage root key, which is generated and stored within the TPM and never exposed outside the chip. The TPM key hierarchy is designed to allow encryption of user data with the storage root key, but it authorizes decryption with the user PIN in such a way that changing the PIN doesn’t require re-encryption of the data. 
+A crucial aspect of TPM virtual smart cards is their ability to securely store and use secret data. Specifically, that the secured data is non-exportable.\ +Data can be accessed and used within the virtual smart card system, but it's meaningless outside of its intended environment. In TPM virtual smart cards, security is ensured with a secure key hierarchy, which includes several chains of encryption. The chain originates with the TPM storage root key, which is generated and stored within the TPM and never exposed outside the chip. The TPM key hierarchy is designed to allow encryption of user data with the storage root key, but it authorizes decryption with the user PIN so that changing the PIN doesn't require re-encryption of the data. The following diagram illustrates the secure key hierarchy and the process of accessing the user key. -![Diagram of the process of accessing the user key.](images/vsc-process-of-accessing-user-key.png) +:::image type="content" alt-text="Diagram of the process of accessing the user key." source="images/vsc-process-of-accessing-user-key.png" lightbox="images/vsc-process-of-accessing-user-key.png"::: The following keys are stored on the hard disk: -- User key +- User key +- Smart card key, which is encrypted by the storage root key +- Authorization key for the user key decryption, which is encrypted by the public portion of the smart card key -- Smart card key, which is encrypted by the storage root key +When the user enters a PIN, the use of the decrypted smart card key is authorized with this PIN. If this authorization succeeds, the decrypted smart card key is used to decrypt the auth key. The auth key is then provided to the TPM to authorize the decryption and use of the user's key that is stored on the virtual smart card. -- Authorization key for the user key decryption, which is encrypted by the public portion of the smart card key - -When the user enters a PIN, the use of the decrypted smart card key is authorized with this PIN. 
If this authorization succeeds, the decrypted smart card key is used to decrypt the auth key. The auth key is then provided to the TPM to authorize the decryption and use of the user’s key that is stored on the virtual smart card. - -The auth key is the only sensitive data that is used as plaintext outside the TPM, but its presence in memory is protected by Microsoft Data Protection API (DPAPI), such that before being stored in any way, it is encrypted. All data other than the auth key is processed only as plaintext within the TPM, which is completely isolated from external access. +The auth key is the only sensitive data used as plaintext outside the TPM, but its presence in memory is protected by Microsoft Data Protection API (DPAPI), such that before being stored in any way, it's encrypted. All data other than the auth key is processed only as plaintext within the TPM, which is isolated from external access. ## Virtual smart card anti-hammering details -The anti-hammering functionality of virtual smart cards relies on the anti-hammering functionality of the TPM that is enabling the virtual smart card. However, the TPM version 1.2 and subsequent specifications (as designed by the Trusted Computing Group) provide very flexible guidelines for responding to hammering. The spec requires only that the TPM implement protection against trial-and-error attacks on the user PIN, PUK, and challenge/response mechanism. +The anti-hammering functionality of virtual smart cards relies on the anti-hammering functionality of the TPM that is enabling the virtual smart card. However, the TPM version 1.2 and subsequent specifications (as designed by the Trusted Computing Group) provide flexible guidelines for responding to hammering. The spec requires only that the TPM implement protection against trial-and-error attacks on the user PIN, PUK, and challenge/response mechanism. 
-The Trusted Computing Group also specifies that if the response to attacks involves suspending proper function of the TPM for some period of time or until administrative action is taken, the TPM must prevent running the authorized TPM commands. The TPM can prevent running any TPM commands until the termination of the attack response. Beyond using a time delay or requiring administrative action, a TPM could also force a reboot when an attack is detected. The Trusted Computing Group allows manufacturers a level of creativity in their choice of implementation. Whatever methodology is chosen by TPM manufacturers determines the anti-hammering response of TPM virtual smart cards. Some typical aspects of protection from attacks include: +The Trusted Computing Group specifies that if the response to attacks involves suspending proper function of the TPM for some period of time, or until administrative action is taken, the TPM must prevent running the authorized TPM commands. The TPM can prevent running any TPM commands until the termination of the attack response. Beyond using a time delay or requiring administrative action, a TPM could also force a reboot when an attack is detected. The Trusted Computing Group allows manufacturers a level of creativity in their choice of implementation. The methodology used by TPM manufacturers determines the anti-hammering response of TPM virtual smart cards. Some typical aspects of protection from attacks include: -1. Allow only a limited number of wrong PIN attempts before enabling a lockout that enforces a time delay before any further commands are accepted by the TPM. +1. Allow only a limited number of wrong PIN attempts before enabling a lockout that enforces a time delay before any further commands are accepted by the TPM. 
- > **Note**  Introduced in Windows Server 2012 R2 and Windows 8.1, if the user enters the wrong PIN five consecutive times for a virtual smart card (which works in conjunction with the TPM), the card is blocked. When the card is blocked, it has to be unblocked by using the administrative key or the PUK. + > [!NOTE] + > + > If the user enters the wrong PIN five consecutive times for a virtual smart card (which works in conjunction with the TPM), the card is blocked. When the card is blocked, it must be unblocked by using the administrative key or the PUK. -1. Increase the time delay exponentially as the user enters the wrong PIN so that an excessive number of wrong PIN attempts quickly trigger long delays in accepting commands. +1. Increase the time delay exponentially as the user enters the wrong PIN so that an excessive number of wrong PIN attempts quickly trigger long delays in accepting commands. +1. Have a failure leakage mechanism to allow the TPM to reset the timed delays over a period of time. This is useful in cases where a valid user has entered the wrong PIN occasionally, for example, due to complexity of the PIN. -2. Have a failure leakage mechanism to allow the TPM to reset the timed delays over a period of time. This is useful in cases where a valid user has entered the wrong PIN occasionally, for example, due to complexity of the PIN. +For example, it will take 14 years to guess an eight character PIN for a TPM that implements the following protection: -As an example, it will take 14 years to guess an 8-character PIN for a TPM that implements the following protection: - -1. Number of wrong PINs allowed before entering lockout (threshold): 9 - -2. Time the TPM is in lockout after the threshold is reached: 10 seconds - -3. Timed delay doubles for each wrong PIN after the threshold is reached - -## See also - -[Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md) +1. 
Number of wrong PINs allowed before entering lockout (threshold): 9
+1. Time the TPM is in lockout after the threshold is reached: 10 seconds
+1. Timed delay doubles for each wrong PIN after the threshold is reached
\ No newline at end of file
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
index d29782a291..ab3569f8ab 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
@@ -1,24 +1,20 @@
 ---
 title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10)
 description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+ms.topic: conceptual
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
 ---
 # Get Started with Virtual Smart Cards: Walkthrough Guide
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
 This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
-Virtual smart cards are a technology from Microsoft, which offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering.
+Virtual smart cards are a technology from Microsoft that offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering. 
This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you will have a functional virtual smart card installed on the Windows computer.
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
index 22c293e635..05598bf6ee 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -1,130 +1,66 @@
 ---
-title: Virtual Smart Card Overview (Windows 10)
-description: Learn more about the virtual smart card technology that was developed by Microsoft. Find links to additional topics about virtual smart cards.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
+title: Virtual Smart Card Overview
+description: Learn about virtual smart card technology for Windows.
 ms.topic: conceptual
-ms.localizationpriority: medium
-ms.date: 10/13/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
 ---
 # Virtual Smart Card Overview
-This topic for IT professional provides an overview of the virtual smart card technology that was developed by Microsoft and includes [links to additional topics](#see-also) to help you evaluate, plan, provision, and administer virtual smart cards.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
-**Did you mean…**
-
-- [Smart Cards](../smart-cards/smart-card-windows-smart-card-technical-reference.md)
-
-> [!NOTE]
-> [Windows Hello for Business](../hello-for-business/hello-identity-verification.md) is the modern, two-factor authentication for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date has been set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows 10 deployments use Windows Hello for Business. Virtual smart cards remain supported for Windows 7 and Windows 8.
+This article provides an overview of the virtual smart card technology. 
## Feature description -Virtual smart card technology from Microsoft offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. Virtual smart cards are created in the TPM, where the keys that are used for authentication are stored in cryptographically secured hardware. +Virtual smart card technology offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on devices. Virtual smart cards don't require the use of a separate physical smart card and reader. You create virtual smart cards in the TPM, where the keys used for authentication are stored in cryptographically-secured hardware. By utilizing TPM devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering. ## Practical applications -Virtual smart cards are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. They are easily deployed by using in-house methods or a purchased solution, and they can become a full replacement for other methods of strong authentication in a corporate setting of any scale. +Virtual smart cards are functionally similar to physical smart cards, appearing in Windows as smart cards that are always-inserted. 
Virtual smart cards can be used for authentication to external resources, protection of data by encryption, and integrity through signing. You can deploy virtual smart cards by using in-house methods or a purchased solution, and they can be a replacement for other methods of strong authentication in a corporate setting of any scale. ### Authentication use cases **Two-factor authentication‒based remote access** -After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain strongly authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain. +After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain. -In practice, this is as easy as entering a password to access the system. Technically, it is far more secure. Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request could not have possibly originated from a system other than the system certified by the domain for this user’s access, and the user could not have initiated the request without knowing the PIN, a strong two-factor authentication is established. +In practice, this is as easy as entering a password to access the system. Technically, it's far more secure. 
Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request couldn't have possibly originated from a system other than the system certified by the domain for this user's access, and the user couldn't have initiated the request without knowing the PIN, a strong two-factor authentication is established. **Client authentication** -Virtual smart cards can also be used for client authentication by using Secure Socket Layer (SSL) or a similar technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned for the virtual smart card, provided to a remote service, as requested in the client authentication process. This adheres to the principles of two-factor authentication because the certificate is only accessible from the computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card. +Virtual smart cards can also be used for client authentication by using TLS/SSL or a similar technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned for the virtual smart card, provided to a remote service, as requested in the client authentication process. This adheres to the principles of two-factor authentication because the certificate is only accessible from the computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card. **Virtual smart card redirection for remote desktop connections** -The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the computers that they access domain resources through. 
Therefore, when a user remotely connects to a computer that is hosting virtual smart cards, the virtual smart cards that are located on the remote computer cannot be used during the remote session. However, the virtual smart cards that are stored on the connecting computer (which is under physical control of the user) are loaded onto the remote computer, and they can be used as if they were installed by using the remote computer’s TPM. This extends a user’s privileges to the remote computer, while maintaining the principles of two-factor authentication. - -**Windows To Go and virtual smart cards** - -Virtual smart cards work well with Windows To Go, where a user can boot into a supported version of Windows from a compatible removable storage device. A virtual smart card can be created for the user, and it is tied to the TPM on the physical host computer to which the removable storage device is connected. When the user boots the operating system from a different physical computer, the virtual smart card will not be available. This can be used for scenarios when a single physical computer is shared by many users. Each user can be given a removable storage device for Windows To Go, which has a virtual smart card provisioned for the user. This way, users are only able to access their personal virtual smart card. +The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the devices that they use to access domain. When you connect to a device that is hosting virtual smart cards, you can't use the virtual smart cards located on the remote device during the remote session. However, you can access the virtual smart cards on the connecting device (which is under your physical control), which are loaded onto the remote device. 
You can use the virtual smart cards as if they were installed by using the remote devices' TPM, extending your privileges to the remote device, while maintaining the principles of two-factor authentication. ### Confidentiality use cases **S/MIME email encryption** -Physical smart cards are designed to hold private keys that can be used for email encryption and decryption. This functionality also exists in virtual smart cards. By using S/MIME with a user’s public key to encrypt email, the sender of an email can be assured that only the person with the corresponding private key will be able to decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption. +Physical smart cards are designed to hold private keys. You can use the private keys for email encryption and decryption. The same functionality exists in virtual smart cards. By using S/MIME with a user's public key to encrypt email, the sender of an email is assured that only the person with the corresponding private key can decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption. **BitLocker for data volumes** -sBitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user’s hard drive. This ensures that if the physical ownership of a hard drive is compromised, an adversary will not be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive and possession of the computer that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be very difficult. 
+BitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user's hard drive. BitLocker ensures that if the physical ownership of a hard drive is compromised, an adversary won't be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive, and possession of the device that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be difficult. -BitLocker can also be used to encrypt portable drives, which involves storing keys in virtual smart cards. In this scenario (unlike using BitLocker with a physical smart card), the encrypted drive can be used only when it is connected to the host for the virtual smart card that is used to encrypt the drive, because the BitLocker key is only accessible from this computer. However, this method can be useful to ensure the security of backup drives and personal storage uses outside the main hard drive. +You can use BitLocker to encrypt portable drives, storing keys in virtual smart cards. In this scenario, unlike using BitLocker with a physical smart card, the encrypted drive can be used only when it's connected to device for the virtual smart card that is used to encrypt the drive, because the BitLocker key is only accessible from the device. This method can be useful to ensure the security of backup drives and personal storage uses outside the main hard drive, too. ### Data integrity use case **Signing data** -To verify authorship of data, a user can sign it by using a private key that is stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data. If the key is stored in an operating system that is accessible, a malicious user could access it and use it to modify already signed data or to spoof the key owner’s identity. 
However, if this key is stored in a virtual smart card, it can be used only to sign data on the host computer. It cannot be exported to other systems (intentionally or unintentionally, such as with malware theft). This makes digital signatures far more secure than other methods for private key storage. +To verify authorship of data, a user can sign it by using a private key stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data. -## New and changed functionality as of Windows 8.1 - -Enhancements in Windows 8.1 enabled developers to build Microsoft Store apps to create and manage virtual smart cards. - -The DCOM Interfaces for Trusted Platform Module (TPM) Virtual Smart Card device management protocol provides a Distributed Component Object Model (DCOM) Remote Protocol interface used for creating and destroying virtual smart cards. A virtual smart card is a device that presents a device interface complying with the PC/SC specification for PC-connected interface devices to its host operating system (OS) platform. This protocol does not assume anything about the underlying implementation of virtual smart card devices. In particular, while it is primarily intended for the management of virtual smart cards based on TPMs, it can also be used to manage other types of virtual smart cards. - -**What value does this change add?** - -Starting with Windows 8.1, application developers can build into their apps the following virtual smart card maintenance capabilities to relieve some of your administrative burdens. - -- Create a new virtual smart card or select a virtual smart card from the list of available virtual smart cards on the system. Identify the one that the application is supposed to work with. - -- Personalize the virtual smart card. - -- Change the admin key. - -- Diversify the admin key which allows the user to unblock the PIN in a PIN-blocked scenario. - -- Change the PIN. - -- Reset or Unblock the PIN. 
- -- Destroy the virtual smart card. - -**What works differently?** - -Starting with Windows 8.1, Microsoft Store app developers are able to build apps that have the capability to prompt the user to reset or unblock and change a virtual smart card PIN. This places more responsibility on the user to maintain their virtual smart card but it can also provide a more consistent user experience and administration experience in your organization. - -For more information about developing Microsoft Store apps with these capabilities, see [Trusted Platform Module Virtual Smart Card Management Protocol](/openspecs/windows_protocols/ms-tpmvsc/10bd67d7-4580-4e38-a6e9-ec3be00033b6). - -For more information about managing these capabilities in virtual smart cards, see [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md). +- Storing the key in an operating system that is accessible, malicious users could access it and use it to modify already signed data or to spoof the key owner's identity +- Storing the key in a virtual smart card, means that you can only use it to sign data on the host device. You can't export the key to other systems (intentionally or unintentionally, such as with malware theft), making digital signatures more secure than other methods for private key storage ## Hardware requirements -To use the virtual smart card technology, TPM 1.2 is the minimum required for computers running Windows 10 or Windows Server 2016. 
-
-## Software requirements
-
-To use the virtual smart card technology, computers must be running one of the following operating systems:
-
-- Windows Server 2016
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows 10
-- Windows 8.1
-- Windows 8
-
-## See also
-
-- [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
-- [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
-- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
-- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
-- [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
-- [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
\ No newline at end of file
+To use the virtual smart card technology, TPM 1.2 is the minimum required for devices running a supported operating system.
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
index 521d0afec7..5f39e38b48 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
@@ -1,21 +1,17 @@
 ---
-title: Tpmvscmgr (Windows 10)
-description: This topic for the IT professional describes the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+title: Tpmvscmgr
+description: Learn about the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
+ms.topic: conceptual
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
 ---
 # Tpmvscmgr
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
 The Tpmvscmgr command-line tool allows users with Administrative credentials to create and delete TPM virtual smart cards on a computer. For examples of how this command can be used, see [Examples](#examples).
 ## Syntax
@@ -26,7 +22,7 @@ The Tpmvscmgr command-line tool allows users with Administrative credentials to
 ### Parameters for Create command
-The Create command sets up new virtual smart cards on the user’s system. It returns the instance ID of the newly created card for later reference if deletion is required. The instance ID is in the format ROOT\\SMARTCARDREADER\\000n where n starts from 0 and is increased by 1 each time you create a new virtual smart card.
+The Create command sets up new virtual smart cards on the user's system. It returns the instance ID of the newly created card for later reference if deletion is required. The instance ID is in the format `ROOT\SMARTCARDREADER\000n` where n starts from 0 and is increased by 1 each time you create a new virtual smart card.
 | Parameter | Description |
 |-----------|-------------|
@@ -34,10 +30,10 @@ The Create command sets up new virtual smart cards on the user’s system. It re | /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.
                                  **DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.
                                  **PROMPT**  Prompts the user to enter a value for the administrator key.
                                  **RANDOM**  Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key is set as 48 hexadecimal characters. | | /PIN | Indicates desired user PIN value.
                                  **DEFAULT**  Specifies the default PIN of 12345678.
                                  **PROMPT**  Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. | | /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK.
                                  **DEFAULT**  Specifies the default PUK of 12345678.
                                  **PROMPT**  Prompts the user to enter a PUK at the command line. | -| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Configuration Manager. | +| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it's equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Configuration Manager. | | /machine | Allows you to specify the name of a remote computer on which the virtual smart card can be created. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in creating a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. | | /pinpolicy | If **/pin prompt** is used, **/pinpolicy** allows you to specify the following PIN policy options:
                                  **minlen** <minimum PIN length>
                                     If not specified, defaults to 8. The lower bound is 4.
                                  **maxlen** <maximum PIN length>
                                     If not specified, defaults to 127. The upper bound is 127.
                                  **uppercase**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
                                  **lowercase**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
                                  **digits**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
                                  **specialchars**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**

                                  When using **/pinpolicy**, PIN characters must be printable ASCII characters. | -| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](/openspecs/windows_protocols/ms-dha/a4a71926-3639-4d62-b915-760c2483f489#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:
                                  **AIK_AND_CERT**  Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there is no network connectivity, it is possible that creation of the virtual smart card will fail.
                                  **AIK_ONLY**  Creates an AIK but does not obtain an AIK certificate. | +| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](/openspecs/windows_protocols/ms-dha/a4a71926-3639-4d62-b915-760c2483f489#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:
                                  **AIK_AND_CERT**  Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there's no network connectivity, it's possible that creation of the virtual smart card will fail.
                                  **AIK_ONLY**  Creates an AIK but doesn't obtain an AIK certificate. | | /? | Displays Help for this command. | ### Parameters for Destroy command
@@ -91,8 +87,4 @@ The following command will create a TPM virtual smart card with the default valu ```console tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /PIN PROMPT /pinpolicy minlen 4 maxlen 8 /AdminKey DEFAULT /attestation AIK_AND_CERT /generate -``` - -## Additional references - -- [Virtual Smart Card Overview](virtual-smart-card-overview.md) +```
\ No newline at end of file
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
index 0475663ff5..dfde051a1a 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
@@ -1,22 +1,19 @@ --- -title: Understanding and Evaluating Virtual Smart Cards (Windows 10) -description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards. +title: Understanding and Evaluating Virtual Smart Cards +description: Learn how smart card technology can fit into your authentication design. ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 -appliesto: - - ✅ Windows 10 - - ✅ Windows Server 2016 -ms.technology: itpro-security +ms.topic: conceptual +ms.date: 02/22/2023 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- -# Understanding and Evaluating Virtual Smart Cards +# Understand and Evaluate Virtual Smart Cards -This topic for the IT professional describes the virtual smart card technology that was developed by Microsoft; suggests how it can fit into your authentication design; and provides links to additional resources that you can use to design, deploy, and troubleshoot virtual smart cards. +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] + +This article describes the virtual smart card technology and how it can fit into your authentication design. Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering. 
@@ -30,20 +27,17 @@ This topic contains the following sections: - [Authentication design options](#authentication-design-options): Describes how passwords, smart cards, and virtual smart cards can be used to reach authentication goals in your organization. -- [See also](#see-also): - Links to other topics that can help you design, deploy, and troubleshoot virtual smart cards. - ## Comparing virtual smart cards with physical smart cards Virtual smart cards function much like physical smart cards, but they differ in that they protect private keys by using the TPM of the computer instead of smart card media. A virtual smart card appears to applications as a conventional smart card. Private keys in the virtual smart card are protected, not by isolation of physical memory, but by the cryptographic capabilities of the TPM. All sensitive information is encrypted by using the TPM and then stored on the hard drive in its encrypted form. -All cryptographic operations occur in the secure, isolated environment of the TPM, and the unencrypted private keys are never used outside this environment. So like physical smart cards, virtual smart cards remain secure from any malware on the host. Additionally, if the hard drive is compromised in some way, a malicious user will not be able to access keys that are stored in the virtual smart card because they are securely encrypted by using the TPM. Keys can also be protected by BitLocker Drive Encryption. +All cryptographic operations occur in the secure, isolated environment of the TPM, and the unencrypted private keys are never used outside this environment. So like physical smart cards, virtual smart cards remain secure from any malware on the host. Additionally, if the hard drive is compromised in some way, a malicious user won't be able to access keys that are stored in the virtual smart card because they're securely encrypted by using the TPM. Keys can also be protected by BitLocker Drive Encryption. 
Virtual smart cards maintain the three key properties of physical smart cards: -- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it cannot be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user cannot reverse engineer an identical TPM or install the same TPM on a different computer. +- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer. For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). - **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that are offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. 
@@ -55,7 +49,7 @@ The following subsections compare the functionality, security, and cost of virtu **Functionality** -The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There is no method to export the user’s virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users. +The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There's no method to export the user's virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users. The basic user experience for a virtual smart card is as simple as using a password to access a network. Because the smart card is loaded by default, the user must simply enter the PIN that is tied to the card to gain access. Users are no longer required to carry cards and readers or to take physical action to use the card. 
@@ -65,7 +59,7 @@ Additionally, although the anti-hammering functionality of the virtual smart car Physical smart cards and virtual smart cards offer comparable levels of security. They both implement two-factor authentication for using network resources. However, they differ in certain aspects, including physical security and the practicality of an attack. Due to their compact and portable design, conventional smart cards are most frequently kept close to their intended user. They offer little opportunity for acquisition by a potential adversary, so any sort of interaction with the card is difficult without committing some variety of theft. -TPM virtual smart cards, however, reside on a user’s computer that may frequently be left unattended, which provides an opportunity for a malicious user to hammer the TPM. Although virtual smart cards are fully protected from hammering (as are physical smart cards), this accessibility makes the logistics of an attack somewhat simpler. Additionally, the anti-hammering behavior of a TPM smart card differs in that it only presents a time delay in response to repeated PIN failures, as opposed to fully blocking the user. +TPM virtual smart cards, however, reside on a user's computer that may frequently be left unattended, which provides an opportunity for a malicious user to hammer the TPM. Although virtual smart cards are fully protected from hammering (as are physical smart cards), this accessibility makes the logistics of an attack somewhat simpler. Additionally, the anti-hammering behavior of a TPM smart card differs in that it only presents a time delay in response to repeated PIN failures, as opposed to fully blocking the user. However, there are several advantages provided by virtual smart cards to mitigate these slight security deficits. Most importantly, a virtual smart card is much less likely to be lost. 
Virtual smart cards are integrated into computers and devices that the user already owns for other purposes and has incentive to keep safe. If the computer or device that hosts the virtual smart card is lost or stolen, a user will more immediately notice its loss than the loss of a physical smart card. When a computer or device is identified as lost, the user can notify the administrator of the system, who can revoke the certificate that is associated with the virtual smart card on that device. This precludes any future unauthorized access on that computer or device if the PIN for the virtual smart card is compromised. @@ -73,7 +67,7 @@ However, there are several advantages provided by virtual smart cards to mitigat If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, non-exportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market. -Additionally, the maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently. +The maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently. **Comparison summary** 
@@ -82,16 +76,16 @@ Additionally, the maintenance cost of virtual smart cards is less than that for | Protects private keys by using the built-in cryptographic functionality of the card. | Protects private keys by using the cryptographic functionality of the TPM. | | Stores private keys in isolated non-volatile memory on the card, which means that access to private keys is only from the card, and access is never allowed to the operating system. | Stores encrypted private keys on the hard drive. The encryption ensures that these keys can only be decrypted and used in the TPM, not in the accessible memory of the operating system. | | Guarantees non-exportability through the card manufacturer, which includes isolating private information from operating system access. | Guarantees non-exportability through the TPM manufacturer, which includes the inability of an adversary to replicate or remove the TPM. | -| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user’s computer or device. | +| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user's computer or device. | | Provides anti-hammering through the card. After a certain number of failed PIN entry attempts, the card blocks further access until administrative action is taken. | Provides anti-hammering through the TPM. Successive failed attempts increase the device lockout time (the time the user has to wait before trying again). This can be reset by an administrator. | -| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without additional equipment. 
| +| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without other equipment. | | Enables credential portability by inserting the smart card into smart card readers that are attached to other computers. | Prevents exporting credentials from a given computer or device. However, virtual smart cards can be issued for the same user on multiple computers or devices by using additional certificates. | | Enables multiple users to access network resources through the same computer by inserting their personal smart cards. | Enables multiple users to access network resources through the same computer or device by issuing a virtual smart card for each user on that computer or device. | -| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user’s computer, which may be left unattended and allow a greater risk window for hammering attempts. | +| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user's computer, which may be left unattended and allow a greater risk window for hammering attempts. | | Provides a generally single-purpose device that is carried explicitly for the purpose of authentication. The smart card can be easily misplaced or forgotten. | Installs the virtual smart card on a device that has other purposes for the user, so the user has greater incentive to be responsible for the computer or device. | -| Alerts users that their card is lost or stolen only when they need to sign in and notice it is missing. | Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly. 
This reduces the associated risk window. | +| Alerts users that their card is lost or stolen only when they need to sign in and notice it's missing. | Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly. This reduces the associated risk window. | | Requires companies to invest in smart cards and smart card readers for all employees. | Requires that companies ensure all employees have TPM-enabled computers, which are relatively common. | -| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user’s sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and cannot be removed from the computer. | +| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user's sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and can't be removed from the computer. | ## Authentication design options 
@@ -99,42 +93,30 @@ The following section presents several commonly used options and their respectiv **Passwords** -A password is a secret string of characters that is tied to the identification credentials for a user’s account. This establishes the user’s identity. Although passwords are the most commonly used form of authentication, they are also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users. +A password is a secret string of characters that is tied to the identification credentials for a user's account. This establishes the user's identity. Although passwords are the most commonly used form of authentication, they're also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users. -Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they cannot be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user’s password and impersonate that person’s identity. A user often will not realize that the password is compromised, which makes it is easy for a malicious user to maintain access to a system if a valid password has been obtained. +Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they can't be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. 
Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user's password and impersonate that person's identity. A user often won't realize that the password is compromised, which makes it's easy for a malicious user to maintain access to a system if a valid password has been obtained. **One-time passwords** -A one-time password (OTP) is similar to a traditional password, but it is more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. However, assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor cannot use it for any future transactions. Similarly, if a malicious user obtains a valid user’s OTP, the interceptor will have limited access to the system (only one session). +A one-time password (OTP) is similar to a traditional password, but it's more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. Assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor can't use it for any future transactions. Similarly, if a malicious user obtains a valid user's OTP, the interceptor will have limited access to the system (only one session). 
**Smart cards** Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security: -- **Non-exportability**: Information stored on the card, such as the user’s private keys, cannot be extracted from one device and used in another medium. +- **Non-exportability**: Information stored on the card, such as the user's private keys, can't be extracted from one device and used in another medium +- **Isolated cryptography**: Any cryptographic operations that are related to the card (such as secure encryption and decryption of data) occur in a cryptographic processor on the card, so malicious software on the host computer can't observe the transactions +- **Anti-hammering**: To prevent access to the card by a brute-force attack, a set number of consecutive unsuccessful PIN entry attempts blocks the card until administrative action is taken -- **Isolated cryptography**: Any cryptographic operations that are related to the card (such as secure encryption and decryption of data) occur in a cryptographic processor on the card, so malicious software on the host computer cannot observe the transactions. - -- **Anti-hammering**: To prevent access to the card by a brute-force attack, a set number of consecutive unsuccessful PIN entry attempts blocks the card until administrative action is taken. - -Smart cards provide greatly enhanced security over passwords alone, because it is much more difficult for a malicious user to gain and maintain access to a system. Most importantly, access to a smart card system requires that users have a valid card and that they know the PIN that provides access to that card. It is extremely difficult for a thief to acquire the card and the PIN. 
+Smart cards provide greatly enhanced security over passwords alone, because it's much more difficult for a malicious user to gain and maintain access to a system. Most importantly, access to a smart card system requires that users have a valid card and that they know the PIN that provides access to that card. It's difficult for a thief to acquire the card and the PIN. Additional security is achieved by the singular nature of the card because only one copy of the card exists, only one individual can use the sign-in credentials, and users will quickly notice if the card has been lost or stolen. This greatly reduces the risk window of credential theft when compared to using a password alone. -Unfortunately, this additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and they also can be easily misplaced or stolen. +The additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and users can misplace or lose them. **Virtual smart cards** -To address these issues, virtual smart cards emulate the functionality of traditional smart cards, but instead of requiring the purchase of additional hardware, they utilize technology that users already own and are more likely to have with them at all times. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. However, the virtual smart card platform developed by Microsoft is currently limited to the use of the Trusted Platform Module (TPM) chip, which is installed on most modern computers. +Virtual smart cards emulate the functionality of traditional smart cards. 
Instead of requiring the purchase of additional hardware, virtual smart cards utilize technology that users already own and are more likely to always have with them. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip, which is on most modern devices. -Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards (non-exportability, isolated cryptography, and anti-hammering). They are also less expensive to implement and more convenient for users. Because many corporate computers already have a built-in TPM, there is no cost associated with purchasing new hardware. The user’s possession of a computer or device is equivalent to the possession of a smart card, and a user’s identity cannot be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card. - -## See also - -- [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md) - -- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) - -- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md) - -- [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md) +Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards: non-exportability, isolated cryptography, and anti-hammering. Virtual smart cards are less expensive to implement and more convenient for users. Since many corporate computers already have a built-in TPM, there's no cost associated with purchasing new hardware. 
The user's possession of a computer or device is equivalent to the possession of a smart card, and a user's identity can't be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card.
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index beb70ccddd..eb4d234c61 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -1,22 +1,18 @@
---
-title: Use Virtual Smart Cards (Windows 10)
-description: This topic for the IT professional describes requirements for virtual smart cards and provides information about how to use and manage them.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 10/13/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+title: Use Virtual Smart Cards
+description: Learn about the requirements for virtual smart cards, how to use and manage them.
+ms.topic: conceptual
+ms.date: 02/22/2023
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
---
# Use Virtual Smart Cards
-This topic for the IT professional describes requirements for virtual smart cards, how to use virtual smart cards, and tools that are available to help you create and manage them.
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
+
+Learn about the requirements for virtual smart cards, how to use and manage them.
## Requirements, restrictions, and limitations
@@ -24,9 +20,9 @@ This topic for the IT professional describes requirements for virtual smart card
|-------------|---------------------------|
| Supported operating systems | Windows Server 2016
                                  Windows Server 2012 R2
                                  Windows Server 2012
                                  Windows 10
                                  Windows 8.1
                                  Windows 8 | | Supported Trusted Platform Module (TPM) | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification). | -| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.

                                  **Note**
                                  You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they are always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.
                                  | -| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key is not generated. | -| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.
                                  The Administrative key must be entered as 48 hexadecimal characters. It is a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. | +| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.

                                  **Note**
                                  You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they're always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.
                                  | +| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key isn't generated. | +| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.
                                  The Administrative key must be entered as 48 hexadecimal characters. It's a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. | ## Using Tpmvscmgr.exe @@ -68,7 +64,7 @@ For more information about these Windows APIs, see: ## Distinguishing TPM-based virtual smart cards from physical smart cards -To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign in, and on other screens that require the user to enter the PIN for a virtual smart card. +To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign-in, and on other screens that require the user to enter the PIN for a virtual smart card. ![Icon for a virtual smart card.](images/vsc-virtual-smart-card-icon.png) 
@@ -86,17 +82,17 @@ The PIN for a virtual smart card can be changed by following these steps:
### TPM not provisioned
-For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer. If the TPM is disabled in the BIOS, or it is not provisioned with full ownership and the storage root key, the TPM virtual smart card creation will fail.
+For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer. If the TPM is disabled in the BIOS, or it isn't provisioned with full ownership and the storage root key, the TPM virtual smart card creation will fail.
If the TPM is initialized after creating a virtual smart card, the card will no longer function, and it will need to be re-created.
-If the TPM ownership was established on a Windows Vista installation, the TPM will not be ready to use virtual smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM virtual smart cards.
+If the TPM ownership was established on a Windows Vista installation, the TPM won't be ready to use virtual smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM virtual smart cards.
If the operating system is reinstalled, prior TPM virtual smart cards are no longer available and need to be re-created. If the operating system is upgraded, prior TPM virtual smart cards will be available to use in the upgraded operating system.
### TPM in lockout state
-Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter the lockout state. To resume using the TPM virtual smart card, it is necessary to reset the lockout on the TPM by using the owner’s password or to wait for the lockout to expire. Unblocking the user PIN does not reset the lockout in the TPM. When the TPM is in lockout, the TPM virtual smart card appears as if it is blocked.
When the TPM enters the lockout state because the user entered an incorrect PIN too many times, it may be necessary to reset the user PIN by using the virtual smart card management tools, such as Tpmvscmgr command-line tool.
+Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter the lockout state. To resume using the TPM virtual smart card, it's necessary to reset the lockout on the TPM by using the owner's password or to wait for the lockout to expire. Unblocking the user PIN doesn't reset the lockout in the TPM. When the TPM is in lockout, the TPM virtual smart card appears as if it's blocked. When the TPM enters the lockout state because the user entered an incorrect PIN too many times, it may be necessary to reset the user PIN by using the virtual smart card management tools, such as Tpmvscmgr command-line tool.
## See also
diff --git a/windows/security/identity-protection/vpn/images/custom-vpn-profile.png b/windows/security/identity-protection/vpn/images/custom-vpn-profile.png
deleted file mode 100644
index b229c96b68..0000000000
Binary files a/windows/security/identity-protection/vpn/images/custom-vpn-profile.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png b/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png
deleted file mode 100644
index 9f4efabc3f..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-intune-policy.png b/windows/security/identity-protection/vpn/images/vpn-intune-policy.png
deleted file mode 100644
index 4224979bbd..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-intune-policy.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png b/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png
deleted file mode 100644
index 7277b7a598..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index a44aa1b079..f14e959f6b 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -34,7 +34,7 @@ Windows supports a number of EAP authentication methods.
- Certificate filtering:
- Certificate filtering can be enabled to search for a particular certificate to use to authenticate with
- - Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based
+ - Filtering can be Issuer-based or extended key usage (EKU)-based
- Server validation - with TLS, server validation can be toggled on or off:
- Server name - specify the server to validate
@@ -88,7 +88,7 @@ See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EA
The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
-![EAP XML configuration in Intune profile.](images/vpn-eap-xml.png)
+:::image type="content" source="images/vpn-eap-xml.png" alt-text="EAP XML configuration in Intune profile.":::
## Related topics
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index 5da2a635a4..e9af1d83a5 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -68,7 +68,7 @@ Two client-side configuration service providers are leveraged for VPN device com
- **Sso**: entries under SSO should be used to direct the VPN client to use a certificate other than the VPN authentication certificate when accessing resources that require Kerberos authentication.
- **Sso/Enabled**: if this field is set to **true**, the VPN client looks for a separate certificate for Kerberos authentication.
- **Sso/IssuerHash**: hashes for the VPN client to look for the correct certificate for Kerberos authentication.
- - **Sso/Eku**: comma-separated list of Enhanced Key Usage (EKU) extensions for the VPN client to look for the correct certificate for Kerberos authentication.
+ - **Sso/Eku**: comma-separated list of extended key usage (EKU) extensions for the VPN client to look for the correct certificate for Kerberos authentication.
- HealthAttestation CSP (not a requirement) - functions performed by the HealthAttestation CSP include:
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index d5725508e4..a6330f4ad8 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -295,9 +295,9 @@ The following sample is a sample plug-in VPN profile. This blob would fall under
## Apply ProfileXML using Intune
-After you configure the settings that you want using ProfileXML, you can create a custom profile in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). After it's created, you deploy this profile to your devices.
+After you configure the settings that you want using ProfileXML, you can create a custom profile in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). After it's created, you deploy this profile to your devices.
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
diff --git a/windows/security/images/fall-creators-update-next-gen-security.png b/windows/security/images/fall-creators-update-next-gen-security.png
deleted file mode 100644
index 62aaa46f8d..0000000000
Binary files a/windows/security/images/fall-creators-update-next-gen-security.png and /dev/null differ
diff --git a/windows/security/images/icons/accessibility.svg b/windows/security/images/icons/accessibility.svg
deleted file mode 100644
index 21a6b4f235..0000000000
--- a/windows/security/images/icons/accessibility.svg
+++ /dev/null
@@ -1,3 +0,0 @@ - - - \ No newline at end of file
diff --git a/windows/security/images/icons/powershell.svg b/windows/security/images/icons/powershell.svg
deleted file mode 100644
index ab2d5152ca..0000000000
--- a/windows/security/images/icons/powershell.svg
+++ /dev/null
@@ -1,20 +0,0 @@ - - - - - - - - - - MsPortalFx.base.images-10 - - - - - - - - - - \ No newline at end of file
diff --git a/windows/security/images/icons/provisioning-package.svg b/windows/security/images/icons/provisioning-package.svg
deleted file mode 100644
index dbbad7d780..0000000000
--- a/windows/security/images/icons/provisioning-package.svg
+++ /dev/null
@@ -1,3 +0,0 @@ - - - \ No newline at end of file
diff --git a/windows/security/images/icons/registry.svg b/windows/security/images/icons/registry.svg
deleted file mode 100644
index 06ab4c09d7..0000000000
--- a/windows/security/images/icons/registry.svg
+++ /dev/null
@@ -1,22 +0,0 @@ - - - - - - - - - - - - - - - - - - - Icon-general-18 - - - \ No newline at end of file
diff --git a/windows/security/images/next-generation-windows-security-vision.png b/windows/security/images/next-generation-windows-security-vision.png
deleted file mode 100644
index a598365cb7..0000000000
Binary files a/windows/security/images/next-generation-windows-security-vision.png and /dev/null differ
diff --git a/windows/security/images/windows-security-app-w11.png b/windows/security/images/windows-security-app-w11.png
deleted file mode 100644
index e062b0d292..0000000000
Binary files a/windows/security/images/windows-security-app-w11.png and /dev/null differ
diff --git a/windows/security/includes/hello-deployment-cloud.md b/windows/security/includes/hello-deployment-cloud.md
deleted file mode 100644
index 8152da9722..0000000000
--- a/windows/security/includes/hello-deployment-cloud.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[cloud :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#cloud-deployment "For organizations using Azure AD-only identities. Device management is usually done via Intune/MDM")
\ No newline at end of file
diff --git a/windows/security/includes/hello-deployment-hybrid.md b/windows/security/includes/hello-deployment-hybrid.md
deleted file mode 100644
index b35d4b548e..0000000000
--- a/windows/security/includes/hello-deployment-hybrid.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[hybrid :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Azure AD. Device management is usually done via Group Policy or Intune/MDM")
\ No newline at end of file
diff --git a/windows/security/includes/hello-deployment-onpremises.md b/windows/security/includes/hello-deployment-onpremises.md
deleted file mode 100644
index 8746a5e9c7..0000000000
--- a/windows/security/includes/hello-deployment-onpremises.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[on-premises :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Azure AD. Device management is usually done via Group Policy")
\ No newline at end of file
diff --git a/windows/security/includes/hello-hybrid-cert-trust-ad.md b/windows/security/includes/hello-hybrid-cert-trust-ad.md
deleted file mode 100644
index 4691d86bc0..0000000000
--- a/windows/security/includes/hello-hybrid-cert-trust-ad.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-cloud-kerberos](hello-trust-cloud-kerberos.md)]
-- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----
\ No newline at end of file
diff --git a/windows/security/includes/hello-hybrid-key-trust-ad.md b/windows/security/includes/hello-hybrid-key-trust-ad.md
deleted file mode 100644
index a5074f5bd4..0000000000
--- a/windows/security/includes/hello-hybrid-key-trust-ad.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)]
-- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----
\ No newline at end of file
diff --git a/windows/security/includes/hello-join-aad.md b/windows/security/includes/hello-join-aad.md
deleted file mode 100644
index 5709970576..0000000000
--- a/windows/security/includes/hello-join-aad.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[Azure AD join :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Azure AD joined do not have any dependencies on Active Directory. Only local users accounts and Azure AD users can sign in to these devices")
\ No newline at end of file
diff --git a/windows/security/includes/hello-join-domain.md b/windows/security/includes/hello-join-domain.md
deleted file mode 100644
index 0385e2089a..0000000000
--- a/windows/security/includes/hello-join-domain.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[domain join :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md "Devices that are domain joined do not have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices")
\ No newline at end of file
diff --git a/windows/security/includes/hello-join-hybrid.md b/windows/security/includes/hello-join-hybrid.md
deleted file mode 100644
index 3d3e75c6b6..0000000000
--- a/windows/security/includes/hello-join-hybrid.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[hybrid Azure AD join :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are hybrid Azure AD joined don't have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Azure AD will have single-sign on to both Active Directory and Azure AD-protected resources")
\ No newline at end of file
diff --git a/windows/security/includes/hello-trust-certificate.md b/windows/security/includes/hello-trust-certificate.md
deleted file mode 100644
index ffc705fde0..0000000000
--- a/windows/security/includes/hello-trust-certificate.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[certificate trust :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers")
\ No newline at end of file
diff --git a/windows/security/includes/hello-trust-cloud-kerberos.md b/windows/security/includes/hello-trust-cloud-kerberos.md
deleted file mode 100644
index 5ddac53ba9..0000000000
--- a/windows/security/includes/hello-trust-cloud-kerberos.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[cloud Kerberos trust :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication")
\ No newline at end of file
diff --git a/windows/security/includes/hello-trust-key.md b/windows/security/includes/hello-trust-key.md
deleted file mode 100644
index 133f7f5204..0000000000
--- a/windows/security/includes/hello-trust-key.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[key trust :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
\ No newline at end of file
diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md
deleted file mode 100644
index f928705138..0000000000
--- a/windows/security/includes/improve-request-performance.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
->[!TIP]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.microsoft.com
-> - api-eu.securitycenter.microsoft.com
-> - api-uk.securitycenter.microsoft.com
diff --git a/windows/security/includes/machineactionsnote.md b/windows/security/includes/machineactionsnote.md
deleted file mode 100644
index d4b4560d8f..0000000000
--- a/windows/security/includes/machineactionsnote.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
->[!Note]
-> This page focuses on performing a machine action via API. See [take response actions on a machine](/microsoft-365/security/defender-endpoint/respond-machine-alerts) for more information about response actions functionality via Microsoft Defender for Endpoint.
\ No newline at end of file
diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md
deleted file mode 100644
index 0b0b2be701..0000000000
--- a/windows/security/includes/microsoft-defender-api-usgov.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
->[!NOTE]
->If you are a US Government customer, please use the URIs listed in [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov#api).
\ No newline at end of file
diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md
deleted file mode 100644
index bd9a8d2c0d..0000000000
--- a/windows/security/includes/microsoft-defender.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-> [!IMPORTANT]
-> The improved [Microsoft 365 Defender portal](https://security.microsoft.com) is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. [Learn what's new](/microsoft-365/security/mtp/overview-security-center).
diff --git a/windows/security/includes/prerelease.md b/windows/security/includes/prerelease.md
deleted file mode 100644
index c0212561bd..0000000000
--- a/windows/security/includes/prerelease.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/security/includes/virtual-smart-card-deprecation-notice.md b/windows/security/includes/virtual-smart-card-deprecation-notice.md
new file mode 100644
index 0000000000..dea207534a
--- /dev/null
+++ b/windows/security/includes/virtual-smart-card-deprecation-notice.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 02/22/2023
+ms.topic: include
+---
+
+> [!WARNING]
+> [Windows Hello for Business](../identity-protection/hello-for-business/hello-identity-verification.md) is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business.
\ No newline at end of file
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 2aa8f670fe..ce7aece4b4 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -11,6 +11,7 @@ metadata:
ms.technology: itpro-security
ms.collection:
- highpri
+ - tier1
author: paolomatarazzo
ms.author: paoloma
ms.date: 12/19/2022
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
index b917a468f8..daa9cba013 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
@@ -10,6 +10,7 @@ metadata:
audience: ITPro
ms.collection:
- highpri
+ - tier1
ms.topic: faq
ms.date: 11/08/2022
ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index 32a6c0816b..bc4ad1b106 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -90,17 +90,17 @@ To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-ne
### Protecting Thunderbolt and other DMA ports
-There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
+There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled:
![Kernel DMA protection.](images/kernel-dma-protection.png)
-If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
+If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
1. Require a password for BIOS changes
-2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
+2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11):
@@ -141,7 +141,7 @@ Enable secure boot and mandatorily prompt a password to change BIOS settings. Fo ### Tricking BitLocker to pass the key to a rogue operating system -An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don’t recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5. +An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5. An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. 
Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
index bb9df0cf68..e922e90f32 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -34,7 +34,7 @@ This article depicts the BitLocker deployment comparison chart.
 |*Cloud or on premises* | Cloud | On premises | On premises |
 |Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
 |*Additional agent required?* | No (device enrollment only) | Configuration Manager client | MBAM client |
-|*Administrative plane* | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
+|*Administrative plane* | Microsoft Intune admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
 |*Administrative portal installation required* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
 |*Compliance reporting capabilities* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
 |*Force encryption* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 811287a4d3..c0f495b8a6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -8,6 +8,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
index 24016c5ca6..4f7256eadb 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
@@ -10,6 +10,7 @@ metadata:
 audience: ITPro
 ms.collection:
 - highpri
+ - tier1
 ms.topic: faq
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 948d296fa0..8b776366c3 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -9,6 +9,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
@@ -471,7 +472,7 @@ This policy setting is used to determine what certificate to use with BitLocker. This policy setting is applied when BitLocker is turned on. -The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates can be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting. +The object identifier is specified in the extended key usage (EKU) of a certificate. BitLocker can identify which certificates can be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting. The default object identifier is 1.3.6.1.4.1.311.67.1.1. diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index b86eb930d8..93dc998a8a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
@@ -36,7 +36,7 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well. > [!NOTE] -> To manage Bitlocker, except to enable and disable it, one of the following licenses must be assigned to your users: +> To manage Bitlocker via CSP (Configuration Service Provider), except to enable and disable it, regardless of your management platform, one of the following licenses must be assigned to your users: > - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5). > - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5). diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml index 8398ff5cb5..3243fdb178 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml @@ -10,6 +10,7 @@ metadata: audience: ITPro ms.collection: - highpri + - tier1 ms.topic: faq ms.date: 11/08/2022 ms.custom: bitlocker 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index 5cc2a4ae6c..a3b7a72ca1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -8,6 +8,7 @@ author: frankroj
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 495549c66c..39eb80e0aa 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -10,6 +10,7 @@ ms.reviewer: rafals
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
deleted file mode 100644
index 11ce21de12..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
+++ /dev/null
@@ -1,42 +0,0 @@ ---- -title: Breaking out of a BitLocker recovery loop -description: This article for IT professionals describes how to break out of a BitLocker recovery loop. -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz -ms.collection: - - highpri -ms.topic: conceptual -ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security ---- - -# Breaking out of a BitLocker recovery loop - -Sometimes, following a crash, the operating system might not be able to successful boot due to the recovery screen repeatedly prompting to enter a recovery key. This experience can be frustrating. - -If the correct BitLocker recovery key has been entered multiple times but are unable to continue past the initial recovery screen, follow these steps to break out of the loop: - -> [!NOTE] -> Try these steps only after the device has been restarted at least once. - -1. On the initial recovery screen, don't enter The recovery key. Instead, select **Skip this drive**. - -2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**. - -3. From the WinRE command prompt, manually unlock the drive with the following command: - -```cmd -manage-bde.exe -unlock C: -rp -``` - -4. Suspend the protection on the operating system with the following command: - -```cmd -manage-bde.exe -protectors -disable C: -``` - -5. Once the command is run, exit the command prompt and continue to boot into the operating system. diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index ea25cc99da..ba44582914 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md 
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -9,6 +9,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
index 315672e456..1592e527a6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
@@ -9,6 +9,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
@@ -63,7 +64,7 @@ The following procedures describe the most common tasks performed by using the B
 By completing the procedures in this scenario, the recovery passwords for a computer have been viewed and copied and a password ID was used to locate a recovery password.
-## Replated articles
+## Related articles
 - [BitLocker Overview](bitlocker-overview.md)
 - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
diff --git a/windows/security/information-protection/bitlocker/images/4509186-en-1.png b/windows/security/information-protection/bitlocker/images/4509186-en-1.png
deleted file mode 100644
index 11f986fb68..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509186-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509188-en-1.png b/windows/security/information-protection/bitlocker/images/4509188-en-1.png
deleted file mode 100644
index 5b5b7b1b4a..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509188-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509189-en-1.png b/windows/security/information-protection/bitlocker/images/4509189-en-1.png
deleted file mode 100644
index 8d243a1899..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509189-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509190-en-1.png b/windows/security/information-protection/bitlocker/images/4509190-en-1.png
deleted file mode 100644
index bd37969b5d..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509190-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509191-en-1.png b/windows/security/information-protection/bitlocker/images/4509191-en-1.png
deleted file mode 100644
index 00ef607ab3..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509191-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509193-en-1.png b/windows/security/information-protection/bitlocker/images/4509193-en-1.png
deleted file mode 100644
index 2085613b3d..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509193-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509194-en-1.png b/windows/security/information-protection/bitlocker/images/4509194-en-1.png
deleted file mode 100644
index f4506c399b..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509194-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509195-en-1.png b/windows/security/information-protection/bitlocker/images/4509195-en-1.png
deleted file mode 100644
index cbecb03c4e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509195-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509196-en-1.png b/windows/security/information-protection/bitlocker/images/4509196-en-1.png
deleted file mode 100644
index 01e94b1243..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509196-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509198-en-1.png b/windows/security/information-protection/bitlocker/images/4509198-en-1.png
deleted file mode 100644
index 9056658662..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509198-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509199-en-1.png b/windows/security/information-protection/bitlocker/images/4509199-en-1.png
deleted file mode 100644
index d68a22eef7..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509199-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509200-en-1.png b/windows/security/information-protection/bitlocker/images/4509200-en-1.png
deleted file mode 100644
index 689bb19299..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509200-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509201-en-1.png b/windows/security/information-protection/bitlocker/images/4509201-en-1.png
deleted file mode 100644
index d521e86eed..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509201-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509202-en-1.png b/windows/security/information-protection/bitlocker/images/4509202-en-1.png
deleted file mode 100644
index bfcd2326b6..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509202-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509203-en-1.png b/windows/security/information-protection/bitlocker/images/4509203-en-1.png
deleted file mode 100644
index 05acc571fe..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509203-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509204-en-1.png b/windows/security/information-protection/bitlocker/images/4509204-en-1.png
deleted file mode 100644
index fa13f38ba9..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509204-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509205-en-1.png b/windows/security/information-protection/bitlocker/images/4509205-en-1.png
deleted file mode 100644
index a4f5cc15d2..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509205-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509206-en-1.png b/windows/security/information-protection/bitlocker/images/4509206-en-1.png
deleted file mode 100644
index 7b7e449443..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509206-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg
deleted file mode 100644
index 95afbf2ccc..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg
deleted file mode 100644
index d2caa05b03..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg
deleted file mode 100644
index 14a30db7c4..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg
deleted file mode 100644
index e691dcbc53..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg b/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg
deleted file mode 100644
index 40ddf183f6..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/feedback-app-icon.png b/windows/security/information-protection/bitlocker/images/feedback-app-icon.png
deleted file mode 100644
index c600883c0e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/feedback-app-icon.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/pcptool-output.jpg b/windows/security/information-protection/bitlocker/images/pcptool-output.jpg
deleted file mode 100644
index 91d10e6c66..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/pcptool-output.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/psget-winevent-1.png b/windows/security/information-protection/bitlocker/images/psget-winevent-1.png
deleted file mode 100644
index 21adc928de..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/psget-winevent-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/psget-winevent-2.png b/windows/security/information-protection/bitlocker/images/psget-winevent-2.png
deleted file mode 100644
index 2941452109..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/psget-winevent-2.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png
deleted file mode 100644
index 53b374d26e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png
deleted file mode 100644
index bc299cc0e9..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-1.png b/windows/security/information-protection/bitlocker/images/ts-tpm-1.png
deleted file mode 100644
index 1bef01d587..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-2.png b/windows/security/information-protection/bitlocker/images/ts-tpm-2.png
deleted file mode 100644
index d4d825029c..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-2.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-3.png b/windows/security/information-protection/bitlocker/images/ts-tpm-3.png
deleted file mode 100644
index 2acac0f3ea..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-3.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-4.png b/windows/security/information-protection/bitlocker/images/ts-tpm-4.png
deleted file mode 100644
index cb5b84d6b9..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-4.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-5.png b/windows/security/information-protection/bitlocker/images/ts-tpm-5.png
deleted file mode 100644
index 3b3cd2b961..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-5.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-6.png b/windows/security/information-protection/bitlocker/images/ts-tpm-6.png
deleted file mode 100644
index 4e82b9b76e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-6.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-7.png b/windows/security/information-protection/bitlocker/images/ts-tpm-7.png
deleted file mode 100644
index 8fb9446d93..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-7.png and /dev/null differ
diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg b/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg
deleted file mode 100644
index f1c25c116c..0000000000
Binary files a/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg and /dev/null differ
diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.png b/windows/security/information-protection/images/kernel-dma-protection-security-center.png
deleted file mode 100644
index dfd30ba2a2..0000000000
Binary files a/windows/security/information-protection/images/kernel-dma-protection-security-center.png and /dev/null differ
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 234c8a6eba..49d276838c 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -1,12 +1,13 @@ --- title: Kernel DMA Protection (Windows) -description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. +description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa manager: aaroncz ms.collection: - highpri + - tier1 ms.topic: conceptual ms.date: 01/05/2023 ms.technology: itpro-security @@ -18,7 +19,7 @@ ms.technology: itpro-security - Windows 10 - Windows 11 -In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots) +In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots) Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. 
@@ -32,9 +33,9 @@ The DMA capability is what makes PCI devices the highest performing devices avai These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard. Access to these devices required the user to turn off power to the system and disassemble the chassis. -Today, this is no longer the case with hot plug PCIe ports (for example, Thunderbolt™ and CFexpress). +Today, this is no longer the case with hot plug PCIe ports (for example, Thunderbolt™ and CFexpress). -Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that wasn't available before for PCs. +Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that wasn't available before for PCs. It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB. Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks. 
@@ -102,15 +103,15 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. - For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. + For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ## Frequently asked questions -### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3? -In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. +### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3? +In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. 
For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot? -No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. +No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. ### How can I check if a certain driver supports DMA-remapping? DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of two means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (that is, the device driver does not support DMA-remapping). 
@@ -122,7 +123,7 @@ Check the driver instance for the device you are testing. Some drivers may have ![Experience of a user about Kernel DMA protection](images/device-details-tab.png) -### When the drivers for PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping? +### When the drivers for PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping? If the peripherals do have class drivers provided by Windows, use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers). diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md index 0aed4ad1d1..e42dd1f9c9 100644 --- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md +++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md @@ -21,7 +21,7 @@ ms.date: 12/13/2022 ### Enable Personal Data Encryption (PDE) -1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Navigate to **Devices** > **Configuration Profiles** @@ -65,7 +65,7 @@ ms.date: 12/13/2022 ### Disable Winlogon automatic restart sign-on (ARSO) -1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Navigate to **Devices** > **Configuration Profiles** 
@@ -107,7 +107,7 @@ ms.date: 12/13/2022 ### Disable kernel-mode crash dumps and live dumps -1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Navigate to **Devices** > **Configuration Profiles** @@ -145,7 +145,7 @@ ms.date: 12/13/2022 ### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps -1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Navigate to **Devices** > **Configuration Profiles** @@ -183,7 +183,7 @@ ms.date: 12/13/2022 ### Disable hibernation -1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Navigate to **Devices** > **Configuration Profiles** @@ -221,7 +221,7 @@ ms.date: 12/13/2022 ### Disable allowing users to select when a password is required when resuming from connected standby -1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Navigate to **Devices** > **Configuration Profiles** diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index edec923f61..80d41fa3fb 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -5,8 +5,9 @@ ms.prod: windows-client ms.localizationpriority: medium author: dansimp manager: aaroncz -ms.collection: +ms.collection: - highpri + - tier1 ms.topic: conceptual ms.date: 05/12/2022 ms.author: dansimp 
@@ -91,13 +92,13 @@ To trust and boot operating systems, like Linux, and components signed by the UE 1. Open the firmware menu, either: - - Boot the PC, and press the manufacturer’s key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there’s often a screen that mentions the key. If there’s not one, or if the screen goes by too fast to see it, check your manufacturer’s site. + - Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site. - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings. -2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the “3rd Party CA”. +2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA". -3. Save changes and exit. +3. Save changes and exit. Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust. @@ -132,6 +133,8 @@ Depending on the implementation and configuration, the server can now determine Figure 2 illustrates the Measured Boot and remote attestation process. + + ![Measured Boot and remote attestation process.](./images/dn168167.measure_boot(en-us,MSDN.10).png) *Figure 2. Measured Boot proves the PC's health to a remote server* 
diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
index 5545248585..2779296ea9 100644
--- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
@@ -1,30 +1,20 @@ --- -title: Back up the TPM recovery information to AD DS (Windows) -description: This topic for the IT professional describes backup of Trusted Platform Module (TPM) information. -ms.reviewer: +title: Back up TPM recovery information to Active Directory +description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory. ms.prod: windows-client -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz ms.topic: conceptual -ms.date: 09/03/2021 +ms.date: 02/02/2023 ms.technology: itpro-security +appliesto: +- ✅ Windows 11 +- ✅ Windows Server 2016 and later --- # Back up the TPM recovery information to AD DS -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +In Windows 11, you can back up a device's Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS), enabling remote management of the TPM. -**Does not apply to** - -- Windows 10, version 1607 or later - -With Windows 10, versions 1511 and 1507, or Windows 11, you can back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)). - -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) \ No newline at end of file +For more information, see [Back up the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)). 
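Review bot: The new `appliesto` block and opening sentence present TPM information backup to AD DS as a Windows 11 capability, but the removed lines said the topic does not apply to Windows 10, version 1607 or later, and the page deleted in this same commit (change-the-tpm-owner-password.md) states that from version 1607 and Windows 11 the TPM owner password is set to a random value and discarded during provisioning unless `OSManagedAuthLevel` was changed to 4 beforehand. As written, a reader would expect owner authorization to be recoverable from AD DS on a default Windows 11 device, which the removed text indicates it is not. I'd restore the applicability caveat directly under the opening sentence, e.g. `> [!NOTE]` / `> Starting with Windows 10, version 1607, and in Windows 11, Windows doesn't retain the TPM owner authorization by default, so there is nothing to back up unless the TPM was provisioned with OSManagedAuthLevel set to 4, which isn't recommended.` It may also help to say that the linked Windows 8.1 procedure describes the older behavior rather than the current default.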
diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md deleted file mode 100644 index 5fabd8a69f..0000000000 --- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -title: Change the TPM owner password (Windows) -description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. -ms.reviewer: -ms.prod: windows-client -author: dansimp -ms.author: dansimp -manager: aaroncz -ms.topic: conceptual -ms.date: 01/18/2022 -ms.technology: itpro-security ---- - -# Change the TPM owner password - -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - -This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. - -## About the TPM owner password - -Starting with Windows 10, version 1607, or Windows 11, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded. - -> [!IMPORTANT] -> Although the TPM owner password is not retained starting with Windows 10, version 1607, or Windows 11, you can change a default registry key to retain it. However, we strongly recommend that you do not make this change. To retain the TPM owner password, set the registry key 'HKLM\\Software\\Policies\\Microsoft\\TPM' \[REG\_DWORD\] 'OSManagedAuthLevel' to 4. For Windows 10 versions newer than 1703 the default value for this key is 5. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. Unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved. - -Only one owner password exists for each TPM. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. The TPM owner password also allows manipulation of the TPM dictionary attack logic. 
Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it. - -Without the owner password you can still perform all the preceding actions by means of a physical presence confirmation from UEFI. - -### Other TPM management options - -Instead of changing your owner password, you can also use the following options to manage your TPM: - -- **Clear the TPM**   If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). - -- **Turn off the TPM**   With TPM 1.2 and Windows 10, versions 1507 and 1511, or Windows 11, you can turn off the TPM. Do this if you want to keep all existing keys and data intact and disable the services that are provided by the TPM. For more info, see [Turn off the TPM](initialize-and-configure-ownership-of-the-tpm.md#turn-off-the-tpm). - -## Change the TPM owner password - -With Windows 10, version 1507 or 1511, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password. - -To change to a new TPM owner password, in TPM.msc, click **Change Owner Password**, and follow the instructions. You will be prompted to provide the owner password file or to type the password. Then you can create a new password, either automatically or manually, and save the password in a file or as a printout. - -## Use the TPM cmdlets - -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule). - -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) 
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index df275cf0b3..be0cadec4a 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -1,48 +1,39 @@ --- title: How Windows uses the TPM -description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it to enhance security. -ms.reviewer: +description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security. ms.prod: windows-client -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz ms.topic: conceptual -ms.date: 09/03/2021 +ms.date: 02/02/2023 ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # How Windows uses the Trusted Platform Module -The Windows operating system improves most existing security features in the operating system and adds groundbreaking new security features such as Device Guard and Windows Hello for Business. It places hardware-based security deeper inside the operating system than previous Windows versions had done, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows makes extensive use of the Trusted Platform Module (TPM). This article offers a brief overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows and the cumulative security impact of running Windows on a PC that contains a TPM. - - -**See also:** -- [Windows 11 Specifications](https://www.microsoft.com/windows/windows-11-specifications) - -- [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) - -- [TPM Fundamentals](tpm-fundamentals.md) - -- [TPM Recommendations](tpm-recommendations.md)  +The Windows operating system places hardware-based security deeper inside many features, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows makes extensive use of the Trusted Platform Module (TPM). 
This article offers an overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows and the cumulative security impact of running Windows on a device with a TPM. ## TPM Overview The TPM is a cryptographic module that enhances computer security and privacy. Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security. The TPM helps with all these scenarios and more. -Historically, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. +Historically, TPMs have been discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. -TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. 
TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user reinstalls the operating system, user may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. +TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the operating system is reinstalled, the TPM may be required to be explicitly reprovisioned before it can use all the TPM's features. The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). -OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. 
For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly cannot leave the TPM*. +OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly can't leave the TPM*. -The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others do not. +The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. 
There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others don't. -Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft’s best advice is to determine your organization’s security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability. +Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability. -## TPM in Windows +## TPM in Windows The security features of Windows combined with the benefits of a TPM offer practical security and privacy benefits. The following sections start with major TPM-related security features in Windows and go on to describe how key technologies use the TPM to enable or increase security. 
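Review bot: The rewritten provisioning sentence in the "TPM Overview" paragraph reads awkwardly in its new form: `the TPM may be required to be explicitly reprovisioned before it can use all the TPM's features` stacks two passives and leaves "it" without a clear referent (the operating system is the one that uses the features). I'd change it to `Windows automatically provisions a TPM, but if the operating system is reinstalled, the TPM might need to be explicitly reprovisioned before the operating system can use all of its features.` The remaining edits in this hunk are apostrophe and contraction normalization and need no change.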
@@ -52,25 +43,27 @@ Windows includes a cryptography framework called *Cryptographic API: Next Genera Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third-party hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG. -The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers cannot offer or cannot offer as effectively: +The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers can't offer or can't offer as effectively: -- **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. +- **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. 
The operating system can load and use the keys in the TPM without copying the keys to system memory, where they're vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they aren't removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM isn't a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. -- **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. +- **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. 
Software solutions might provide similar features, but they can't provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. -These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically. +These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. 
If a certificate is configured as not able to be exported, the private key for the certificate is restricted and can't be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM's dictionary attack protection automatically. ## Virtual Smart Card -Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card’s certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers. +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] -In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes “something the user has” but still requires a PIN. Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM’s dictionary attack protection to prevent too many PIN guesses. +Smart cards are physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card's certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). 
However, smart cards can be expensive because they require purchase and deployment of both smart cards and smart card readers. -For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates “lost card” and “card left at home” scenarios while still delivering the benefits of smart card–based multifactor authentication. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. +In Windows, the *Virtual Smart Card* feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes *something the user has* but still requires a PIN. While physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses. + +For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key, so that it can't be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card, can reduce total cost of ownership. The *lost card* or *card left at home* scenarios are not applicable, and the benefits of smart card-based multifactor authentication is preserved. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. 
## Windows Hello for Business -Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, user name - password solutions for authentication often reuse the same user name – password combinations on multiple devices and services; if those credentials are compromised, they are compromised in many places. Windows Hello for Business provisions devices one by one and combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices. +Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, username/password solutions for authentication often reuse the same credential combinations on multiple devices and services. If those credentials are compromised, they are compromised in multiple places. Windows Hello for Business combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. 
To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices. The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Azure Active Directory account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](https://go.microsoft.com/fwlink/p/?LinkId=533889). 
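Review bot: The rewritten virtual smart card paragraph has two grammatical slips in its new lines: a stray comma separates subject from verb in `Using a component that is part of the system rather than a separate physical smart card, can reduce total cost of ownership.`, and `the benefits of smart card-based multifactor authentication is preserved` disagrees in number. I'd change the two sentences to `Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership. The *lost card* or *card left at home* scenarios aren't applicable, and the benefits of smart card-based multifactor authentication are preserved.` Since the hunk also adds the deprecation include above this section, the surrounding sentences that still read as a recommendation ("virtual smart cards are simple to use") may be worth softening to match, though I can't see the include's text from here.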
@@ -87,21 +80,21 @@ For Windows Hello for Business, Microsoft can fill the role of the identity CA.
## BitLocker Drive Encryption
-BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system’s enforcement of file permissions to read any user data.
+BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system's enforcement of file permissions to read any user data.
-In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions.
If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
+In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data can't be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
-- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value.
The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
+- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM.
Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component's measurement is sent to the TPM before it runs, a component can't erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
-- **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted.
If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS).
+- **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process can't proceed normally because the data on the operating system can't be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS).
-Device hardware characteristics are important to BitLocker and its ability to protect data.
One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience.
+Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume's decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience.
-Newer hardware and Windows work better together to disable direct memory access through ports and reduce attack vectors.
The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the “TPM-only” configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot.
+Newer hardware and Windows work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the "TPM-only" configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot.
## Device Encryption
-Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.
+Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account.
The Modern Standby hardware requirements inform Windows that the hardware is appropriate for deploying Device Encryption and allows use of the "TPM-only" configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key. For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. This permits servicing of components without changing the resulting measurement values. For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. These values also change less frequently. The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data. 
@@ -111,7 +104,7 @@ Windows 8 introduced Measured Boot as a way for the operating system to record t
The Windows boot process happens in stages and often involves third-party drivers to communicate with vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off).
-Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system’s starting state to determine whether the running operating system should be trusted.
+Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system's starting state to determine whether the running operating system should be trusted.
TPM measurements are designed to avoid recording any privacy-sensitive information as a measurement. As an additional privacy protection, Measured Boot stops the measurement chain at the initial starting state of Windows. Therefore, the set of measurements does not include details about which applications are in use or how Windows is being used. Measurement information can be shared with external entities to show that the device is enforcing adequate security policies and did not start with malware.
@@ -124,7 +117,6 @@ When new security features are added to Windows, Measured Boot adds security-rel
:::image type="content" alt-text="Process to Create Evidence of Boot Software and Configuration Using TPM." source="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png" lightbox="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png":::
*Figure 2: Process used to create evidence of boot software and configuration using a TPM*
-
## Health Attestation
Some Windows improvements help security solutions implement remote attestation scenarios. Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers as well as parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. The simple security assertions can be used to evaluate device health.
@@ -133,25 +125,25 @@ Mobile device management (MDM) solutions can receive simple security assertions
## Credential Guard
-Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user’s credentials (e.g., logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer’s memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a “pass the hash” attack, a malware technique that infects one machine to infect many machines across an organization.
+Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user's credentials (such as a logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer's memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a "pass the hash" attack, a malware technique that infects one machine to infect many machines across an organization.
-Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access.
This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return.
+Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel can't access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment can't tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return.
-The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it cannot access the secrets inside the isolated memory area that actually generates authorization tokens. The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows.
+The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it can't access the secrets inside the isolated memory area that actually generates authorization tokens. The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows.
## Conclusion
-The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM’s major features.
+The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM's major features.
                                  |Feature | Benefits when used on a system with a TPM| |---|---| -| Platform Crypto Provider |
                                  • If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
                                  • The TPM’s dictionary attack mechanism protects PIN values to use a certificate.
                                  | +| Platform Crypto Provider |
                                  • If the machine is compromised, the private key associated with the certificate can't be copied off the device.
                                  • The TPM's dictionary attack mechanism protects PIN values to use a certificate.
                                  | | Virtual Smart Card |
                                  • Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.
                                  | -| Windows Hello for Business |
                                  • Credentials provisioned on a device cannot be copied elsewhere.
                                  • Confirm a device’s TPM before credentials are provisioned.
                                  | +| Windows Hello for Business |
                                  • Credentials provisioned on a device can't be copied elsewhere.
                                  • Confirm a device's TPM before credentials are provisioned.
                                  | | BitLocker Drive Encryption |
                                  • Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.
                                  | -|Device Encryption |
                                  • With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection.
                                  | +|Device Encryption |
                                  • With a Microsoft account and the right hardware, consumers' devices seamlessly benefit from data-at-rest protection.
                                  | | Measured Boot |
                                  • A hardware root of trust contains boot measurements that help detect malware during remote attestation.
                                  | | Health Attestation |
                                  • MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365.
                                  | | Credential Guard |
                                  • Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization.
                                  |
diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
index dc54432a56..530666774a 100644
--- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -1,66 +1,58 @@
---
-title: Troubleshoot the TPM (Windows)
-description: This article for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM).
-ms.reviewer:
+title: Troubleshoot the TPM
+description: Learn how to view and troubleshoot the Trusted Platform Module (TPM).
ms.prod: windows-client
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
-ms.collection:
- - highpri
ms.topic: conceptual
-ms.date: 09/06/2021
+ms.date: 02/02/2023
ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
+ms.collection:
+- highpri
+- tier1
---
# Troubleshoot the TPM
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+This article provides information how to troubleshoot the Trusted Platform Module (TPM):
-This article provides information for the IT professional to troubleshoot the Trusted Platform Module (TPM):
+- [Troubleshoot TPM initialization](#tpm-initialization)
+- [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm)
-- [Troubleshoot TPM initialization](#troubleshoot-tpm-initialization)
-
-- [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm)
-
-With TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, you can also take the following actions:
-
-- [Turn on or turn off the TPM](#turn-on-or-turn-off)
+With TPM 1.2 and Windows 11, you can also take the following actions:
+- [Turn on or turn off the TPM](#turn-on-or-turn-off)
For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
## About TPM initialization and ownership
-Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you would initialize the TPM and create an owner password.
+Windows automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you had to initialize the TPM and create an owner password.
-## Troubleshoot TPM initialization
+### TPM initialization
If you find that Windows isn't able to initialize the TPM automatically, review the following information:
-- You can try clearing the TPM to the factory default values and allowing Windows to re-initialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article.
+- You can try clearing the TPM to the factory default values, allowing Windows to reinitialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm)
+- If the TPM is a TPM 2.0 and isn't detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM hasn't been disabled or hidden from the operating system
+- If you have TPM 1.2 with Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it's turned back on, Windows will reinitialize it
+- If you're attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM isn't present on the computer.
If you have a non-Microsoft driver installed, remove it, and then allow the operating system to initialize the TPM
-- If the TPM is a TPM 2.0 and isn't detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM hasn't been disabled or hidden from the operating system.
+### Network connection issues for domain-joined Windows 11 devices
-- If you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it's turned back on, Windows will re-initialize it.
+If you have Windows 11, the initialization of the TPM can't complete when your computer has network connection issues and both of the following conditions exist:
-- If you're attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM isn't present on the computer. If you have a non-Microsoft driver installed, remove it and then allow the operating system to initialize the TPM.
+- An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through group policy
+- A domain controller can't be reached.
This scenario may occur on a device that is currently disconnected from the internal network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter)
-### Troubleshoot network connection issues for Windows 10, versions 1507 and 1511, or Windows 11
+If these issues occur, an error message appears, and you can't complete the initialization process. To avoid the issue, allow Windows to initialize the TPM while you're connected to the corporate network, and you can contact a domain controller.
-If you have Windows 10, version 1507 or 1511, or Windows 11, the initialization of the TPM can't complete when your computer has network connection issues and both of the following conditions exist:
+### Systems with multiple TPMs
-- An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through Group Policy.
-
-- A domain controller can't be reached. This can occur on a computer that is currently disconnected from the network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter).
-
-If these issues occur, an error message appears, and you can't complete the initialization process. To avoid this issue, allow Windows to initialize the TPM while you're connected to the corporate network and you can contact a domain controller.
-
-### Troubleshoot systems with multiple TPMs
-
-Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows does not support this behavior. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article.
+Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows doesn't support this configuration. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs, you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm).
For example, toggling TPMs will cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected to be used and the selection isn't changed.
@@ -68,83 +60,58 @@ For example, toggling TPMs will cause BitLocker to enter recovery mode. We stron You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, even if the TPM isn't cleared before a new operating system is installed, most TPM functionality will probably work correctly. -Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically re-initialize it and take ownership again. +Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically reinitialize it and take ownership again. > [!WARNING] -> Clearing the TPM can result in data loss. For more information, see the next section, “Precautions to take before clearing the TPM.” +> Clearing the TPM can result in data loss. For more information, see the next section, "Precautions to take before clearing the TPM." ### Precautions to take before clearing the TPM Clearing the TPM can result in data loss. To protect against such loss, review the following precautions: -- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign-in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM. - -- Don't clear the TPM on a device you don't own, such as a work or school PC, without being instructed to do so by your IT administrator. - -- If you want to temporarily suspend TPM operations and you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, you can turn off the TPM. 
For more information, see [Turn off the TPM](#turn-off-the-tpm), later in this article. - -- Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Don't clear the TPM directly from UEFI. - -- Because your TPM security hardware is a physical part of your computer, before clearing the TPM, you might want to read the manuals or instructions that came with your computer, or search the manufacturer's website. +- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign-in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM +- Don't clear the TPM on a device you don't own, such as a work or school PC, without being instructed to do so by your IT administrator +- If you want to temporarily suspend TPM operations on Windows 11, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm) +- Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Don't clear the TPM directly from UEFI +- Because your TPM security hardware is a physical part of your computer, before clearing the TPM, you might want to read the manuals or instructions that came with your computer, or search the manufacturer's website Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. **To clear the TPM** 1. Open the Windows Defender Security Center app. +1. Select **Device security**. +1. Select **Security processor details**. +1. Select **Security processor troubleshooting**. +1. Select **Clear TPM**. + - You'll be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM. + - After the device restarts, your TPM will be automatically prepared for use by Windows. -2. Select **Device security**. - -3. 
Select **Security processor details**. - -4. Select **Security processor troubleshooting**. - -5. Select **Clear TPM**. - -6. You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM. - -7. After the PC restarts, your TPM will be automatically prepared for use by Windows. - -## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 and higher) +## Turn on or turn off the TPM Normally, the TPM is turned on as part of the TPM initialization process. You don't normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. ### Turn on the TPM -If you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM. +If you want to use the TPM after you've turned it off, you can use the following procedure to turn on the TPM. -**To turn on the TPM (TPM 1.2 with Windows 10, version 1507 and higher)** +1. Open the TPM MMC (tpm.msc). +1. In the **Action** pane, select **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page. +1. Select **Shutdown** (or **Restart**), and then follow the UEFI screen prompts. -1. Open the TPM MMC (tpm.msc). - -2. In the **Action** pane, select **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page. - -3. Select **Shutdown** (or **Restart**), and then follow the UEFI screen prompts. - - After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software isn't attempting to make changes to the TPM. +After the device restarts, but before you sign in to Windows, you'll be prompted to accept the reconfiguration of the TPM. 
The acceptance ensures that the user has physical access to the computer and that malicious software isn't attempting to make changes to the TPM. ### Turn off the TPM If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. -**To turn off the TPM (TPM 1.2 with Windows 10, version 1507 and higher)** - -1. Open the TPM MMC (tpm.msc). - -2. In the **Action** pane, select **Turn TPM Off** to display the **Turn off the TPM security hardware** page. - -3. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM: - - - If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the .tpm file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**. - - - If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**. - - - If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password. +1. Open the TPM MMC (`tpm.msc`). +1. In the **Action** pane, select **Turn TPM Off** to display the **Turn off the TPM security hardware** page. +1. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM: + - If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. 
In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the *.tpm* file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**. + - If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**. + - If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password. ## Use the TPM cmdlets You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). - -## Related articles - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of articles) diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md deleted file mode 100644 index 1ec4c72de8..0000000000 --- a/windows/security/information-protection/tpm/manage-tpm-commands.md +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -title: Manage TPM commands (Windows) -description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. -ms.author: dansimp -ms.prod: windows-client -author: dulcemontemayor -manager: aaroncz -ms.topic: conceptual -ms.date: 09/06/2021 -ms.technology: itpro-security ---- - -# Manage TPM commands - -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - -This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. - -After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands. - -The following procedures describe how to manage the TPM command lists. You must be a member of the local Administrators group. - -**To block TPM commands by using the Local Group Policy Editor** - -1. Open the Local Group Policy Editor (gpedit.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. - - > [!NOTE] - > Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS). - -2. In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**. - -3. Under **System**, click **Trusted Platform Module Services**. - -4. 
In the details pane, double-click **Configure the list of blocked TPM commands**. - -5. Click **Enabled**, and then click **Show**. - -6. For each command that you want to block, click **Add**, enter the command number, and then click **OK**. - - > [!NOTE] - > For a list of commands, see links in the [TPM Specification](https://www.trustedcomputinggroup.org/tpm-main-specification/). - -7. After you have added numbers for each command that you want to block, click **OK** twice. - -8. Close the Local Group Policy Editor. - -**To block or allow TPM commands by using the TPM MMC** - -1. Open the TPM MMC (tpm.msc) - -2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. - -3. In the console tree, click **Command Management**. A list of TPM commands is displayed. - -4. In the list, select a command that you want to block or allow. - -5. Under **Actions**, click **Block Selected Command** or **Allow Selected Command** as needed. If **Allow Selected Command** is unavailable, that command is currently blocked by Group Policy. - -**To block new commands** - -1. Open the TPM MMC (tpm.msc). - - If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. - -2. In the console tree, click **Command Management**. A list of TPM commands is displayed. - -3. In the **Action** pane, click **Block New Command**. The **Block New Command** dialog box is displayed. - -4. In the **Command Number** text box, type the number of the new command that you want to block, and then click **OK**. The command number you entered is added to the blocked list. - -## Use the TPM cmdlets - -You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). 
- -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) \ No newline at end of file diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md deleted file mode 100644 index b348034a8d..0000000000 --- a/windows/security/information-protection/tpm/manage-tpm-lockout.md +++ /dev/null 
@@ -1,88 +0,0 @@ ---- -title: Manage TPM lockout (Windows) -description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. -ms.reviewer: -ms.author: dansimp -ms.prod: windows-client -author: dulcemontemayor -manager: aaroncz -ms.topic: conceptual -ms.date: 09/06/2021 -ms.technology: itpro-security ---- -# Manage TPM lockout - -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - -This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. - -## About TPM lockout - -The TPM will lock itself to prevent tampering or malicious attacks. TPM lockout often lasts for a variable amount of time or until the computer is turned off. While the TPM is in lockout mode, it generally returns an error message when it receives commands that require an authorization value. One exception is that the TPM always allows the owner at least one attempt to reset the TPM lockout when it is in lockout mode. - -TPM ownership is taken upon first boot by Windows. By default, Windows does not retain the TPM owner password. - -In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values. - -**TPM 1.2** - -The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. 
TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. This can prevent them from using the TPM for a period of time. - -**TPM 2.0** - -TPM 2.0 devices have standardized lockout behavior, which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event, which increases the counter will cause the counter to decrease by 1. - -If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher. - -## Reset the TPM lockout by using the TPM MMC - -> [!NOTE] -> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password is not available in Windows 10 starting with version 1607 and higher. - -The following procedure explains the steps to reset the TPM lockout by using the TPM MMC. - -**To reset the TPM lockout** - -1. Open the TPM MMC (tpm.msc). - -2. In the **Action** pane, click **Reset TPM Lockout** to start the Reset TPM Lockout Wizard. - -3. Choose one of the following methods to enter the TPM owner password: - - - If you saved your TPM owner password to a .tpm file, click **I have the owner password file**, and then type the path to the file, or click **Browse** to navigate to the file location. 
- - - If you want to manually enter your TPM owner password, click **I want to enter the owner password**, and then type the password in the text box provided. - - > [!NOTE] - > If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it. - -## Use Group Policy to manage TPM lockout settings - -The TPM Group Policy settings in the following list are located at: - -**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** - -- [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#standard-user-lockout-duration) - - This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands that require authorization. An authorization failure occurs each time a user sends a command to the TPM and receives an error message that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, the user is prevented from sending commands to the TPM that require authorization. - -- [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-individual-lockout-threshold) - - This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. This value is the maximum number of authorization failures that each user can have before the user is not allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization. 
- -- [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-total-lockout-threshold) - - This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization. - -For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#anti-hammering). - -## Use the TPM cmdlets - -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/). - -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) \ No newline at end of file diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index 34b14b5105..de49d856c6 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md 
@@ -1,70 +1,63 @@ --- -title: Understanding PCR banks on TPM 2.0 devices (Windows) -description: This topic for the IT professional provides background about what happens when you switch PCR banks on TPM 2.0 devices. -ms.reviewer: +title: UnderstandPCR banks on TPM 2.0 devices +description: Learn about what happens when you switch PCR banks on TPM 2.0 devices. ms.prod: windows-client -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz ms.topic: conceptual -ms.date: 09/06/2021 +ms.date: 02/02/2023 ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- -# Understanding PCR banks on TPM 2.0 devices +# PCR banks on TPM 2.0 devices -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This article provides background about what happens when you switch PCR banks on TPM 2.0 devices. -For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This topic provides background about what happens when you switch PCR banks on TPM 2.0 devices. +A *Platform Configuration Register (PCR)* is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes - the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a *PCR bank*. -A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes – the size of a SHA-1 digest. 
Multiple PCRs associated with the same hashing algorithm are referred to as a PCR bank. +To store a new value in a PCR, the existing value is extended with a new value as follows: `PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend)` -To store a new value in a PCR, the existing value is extended with a new value as follows: -PCR\[N\] = HASHalg( PCR\[N\] || ArgumentOfExtend ) +The existing value is concatenated with the argument of the TPM Extend operation. The resulting concatenation is then used as input to the associated hashing algorithm, which computes a digest of the input. The computed digest becomes the new value of the PCR. -The existing value is concatenated with the argument of the TPM Extend operation. The resulting concatenation is then used as input to the associated hashing algorithm, which computes a digest of the input. This computed digest becomes the new value of the PCR. +The [TCG PC Client Platform TPM Profile Specification](http://www.trustedcomputinggroup.org/pc-client-platform-tpm-profile-ptp-specification/) defines the inclusion of at least one PCR bank with 24 registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps to ensure that the value of those PCRs can only be modified via the TPM Extend operation. -The [TCG PC Client Platform TPM Profile Specification](http://www.trustedcomputinggroup.org/pc-client-platform-tpm-profile-ptp-specification/) defines the inclusion of at least one PCR bank with 24 registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps ensure that the value of those PCRs can only be modified via the TPM Extend operation. - -Some TPM PCRs are used as checksums of log events. The log events are extended in the TPM as the events occur. Later, an auditor can validate the logs by computing the expected PCR values from the log and comparing them to the PCR values of the TPM. 
Since the first 16 TPM PCRs cannot be modified arbitrarily, a match between an expected PCR value in that range and the actual TPM PCR value provides assurance of an unmodified log. +Some TPM PCRs are used as checksums of log events. The log events are extended in the TPM as the events occur. Later, an auditor can validate the logs by computing the expected PCR values from the log and comparing them to the PCR values of the TPM. Since the first 16 TPM PCRs can't be modified arbitrarily, a match between an expected PCR value in that range and the actual TPM PCR value provides assurance of an unmodified log. ## How does Windows use PCRs? -To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process – when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after. +To bind the use of a TPM based key to a certain state of the device, the key can be sealed to an expected set of PCR values.\ +For instance, PCRs 0 through 7 have a well-defined value after the boot process, when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after. -It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. 
For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using SHA-256 PCR banks, even with the same system configuration. Otherwise, the PCR values will not match. +It's important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the `SHA-1 PCR[12]`, if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values won't match. ## What happens when PCR banks are switched? When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs. -As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR banks to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled. +As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows won't be able to unseal it if the PCR banks are switched while BitLocker is enabled. ## What can I do to switch PCRs when BitLocker is already active? -Before switching PCR banks you should suspend or disable BitLocker – or have your recovery key ready. For steps on how to switch PCR banks on your PC, you should contact your OEM or UEFI vendor. 
+Before switching PCR banks, you should suspend or disable BitLocker or have the recovery key ready. For steps on how to switch PCR banks on your PC, contact your OEM or UEFI vendor. ## How can I identify which PCR bank is being used? -A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may chose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active. +You can configure a TPM to have multiple PCR banks active. When BIOS performs measurements, it does so into all active PCR banks, depending on its capability to make these measurements. BIOS may choose to deactivate PCR banks that it doesn't support or *cap* PCR banks that it doesn't support by extending a separator. The following registry value identifies which PCR banks are active: -- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
                                  -- DWORD: TPMActivePCRBanks
                                  -- Defines which PCR banks are currently active. (This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27.)
                                  +- Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices` +- DWORD: `TPMActivePCRBanks` +- Defines which PCR banks are currently active. (This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27.) -Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions is not met. +Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions isn't met. -You can identify which PCR bank is currently used by Windows by looking at the registry. +You can identify which PCR bank is currently used by Windows by looking at the registry: -- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
                                  -- DWORD: TPMDigestAlgID
                                  -- Algorithm ID of the PCR bank that Windows is currently using. (This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27.)
                                  +- Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices` +- DWORD: `TPMDigestAlgID` +- Algorithm ID of the PCR bank that Windows is currently using. (This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27.) -Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they are not used by Windows and measurements that appear to be from Windows should not be trusted. - -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) +Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they aren't used by Windows and measurements that appear to be from Windows shouldn't be trusted. diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index 60e31fc6af..78c253cc6c 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md 
@@ -1,71 +1,63 @@ --- -title: Trusted Platform Module (TPM) fundamentals (Windows) -description: Inform yourself about the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and how they are used to mitigate dictionary attacks. +title: Trusted Platform Module (TPM) fundamentals +description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks. ms.reviewer: ms.prod: windows-client author: dansimp ms.author: dansimp manager: aaroncz ms.topic: conceptual -ms.date: 12/27/2021 +ms.date: 02/22/2023 ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # TPM fundamentals -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and later +This article provides a description of the *Trusted Platform Module* (TPM 1.2 and TPM 2.0) components, and explains how they're used to mitigate dictionary attacks. -This article for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. +A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with the rest of the system by using a hardware bus. -A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with the rest of the system by using a hardware bus. +Devices that incorporate a TPM can create cryptographic keys and encrypt them, so that the keys can only be decrypted by the TPM. This process, often called *wrapping* or *binding a key*, can help protect the key from disclosure. Each TPM has a *master wrapping key*, called the *storage root key*, which is stored within the TPM itself. 
The private portion of a storage root key, or *endorsement key*, that is created in a TPM is never exposed to any other component, software, process, or user. -Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user. +You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys can't be migrated, the private portion of the key is never exposed outside the TPM. -You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM. - -Computers that incorporate a TPM can also create a key that is wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met. 
+Devices that incorporate a TPM can also create a key wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as *sealing the key to the TPM*. Decrypting the key is called *unsealing*. The TPM can also seal and unseal data that is generated outside the TPM. With sealed key and software, such as BitLocker Drive Encryption, data can be locked until specific hardware or software conditions are met. With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. The TPM uses its own internal firmware and logic circuits to process instructions. Hence, it doesn't rely on the operating system and it isn't exposed to vulnerabilities that might exist in the operating system or application software. -For info about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more info, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module). +For information about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). 
For more information, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module). The following sections provide an overview of the technologies that support the TPM: -- [Measured Boot with support for attestation](#measured-boot-with-support-for-attestation) +- [Measured Boot with support for attestation](#measured-boot-with-support-for-attestation) +- [TPM-based Virtual Smart Card](#tpm-based-virtual-smart-card) +- [TPM-based certificate storage](#tpm-based-certificate-storage) +- [TPM Cmdlets](#tpm-cmdlets) +- [Physical presence interface](#physical-presence-interface) +- [TPM 1.2 states and initialization](#tpm-12-states-and-initialization) +- [Endorsement keys](#endorsement-keys) +- [TPM Key Attestation](#key-attestation) +- [Anti-hammering](#anti-hammering) -- [TPM-based Virtual Smart Card](#tpm-based-virtual-smart-card) - -- [TPM-based certificate storage](#tpm-based-certificate-storage) - -- [TPM Cmdlets](#tpm-cmdlets) - -- [Physical presence interface](#physical-presence-interface) - -- [TPM 1.2 states and initialization](#tpm-12-states-and-initialization) - -- [Endorsement keys](#endorsement-keys) - -- [TPM Key Attestation](#key-attestation) - -- [Anti-hammering](#anti-hammering) - -The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings: +The following article describes the TPM services that can be controlled centrally by using Group Policy settings: [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). ## Measured Boot with support for attestation -The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. 
It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate. +The *Measured Boot* feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components. Anti-malware software can use the log to determine whether components that ran before it are trustworthy or infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate. ## TPM-based Virtual Smart Card -The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user. +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] + +The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the device. If a user needs to use more than one device, a Virtual Smart Card must be issued to the user for each device. 
A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user. ## TPM-based certificate storage -The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The KSP is managed by templates in the UI. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal). +The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal). ## TPM Cmdlets 
@@ -73,7 +65,7 @@ You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets i ## Physical presence interface -For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning on the TPM, turning it off, or clearing it. These actions typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. +For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning on the TPM, turning it off, or clearing it. These actions typically can't be automated with scripts or other automation tools unless the individual OEM supplies them. ## TPM 1.2 states and initialization 
@@ -81,59 +73,53 @@ TPM 1.2 has multiple possible states. Windows automatically initializes the TPM, ## Endorsement keys -A trusted application can use TPM only if the TPM contains an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and it is never revealed or accessible outside the TPM. +A trusted application can use TPM only if the TPM contains an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and it's never revealed or accessible outside the TPM. ## Key attestation -TPM key attestation allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM. +*TPM key attestation* allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM-attested key provides higher security assurance backed up by non-exportability, anti-hammering, and isolation of keys provided by a TPM. ## Anti-hammering -When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM is used to create a cryptographic key that is not disclosed outside the TPM. It is used in the TPM after the correct authorization value is provided. +When a TPM processes a command, it does so in a protected environment. For example a dedicated micro controller on a discrete chip, or a special hardware-protected mode on the main CPU. 
A TPM is used to create a cryptographic key that isn't disclosed outside the TPM. It's used in the TPM after the correct authorization value is provided. -TPMs have anti-hammering protection that is designed to prevent brute force attacks, or more complex dictionary attacks, that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur. +TPMs have anti-hammering protection that is designed to prevent brute force attacks, or more complex dictionary attacks, that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys isn't technically practical, so TPMs have a global lockout when too many authorization failures occur. -Because many entities can use the TPM, a single authorization success cannot reset the TPM’s anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s protection. TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic. +Because many entities can use the TPM, a single authorization success can't reset the TPM's anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM's protection. TPMs are designed to forget about authorization failures after a period of time so the TPM doesn't enter a lockout state unnecessarily. 
A TPM owner password can be used to reset the TPM's lockout logic. -### TPM 2.0 anti-hammering +### TPM 2.0 anti-hammering -TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer and the logic varied widely throughout the industry. +TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer and the logic varied widely throughout the industry. -For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. +For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. -Attempts to use a key with an authorization value for the next 10 minutes would not return success or failure; instead the response indicates that the TPM is locked. After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. 
If a period of 320 minutes elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again. +Attempts to use a key with an authorization value for the next 10 minutes wouldn't return success or failure. Instead, the response indicates that the TPM is locked.\ +After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31. The TPM leaves the locked state and returns to normal operation.\ +With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM doesn't remember any authorization failures, and 32 failed attempts could occur again. -Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes. +Windows doesn't require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated.\ +Windows requires that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes. -The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators. 
+The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM, and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators. -In some enterprise situations, the TPM owner authorization value is configured to be stored centrally in Active Directory, and it is not stored on the local system. An administrator can launch the TPM MMC and choose to reset the TPM lockout time. If the TPM owner password is stored locally, it is used to reset the lockout time. If the TPM owner password is not available on the local system, the administrator needs to provide it. If an administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM does not allow another attempt to reset the lockout state for 24 hours. +In some implementations, the TPM owner authorization value is stored centrally in Active Directory, and not on the local system. An administrator can execute `tpm.msc` and choose to reset the TPM lockout time. If the TPM owner password is stored locally, it's used to reset the lockout time. If the TPM owner password isn't available on the local system, the administrator must provide it. If an administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM doesn't allow another attempt to reset the lockout state for 24 hours. -TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked. +TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. 
For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked. ### Rationale behind the defaults Originally, BitLocker allowed from 4 to 20 characters for a PIN. -Windows Hello has its own PIN for logon, which can be 4 to 127 characters. +Windows Hello has its own PIN for sign-in, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. -Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years. +Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years. -Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. 
Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20). +Staring in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20). ### TPM-based smart cards The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards: - -- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. 
With a virtual smart card, the TPM’s anti-hammering protection is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors. - -- Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements. - -- The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait 10 minutes or use some other credential to sign in, such as a user name and password. - -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/) -- [TPM WMI providers](/windows/win32/secprov/security-wmi-providers-reference) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md#tpm-hardware-configurations) +- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. + With a virtual smart card, the TPM's anti-hammering protection isn't reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors +- Hardware manufacturers and software developers can use the security features of the TPM to meet their requirements +- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password \ No newline at end of file 
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index aab2d0711e..49ae107749 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md 
@@ -1,36 +1,32 @@ --- title: TPM recommendations (Windows) description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows. -ms.reviewer: ms.prod: windows-client -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz +ms.topic: conceptual +ms.date: 02/02/2023 +ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later ms.collection: - highpri -ms.topic: conceptual -ms.date: 09/06/2021 -ms.technology: itpro-security + - tier1 --- # TPM recommendations -**Applies to** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows. For a basic feature description of TPM, see the [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md). ## TPM design and implementation -Traditionally, TPMs are discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Discrete TPM implementations are common. However, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. +Traditionally, TPMs are discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Discrete TPM implementations are common. However, they can be problematic for integrated devices that are small or have low power consumption. 
Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. -TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM. +TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM. The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards. These standards support a hardware-based root of trust for interoperable trusted computing platforms. 
The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index f768669a7c..2c2f23d5cb 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md 
@@ -1,46 +1,38 @@
---
-title: Trusted Platform Module Technology Overview (Windows)
-description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
-ms.reviewer:
+title: Trusted Platform Module Technology Overview
+description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.prod: windows-client
-ms.localizationpriority: high
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
+ms.topic: conceptual
+ms.date: 02/22/2023
+ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
ms.collection:
- highpri
-ms.topic: conceptual
-adobe-target: true
-ms.technology: itpro-security
-ms.date: 12/31/2017
+ - tier1
---
# Trusted Platform Module Technology Overview
-**Applies to**
-- Windows 11
-- Windows 10
-- Windows Server 2022
-- Windows Server 2019
-- Windows Server 2016
-
-This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
+This article describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
## Feature description
-[Trusted Platform Module (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM.
Some of the key advantages of using TPM technology are that you can:
+The [*Trusted Platform Module (TPM)*](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the advantages of using TPM technology are:
-- Generate, store, and limit the use of cryptographic keys.
-
-- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into it.
-
-- Help ensure platform integrity by taking and storing security measurements.
+- Generate, store, and limit the use of cryptographic keys
+- Use it for device authentication by using the TPM's unique RSA key, which is burned into the chip
+- Help ensure platform integrity by taking and storing security measurements of the boot process
The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them.
If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses.
-Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/).
+Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, see the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/).
### Automatic initialization of the TPM with Windows
@@ -50,11 +42,11 @@ In certain specific enterprise scenarios limited to Windows 10, versions 1507 an
## Practical applications
-Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and cannot be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards.
+Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and can't be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards.
Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process.
-Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
+Anti-malware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization aren't running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
@@ -66,16 +58,14 @@ For more info on new and changed functionality for Trusted Platform Module in Wi
Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
-Some things that you can check on the device are:
+Some security issues that you can check on the device include the following:
-- Is Data Execution Prevention supported and enabled?
-
-- Is BitLocker Drive Encryption supported and enabled?
-
-- Is SecureBoot supported and enabled?
+- Is Data Execution Prevention supported and enabled?
+- Is BitLocker Drive Encryption supported and enabled?
+- Is SecureBoot supported and enabled?
> [!NOTE]
-> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows 10, version 1607. TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
+> Windows supports Device Health Attestation with TPM 2.0. TPM 2.0 requires UEFI firmware. A device with legacy BIOS and TPM 2.0 won't work as expected.
## Supported versions for device health attestation
@@ -83,16 +73,3 @@ Some things that you can check on the device are:
|-------------|-------------|-------------|---------------------|---------------------|---------------------|
| TPM 1.2 | | >= ver 1607 | | Yes | >= ver 1607 |
| TPM 2.0 | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** |
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
-- [Details on the TPM standard](https://www.microsoft.com/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM)
-- [TPM Base Services Portal](/windows/desktop/TBS/tpm-base-services-portal)
-- [TPM Base Services API](/windows/desktop/api/_tbs/)
-- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule)
-- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md)
-- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/)
-- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/)
-- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx)
-- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx)
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
index b6ff1df198..beefbdf4be 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -1,22 +1,20 @@
---
title: TPM Group Policy settings (Windows)
description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
-ms.reviewer:
ms.prod: windows-client
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
ms.topic: conceptual
-ms.date: 09/06/2021
+ms.date: 02/02/2023
ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
---
# TPM Group Policy settings
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
index 300fe10913..fb8113bcd3 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
@@ -2,24 +2,22 @@
title: Trusted Platform Module (Windows)
description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.prod: windows-client
-ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: paolomatarazzo
+ms.author: paoloma
manager: aaroncz
+ms.topic: conceptual
+ms.date: 02/02/2023
+ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
ms.collection:
- highpri
-ms.topic: conceptual
-ms.date: 09/06/2021
-ms.technology: itpro-security
+ - tier1
---
# Trusted Platform Module
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. The following topics provide details.
@@ -29,7 +27,7 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based,
| [Trusted Platform Module Overview](trusted-platform-module-overview.md) | Provides an overview of the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. |
| [TPM fundamentals](tpm-fundamentals.md) | Provides background about how a TPM can work with cryptographic keys. Also describes technologies that work with the TPM, such as TPM-based virtual smart cards. |
| [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) | Describes TPM services that can be controlled centrally by using Group Policy settings. |
-| [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer’s TPM information to Active Directory Domain Services. |
+| [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer's TPM information to Active Directory Domain Services. |
| [Troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, describes how to turn the TPM on or off. |
| [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md) | Provides background about what happens when you switch PCR banks on TPM 2.0 devices. |
| [TPM recommendations](tpm-recommendations.md) | Discusses aspects of TPMs such as the difference between TPM 1.2 and 2.0, and the Windows features for which a TPM is required or recommended. |
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index 12fd396283..2145eb7a1a 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -24,7 +24,7 @@ After you've created and deployed your Windows Information Protection (WIP) poli
To associate your WIP policy with your organization's existing VPN policy, use the following steps:
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index d60c78b01f..7b9a855583 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -1,6 +1,6 @@
---
title: Create a WIP policy in Intune
-description: Learn how to use the Microsoft Endpoint Manager admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
+description: Learn how to use the Microsoft Intune admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
ms.prod: windows-client
author: aczechowski
ms.author: aaroncz
@@ -53,7 +53,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
## Create a WIP policy
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Open Microsoft Intune and select **Apps** > **App protection policies** > **Create policy**.
diff --git a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
index 8356183a84..cef1666430 100644
--- a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
+++ b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
@@ -34,7 +34,7 @@ When you unassign an existing policy, it removes the intent to deploy WIP from t
 If you're currently deploying a WIP policy for enrolled or unenrolled devices, you switch the WIP policy to Off. When devices check in after this change, the devices will proceed to unprotect files previously protected by WIP.
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Open Microsoft Intune and select **Apps** > **App protection policies**.
 1. Select the existing policy to turn off, and then select the **Properties**.
 1. Edit **Required settings**.
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png
deleted file mode 100644
index 5ce10dd81f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png
deleted file mode 100644
index 6bc8237f7f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png
deleted file mode 100644
index 7d67692ff3..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png b/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png
deleted file mode 100644
index 3ffbcce88c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png b/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png
deleted file mode 100644
index 0148a800b2..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png b/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png
deleted file mode 100644
index 3ceabfd15a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png
deleted file mode 100644
index 09bbda3a06..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png
deleted file mode 100644
index 17a97b8d3a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png b/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png
deleted file mode 100644
index 7b226b7edd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-addapps.png b/windows/security/information-protection/windows-information-protection/images/intune-addapps.png
deleted file mode 100644
index 52e3983adf..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-addapps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png b/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png
deleted file mode 100644
index 808de2db0e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png b/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png
deleted file mode 100644
index 3f7b7af6b6..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png b/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png
deleted file mode 100644
index f889dbca48..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png b/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png
deleted file mode 100644
index de066d3a8b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png b/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png
deleted file mode 100644
index 7987e91454..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png b/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png
deleted file mode 100644
index 70e726d379..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png b/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png
deleted file mode 100644
index e48b59aa4b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png b/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png
deleted file mode 100644
index 6aa8f89355..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png b/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png
deleted file mode 100644
index 6786a93416..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png b/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png
deleted file mode 100644
index bc801a8521..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png b/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png
deleted file mode 100644
index 64d9ebda26..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png b/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png
deleted file mode 100644
index 3ec8bec32d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png b/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png
deleted file mode 100644
index b3340d6e4f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png
deleted file mode 100644
index 49c41b313d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png
deleted file mode 100644
index 51abff3771..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png
deleted file mode 100644
index cf9f85181a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png
deleted file mode 100644
index 66415d57fd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png
deleted file mode 100644
index a1d9bc70d9..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png
deleted file mode 100644
index b09cb58508..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png
deleted file mode 100644
index 19892b3a7c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png b/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png
deleted file mode 100644
index cfeee8a45f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png b/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png
deleted file mode 100644
index 57c40a85d0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png b/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png
deleted file mode 100644
index 58f675399a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png
deleted file mode 100644
index dd6450af37..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png
deleted file mode 100644
index 3dbbb4e09b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png
deleted file mode 100644
index 89a133bcbe..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png
deleted file mode 100644
index f069f140dd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png
deleted file mode 100644
index e02310282d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png
deleted file mode 100644
index ae14d18238..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png
deleted file mode 100644
index 91109c29c9..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png
deleted file mode 100644
index 0aeb04bf0a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png
deleted file mode 100644
index 7090e29ff1..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png
deleted file mode 100644
index 313b0e4b73..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png
deleted file mode 100644
index e759e45f28..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png
deleted file mode 100644
index 8b81622c1a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png
deleted file mode 100644
index 8bc8a4d845..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png
deleted file mode 100644
index b31efa417c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png
deleted file mode 100644
index d12500349a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png
deleted file mode 100644
index e2b9b2ccae..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png
deleted file mode 100644
index b549db5548..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png
deleted file mode 100644
index 5c0dd50bb0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png
deleted file mode 100644
index eef6b1efd0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png
deleted file mode 100644
index 5ed595983a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png
deleted file mode 100644
index 59291bf62e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png
deleted file mode 100644
index 3142b31f51..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png
deleted file mode 100644
index aa0184a2c6..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png
deleted file mode 100644
index f282ff5e6b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png
deleted file mode 100644
index 2ecd78f1ca..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png
deleted file mode 100644
index f397cd6797..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png
deleted file mode 100644
index 30dde125e1..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png
deleted file mode 100644
index 0fff54b6d2..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png
deleted file mode 100644
index fdbc950c9e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png b/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png
deleted file mode 100644
index af36a7cc4e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 6b8c5f1841..4bcc628d6a 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -25,7 +25,7 @@ In the **Website learning report**, you can view a summary of the devices that h
 ## Access the WIP Learning reports
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Apps** > **Monitor** > **App protection status** > **Reports**.
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index af39d39146..1ab3f3f08e 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 09/06/2021
 ms.technology: itpro-security
@@ -65,7 +66,7 @@ To complete this procedure, you must be signed in as a member of the built-in Ad
  ## More considerations
-- After you turn on object access auditing, view the security login Event Viewer to review the results of your changes.
+- After you turn on object access auditing, view the security log in Event Viewer to review the results of your changes.
 - You can set up file and folder auditing only on NTFS drives.
 - Because the security log is limited in size, carefully select the files and folders to be audited. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.  
diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
index c5cdf8c616..74134a5bd9 100644
--- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
@@ -49,13 +49,13 @@ Changes to audit policy that are audited include:
 The following events will be enabled with Success auditing in this subcategory:
-- 4902(S): The Per-user audit policy table was created.
+- [4902](event-4902.md)(S): The Per-user audit policy table was created.
-- 4907(S): Auditing settings on object were changed.
+- [4907](event-4907.md)(S): Auditing settings on object were changed.
-- 4904(S): An attempt was made to register a security event source.
+- [4904](event-4904.md)(S): An attempt was made to register a security event source.
-- 4905(S): An attempt was made to unregister a security event source.
+- [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
 All other events in this subcategory will be logged regardless of the "Audit Policy Change" setting.
@@ -79,4 +79,4 @@ All other events in this subcategory will be logged regardless of the "Audit Pol
 - [4904](event-4904.md)(S): An attempt was made to register a security event source.
-- [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
\ No newline at end of file
+- [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
index b7fd89b268..caa5d33848 100644
--- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
@@ -20,6 +20,8 @@ ms.topic: reference Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects. +**Event volume**: Medium to High. + | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.
                                  However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
                                  If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
                                  This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | @@ -40,5 +42,3 @@ Audit Authorization Policy Change allows you to audit assignment and removal of - [4913](event-4913.md)(S): Central Access Policy on the object was changed. -**Event volume**: Medium to High. - diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index 319301f86f..45ec095169 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 09/06/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index d505b5d9ef..aab983edfc 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri + - tier3 ms.topic: reference --- @@ -127,7 +128,7 @@ This event generates when a logon session is created (on destination machine). I - **Account Name** [Type = UnicodeString]**:** the name of the account that reported information about successful logon. -- **Account Domain** [Type = UnicodeString]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following: - Domain NETBIOS name example: CONTOSO 
@@ -191,7 +192,7 @@ This event generates when a logon session is created (on destination machine). I - **Account Name** [Type = UnicodeString]**:** the name of the account for which logon was performed. -- **Account Domain** [Type = UnicodeString]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following: - Domain NETBIOS name example: CONTOSO 
@@ -289,7 +290,7 @@ For 4624(S): An account was successfully logged on. | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you are concerned about. | -| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor "**Subject\\Account Name"** for names that don’t comply with naming conventions. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor "**Subject\\Account Name"** for names that don't comply with naming conventions. | - Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **"Subject\\Security ID"** is not SYSTEM. diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 81657a6361..425447b217 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md 
@@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri + - tier3 ms.topic: reference --- @@ -28,7 +29,7 @@ ms.topic: reference This event is logged for any logon failure. -It generates on the computer where logon attempt was made, for example, if logon attempt was made on user’s workstation, then event will be logged on this workstation. +It generates on the computer where logon attempt was made, for example, if logon attempt was made on user's workstation, then event will be logged on this workstation. This event generates on domain controllers, member servers, and workstations. @@ -107,11 +108,11 @@ This event generates on domain controllers, member servers, and workstations. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81". -- **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field. +- **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. "Table 11. Windows Logon Types" contains the list of possible values for this field. **Table 11: Windows Logon Types** 
@@ -146,17 +147,17 @@ This event generates on domain controllers, member servers, and workstations. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81". -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on." **Failure Information:** -- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has “**Account locked out**” value. +- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has "**Account locked out**" value. -- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes. +- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has "**0xC0000234**" value. 
The most common status codes are listed in Table 12. Windows logon status codes. **Table 12: Windows logon status codes.** @@ -189,7 +190,7 @@ This event generates on domain controllers, member servers, and workstations. More information: -- **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common substatus codes listed in the “Table 12. Windows logon status codes.”. +- **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common substatus codes listed in the "Table 12. Windows logon status codes.". **Process Information:** @@ -199,7 +200,7 @@ More information: If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. + You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**. - **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. 
@@ -219,9 +220,9 @@ More information: **Detailed Authentication Information:** -- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information. +- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event "[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority" description for more information. -- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are: +- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig" registry key. Other packages can be loaded at runtime. 
When a new package is loaded a "[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority" (typically for NTLM) or "[4622](event-4622.md): A security package has been loaded by the Local Security Authority" (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are: - **NTLM** – NTLM-family Authentication @@ -233,15 +234,15 @@ More information: - **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager subpackage ([NTLM-family](/openspecs/windows_protocols/ms-nlmp/c50a85f0-5940-42d8-9e82-ed206902e919) protocol name) that was used during the logon attempt. Possible values are: - - “NTLM V1” + - "NTLM V1" - - “NTLM V2” + - "NTLM V2" - - “LM” + - "LM" - Only populated if “**Authentication Package” = “NTLM”**. + Only populated if "**Authentication Package" = "NTLM"**. -- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package. +- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have "0" value if Kerberos was negotiated using **Negotiate** authentication package. ## Security Monitoring Recommendations 
@@ -250,19 +251,19 @@ For 4625(F): An account failed to log on. > [!IMPORTANT] > For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. +- If you have a pre-defined "**Process Name**" for the process reported in this event, monitor all events with "**Process Name**" not equal to your defined value. -- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). +- You can monitor to see if "**Process Name**" is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). -- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” +- If you have a pre-defined list of restricted substrings or words in process names (for example, "**mimikatz**" or "**cain.exe**"), check for these substrings in "**Process Name**." - If **Subject\\Account Name** is a name of service account or user account, it may be useful to investigate whether that account is allowed (or expected) to request logon for **Account For Which Logon Failed\\Security ID**. - To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event. 
-- If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **“Subject\\Security ID”** that corresponds to the account. +- If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **"Subject\\Security ID"** that corresponds to the account. - We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets. @@ -270,7 +271,7 @@ For 4625(F): An account failed to log on. - If your organization restricts logons in the following ways, you can use this event to monitor accordingly: - - If the **“Account For Which Logon Failed \\Security ID”** should never be used to log on from the specific **Network Information\\Workstation Name**. + - If the **"Account For Which Logon Failed \\Security ID"** should never be used to log on from the specific **Network Information\\Workstation Name**. - If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses. @@ -286,14 +287,14 @@ For 4625(F): An account failed to log on. | Field | Value to monitor for | |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| - | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
                                  This issue is typically not a security issue, but it can be an infrastructure or availability issue. | - | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
                                  Especially if you get several of these events in a row, it can be a sign of a user enumeration attack. | - | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
                                  Especially watch for a number of such events in a row. | - | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
                                  Especially watch for a number of such events in a row. | - | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. | - | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. | - | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. | - | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | - | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
                                  This issue is typically not a security issue but it can be an infrastructure or availability issue. | - | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | - | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | + | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0XC000005E – "There are currently no logon servers available to service the logon request."
                                  This issue is typically not a security issue, but it can be an infrastructure or availability issue. | + | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0xC0000064 – "User logon with misspelled or bad user account".
                                  Especially if you get several of these events in a row, it can be a sign of a user enumeration attack. | + | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0xC000006A – "User logon with misspelled or bad password" for critical accounts or service accounts.
                                  Especially watch for a number of such events in a row. | + | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0XC000006D – "This is either due to a bad username or authentication information" for critical accounts or service accounts.
                                  Especially watch for a number of such events in a row. | + | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0xC000006F – "User logon outside authorized hours". | + | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0xC0000070 – "User logon from unauthorized workstation". | + | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0xC0000072 – "User logon to account disabled by administrator". | + | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0XC000015B – "The user has not been granted the requested logon type (aka logon right) at this machine". | + | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0XC0000192 – "An attempt was made to logon, but the Netlogon service was not started".
                                  This issue is typically not a security issue but it can be an infrastructure or availability issue. | + | **Failure Information\\Status** or
                                  **Failure Information\\Sub Status** | 0xC0000193 – "User logon with expired account". | + | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine". |
diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md
index 9509f490e5..f20653ded7 100644
--- a/windows/security/threat-protection/auditing/event-4670.md
+++ b/windows/security/threat-protection/auditing/event-4670.md
@@ -235,14 +235,14 @@ Example: D:(A;;FA;;;WD)
 | "GR" | GENERIC READ | "SD" | Delete |
 | "GW" | GENERIC WRITE | "WD" | Modify Permissions |
 | "GX" | GENERIC EXECUTE | "WO" | Modify Owner |
-| File access rights | "RP" | Read All Properties |
+| File access rights | | "RP" | Read All Properties |
 | "FA" | FILE ALL ACCESS | "WP" | Write All Properties |
 | "FR" | FILE GENERIC READ | "CC" | Create All Child Objects |
 | "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects |
 | "FX" | FILE GENERIC EXECUTE | "LC" | List Contents |
-| Registry key access rights | "SW" | All Validated Writes |
+| Registry key access rights | | "SW" | Self Write |
-| "KA" | "LO" | "LO" | List Object |
+| "KA" | KEY ALL ACCESS | "LO" | List Object |
-| "K" | KEY READ | "DT" | Delete Subtree |
+| "KR" | KEY READ | "DT" | Delete Subtree |
 | "KW" | KEY WRITE | "CR" | All Extended Rights |
 | "KX" | KEY EXECUTE | | |
@@ -272,4 +272,4 @@ For file system and registry objects, the following recommendations apply.
 - If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.**
-- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers.
\ No newline at end of file
+- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers.
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index 3ca1095e98..2cefaaced0 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -14,6 +14,7 @@ ms.author: vinpa
 ms.technology: itpro-security
 ms.collection: - highpri + - tier3 ms.topic: reference ---
@@ -26,11 +27,11 @@ ms.topic: reference ***Event Description:*** -This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This problem can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided. +This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This problem can occur when a domain controller doesn't have a certificate installed for smart card authentication (for example, with a "Domain Controller" or "Domain Controller Authentication" template), the user's password has expired, or the wrong password was provided. This event generates only on domain controllers. -This event is not generated if “Do not require Kerberos preauthentication” option is set for the account. +This event is not generated if "Do not require Kerberos preauthentication" option is set for the account. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -127,7 +128,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o - Using **MSB 0**-bit numbering, we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok. -> **Note**  In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.
                                  MSB illustration +> **Note**  In the table below **"MSB 0"** bit numbering is used, because RFC documents use this style. In "MSB 0" style bit numbering begins from left.
                                  MSB illustration The most common values: @@ -185,14 +186,14 @@ The most common values: | 0xd | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | | 0xe | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type | | 0xf | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | -| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
                                  It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
                                  It can also happen when a domain controller doesn't have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). | 0x11 | KDC\_ERR\_TRTYPE\_NOSUPP | KDC has no support for transited type | | 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked | | 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | | 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | | 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid; try again later | | 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid; try again later | -| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The user’s password has expired. +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The user's password has expired. | 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid |The wrong password was provided. | 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | | 0x1a | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match | 
@@ -260,9 +261,9 @@ The most common values: - **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority that issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events. -- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events. +- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate's serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events. -- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events. +- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate's thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events. ## Security Monitoring Recommendations @@ -270,11 +271,11 @@ For 4771(F): Kerberos pre-authentication failed. | **Type of monitoring required** | **Recommendation** | |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                                  Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. | -| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. | -| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Security ID”** for accounts that are outside the allow list. | -| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                                  Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"Security ID"** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"Security ID"** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"Security ID"** that corresponds to the accounts that should never be used. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"Security ID"** for accounts that are outside the allow list. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor "**Subject\\Account Name"** for names that don't comply with naming conventions. | - You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index e411b647ce..ad57e347c4 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md 
@@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri + - tier3 ms.topic: reference --- @@ -34,11 +35,11 @@ It shows successful and unsuccessful credential validation attempts. It shows only the computer name (**Source Workstation**) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you'll see CLIENT-1 in the **Source Workstation** field. Information about the destination computer (SERVER-1) isn't presented in this event. -If a credential validation attempt fails, you'll see a Failure event with **Error Code** parameter value not equal to “**0x0**”. +If a credential validation attempt fails, you'll see a Failure event with **Error Code** parameter value not equal to "**0x0**". The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used. -For monitoring local account logon attempts, it's better to use event “[4624](event-4624.md): An account was successfully logged on” because it contains more details and is more informative. +For monitoring local account logon attempts, it's better to use event "[4624](event-4624.md): An account was successfully logged on" because it contains more details and is more informative. This event also generates when a workstation unlock event occurs. 
@@ -85,7 +86,7 @@ This event does *not* generate when a domain account logs on locally to a domain ***Field Descriptions:*** -- **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](/windows/win32/secauthn/authentication-packages) that was used for credential validation. It's always “**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**” for [4776](event-4776.md) event. +- **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](/windows/win32/secauthn/authentication-packages) that was used for credential validation. It's always "**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**" for [4776](event-4776.md) event. > **Note**  **Authentication package** is a DLL that encapsulates the authentication logic used to determine whether to permit a user to log on. [Local Security Authority](/windows/win32/secgloss/l-gly#_security_local_security_authority_gly) (LSA) authenticates a user logon by sending the request to an authentication package. The authentication package then examines the logon information and either authenticates or rejects the user logon attempt. 
@@ -101,7 +102,7 @@ This event does *not* generate when a domain account logs on locally to a domain - **Source Workstation** \[Type = UnicodeString\]: the name of the computer from which the logon attempt originated. -- **Error Code** \[Type = HexInt32\]: contains error code for Failure events. For Success events this parameter has “**0x0**” value. The table below contains most common error codes for this event: +- **Error Code** \[Type = HexInt32\]: contains error code for Failure events. For Success events this parameter has "**0x0**" value. The table below contains most common error codes for this event: | Error Code | Description | |------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -126,16 +127,16 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun | **Type of monitoring required** | **Recommendation** | |-----------------|---------| -| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                                  Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. | -| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.
                                  To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. | -| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list. | -| **Restricted-use computers**: You might have certain computers from which certain people (accounts) shouldn't log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you're concerned about. | -| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that don’t comply with naming conventions. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                                  Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"Logon Account"** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"Logon Account"** value (with other information) to monitor how or when a particular account is being used.
                                  To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"Logon Account"** that should never be used. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"Logon Account"** for accounts that are outside the allow list. | +| **Restricted-use computers**: You might have certain computers from which certain people (accounts) shouldn't log on. | Monitor the target **Source Workstation** for credential validation requests from the **"Logon Account"** that you're concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor "**Logon Account"** for names that don't comply with naming conventions. | -- If NTLM authentication shouldn't be used for a specific account, monitor for that account. Don’t forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored. +- If NTLM authentication shouldn't be used for a specific account, monitor for that account. Don't forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored. -- You can use this event to collect all NTLM authentication attempts in the domain, if needed. Don’t forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored. +- You can use this event to collect all NTLM authentication attempts in the domain, if needed. 
Don't forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored. - If a local account should be used only locally (for example, network logon or terminal services logon isn't allowed), you need to monitor for all events where **Source Workstation** and **Computer** (where the event was generated and where the credentials are stored) have different values. diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md index 97c0977a60..e935d656d9 100644 --- a/windows/security/threat-protection/auditing/event-5136.md +++ b/windows/security/threat-protection/auditing/event-5136.md @@ -212,9 +212,9 @@ For a change operation, you'll typically see two 5136 events for one action, wit - **Type** \[Type = UnicodeString\]**:** type of performed operation. - - **Value Added** – new value added. + - **Value Added** – new value added ('%%14674') - - **Value Deleted** – value deleted (typically “Value Deleted” is a part of change operation). + - **Value Deleted** – value deleted ('%%14675', typically “Value Deleted” is a part of change operation). @@ -236,4 +236,5 @@ For 5136(S): A directory service object was modified. - If you need to monitor modifications to specific Active Directory attributes, monitor for **LDAP Display Name** field with specific attribute name. -- It's better to monitor **Operation\\Type = Value Added** events, because you'll see the new value of attribute. At the same time, you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value. \ No newline at end of file +- It's better to monitor **Operation\\Type = Value Added** events, because you'll see the new value of attribute. At the same time, you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value. + 
diff --git a/windows/security/threat-protection/auditing/images/netsh-command.png b/windows/security/threat-protection/auditing/images/netsh-command.png
deleted file mode 100644
index 56d7caa0c4..0000000000
Binary files a/windows/security/threat-protection/auditing/images/netsh-command.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/synaptics.png b/windows/security/threat-protection/auditing/images/synaptics.png
deleted file mode 100644
index 2ffc025437..0000000000
Binary files a/windows/security/threat-protection/auditing/images/synaptics.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md
index ebf21e1e50..3985c12068 100644
--- a/windows/security/threat-protection/auditing/view-the-security-event-log.md
+++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 09/09/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png b/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png
deleted file mode 100644
index 043da38016..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png b/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png
deleted file mode 100644
index 1943ec1fab..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png b/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png
deleted file mode 100644
index 6913ecfcc6..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/Devicesecuritypage.png b/windows/security/threat-protection/device-control/images/Devicesecuritypage.png
deleted file mode 100644
index d35b3507f8..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Devicesecuritypage.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png b/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png
deleted file mode 100644
index c2cec3aca1..0000000000
Binary files a/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/admintemplates.png b/windows/security/threat-protection/device-control/images/admintemplates.png
deleted file mode 100644
index 4bf90b2b8a..0000000000
Binary files a/windows/security/threat-protection/device-control/images/admintemplates.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/baselines.png b/windows/security/threat-protection/device-control/images/baselines.png
deleted file mode 100644
index d08380470f..0000000000
Binary files a/windows/security/threat-protection/device-control/images/baselines.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png
deleted file mode 100644
index 3080e0d1f0..0000000000
Binary files a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/bluetooth.png b/windows/security/threat-protection/device-control/images/bluetooth.png
deleted file mode 100644
index f4f5e4804b..0000000000
Binary files a/windows/security/threat-protection/device-control/images/bluetooth.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/class-guids.png b/windows/security/threat-protection/device-control/images/class-guids.png
deleted file mode 100644
index 6951e4ed5a..0000000000
Binary files a/windows/security/threat-protection/device-control/images/class-guids.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png
deleted file mode 100644
index 9d295dfa6b..0000000000
Binary files a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png
deleted file mode 100644
index 4b8c80fdd7..0000000000
Binary files a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png
deleted file mode 100644
index eaba30b27f..0000000000
Binary files a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/create-profile.png b/windows/security/threat-protection/device-control/images/create-profile.png
deleted file mode 100644
index b0b7eb7237..0000000000
Binary files a/windows/security/threat-protection/device-control/images/create-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png b/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png
deleted file mode 100644
index 95ac48ec54..0000000000
Binary files a/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png b/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png
deleted file mode 100644
index 44be977537..0000000000
Binary files a/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicecontrolcard.png b/windows/security/threat-protection/device-control/images/devicecontrolcard.png
deleted file mode 100644
index 829014859f..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicecontrolcard.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png b/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png
deleted file mode 100644
index a7cd33c892..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg b/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg
deleted file mode 100644
index cd814377be..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicesbyconnection.png b/windows/security/threat-protection/device-control/images/devicesbyconnection.png
deleted file mode 100644
index 4743358c57..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicesbyconnection.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicevendorid.jpg b/windows/security/threat-protection/device-control/images/devicevendorid.jpg
deleted file mode 100644
index 10b636fc0d..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicevendorid.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png b/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png
deleted file mode 100644
index cf8399acf4..0000000000
Binary files a/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/general-settings.png b/windows/security/threat-protection/device-control/images/general-settings.png
deleted file mode 100644
index 152822dc29..0000000000
Binary files a/windows/security/threat-protection/device-control/images/general-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/hardware-ids.png b/windows/security/threat-protection/device-control/images/hardware-ids.png
deleted file mode 100644
index 9017f289f6..0000000000
Binary files a/windows/security/threat-protection/device-control/images/hardware-ids.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png b/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png
deleted file mode 100644
index 55be4d714a..0000000000
Binary files a/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/sortbyconnection.jpg b/windows/security/threat-protection/device-control/images/sortbyconnection.jpg
deleted file mode 100644
index c86eab1470..0000000000
Binary files a/windows/security/threat-protection/device-control/images/sortbyconnection.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 003104ce73..9c1feb7d06 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -10,6 +10,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection:
 - highpri
+ - tier2
 ms.topic: conceptual
 ms.date: 12/16/2021
 ms.reviewer:
@@ -77,7 +78,7 @@ Set the following registry keys to enable HVCI. These keys provide exactly the s
 > [!IMPORTANT]
 >
-> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
+> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer's hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
 >
 > - In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have Windows Defender Application Control enabled.
 >
diff --git a/windows/security/threat-protection/device-guard/images/device-guard-gp.png b/windows/security/threat-protection/device-guard/images/device-guard-gp.png
deleted file mode 100644
index 6d265509ea..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/device-guard-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png b/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png
deleted file mode 100644
index cefb124344..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png b/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png
deleted file mode 100644
index 938e397751..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png b/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png
deleted file mode 100644
index fa2c162cc0..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png b/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png b/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png
deleted file mode 100644
index 4439bd2764..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png b/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png
deleted file mode 100644
index db0ddb80db..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png
deleted file mode 100644
index 55344d70d1..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png
deleted file mode 100644
index d79ca2c2af..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png b/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png
deleted file mode 100644
index 08492ef73b..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png b/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png
deleted file mode 100644
index 2c5c7236eb..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png b/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png b/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png
deleted file mode 100644
index 2c838be648..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png b/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png
deleted file mode 100644
index 9499946283..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png b/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png
deleted file mode 100644
index 4f6746eddf..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png b/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png
deleted file mode 100644
index c6b33e6139..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png b/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png deleted file mode 100644 index d640052d26..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png b/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png deleted file mode 100644 index e3729e8214..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png b/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png deleted file mode 100644 index 4f6746eddf..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png b/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png deleted file mode 100644 index 9f0ed93274..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png b/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png deleted file mode 100644 index bad5fe7cdd..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png and /dev/null differ 
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png deleted file mode 100644 index 782c2017ae..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png b/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png deleted file mode 100644 index 11687d092c..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png deleted file mode 100644 index 7661cb4eb9..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png b/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png deleted file mode 100644 index d640052d26..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png deleted file mode 100644 index b9a4b1881f..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png and /dev/null differ 
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png b/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png deleted file mode 100644 index 25f73eb190..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png b/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png deleted file mode 100644 index d640052d26..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png deleted file mode 100644 index 3a33c13350..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png b/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png deleted file mode 100644 index 9b423ea8ab..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md deleted file mode 100644 index 1bee48b996..0000000000 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -title: Deployment guidelines for Windows Defender Device Guard (Windows 10) -description: Plan your deployment of Hypervisor-Protected Code Integrity (also known as Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies. -keywords: virtualization, security, malware -ms.prod: windows-client -ms.mktglfcycl: deploy -ms.localizationpriority: medium -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.topic: conceptual -ms.date: 10/20/2017 -ms.reviewer: -ms.author: vinpa -ms.technology: itpro-security ---- - -# Baseline protections and other qualifications for virtualization-based protection of code integrity - -**Applies to** -- Windows 10 - -Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor-Protected Code Integrity (HVCI), a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers won't be as hardened against certain threats. - -For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. - -> [!WARNING] -> Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. 
Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). - -The following tables provide more information about the hardware, firmware, and software required for deployment of WDAC and HVCI. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. - -> [!NOTE] -> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. - -## Baseline protections - -|Baseline Protections | Description | Security benefits | -|--------------------------------|----------------------------------------------------|-------------------| -| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | -| Hardware: **CPU virtualization extensions**,
                                  plus **extended page tables** | These hardware features are required for VBS:
                                  One of the following virtualization extensions:
                                  • VT-x (Intel) or
                                  • AMD-V
                                  And:
                                  • Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system can't be exploited because of this isolation. | -| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This guarantee can prevent boot kits and root kits from installing and persisting across reboots. | -| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). 
You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware can't run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

                                  Important:
                                  Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

                                  | Support for VBS and for management features. | - -> **Important**  The following tables list additional qualifications for improved security. You can use WDAC and HVCI with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that WDAC and HVCI can provide. - -## Other qualifications for improved security - -The following tables describe other hardware and firmware qualifications, and the improved security that is available when these qualifications are met. - - -### More security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4 - -| Protections for Improved Security | Description | Security benefits | -|---------------------------------------------|----------------------------------------------------|------| -| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported.
                                  • In the BIOS configuration, BIOS authentication must be set.
                                  • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
                                  • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This guarantee helps protect against a physically present user with BIOS access.
                                  • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | - -
                                  - -### More security qualifications starting with Windows 10, version 1607, and Windows Server 2016 - - -| Protections for Improved Security | Description | Security benefits | -|---------------------------------------------|----------------------------------------------------|-----| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies).
                                  • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
                                  • HSTI 1.1.a provides extra security assurance for correctly secured silicon and platform. | -| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
                                  • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should use ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
                                  • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | - -
                                  - -### More security qualifications starting with Windows 10, version 1703 - - -| Protections for Improved Security | Description | Security benefits | -|---------------------------------------------|----------------------------------------------------|------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
                                  • UEFI runtime service must meet these requirements:
                                      • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
                                      • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
                                      • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
                                          • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
                                          • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

                                  Notes:
                                  • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
                                  • This protection is applied by VBS on OS page tables.


                                  Also note the following guidelines:
                                  • Don't use sections that are both writeable and executable
                                  • Don't attempt to directly modify executable system memory
                                  • Don't use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                                  • Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                                  • Reduces the attack surface to VBS from system firmware.
                                  • Blocks other security attacks against SMM. | diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 7b0d87f42e..4f3fd11f90 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -8,6 +8,7 @@ ms.author: paoloma author: paolomatarazzo ms.collection: - highpri + - tier3 ms.topic: article ms.localizationpriority: medium ms.reviewer: @@ -133,7 +134,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile |Boot Manager|[10.0.15063][sp-3089]|[#3089][certificate-3089]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); CKG (vendor affirmed); HMAC (Cert. [#3061][hmac-3061]); PBKDF (vendor affirmed); RSA (Cert. [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]

                                  Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)| |Windows OS Loader|[10.0.15063][sp-3090]|[#3090][certificate-3090]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]

                                  [Other algorithms: NDRNG][certificate-3090]| |Windows Resume [1]|[10.0.15063][sp-3091]|[#3091][certificate-3091]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790])| -|BitLocker® Dump Filter [2]|[10.0.15063][sp-3092]|[#3092][certificate-3092]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2522][rsa-2522]); SHS (Cert. [#3790][shs-3790])| +|BitLocker® Dump Filter [2]|[10.0.15063][sp-3092]|[#3092][certificate-3092]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2522][rsa-2522]); SHS (Cert. [#3790][shs-3790])| |Code Integrity (ci.dll)|[10.0.15063][sp-3093]|[#3093][certificate-3093]|FIPS approved algorithms: AES (Cert. [#4624][aes-4624]); RSA (Certs. [#2522][rsa-2522] and [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]

                                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. [#1282][component-1282])| |Secure Kernel Code Integrity (skci.dll)[3]|[10.0.15063][sp-3096]|[#3096][certificate-3096]|FIPS approved algorithms: AES (Cert. [#4624][aes-4624]); RSA (Certs. [#2522][rsa-2522] and [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]

                                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. [#1282][component-1282])| @@ -156,9 +157,9 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.14393][sp-2937]|[#2937][certificate-2937]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])

                                  Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

                                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#922][component-922]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#887][component-887]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#886][component-886])| |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.14393][sp-2936]|[#2936][certificate-2936]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])

                                  Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

                                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#922][component-922]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#887][component-887])| |Boot Manager|[10.0.14393][sp-2931]|[#2931][certificate-2931]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); HMAC (Cert. [#2651][hmac-2651]); PBKDF (vendor affirmed); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                                  Other algorithms: MD5; PBKDF (non-compliant); VMK KDF| -|BitLocker® Windows OS Loader (winload)|[10.0.14393][sp-2932]|[#2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                                  Other algorithms: NDRNG; MD5| -|BitLocker® Windows Resume (winresume)[1]|[10.0.14393][sp-2933]|[#2933][certificate-2933]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                                  Other algorithms: MD5| -|BitLocker® Dump Filter (dumpfve.sys)[2]|[10.0.14393][sp-2934]|[#2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])| +|BitLocker® Windows OS Loader (winload)|[10.0.14393][sp-2932]|[#2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                                  Other algorithms: NDRNG; MD5| +|BitLocker® Windows Resume (winresume)[1]|[10.0.14393][sp-2933]|[#2933][certificate-2933]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                                  Other algorithms: MD5| +|BitLocker® Dump Filter (dumpfve.sys)[2]|[10.0.14393][sp-2934]|[#2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])| |Code Integrity (ci.dll)|[10.0.14393][sp-2935]|[#2935][certificate-2935]|FIPS approved algorithms: RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                                  Other algorithms: AES (non-compliant); MD5

                                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888])| |Secure Kernel Code Integrity (skci.dll)[3]|[10.0.14393][sp-2938]|[#2938][certificate-2938]|FIPS approved algorithms: RSA (Certs. [#2193][rsa-2193]); SHS (Certs. [#3347][shs-3347])

                                  Other algorithms: MD5

                                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888])| @@ -180,9 +181,9 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.10586][sp-2605]|[#2606][certificate-2606]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629]); DRBG (Certs. [#955][drbg-955]); DSA (Certs. [#1024][dsa-1024]); ECDSA (Certs. [#760][ecdsa-760]); HMAC (Certs. [#2381][hmac-2381]); KAS (Certs. [#72][kas-72]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#72][kdf-72]); KTS (AES Certs. [#3653][aes-3653]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1887][rsa-1887], [#1888, and #1889][rsa-1888]); SHS (Certs. [#3047][shs-3047]); Triple-DES (Certs. [#2024][tdes-2024])

                                  Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#666][component-666]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#663][component-663]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#664][component-664])| |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.10586][sp-2605]|[#2605][certificate-2605]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629]); DRBG (Certs. [#955][drbg-955]); DSA (Certs. [#1024][dsa-1024]); ECDSA (Certs. [#760][ecdsa-760]); HMAC (Certs. [#2381][hmac-2381]); KAS (Certs. [#72][kas-72]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#72][kdf-72]); KTS (AES Certs. [#3653][aes-3653]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1887][rsa-1887], [#1888, and #1889][rsa-1888]); SHS (Certs. [#3047][shs-3047]); Triple-DES (Certs. [#2024][tdes-2024])

                                  Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#666][component-666]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#663][component-663])| |Boot Manager [4]|[10.0.10586][sp-2700]|[#2700][certificate-2700]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653]); HMAC (Cert. [#2381][hmac-2381]); PBKDF (vendor affirmed); RSA (Cert. [#1871][rsa-1871]); SHS (Certs. [#3047][shs-3047] and [#3048][shs-3048])

                                  Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)| -|BitLocker® Windows OS Loader (winload)[5]|[10.0.10586][sp-2701]|[#2701][certificate-2701]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629] and [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])

                                  Other algorithms: MD5; NDRNG| -|BitLocker® Windows Resume (winresume)[6]|[10.0.10586][sp-2702]|[#2702][certificate-2702]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])

                                  Other algorithms: MD5| -|BitLocker® Dump Filter (dumpfve.sys)[7]|[10.0.10586][sp-2703]|[#2703][certificate-2703]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653])| +|BitLocker® Windows OS Loader (winload)[5]|[10.0.10586][sp-2701]|[#2701][certificate-2701]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629] and [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])

                                  Other algorithms: MD5; NDRNG| +|BitLocker® Windows Resume (winresume)[6]|[10.0.10586][sp-2702]|[#2702][certificate-2702]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])

                                  Other algorithms: MD5| +|BitLocker® Dump Filter (dumpfve.sys)[7]|[10.0.10586][sp-2703]|[#2703][certificate-2703]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653])| |Code Integrity (ci.dll)|[10.0.10586][sp-2604]|[#2604][certificate-2604]|FIPS approved algorithms: RSA (Certs. [#1871][rsa-1871]); SHS (Certs. [#3048][shs-3048])

                                  Other algorithms: AES (non-compliant); MD5

                                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665])| |Secure Kernel Code Integrity (skci.dll)[8]|[10.0.10586][sp-2607]|[#2607][certificate-2607]|FIPS approved algorithms: RSA (Certs. [#1871][rsa-1871]); SHS (Certs. [#3048][shs-3048])

                                  Other algorithms: MD5

                                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665])| @@ -208,9 +209,9 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.10240][sp-2605]|#[2606][certificate-2606]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497]); DRBG (Certs. [#868][drbg-868]); DSA (Certs. [#983][dsa-983]); ECDSA (Certs. [#706][ecdsa-706]); HMAC (Certs. [#2233][hmac-2233]); KAS (Certs. [#64][kas-64]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#66][kdf-66]); KTS (AES Certs. [#3507][aes-3507]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1783][rsa-1783], [#1798][rsa-1798], and [#1802][rsa-1802]); SHS (Certs. [#2886][shs-2886]); Triple-DES (Certs. [#1969][tdes-1969])

                                  Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#576][component-576]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#575][component-575])| |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.10240][sp-2605]|[#2605][certificate-2605]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497]); DRBG (Certs. [#868][drbg-868]); DSA (Certs. [#983][dsa-983]); ECDSA (Certs. [#706][ecdsa-706]); HMAC (Certs. [#2233][hmac-2233]); KAS (Certs. [#64][kas-64]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#66][kdf-66]); KTS (AES Certs. [#3507][aes-3507]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1783][rsa-1783], [#1798][rsa-1798], and [#1802][rsa-1802]); SHS (Certs. [#2886][shs-2886]); Triple-DES (Certs. [#1969][tdes-1969])

                                  Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#576][component-576])| |Boot Manager[9]|[10.0.10240][sp-2600]|[#2600][certificate-2600]|FIPS approved algorithms: AES (Cert. [#3497][aes-3497]); HMAC (Cert. [#2233][hmac-2233]); KTS (AES Cert. [#3498][aes-3498]); PBKDF (vendor affirmed); RSA (Cert. [#1784][rsa-1784]); SHS (Certs. [#2871][shs-2871] and [#2886][shs-2886])

                                  Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)| -|BitLocker® Windows OS Loader (winload)[10]|[10.0.10240][sp-2601]|[#2601][certificate-2601]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])

                                  Other algorithms: MD5; NDRNG| -|BitLocker® Windows Resume (winresume)[11]|[10.0.10240][sp-2602]|[#2602][certificate-2602]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])

                                  Other algorithms: MD5| -|BitLocker® Dump Filter (dumpfve.sys)[12]|[10.0.10240][sp-2603]|[#2603][certificate-2603]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498])| +|BitLocker® Windows OS Loader (winload)[10]|[10.0.10240][sp-2601]|[#2601][certificate-2601]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])

                                  Other algorithms: MD5; NDRNG| +|BitLocker® Windows Resume (winresume)[11]|[10.0.10240][sp-2602]|[#2602][certificate-2602]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])

                                  Other algorithms: MD5| +|BitLocker® Dump Filter (dumpfve.sys)[12]|[10.0.10240][sp-2603]|[#2603][certificate-2603]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498])| |Code Integrity (ci.dll)|[10.0.10240][sp-2604]|[#2604][certificate-2604]|FIPS approved algorithms: RSA (Certs. [#1784][rsa-1784]); SHS (Certs. [#2871][shs-2871])

                                  Other algorithms: AES (non-compliant); MD5

                                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572])| |Secure Kernel Code Integrity (skci.dll)[13]|[10.0.10240][sp-2607]|[#2607][certificate-2607]|FIPS approved algorithms: RSA (Certs. [#1784][rsa-1784]); SHS (Certs. [#2871][shs-2871])

                                  Other algorithms: MD5

                                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572])| @@ -237,9 +238,9 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[6.3.9600 6.3.9600.17031][sp-2357]|[#2357][certificate-2357]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); DSA (Cert. [#855][dsa-855]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [#2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])

                                  Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

                                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#288][component-288]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289][component-289]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#323][component-323])| |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.3.9600 6.3.9600.17042][sp-2356]|[#2356][certificate-2356]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [# 2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])

                                  Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

                                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#288][component-288]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289][component-289])| |Boot Manager|[6.3.9600 6.3.9600.17031][sp-2351]|[#2351][certificate-2351]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); HMAC (Cert. [#1773][hmac-1773]); PBKDF (vendor affirmed); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])

                                  Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)| -|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[#2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])

                                  Other algorithms: MD5; NDRNG| -|BitLocker® Windows Resume (winresume)[14]|[6.3.9600 6.3.9600.17031][sp-2353]|[#2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])

                                  Other algorithms: MD5| -|BitLocker® Dump Filter (dumpfve.sys)|[6.3.9600 6.3.9600.17031][sp-2354]|[#2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])

                                  Other algorithms: N/A| +|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[#2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])

                                  Other algorithms: MD5; NDRNG| +|BitLocker® Windows Resume (winresume)[14]|[6.3.9600 6.3.9600.17031][sp-2353]|[#2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])

                                  Other algorithms: MD5| +|BitLocker® Dump Filter (dumpfve.sys)|[6.3.9600 6.3.9600.17031][sp-2354]|[#2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])

                                  Other algorithms: N/A| |Code Integrity (ci.dll)|[6.3.9600 6.3.9600.17031][sp-2355]|[#2355][certificate-2355]|FIPS approved algorithms: RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [# 2373][shs-2373])

                                  Other algorithms: MD5

                                  Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289][component-289])| \[14\] Applies only to Pro, Enterprise, and Embedded 8. @@ -256,9 +257,9 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone |Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.2.9200][sp-1892]|[#1892][sp-1892]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258]); DSA (Cert. [#687][dsa-687]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. [#1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])

                                  Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert.); ECDSA (Cert.); HMAC (Cert.); KAS (Cert); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs. and); SHS (Cert.); Triple-DES (Cert.)| |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.2.9200][sp-1891]|[#1891][certificate-1891]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258] and [#259][drbg-259]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. [#1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RNG (Cert. [#1110][rng-1110]); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])

                                  Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and); ECDSA (Cert.); HMAC (Cert.); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RNG (Cert.); RSA (Certs. and); SHS (Cert.); Triple-DES (Cert.)

                                  Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)| |Boot Manager|[6.2.9200][sp-1895]|[#1895][sp-1895]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); HMAC (Cert. #[1347][hmac-1347]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                                  Other algorithms: MD5| -|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[#1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                                  Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG| -|BitLocker® Windows Resume (WINRESUME)[15]|[6.2.9200][sp-1898]|[#1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                                  Other algorithms: MD5| -|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[#1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])

                                  Other algorithms: N/A| +|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[#1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                                  Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG| +|BitLocker® Windows Resume (WINRESUME)[15]|[6.2.9200][sp-1898]|[#1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                                  Other algorithms: MD5| +|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[#1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])

                                  Other algorithms: N/A| |Code Integrity (CI.DLL)|[6.2.9200][sp-1897]|[#1897][sp-1897]|FIPS approved algorithms: RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                                  Other algorithms: MD5| |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.2.9200][sp-1893]|[#1893][sp-1893]|FIPS approved algorithms: DSA (Cert. [#686][dsa-686]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386]); Triple-DES MAC (Triple-DES Cert. [#1386][tdes-1386], vendor affirmed)

                                  Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert.); Triple-DES MAC (Triple-DES Certificate, vendor affirmed)

                                  Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Certificate, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)| |Enhanced Cryptographic Provider (RSAENH.DLL)|[6.2.9200][sp-1894]|[#1894][sp-1894]|FIPS approved algorithms: AES (Cert. [#2196][aes-2196]); HMAC (Cert. #1346); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386])

                                  Other algorithms: AES (Cert. [#2196][aes-2196], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)| @@ -278,7 +279,7 @@ Validated Editions: Windows 7, Windows 7 SP1 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.1.7600.16385][sp-1328]

                                  [6.1.7600.16915][sp-1328]

                                  [6.1.7600.21092][sp-1328]

                                  [6.1.7601.17514][sp-1328]

                                  [6.1.7601.17725][sp-1328]

                                  [6.1.7601.17919][sp-1328]

                                  [6.1.7601.21861][sp-1328]

                                  [6.1.7601.22076][sp-1328]|[1328][certificate-1328]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1178][aes-1178]); AES GCM (Cert. [#1168][aes-1168], vendor-affirmed); AES GMAC (Cert. [#1168][aes-1168], vendor-affirmed); DRBG (Certs. [#23][drbg-23] and [#24][drbg-24]); ECDSA (Cert. [#141][ecdsa-141]); HMAC (Cert. [#677][hmac-677]); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. [#649][rng-649]); RSA (Certs. [#559][rsa-559] and [#560][rsa-560]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846])

                                  Other algorithms: AES (Cert. [#1168][aes-1168], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4| |Boot Manager|[6.1.7600.16385][sp-1319]

                                  [6.1.7601.17514][sp-1319]|[1319][certificate-1319]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); RSA (Cert. [#557][rsa-557]); SHS (Cert. [#1081][shs-1081])

                                  Other algorithms: MD5#1168 and); HMAC (Cert.); RSA (Cert.); SHS (Cert.)

                                  Other algorithms: MD5| |Winload OS Loader (winload.exe)|[6.1.7600.16385][sp-1326]

                                  [6.1.7600.16757][sp-1326]

                                  [6.1.7600.20897][sp-1326]

                                  [6.1.7600.20916][sp-1326]

                                  [6.1.7601.17514][sp-1326]

                                  [6.1.7601.17556][sp-1326]

                                  [6.1.7601.21655][sp-1326]

                                  [6.1.7601.21675][sp-1326]|[1326][certificate-1326]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); RSA (Cert. [#557][rsa-557]); SHS (Cert. [#1081][shs-1081])

                                  Other algorithms: MD5| -|BitLocker™ Drive Encryption|[6.1.7600.16385][sp-1332]

                                  [6.1.7600.16429][sp-1332]

                                  [6.1.7600.16757][sp-1332]

                                  [6.1.7600.20536][sp-1332]

                                  [6.1.7600.20873][sp-1332]

                                  [6.1.7600.20897][sp-1332]

                                  [6.1.7600.20916][sp-1332]

                                  [6.1.7601.17514][sp-1332]

                                  [6.1.7601.17556][sp-1332]

                                  [6.1.7601.21634][sp-1332]

                                  [6.1.7601.21655][sp-1332]

                                  [6.1.7601.21675][sp-1332]|[1332][certificate-1332]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])

                                  Other algorithms: Elephant Diffuser| +|BitLocker™ Drive Encryption|[6.1.7600.16385][sp-1332]

                                  [6.1.7600.16429][sp-1332]

                                  [6.1.7600.16757][sp-1332]

                                  [6.1.7600.20536][sp-1332]

                                  [6.1.7600.20873][sp-1332]

                                  [6.1.7600.20897][sp-1332]

                                  [6.1.7600.20916][sp-1332]

                                  [6.1.7601.17514][sp-1332]

                                  [6.1.7601.17556][sp-1332]

                                  [6.1.7601.21634][sp-1332]

                                  [6.1.7601.21655][sp-1332]

                                  [6.1.7601.21675][sp-1332]|[1332][certificate-1332]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])

                                  Other algorithms: Elephant Diffuser| |Code Integrity (CI.DLL)|[6.1.7600.16385][sp-1327]

                                  [6.1.7600.17122][sp-1327]v[6.1.7600.21320][sp-1327]

                                  [6.1.7601.17514][sp-1327]

                                  [6.1.7601.17950][sp-1327]v[6.1.7601.22108][sp-1327]|[1327][certificate-1327]|FIPS approved algorithms: RSA (Cert. [#557][rsa-557]); SHS (Cert. [#1081][shs-1081])

                                  Other algorithms: MD5| |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.1.7600.16385][sp-1331]

                                  (no change in SP1)|[1331][certificate-1331]|FIPS approved algorithms: DSA (Cert. [#385][dsa-385]); RNG (Cert. [#649][rng-649]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846]); Triple-DES MAC (Triple-DES Cert. [#846][tdes-846], vendor affirmed)

                                  Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4| |Enhanced Cryptographic Provider (RSAENH.DLL)|[6.1.7600.16385][sp-1330]

                                  (no change in SP1)|[1330][certificate-1330]|FIPS approved algorithms: AES (Cert. [#1168][aes-1168]); DRBG (Cert. [#23][drbg-23]); HMAC (Cert. [#673][hmac-673]); SHS (Cert. [#1081][shs-1081]); RSA (Certs. [#557][rsa-557] and [#559][rsa-559]); Triple-DES (Cert. [#846][tdes-846])

                                  Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)| @@ -312,7 +313,7 @@ Validated Editions: Ultimate Edition |--- |--- |--- |--- | |Enhanced Cryptographic Provider (RSAENH) | [6.0.6000.16386][sp-893] | [893][certificate-893] | FIPS approved algorithms: AES (Cert. [#553][aes-553]); HMAC (Cert. [#297][hmac-297]); RNG (Cert. [#321][rng-321]); RSA (Certs. [#255][rsa-255] and [#258][rsa-258]); SHS (Cert. [#618][shs-618]); Triple-DES (Cert. [#549][tdes-549])

                                  Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)| |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.0.6000.16386][sp-894]|[894][certificate-894]|FIPS approved algorithms: DSA (Cert. [#226][dsa-226]); RNG (Cert. [#321][rng-321]); SHS (Cert. [#618][shs-618]); Triple-DES (Cert. [#549][tdes-549]); Triple-DES MAC (Triple-DES Cert. [#549][tdes-549], vendor affirmed)

                                  Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4| -|BitLocker™ Drive Encryption|[6.0.6000.16386][sp-947]|[947][certificate-947]|FIPS approved algorithms: AES (Cert. [#715][aes-715]); HMAC (Cert. [#386][hmac-386]); SHS (Cert. [#737][shs-737])

                                  Other algorithms: Elephant Diffuser| +|BitLocker™ Drive Encryption|[6.0.6000.16386][sp-947]|[947][certificate-947]|FIPS approved algorithms: AES (Cert. [#715][aes-715]); HMAC (Cert. [#386][hmac-386]); SHS (Cert. [#737][shs-737])

                                  Other algorithms: Elephant Diffuser| |Kernel Mode Security Support Provider Interface (ksecdd.sys)|[6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067][sp-891]|[891][certificate-891]|FIPS approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)

                                  Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 bits to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5| @@ -481,9 +482,9 @@ Validated Editions: Standard, Datacenter, Storage Server |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.14393][sp-2937]|[2937][certificate-2937]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])

                                  Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)| |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.14393][sp-2936]|[2936][certificate-2936]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])

                                  Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)| |Boot Manager|[10.0.14393][sp-2931]|[2931][certificate-2931]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); HMAC (Cert. [#2651][hmac-2651]); PBKDF (vendor affirmed); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                                  Other algorithms: MD5; PBKDF (non-compliant); VMK KDF| -|BitLocker® Windows OS Loader (winload)|[10.0.14393][sp-2932]|[2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                                  Other algorithms: NDRNG; MD5| -|BitLocker® Windows Resume (winresume)|[10.0.14393][sp-2933]|[2933][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                                  Other algorithms: MD5| -|BitLocker® Dump Filter (dumpfve.sys)|[10.0.14393][sp-2934]|[2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])| +|BitLocker® Windows OS Loader (winload)|[10.0.14393][sp-2932]|[2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                                  Other algorithms: NDRNG; MD5| +|BitLocker® Windows Resume (winresume)|[10.0.14393][sp-2933]|[2933][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                                  Other algorithms: MD5| +|BitLocker® Dump Filter (dumpfve.sys)|[10.0.14393][sp-2934]|[2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])| |Code Integrity (ci.dll)|[10.0.14393][sp-2935]|[2935][certificate-2935]|FIPS approved algorithms: RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])

                                  Other algorithms: AES (non-compliant); MD5| |Secure Kernel Code Integrity (skci.dll)|[10.0.14393][sp-2938]|[2938][certificate-2938]|FIPS approved algorithms: RSA (Certs. [#2193][rsa-2193]); SHS (Certs. [#3347][shs-3347])

                                  Other algorithms: MD5| @@ -501,9 +502,9 @@ Validated Editions: Server, Storage Server, |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[6.3.9600 6.3.9600.17031][sp-2357]|[2357][certificate-2357]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); DSA (Cert. [#855][dsa-855]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [#2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])

                                  Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)| |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.3.9600 6.3.9600.17042][sp-2356]|[2356][certificate-2356]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [# 2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])

                                  Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)| |Boot Manager|[6.3.9600 6.3.9600.17031][sp-2351]|[2351][certificate-2351]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); HMAC (Cert. [#1773][hmac-1773]); PBKDF (vendor affirmed); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])

                                  Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)| -|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])

                                  Other algorithms: MD5; NDRNG| -|BitLocker® Windows Resume (winresume)[16]|[6.3.9600 6.3.9600.17031][sp-2353]|[2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])

                                  Other algorithms: MD5| -|BitLocker® Dump Filter (dumpfve.sys)[17]|[6.3.9600 6.3.9600.17031][sp-2354]|[2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])

                                  Other algorithms: N/A| +|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])

                                  Other algorithms: MD5; NDRNG| +|BitLocker® Windows Resume (winresume)[16]|[6.3.9600 6.3.9600.17031][sp-2353]|[2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])

                                  Other algorithms: MD5| +|BitLocker® Dump Filter (dumpfve.sys)[17]|[6.3.9600 6.3.9600.17031][sp-2354]|[2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])

                                  Other algorithms: N/A| |Code Integrity (ci.dll)|[6.3.9600 6.3.9600.17031][sp-2355]|[2355][certificate-2355]|FIPS approved algorithms: RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [# 2373][shs-2373])

                                  Other algorithms: MD5| \[16\] Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** @@ -522,9 +523,9 @@ Validated Editions: Server, Storage Server |Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.2.9200][sp-1892]|[1892]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258]); DSA (Cert. [#687][dsa-687]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. #[1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])

                                  Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert.); HMAC (Cert. #); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs. and); SHS (Cert.); Triple-DES (Cert.)

                                  Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)| |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.2.9200][sp-1891]|[1891][certificate-1891]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258] and [#259][drbg-259]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. [#1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RNG (Cert. [#1110][rng-1110]); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])

                                  Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs. and); SHS (Cert.); Triple-DES (Cert.)

                                  Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)| |Boot Manager|[6.2.9200][sp-1895]|[1895][sp-1895]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); HMAC (Cert. #[1347][hmac-1347]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                                  Other algorithms: MD5| -|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                                  Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG| -|BitLocker® Windows Resume (WINRESUME)|[6.2.9200][sp-1898]|[1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                                  Other algorithms: MD5| -|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])

                                  Other algorithms: N/A| +|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                                  Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG| +|BitLocker® Windows Resume (WINRESUME)|[6.2.9200][sp-1898]|[1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                                  Other algorithms: MD5| +|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])

                                  Other algorithms: N/A| |Code Integrity (CI.DLL)|[6.2.9200][sp-1897]|[1897][sp-1897]|FIPS approved algorithms: RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])

                                  Other algorithms: MD5| |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.2.9200][sp-1893]|[1893][sp-1893]|FIPS approved algorithms: DSA (Cert. [#686][dsa-686]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386]); Triple-DES MAC (Triple-DES Cert. [#1386][tdes-1386], vendor affirmed)

                                  Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)| |Enhanced Cryptographic Provider (RSAENH.DLL)|[6.2.9200][sp-1894]|[1894][sp-1894]|FIPS approved algorithms: AES (Cert. [#2196][aes-2196]); HMAC (Cert. [#1346][hmac-1346]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386])

                                  Other algorithms: AES (Cert. [#2196][aes-2196], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)| @@ -542,7 +543,7 @@ Validated Editions: Server, Storage Server |Cryptographic Primitives Library (bcryptprimitives.dll)|[66.1.7600.16385 or 6.1.7601.17514][sp-1336]|[1336][certificate-1336]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); AES GCM (Cert. [#1168][aes-1168], vendor-affirmed); AES GMAC (Cert. [#1168][aes-1168], vendor-affirmed); DRBG (Certs. [#23][drbg-23] and [#27][drbg-27]); DSA (Cert. [#391][dsa-391]); ECDSA (Cert. [#142][ecdsa-142]); HMAC (Cert. [#686][hmac-686]); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. [#649][rng-649]); RSA (Certs. [#559][rsa-559] and [#567][rsa-567]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846])

                                  Other algorithms: AES (Cert. [#1168][aes-1168], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4| |Enhanced Cryptographic Provider (RSAENH)|[6.1.7600.16385][sp-1337]|[1337][certificate-1337]|FIPS approved algorithms: AES (Cert. [#1168][aes-1168]); DRBG (Cert. [#23][drbg-23]); HMAC (Cert. [#687][hmac-687]); SHS (Cert. [#1081][shs-1081]); RSA (Certs. [#559][rsa-559] and [#568][rsa-568]); Triple-DES (Cert. [#846][tdes-846])

                                  Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)| |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.1.7600.16385][sp-1338]|[1338][certificate-1338]|FIPS approved algorithms: DSA (Cert. [#390][dsa-390]); RNG (Cert. [#649][rng-649]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846]); Triple-DES MAC (Triple-DES Cert. [#846][tdes-846], vendor affirmed)

                                  Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4| -|BitLocker™ Drive Encryption|[6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675][sp-1339]|[1339][certificate-1339]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])

                                  Other algorithms: Elephant Diffuser| +|BitLocker™ Drive Encryption|[6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675][sp-1339]|[1339][certificate-1339]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])

                                  Other algorithms: Elephant Diffuser| @@ -661,20 +662,20 @@ For more details, expand each algorithm section. |**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);

                                  **CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)

                                  **CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                                  **CMAC (Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                                  **GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

                                  (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

                                  **IV Generated:** (Externally); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported

                                  GMAC supported

                                  **XTS((KS: XTS_128**((e/d)(f)) **KS: XTS_256**((e/d)(f))|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations [#4064][aes-4064]

                                  Version 10.0.14393| |**ECB** (e/d; 128, 192, 256);

                                  **CBC** (e/d; 128, 192, 256);

                                  **CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations [#4063][aes-4063]

                                  Version 10.0.14393| |**KW** (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048)

                                  AES [validation number 4064][aes-4064]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#4062][aes-4062]

                                  Version 10.0.14393| -|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                                  AES [validation number 4064][aes-4064]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations [#4061][aes-4061]

                                  Version 10.0.14393| +|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                                  AES [validation number 4064][aes-4064]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations [#4061][aes-4061]

                                  Version 10.0.14393| |**KW** (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

                                  AES [validation number 3629][aes-3629]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" Cryptography Next Generation (CNG) Implementations [#3652][aes-3652]

                                  Version 10.0.10586| -|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                                  AES [validation number 3629][aes-3629]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" BitLocker® Cryptographic Implementations [#3653][aes-3653]

                                  Version 10.0.10586| +|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                                  AES [validation number 3629][aes-3629]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" BitLocker® Cryptographic Implementations [#3653][aes-3653]

                                  Version 10.0.10586| |**ECB** (e/d; 128, 192, 256);

                                  **CBC** (e/d; 128, 192, 256);

                                  **CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" RSA32 Algorithm Implementations [#3630][aes-3630]

                                  Version 10.0.10586| |**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);

                                  **CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)

                                  **CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                                  **CMAC (Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                                  **GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

                                  (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)v**IV Generated:** (Externally); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported

                                  GMAC supported

                                  **XTS((KS: XTS_128**((e/d) (f)) **KS: XTS_256**((e/d) (f))|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" SymCrypt Cryptographic Implementations [#3629][aes-3629]

                                  Version 10.0.10586| |**KW** (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

                                  AES [validation number 3497][aes-3497]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#3507][aes-3507]

                                  Version 10.0.10240| -|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                                  AES [validation number 3497][aes-3497]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations [#3498][aes-3498]

                                  Version 10.0.10240| +|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                                  AES [validation number 3497][aes-3497]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations [#3498][aes-3498]

                                  Version 10.0.10240| |**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);

                                  **CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)

                                  **CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                                  **CMAC(Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                                  **GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

                                  (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

                                  **IV Generated:** (Externally); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported

                                  GMAC supported

                                  **XTS((KS: XTS_128**((e/d)(f)) **KS: XTS_256**((e/d)(f))|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#3497][aes-3497]

                                  Version 10.0.10240| |**ECB** (e/d; 128, 192, 256);

                                  **CBC** (e/d; 128, 192, 256);

                                  **CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations [#3476][aes-3476]

                                  Version 10.0.10240| |**ECB** (e/d; 128, 192, 256);

                                  **CBC** (e/d; 128, 192, 256);

                                  **CFB8** (e/d; 128, 192, 256);|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations [#2853][aes-2853]

                                  Version 6.3.9600| |**CCM (KS: 256)** (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                                  AES [validation number 2832][aes-2832]|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BitLocker Cryptographic Implementations [#2848][aes-2848]

                                  Version 6.3.9600| |**CCM (KS: 128, 192, 256)** (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 0 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                                  **CMAC (Generation/Verification) (KS: 128**; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                                  **GCM (KS: AES_128**(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

                                  **(KS: AES_256**(e/d) Tag Length(s): 128 120 112 104 96)

                                  **IV Generated:** (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96 bit IV supported;

                                  **OtherIVLen_Supported

                                  GMAC supported**|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #[2832][aes-2832]

                                  Version 6.3.9600| |**CCM (KS: 128, 192, 256**) **(Assoc. Data Len Range**: 0-0, 2^16) **(Payload Length Range**: 0 - 32 (**Nonce Length(s)**: 7 8 9 10 11 12 13 **(Tag Length(s)**: 4 6 8 10 12 14 16)

                                  AES [validation number 2197][aes-2197]

                                  **CMAC** (Generation/Verification) **(KS: 128;** Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16) **(KS: 192**; Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16) **(KS: 256**; Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16)

                                  AES [validation number 2197][aes-2197]

                                  **GCM(KS: AES_128**(e/d) Tag Length(s): 128 120 112 104 96) **(KS: AES_192**(e/d) Tag Length(s): 128 120 112 104 96)

                                  **(KS: AES_256**(e/d) Tag Length(s): 128 120 112 104 96)

                                  **IV Generated:** (Externally); **PT Lengths Tested:** (0, 128, 1024, 8, 1016); **Additional authenticated data lengths tested:** (0, 128, 1024, 8, 1016); **IV Lengths Tested:** (8, 1024); **96 bit IV supported

                                  GMAC supported**|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#2216][aes-2216]| -|**CCM (KS: 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 0 - 32 (**Nonce Length(s)**: 12 **(Tag Length(s)**: 16)

                                  AES [validation number 2196][aes-2196]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations [#2198][aes-2198]| +|**CCM (KS: 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 0 - 32 (**Nonce Length(s)**: 12 **(Tag Length(s)**: 16)

                                  AES [validation number 2196][aes-2196]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations [#2198][aes-2198]| |**ECB** (e/d; 128, 192, 256);

                                  **CBC** (e/d; 128, 192, 256);

                                  **CFB8** (e/d; 128, 192, 256);

                                  **CFB128** (e/d; 128, 192, 256);

                                  **CTR** (int only; 128, 192, 256)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) [#2197][aes-2197]| |**ECB** (e/d; 128, 192, 256);

                                  **CBC** (e/d; 128, 192, 256);

                                  **CFB8** (e/d; 128, 192, 256);|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) [#2196][aes-2196]| |**CCM (KS: 128, 192, 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 0 - 32 **(Nonce Length(s):** 7 8 9 10 11 12 13 **(Tag Length(s): **4 6 8 10 12 14 16**)**

                                  AES [validation number 1168][aes-1168]|Windows Server 2008 R2 and SP1 CNG algorithms [#1187][aes-1187]

                                  Windows 7 Ultimate and SP1 CNG algorithms [#1178][aes-1178]| @@ -842,7 +843,7 @@ For more details, expand each algorithm section. |

                                  **HMAC-SHA1** (Key Sizes Ranges Tested: KSBS)
                                  SHS[validation number 2886][shs-2886]

                                  **HMAC-SHA256** (Key Size Ranges Tested: KSBS)
                                  SHS[validation number 2886][shs-2886]

                                  **HMAC-SHA384** (Key Size Ranges Tested: KSBS)
                                  [ SHSvalidation number 2886][shs-2886]

                                  **HMAC-SHA512** (Key Size Ranges Tested: KSBS)
                                  SHS[validation number 2886][shs-2886]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#2233][hmac-2233]

                                  Version 10.0.10240| |

                                  **HMAC-SHA1** (Key Sizes Ranges Tested: KSBS)
                                  SHS [validation number 2373][shs-2373]

                                  **HMAC-SHA256** (Key Size Ranges Tested: KSBS)
                                  SHS [validation number 2373][shs-2373]

                                  **HMAC-SHA384** (Key Size Ranges Tested: KSBS)
                                  SHS [validation number 2373][shs-2373]

                                  **HMAC-SHA512** (Key Size Ranges Tested: KSBS)
                                  SHS [validation number 2373][shs-2373]|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations [#1773][hmac-1773]

                                  Version 6.3.9600| |

                                  **HMAC-SHA1** (Key Sizes Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]

                                  **HMAC-SHA256** (Key Size Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]

                                  **HMAC-SHA384** (Key Size Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]

                                  **HMAC-SHA512** (Key Size Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]|Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) [#2122][hmac-2122]

                                  Version 5.2.29344| -|

                                  **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[#1902][shs-1902]

                                  **HMAC-SHA256 (Key Size Ranges Tested: KS**[#1902][shs-1902]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #[1347][hmac-1347]| +|

                                  **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[#1902][shs-1902]

                                  **HMAC-SHA256 (Key Size Ranges Tested: KS**[#1902][shs-1902]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #[1347][hmac-1347]| |

                                  **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS**[#1902][shs-1902]

                                  **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS**[#1902][shs-1902]

                                  **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS**[#1902][shs-1902]

                                  **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS**[#1902][shs-1902]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #[1346][hmac-1346]| |

                                  **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)**
                                  **SHS**[#1903][shs-1903]

                                  **HMAC-SHA256 (Key Size Ranges Tested: KSBS)**
                                  **SHS**[#1903][shs-1903]

                                  **HMAC-SHA384 (Key Size Ranges Tested: KSBS)**
                                  **SHS**[#1903][shs-1903]

                                  **HMAC-SHA512 (Key Size Ranges Tested: KSBS)**
                                  **SHS**[#1903][shs-1903]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #[1345][hmac-1345]| |

                                  **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]

                                  **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]
                                  **Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]

                                  **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]|Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll), [#1364][hmac-1364]| diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md deleted file mode 100644 index 6fb73d0cd6..0000000000 --- a/windows/security/threat-protection/get-support-for-security-baselines.md +++ /dev/null 
@@ -1,82 +0,0 @@
----
-title: Get support
-description: Frequently asked questions about how to get support for Windows baselines and the Security Compliance Toolkit (SCT).
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dulcemontemayor
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 06/25/2018
-ms.reviewer:
-ms.technology: itpro-security
----
-
-# Get Support for Windows baselines
-
-## Frequently asked questions
-
-### What is the Microsoft Security Compliance Manager (SCM)?
-
-The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we've moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
-
-For more information, see [Security Compliance Manager (SCM) retired; new tools and procedures](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
-
-### Where can I get an older version of a Windows baseline?
-
-Any version of Windows baseline before Windows 10 version 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. To see if your version of Windows baseline is available on SCT, see the [Version matrix](#version-matrix).
-
-- [SCM 4.0 download](https://www.microsoft.com/download/details.aspx?id=53353)
-- [SCM frequently asked questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
-- [SCM release notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
-- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
-
-### What file formats are supported by the new SCT?
-
-The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. A local group policy object (LGPO) also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. The `.cab` files from SCM are no longer supported.
-
-### Does SCT support the Desired State Configuration (DSC) file format?
-
-Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We're currently developing a tool to provide customers with these features.
-
-### Does SCT support the creation of Microsoft Configuration Manager DCM packs?
-
-No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). A tool that supports conversion of GPO backups to DSC format is the [BaselineManagement module](https://github.com/Microsoft/BaselineManagement).
-
-### Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?
-
-No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved.
The new toolkit also doesn't include SCAP support. - -## Version matrix - -### Client versions - -| Name | Build | Baseline release date | Security tools | -|---|---|---|---| -| Windows 10 | [Version 1709](/archive/blogs/secguide/security-baseline-for-windows-10-fall-creators-update-v1709-draft)

                                  [Version 1703](/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final)

                                  [Version 1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)

                                  [1511 (TH2)](/archive/blogs/secguide/security-baseline-for-windows-10-v1511-threshold-2-final)

                                  [1507 (TH1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2017

                                  August 2017

                                  October 2016

                                  January 2016

                                  January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -| Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | - -### Server versions - -| Name | Build | Baseline release date | Security tools | -|---|---|---|---| -|Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -|Windows Server 2012 R2|[SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)| -|Windows Server 2012|[Technet](/previous-versions/tn-archive/jj898542(v=technet.10)) |2012| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | - -### Microsoft products - -| Name | Details | Security tools | -|--|--|--| -| Internet Explorer 11 | [SecGuide](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -| Exchange Server 2010 | [Technet](/previous-versions/tn-archive/hh913521(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | -| Exchange Server 2007 | [Technet](/previous-versions/tn-archive/hh913520(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | -| Microsoft Office 2010 | [Technet](/previous-versions/tn-archive/gg288965(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | -| Microsoft Office 2007 SP2 | [Technet](/previous-versions/tn-archive/cc500475(v=technet.10)) | [SCM 
4.0](https://www.microsoft.com/download/details.aspx?id=53353) | - -> [!NOTE] -> Browser baselines are built-in to new OS versions starting with Windows 10. - -## See also - -[Windows security baselines](windows-security-baselines.md) diff --git a/windows/security/threat-protection/images/AH_icon.png b/windows/security/threat-protection/images/AH_icon.png deleted file mode 100644 index 3fae6eba9a..0000000000 Binary files a/windows/security/threat-protection/images/AH_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/SS_icon.png b/windows/security/threat-protection/images/SS_icon.png deleted file mode 100644 index e69ea2a796..0000000000 Binary files a/windows/security/threat-protection/images/SS_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/TVM_icon.png b/windows/security/threat-protection/images/TVM_icon.png deleted file mode 100644 index 63f8c75929..0000000000 Binary files a/windows/security/threat-protection/images/TVM_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/Untitled-1.png b/windows/security/threat-protection/images/Untitled-1.png deleted file mode 100644 index 7e4e011d4f..0000000000 Binary files a/windows/security/threat-protection/images/Untitled-1.png and /dev/null differ diff --git a/windows/security/threat-protection/images/air-icon.png b/windows/security/threat-protection/images/air-icon.png deleted file mode 100644 index 985e3e4429..0000000000 Binary files a/windows/security/threat-protection/images/air-icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/asr-icon.png b/windows/security/threat-protection/images/asr-icon.png deleted file mode 100644 index bf649e87ec..0000000000 Binary files a/windows/security/threat-protection/images/asr-icon.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/asr-notif.png b/windows/security/threat-protection/images/asr-notif.png deleted file mode 100644 index 2f8eb02556..0000000000 Binary files a/windows/security/threat-protection/images/asr-notif.png and /dev/null differ diff --git a/windows/security/threat-protection/images/asr-rules-gp.png b/windows/security/threat-protection/images/asr-rules-gp.png deleted file mode 100644 index fa6285cb56..0000000000 Binary files a/windows/security/threat-protection/images/asr-rules-gp.png and /dev/null differ diff --git a/windows/security/threat-protection/images/asr-test-tool.png b/windows/security/threat-protection/images/asr-test-tool.png deleted file mode 100644 index 569ee7a256..0000000000 Binary files a/windows/security/threat-protection/images/asr-test-tool.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-allow-app-ps.png b/windows/security/threat-protection/images/cfa-allow-app-ps.png deleted file mode 100644 index f93dbe34e3..0000000000 Binary files a/windows/security/threat-protection/images/cfa-allow-app-ps.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-allow-app.png b/windows/security/threat-protection/images/cfa-allow-app.png deleted file mode 100644 index afb220f764..0000000000 Binary files a/windows/security/threat-protection/images/cfa-allow-app.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-allow-folder-ps.png b/windows/security/threat-protection/images/cfa-allow-folder-ps.png deleted file mode 100644 index 88cd35c6ce..0000000000 Binary files a/windows/security/threat-protection/images/cfa-allow-folder-ps.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/cfa-audit-gp.png b/windows/security/threat-protection/images/cfa-audit-gp.png deleted file mode 100644 index 89abf15424..0000000000 Binary files a/windows/security/threat-protection/images/cfa-audit-gp.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-filecreator.png b/windows/security/threat-protection/images/cfa-filecreator.png deleted file mode 100644 index 96e6874361..0000000000 Binary files a/windows/security/threat-protection/images/cfa-filecreator.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-gp-enable.png b/windows/security/threat-protection/images/cfa-gp-enable.png deleted file mode 100644 index f8d3056d80..0000000000 Binary files a/windows/security/threat-protection/images/cfa-gp-enable.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-notif.png b/windows/security/threat-protection/images/cfa-notif.png deleted file mode 100644 index 62ca8c3021..0000000000 Binary files a/windows/security/threat-protection/images/cfa-notif.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-on.png b/windows/security/threat-protection/images/cfa-on.png deleted file mode 100644 index 7441a54834..0000000000 Binary files a/windows/security/threat-protection/images/cfa-on.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-prot-folders.png b/windows/security/threat-protection/images/cfa-prot-folders.png deleted file mode 100644 index a61b54a696..0000000000 Binary files a/windows/security/threat-protection/images/cfa-prot-folders.png and /dev/null differ diff --git a/windows/security/threat-protection/images/check-no.png b/windows/security/threat-protection/images/check-no.png deleted file mode 100644 index 040c7d2f63..0000000000 Binary files a/windows/security/threat-protection/images/check-no.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/images/create-endpoint-protection-profile.png deleted file mode 100644 index f9a64efbd7..0000000000 Binary files a/windows/security/threat-protection/images/create-endpoint-protection-profile.png and /dev/null differ diff --git a/windows/security/threat-protection/images/create-exploit-guard-policy.png b/windows/security/threat-protection/images/create-exploit-guard-policy.png deleted file mode 100644 index 1253d68613..0000000000 Binary files a/windows/security/threat-protection/images/create-exploit-guard-policy.png and /dev/null differ diff --git a/windows/security/threat-protection/images/edr-icon.png b/windows/security/threat-protection/images/edr-icon.png deleted file mode 100644 index 8c750dee42..0000000000 Binary files a/windows/security/threat-protection/images/edr-icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/enable-cfa-app-allow.png b/windows/security/threat-protection/images/enable-cfa-app-allow.png deleted file mode 100644 index ddf0ca23e9..0000000000 Binary files a/windows/security/threat-protection/images/enable-cfa-app-allow.png and /dev/null differ diff --git a/windows/security/threat-protection/images/enable-cfa-app-folder.png b/windows/security/threat-protection/images/enable-cfa-app-folder.png deleted file mode 100644 index 7401e1e87f..0000000000 Binary files a/windows/security/threat-protection/images/enable-cfa-app-folder.png and /dev/null differ diff --git a/windows/security/threat-protection/images/enable-cfa-app.png b/windows/security/threat-protection/images/enable-cfa-app.png deleted file mode 100644 index f8e4dc98d1..0000000000 Binary files a/windows/security/threat-protection/images/enable-cfa-app.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/enable-cfa-intune.png b/windows/security/threat-protection/images/enable-cfa-intune.png deleted file mode 100644 index 620d786868..0000000000 Binary files a/windows/security/threat-protection/images/enable-cfa-intune.png and /dev/null differ diff --git a/windows/security/threat-protection/images/enable-ep-intune.png b/windows/security/threat-protection/images/enable-ep-intune.png deleted file mode 100644 index e89118fd47..0000000000 Binary files a/windows/security/threat-protection/images/enable-ep-intune.png and /dev/null differ diff --git a/windows/security/threat-protection/images/enable-np-intune.png b/windows/security/threat-protection/images/enable-np-intune.png deleted file mode 100644 index 604dceff4c..0000000000 Binary files a/windows/security/threat-protection/images/enable-np-intune.png and /dev/null differ diff --git a/windows/security/threat-protection/images/ep-default.png b/windows/security/threat-protection/images/ep-default.png deleted file mode 100644 index eafac1db7a..0000000000 Binary files a/windows/security/threat-protection/images/ep-default.png and /dev/null differ diff --git a/windows/security/threat-protection/images/ep-prog.png b/windows/security/threat-protection/images/ep-prog.png deleted file mode 100644 index d36cdd8498..0000000000 Binary files a/windows/security/threat-protection/images/ep-prog.png and /dev/null differ diff --git a/windows/security/threat-protection/images/event-viewer-import.png b/windows/security/threat-protection/images/event-viewer-import.png deleted file mode 100644 index 96d12d3af1..0000000000 Binary files a/windows/security/threat-protection/images/event-viewer-import.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/event-viewer.gif b/windows/security/threat-protection/images/event-viewer.gif deleted file mode 100644 index 7909bfe728..0000000000 Binary files a/windows/security/threat-protection/images/event-viewer.gif and /dev/null differ diff --git a/windows/security/threat-protection/images/events-create.gif b/windows/security/threat-protection/images/events-create.gif deleted file mode 100644 index 68f057de3a..0000000000 Binary files a/windows/security/threat-protection/images/events-create.gif and /dev/null differ diff --git a/windows/security/threat-protection/images/events-import.gif b/windows/security/threat-protection/images/events-import.gif deleted file mode 100644 index 55e77c546f..0000000000 Binary files a/windows/security/threat-protection/images/events-import.gif and /dev/null differ diff --git a/windows/security/threat-protection/images/exp-prot-gp.png b/windows/security/threat-protection/images/exp-prot-gp.png deleted file mode 100644 index d7b921aa69..0000000000 Binary files a/windows/security/threat-protection/images/exp-prot-gp.png and /dev/null differ diff --git a/windows/security/threat-protection/images/get-support.png b/windows/security/threat-protection/images/get-support.png deleted file mode 100644 index 427ba670de..0000000000 Binary files a/windows/security/threat-protection/images/get-support.png and /dev/null differ diff --git a/windows/security/threat-protection/images/lab-creation-page.png b/windows/security/threat-protection/images/lab-creation-page.png deleted file mode 100644 index 75540493da..0000000000 Binary files a/windows/security/threat-protection/images/lab-creation-page.png and /dev/null differ diff --git a/windows/security/threat-protection/images/linux-mdatp-1.png b/windows/security/threat-protection/images/linux-mdatp-1.png deleted file mode 100644 index f8c9c07b16..0000000000 Binary files a/windows/security/threat-protection/images/linux-mdatp-1.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/linux-mdatp.png b/windows/security/threat-protection/images/linux-mdatp.png deleted file mode 100644 index f8c9c07b16..0000000000 Binary files a/windows/security/threat-protection/images/linux-mdatp.png and /dev/null differ diff --git a/windows/security/threat-protection/images/mobile-security-guide-fig1.png b/windows/security/threat-protection/images/mobile-security-guide-fig1.png deleted file mode 100644 index 4bdc6c0c9c..0000000000 Binary files a/windows/security/threat-protection/images/mobile-security-guide-fig1.png and /dev/null differ diff --git a/windows/security/threat-protection/images/mobile-security-guide-fig2.png b/windows/security/threat-protection/images/mobile-security-guide-fig2.png deleted file mode 100644 index becb48f0ed..0000000000 Binary files a/windows/security/threat-protection/images/mobile-security-guide-fig2.png and /dev/null differ diff --git a/windows/security/threat-protection/images/mobile-security-guide-figure3.png b/windows/security/threat-protection/images/mobile-security-guide-figure3.png deleted file mode 100644 index f78d187b04..0000000000 Binary files a/windows/security/threat-protection/images/mobile-security-guide-figure3.png and /dev/null differ diff --git a/windows/security/threat-protection/images/mobile-security-guide-figure4.png b/windows/security/threat-protection/images/mobile-security-guide-figure4.png deleted file mode 100644 index 6f9b3725f8..0000000000 Binary files a/windows/security/threat-protection/images/mobile-security-guide-figure4.png and /dev/null differ diff --git a/windows/security/threat-protection/images/mte-icon.png b/windows/security/threat-protection/images/mte-icon.png deleted file mode 100644 index 1d5693a399..0000000000 Binary files a/windows/security/threat-protection/images/mte-icon.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/ngp-icon.png b/windows/security/threat-protection/images/ngp-icon.png deleted file mode 100644 index 9aca3db517..0000000000 Binary files a/windows/security/threat-protection/images/ngp-icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/np-notif.png b/windows/security/threat-protection/images/np-notif.png deleted file mode 100644 index 69eb1bbeee..0000000000 Binary files a/windows/security/threat-protection/images/np-notif.png and /dev/null differ diff --git a/windows/security/threat-protection/images/powershell-example.png b/windows/security/threat-protection/images/powershell-example.png deleted file mode 100644 index 4ec2be97af..0000000000 Binary files a/windows/security/threat-protection/images/powershell-example.png and /dev/null differ diff --git a/windows/security/threat-protection/images/sccm-asr-blocks.png b/windows/security/threat-protection/images/sccm-asr-blocks.png deleted file mode 100644 index 00225ec18c..0000000000 Binary files a/windows/security/threat-protection/images/sccm-asr-blocks.png and /dev/null differ diff --git a/windows/security/threat-protection/images/sccm-asr-rules.png b/windows/security/threat-protection/images/sccm-asr-rules.png deleted file mode 100644 index dfb1cb201b..0000000000 Binary files a/windows/security/threat-protection/images/sccm-asr-rules.png and /dev/null differ diff --git a/windows/security/threat-protection/images/sccm-cfa-block.png b/windows/security/threat-protection/images/sccm-cfa-block.png deleted file mode 100644 index 2868712541..0000000000 Binary files a/windows/security/threat-protection/images/sccm-cfa-block.png and /dev/null differ diff --git a/windows/security/threat-protection/images/sccm-cfa.png b/windows/security/threat-protection/images/sccm-cfa.png deleted file mode 100644 index bd2e57d73f..0000000000 Binary files a/windows/security/threat-protection/images/sccm-cfa.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/sccm-ep-xml.png b/windows/security/threat-protection/images/sccm-ep-xml.png deleted file mode 100644 index d7a896332a..0000000000 Binary files a/windows/security/threat-protection/images/sccm-ep-xml.png and /dev/null differ diff --git a/windows/security/threat-protection/images/sccm-ep.png b/windows/security/threat-protection/images/sccm-ep.png deleted file mode 100644 index 1d16250401..0000000000 Binary files a/windows/security/threat-protection/images/sccm-ep.png and /dev/null differ diff --git a/windows/security/threat-protection/images/sccm-np-block.png b/windows/security/threat-protection/images/sccm-np-block.png deleted file mode 100644 index 0655fdad69..0000000000 Binary files a/windows/security/threat-protection/images/sccm-np-block.png and /dev/null differ diff --git a/windows/security/threat-protection/images/sccm-np.png b/windows/security/threat-protection/images/sccm-np.png deleted file mode 100644 index a9f11a2e95..0000000000 Binary files a/windows/security/threat-protection/images/sccm-np.png and /dev/null differ diff --git a/windows/security/threat-protection/images/seccon-framework.png b/windows/security/threat-protection/images/seccon-framework.png deleted file mode 100644 index 06f66acf99..0000000000 Binary files a/windows/security/threat-protection/images/seccon-framework.png and /dev/null differ diff --git a/windows/security/threat-protection/images/security-compliance-toolkit-1.png b/windows/security/threat-protection/images/security-compliance-toolkit-1.png deleted file mode 100644 index 270480af39..0000000000 Binary files a/windows/security/threat-protection/images/security-compliance-toolkit-1.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/security-control-classification.png b/windows/security/threat-protection/images/security-control-classification.png deleted file mode 100644 index 75467f2098..0000000000 Binary files a/windows/security/threat-protection/images/security-control-classification.png and /dev/null differ diff --git a/windows/security/threat-protection/images/security-control-deployment-methodologies.png b/windows/security/threat-protection/images/security-control-deployment-methodologies.png deleted file mode 100644 index 4f869474e2..0000000000 Binary files a/windows/security/threat-protection/images/security-control-deployment-methodologies.png and /dev/null differ diff --git a/windows/security/threat-protection/images/security-update.png b/windows/security/threat-protection/images/security-update.png deleted file mode 100644 index f7ca20f34e..0000000000 Binary files a/windows/security/threat-protection/images/security-update.png and /dev/null differ diff --git a/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg b/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg deleted file mode 100644 index e79d2b057d..0000000000 Binary files a/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg and /dev/null differ diff --git a/windows/security/threat-protection/images/svg/check-no.svg b/windows/security/threat-protection/images/svg/check-no.svg deleted file mode 100644 index 89a87afa8b..0000000000 --- a/windows/security/threat-protection/images/svg/check-no.svg +++ /dev/null @@ -1,7 +0,0 @@ - - Check mark no - - \ No newline at end of file diff --git a/windows/security/threat-protection/images/svg/check-yes.svg b/windows/security/threat-protection/images/svg/check-yes.svg deleted file mode 100644 index 483ff5fefc..0000000000 --- a/windows/security/threat-protection/images/svg/check-yes.svg +++ /dev/null @@ -1,7 +0,0 @@ - - Check mark yes - - \ No newline at end of file 
diff --git a/windows/security/threat-protection/images/tpm-capabilities.png b/windows/security/threat-protection/images/tpm-capabilities.png deleted file mode 100644 index aecbb68522..0000000000 Binary files a/windows/security/threat-protection/images/tpm-capabilities.png and /dev/null differ diff --git a/windows/security/threat-protection/images/tpm-remote-attestation.png b/windows/security/threat-protection/images/tpm-remote-attestation.png deleted file mode 100644 index fa092591a1..0000000000 Binary files a/windows/security/threat-protection/images/tpm-remote-attestation.png and /dev/null differ diff --git a/windows/security/threat-protection/images/turn-windows-features-on-or-off.png b/windows/security/threat-protection/images/turn-windows-features-on-or-off.png deleted file mode 100644 index 8d47a53b51..0000000000 Binary files a/windows/security/threat-protection/images/turn-windows-features-on-or-off.png and /dev/null differ diff --git a/windows/security/threat-protection/images/vbs-example.png b/windows/security/threat-protection/images/vbs-example.png deleted file mode 100644 index 6a1cc80fd4..0000000000 Binary files a/windows/security/threat-protection/images/vbs-example.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wanna1.png b/windows/security/threat-protection/images/wanna1.png deleted file mode 100644 index e90d1cc12c..0000000000 Binary files a/windows/security/threat-protection/images/wanna1.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wanna2.png b/windows/security/threat-protection/images/wanna2.png deleted file mode 100644 index 7b4a1dcd97..0000000000 Binary files a/windows/security/threat-protection/images/wanna2.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/wanna3.png b/windows/security/threat-protection/images/wanna3.png deleted file mode 100644 index 9b0b176366..0000000000 Binary files a/windows/security/threat-protection/images/wanna3.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wanna4.png b/windows/security/threat-protection/images/wanna4.png deleted file mode 100644 index 17fefde707..0000000000 Binary files a/windows/security/threat-protection/images/wanna4.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wanna5.png b/windows/security/threat-protection/images/wanna5.png deleted file mode 100644 index 92ecf67d20..0000000000 Binary files a/windows/security/threat-protection/images/wanna5.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wanna6.png b/windows/security/threat-protection/images/wanna6.png deleted file mode 100644 index 26824af34d..0000000000 Binary files a/windows/security/threat-protection/images/wanna6.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wanna7.png b/windows/security/threat-protection/images/wanna7.png deleted file mode 100644 index 634bd1449d..0000000000 Binary files a/windows/security/threat-protection/images/wanna7.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wanna8.png b/windows/security/threat-protection/images/wanna8.png deleted file mode 100644 index 59b42eb6f6..0000000000 Binary files a/windows/security/threat-protection/images/wanna8.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wdatp-pillars2.png b/windows/security/threat-protection/images/wdatp-pillars2.png deleted file mode 100644 index 8a67d190b7..0000000000 Binary files a/windows/security/threat-protection/images/wdatp-pillars2.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/wdeg.png b/windows/security/threat-protection/images/wdeg.png deleted file mode 100644 index 312167da41..0000000000 Binary files a/windows/security/threat-protection/images/wdeg.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png deleted file mode 100644 index 01801a519d..0000000000 Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png deleted file mode 100644 index 38404d7569..0000000000 Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-export.png b/windows/security/threat-protection/images/wdsc-exp-prot-export.png deleted file mode 100644 index eac90e96f5..0000000000 Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-export.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png deleted file mode 100644 index 53edeb6135..0000000000 Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wdsc-exp-prot.png b/windows/security/threat-protection/images/wdsc-exp-prot.png deleted file mode 100644 index 67abde13e0..0000000000 Binary files a/windows/security/threat-protection/images/wdsc-exp-prot.png and /dev/null differ 
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
deleted file mode 100644
index 307fd1ee4b..0000000000
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ /dev/null
@@ -1,44 +0,0 @@ ---- -title: Guide to removing Microsoft Baseline Security Analyzer (MBSA) -description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions. -ms.prod: windows-client -ms.localizationpriority: medium -ms.author: dansimp -author: dansimp -ms.reviewer: -manager: aaroncz -ms.technology: itpro-security -ms.date: 12/31/2017 -ms.topic: article ---- - -# What is Microsoft Baseline Security Analyzer and its uses? - -Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. - -MBSA was largely used in situations where Microsoft Update a local WSUS or Configuration Manager server wasn't available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 isn't updated to fully support Windows 10 and Windows Server 2016. - -> [!NOTE] -> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file. 
- -## The Solution -A script can help you with an alternative to MBSA’s patch-compliance checking: - -- [Using WUA to Scan for Updates Offline](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script. -For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0). - -For example: - -[![VBS script.](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) -[![PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) - -The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. -The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers. - -## More Information - -For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit. - -- [Windows security baselines](windows-security-baselines.md) -- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319) -- [Microsoft Security Guidance blog](/archive/blogs/secguide/) \ No newline at end of file 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index 816d5da3f4..a2c40f975e 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -222,8 +222,13 @@ sections: - question: | What does the _Allow users to trust files that open in Microsoft Defender Application Guard_ option in the Group policy do? answer: | - This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office. - + This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office. + + - question: | How do I open a support ticket for Microsoft Defender Application Guard? answer: | - Visit [Create a new support request](https://support.serviceshub.microsoft.com/supportforbusiness/create). - Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**. additionalContent: |
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png
deleted file mode 100644
index 08cb4d5676..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png
deleted file mode 100644
index 9e58d99ead..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png
deleted file mode 100644
index 877b707030..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png
deleted file mode 100644
index 5172022256..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index ad5d373c27..43d0713f40 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -15,6 +15,7 @@ ms.custom: asr ms.technology: itpro-security ms.collection: - highpri + - tier2 ms.topic: how-to ---
@@ -98,7 +99,7 @@ Application Guard functionality is turned off by default. However, you can quick :::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune."::: -1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
                                  +1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
                                  1. In the **Platform** list, select **Windows 10 and later**. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 6b284c9344..afc6aaef79 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -15,6 +15,7 @@ ms.custom: asr ms.technology: itpro-security ms.collection: - highpri + - tier2 ms.topic: conceptual --- diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png deleted file mode 100644 index daa96d291d..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg deleted file mode 100644 index 21a6b4f235..0000000000 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg +++ /dev/null @@ -1,3 +0,0 @@ - - - \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg deleted file mode 100644 index ab2d5152ca..0000000000 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg +++ /dev/null 
@@ -1,20 +0,0 @@ - - - - - - - - - - MsPortalFx.base.images-10 - - - - - - - - - - \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg deleted file mode 100644 index dbbad7d780..0000000000 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg +++ /dev/null @@ -1,3 +0,0 @@ - - - \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg deleted file mode 100644 index 06ab4c09d7..0000000000 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg +++ /dev/null @@ -1,22 +0,0 @@ - - - - - - - - - - - - - - - - - - - Icon-general-18 - - - \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png deleted file mode 100644 index a3286fb528..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png deleted file mode 100644 index e51cd9384c..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 393d33b206..ba53584a0f 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -10,6 +10,7 @@ manager: aaroncz ms.technology: itpro-security adobe-target: true ms.collection: + - tier2 - highpri ms.date: 12/31/2017 ms.topic: article
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
deleted file mode 100644
index 0ee92c6736..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
+++ /dev/null
@@ -1,89 +0,0 @@ ---- -title: Set up and use Microsoft Defender SmartScreen on individual devices (Windows) -description: Learn how employees can use Windows Security to set up Microsoft Defender SmartScreen. Microsoft Defender SmartScreen protects users from running malicious apps. -ms.prod: windows-client -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 10/13/2017 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.technology: itpro-security -ms.topic: how-to ---- - -# Set up and use Microsoft Defender SmartScreen on individual devices - -**Applies to:** -- Windows 10, version 1703 -- Windows 11 -- Microsoft Edge - -Microsoft Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files. - -## How users can use Windows Security to set up Microsoft Defender SmartScreen -Starting with Windows 10, version 1703, users can use Windows Security to set up Microsoft Defender SmartScreen for an individual device; unless an administrator has used Group Policy or Microsoft Intune to prevent it. - ->[!NOTE] ->If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee. - -**To use Windows Security to set up Microsoft Defender SmartScreen on a device** -1. Open the Windows Security app, and then select **App & browser control** > **Reputation-based protection settings**. - -2. In the **Reputation-based protection** screen, choose from the following options: - - - In the **Check apps and files** area: - - - **On.** Warns users that the apps and files being downloaded from the web are potentially dangerous but allows the action to continue. 
- - - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files. - - - In the **Microsoft Defender SmartScreen for Microsoft Edge** area: - - - **On.** Warns users that sites and downloads are potentially dangerous but allows the action to continue while running in Microsoft Edge. - - - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files. - - In the **Potentially unwanted app blocking** area: - - - **On.** Turns on both the 'Block apps' and 'Block downloads settings. To learn more, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md#potentially-unwanted-application-pua). - - **Block apps.** This setting will prevent new apps from installing on the device and warn users of apps that are existing on the device. - - - **Block downloads.** This setting will alert users and stop the downloads of apps in the Microsoft Edge browser (based on Chromium). - - - **Off.** Turns off Potentially unwanted app blocking, so a user isn't alerted or stopped from downloading or installing potentially unwanted apps. - - - In the **Microsoft Defender SmartScreen from Microsoft Store apps** area: - - - **On.** Warns users that the sites and downloads used by Microsoft Store apps are potentially dangerous but allows the action to continue. - - - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. 
- - ![Windows Security, Microsoft Defender SmartScreen controls.](images/windows-defender-smartscreen-control-2020.png) - -## How Microsoft Defender SmartScreen works when a user tries to run an app -Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization. - -By default, users can bypass Microsoft Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Microsoft Defender SmartScreen (not recommended). - -## How users can report websites as safe or unsafe -Microsoft Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11. - -**To report a website as safe from the warning message** -- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions. - -**To report a website as unsafe from Microsoft Edge** -- If a site seems potentially dangerous, users can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**. 
- -**To report a website as unsafe from Internet Explorer 11** -- If a site seems potentially dangerous, users can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**. - -## Related topics -- [Threat protection](../index.md) - -- [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md) - ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index e6f9bec119..969423ed4a 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md @@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 08/16/2021 ms.technology: itpro-security @@ -23,7 +24,7 @@ ms.technology: itpro-security **Applies to** - Windows 11 -- Windows 10 +- Windows 10 Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. @@ -47,7 +48,7 @@ It's advisable to set **Account lockout duration** to approximately 15 minutes. ### Default values -The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page. | Server type or Group Policy Object (GPO) | Default value | | - | - | 
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
index 7436c55ccd..1aa90a6526 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
@@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 11/02/2018 ms.technology: itpro-security
@@ -34,7 +35,7 @@ The **Account lockout threshold** policy setting determines the number of failed Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks. However, it's important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of **Account lockout threshold**, the attacker could potentially lock every account. -Failed attempts to unlock a workstation can cause account lockout even if the [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) security option is disabled. Windows doesn’t need to contact a domain controller for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a domain controller in case you had changed your password from another machine. +Failed attempts to unlock a workstation can cause account lockout even if the [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) security option is disabled. Windows doesn't need to contact a domain controller for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a domain controller in case you had changed your password from another machine. ### Possible values 
@@ -46,7 +47,7 @@ Because vulnerabilities can exist when this value is configured and when it's no ### Best practices -The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](../windows-security-baselines.md) recommend a value of 10 could be an acceptable starting point for your organization. +The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend a value of 10 could be an acceptable starting point for your organization. As with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). 
@@ -116,7 +117,7 @@ Because vulnerabilities can exist when this value is configured and when it's no - Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account. - [Windows security baselines](../windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack. + [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack. Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it's needed to help mitigate massive lockouts caused by an attack on your systems. diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md index bd80ebe594..760392434f 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md 
@@ -27,7 +27,7 @@ Describes the best practices, location, values, management, and security conside ## Reference -This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more information, see [Microsoft Accounts](../../identity-protection/access-control/microsoft-accounts.md). +This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more information, see [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts). There are two options if this setting is enabled:
diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
index 5c6402aa17..ed12776057 100644
--- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
+++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
@@ -28,6 +28,7 @@ Describes the best practices, location, values, policy management, and security ## Reference The **Act as part of the operating system** policy setting determines whether a process can assume the identity of any user and thereby gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this user right. Potential access isn't limited to what is associated with the user by default. The calling process may request that arbitrary extra privileges be added to the access token. The calling process may also build an access token that doesn't provide a primary identity for auditing in the system event logs. + Constant: SeTcbPrivilege ### Possible values
diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
index 82c3f5ffc9..cc0957e9e8 100644
--- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
+++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
@@ -29,9 +29,11 @@ Describes the best practices, location, values, policy management, and security This user right determines if users can create a symbolic link from the device they're logged on to. -A symbolic link is a file-system object that points to another file-system object that is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links. +A symbolic link is a file system object that points to another file system object that is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links. + +> [!WARNING] +> This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. ->**Warning:**   This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Constant: SeCreateSymbolicLinkPrivilege ### Possible values
diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
index 8cdc5e7f53..f28c135001 100644
--- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
@@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png b/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png
deleted file mode 100644
index 52acafba66..0000000000
Binary files a/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png and /dev/null differ
diff --git a/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png b/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png
deleted file mode 100644
index 858be4e70e..0000000000
Binary files a/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png and /dev/null differ
diff --git a/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png b/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png
deleted file mode 100644
index 2efa6877c8..0000000000
Binary files a/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png and /dev/null differ
diff --git a/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md b/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md
deleted file mode 100644
index f0dbde13f1..0000000000
--- a/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md
+++ /dev/null
@@ -1,10 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 1/4/2019 -ms.reviewer: -manager: aaroncz -ms.topic: include -ms.prod: m365-security ---- -Using SMB packet signing can degrade performance on file service transactions, depending on the version of SMB and available CPU cycles.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
index b65e3da751..41c09e6eb4 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
@@ -14,6 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 09/18/2018 ms.technology: itpro-security
@@ -29,7 +30,7 @@ Describes the best practices, location, values, management, and security conside
 ## Reference
-Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy **User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy.
+Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user's session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy **User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy.
 > [!NOTE]
 > If the **Interactive logon: Machine inactivity limit** security policy setting is configured, the device locks not only when inactive time exceeds the inactivity limit, but also when the screensaver activates or when the display turns off because of power settings.
@@ -42,7 +43,7 @@ If **Machine will be locked after** is set to zero (0) or has no value (blank),
 ### Best practices
-Set the time for elapsed user-input inactivity based on the device’s usage and location requirements. For example, if the device or device is in a public area, you might want to have the device automatically lock after a short period of inactivity to prevent unauthorized access. However, if the device is used by an individual or group of trusted individuals, such as in a restricted manufacturing area, automatically locking the device might hinder productivity.
+Set the time for elapsed user-input inactivity based on the device's usage and location requirements. For example, if the device or device is in a public area, you might want to have the device automatically lock after a short period of inactivity to prevent unauthorized access. However, if the device is used by an individual or group of trusted individuals, such as in a restricted manufacturing area, automatically locking the device might hinder productivity.
 ### Location
@@ -52,7 +53,7 @@ Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Pol
 ### Default values
-The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
+The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.
 | Server type or GPO | Default value |
 | - | - |
@@ -85,7 +86,7 @@ This policy setting helps you prevent unauthorized access to devices under your
 ### Countermeasure
-Set the time for elapsed user-input inactivity time by using the security policy setting **Interactive logon: Machine inactivity limit** based on the device’s usage and location requirements.
+Set the time for elapsed user-input inactivity time by using the security policy setting **Interactive logon: Machine inactivity limit** based on the device's usage and location requirements.
 ### Potential impact
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
index 91919d8ae3..92341b9213 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
@@ -52,7 +52,7 @@ encrypting the information and keeping the cached credentials in the system's re
 ### Best practices
-The [Windows security baselines](../windows-security-baselines.md) don't recommend configuring this setting.
+The [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) don't recommend configuring this setting.
 ### Location
diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
index d7510658e7..5f6ed628f4 100644
--- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
+++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
@@ -33,7 +33,8 @@ Normally, an application running on Windows can negotiate for more physical memo
 Enabling this policy setting for a specific account (a user account or a process account for an application) prevents paging of the data. Thereby, the amount of memory that Windows can reclaim under pressure is limited. This limitation could lead to performance degradation.
->**Note:**  By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system.
+> [!NOTE]
+> By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system.
 Constant: SeLockMemoryPrivilege
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
index bcdeda1852..5eb5a6a0b4 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
index 02c1a25fd5..f9b90574fd 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
@@ -35,7 +35,7 @@ The **Minimum password age** policy setting determines the period of time (in da
 ### Best practices
-[Windows security baselines](../windows-security-baselines.md) recommend setting **Minimum password age** to one day.
+[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend setting **Minimum password age** to one day.
 Setting the number of days to 0 allows immediate password changes. This setting isn't recommended. Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again.
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
index cde1a5df8b..b74a12c22c 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 03/30/2022
 ms.technology: itpro-security
@@ -50,7 +51,7 @@ In addition, requiring long passwords can actually decrease the security of an o
 ### Default values
-The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
+The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page.
 | Server type or Group Policy Object (GPO) | Default value |
 | - | - |
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 67f28accd4..42cb403da5 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -11,6 +11,7 @@ ms.reviewer:
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index a9b0b1ae89..465adda6a7 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -9,6 +9,7 @@ author: vinaypamnani-msft
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
index e1585d602e..23edb11516 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
@@ -75,7 +76,7 @@ HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
 ### Default values
-The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
+The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.
 | Server type or GPO | Default value |
 | - | - |
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index c7b9c6ad9d..b84eb1eaf9 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.technology: itpro-security
 ms.date: 12/31/2017
@@ -112,4 +113,4 @@ The use of ALT key character combinations may greatly enhance the complexity of
 ## Related articles
-- [Password Policy](password-policy.md)
+- [Password Policy](/microsoft-365/admin/misc/password-policy-recommendations)
diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md
index b4163b8525..e28f4796b7 100644
--- a/windows/security/threat-protection/security-policy-settings/password-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/password-policy.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
index 1891e3b322..275d4a0bd8 100644
--- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
+++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
@@ -40,7 +40,7 @@ The disadvantage of a high setting is that users lock themselves out for an inco
 Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements.
-[Windows security baselines](../windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
+[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
 ### Location
@@ -69,7 +69,7 @@ Users can accidentally lock themselves out of their accounts if they mistype the
 ### Countermeasure
-[Windows security baselines](../windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15.
+[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15.
 ### Potential impact
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index 79136b00da..e5a2bba1d9 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index f8f1af1c61..205e5f9c9a 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -59,7 +59,7 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP
 We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it's operating in FIPS 140-2 approved mode.
-For a complete list of Microsoft-recommended configuration settings, see [Windows security baselines](../windows-security-baselines.md). For more information about Windows and FIPS 140-2, see [FIPS 140 Validation](../fips-140-validation.md).
+For a complete list of Microsoft-recommended configuration settings, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines). For more information about Windows and FIPS 140-2, see [FIPS 140 Validation](../fips-140-validation.md).
 ### Location
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
index aa32f66540..1d3ea2ed65 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
@@ -1,70 +1,61 @@ --- -title: Behavior of the elevation prompt for standard users (Windows 10) +title: Behavior of the elevation prompt for standard users description: Learn about best practices, security considerations, and more for the policy setting, User Account Control Behavior of the elevation prompt for standard users. -ms.assetid: 1eae7def-8f6c-43b6-9474-23911fdc01ba -ms.reviewer: ms.author: vinpa ms.prod: windows-client -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz -audience: ITPro ms.topic: conceptual -ms.date: 10/11/2021 +ms.date: 01/18/2023 ms.technology: itpro-security --- # User Account Control: Behavior of the elevation prompt for standard users **Applies to** -- Windows 11 -- Windows 10 +- Windows 11 +- Windows 10 Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for standard users** security policy setting. -## Reference - This policy setting determines the behavior of the elevation prompt for standard users. -### Possible values +## Possible values -- **Automatically deny elevation requests** +- **Automatically deny elevation requests** - This option returns an “Access denied” error message to standard users when they try to perform an operation that requires elevation of privilege. Most organizations that run desktops as standard users configure this policy to reduce Help Desk calls. + This option returns an *Access denied* error message to standard users when they try to perform an operation that requires elevation of privilege. Most organizations that run desktops as standard users configure this policy to reduce help desk calls. -- **Prompt for credentials on the secure desktop** +- **Prompt for credentials on the secure desktop** - This prompt for credentials is the default. 
When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -- **Prompt for credentials** +- **Prompt for credentials** - An operation that requires elevation of privilege prompts the user to type an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + An operation that requires elevation of privilege prompts the user to type an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. This is the default value. -### Best practices +## Best practices -1. Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. -2. As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, set **Prompt for credentials on the secure desktop** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account. +1. Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. +2. 
As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, set **Prompt for credentials on the secure desktop** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account. -### Location +## Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options -### Default values +## Default values -The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page. | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Prompt for credentials on the secure desktop| -| DC Effective Default Settings | Prompt for credentials on the secure desktop| -| Member Server Effective Default Settings | Prompt for credentials on the secure desktop| -| Client Computer Effective Default Settings | Prompt for credentials on the secure desktop| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Prompt for credentials on the secure desktop| +| DC Effective Default Settings | Prompt for credentials on the secure desktop| +| Member Server Effective Default Settings | Prompt for credentials on the secure desktop| +| Client Computer Effective Default Settings | Prompt for credentials on the secure desktop| + ## Policy management This section describes features and tools that are available to help you manage this policy. 
@@ -87,7 +78,7 @@ One of the risks that the UAC feature tries to mitigate is that of malicious pro
 ### Countermeasure
-Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account.
+Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials on the secure desktop** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account.
 ### Potential impact
diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
index 0439fc8ee1..7e7e14c8c0 100644
--- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
+++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 12/16/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index f9355db522..cacb1ef857 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -68,6 +68,8 @@ href: wdac-wizard-create-supplemental-policy.md
 - name: Editing a WDAC policy with the Wizard
 href: wdac-wizard-editing-policy.md
+ - name: Creating WDAC Policy Rules from WDAC Events
+ href: wdac-wizard-parsing-event-logs.md
 - name: Merging multiple WDAC policies with the Wizard
 href: wdac-wizard-merging-policies.md
 - name: WDAC deployment guide
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index c2987aea45..bf315dd58b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 10/16/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
index 642b8ea960..56ce82d42e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -38,15 +38,16 @@ To use AppLocker, you need: - For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules. - Devices running a supported operating system to enforce the AppLocker rules that you create. ->**Note:**  You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md). +>[!NOTE] +>As of [KB 5024351](https://support.microsoft.com/help/5024351), Windows 10 versions 2004 and newer and all Windows 11 versions no longer require a specific edition of Windows to enforce AppLocker policies ## Operating system requirements -The following table shows the on which operating systems AppLocker features are supported. +The following table shows the Windows versions on which AppLocker features are supported. | Version | Can be configured | Can be enforced | Available rules | Notes | | - | - | - | - | - | -| Windows 10 and Windows 11| Yes| Yes| Packaged apps
                                  Executable
                                  Windows Installer
                                  Script
                                  DLL| You can use the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) to configure AppLocker policies on any edition of Windows 10 and Windows 11 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 and Windows 11 Enterprise, Windows 10 and Windows 11 Education, and Windows Server 2016. | +| Windows 10 and Windows 11| Yes| Yes| Packaged apps
                                  Executable
                                  Windows Installer
                                  Script
                                  DLL| Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).

                                  Windows versions older than version 2004, including Windows Server 2019:

                                  • Policies deployed through GP are only supported on Enterprise and Server editions.
                                  • Policies deployed through MDM are supported on all editions.
                                  | | Windows Server 2019
                                  Windows Server 2016
                                  Windows Server 2012 R2
                                  Windows Server 2012| Yes| Yes| Packaged apps
                                  Executable
                                  Windows Installer
                                  Script
                                  DLL| | | Windows 8.1 Pro| Yes| No| N/A|| | Windows 8.1 Enterprise| Yes| Yes| Packaged apps
                                  Executable
                                  Windows Installer
                                  Script
                                  DLL| | @@ -54,16 +55,19 @@ The following table shows the on which operating systems AppLocker features are | Windows 8 Pro| Yes| No| N/A|| | Windows 8 Enterprise| Yes| Yes| Packaged apps
                                  Executable
                                  Windows Installer
                                  Script
                                  DLL|| | Windows RT| No| No| N/A| | -| Windows Server 2008 R2 Standard| Yes| Yes| Executable
                                  Windows Installer
                                  Script
                                  DLL| Packaged app rules will not be enforced.| -| Windows Server 2008 R2 Enterprise|Yes| Yes| Executable
                                  Windows Installer
                                  Script
                                  DLL| Packaged app rules will not be enforced.| -| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable
                                  Windows Installer
                                  Script
                                  DLL| Packaged app rules will not be enforced.| -| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable
                                  Windows Installer
                                  Script
                                  DLL| Packaged app rules will not be enforced.| -| Windows 7 Ultimate| Yes| Yes| Executable
                                  Windows Installer
                                  Script
                                  DLL| Packaged app rules will not be enforced.| -| Windows 7 Enterprise| Yes| Yes| Executable
                                  Windows Installer
                                  Script
                                  DLL| Packaged app rules will not be enforced.| +| Windows Server 2008 R2 Standard| Yes| Yes| Executable
                                  Windows Installer
                                  Script
                                  DLL| Packaged app rules won't be enforced.| +| Windows Server 2008 R2 Enterprise|Yes| Yes| Executable
                                  Windows Installer
                                  Script
                                  DLL| Packaged app rules won't be enforced.| +| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable
                                  Windows Installer
                                  Script
                                  DLL| Packaged app rules won't be enforced.| +| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable
                                  Windows Installer
                                  Script
                                  DLL| Packaged app rules won't be enforced.| +| Windows 7 Ultimate| Yes| Yes| Executable
                                  Windows Installer
                                  Script
                                  DLL| Packaged app rules won't be enforced.| +| Windows 7 Enterprise| Yes| Yes| Executable
                                  Windows Installer
                                  Script
                                  DLL| Packaged app rules won't be enforced.| | Windows 7 Professional| Yes| No| Executable
                                  Windows Installer
                                  Script
                                  DLL| No AppLocker rules are enforced.| -AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems. +AppLocker isn't supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature isn't supported on the above operating systems. + +>[!NOTE] +>You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md). ## See also - [Administer AppLocker](administer-applocker.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 4c9e95f7c1..00a6cb48d3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -1,6 +1,6 @@ --- title: Using Event Viewer with AppLocker (Windows) -description: This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. +description: This article lists AppLocker events and describes how to use Event Viewer with AppLocker. ms.assetid: 109abb10-78b1-4c29-a576-e5a17dfeb916 ms.reviewer: ms.author: vinpa @@ -14,7 +14,7 @@ manager: aaroncz audience: ITPro ms.topic: conceptual ms.technology: itpro-security -ms.date: 12/31/2017 +ms.date: 02/02/2023 --- # Using Event Viewer with AppLocker 
@@ -28,41 +28,44 @@ ms.date: 12/31/2017 >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. +This article lists AppLocker events and describes how to use Event Viewer with AppLocker. -The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains detailed info about: +The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains details such as the following information: -- Which file is affected and the path of that file -- Which packaged app is affected and the package identifier of the app -- Whether the file or packaged app is allowed or blocked -- The rule type (path, file hash, or publisher) -- The rule name -- The security identifier (SID) for the user or group identified in the rule +- Which file is affected and the path of that file +- Which packaged app is affected and the package identifier of the app +- Whether the file or packaged app is allowed or blocked +- The rule type (path, file hash, or publisher) +- The rule name +- The security identifier (SID) for the user or group identified in the rule -Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%). +Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. 
For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example, `%SystemDrive%`). For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). +> [!NOTE] +> The AppLocker event logs are very verbose and can result in a large number of events depending on the policies deployed, particularly in the *AppLocker - EXE and DLL* event log. If you're using an event forwarding and collection service, like LogAnalytics, you may want to adjust the configuration for that event log to only collect Error events or stop collecting events from that log altogether. + **To review the AppLocker log in Event Viewer** -1. Open Event Viewer. -2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, click **AppLocker**. +1. Open Event Viewer. +2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, select **AppLocker**. The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules. | Event ID | Level | Event message | Description | -| - | - | - | - | -| 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| +| --- | --- | --- | --- | +| 8000 | Error| Application Identity Policy conversion failed. Status * <%1> *| Indicates that the policy wasn't applied correctly to the computer. 
The status message is provided for troubleshooting purposes.| | 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| -| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| -| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | -| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.| -| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| -| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. | -| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. 
The script or .msi file can't run.| +| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| +| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.| +| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| +| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. 
The script or .msi file can't run.| | 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| | 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| -| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| +| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| | 8022| Information| Packaged app disabled.| Added in Windows Server 2012 and Windows 8.| | 8023 | Information| Packaged app installation allowed.| Added in Windows Server 2012 and Windows 8.| | 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.| @@ -83,8 +86,7 @@ The following table contains information about the events that you can use to de | 8040 | Error | Package family name * version * was prevented from installing or updating due to Config CI policy | Added in Windows Server 2016 and Windows 10.| -## Related topics +## Related articles - [Tools to use with AppLocker](tools-to-use-with-applocker.md) - diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md deleted file mode 100644 index acdfc6b79b..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ /dev/null 
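Review bot: The new NOTE's advice to "only collect Error events" from the *AppLocker - EXE and DLL* log discards the audit-mode signal: the table in this same hunk lists 8003 as a Warning-level event that is "Applied only when the **Audit only** enforcement mode is enabled", and the paragraph above the NOTE tells readers to review those entries to find apps their generated rules miss (8006 plays the same role for scripts and .msi files). The advice is fine for an enforced policy, where 8004/8007 blocks are logged at Error level, so it should be scoped to that case, e.g. `Once the policy is in **Enforce rules** mode, you may want to adjust the configuration for that event log to only collect Error events; while a policy is in **Audit only** mode, keep Warning events (8003, 8006), since they are the only record of what would have been blocked.` The identical NOTE is added to configure-authorized-apps-deployed-with-a-managed-installer.md in a later hunk and needs the same qualification.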
@@ -1,165 +0,0 @@ ---- -title: Use audit events to create then enforce WDAC policy rules (Windows) -description: Learn how audits allow admins to discover apps, binaries, and scripts that should be added to a WDAC policy, then learn how to switch that WDAC policy from audit to enforced mode. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: windows-client -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -author: jsuther1974 -ms.reviewer: jogeurte -ms.author: vinpa -manager: aaroncz -ms.date: 05/03/2021 -ms.technology: itpro-security -ms.topic: article ---- - -# Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced - -**Applies to:** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). - -Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your Windows Defender Application Control policy (WDAC) but should be included. - -While a WDAC policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new WDAC policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed. - -## Overview of the process to create WDAC policy to allow apps using audit events - -> [!NOTE] -> You must have already deployed a WDAC audit mode policy to use this process. 
If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md). - -To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy. - -1. Install and run an application not allowed by the WDAC policy but that you want to allow. - -2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md). - - **Figure 1. Exceptions to the deployed WDAC policy**
                                  - - ![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png) - -3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. - - ```powershell - $PolicyName= "Lamna_FullyManagedClients_Audit" - $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml" - $EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml" - $EventsPolicyWarnings=$env:userprofile+"\Desktop\EventsPolicyWarnings.txt" - ``` - -4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**. - - ```powershell - New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings - ``` - - > [!NOTE] - > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md). - -5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. 
You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](wdac-wizard-editing-policy.md)). - -6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level. - - > [!NOTE] - > New-CIPolicy only creates rules for files that can still be found on disk. Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the WDAC policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**. - -7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy. - - For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md). - -8. Convert the Base or Supplemental policy to binary and deploy using your preferred method. - -## Convert WDAC **BASE** policy from audit to enforced - -As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. 
- -**Alice Pena** is the IT team lead responsible for Lamna's WDAC rollout. - -Alice previously created and deployed a policy for the organization's [fully managed devices](create-wdac-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode. - -1. Initialize the variables that will be used and create the enforced policy by copying the audit version. - - ```powershell - $EnforcedPolicyName = "Lamna_FullyManagedClients_Enforced" - $AuditPolicyXML = $env:USERPROFILE+"\Desktop\Lamna_FullyManagedClients_Audit.xml" - $EnforcedPolicyXML = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+".xml" - cp $AuditPolicyXML $EnforcedPolicyXML - ``` - -2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new policy a unique ID, and descriptive name. Changing the ID and name lets you deploy the enforced policy side by side with the audit policy. Do this step if you plan to harden your WDAC policy over time. If you prefer to replace the audit policy in-place, you can skip this step. - - ```powershell - $EnforcedPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedPolicyXML -PolicyName $EnforcedPolicyName -ResetPolicyID - $EnforcedPolicyID = $EnforcedPolicyID.Substring(11) - ``` - - > [!NOTE] - > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly. - -3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. 
Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment. - - ```powershell - Set-RuleOption -FilePath $EnforcedPolicyXML -Option 9 - Set-RuleOption -FilePath $EnforcedPolicyXML -Option 10 - ``` - -4. Use Set-RuleOption to delete the audit mode rule option, which changes the policy to enforcement: - - ```powershell - Set-RuleOption -FilePath $EnforcedPolicyXML -Option 3 -Delete - ``` - -5. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary: - - > [!NOTE] - > If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML. - - ```powershell - $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml" - ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary - ``` - -## Make copies of any needed **supplemental** policies to use with the enforced base policy - -Since the enforced policy was given a unique PolicyID in the previous procedure, you need to duplicate any needed supplemental policies to use with the enforced policy. Supplemental policies always inherit the Audit or Enforcement mode from the base policy they modify. If you didn't reset the enforcement base policy's PolicyID, you can skip this procedure. - -1. Initialize the variables that will be used and create a copy of the current supplemental policy. Some variables and files from the previous procedure will also be used. 
- - ```powershell - $SupplementalPolicyName = "Lamna_Supplemental1" - $CurrentSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Audit.xml" - $EnforcedSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Enforced.xml" - ``` - -2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new supplemental policy a unique ID and descriptive name, and change which base policy to supplement. - - ```powershell - $SupplementalPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedSupplementalPolicy -PolicyName $SupplementalPolicyName -SupplementsBasePolicyID $EnforcedPolicyID -BasePolicyToSupplementPath $EnforcedPolicyXML -ResetPolicyID - $SupplementalPolicyID = $SupplementalPolicyID.Substring(11) - ``` - - > [!NOTE] - > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly. - -3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC supplemental policy to binary: - - ```powershell - $EnforcedSuppPolicyBinary = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_"+$SupplementalPolicyID+".xml" - ConvertFrom-CIPolicy $EnforcedSupplementalPolicy $EnforcedSuppPolicyBinary - ``` - -4. Repeat the steps above if you have other supplemental policies to update. - -## Deploy your enforced policy and supplemental policies - -Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md). 
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
index c15b97399b..2b03d8a6f4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
@@ -13,7 +13,7 @@ author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 08/26/2022
+ms.date: 02/02/2023
 ms.technology: itpro-security
 ms.topic: article
 ---
@@ -62,6 +62,9 @@ To turn on managed installer tracking, you must: - Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs. - Enable AppLocker's Application Identity and AppLockerFltr services. +> [!NOTE] +> The managed installer AppLocker policy below is designed to be safely merged with any pre-existing AppLocker policies and won't change the behavior of those policies. However, if applied on a device that doesn't currently have any AppLocker policy, you will see a large increase in warning events generated in the *AppLocker - EXE and DLL* event log. If you're using an event forwarding and collection service, like LogAnalytics, you may want to adjust the configuration for that event log to only collect Error events or stop collecting events from that log altogether. + > [!NOTE] > MEMCM will automatically configure itself as a managed installer, and enable the required AppLocker components, if you deploy one of its inbox WDAC policies. If you are configuring MEMCM as a managed installer using any other method, additional setup is required. Use the [**ManagedInstaller** cmdline switch in your ccmsetup.exe setup](/mem/configmgr/core/clients/deploy/about-client-installation-properties#managedinstaller). Or you can deploy one of the MEMCM inbox audit mode policies alongside your custom policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index da03a2f08c..75b9c25b5d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md 
@@ -9,7 +9,7 @@ ms.reviewer: aaroncz
 ms.author: jogeurte
 ms.manager: jsuther
 manager: aaroncz
-ms.date: 12/03/2022
+ms.date: 01/23/2023
 ms.technology: itpro-security
 ms.topic: article
 ms.localizationpriority: medium
@@ -26,18 +26,23 @@ ms.localizationpriority: medium >[!NOTE] >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host. +This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The following instructions use PowerShell but can work with any scripting host. You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). +> [!IMPORTANT] +> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart. +> +> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. 
+ ## Deploying policies for Windows 11 22H2 and above -You can use [citool.exe](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the example below with the actual path to your WDAC policy binary file. +You can use the inbox [CiTool](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the following example with the actual path to your WDAC policy binary file. ```powershell # Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = from the Policy XML) $PolicyBinary = "" -citool.exe --update-policy $PolicyBinary --json +CiTool --update-policy $PolicyBinary [-json] ``` ## Deploying policies for Windows 11, Windows 10 version 1903 and above, and Windows Server 2022 and above 
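Review bot: The rewritten command `CiTool --update-policy $PolicyBinary [-json]` places usage-reference bracket notation inside a fence tagged `powershell` that the preceding sentence tells readers to run after substituting the path, so the brackets will most likely be passed through to CiTool (or rejected by the parser) rather than read as "optional". The same edit also changes the flag spelling from `--json` to `-json`, which looks unintended; confirm the correct form against the linked CiTool reference before keeping either. To keep the fence copy-pasteable, put the bare command `CiTool --update-policy $PolicyBinary` on its own line and describe the switch in a comment above it, e.g. `# append the JSON switch if you want machine-readable output`.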
@@ -92,9 +97,9 @@ Use WMI to apply policies on all other versions of Windows and Windows Server. ## Deploying signed policies -If you are using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the steps outlined above. Unsigned WDAC policies do not need to be present in the EFI partition. Deploying your policy via [Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. +If you're using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the locations outlined in the earlier sections. Unsigned WDAC policies don't need to be present in the EFI partition. -1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt: +1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt: ```powershell $MountPoint = 'C:\EFIMount' diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md index f0c1ff7b47..6562b00f12 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
@@ -13,7 +13,7 @@ author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 10/06/2022
+ms.date: 01/23/2023
 ms.technology: itpro-security
 ms.topic: article
 ---
@@ -28,10 +28,16 @@ ms.topic: article
 > [!NOTE]
 > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
->
-> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
-Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy.
+> [!IMPORTANT]
+> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. Instead of Group Policy, deploy new signed WDAC Base policies [via script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script#deploying-signed-policies) and activate the policy with a system restart.
+>
+> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
+
+Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy.
+
+> [!IMPORTANT]
+> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
You should now have a WDAC policy converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
index 14716db117..804ef93a26 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
@@ -8,7 +8,7 @@ author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 10/06/2022
+ms.date: 01/23/2023
 ms.topic: how-to
 ---
@@ -25,6 +25,11 @@ ms.topic: how-to
 You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
+> [!IMPORTANT]
+> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies [via script](deploy-wdac-policies-with-script.md) and activate the policy with a system restart.
+>
+> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
+
 ## Use Intune's built-in policies
 Intune's built-in Windows Defender Application Control support allows you to configure Windows client computers to only run:
diff --git a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md
index 2414d5dd4e..d8598308cd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md
@@ -9,7 +9,7 @@ ms.reviewer: jogeurte
 ms.author: jogeurte
 ms.manager: jsuther
 manager: aaroncz
-ms.date: 11/02/2022
+ms.date: 02/02/2023
 ms.technology: itpro-security
 ms.topic: article
 ms.localizationpriority: medium
@@ -26,14 +26,19 @@ ms.localizationpriority: medium
 > [!NOTE]
 > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> [!IMPORTANT]
+> Option **11 Disabled:Script Enforcement** is not supported on **Windows Server 2016** and should not be used on that platform. Doing so may result in unexpected script enforcement behaviors.
+
 ## Script enforcement overview
 By default, script enforcement is enabled for all WDAC policies unless the option **11 Disabled:Script Enforcement** is set in the policy. WDAC script enforcement involves a handshake between an enlightened script host, such as PowerShell, and WDAC. The actual enforcement behavior, however, is handled entirely by the script host. Some script hosts, like the Microsoft HTML Application Host (mshta.exe), simply block all code execution if any WDAC UMCI policy is active. Most script hosts first ask WDAC whether a script should be allowed to run based on the WDAC policies currently active. The script host then either blocks, allows, or changes *how* the script is run to best protect the user and the device.
+Validation for signed scripts is done using the [WinVerifyTrust API](/windows/win32/api/wintrust/nf-wintrust-winverifytrust). To pass validation, the signature root must be present in the trusted root store on the device and be allowed by your WDAC policy. This behavior is different from WDAC validation for executable files, which doesn't require installation of the root certificate.
+
 WDAC shares the *AppLocker - MSI and Script* event log for all script enforcement events. Whenever a script host asks WDAC if a script should be allowed, an event will be logged with the answer WDAC returned to the script host.
For more information on WDAC script enforcement events, see [Understanding Application Control events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#windows-applocker-msi-and-script-log).
-> [!IMPORTANT]
-> When a script runs that is not allowed by policy, WDAC raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running.
+> [!NOTE]
+> When a script runs that is not allowed by policy, WDAC raises an event indicating that the script was "blocked." However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running.
 >
 > Also be aware that some script hosts may change how they behave even if a WDAC policy is in audit mode only. You should review the information below for each script host and test thoroughly within your environment to ensure the scripts you need to run are working properly.
@@ -43,7 +48,7 @@ WDAC shares the *AppLocker - MSI and Script* event log for all script enforcemen
 All PowerShell scripts (.ps1), modules (.psm1), and manifests (.psd1) must be allowed by WDAC policy in order to run with Full Language rights.
-Any **dependent modules** that are loaded by an allowed module must also be allowed by WDAC policy, and module functions must be exported explicitly by name when WDAC is enforced. Modules that do not specify any exported functions (no export name list) will still load but no module functions will be accessible. Modules that use wildcards (\*) in their name will fail to load.
+Any **dependent modules** that are loaded by an allowed module must also be allowed by WDAC policy, and module functions must be exported explicitly by name when WDAC is enforced. Modules that don't specify any exported functions (no export name list) will still load but no module functions will be accessible. Modules that use wildcards (\*) in their name will fail to load.
 Any PowerShell script that isn't allowed by WDAC policy will still run, but only in Constrained Language Mode.
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index 0286b18ad3..1d37a88d20 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 11/02/2022
+ms.date: 02/27/2023
 ms.technology: itpro-security
 ---
@@ -35,8 +35,8 @@ When you create policies for use with Windows Defender Application Control (WDAC
 | **Example Base Policy** | **Description** | **Where it can be found** |
 |-------------------------|---------------------------------------------------------------|--------|
-| **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml
                                  %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\DefaultWindows_Audit.xml |
-| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml
                                  %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml |
+| **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for the [Microsoft Intune product family](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml
                                  %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\DefaultWindows_Audit.xml |
+| **AllowMicrosoft.xml** | This example policy is available in enforcement mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml
                                  %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml |
 | **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml |
 | **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml |
 | **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml |
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
index 23e85b02c4..53ab972b90 100644
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@@ -27,7 +27,7 @@ ms.topic: overview
 | Capability | Windows Defender Application Control | AppLocker |
 |-------------|------|-------------|
 | Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Available on Windows 8 or later. |
-| SKU availability | Available on Windows 10, Windows 11, and Windows Server 2016 or later.
                                  WDAC PowerShell cmdlets aren't available on Home edition, but policies are effective on all editions. | Policies deployed through GP are only supported on Enterprise and Server editions.
                                  Policies deployed through MDM are supported on all editions. |
+| SKU availability | Available on Windows 10, Windows 11, and Windows Server 2016 or later.
                                  WDAC PowerShell cmdlets aren't available on Home edition, but policies are effective on all editions. | Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).

                                  Windows versions older than version 2004, including Windows Server 2019:
                                  • Policies deployed through GP are only supported on Enterprise and Server editions.
                                  • Policies deployed through MDM are supported on all editions.
                                  |
 | Management solutions |
                                  • [Intune](./deployment/deploy-windows-defender-application-control-policies-using-intune.md)
                                  • [Microsoft Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via software distribution)
                                  • [Group policy](./deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)
                                  • [Script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script)
                                  |
                                  • [Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
                                  • Configuration Manager (custom policy deployment via software distribution only)
                                  • [Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)
                                  • PowerShell
                                    • |
 | Per-User and Per-User group rules | Not available (policies are device-wide). | Available on Windows 8+. |
 | Kernel mode policies | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Not available. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png b/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png
deleted file mode 100644
index dac1240786..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png b/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png
deleted file mode 100644
index 6d265509ea..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png
deleted file mode 100644
index cefb124344..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png
deleted file mode 100644
index 938e397751..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png
deleted file mode 100644
index 3c93b2b948..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png
deleted file mode 100644
index 4f6746eddf..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png
deleted file mode 100644
index e3729e8214..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png
deleted file mode 100644
index 782c2017ae..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png
deleted file mode 100644
index b9a4b1881f..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png
deleted file mode 100644
index 25f73eb190..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png
deleted file mode 100644
index 3a33c13350..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png b/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png
deleted file mode 100644
index 12ec2b924f..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png
deleted file mode 100644
index 5cdb4cf3c4..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png
deleted file mode 100644
index 8ef2d0e3ce..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png
deleted file mode 100644
index f201956d4d..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png
deleted file mode 100644
index 0c5eacc3f9..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png
deleted file mode 100644
index 98e5507000..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png
deleted file mode 100644
index 1b5483103b..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png
deleted file mode 100644
index c37d55910d..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png
deleted file mode 100644
index e132440266..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png
deleted file mode 100644
index cbd0366eff..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png
deleted file mode 100644
index 4d8325baa6..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png
deleted file mode 100644
index e5ae089d6b..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png
deleted file mode 100644
index 55f5173b03..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-manual-pfn-rule.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-manual-pfn-rule.png
new file mode 100644
index 0000000000..05ca0ca3e4
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-manual-pfn-rule.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-pfn-rule.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-pfn-rule.png
new file mode 100644
index 0000000000..835d8695f9
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-pfn-rule.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files-expanded.png
new file mode 100644
index 0000000000..841b3104fe
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files-expanded.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files.png
new file mode 100644
index 0000000000..75fd7c7798
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export-expanded.png
new file mode 100644
index 0000000000..50dcbf7715
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export-expanded.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export.png
new file mode 100644
index 0000000000..f0e2056bcc
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing-expanded.png
new file mode 100644
index 0000000000..ef32ad6c9a
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing-expanded.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing.png
new file mode 100644
index 0000000000..09e857e82e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system-expanded.png
new file mode 100644
index 0000000000..5b3de97aff
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system-expanded.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system.png
new file mode 100644
index 0000000000..ee1af12b3d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation-expanded.png
new file mode 100644
index 0000000000..5ae44b24cd
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation-expanded.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation.png
new file mode 100644
index 0000000000..4fd2a0813f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png
deleted file mode 100644
index 67df953a08..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml
index 6602ab9a3c..c3ca5cdf0c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/index.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/index.yml
@@ -91,8 +91,10 @@ landingContent:
 links:
 - text: Using signed policies to protect against tampering
 url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
- - text: Audit and enforce policies
- url: audit-and-enforce-windows-defender-application-control-policies.md
+ - text: Audit mode policies
+ url: audit-windows-defender-application-control-policies.md
+ - text: Enforcement mode policies
+ url: enforce-windows-defender-application-control-policies.md
 - text: Disabling WDAC policies
 url: disable-windows-defender-application-control-policies.md
 - linkListType: tutorial
diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
index 5ccc7f5f17..47ef560b03 100644
--- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
@@ -10,142 +10,103 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 05/29/2020 +ms.date: 03/01/2023 ms.technology: itpro-security ms.topic: article --- -# Manage Packaged Apps with Windows Defender Application Control +# Manage Packaged Apps with Windows Defender Application Control **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](feature-availability.md). -This topic for IT professionals describes concepts and lists procedures to help you manage packaged apps with Windows Defender Application Control (WDAC) as part of your overall application control strategy. +This article for IT professionals describes concepts and lists procedures to help you manage packaged apps with Windows Defender Application Control (WDAC) as part of your overall application control strategy. -## Understanding Packaged Apps and Packaged App Installers +## Comparing classic Windows Apps and Packaged Apps -Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. -With packaged apps, it's possible to control the entire app by using a single Windows Defender Application Control rule. 
- -Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, these components don't always share common attributes such as the software’s publisher name, product name, and product version. Therefore, Windows Defender Application Control controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule. +The biggest challenge in adopting application control is the lack of a strong app identity for classic Windows apps, also known as win32 apps. A typical win32 app consists of multiple components, including the installer that is used to install the app, and one or more exes, dlls, or scripts. An app can consist of hundreds or even thousands of individual binaries that work together to deliver the functionality that your users understand as the app. Some of that code may be signed by the software publisher, some may be signed by other companies, and some of it may not be signed at all. Much of the code may be written to disk by a common set of installers, but some may already be installed and some downloaded on demand. Some of the binaries have common resource header metadata, such as product name and product version, but other files won't share that information. So while you want to be able to express rules like "allow app Foo", that isn't something Windows inherently understands for classic Windows apps. Instead, you may have to create many WDAC rules to allow all the files that comprise the app. 
-### Comparing classic Windows Apps and Packaged Apps - -Windows Defender Application Control policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server -2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include: - -- **Installing the apps**   All packaged apps can be installed by a standard user, whereas many classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps. -- **Changing the system state**   Classic Windows apps can be written to change the system state if they're run with administrative privileges. Most packaged apps can't change the system state because they run with limited privileges. When you design your Windows Defender Application Control policies, it's important to understand whether an app that you're allowing can make system-wide changes. -- **Acquiring the apps**   Packaged apps can be acquired through the Store, or by loading using Windows PowerShell cmdlets (which requires a special enterprise license). Classic Windows apps can be acquired through traditional means. - -Windows Defender Application Control uses different rule collections to control packaged apps and classic Windows apps. You have the choice to control one type, the other type, or both. +Packaged apps on the other hand, also known as [MSIX](/windows/msix/overview), ensure that all the files that make up an app share the same identity and have a common signature. 
Therefore, with packaged apps, it's possible to control the entire app with a single WDAC rule. ## Using WDAC to Manage Packaged Apps -Just as there are differences in managing each rule collection, you need to manage the packaged apps with the following strategy: +> [!IMPORTANT] +> When controlling packaged apps, you must choose between signer rules or Package Family Name (PFN) rules. If **any** Package Family Name (PFN) rule is used in your WDAC base policy or one of its supplemental policies, then **all** packaged apps must be controlled exclusively using PFN rules. You can't mix-and-match PFN rules with signature-based rules within a given base policy's scope. This will affect many inbox system apps like the Start menu. You can use wildcards in PFN rules on Windows 11 to simplify the rule creation. -1. Gather information about which packaged apps are running in your environment. +### Creating signature-based rules for Packaged Apps -2. Create WDAC rules for specific packaged apps based on your policy strategies. For more information, see [Deploy Windows Defender Application Control policy (WDAC) rules and file rules](select-types-of-rules-to-create.md). +All of the files that make up an MSIX app are signed with a common catalog signature. You can create a signer rule from the MSIX app's installer file (\.msix or \.msixbundle) or from the AppxSignature.p7x file found in the app's installation folder under %ProgramFiles%\\WindowsApps\\ using the [New-CIPolicyRule](/powershell/module/configci/new-cipolicyrule) PowerShell cmdlet. For example: -3. Continue to update the WDAC policies as new package apps are introduced into your environment. For information on how to do this update, see [Merge WDAC policies](merge-windows-defender-application-control-policies.md). +#### Create signer rule from MSIX/MSIXBUNDLE -## Blocking Packaged Apps - -You can now use `New-CIPolicyRule -Package $Package -Deny` to block packaged apps. 
- -### Blocking Packaged Apps Which Are Installed on the System - -Below are the list of steps you can follow to block one or more packaged apps in the case that the apps are on the system you're using the WDAC PowerShell cmdlets on: - -1. Get the app identifier for an installed package - - ```powershell - $package = Get-AppxPackage -name ** - ``` - Where the name of the app is surrounded by asterisks, for example *windowsstore* - -2. Make a rule by using the New-CIPolicyRule cmdlet - - ```powershell - $Rule = New-CIPolicyRule -Package $package -deny - ``` -3. Repeat for other packages you want to block using $rule +=… - -4. Make a policy for just the blocks you created for packages - - ```powershell - New-CIpolicy -rules $rule -f .\policy.xml -u - ``` - -5. Merge with an existing policy that authorizes the other applications and system components required for your scenario. Here we use the sample Allow Windows policy - - ```powershell - Merge-CIPolicy -PolicyPaths .\policy.xml,C:\windows\Schemas\codeintegrity\examplepolicies\DefaultWindows_Audit.xml -o allowWindowsDenyPackages.xml - ``` - -6. Disable audit mode if needed - - ```powershell - Set-RuleOption -o 3 -Delete .\allowWindowsDenyPackages.xml - ``` - -7. Enable invalidate EAs on reboot - - ```powershell - Set-RuleOption -o 15 .\allowWindowsDenyPackages.xml - ``` - -8. Compile the policy - - ```powershell - ConvertFrom-CIPolicy .\AllowWindowsDenyPackages.xml C:\compiledpolicy.bin - ``` - -9. Install the policy without restarting - - ```powershell - Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = "C:\compiledpolicy.bin"} - ``` - ### Blocking Packaged Apps Which Aren't Installed on the System - -If the app you intend to block isn't installed on the system you're using the WDAC PowerShell cmdlets on, then follow the steps below: - -1. 
Create a dummy rule using Steps 1-5 in the Blocking Packaged Apps Which Are Installed on the System section above - -2. Navigate to the app you want to block on the Store website - -3. Copy the GUID in the URL for the app - - Example: the GUID for the Microsoft To-Do app is 9nblggh5r558 - - `https://www.microsoft.com/p/microsoft-to-do-list-task-reminder/9nblggh5r558?activetab=pivot:overviewtab` -4. Use the GUID in the following REST query URL to retrieve the identifiers for the app - - Example: for the Microsoft To-Do app, the URL would be `https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblggh5r558/applockerdata` - - The URL will return: - - ``` - { "packageFamilyName": "Microsoft.Todos_8wekyb3d8bbwe", - "packageIdentityName": "Microsoft.Todos", - "windowsPhoneLegacyId": "6088f001-776c-462e-984d-25b6399c6607", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" - } - ``` - -5. Use the value returned by the query URL for the packageFamilyName to replace the package name generated earlier in the dummy rule from Step 1. - -## Allowing Packaged Apps -The method for allowing specific packaged apps is similar to the method outlined above for blocking packaged apps, with the only difference being the parameter to the New-CIPolicyRule cmdlet. - -```powershell -$Rule = New-CIPolicyRule -Package $package -allow +```powershell +$FilePath = $env:USERPROFILE+'\Downloads\WDACWizard_2.1.0.1_x64_8wekyb3d8bbwe.MSIX' +$Rules = New-CIPolicyRule -DriverFilePath $FilePath -Level Publisher ``` -Since many system apps are packaged apps, it's recommended that customers rely on the sample policies in `C:\Windows\schemas\CodeIntegrity\ExamplePolicies` to help allow all inbox apps by the Store signature already included in the policies and control apps with deny rules. 
+Then use the [Merge-CIPolicy](/powershell/module/configci/merge-cipolicy) PowerShell cmdlet to merge your new rule into your existing WDAC policy XML. + +#### Create signer rule from AppxSignature.p7x + +```powershell +$FilePath = $env:ProgramFiles+'\WindowsApps\Microsoft.WDAC.WDACWizard_2.1.0.1_x64__8wekyb3d8bbwe\AppxSignature.p7x' +$Rules = New-CIPolicyRule -DriverFilePath $FilePath -Level Publisher +``` + +Then use the [Merge-CIPolicy](/powershell/module/configci/merge-cipolicy) PowerShell cmdlet to merge your new rule into your existing WDAC policy XML. + +### Creating PackageFamilyName rules for Packaged Apps + +#### Create PFN rules from PowerShell + +You can create PFN rules directly from packaged apps that are currently installed using the [Get-AppXPackage](/powershell/module/appx/get-appxpackage) and [New-CIPolicyRule](/powershell/module/configci/new-cipolicyrule) PowerShell cmdlets. For example: + +```powershell +# Query for the packaged apps. This example looks for all packages from Microsoft. +$Packages = Get-AppXPackage -Name Microsoft.* +foreach ($Package in $Packages) +{ + $Rules += New-CIPolicyRule -Package $Package +} +``` + +Then use the [Merge-CIPolicy](/powershell/module/configci/merge-cipolicy) PowerShell cmdlet to merge your new rule(s) into your existing WDAC policy XML. + +#### Create PFN rules using the WDAC Wizard + +##### Create PFN rule from an installed MSIX app + +Use the following steps to create a WDAC PFN rule for an app that is installed on the system: + +1. From the **Policy Signing Rules** page of the [WDAC Wizard](https://aka.ms/wdacwizard), select **Add Custom Rule**. +2. Check **Usermode Rule** as the Rule Scope, if not checked. +3. Select either **Allow** or **Deny** for your Rule Action. +4. Select **Packaged App** for your Rule Type. +5. In the **Package Name** field, enter a string value to search. You can use `?` or `*` wildcards in the search string. Then select **Search**. +6. 
In the results box, check one or more apps for which you want to create rules. +7. Select **Create Rule**. +8. Create any other rules desired, then complete the Wizard. + +![Create PFN rule from WDAC Wizard](images/wdac-wizard-custom-pfn-rule.png) + +##### Create a PFN rule using a custom string + +Use the following steps to create a PFN rule with a custom string value: + +1. Repeat steps 1-4 in the previous example. +2. Check the box labeled **Use Custom Package Family**. The *Search* button label changes to *Create*. +3. In the **Package Name** field, enter a string value for your PFN rule. You can use `?` or `*` wildcards if targeting Windows 11 devices. Then select **Create** +4. In the results box, check one or more apps for which you want to create rules. +5. Select **Create Rule**. +6. Create any other rules desired, then complete the Wizard. + +![Create PFN rule with custom string from WDAC Wizard](images/wdac-wizard-custom-manual-pfn-rule.png)
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index fc266be640..7acb0c4301 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -11,11 +11,12 @@ ms.localizationpriority: medium audience: ITPro ms.collection: - highpri + - tier3 author: jgeurten ms.reviewer: jsuther ms.author: vinpa manager: aaroncz -ms.date: 11/01/2022 +ms.date: 02/08/2023 ms.technology: itpro-security ms.topic: article ---
@@ -72,7 +73,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- ```xml - 10.0.25210.0 + 10.0.25290.0 {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} 
@@ -201,6 +202,56 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -229,11 +280,16 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + + + + + + @@ -413,18 +469,44 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -557,6 +639,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + @@ -713,16 +801,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - @@ -745,37 +823,54 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + - - - - + - + + + + + + + - @@ -785,7 +880,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -797,70 +892,47 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - + + + - + - - - - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + @@ -868,14 +940,232 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
@@ -885,17 +1175,139 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - + + + + - - + + + + - - + + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -927,36 +1339,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -972,24 +1354,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - @@ -998,394 +1362,184 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
@@ -1393,38 +1547,69 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + - + + + + + + + - + + + + + + + + + + + + - + + + + + + @@ -1433,58 +1618,26 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - + 
@@ -1495,675 +1648,776 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + @@ -2179,7 +2433,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - 10.0.25210.0 + 10.0.25290.0 diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md index e9f786a561..ac290b7659 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md 
@@ -11,9 +11,9 @@ ms.prod: windows-client ms.technology: itpro-security --- -# CITool.exe technical reference +# CiTool technical reference -CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. This article describes how to use CI Tool to update and manage policies. CI Tool is currently included in Windows 11, version 22H2. +CiTool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. This article describes how to use CiTool to update and manage policies. CiTool is currently included as part of the Windows image in Windows 11 version 22H2. ## Policy Commands 
@@ -44,33 +44,45 @@ CI Tool makes Windows Defender Application Control (WDAC) policy management easi ## Examples -1. Deploy a WDAC policy onto the system +1. Deploy a WDAC policy ```powershell - PS C:\Users\ CITool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip" - Operation Successful - Press Enter to Continue + CiTool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip" ``` -2. Refresh the WDAC policies +2. Refresh the WDAC policies on the system ```powershell - PS C:\Users\ CITool --refresh - Operation Successful + CiTool --refresh ``` 3. Remove a specific WDAC policy by its policy ID ```powershell - PS C:\Users\ CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}" - Operation Successful - Press Enter to Continue + CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}" ``` -4. Display the help menu +4. List the actively enforced WDAC policies on the system ```powershell - PS C:\Users\ CITool -h + $wdacPolicies = (CiTool -lp -json | ConvertFrom-Json).Policies + + # Check each policy's IsEnforced state and return only the enforced policies + foreach($wdacPolicy in $wdacPolicies ){ + + if($wdacPolicy.IsEnforced) + { + Write-Host $wdacPolicy.FriendlyName + Write-Host $wdacPolicy.PolicyID "`n" + } + } + + ``` + +5. Display the help menu + + ```powershell + CiTool -h ----------------------------- Policy Commands --------------------------------- --update-policy /Path/To/Policy/File diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index 9a7322339f..a5642a032c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md 
@@ -9,7 +9,7 @@ ms.reviewer: jogeurte ms.author: jogeurte ms.manager: jsuther manager: aaroncz -ms.date: 07/01/2022 +ms.date: 02/02/2023 ms.technology: itpro-security ms.topic: article ms.localizationpriority: medium @@ -19,7 +19,6 @@ ms.localizationpriority: medium **Applies to:** - - Windows 10 - Windows 11 - Windows Server 2016 and above @@ -27,11 +26,11 @@ ms.localizationpriority: medium > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production. +This article covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production. ## Managed Installer and ISG will cause garrulous events -When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. Beginning with the September 2022 C release, these events will be moved to the verbose channel since the events don't indicate an issue with the policy. +When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events have been moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy. ## .NET native images may generate false positive block events 
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index d14c84c13f..9672782041 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -13,7 +13,7 @@ author: jgeurten ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz -ms.date: 08/29/2022 +ms.date: 01/23/2023 ms.technology: itpro-security ms.topic: article ---
@@ -96,7 +96,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the | **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. | | **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than other certificate levels, so the Windows Defender Application Control policy must be updated whenever these certificates change. | | **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root certificate because the scan doesn't validate anything beyond the certificates included in the provided signature (it doesn't go online or check local root stores). | -| **RootCertificate** | Currently unsupported. | +| **RootCertificate** | This level may produce an overly permissive policy and isn't recommended for most use cases. | | **WHQL** | Trusts binaries if they've been validated and signed by WHQL. This level is primarily for kernel binaries. | | **WHQLPublisher** | This level combines the WHQL level and the CN on the leaf certificate, and is primarily for kernel binaries. | | **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This level is primarily for kernel binaries. | 
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
index b4c9fd2969..73c7ef9d1e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
@@ -10,7 +10,7 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: jgeurten -ms.reviewer: isbrahm +ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz ms.topic: conceptual
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md
new file mode 100644
index 0000000000..c89baad871
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md
@@ -0,0 +1,141 @@ +--- +title: Windows Defender Application Control Wizard WDAC Event Parsing +description: Creating WDAC policy rules from the WDAC event logs and the MDE Advanced Hunting WDAC events. +keywords: WDAC event parsing, allow listing, block listing, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: windows-client +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +author: jgeurten +ms.reviewer: jsuther1974 +ms.author: vinpa +manager: aaroncz +ms.topic: conceptual +ms.date: 02/01/2023 +ms.technology: itpro-security +--- + +# Creating WDAC Policy Rules from WDAC Events in the Wizard + +**Applies to** + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). + +As of [version 2.2.0.0](https://webapp-wdac-wizard.azurewebsites.net/archives.html), the WDAC Wizard supports creating WDAC policy rules from the following event log types: + +1. [WDAC event log events on the system](#wdac-event-viewer-log-parsing) +2. [Exported WDAC events (EVTX files) from any system](#wdac-event-log-file-parsing) +3. [Exported WDAC events from MDE Advanced Hunting](#mde-advanced-hunting-wdac-event-parsing) + + +## WDAC Event Viewer Log Parsing + +To create rules from the WDAC event logs on the system: + +1. Select **Policy Editor** from the WDAC Wizard main page. +2. Select **Convert Event Log to a WDAC Policy**. +3. Select the **Parse Event Logs** button under the **Parse Event Logs from the System Event Viewer to Policy** header. + + The Wizard will parse the relevant audit and block events from the CodeIntegrity (WDAC) Operational and AppLocker MSI and Script logs. You'll see a notification when the Wizard successfully finishes reading the events. 
+ + > [!div class="mx-imgBorder"] + > [![Parse WDAC and AppLocker event log system events](images/wdac-wizard-event-log-system.png)](images/wdac-wizard-event-log-system-expanded.png) + +4. Select the Next button to view the audit and block events and create rules. +5. [Generate rules from the events](#creating-policy-rules-from-the-events). + +## WDAC Event Log File Parsing + +To create rules from the WDAC `.EVTX` event logs files on the system: + +1. Select **Policy Editor** from the WDAC Wizard main page. +2. Select **Convert Event Log to a WDAC Policy**. +3. Select the **Parse Log File(s)** button under the **Parse Event Log evtx Files to Policy** header. +4. Select the WDAC CodeIntegrity Event log EVTX file(s) from the disk to parse. + + The Wizard will parse the relevant audit and block events from the selected log files. You'll see a notification when the Wizard successfully finishes reading the events. + + > [!div class="mx-imgBorder"] + > [![Parse evtx file WDAC events](images/wdac-wizard-event-log-files.png)](images/wdac-wizard-event-log-files-expanded.png) + +5. Select the Next button to view the audit and block events and create rules. +6. [Generate rules from the events](#creating-policy-rules-from-the-events). + +## MDE Advanced Hunting WDAC Event Parsing + +To create rules from the WDAC events in [MDE Advanced Hunting](querying-application-control-events-centrally-using-advanced-hunting.md): + +1. Navigate to the Advanced Hunting section within the MDE console and query the WDAC events. 
**The Wizard requires the following fields** in the Advanced Hunting csv file export: + + ```KQL + | project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName + ``` + + The following Advanced Hunting query is recommended: + + ```KQL + DeviceEvents + // Take only WDAC events + | where ActionType startswith 'AppControlCodeIntegrity' + // SigningInfo Fields + | extend IssuerName = parsejson(AdditionalFields).IssuerName + | extend IssuerTBSHash = parsejson(AdditionalFields).IssuerTBSHash + | extend PublisherName = parsejson(AdditionalFields).PublisherName + | extend PublisherTBSHash = parsejson(AdditionalFields).PublisherTBSHash + // Audit/Block Fields + | extend AuthenticodeHash = parsejson(AdditionalFields).AuthenticodeHash + | extend PolicyId = parsejson(AdditionalFields).PolicyID + | extend PolicyName = parsejson(AdditionalFields).PolicyName + // Keep only required fields for the WDAC Wizard + | project Timestamp,DeviceId,DeviceName,ActionType,FileName,FolderPath,SHA1,SHA256,IssuerName,IssuerTBSHash,PublisherName,PublisherTBSHash,AuthenticodeHash,PolicyId,PolicyName + ``` + +2. Export the WDAC event results by selecting the **Export** button in the results view. + + > [!div class="mx-imgBorder"] + > [![Export the MDE Advanced Hunting results to CSV](images/wdac-wizard-event-log-mde-ah-export.png)](images/wdac-wizard-event-log-mde-ah-export-expanded.png) + +3. Select **Policy Editor** from the WDAC Wizard main page. +4. Select **Convert Event Log to a WDAC Policy**. +5. Select the **Parse Log File(s)** button under the "Parse MDE Advanced Hunting Events to Policy" header. +6. Select the WDAC MDE Advanced Hunting export CSV files from the disk to parse. + + The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. 
You'll see a notification when the Wizard successfully finishes reading the events. + + > [!div class="mx-imgBorder"] + > [![Parse the Advanced Hunting CSV WDAC event files](images/wdac-wizard-event-log-mde-ah-parsing.png)](images/wdac-wizard-event-log-mde-ah-parsing-expanded.png) + +7. Select the Next button to view the audit and block events and create rules. +8. [Generate rules from the events](#creating-policy-rules-from-the-events). + +## Creating Policy Rules from the Events + +On the "Configure Event Log Rules" page, the unique WDAC log events will be shown in the table. Event Ids, filenames, product names, the policy name that audited or blocked the file, and the file publisher are all shown in the table. The table can be sorted alphabetically by clicking on any of the headers. + +To create a rule and add it to the WDAC policy: + +1. Select an audit or block event in the table by selecting the row of interest. +2. Select a rule type from the dropdown. The Wizard supports creating Publisher, Path, File Attribute, Packaged App and Hash rules. +3. Select the attributes and fields that should be added to the policy rules using the checkboxes provided for the rule type. +4. Select the **Add Allow Rule** button to add the configured rule to the policy generated by the Wizard. The "Added to policy" label will be added to the selected row confirming that the rule will be generated. + + > [!div class="mx-imgBorder"] + > [![Adding a publisher rule to the WDAC policy](images/wdac-wizard-event-rule-creation.png)](images/wdac-wizard-event-rule-creation-expanded.png) + +5. Select the **Next** button to output the policy. Once generated, the event log policy should be merged with your base or supplemental policies. + +> [!WARNING] +> It is not recommended to deploy the event log policy on its own, as it likely lacks rules to authorize Windows and may cause blue screens. 
+ + +## Up next + +- [Merging Windows Defender Application Control (WDAC) policies using the Wizard](wdac-wizard-merging-policies.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index 938e4370ae..a961918d5c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -8,7 +8,7 @@ author: jgeurten ms.reviewer: aaroncz ms.author: jogeurte manager: jsuther -ms.date: 10/06/2022 +ms.date: 01/23/2023 ms.topic: overview --- @@ -55,6 +55,11 @@ All Windows Defender Application Control policy changes should be deployed in au ## Choose how to deploy WDAC policies +> [!IMPORTANT] +> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. We recommend [deploying via script](deployment/deploy-wdac-policies-with-script.md) in this case. +> +> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. + There are several options to deploy Windows Defender Application Control policies to managed endpoints, including: - [Deploy using a Mobile Device Management (MDM) solution](deployment/deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune 
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index 6ac671b28d..9f5f66cd38 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -11,6 +11,7 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 author: vinaypamnani-msft
 ms.reviewer: isbrahm
 ms.author: vinpa
@@ -38,7 +39,7 @@ In most organizations, information is the most valuable asset, and ensuring that
 Application control can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes).
 
-Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand the significance of application control and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
+Application control is a crucial line of defense for protecting enterprises given today's threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand the significance of application control and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
 
 > [!NOTE]
 > Although application control can significantly harden your computers against malicious code, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png
deleted file mode 100644
index 363648cbc0..0000000000
Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png
deleted file mode 100644
index eec35c6dcf..0000000000
Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png
deleted file mode 100644
index abf5a30659..0000000000
Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
deleted file mode 100644
index a3773ffe67..0000000000
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
+++ /dev/null
@@ -1,38 +0,0 @@ ---- -title: Manage Windows Security in Windows 10 in S mode -description: Learn how to manage Windows Security settings in Windows 10 in S mode. Windows 10 in S mode is streamlined for tighter security and superior performance. -keywords: windows 10 in s mode, windows 10 s, windows 10 s mode, wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows -search.product: eADQiWindows 10XVcnh -ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: vinaypamnani-msft -ms.author: vinpa -ms.date: 04/30/2018 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-security -ms.topic: how-to ---- - -# Manage Windows Security in Windows 10 in S mode - -**Applies to** - -- Windows 10 in S mode, version 1803 - -Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode, users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra protections against phishing and malicious software. - -The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. - -:::image type="content" alt-text="Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode." 
source="images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png"::: - -For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode). - -## Managing Windows Security settings with Intune - -In the enterprise, you can only manage security settings for devices running Windows 10 in S mode with Microsoft Intune or other mobile device management apps. Windows 10 in S mode prevents making changes via PowerShell scripts. - -For information about using Intune to manage Windows Security settings on your organization's devices, see [Set up Intune](/intune/setup-steps) and [Endpoint protection settings for Windows 10 (and later) in Intune](/intune/endpoint-protection-windows-10). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index 3f25837b24..41b535c96b 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -11,6 +11,7 @@ manager: aaroncz ms.technology: itpro-security ms.collection: - highpri + - tier2 ms.date: 12/31/2017 ms.topic: article --- diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png b/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png deleted file mode 100644 index 99e8cb1384..0000000000 Binary files a/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png and /dev/null differ 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png
deleted file mode 100644
index fbd6a798b0..0000000000
Binary files a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png
deleted file mode 100644
index 865af86b19..0000000000
Binary files a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index f605793303..6c14ed44e0 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -23,7 +23,7 @@ ms.topic: conceptual
 - Windows 11
 - Windows 10
 
-This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
+This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
 
 > [!NOTE]
 > System Guard Secure Launch feature requires a supported processor. For more information, see [System requirements for System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md#system-requirements-for-system-guard).
@@ -76,7 +76,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
 ![Verifying Secure Launch is running in the Windows Security app.](images/secure-launch-msinfo.png)
 
 > [!NOTE]
-> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
+> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
 
 > [!NOTE]
 > For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).
diff --git a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
index 272fed2a81..25276608c2 100644
--- a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
@@ -1,26 +1,12 @@
 ---
 title: Add Production Devices to the Membership Group for a Zone (Windows)
 description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group.
-ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Add Production Devices to the Membership Group for a Zone
diff --git a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
index 12a0d5018e..632879c8fa 100644
--- a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
@@ -1,26 +1,12 @@
 ---
 title: Add Test Devices to the Membership Group for a Zone (Windows)
 description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected.
-ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Add Test Devices to the Membership Group for a Zone
diff --git a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
index 5bb2312dbe..1d83bb85fd 100644
--- a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
+++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
@@ -1,26 +1,12 @@
 ---
 title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows)
 description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO).
-ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Appendix A: Sample GPO Template Files for Settings Used in this Guide
diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
index 4aeb22b1f0..c7559e5687 100644
--- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
@@ -1,28 +1,15 @@
 ---
 title: Assign Security Group Filters to the GPO (Windows)
 description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers.
-ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Assign Security Group Filters to the GPO
diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
index 11fb40c04f..5c6763d795 100644
--- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
@@ -1,25 +1,11 @@
 ---
 title: Basic Firewall Policy Design (Windows)
 description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design.
-ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ms.date: 12/31/2017
 ---
diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
index c3caab02c2..e090a1ea53 100644
--- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
+++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
@@ -1,24 +1,15 @@
 ---
 title: Best practices for configuring Windows Defender Firewall
 description: Learn about best practices for configuring Windows Defender Firewall
-keywords: firewall, best practices, security, network security, network, rules, filters,
 ms.prod: windows-client
 ms.date: 11/09/2022
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: paoloma
-author: paolomatarazzo
-ms.localizationpriority: medium
-manager: aaroncz
-audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: article
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10 and later
- - ✅ Windows Server 2016 and later
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Best practices for configuring Windows Defender Firewall
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
index 35518f5c27..fc07a5e4d8 100644
--- a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
@@ -1,26 +1,12 @@
 ---
 title: Boundary Zone GPOs (Windows)
 description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security.
-ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Boundary Zone GPOs
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md
index fc8ce50228..4d101a8462 100644
--- a/windows/security/threat-protection/windows-firewall/boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md
@@ -1,26 +1,12 @@
 ---
 title: Boundary Zone (Windows)
 description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security.
-ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Boundary Zone
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
index 7684a782be..cdcbe5df44 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
@@ -1,26 +1,12 @@
 ---
 title: Certificate-based Isolation Policy Design Example (Windows)
 description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security.
-ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Certificate-based Isolation Policy Design Example
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
index ae9e0d2610..8d72f5d261 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
@@ -1,26 +1,12 @@
 ---
 title: Certificate-based Isolation Policy Design (Windows)
 description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design.
-ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Certificate-based isolation policy design
diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
index 98faaf9390..0fe1d36358 100644
--- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
+++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
@@ -1,26 +1,12 @@
 ---
 title: Change Rules from Request to Require Mode (Windows)
 description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices.
-ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Change Rules from Request to Require Mode
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
index 6e55af017d..b7488176fa 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
@@ -1,26 +1,12 @@
 ---
 title: Checklist Configuring Basic Firewall Settings (Windows)
 description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall.
-ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Checklist: Configuring Basic Firewall Settings
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
index 42dedfb5a6..a10f355d7a 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
@@ -1,26 +1,12 @@
 ---
 title: Checklist Configuring Rules for an Isolated Server Zone (Windows)
 description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain.
-ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Checklist: Configuring Rules for an Isolated Server Zone
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
index 7a27fdafd9..ad3c072c15 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
@@ -1,26 +1,12 @@
 ---
 title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows)
 description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone
-ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
index e13496eb9d..e0f4a4d830 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
@@ -1,26 +1,12 @@
 ---
 title: Checklist Configuring Rules for the Boundary Zone (Windows)
 description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
-ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Checklist: Configuring Rules for the Boundary Zone
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
index 1a33764cd6..e026d05ea7 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
@@ -1,26 +1,12 @@
 ---
 title: Checklist Configuring Rules for the Encryption Zone (Windows)
 description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
-ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Checklist: Configuring Rules for the Encryption Zone
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
index 146c7be617..553a621f37 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
@@ -1,26 +1,12 @@
 ---
 title: Checklist Configuring Rules for the Isolated Domain (Windows)
 description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
-ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Checklist: Configuring Rules for the Isolated Domain
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
index 2437571f7b..2db03bf2b4 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
@@ -1,26 +1,12 @@
 ---
 title: Checklist Creating Group Policy Objects (Windows)
 description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS.
-ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Checklist: Creating Group Policy Objects
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
index a334a5eedd..2358c7d807 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
@@ -1,26 +1,12 @@
 ---
 title: Checklist Creating Inbound Firewall Rules (Windows)
 description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
-ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Checklist: Creating Inbound Firewall Rules
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
index 556a01f1c5..e7f1a2a9ce 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
@@ -1,26 +1,12 @@
 ---
 title: Checklist Creating Outbound Firewall Rules (Windows)
 description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
-ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Checklist: Creating Outbound Firewall Rules
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
index 7a3a496e98..1a5e7d2ae6 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
@@ -1,26 +1,12 @@
 ---
 title: Create Rules for Standalone Isolated Server Zone Clients (Windows)
 description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone
-ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
index 70b910425b..4a7816bc4d 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
@@ -1,26 +1,12 @@
 ---
 title: Checklist Implementing a Basic Firewall Policy Design (Windows)
 description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation.
-ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Checklist: Implementing a Basic Firewall Policy Design
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
index f5cc9a2ba8..75e334503f 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
@@ -1,26 +1,12 @@
 ---
 title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows)
 description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design.
-ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Checklist: Implementing a Certificate-based Isolation Policy Design
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
index ce9abfe303..922dc06a9f 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
@@ -1,26 +1,12 @@
 ---
 title: Checklist Implementing a Domain Isolation Policy Design (Windows)
 description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design.
-ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Checklist: Implementing a Domain Isolation Policy Design
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
index db49df08e9..e283e43a55 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
@@ -1,26 +1,12 @@
 ---
 title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows)
 description: Use these tasks to create a server isolation policy design that isn't part of an isolated domain. See references to concepts and links to other checklists.
-ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Checklist: Implementing a Standalone Server Isolation Policy Design
diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
index 60e8551837..bab0dffc8e 100644
--- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
+++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
@@ -1,26 +1,12 @@
 ---
 title: Configure Authentication Methods (Windows)
 description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security.
-ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Configure Authentication Methods
@@ -52,7 +38,7 @@ To complete these procedures, you must be a member of the Domain Administrators 4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials. - 5. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication enhanced key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule. + 5. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication extended key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule. 6. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. diff --git a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md index 089e73a9ab..b9b04feed8 100644 --- a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md 
@@ -1,26 +1,12 @@
 ---
 title: Configure Data Protection (Quick Mode) Settings (Windows)
 description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone.
-ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Configure Data Protection (Quick Mode) Settings
diff --git a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
index 2526c140bf..365f1423db 100644
--- a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
+++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
@@ -1,26 +1,12 @@
 ---
 title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows)
 description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network.
-ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Configure Group Policy to Autoenroll and Deploy Certificates
diff --git a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
index dc610001a5..83ef251330 100644
--- a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
+++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
@@ -1,26 +1,12 @@
 ---
 title: Configure Key Exchange (Main Mode) Settings (Windows)
 description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security.
-ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Configure Key Exchange (Main Mode) Settings
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
index 35828e953a..1bb9ff6c3c 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
@@ -1,26 +1,12 @@
 ---
 title: Configure the Rules to Require Encryption (Windows)
 description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that don't use encryption for zones that require encryption.
-ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Configure the Rules to Require Encryption
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
index c025101f58..74f57aec8b 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
@@ -1,26 +1,12 @@
 ---
 title: Configure the Windows Defender Firewall Log (Windows)
 description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC.
-ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Configure the Windows Defender Firewall with Advanced Security Log
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
index 3e77330596..c10e472cbc 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
@@ -1,24 +1,11 @@
 ---
 title: Configure the Workstation Authentication Template (Windows)
 description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations.
-ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6
-ms.reviewer: jekrynit
-manager: aaroncz
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ms.topic: conceptual
 ---
 
diff --git a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
index 26b8f6be29..de731f58a0 100644
--- a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
+++ b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
@@ -1,26 +1,12 @@
 ---
 title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows)
 description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Blocked
-ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked
diff --git a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
index 5c43673b29..54b9527285 100644
--- a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
+++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
@@ -1,31 +1,16 @@
 ---
 title: Confirm That Certificates Are Deployed Correctly (Windows)
 description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations.
-ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: securit
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
-ms.date: 09/07/2021
-ms.technology: itpro-security
+ms.date: 01/24/2023
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Confirm That Certificates Are Deployed Correctly
 
-
 After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices.
 
 In these procedures, you refresh Group Policy on a client device, and then confirm that the certificate is deployed correctly.
@@ -37,23 +22,21 @@ To complete these procedures, you must be a member of the Domain Administrators
 In this topic:
 
 - [Refresh Group Policy on a device](#to-refresh-group-policy-on-a-device)
-
 - [Verify that a certificate is installed](#to-verify-that-a-certificate-is-installed)
 
 ## To refresh Group Policy on a device
 
 From an elevated command prompt, run the following command:
 
-``` syntax
-gpupdate /target:computer /force
+``` cmd
+gpupdate /target:computer /force
 ```
 
 After Group Policy is refreshed, you can see which GPOs are currently applied to the device.
 
 ## To verify that a certificate is installed
 
-1. Open the Cerificates console.
-
-2. In the navigation pane, expand **Trusted Root Certification Authorities**, and then click **Certificates**.
+1. Open the Certificates console
+1. In the navigation pane, expand **Trusted Root Certification Authorities**, and then click **Certificates**
 
 The CA that you created appears in the list.
diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
index ed4354a524..7a95770682 100644
--- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
@@ -1,26 +1,12 @@
 ---
 title: Copy a GPO to Create a New GPO (Windows)
 description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices.
-ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Copy a GPO to Create a New GPO
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
index 1987320e47..6fd5ce3ffc 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
@@ -1,26 +1,12 @@
 ---
 title: Create a Group Account in Active Directory (Windows)
 description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console.
-ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Create a Group Account in Active Directory
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
index f8f7c3977f..2eef741da8 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
@@ -1,28 +1,15 @@
 ---
 title: Create a Group Policy Object (Windows)
 description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group.
-ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Create a Group Policy Object
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
index 7a0d8b8743..8c9b8675b6 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
@@ -1,26 +1,12 @@
 ---
 title: Create an Authentication Exemption List Rule (Windows)
 description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies.
-ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Create an Authentication Exemption List Rule
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
index 1c1d6c0e60..b8efe4ed2a 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
@@ -1,26 +1,12 @@
 ---
 title: Create an Authentication Request Rule (Windows)
 description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate.
-ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Create an Authentication Request Rule
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
index 8045d1975d..058c8148ed 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
@@ -1,26 +1,12 @@
 ---
 title: Create an Inbound ICMP Rule (Windows)
 description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
-ms.assetid: 267b940a-79d9-4322-b53b-81901e357344
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Create an Inbound ICMP Rule
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
index ea3861bad7..fbbf4a06b1 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
@@ -1,28 +1,15 @@
 ---
 title: Create an Inbound Port Rule (Windows)
 description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
-ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Create an Inbound Port Rule
@@ -51,11 +38,13 @@ This topic describes how to create a standard port rule for a specified protocol
 
 4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
 
->**Note:** Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
+> [!Note]
+> Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
 
 5. On the **Program** page, click **All programs**, and then click **Next**.
 
->**Note:** This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
+> [!Note]
+> This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
 
 6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number.
 
@@ -71,6 +60,7 @@ This topic describes how to create a standard port rule for a specified protocol
 
 9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
 
->**Note:** If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type.
+> [!Note]
+> If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card's cable. A disconnected network card is automatically assigned to the Public network location type.
 
 10. On the **Name** page, type a name and description for your rule, and then click **Finish**.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
index 5c79645f58..d477bd3dec 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
@@ -1,26 +1,12 @@
 ---
 title: Create an Inbound Program or Service Rule (Windows)
 description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules.
-ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Create an Inbound Program or Service Rule
diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
index 9ce8ea91f2..539d7fcf90 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
@@ -1,26 +1,12 @@
 ---
 title: Create an Outbound Port Rule (Windows)
 description: Learn to block outbound traffic on a port by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
-ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-audience: ITPro
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Create an Outbound Port Rule
diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
index 02116e5f9f..6083981a32 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
@@ -1,21 +1,12 @@
 ---
 title: Create an Outbound Program or Service Rule (Windows)
 description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Create an Outbound Program or Service Rule
diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
index 4ecf74444b..85de932389 100644
--- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
+++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
@@ -1,21 +1,12 @@
 ---
 title: Create Inbound Rules to Support RPC (Windows)
 description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Create Inbound Rules to Support RPC
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index 4782bb53e2..83d9d7ca2e 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -1,20 +1,11 @@
 ---
 title: Create Windows Firewall rules in Intune (Windows)
 description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ms.date: 12/31/2017
 ---
 
@@ -24,9 +15,9 @@ ms.date: 12/31/2017
 >[!IMPORTANT]
 >This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
-To get started, Open the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Devices** > **Windows** > **Configuration profiles** > **Create profile** > Choose **Windows 10 and later** as the platform, Choose **Templates**, then **Endpoint protection** as the profile type.
+To get started, Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Devices** > **Windows** > **Configuration profiles** > **Create profile** > Choose **Windows 10 and later** as the platform, Choose **Templates**, then **Endpoint protection** as the profile type.
 Select Windows Defender Firewall.
-:::image type="content" source="images/windows-firewall-intune.png" alt-text="Example of a Windows Defender Firewall policy in Microsoft Intune and the Endpoint Manager admin center.":::
+:::image type="content" source="images/windows-firewall-intune.png" alt-text="Example of a Windows Defender Firewall policy in Microsoft Intune and the Intune admin center.":::
 
 >[!IMPORTANT]
 >A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it.
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index 77ea069a39..aadb54b9eb 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -1,23 +1,15 @@
 ---
 title: Create WMI Filters for the GPO (Windows)
 description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Create WMI Filters for the GPO
diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
index 5d7dc149f9..8df474f3c3 100644
--- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
+++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
@@ -1,21 +1,12 @@
 ---
 title: Designing a Windows Defender Firewall Strategy (Windows)
 description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Designing a Windows Defender Firewall with Advanced Security Strategy
diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
index 68a9b98493..5089c8d823 100644
--- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
@@ -1,21 +1,12 @@
 ---
 title: Determining the Trusted State of Your Devices (Windows)
 description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Determining the Trusted State of Your Devices
diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
index 8694e3c9fc..4db33e1b27 100644
--- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
@@ -1,21 +1,12 @@
 ---
 title: Documenting the Zones (Windows)
 description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Documenting the Zones
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
index 60932b1a3d..e481999a70 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
@@ -1,21 +1,12 @@
 ---
 title: Domain Isolation Policy Design Example (Windows)
 description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Domain Isolation Policy Design Example
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
index d906a7fa27..8186a03186 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
@@ -1,21 +1,12 @@
 ---
 title: Domain Isolation Policy Design (Windows)
 description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Domain Isolation Policy Design
diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
index 8e5cbc491c..c4377b8254 100644
--- a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
+++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
@@ -1,21 +1,12 @@
 ---
 title: Enable Predefined Inbound Rules (Windows)
 description: Learn the rules for Windows Defender Firewall with Advanced Security for common networking roles and functions.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Enable Predefined Inbound Rules
diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
index 818f3191e4..83d2eec6b3 100644
--- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
+++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
@@ -1,21 +1,12 @@
 ---
 title: Enable Predefined Outbound Rules (Windows)
 description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Enable Predefined Outbound Rules
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
index ec8427d677..f26b60d3f2 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
@@ -1,21 +1,12 @@ --- title: Encryption Zone GPOs (Windows) description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Encryption Zone GPOs diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md index 0cf4b23338..4dc931b4ea 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md @@ -1,21 +1,12 @@ --- title: Encryption Zone (Windows) description: Learn how to create an encryption zone to contain devices that host sensitive data and require that the sensitive network traffic be encrypted. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Encryption Zone diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md deleted file mode 100644 index 759c9f4ce3..0000000000 
--- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ /dev/null @@ -1,33 +0,0 @@ ---- -title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows) -description: Evaluating Windows Defender Firewall with Advanced Security Design Examples -ms.reviewer: jekrynit -ms.author: paoloma -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz -ms.topic: conceptual -ms.date: 09/08/2021 -ms.technology: itpro-security -appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 ---- - -# Evaluating Windows Defender Firewall with Advanced Security Design Examples - - -The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization. - -- [Firewall Policy with Advanced Security Design Example](firewall-policy-design-example.md) - -- [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) - -- [Server Isolation Policy Design Example](server-isolation-policy-design-example.md) - -- [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md) - diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md index a37aa1bb81..410c3c56be 100644 --- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md 
+++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md @@ -1,21 +1,12 @@ --- title: Exempt ICMP from Authentication (Windows) description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Exempt ICMP from Authentication diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md index e90686a631..52d0334bfa 100644 --- a/windows/security/threat-protection/windows-firewall/exemption-list.md +++ b/windows/security/threat-protection/windows-firewall/exemption-list.md @@ -1,21 +1,12 @@ --- title: Exemption List (Windows) description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Exemption List diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index 9f9f8dbc43..5b4fbe6b78 100644 
--- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -1,20 +1,11 @@ --- title: Filter origin audit log improvements description: Filter origin documentation audit log improvements -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: normal -author: paolomatarazzo -manager: aaroncz ms.topic: troubleshooting -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later ms.date: 12/31/2017 --- diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md index 08a86364ba..d281e5120c 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md +++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md @@ -1,21 +1,12 @@ --- title: Firewall GPOs (Windows) description: In this example, a Group Policy Object is linked to the domain container because the domain controllers aren't part of the isolated domain. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Firewall GPOs diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index 948e5e1bab..3a7fd73b29 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md 
+++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md @@ -1,21 +1,12 @@ --- title: Basic Firewall Policy Design Example (Windows) description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Basic Firewall Policy Design Example diff --git a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md index ae7a47f809..2f28d5f315 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md +++ b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md @@ -1,20 +1,11 @@ --- title: Troubleshooting Windows Firewall settings after a Windows upgrade description: Firewall settings lost on upgrade -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: troubleshooting -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later ms.date: 12/31/2017 --- 
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md index 7e8e014d6c..8f60efe829 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md @@ -1,21 +1,12 @@ --- title: Gathering Information about Your Active Directory Deployment (Windows) description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Gathering Information about Your Active Directory Deployment diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 5a815ce133..3aa6cef30a 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md 
@@ -1,21 +1,12 @@ --- title: Gathering Info about Your Network Infrastructure (Windows) description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Gathering Information about Your Current Network Infrastructure diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md index c004735816..1f0cbb3885 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md @@ -1,21 +1,12 @@ --- title: Gathering Information about Your Devices (Windows) description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Gathering Information about Your Devices 
diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md index 8655113adc..a4fa1bcbac 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md +++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md @@ -1,21 +1,12 @@ --- title: Gathering Other Relevant Information (Windows) description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Gathering Other Relevant Information diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md index 27014f95a8..69323a3def 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md +++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md 
@@ -1,21 +1,12 @@ --- title: Gathering the Information You Need (Windows) description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Gathering the Information You Need diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md index e01a4c33c8..08115f7e6c 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md @@ -1,21 +1,12 @@ --- title: GPO\_DOMISO\_Boundary (Windows) description: This example GPO supports devices that aren't part of the isolated domain to access specific servers that must be available to those untrusted devices. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # GPO\_DOMISO\_Boundary diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md index abf7fcbadf..e25451e208 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md 
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md @@ -1,21 +1,12 @@ --- title: GPO\_DOMISO\_Encryption\_WS2008 (Windows) description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. -ms.reviewer: jekrynit -ms.author: paoloma -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.prod: windows-client -ms.localizationpriority: medium ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # GPO\_DOMISO\_Encryption\_WS2008 diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md index 19d5d2f4fe..8f51e224f1 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md @@ -1,21 +1,12 @@ --- title: GPO\_DOMISO\_Firewall (Windows) description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # GPO\_DOMISO\_Firewall diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index 8147d76ef7..b2372a88c2 100644 
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -1,21 +1,12 @@ --- title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows) description: Author this GPO by using Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # GPO\_DOMISO\_IsolatedDomain\_Clients diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index fadc52139d..100d7233bc 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md @@ -1,21 +1,12 @@ --- title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows) description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # GPO\_DOMISO\_IsolatedDomain\_Servers 
diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 877c262554..d4e5b71479 100644 --- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -1,21 +1,12 @@ --- title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows) description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Identifying Windows Defender Firewall with Advanced Security implementation goals diff --git a/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif b/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif deleted file mode 100644 index 5c7dfb0ebc..0000000000 Binary files a/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif and /dev/null differ diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index c745825369..86253b807a 100644 
--- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -1,21 +1,12 @@ --- title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows) description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Implementing Your Windows Defender Firewall with Advanced Security Design Plan diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md index 2cede95e14..4cab3c840b 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md @@ -1,21 +1,12 @@ --- title: Isolated Domain GPOs (Windows) description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Isolated Domain GPOs 
diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md index 2f854ff73f..d11cfd0fa4 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md @@ -1,21 +1,12 @@ --- title: Isolated Domain (Windows) description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Isolated Domain diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md index 5724da80ea..6d41f4d5e5 100644 --- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md +++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md 
@@ -2,20 +2,11 @@ title: Isolating Microsoft Store Apps on Your Network (Windows) description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network. ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.reviewer: jekrynit -ms.author: paoloma -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Isolating Microsoft Store Apps on Your Network diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md index f3eb72f2e3..f875516002 100644 --- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md +++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md @@ -1,21 +1,12 @@ --- title: Link the GPO to the Domain (Windows) description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Link the GPO to the Domain 
diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index b0597ddac5..12d13c2b22 100644 --- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -1,21 +1,12 @@ --- title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows) description: Mapping your implementation goals to a Windows Firewall with Advanced Security design -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Mapping your implementation goals to a Windows Firewall with Advanced Security design diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index 2db48a89d3..d5f3a66214 100644 --- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md 
@@ -1,21 +1,12 @@ --- title: Modify GPO Filters (Windows) description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Modify GPO Filters to Apply to a Different Zone or Version of Windows diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md index e55dca92b4..992acb97d6 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md @@ -1,21 +1,12 @@ --- title: Open the Group Policy Management Console to IP Security Policies (Windows) description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Open the Group Policy Management Console to IP Security Policies 
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index 0dead272e0..4752a0a65d 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -1,23 +1,15 @@ --- title: Group Policy Management of Windows Firewall with Advanced Security (Windows) description: Group Policy Management of Windows Firewall with Advanced Security -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Group Policy Management of Windows Firewall with Advanced Security diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index f51325daf5..ce8f5b6d70 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md 
@@ -1,21 +1,12 @@
 ---
 title: Group Policy Management of Windows Defender Firewall (Windows)
 description: Group Policy Management of Windows Defender Firewall with Advanced Security
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Group Policy Management of Windows Defender Firewall
diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
index 85c5fb4099..ff0894fbe9 100644
--- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
@@ -1,21 +1,12 @@
 ---
 title: Open Windows Defender Firewall with Advanced Security (Windows)
 description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Open Windows Defender Firewall with Advanced Security
diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
index b0b4bc000c..0d2b6f0d17 100644
--- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
@@ -1,21 +1,12 @@
 ---
 title: Planning Certificate-based Authentication (Windows)
 description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Planning Certificate-based Authentication
@@ -55,6 +46,6 @@ If you're installing the certificates on an operating system other than Windows,
 
 When the clients and servers have the certificates available, you can configure the IPsec and connection security rules to include those certificates as a valid authentication method. The authentication method requires the subject name of the certificate, for example: **DC=com,DC=woodgrovebank,CN=CorporateCertServer**. Optionally, select **Enable certificate to account mapping** to support using these credentials for restricting access to users or devices that are members of authorized groups in a server isolation solution.
 
-Starting in Windows Server 2012, you can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, and name restrictions and certificate thumbprints. This EKU is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell.
+Starting in Windows Server 2012, you can configure certificate selection criteria so the desired certificate is selected and/or validated. extended key usage (EKU) criteria can be configured, and name restrictions and certificate thumbprints. This EKU is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell.
 
 **Next:** [Documenting the Zones](documenting-the-zones.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
index a29847e44c..b9416b2c65 100644
--- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
@@ -1,21 +1,12 @@
 ---
 title: Planning Domain Isolation Zones (Windows)
 description: Learn how to use information you've gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Planning Domain Isolation Zones
diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
index 7e46a275c4..13d93e09de 100644
--- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
@@ -1,21 +1,12 @@
 ---
 title: Planning GPO Deployment (Windows)
 description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Planning GPO Deployment
diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
index 02e00fb3c5..8fd656a093 100644
--- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
@@ -1,21 +1,12 @@
 ---
 title: Planning Group Policy Deployment for Your Isolation Zones (Windows)
 description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Planning Group Policy Deployment for Your Isolation Zones
diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
index 4eefdea9e1..1c78f627e8 100644
--- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
@@ -1,21 +1,12 @@
 ---
 title: Planning Isolation Groups for the Zones (Windows)
 description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Planning Isolation Groups for the Zones
diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
index 4515218f2b..a347ceb834 100644
--- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
+++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
@@ -1,21 +1,12 @@
 ---
 title: Planning Network Access Groups (Windows)
 description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Planning Network Access Groups
diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
index c96545cf8b..07b4cbd666 100644
--- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
@@ -1,21 +1,12 @@
 ---
 title: Planning Server Isolation Zones (Windows)
 description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Planning Server Isolation Zones
diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
index 027506a427..44044b6641 100644
--- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
+++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
@@ -1,21 +1,12 @@
 ---
 title: Planning Settings for a Basic Firewall Policy (Windows)
 description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Planning Settings for a Basic Firewall Policy
diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
index 572fa33116..1a3b157e57 100644
--- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
@@ -1,21 +1,12 @@
 ---
 title: Planning the GPOs (Windows)
 description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Planning the GPOs
diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
index e9691ceada..1e06c6b8aa 100644
--- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
@@ -1,21 +1,12 @@
 ---
 title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows)
 description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Planning to Deploy Windows Defender Firewall with Advanced Security
diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
index 22b46bd189..8909eac102 100644
--- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
@@ -1,21 +1,12 @@
 ---
 title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows)
 description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Planning Your Windows Defender Firewall with Advanced Security Design
diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
deleted file mode 100644
index 430a461918..0000000000
--- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Procedures Used in This Guide (Windows)
-description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide.
-ms.reviewer: jekrynit
-ms.author: paoloma
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 09/08/2021
-ms.technology: itpro-security
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
----
-
-# Procedures Used in This Guide
-
-
-The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order.
-
-- [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)
-
-- [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)
-
-- [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
-
-- [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
-
-- [Configure Authentication Methods](configure-authentication-methods.md)
-
-- [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)
-
-- [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
-
-- [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)
-
-- [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)
-
-- [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md)
-
-- [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)
-
-- [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
-
-- [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
-
-- [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
-
-- [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
-
-- [Create a Group Policy Object](create-a-group-policy-object.md)
-
-- [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)
-
-- [Create an Authentication Request Rule](create-an-authentication-request-rule.md)
-
-- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
-
-- [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
-
-- [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)
-
-- [Create an Outbound Port Rule](create-an-outbound-port-rule.md)
-
-- [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
-
-- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
-
-- [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
-
-- [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
-
-- [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
-
-- [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)
-
-- [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
-
-- [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
-
-- [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
-
-- [Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall.md)
-
-- [Open Windows Defender Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md)
-
-- [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)
-
-- [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)
-
-- [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
index 3cb9728be9..9fcf79f2f1 100644
--- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
+++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
@@ -1,21 +1,12 @@
 ---
 title: Protect devices from unwanted network traffic (Windows)
 description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 01/18/2022
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Protect devices from unwanted network traffic
diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md
index 55de70d2af..5b7c793f7f 100644
--- a/windows/security/threat-protection/windows-firewall/quarantine.md
+++ b/windows/security/threat-protection/windows-firewall/quarantine.md
@@ -1,21 +1,12 @@
 ---
 title: Quarantine behavior
 description: Quarantine behavior is explained in detail.
-ms.author: paoloma
-author: paolomatarazzo
-manager: aaroncz
-ms.reviewer: jekrynit
 ms.prod: windows-client
-ms.localizationpriority: normal
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Quarantine behavior
diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
index d478752b6a..44cc1d2090 100644
--- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
+++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
@@ -1,21 +1,12 @@
 ---
 title: Require Encryption When Accessing Sensitive Network Resources (Windows)
 description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Require Encryption When Accessing Sensitive Network Resources
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
index efc90aca28..54222bff1a 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
@@ -1,21 +1,12 @@
 ---
 title: Restrict Access to Only Specified Users or Devices (Windows)
 description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Restrict Access to Only Specified Users or Computers
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
index 7dca23dc7e..c2298b824a 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
@@ -1,21 +1,12 @@
 ---
 title: Restrict access to only trusted devices (Windows)
 description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Restrict access to only trusted devices
diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
index 091d80f05a..5132add40c 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
@@ -1,21 +1,12 @@
 ---
 title: Restrict Server Access to Members of a Group Only (Windows)
 description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Restrict Server Access to Members of a Group Only
diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
index 03f3651091..8f7f607d58 100644
--- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
+++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
@@ -2,20 +2,11 @@
 title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows)
 description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.reviewer: jekrynit
-ms.author: paoloma
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Securing End-to-End IPsec connections by using IKEv2
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
index f4d1fc60c6..11d7750b21 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
@@ -1,21 +1,12 @@
 ---
 title: Server Isolation GPOs (Windows)
 description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Server Isolation GPOs
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
index 97ae77f6c1..41824b3e09 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
@@ -1,21 +1,12 @@
 ---
 title: Server Isolation Policy Design Example (Windows)
 description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Server Isolation Policy Design Example
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
index 1b500c186c..f2bedf42fb 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
@@ -1,21 +1,12 @@
 ---
 title: Server Isolation Policy Design (Windows)
 description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group.
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Server Isolation Policy Design
diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
index 08eda94fb7..2716e511cc 100644
--- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
@@ -1,20 +1,11 @@
 ---
 title: Troubleshooting UWP App Connectivity Issues in Windows Firewall
 description: Troubleshooting UWP App Connectivity Issues in Windows Firewall
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: troubleshooting
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ms.date: 12/31/2017
 ---
diff --git a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
index 5e70140b77..b51780f073 100644
--- a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
+++ b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
@@ -1,21 +1,12 @@
 ---
 title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows)
 description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior
-ms.reviewer: jekrynit
-ms.author: paoloma
 ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/08/2021
-ms.technology: itpro-security
 appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
+ - ✅ Windows 10 and later
+ - ✅ Windows Server 2016 and later
 ---
 
 # Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior
diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
index cbf01ad656..0658883723 100644
--- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
+++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
@@ -2,20 +2,11 @@ title: Understand WFAS Deployment (Windows) description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.reviewer: jekrynit -ms.author: paoloma -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Understanding the Windows Defender Firewall with Advanced Security Design Process diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index f260e9c06d..c535da432a 100644 --- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md @@ -1,21 +1,12 @@ --- title: Verify That Network Traffic Is Authenticated (Windows) description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Verify That Network Traffic Is Authenticated 
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index cf9152516d..db4d835bdb 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -2,20 +2,11 @@ title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows) description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.reviewer: jekrynit -ms.author: paoloma -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Windows Defender Firewall with Advanced Security Administration with Windows PowerShell diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md index 6a6d733678..708fe115d7 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md 
@@ -1,21 +1,12 @@ --- title: Windows Defender Firewall with Advanced Security deployment overview (Windows) description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Windows Defender Firewall with Advanced Security deployment overview diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index e095007a7d..75c5a94168 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -1,21 +1,12 @@ --- title: Windows Defender Firewall with Advanced Security design guide (Windows) description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise. -ms.reviewer: jekrynit -ms.author: paoloma ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz ms.topic: conceptual ms.date: 09/08/2021 -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Windows Defender Firewall with Advanced Security design guide 
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index 56c5f70707..282125d3bd 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -2,23 +2,14 @@ title: Windows Defender Firewall with Advanced Security (Windows) description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 09/08/2021 -ms.reviewer: jekrynit -ms.custom: asr -ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Windows Defender Firewall with Advanced Security 
@@ -36,7 +27,7 @@ The Windows Defender Firewall with Advanced Security MMC snap-in is more flexibl ## Feature description -Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy. +Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network's isolation strategy. ## Practical applications diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index 5d976ff196..c79a189b61 100644 --- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md 
@@ -2,14 +2,16 @@ title: Common Criteria Certifications description: This topic details how Microsoft supports the Common Criteria certification program. ms.prod: windows-client -ms.author: paoloma -author: paolomatarazzo +ms.author: sushmanemali +author: s4sush manager: aaroncz ms.topic: article ms.localizationpriority: medium ms.date: 11/4/2022 -ms.reviewer: +ms.reviewer: paoloma ms.technology: itpro-security +ms.collection: + - tier3 --- # Common Criteria certifications @@ -24,12 +26,16 @@ The product releases below are currently certified against the cited *Protection - The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration - The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions -For more details, expand each product section. +### Windows 11, Windows 10 (version 20H2, 21H1, 21H2), Windows Server, Windows Server 2022, Azure Stack HCIv2 version 21H2, Azure Stack Hub and Edge -
                                      +Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients -
                                      - Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack) +- [Security Target](https://download.microsoft.com/download/c/5/9/c59832ff-414b-4f15-8273-d0c349a0b154/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Security%20Target%20(21H2%20et%20al).pdf) +- [Administrative Guide](https://download.microsoft.com/download/9/1/7/9178ce6a-8117-42e7-be0d-186fc4a89ca6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(21H2%20et%20al).pdf) +- [Assurance Activity Report](https://download.microsoft.com/download/4/1/6/416151fe-63e7-48c0-a485-1d87148c71fe/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Assurance%20Activity%20Report%20(21H2%20et%20al).pdf) +- [Validation Report](https://download.microsoft.com/download/e/3/7/e374af1a-3c5d-42ee-8e19-df47d2c0e3d6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(21H2%20et%20al).pdf) + +### Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack) Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients @@ -38,10 +44,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Validation Report](https://download.microsoft.com/download/1/c/b/1cb65e32-f87d-41dd-bc29-88dc943fad9d/Windows%2010%202004%20GP%20OS%20Validation%20Reports.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/3/2/4/324562b6-0917-4708-8f9d-8d2d12859839/Windows%2010%202004%20GP%20OS%20Assurance%20Activity%20Report-Public%20.pdf) -
                                      - -
                                      - Windows 10, version 1909, Windows Server, version 1909, Windows Server 2019, version 1809 Hyper-V +### Windows 10, version 1909, Windows Server, version 1909, Windows Server 2019, version 1809 Hyper-V Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization. @@ -50,10 +53,7 @@ Certified against the Protection Profile for Virtualization, including the Exten - [Validation Report](https://download.microsoft.com/download/4/7/6/476ca991-631d-4943-aa89-b0cd4f448d14/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Validation%20Report.pdf) - [Assurance Activities Report](https://download.microsoft.com/download/3/b/4/3b4818d8-62a1-4b8d-8cb4-9b3256564355/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Assurance%20Activity%20Report.pdf) -
                                      - -
                                      - Windows 10, version 1909, Windows Server, version 1909 +### Windows 10, version 1909, Windows Server, version 1909 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients. @@ -62,10 +62,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/0/0/d/00d26b48-a051-4e9a-8036-850d825f8ef9/Windows%2010%201909%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
                                      - -
                                      - Windows 10, version 1903, Windows Server, version 1903 +### Windows 10, version 1903, Windows Server, version 1903 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. @@ -74,10 +71,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/2/a/1/2a103b68-cd12-4476-8945-873746b5f432/Windows%2010%201903%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
                                      - -
                                      - Windows 10, version 1809, Windows Server, version 1809 +### Windows 10, version 1809, Windows Server, version 1809 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. @@ -86,10 +80,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/6/6/a66bfcf1-f6ef-4991-ab06-5b1c01f91983/Windows%2010%201809%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
                                      - -
                                      - Windows 10, version 1803, Windows Server, version 1803 +### Windows 10, version 1803, Windows Server, version 1803 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. @@ -98,10 +89,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/b/3/d/b3da41b6-6ebc-4a26-a581-2d2ad8d8d1ac/Windows%2010%201803%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
                                      - -
                                      - Windows 10, version 1709, Windows Server, version 1709 +### Windows 10, version 1709, Windows Server, version 1709 Certified against the Protection Profile for General Purpose Operating Systems. @@ -110,10 +98,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Certification Report](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/e/7/6/e7644e3c-1e59-4754-b071-aec491c71849/Windows%2010%201709%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
                                      - -
                                      - Windows 10, version 1703, Windows Server, version 1703 +### Windows 10, version 1703, Windows Server, version 1703 Certified against the Protection Profile for General Purpose Operating Systems. @@ -122,10 +107,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Certification Report](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
                                      - -
                                      - Windows 10, version 1607, Windows Server 2016 +### Windows 10, version 1607, Windows Server 2016 Certified against the Protection Profile for General Purpose Operating Systems. @@ -134,10 +116,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Validation Report](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/5/f/a5f08a43-75f9-4433-bd77-aeb14276e587/Windows%2010%201607%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
                                      - -
                                      - Windows 10, version 1507, Windows Server 2012 R2 +### Windows 10, version 1507, Windows Server 2012 R2 Certified against the Protection Profile for General Purpose Operating Systems. @@ -146,8 +125,6 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/7/e/5/7e5575c9-10f9-4f3d-9871-bd7cf7422e3b/Windows%2010%20(1507),%20Windows%20Server%202012%20R2%20GPOS%20Assurance%20Activity%20Report.pdf) -
                                      - ## Archived certified products The product releases below were certified against the cited *Protection Profile* and are now archived, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/index.cfm?archived=1): @@ -156,12 +133,7 @@ The product releases below were certified against the cited *Protection Profile* - The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration - The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions -For more details, expand each product section. - - -
                                      -
                                      - Windows Server 2016, Windows Server 2012 R2, Windows 10 +### Windows Server 2016, Windows Server 2012 R2, Windows 10 Certified against the Protection Profile for Server Virtualization. @@ -170,10 +142,7 @@ Certified against the Protection Profile for Server Virtualization. - [Validation Report](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/3/f/c/3fcc76e1-d471-4b44-9a19-29e69b6ab899/Windows%2010%20Hyper-V,%20Server%202016,%20Server%202012%20R2%20Virtualization%20Assurance%20Activity%20Report.pdf) -
                                      - -
                                      - Windows 10, version 1607, Windows 10 Mobile, version 1607 +### Windows 10, version 1607, Windows 10 Mobile, version 1607 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -182,10 +151,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Validation Report](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf) -
                                      - -
                                      - Windows 10, version 1607, Windows Server 2016 +### Windows 10, version 1607, Windows Server 2016 Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients. @@ -194,10 +160,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN) - [Validation Report](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/b/8/d/b8ddc36a-408a-4d64-a31c-d41c9c1e9d9e/Windows%2010%201607,%20Windows%20Server%202016%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf) -
                                      - -
                                      - Windows 10, version 1511 +### Windows 10, version 1511 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -206,10 +169,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Validation Report](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/1/f/1/1f12ed80-6d73-4a16-806f-d5116814bd7c/Windows%2010%20November%202015%20Update%20(1511)%20MDF%20Assurance%20Activity%20Report.pdf) -
                                      - -
                                      - Windows 10, version 1507, Windows 10 Mobile, version 1507 +### Windows 10, version 1507, Windows 10 Mobile, version 1507 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -218,10 +178,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10694-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/1/3/a1365491-0a53-42cd-bd73-ca4067c43d86/Windows%2010,%20Windows%2010%20Mobile%20(1507)%20MDF%20Assurance%20Activity%20Report.pdf) -
                                      - -
                                      - Windows 10, version 1507 +### Windows 10, version 1507 Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients. @@ -230,10 +187,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN) - [Validation Report](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/9/3/6/93630ffb-5c06-4fea-af36-164da3e359c9/Windows%2010%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf) -
                                      - -
                                      - Windows 8.1 with Surface 3, Windows Phone 8.1 with Lumia 635 and Lumia 830 +### Windows 8.1 with Surface 3, Windows Phone 8.1 with Lumia 635 and Lumia 830 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -241,10 +195,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-vr.pdf) -
                                      - -
                                      - Surface Pro 3, Windows 8.1 +### Surface Pro 3, Windows 8.1 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -252,10 +203,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-vr.pdf) -
                                      - -
                                      - Windows 8.1, Windows Phone 8.1 +### Windows 8.1, Windows Phone 8.1 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -263,10 +211,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Administrative Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-vr.pdf) -
                                      - -
                                      - Windows 8, Windows Server 2012 +### Windows 8, Windows Server 2012 Certified against the Protection Profile for General Purpose Operating Systems. @@ -274,10 +219,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Administrative Guide](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-vr.pdf) -
                                      - -
                                      - Windows 8, Windows RT +### Windows 8, Windows RT Certified against the Protection Profile for General Purpose Operating Systems. @@ -285,10 +227,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Administrative Guide](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-vr.pdf) -
                                      - -
                                      - Windows 8, Windows Server 2012 BitLocker +### Windows 8, Windows Server 2012 BitLocker Certified against the Protection Profile for Full Disk Encryption. @@ -296,10 +235,7 @@ Certified against the Protection Profile for Full Disk Encryption. - [Administrative Guide](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf) -
                                      - -
                                      - Windows 8, Windows RT, Windows Server 2012 IPsec VPN Client +### Windows 8, Windows RT, Windows Server 2012 IPsec VPN Client Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients. @@ -307,10 +243,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN) - [Administrative Guide](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf) -
                                      - -
                                      - Windows 7, Windows Server 2008 R2 +### Windows 7, Windows Server 2008 R2 Certified against the Protection Profile for General Purpose Operating Systems. @@ -318,46 +251,31 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf) -
                                      - -
                                      - Microsoft Windows Server 2008 R2 Hyper-V Role +### Microsoft Windows Server 2008 R2 Hyper-V Role - [Security Target](https://www.microsoft.com/download/en/details.aspx?id=29305) - [Administrative Guide](https://www.microsoft.com/download/en/details.aspx?id=29308) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf) -
                                      - -
                                      - Windows Vista, Windows Server 2008 at EAL4+ +### Windows Vista, Windows Server 2008 at EAL4+ - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf) - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf) -
                                      - -
                                      - Windows Vista, Windows Server 2008 at EAL1 +### Windows Vista, Windows Server 2008 at EAL1 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf) - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567) - [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf) -
                                      - -
                                      - Microsoft Windows Server 2008 Hyper-V Role +### Microsoft Windows Server 2008 Hyper-V Role - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf) - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08) - [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf) -
                                      - -
                                      - Windows Server 2003 Certificate Server +### Windows Server 2003 Certificate Server - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf) - [Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d) @@ -366,12 +284,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Evaluation Technical Report](https://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf) -
                                      - -
                                      - Windows Rights Management Services +### Windows Rights Management Services - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf) - -
                                      \ No newline at end of file diff --git a/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png b/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png deleted file mode 100644 index 94be89b74f..0000000000 Binary files a/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 2b518a0153..4ff1d859be 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -7,6 +7,7 @@ ms.author: vinpa manager: aaroncz ms.collection: - highpri + - tier2 ms.topic: article ms.date: 6/30/2022 ms.technology: itpro-security @@ -76,6 +77,7 @@ Enables or disables networking in the sandbox. You can disable network access to `value` Supported values: +- *Enable*: Enables networking in the sandbox. - *Disable*: Disables networking in the sandbox. - *Default*: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC. @@ -184,6 +186,7 @@ Enables or disables sharing of the host clipboard with the sandbox. `value` Supported values: +- *Enable*: Enables sharing of the host clipboard with the sandbox. - *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted. - *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*. 
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index 3987f694a9..6e2f83d198 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md @@ -7,6 +7,7 @@ ms.author: vinpa manager: aaroncz ms.collection: - highpri + - tier2 ms.topic: article ms.date: 6/30/2022 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png b/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png deleted file mode 100644 index 242f5dd9bc..0000000000 Binary files a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index b08b62f673..bac325bbe0 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -8,6 +8,7 @@ author: vinaypamnani-msft manager: aaroncz ms.collection: - highpri + - tier3 ms.topic: conceptual ms.date: 02/14/2022 ms.reviewer: rmunck 
@@ -20,7 +21,7 @@ ms.technology: itpro-security
 The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
-The SCT enables administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
+The SCT enables administrators to effectively manage their enterprise's Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.

 The Security Compliance Toolkit consists of:
@@ -74,9 +75,9 @@ More information on the Policy Analyzer tool can be found on the [Microsoft Secu
 LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems.
-LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted “LGPO text” files.
+LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted "LGPO text" files.
 It can export local policy to a GPO backup.
-It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
+It can export the contents of a Registry Policy file to the "LGPO text" format that can then be edited, and can build a Registry Policy file from an LGPO text file.
 Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
index 0c513379b1..807e2e2800 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
@@ -8,6 +8,7 @@ author: vinaypamnani-msft
 manager: aaroncz
 ms.collection:
 - highpri
+ - tier3
 ms.topic: conceptual
 ms.date: 01/26/2022
 ms.reviewer: jmunck
diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md
index 64689039a1..ad5c50ecc7 100644
--- a/windows/security/trusted-boot.md
+++ b/windows/security/trusted-boot.md
@@ -1,7 +1,6 @@
 ---
 title: Secure Boot and Trusted Boot
 description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
-search.appverid: MET150
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
@@ -9,9 +8,6 @@ ms.topic: conceptual
 ms.date: 09/21/2021
 ms.prod: windows-client
 ms.technology: itpro-security
-ms.localizationpriority: medium
-ms.collection:
-ms.custom:
 ms.reviewer: jsuther
 ---
@@ -25,11 +21,11 @@ Secure Boot and Trusted Boot help prevent malware and corrupted components from
 The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
-As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it's trusted by the Secure Boot policy and hasn’t been tampered with.
+As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with.
 ## Trusted Boot
-Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
+Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product's early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
 Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally.
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index d432c8a8ff..0e145097a8 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -31,5 +31,7 @@
 href: feature-lifecycle.md
 - name: Deprecated Windows features
 href: deprecated-features.md
+ - name: Resources for deprecated features
+ href: deprecated-features-resources.md
 - name: Removed Windows features
 href: removed-features.md
\ No newline at end of file
diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md
new file mode 100644
index 0000000000..f00940e722
--- /dev/null
+++ b/windows/whats-new/deprecated-features-resources.md
@@ -0,0 +1,73 @@
+---
+title: Resources for deprecated features in the Windows client
+description: Resources and details for deprecated features in the Windows Client.
+ms.date: 02/14/2023
+ms.prod: windows-client
+ms.technology: itpro-fundamentals
+ms.localizationpriority: medium
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+ms.topic: reference
+ms.collection: highpri, tier1
+---
+
+# Resources for deprecated features
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+This article provides additional resources about [deprecated features for Windows client](deprecated-features.md) that may be needed by IT professionals. The following information is provided to help IT professionals plan for the removal of deprecated features:
+
+## Microsoft Support Diagnostic Tool resources
+
+The [Microsoft Support Diagnostic Tool (MSDT)](/windows-server/administration/windows-commands/msdt) gathers diagnostic data for analysis by support professionals. MSDT is the engine used to run legacy Windows built-in troubleshooters. There are currently 28 built-in troubleshooters for MSDT. Half of the built-in troubleshooters have already been [redirected](#redirected-msdt-troubleshooters) to the Get Help platform, while the other half will be [retired](#retired-msdt-troubleshooters).
+
+If you're using MSDT to run [custom troubleshooting packages](/previous-versions/windows/desktop/wintt/package-schema), it will be available as a [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) before the tool is fully retired in 2025. This change will allow you to continue to use MSDT to run custom troubleshooting packages while transitioning to a new platform. [Contact Microsoft support](https://support.microsoft.com/contactus) for Windows if you require additional assistance.
+
+### Redirected MSDT troubleshooters
+
+The following troubleshooters will automatically be redirected when you access them from **Start** > **Settings** > **System** > **Troubleshoot**:
+
+- Background Intelligent Transfer Service (BITS)
+- Bluetooth
+- Camera
+- Internet Connections
+- Network Adapter
+- Playing Audio
+- Printer
+- Program Compatibility Troubleshooter
+- Recording Audio
+- Video Playback
+- Windows Network Diagnostics
+- Windows Media Player DVD
+- Windows Media Player Library
+- Windows Media Player Settings
+- Windows Update
+
+### Retired MSDT troubleshooters
+
+The following troubleshooters will be removed in a future release of Windows:
+
+- Connection to a Workplace using DirectAccess
+- Devices and Printers
+- Hardware and Devices
+- HomeGroup
+- Incoming Connections
+- Internet Explorer Performance
+- Internet Explorer Safety
+- Keyboard
+- Power
+- Search and Indexing
+- Speech
+- System Maintenance
+- Shared Folders
+- Windows Store Apps
+
+## Next steps
+
+- [Windows feature lifecycle](feature-lifecycle.md)
+- [Deprecated Windows features](deprecated-features.md)
+- [Removed Windows features](removed-features.md)
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 3c58ebfc65..331770192b 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -8,8 +8,8 @@ ms.localizationpriority: medium
 author: mestew
 ms.author: mstewart
 manager: aaroncz
-ms.reviewer:
 ms.topic: article
+ms.collection: highpri, tier1
 ---
 # Deprecated features for Windows client
@@ -36,6 +36,7 @@ The features in this article are no longer being actively developed, and might b
 |Feature | Details and mitigation | Deprecation announced |
 | ----------- | --------------------- | ---- |
+| Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
 | Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content is not applicable. If you are not sure which type of processor you have, check **Settings** > **System** > **About**.

                                      Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |
 | Update Compliance | [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|
 | Windows Information Protection | [Windows Information Protection](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).

                                      For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 |
@@ -71,7 +72,7 @@ The features in this article are no longer being actively developed, and might b
 |RSA/AES Encryption for IIS | We recommend that users use CNG encryption provider. | 1709 |
 |Screen saver functionality in Themes | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
 |Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work. | 1709 |
-|System Image Backup (SIB) Solution | We recommend that users use full-disk backup solutions from other vendors. | 1709 |
+|System Image Backup (SIB) Solution|This feature is also known as the **Backup and Restore (Windows 7)** legacy control panel. For full-disk backup solutions, look for a third-party product from another software vendor. You can also use [OneDrive](/onedrive/) to sync data files with Microsoft 365.| 1709 |
 |TLS RC4 Ciphers |To be disabled by default. For more information, see [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)| 1709 |
 |Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 |
 |Trusted Platform Module (TPM): TPM.msc and TPM Remote Management | To be replaced by a new user interface in a future release. | 1709 |
@@ -83,4 +84,6 @@ The features in this article are no longer being actively developed, and might b
 |TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
 |TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
 |IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and shouldn't be used. | 1703 |
-|`wusa.exe /uninstall /kb:####### /quiet`|The `wusa` tool usage to quietly uninstall an update has been deprecated. The uninstall command with `/quiet` switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
                                      Applies to Windows Server 2016 and Windows Server 2019.|
\ No newline at end of file
+|`wusa.exe /uninstall /kb:####### /quiet`|The `wusa` tool usage to quietly uninstall an update has been deprecated. The uninstall command with `/quiet` switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
                                      Applies to Windows Server 2016 and Windows Server 2019.|
+
+
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index 19bd51f371..bd292f17c7 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -34,6 +34,9 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "ms.collection": [
+ "tier2"
+ ],
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-M365-IT",
 "ms.topic": "article",
diff --git a/windows/whats-new/feature-lifecycle.md b/windows/whats-new/feature-lifecycle.md
index 11eaa12e7e..d97cc8895b 100644
--- a/windows/whats-new/feature-lifecycle.md
+++ b/windows/whats-new/feature-lifecycle.md
@@ -7,9 +7,9 @@ author: mestew
 manager: aaroncz
 ms.author: mstewart
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-fundamentals
 ms.date: 10/28/2022
+ms.collection: highpri, tier2
 ---
 # Windows client features lifecycle
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index 66e69fb814..78b5590c17 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -2,12 +2,12 @@
 title: Windows 10 Enterprise LTSC
 description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB).
 ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
 ms.localizationpriority: low
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier1
 ms.technology: itpro-fundamentals
 ms.date: 12/31/2017
 ---
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
index 60f00167d7..0663fe6cd9 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
@@ -1,12 +1,11 @@
 ---
 title: What's new in Windows 10 Enterprise LTSC 2015
-ms.reviewer:
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: mstewart
 description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB).
 ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
+author: mestew
+ms.localizationpriority: low
 ms.topic: article
 ms.technology: itpro-fundamentals
 ms.date: 12/31/2017
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index 43da9f13c3..1b70c22e66 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -1,11 +1,10 @@
 ---
 title: What's new in Windows 10 Enterprise LTSC 2016
-ms.reviewer:
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: mstewart
 description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB).
 ms.prod: windows-client
-author: aczechowski
+author: mestew
 ms.localizationpriority: low
 ms.topic: article
 ms.technology: itpro-fundamentals
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index ac0e6ef2cc..14d7f14fa9 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -1,15 +1,13 @@
 ---
 title: What's new in Windows 10 Enterprise LTSC 2019
-ms.reviewer:
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: mstewart
 description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB).
 ms.prod: windows-client
-author: aczechowski
+author: mestew
 ms.localizationpriority: medium
 ms.topic: article
-ms.collection:
- - highpri
+ms.collection: highpri, tier1
 ms.technology: itpro-fundamentals
 ms.date: 12/31/2017
 ---
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index ac2853f72a..c6f1572c34 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -1,15 +1,13 @@
 ---
 title: What's new in Windows 10 Enterprise LTSC 2021
-ms.reviewer:
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: mstewart
 description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021.
 ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: low
+author: mestew
+ms.localizationpriority: high
 ms.topic: article
-ms.collection:
- - highpri
+ms.collection: highpri, tier1
 ms.technology: itpro-fundamentals
 ms.date: 12/31/2017
 ---
@@ -165,7 +163,7 @@ Windows Hello enhancements include:
 ### Microsoft Intune family of products
-Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
+Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
 ### Configuration Manager
diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md
index bdaca31c06..d0825bcd12 100644
--- a/windows/whats-new/removed-features.md
+++ b/windows/whats-new/removed-features.md
@@ -7,9 +7,9 @@ author: mestew
 manager: aaroncz
 ms.author: mstewart
 ms.topic: article
-ms.custom: seo-marvel-apr2020
 ms.technology: itpro-fundamentals
 ms.date: 01/05/2023
+ms.collection: highpri, tier1
 ---
 # Features and functionality removed in Windows client
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
index 8c1413f87f..02ecc6cade 100644
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@@ -1,11 +1,10 @@
 ---
 title: What's new in Windows 10, versions 1507 and 1511 (Windows 10)
 description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511)?
-ms.reviewer:
 ms.prod: windows-client
-author: aczechowski
-manager: dougeby
-ms.author: aaroncz
+author: mestew
+manager: aaroncz
+ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
 ROBOTS: NOINDEX
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index b37fc54c61..d0b7cbda02 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -3,10 +3,9 @@ title: What's new in Windows 10, version 1607 (Windows 10)
 description: What's new in Windows 10 for Windows 10 (version 1607)?
 ms.prod: windows-client
 ms.localizationpriority: medium
-ms.reviewer:
-author: aczechowski
-manager: dougeby
-ms.author: aaroncz
+author: mestew
+manager: aaroncz
+ms.author: mstewart
 ms.topic: article
 ROBOTS: NOINDEX
 ms.technology: itpro-fundamentals
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 0b0ebd0b2a..8a8e9a3e7e 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -3,10 +3,9 @@ title: What's new in Windows 10, version 1703
 description: New and updated features in Windows 10, version 1703 (also known as the Creators Updated).
 ms.prod: windows-client
 ms.localizationpriority: medium
-ms.reviewer:
-author: aczechowski
-manager: dougeby
-ms.author: aaroncz
+author: mestew
+manager: aaroncz
+ms.author: mstewart
 ms.topic: article
 ROBOTS: NOINDEX
 ms.technology: itpro-fundamentals
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index 24468089e9..55b211215b 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -2,10 +2,9 @@
 title: What's new in Windows 10, version 1709
 description: New and updated features in Windows 10, version 1709 (also known as the Fall Creators Update).
 ms.prod: windows-client
-ms.reviewer:
-author: aczechowski
-manager: dougeby
-ms.author: aaroncz
+author: mestew
+manager: aaroncz
+ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
 ROBOTS: NOINDEX
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index 4bfc545809..9c77663750 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -2,10 +2,9 @@
 title: What's new in Windows 10, version 1803
 description: New and updated features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update).
 ms.prod: windows-client
-ms.reviewer:
-author: aczechowski
-manager: dougeby
-ms.author: aaroncz
+author: mestew
+manager: aaroncz
+ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
 ROBOTS: NOINDEX
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index 776e3fd5fe..b617d899f5 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -1,16 +1,15 @@
 ---
 title: What's new in Windows 10, version 1809
-ms.reviewer:
 description: Learn about features for Windows 10, version 1809, including features and fixes included in previous cumulative updates to Windows 10, version 1803.
 ms.prod: windows-client
-author: aczechowski
-manager: dougeby
-ms.author: aaroncz
+author: mestew
+manager: aaroncz
+ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
 ROBOTS: NOINDEX
 ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
+ms.date: 01/31/2023
 ---
 # What's new in Windows 10, version 1809 for IT Pros
@@ -19,12 +18,14 @@ ms.date: 12/31/2017
 In this article, we describe new and updated features of interest to IT Pros for Windows 10, version 1809. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1803.
+
+
 ## Deployment
 ### Windows Autopilot self-deploying mode
@@ -68,7 +69,7 @@ This new functionality is an update to the [BitLocker CSP](/windows/client-manag
 This feature will soon be enabled on Olympia Corp as an optional feature.
-#### Delivering BitLocker policy to AutoPilot devices during OOBE
+#### Delivering BitLocker policy to Autopilot devices during OOBE
 You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This option allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins.
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index 703e8af27b..f4005118e9 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -2,9 +2,9 @@
 title: What's new in Windows 10, version 1903
 description: New and updated features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update).
 ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
 ms.localizationpriority: medium
 ms.topic: article
 ROBOTS: NOINDEX
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 9b27125a3b..602a7fcac7 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -2,9 +2,9 @@
 title: What's new in Windows 10, version 1909
 description: New and updated features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update).
 ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
 ms.localizationpriority: medium
 ms.topic: article
 ROBOTS: NOINDEX
@@ -73,7 +73,7 @@ Windows Virtual Desktop is a comprehensive desktop and app virtualization servic
 ### Microsoft Intune family of products
-Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
+Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
 ### Windows 10 Pro and Enterprise in S mode
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index d61e9c57ec..22d328d14f 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -2,9 +2,9 @@
 title: What's new in Windows 10, version 2004
 description: New and updated features in Windows 10, version 2004 (also known as the Windows 10 May 2020 Update).
 ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
 ms.localizationpriority: medium
 ms.topic: article
 ROBOTS: NOINDEX
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
index 118d9441cc..078b022d66 100644
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -2,12 +2,12 @@
 title: What's new in Windows 10, version 20H2
 description: New and updated features in Windows 10, version 20H2 (also known as the Windows 10 October 2020 Update).
 ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
 ms.localizationpriority: high
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-fundamentals
 ms.date: 12/31/2017
 ---
@@ -71,7 +71,7 @@ Activities are grouped into the following phases: **Plan** > **Prepare** > **Dep
 Enhancements to Windows Autopilot since the last release of Windows 10 include:
 - [Windows Autopilot for HoloLens](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-for-hololens-2/ba-p/1371494): Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode.
 - [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience.
-- Enhancements to Windows Autopilot deployment reporting are in preview. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Select **Autopilot deployment (preview)**.
+- Enhancements to Windows Autopilot deployment reporting are in preview. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Select **Autopilot deployment (preview)**.
 ### Windows Assessment and Deployment Toolkit (ADK)
diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md
index cdf34929de..77d6e3c52f 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H1.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H1.md
@@ -2,12 +2,12 @@
 title: What's new in Windows 10, version 21H1
 description: New and updated features in Windows 10, version 21H1 (also known as the Windows 10 May 2021 Update).
 ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
 ms.localizationpriority: high
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier2
 ms.technology: itpro-fundamentals
 ms.date: 12/31/2017
 ---
diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md
index 0b5aea83f8..c6aaf4368c 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -1,14 +1,13 @@
 ---
 title: What's new in Windows 10, version 21H2 for IT pros
 description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
-manager: dougeby
+manager: aaroncz
 ms.prod: windows-client
-ms.author: aaroncz
-author: aczechowski
+ms.author: mstewart
+author: mestew
 ms.localizationpriority: medium
 ms.topic: article
-ms.collection: highpri
-ms.custom: intro-overview
+ms.collection: highpri, tier2
 ms.technology: itpro-fundamentals
 ms.date: 12/31/2017
 ---
diff --git a/windows/whats-new/whats-new-windows-10-version-22H2.md b/windows/whats-new/whats-new-windows-10-version-22H2.md
index 19a2bb9c46..99199e8037 100644
--- a/windows/whats-new/whats-new-windows-10-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-22H2.md
@@ -5,10 +5,11 @@ ms.prod: windows-client
 ms.technology: itpro-fundamentals
 ms.author: mstewart
 author: mestew
-manager: dougeby
+manager: aaroncz
 ms.localizationpriority: medium
-ms.topic: overview
+ms.topic: article
 ms.date: 10/18/2022
+ms.collection: highpri, tier1
 ---
 # What's new in Windows 10, version 22H2
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
index 273e6b1c68..9879efdeab 100644
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -1,14 +1,13 @@
 ---
 title: What's new in Windows 11, version 22H2 for IT pros
 description: Learn more about what's new in Windows 11 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
-manager: dougeby
+manager: aaroncz
 ms.prod: windows-client
 ms.author: mstewart
 author: mestew
 ms.localizationpriority: medium
 ms.topic: article
-ms.collection: highpri
-ms.custom: intro-overview
+ms.collection: highpri, tier1
 ms.technology: itpro-fundamentals
 ms.date: 12/31/2017
 ---
diff --git a/windows/whats-new/windows-10-insider-preview.md b/windows/whats-new/windows-10-insider-preview.md
deleted file mode 100644
index bdfa205f5c..0000000000
--- a/windows/whats-new/windows-10-insider-preview.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-title: Documentation for Windows 10 Insider Preview (Windows 10)
-description: Preliminary documentation for some Windows 10 features in Insider Preview.
-ms.prod: windows-client
-author: dansimp
-ms.date: 04/14/2017
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.technology: itpro-fundamentals
----
-
-# Documentation for Windows 10 Insider Preview
-
->[!NOTE]
-> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-This section contains preliminary documentation for some enterprise features in Windows 10 Insider Preview. Information in this section may change frequently. - - - -  -  - - - - -
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index 165bd132d3..93f8c35444 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -1,7 +1,6 @@
 ---
 title: Windows 11 overview for administrators
 description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs.
-ms.reviewer:
 manager: aaroncz
 author: mestew
 ms.author: mstewart
@@ -10,8 +9,7 @@ ms.date: 09/20/2022
 ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
 ms.topic: overview
-ms.collection: highpri
-ms.custom: intro-overview
+ms.collection: highpri, tier1
 ---
 # Windows 11 overview
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index 38dd1a3030..d61ccbad1a 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -2,12 +2,12 @@
 title: Plan for Windows 11
 description: Windows 11 deployment planning, IT Pro content.
 ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
 ms.localizationpriority: high
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier1
 ms.technology: itpro-fundamentals
 ms.date: 12/31/2017
 ---
@@ -73,7 +73,7 @@ The recommended method to determine if your infrastructure, deployment processes
 As you plan your endpoint management strategy for Windows 11, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows:
 - Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet.
-- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 - Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This concurrent management allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview).
 For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664).
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 6f5f8d35ad..46740f84c3 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -2,12 +2,12 @@
 title: Prepare for Windows 11
 description: Prepare your infrastructure and tools to deploy Windows 11, IT Pro content.
 ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
 ms.localizationpriority: high
 ms.topic: article
-ms.collection: highpri
+ms.collection: highpri, tier1
 ms.technology: itpro-fundamentals
 ms.date: 12/31/2017
 ---
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index 4a63cc1f7c..f264fb396a 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -1,16 +1,15 @@
 ---
 title: Windows 11 requirements
-description: Hardware requirements to deploy Windows 11
+description: Hardware requirements to deploy Windows 11.
 manager: aaroncz
 author: mestew
 ms.author: mstewart
 ms.prod: windows-client
 ms.localizationpriority: medium
 ms.topic: article
-ms.custom: seo-marvel-apr2020
-ms.collection: highpri
+ms.collection: highpri, tier1
 ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
+ms.date: 02/13/2023
 ---
 # Windows 11 requirements
@@ -19,51 +18,60 @@ ms.date: 12/31/2017
 - Windows 11
-This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support).
+This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support).
 ## Hardware requirements
 To install or upgrade to Windows 11, devices must meet the following minimum hardware requirements:
-
-- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC).
-- RAM: 4 gigabytes (GB) or greater.
-- Storage: 64 GB\* or greater available storage is required to install Windows 11.
- - Extra storage space might be required to download updates and enable specific features.
-- Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver.
-- System firmware: UEFI, Secure Boot capable.
-- TPM: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0.
-- Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel.
-- Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features.
- - Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use.
-\* There might be more requirements over time for updates, and to enable specific features within the operating system. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications).
+- **Processor**: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](/windows-hardware/design/minimum/windows-processor-requirements) or system on a chip (SoC).
-Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/).
+- **Memory**: 4 gigabytes (GB) or greater.
-For information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility).
+- **Storage**: 64 GB or greater available disk space.
-## Operating system requirements
+ > [!NOTE]
+ > There might be more storage requirements over time for updates, and to enable specific features within the OS. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications).
+
+- **Graphics card**: Compatible with DirectX 12 or later, with a WDDM 2.0 driver.
+
+- **System firmware**: UEFI, Secure Boot capable.
+
+- **TPM**: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0.
+
+- **Display**: High definition (720p) display, 9" or greater monitor, 8 bits per color channel.
+
+- **Internet connection**: Internet connectivity is necessary to perform updates, and to download and use some features.
+
+ - Windows 11 Home edition requires an internet connection and a Microsoft Account to complete device setup on first use.
+
+For more information, see the following Windows Insider blog post: [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/).
+
+For more information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility).
+
+## OS requirements
 Eligible Windows 10 devices must be on version 2004 or later, and have installed the September 14, 2021 security update or later, to upgrade directly to Windows 11.
 > [!NOTE]
-> S mode is only supported on the Home edition of Windows 11.
-> If you are running a different edition of Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
                                       
-> Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later.
+>
+> - S mode is only supported on the Home edition of Windows 11.
+> - If you're running a different edition of Windows in S mode, before upgrading to Windows 11, first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode).
+> - To switch a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you can't switch back to S mode later.
 ## Feature-specific requirements
-Some features in Windows 11 have requirements beyond those requirements listed above. See the following list of features and associated requirements.
+Some features in Windows 11 have requirements beyond the minimum [hardware requirements](#hardware-requirements).
 - **5G support**: requires 5G capable modem.
 - **Auto HDR**: requires an HDR monitor.
-- **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions.
+- **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions.
-- **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above.
+- **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and greater.
 - **Cortana**: requires a microphone and speaker and is currently available on Windows 11 for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States.
 - **DirectStorage**: requires an NVMe SSD to store and run games that use the Standard NVM Express Controller driver and a DirectX12 GPU with Shader Model 6.0 support.
 - **DirectX 12 Ultimate**: available with supported games and graphics chips.
 - **Presence**: requires sensor that can detect human distance from device or intent to interact with device.
-- **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output)
+- **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output).
 - **Multiple Voice Assistant**: requires a microphone and speaker.
 - **Snap**: three-column layouts require a screen that is 1920 effective pixels or greater in width.
 - **Mute** and **unmute**: from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute.
@@ -76,35 +84,43 @@ Some features in Windows 11 have requirements beyond those requirements listed a
 - **Wi-Fi 6E**: requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router.
 - **Windows Hello**: requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103).
 - **Windows Projection**: requires a display adapter that supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct.
-- **Xbox app**: requires an Xbox Live account, which isn't available in all regions. Go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription.
+- **Xbox app**: requires an Xbox Live account, which isn't available in all regions. Go to the Xbox Live *Countries and Regions* page for the most up-to-date information on availability. Some features in the Xbox app require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription.
 ## Virtual machine support
-The following configuration requirements apply to VMs running Windows 11.
+The following configuration requirements apply to VMs running Windows 11.
-- Generation: 2 \*
-- Storage: 64 GB or greater
-- Security:
- - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled
- - Hyper-V: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager)
- - General settings: Secure boot capable, virtual TPM enabled
-- Memory: 4 GB or greater
-- Processor: Two or more virtual processors
+- **Generation**: 2
-The VM host CPU must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements).
+ > [!NOTE]
+ > In-place upgrade of existing generation 1 VMs to Windows 11 isn't possible.
-\* In-place upgrade of existing generation 1 VMs to Windows 11 isn't possible.
+- **Storage**: 64 GB or greater disk space.
-> [!NOTE]
-> Procedures to configure required VM settings depend on the VM host type. For example, VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version.
+- **Security**:
+
+ - **Azure**: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled.
+ - **Hyper-V**: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager).
+
+ - General settings: Secure boot capable, virtual TPM enabled.
+
+- **Memory**: 4 GB or greater.
+
+- **Processor**: Two or more virtual processors.
+
+ - The VM host processor must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements).
+
+ > [!NOTE]
+ > There may be some instances where this requirement for the VM host doesn't apply. For more information, see [Options for using Windows 11 with Mac computers](https://support.microsoft.com/topic/cd15fd62-9b34-4b78-b0bc-121baa3c568c).
+
+ - Procedures to configure required VM settings depend on the VM host type. For example, VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in the BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version.
 ## Next steps
-[Plan for Windows 11](windows-11-plan.md)
-[Prepare for Windows 11](windows-11-prepare.md)
+- [Plan for Windows 11](windows-11-plan.md)
+- [Prepare for Windows 11](windows-11-prepare.md)
 ## See also
-[Windows minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
-[What's new in Windows 11 overview](/windows/whats-new/windows-11-overview)
-
+- [Windows minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
+- [What's new in Windows 11 overview](/windows/whats-new/windows-11-overview)